Cracking a hierarchical chaotic image encryption algorithm based on permutation
CCracking a hierarchical chaotic image encryption algorithm based on permutation
Chengqing Li ∗ College of Information Engineering, Xiangtan University, Xiangtan 411105, Hunan, China
Abstract
In year 2000, an e ffi cient hierarchical chaotic image encryption (HCIE) algorithm was proposed, which divides a plain-imageof size M × N with T possible value levels into K blocks of the same size and then operates position permutation on two levels:intra-block and inter-block. As a typical position permutation-only encryption algorithm, it has received intensive attention.The present paper analyzes specific security performance of HCIE against ciphertext-only attack and known / chosen-plaintextattack. It is found that only O ( (cid:100) log T ( M · N / K ) (cid:101) ) known / chosen plain-images are su ffi cient to achieve a good performance, andthe computational complexity is O ( M · N · (cid:100) log T ( M · N / K ) (cid:101) ), which e ff ectively demonstrates that hierarchical permutation-only image encryption algorithms are less secure than normal (i.e., non-hierarchical) ones. Detailed experiment results aregiven to verify the feasibility of the known-plaintext attack. In addition, it is pointed out that the security of HCIE againstciphertext-only attack was much overestimated. Keywords:
Chosen-plaintext attack, chaotic cryptanalysis, known-plaintext attack, permutation.
1. Introduction
With the increasing transmission speeds ofwired / wireless networks and popularization of imagecapturing devices and cloud storage services, image dataare transmitted over open networks more and more fre-quently. This makes security of image data become moreand more important. The public concern of it becomesserious as news about the illegal online leak of personalphotos of some celebrities was released. As a chaoticsystem owns some similar properties as that of modernencryption schemes, it has been intensively studied as analternative approach for designing secure and e ffi cientencryption schemes [1, 2, 3]. The main idea and principleof applying chaos theory to protecting images can betraced back to 1986 [4], which demonstrates the stretchinge ff ect of a chaotic map on a painting of Henri Poincar´e, afounder of modern chaos theory.The simplest and most e ffi cient method for protectingmultimedia data is permuting the positions of their spa-tial pixels [5] or frequency coe ffi cients [6]. In the litera-ture, some synonyms of permutation, transposition, shu ffl e,scramble [6], swap and shift, are used. Security scrutinyon some specific permutation-only encryption algorithms ∗ Corresponding author.
Email address:
[email protected] (Chengqing Li) against known / chosen-plaintext attacks were previously de-veloped [7, 8]. In [9], a ciphertext-only attack on a spe-cially simple permutation-only encryption algorithm wasproposed utilizing correlation redundancy remaining in thecipher-image. No matter how the permutation relation-ships are generated and what the permutation object is, anypermutation-only encryption algorithm can always be rep-resented by a permutation relationship matrix , whose entrystores the corresponding permuted location in the cipher-text [10]. The security of permutation-only encryption al-gorithm relies on its real permutation domain , in which anyelement in the permutation object can be permuted inde-pendently. As for a permutation domain of size M × N with T possible value levels, it is estimated that the re-quired number of known / chosen-plaintexts for an e ffi cientplaintext attack is O ( (cid:100) log T ( M · N ) (cid:101) ), where (cid:100) x (cid:101) denotes theceiling function. An upper bound of the attack complexityis also derived therein to be O ( n · ( M · N ) ), where n is thenumber of known / chosen plain-images [10]. In [11], thecomputational complexity of the attack is further reducedto O ( n · ( M · N )) by replacing the set intersection operationsof quadratic complexity with linear element access opera-tions. Even so, all kinds of permutation operations are stillbeing used in multimedia protection today [12, 13, 14, 15].In [16], a typical example of permutation-only image en-cryption algorithms, called HCIE (hierarchical chaotic im-age encryption), was proposed. Although security perfor- Preprint submitted to Elsevier November 7, 2018 a r X i v : . [ c s . CR ] S e p ance of general permutation-only image encryption algo-rithms against plaintext attack has been quantitatively an-alyzed, specific security performance of HCIE is still notevaluated. The core of HCIE is a permutation functioncomposed of rotation operations of four directions, origi-nates from an intellectual toy, Rubik’s Cube [17]. In [16],the authors claimed about the security property of HCIE asfollows: “By way of collecting some original images andtheir encryption results or collecting some specified imagesand their corresponding encryption results, it is still di ffi -cult for the cryptanalysts to decrypt an encrypted imagecorrectly because the permutation relationship is di ff erentfor each image.” In this paper, we will demonstrate that theclaim on the robustness of HCIE against known / chosen-plaintext attack is groundless. Further more, we find thatthe hierarchical encryption structure suggested in HCIEdoes not provide any higher security against known / chosen-plaintext attack, but actually make the overall security evenweaker. In addition, we find the capability of HCIE againstciphertext-only attack was much over-estimated.The rest of this paper is organized as follows. The algo-rithm HCIE is briefly introduced in Sec. 2. Detailed crypt-analysis on HCIE is provided in Sec. 3, with some experi-mental results. The last section concludes the paper.
