On the Security of a Latin-Bit Cube-Based Image Chaotic Encryption Algorithm

In this paper, the security analysis of an image chaotic encryption algorithm based on Latin cubes and bit cubes is given. The proposed algorithm adopts a first-scrambling-diffusion- second-scrambling three-stage encryption scheme. First, a finite field is constructed using chaotic sequences. Then, the Latin cubes are generated from finite field operation and used for image chaotic encryption. In addition, according to the statistical characteristics of the diffusion image in the diffusion stage, the algorithm also uses different Latin cube combinations to scramble the diffusion image for the second time. However, the generation of Latin cubes in this algorithm is independent of plain image, while, in the diffusion stage, when any one bit in the plain image changes, the corresponding number of bits in the cipher image follows the change with obvious regularity. Thus, the equivalent secret keys can be obtained by chosen plaintext attack. Theoretical analysis and experimental results indicate that only a maximum of 2.5×w×h3+6 plain images are needed to crack the cipher image with w×h resolution. The size of equivalent keys deciphered by the method proposed in this paper are much smaller than other general methods of cryptanalysis for similar encryption schemes.


Introduction
Image chaotic encryption algorithms have attracted some special attention in the field of information security [1][2][3][4][5][6][7]. In recent years, many image chaotic encryption schemes combined chaos theories with other technologies, such as one-time keys [8], bit-level permutation [9], DNA operations [10][11][12][13], parallel computing system [14], matrix semi-tensor product theory [15], cellular automata [16,17], neural network [18,19], Latin square or Latin cube [20][21][22], and so on, have been proposed. However, the security issues of image chaotic encryption algorithms have also attracted much attention. As a basic requirement of security, the ciphertext image of the image chaotic encryption algorithm must have good uniformity. In addition, the algorithm must have a large enough key space to resist brute force attacks. For instance, in order to show the security of the image chaotic encryption algorithm in the statistical sense, the key space analysis, statistical analysis, and differential analysis of the chaos encryption algorithm proposed in [23] and its corresponding extended algorithm are given in Sections 4 and 5 of [23], respectively. However, the high uniformity of ciphertext does not mean that the encryption algorithm has high security performance. For example, in [24], the security analysis of an image chaotic encryption algorithm proposed in [16] is given, and it is found that the generation of key stream is related to the sum of pixel values of plain images. Under the premise of satisfying the sum of pixel values of a plain image unchanged, only two pixel values of cipher image are changed corresponding to the variation of two pixel values of a plain image, which is vulnerable to differential attack. Therefore, the equivalent secret keys can be obtained by selecting 512 plain images. In [25], the cryptanalysis of a DNA encoding-based image scrambling and diffusion encryption (1) The generation of Latin cubes in this algorithm is independent of plain image.
(2) When any one bit in the plain image changes, the corresponding number of bits in the cipher image follows the change with obvious regularity.
Based on the above-mentioned security vulnerabilities, this paper adopts both chosen plaintext attack and differential attack for analyzing the safety performance for the image chaotic encryption algorithm proposed in [20]. First, a full zero plain image and multiple non-full zero plain images are selected, and the differential operation is performed between the cipher image corresponding to this full zero plain image and the cipher image corresponding to those non-full zero plain images. On the premise that the sum of bit 1 in each differential operation is even, the chaotic index sequence lx can be deciphered. Next, based on the obtained lx, and on the condition that there exists an intersection in the solutions of unary quadratic equation on finite field GF(q), the secret keys α, β, γ can be further deciphered.
The rest of the paper is organized as follows: Section 2 briefly introduces the image chaotic encryption algorithm. Section 3 presents the security analysis. Section 4 gives the steps for deciphering image chaotic encryption algorithm. Section 5 demonstrates the numerical simulation experiments. Section 6 gives some improvement suggestions for the image chaotic encryption algorithm. Finally, Section 7 concludes the paper.