2. The hierarchical chaotic image encryption algorithm(HCIE)
HCIE is a two-level hierarchical permutation-only imageencryption algorithm, in which all involved permutationrelationships are defined by pseudo-random combinationsof four rotation mappings with pseudo-random parameters.For an image, f = [ f ( i , j )] M × N , the four mapping opera-tions are described as follows, where p < min( M , N ) holdsfor each mapping. Definition 1.
The mapping f (cid:48) = ROLR i , pb ( f ) (0 ≤ i ≤ M − is defined to rotate the i-th row of f , in the left (whenb = ) or right (when b = ) direction, by p pixels. Definition 2.
The mapping f (cid:48) = ROUD j , pb ( f ) (0 ≤ j ≤ N − is defined to rotate the j-th column of f , in the up(when b = ) or down (when b = ) direction, by p pixels. Definition 3.
The mapping f (cid:48) = ROUR k , pb ( f ) (0 ≤ k ≤ M + N − is defined to rotate all pixels satisfying i + j = k,in the lower-left (when b = ) or upper-right (when b = )direction, by p pixels. Definition 4.
The mapping f (cid:48) = ROUL l , pb ( f ) (1 − N ≤ l ≤ M − is defined to rotate all pixels satisfying i − j = l,in the upper-left (when b = ) or lower-right (when b = )direction, by p pixels. Given a pseudo-random bit sequence { b ( i ) } starting from i , the Sub HCIE function in Algorithm 1 is used to permutean S M × S N image f sub to become another S M × S N image f (cid:48) sub , where ( α, β, γ, no ) are control parameters. One can see Algorithm 1
The
Sub HCIE function function Sub HCIE ( f sub , { b ( i ) } , no , S M , S N ) for ite ← , no do q ← i + (3 S M + S N − · ite p ← α + β · b ( q + + γ · b ( q + for i ← , ( S M − do f (cid:48) sub ← ROLR i , pb ( i + q ) ( f sub ) end for for j ← , ( S N − do f (cid:48) sub ← ROUD j , pb ( j + q + S M ) ( f (cid:48) sub ) end for for k ← , ( S M + S N − do f (cid:48) sub ← ROUR k , pb ( k + q + S M + S N ) ( f (cid:48) sub ) end for for l ← (1 − S N ) , ( S M − do f (cid:48) sub ← ROUL l , pb ( l + q + · S M + · S N − ( f (cid:48) sub ) end for end for i ← i + (3 S M + S N − · no return ( f (cid:48) sub , i ) end function that the Sub HCIE function actually defines an S M × S N per-mutation relationship matrix pseudo-randomly controlledby (3 S M + S N − · no bits in the bit sequence { b ( i ) } from i . Based on this function, for an M × N image f = [ f ( i , j )] M × N , the four basic parts of HCIE can be brieflydescribed as follows. • The secret key is the initial condition x (0) and the con-trol parameter µ of the chaotic Logistic map, f ( x ) = µ x (1 − x ) [18], which is realized in L -bit finite preci-sion. • Some public parameters : S M , S N , α , β , γ and no ,where √ M ≤ S M ≤ M , M mod S M = √ N ≤ S N ≤ N , and N mod S N = Although (S M , S N , α, β, γ, no) can all be in-cluded in the secret key, they are not suitable for sucha use due to the following reasons: 1) S M , S N are re-lated to M , N; 2) α, β, γ are related to S M , S N (andthen related to M , N, too); 3) S M , S N can be easilyguessed from the mosaic e ff ect of the cipher-image; 4)iteration number no cannot be too large to achieve anacceptable encryption speed. • The initialization procedure of generating the bit se-quence used in the
Sub HCIE function: run the Lo-2istic map starting from x (0) to generate a chaotic se-quence, { x ( i ) } (cid:100) L b / (cid:101)− i = , and then extract 8 bits followingthe decimal point of each chaotic state x ( i ) to yielda bit sequence { b ( i ) } L b − i = , where L b = (cid:16) + MS M · NS N (cid:17) · (3 S M + S N − · no ; finally, set i = Sub HCIE function run starting from b (0). • The two-level hierarchical encryption procedure :
1) The high-level encryption – permuting imageblocks : divide the plain-image f into blocks of size S M × S N , which compose an MS M × NS N block-image P f = (cid:104) P f ( i , j ) (cid:105) MSM × NSN , where P f ( i , j ) is the block of size S M × S N at the po-sition ( i , j ). Then, permute the positions of all blockswith the Sub HCIE function in the following way: a)create a pseudo-image f p = [ f p ( i , j )] S M × S N contain-ing (cid:16) MS M · NS N (cid:17) non-zero indices of all image blocks in P f and (cid:16) S M · S N − MS M · NS N (cid:17) zero-elements, and per-mute f p with the Sub HCIE function to get a shuf-fled pseudo-image f ∗ p ; b) generate a permuted block-image P f ∗ from P f (i.e., permute f blockwise) usingthe shu ffl ed indices contained in f ∗ p . The above high-level encryption procedure can be considered as a per-mutation of the block-image: P f f ∗ p = Sub HCIE ( f p ) −−−−−−−−−−−−→ P f ∗ ,where f ∗ p actually corresponds to an MS M × NS N permu-tation relationship matrix.
2) The low-level encryption – permuting pixels in ev-ery image block one by one : for i = ∼ (cid:16) MS M − (cid:17) and j = ∼ (cid:16) NS N − (cid:17) , call the Sub HCIE function to per-mute each block P f ∗ ( i , j ) so as to get the correspond-ing block of the cipher-image f (cid:48) : P f (cid:48) ( i , j ) = Sub HCIE (cid:16) P f ∗ ( i , j ) (cid:17) . As normalized in [10], any permutation-only encryp-tion algorithm exerting on an object of size H × W can berepresented with a permutation relationship matrix of size H × W , denoted by W = (cid:2) w ( i , j ) = ( i (cid:48) , j (cid:48) ) ∈ H × W (cid:3) H × W , (1)where H = { , · · · , H − } , W = { , · · · , W − } , and w ( i , j ) (cid:44) w ( i , j ) for any ( i , j ) (cid:44) ( i , j ).In HCIE, a total of (cid:16) + MS M · NS N (cid:17) permutation relation-ship matrices are involved: 1) one high-level permutationrelationship matrix of size MS M × NS N ; 2) (cid:16) MS M · NS N (cid:17) low-levelpermutation relationship matrices of size S M × S N . With theabove-mentioned representation of a permutation-only im-age encryption algorithm, the secret key ( µ, x (0)) of HCIE is equivalent to the (cid:16) + MS M · NS N (cid:17) permutation relationshipmatrices for plain-images of the same size. To facilitatethe following discussions, we use W = [ w ( i , j )] MSM × NSN to denote the high-level permutation relationship matrix,and use (cid:110) W ( i , j ) (cid:111) MSM − , NSN − i = , j = to denote the (cid:16) MS M × NS N (cid:17) low-level permutation relationship matrices, where W ( i , j ) = (cid:104) w ( i , j ) ( i (cid:48) , j (cid:48) ) (cid:105) S M × S N . Apparently, the (cid:16) + MS M · NS N (cid:17) permu-tation relationship matrices can be easily transformed to anequivalent permutation relationship matrix of size M × N , W = [ w ( i , j )] M × N .When S M = M and S N = N (or S M = S N = (cid:16) + MS M · NS N (cid:17) permutation relationship matrices becomeone permutation relationship matrix of size M × N , a typi-cal permutation-only image encryption algorithm in whicheach pixel can be independently permuted to any other po-sition in the whole image by a single M × N permutationrelationship matrix W .
3. Cryptanalysis of HCIE
In [16], it was claimed that the complexity of brute-force attacks to HCIE is O (cid:16) L b (cid:17) , since there are L b = (cid:16) + MS M · NS N (cid:17) · (3 S M + S N − · no secret chaotic bits in { b ( i ) } L b − i = that are unknown to the attackers. However, thisstatement is not true due to the following fact: the L b bitsare uniquely determined by the secret key, i.e., the initialcondition x (0) and the control parameter µ , which have only2 L secret bits. This means that there are only 2 L di ff erentchaotic bit sequences.Now, let us study the real complexity of brute-force at-tacks. For each pair of guessed values of x (0) and µ , thefollowing operations are needed: • generating the chaotic bit sequence: there are L b / • creating the pseudo-image f p : the complexity is S M · S N ; • shu ffl ing the pseudo-image f p : running the Sub HCIE function once; • generating P f ∗ : the complexity is M · N ; • shu ffl ing the partition image P f ∗ : running the Sub HCIE function for (cid:16) MS M · NS N (cid:17) times.Assume that the computing complexity of the Sub HCIE function is (4 S M + S N ) · no . Then, the total com-plexity of brute-force attacks to HCIE can be estimated3o be O (cid:16) L · ( L b + M · N ) (cid:17) , which is much smaller than O (cid:16) L b / (cid:17) when L b is not too small. Additionally, consider-ing the fact that the Logistic map can exhibit a su ffi cientlystrong chaotic behavior only when µ is close to 4 [19], theabove complexity should be even smaller. This analysisshows that the security of HCIE was much over-estimatedby the authors in [20, 16], for brute-force attacks.Observing the hierarchical permutation structure ofHCIE, one can see that the histogram of each S M × S N blockin the plain-image will keep unchanged during the wholepermutation process of HCIE. Due to the strong correla-tion between neighbouring pixels (and even blocks) of nat-ural images (See [21, Fig. 5]), there exists some correlationbetween histograms of neighbouring blocks. So, one maydetermine the relative locations of some blocks in cipher-image by comparing similarity degrees of histograms forevery pair of cipher-blocks [22, 23]. Since HCIE is a permutation-only image encryption al-gorithm, given n known plain-images f ∼ f n of size M × N and the corresponding cipher-images f (cid:48) ∼ f (cid:48) n , one can sim-ply call the Get Permutation Matrix function defined in[10, Sec. 3.1] or its enhanced version in [11, Sec. 4] withthe input parameter ( f ∼ f n , f (cid:48) ∼ f (cid:48) n , M , N ) to estimate an M × N permutation relationship matrix W , which is equiv-alent to the (cid:16) + MS M · NS N (cid:17) smaller permutation relationshipmatrices. However, if the hierarchical structure of HCIE isconsidered, the known-plaintext attack may be quicker andthe estimation will be more e ff ective. Thus, the followinghierarchical procedure of known-plaintext attacks to HCIEis suggested : • Reconstruct the high-level permutation relationshipmatrix W :
1) for i = ∼ (cid:16) MS M − (cid:17) and j = ∼ (cid:16) NS N − (cid:17) : calculate the mean values of the 2 n blocks P f ( i , j ) ∼ P f n ( i , j ), P f (cid:48) ( i , j ) ∼ P f (cid:48) n ( i , j ) and denotethem by P f ( i , j ) ∼ P f n ( i , j ) and P f (cid:48) ( i , j ) ∼ P f (cid:48) n ( i , j );
2) generate n images P f ∼ P f n and P f (cid:48) ∼ P f (cid:48) n of size MS M × NS N as follows : ∀ m = ∼ n , P f m = (cid:104) P f m ( i , j ) (cid:105) MSM × NSN (2)and P f (cid:48) m = (cid:104) P f (cid:48) m ( i , j ) (cid:105) MSM × NSN , (3) For HCIE, the permutation relationship matrices also depend on thevalues of the public parameters. To simplify the following description,without loss of generality, it is assumed that all public parameters are fixedfor all known plain-images. and call the
Get Permutation Matrix function withthe input parameters (cid:32) P f ∼ P f n , P f (cid:48) ∼ P f (cid:48) n , MS M , NS N (cid:33) to get an estimated permutation relationship ma-trix (cid:101) W = (cid:2)(cid:101) w ( i , j ) (cid:3) MSM × NSN and its inverse (cid:101) W − = (cid:104)(cid:101) w − ( i , j ) (cid:105) MSM × NSN .
3) Reconstruct the (cid:16) MS M · NS N (cid:17) low-level permutation rela-tionship matrices (cid:110) W ( i , j ) (cid:111) MSM − , NSN − i = , j = : • for i = ∼ (cid:16) MS M − (cid:17) and j = ∼ (cid:16) NS N − (cid:17) ,call the Get Permutation Matrix function with theinput parameters ( P f ( i , j ) ∼ P f n ( i , j ) , P f (cid:48) ( i (cid:48) , j (cid:48) ) ∼ P f (cid:48) n ( i (cid:48) , j (cid:48) ) , S M , S N ), where ( i (cid:48) , j (cid:48) ) = W ( i , j ), to de-termine an estimated permutation relationship matrix (cid:101) W ( i , j ) and its inverse (cid:101) W − i , j ) .With the (cid:16) + MS M · NS N (cid:17) inverse matrices W − and (cid:110) (cid:101) W − i , j ) (cid:111) MSM − , NSN − i = , j = , one can decrypt a new cipher-image f (cid:48) n + with Dermutation function given in Algorithm 2 to get anestimated plain-image f ∗ n + : Algorithm 2
The function
Dermutation function Dermutation ( W − , (cid:110) (cid:101) W − i , j ) (cid:111) MSM − , NSN − i = , j = , f (cid:48) n + ) for i ← , ( M / S M ) − do for j ← , ( N / S N ) − do f temp ← P f (cid:48) n + ( w − ( i , j )) for ii ← , S M − do for j j ← , S N − do f ∗ temp ( ii , j j ) ← f temp (cid:16) w − i , j ) ( ii , j j ) (cid:17) P f ∗ n + ( i , j ) ← f ∗ temp end for end for end for end for return f ∗ n + end function In fact, in the above procedure, any measure keeping in-variant in the block permutations can be used instead of themean value. A typical measure is the histogram of each S M × S N block. Although the mean value is less precisethan the histogram, it works well in most cases and is e ff ec-tive to reduce the time complexity. When T and S M × S N are both very small, the e ffi ciency of the mean value willbecome low, in this case the histogram or the array of all4ixel values can be used as a replacement. As for an imageof size H × W and T possible value levels, the number ofdi ff erent histogram is n h = min( T , H · W ) (cid:88) i = (cid:32) Ti (cid:33) · (cid:32) H · Wi − (cid:33) . (4)As n h is a huge number for a non-tiny image and histogramis sensitive to the change of pixel value, it is easier to getthe high-level permutation relationship matrix W than thelow-level permutation relationship matrices.Finally, let us see whether the hierarchical structure usedin HCIE is helpful for enhancing the security against theknown-plaintext attack to the common permutation imageciphers. As discussed in [10, Sec. 3.1], n ≥ (cid:100) log T (2( M · N − (cid:101) known plain-images are needed to achieve an accept-able breaking performance. Since the hierarchical structuremakes it possible for an attacker to work on permutationrelationship matrices of size S M × S N or MS M × NS N (bothsmaller than M × N ), it is obvious that for HCIE the num-ber of required known plain-images will be smaller than (cid:100) log T (2( M · N − (cid:101) . As the permutation relationship ma-trix W can be recovered in a very high probability withone or two known plain-images, one can conclude as fol-lows: the smaller the ( S M × S N ) is, the smaller the n is.Also, the attack complexity will become lower, since thenumber of used plaintexts is reduced. In this sense, hierar-chical permutation-only image ciphers are less secure thannon-hierarchical ones, which discourages the use of HCIE. To verify the decryption performance of the above-discussed known-plaintext attack to HCIE, some experi-ments are performed using the six 256 ×
256 test imageswith 256 gray scales shown in Fig. 1. Assume that the first n = ∼ ff erent configurations ofHCIE are used: S M = S N = S M = S N = S M = S N =
16. As mentioned above, the configurationof S M = S N =
256 corresponds to general permutation-only image ciphers working in the spatial domain (withoutusing hierarchical structures). As shown in [10, Sec. 4],three known plain-images are always enough to achieve agood breaking performance, and an almost perfect break-ing performance can be achieved with four plain-images,where the public parameters are α = β = γ = no =
9. Image
Figure 1: The six 256 ×
256 test images used in the experiments. M = S N = α = β = γ = no =
2. The cipher-images of the six testimages are all shown in Fig. 2. When the first n = ∼ Figure 2: The cipher-images of the six 256 ×
256 test images, when S M = S N = M = S N = α = β = γ = no =
2. The cipher-images of the six test images are allshown in Fig. 4. When the first n = ∼ = n = n = n = n = Figure 3: The decrypted image of Cipher-Image n testimages are known to the attacker, when S M = S N = even one known plain-image can reveal a rough view of theplain-image, and two is enough to obtain a nearly-perfectrecovery.Cipher-image Figure 4: The cipher-images of the six 256 ×
256 test images, when S M = S N = Now, let us give a performance comparison of theknown-plaintext attack to HCIE with the above three dif-ferent configurations. Figure 6a) shows the quantitative re-lationship between the number of known plain-images andthe decryption quality (represented by the decryption errorratio). It can be seen that three known plain-images areenough for all three configurations to achieve an acceptablebreaking performance, and two can reveal quite a lot of pix-els (which means that most significant visual information isrevealed). Also, it is found that the breaking performanceis dependent on the configuration: when S M = S N = n = n = n = n = n = Figure 5: The decrypted images of Cipher-Image n testimages are known to an attacker, when S M = S N = previous analysis.Figure 6b) shows the average cardinality of the elementsin (cid:98) W , which is an indicator of the probability of getting cor-rect permutation elements in (cid:101) W and an indicator of the timecomplexity as analyzed above. Comparing Figures 6a) and6b), one can see that the occurrence probability of decryp-tion errors has a good correspondence with the average car-dinality, where the correctness of the uniquely-determinedpermutation relationship matrix was obtained by some cho-sen plain-images and the corresponding cipher-images.From the above comparison, it is concluded that the se-curity of HCIE with a hierarchical structure is even weakerthan the security of general permutation-only image en-cryption algorithms without hierarchical structures: when S M = S N =
32 and S M = S N =
16, two known plain-images are enough to achieve an acceptable breaking per-formance; while when S M = S N = / chosen-plaintext attacks, the hierarchi-cal idea proposed in HCIE has no technical merits. To discover an equivalent secret key of a commonpermutation-only image encryption scheme under the sce-nario of chosen-plaintext attack, one can construct a “com-position plain-text”, whose every element is di ff erent fromeach other [24, Sec. 5.1]. To satisfy the requirement, thenumber of the bit planes of the special chosen-text shouldbe not smaller than (cid:100) log ( M · N ) (cid:101) . So, the number of re-quired chosen-images is n = (cid:100)(cid:100) log ( M · N ) (cid:101) / (cid:100) log ( T ) (cid:101)(cid:101) . n a) decryption error ratio n b) the average cardinality (cid:98) w ( i , j ))(Legend: (cid:52) – S M = S N = (cid:3) – S M = S N = (cid:13) – S M = S N = Figure 6: A performance comparison of the known-plaintext attack toHCIE.
In general, T is a power of 2 in the digital domain, hencelog ( T ) is an integer. To this end, one has n = (cid:100) log ( M · N ) / log ( T ) (cid:101) = (cid:100) log T ( M · N ) (cid:101) (5)by referring to [25, Theorem 3.10].Similarly to the known-plaintext attack, the use of a hier-archical structure in HCIE can also make the constructionof chosen plain-images easier. Accordingly, an attackercan work hierarchically to construct n chosen plain-images, f , · · · , f n , as follows: • high-level : P f ∼ P f n , which are defined in Eq. (2),compose an orthogonal image set; • low-level : ∀ ( i , j ), P f ( i , j ) ∼ P f n ( i , j ) compose an or-thogonal image set.In this case, the minimal number of required chosen plain-images becomes n = max (cid:0)(cid:6) log T ( S M · S N ) (cid:7) , (cid:6) log T ( K ) (cid:7)(cid:1) ≤ (cid:6) log T ( M · N ) (cid:7) , (6)where K = MS M · NS N . The above equality holds if and only ifthe hierarchical encryption structure is disabled, i.e., when K ∈ { , M · N } .As the (cid:16) + MS M · NS N (cid:17) permutation relationship matricesof HCIE are uniquely determined by the bit sequence { b ( i ) } L b − i = and the public parameters, one may recover re-versely some consecutive bits of { b ( i ) } L b − i = [26, Sec. 3.3.6].Furthermore, one can derive the secret key x (0) and µ fol-lowing the approach given in [21, Sec.3.3.2].
4. Conclusion
Specific security performance of a typical permutation-only encryption algorithm, called HCIE, against ciphertext-only attack and known / chosen-plaintext attacks has beenstudied in detail. It is found that the capability of HCIEagainst the former attack was over-estimated much and hi-erarchical permutation-only image encryption algorithmssuch as HCIE are less secure than normal permutation-onlyones without using hierarchical encryption structures. Thiswork e ff ectively demonstrates that the size of the real per-mutation domain of a permutation algorithm should be aslarge as possible in order to reach the best performance. Aspermutation operation alone cannot provide high level ofsecurity, it should be combined with other value substitu-tion functions. Acknowledgement
This research was supported by the Distinguished YoungScholar Program of the Hunan Provincial Natural ScienceFoundation of China (No. 2015JJ1013). Some parts ofSec. 3 were completed with the help of Dr. Shujun Li, fromSurrey University, UK.
References [1] S. Li, Analyses and new designs of digital chaotic ciphers, Ph.D.thesis, School of Electronic and Information Engineering, Xi’anJiaotong University, Xi’an, China, available online at (June 2003).[2] G. Chen, Y. Mao, C. K. Chui, A symmetric image encryption schemebased on 3D chaotic cat maps, Chaos, Solitons & Fractals 21 (3)(2004) 749–761.[3] G. ´Alvarez, S. Li, Some basic cryptographic requirements for chaos-based cryptosystems, International Journal of Bifurcation and Chaos16 (8) (2006) 2129–2151.[4] J. P. Crutchfield, J. D. Farmer, N. H. Packard, R. S. Shaw, Chaos,Scientific American 255 (12) (1986) 46–57. doi:10.1038/scientificamerican1286-46 .[5] Y. Matias, A. Shamir, A video scrambing technique based on spacefilling curve (extended abstract), in: Advances in Cryptology –Crypto’87, Lecture Notes in Computer Science, volume 293, 1987,pp. 398–417.[6] W. Zeng, S. Lei, E ffi cient frequency domain selective scrambling ofdigital video, IEEE Transactions on Multimedia 5 (1) (2003) 118–129.[7] J.-K. Jan, Y.-M. Tseng, On the security of image encryption method,Information Processing Letters 60 (5) (1996) 261–265.[8] C.-C. Chang, T.-X. Yu, Cryptanalysis of an encryption scheme forbinary images, Pattern Recognition Letters 23 (14) (2002) 1847–1852.[9] W. Li, Y. Yan, N. Yu, Breaking row-column shu ffl e based image ci-pher, in: Proceedings of ACM International Conference on Multime-dia, 2012, p. art. no. 6011939. doi:10.1145/2393347.2396392 .[10] S. Li, C. Li, G. Chen, N. G. Bourbakis, K.-T. Lo, A general quanti-tative cryptanalysis of permutation-only multimedia ciphers againstplaintext attacks, Signal Processing: Image Communication 23 (3)(2008) 212–223, https: // eprint.iacr.org / /
11] C. Li, K.-T. Lo, Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Processing91 (4) (2011) 949–954.[12] S. Li, C. Li, K.-T. Lo, G. Chen, Cryptanalysis of an image scram-bling scheme without bandwidth expansion, IEEE Transactions onCircuits and Systems for Video Technology 18 (3) (2008) 338–349.[13] H. Sohn, W. D. Neve, Y. M. Ro, Privacy protection in video surveil-lance systems: analysis of subband-adaptive scrambling in JPEGXR, IEEE Transactions on Circuits and Systems for Video Tech-nology 21 (2) (2011) 170–177.[14] Y. Wu, Y. Zhou, S. Agaian, J. P. Noonana, A symmetric image cipherusing wave perturbations, Signal Processing 102 (2014) 122–131.[15] H. Zheng, S. Yu, J. Lu, Design and ARM platform-based realiza-tion of digital color image encryption and decryption via single statevariable feedback control, International Journal of Bifurcation andChaos 24 (4) (2014) art. no. 1450049.[16] J.-C. Yen, J.-I. Guo, E ffi cient hierarchical chaotic image encryptionalgorithm and its VLSI realisation, IEE Proc. – Vis. Image SignalProcess. 147 (2) (2000) 167–175.[17] R. E. Korf, Finding optimal solutions to Rubik’s cube using pat-tern databases, in: Proceedings of AAAI-97, 1997, pp. 700–705,https: // / Papers / AAAI / / AAAI97-109.pdf.[18] R. L. Devaney, An introduction to chaotic dynamical systems, West-view Press, 2003.[19] C. Li, T. Xie, Q. Liu, G. Cheng, Cryptanalyzing image encryptionusing chaotic logistic map, Nonlinear Dynamics 78 (2) (2014) 1545–1551.[20] J.-I. Guo, J.-C. Yen, J.-C. Yeh, The design and realization of a newchaotic image encryption algorithm, in: Proc. 1999 InternationalSymposium on Communications, 1999, pp. 210–214.[21] S. Li, C. Li, G. Chen, X. Mou, Cryptanalysis of the RCES / RSESimage encryption scheme, Journal of Systems and Software 81 (7)(2008) 1130–1143.[22] H. Li, Y. Zheng, S. Zhang, J. Cheng, Solving a special type of jigsawpuzzles: Banknote reconstruction from a large number of fragments,IEEE Transactions on Multimedia 16 (2) (2014) 571–578.[23] H. Ling, K. Okada, An e ffi cient earth mover’s distance algorithm forrobust histogram comparison, IEEE Transactions on Pattern Analy-sis and Machine Intelligence 29 (5) (2007) 840–853.[24] C. Li, S. Li, G. Chen, G. Chen, L. Hu, Cryptanalysis of a new signalsecurity system for multimedia data transmission, EURASIP Journalon Applied Signal Processing 2005 (8) (2005) 1277–1288.[25] R. L. Graham, D. E. Knuth, O. Patashnik, Concrete Mathematics,Adison-Wesley, 1989.[26] C. Li, S. Li, K.-T. Lo, K. Kyamakya, A di ff erential cryptanalysis ofYen-Chen-Wu multimedia cryptography system, Journal of Systemsand Software 83 (8) (2010) 1443–1452.erential cryptanalysis ofYen-Chen-Wu multimedia cryptography system, Journal of Systemsand Software 83 (8) (2010) 1443–1452.