A Brief View of an Image Chaotic Encryption Algorithm
In [20], the image chaotic encryption algorithm consists of secret keys selection, Latin cube generation, scrambling encryption, and diffusion encryption, as shown in Figure 1, where key 0 , µ 0 , α, β, γ are the secret keys, x n (n = 0, 1, 2, · · · ) is a chaotic sequence generated by Logistic mapping, lx is a chaotic index sequence, L 1 , L 2 , L 3 are three Latin cubes, P is a 2D plain gray image, M is a bit cube representation of P, S 1 is a first-scrambling image of M, D is a diffusion image of S 1 , S 2 is a second-scrambling image of D, E is a 2D cipher gray image of S 2 , and B is generated by L 1 . When the size of the image is w × h, the length of x n and lx is q = 3 √ 8 × w × h, the side length of Latin cubes and bit cubes is q = 3 √ 8 × w × h, and the secret keys α, β, γ ∈ {0, 1, 2, · · · , q − 1}. Note that an appropriate image size w × h should be selected to ensure that q = 3 is an even number. In Figure 1, L 1 , L 2 , L 3 ∈ {0, 1, 2, · · · , q − 1} are Latin cubes, M, S 1 , D, S 2 , B ∈ {0, 1} are bit cubes, P is a 2D plain gray image, E is a 2D cipher gray image, p k , p t , s 1 , b, d, e k ∈ {0, 1} are 1D bit sequences corresponding to P, S 1 , B, D, E, and t = T(k) is a position scrambling rule corresponding to the first-scrambling stage.

Generation of Latin Cubes
Let the side length of L 1 , L 2 , where q is an even number. For a given (l 1 , l 2 , l 3 ), one gets L 1 (l 1 , l 2 , , then L 1 , L 2 , L 3 are orthogonal to each other [38]. When q = 3, one gets three orthogonal Latin cubes, as shown in Figure 2a, and the corresponding triple tuple is shown in Figure 2b, respectively. The algorithm for generating Latin cubes proposed in [20] is implemented by replacing the ordered set {0, 1, 2, ..., q} in the generation method proposed in [38] with the chaotic index sequence lx. The detailed steps for generating three orthogonal Latin cubes by means of a finite field are in Algorithm 1.

Algorithm 1 Steps for Generation of Latin Cubes.
Input: Secret keys key 0 , µ 0 , α, β, γ; Side length q = 3 √ 8 × w × h; Output: Three orthogonal Latin cubes L 1 , L 2 and L 3 ; 1: Generate the chaotic sequence x = {x 0 , x 1 , . . . , x q−1 } by using Logistic mapping. 2: Obtain the corresponding chaotic index sequence lx = {c 0 , c 1 , · · · , c i , · · · , c q−1 } by arranging x = {x 0 , x 1 , . . . , x q−1 } in ascending order, where 0 ≤ c i , i ≤ q − 1, satisfying lx[i] = c i . Note that the chaotic index sequence lx can only be determined after the sequence value c i and the sequence number i are simultaneously obtained. When the sequence value c i is obtained, but the sequence number i is uncertain, the general form of the chaotic index sequence lx is in the form of In the following, ξ or ξ denotes the sequence value and i ξ or i ξ denotes the sequence number in Equation (2), respectively. 3: Construct a finite field by using chaotic index sequence lx, and then one gets the orthogonal Latin cubes on the finite field, given by where "+" denotes addition operation on the finite field, "×" denotes multiplication operation on the finite field, α, β, γ ∈ lx, c l 1 , c l 2 , c l 3 are sequence values of lx. 4: return L 1 , L 2 , L 3 .

Steps for Image Chaotic Encryption
According to Figure 1, and taking a plain gray image with 512 × 512 resolution as an example, one has q = 3 √ 512 × 512 × 8 = 128. The steps for image chaotic encryption are in Algorithm 2.

Algorithm 2
Steps for Image Chaotic Encryption.
Input: Secret keys key 0 , µ 0 , α, β, γ; Plaintext image P; Output: Ciphertxet image E; 1: Convert the 2D plain gray image P into the bit cube M; 2: Obtain three orthogonal Latin cubes L 1 , L 2 , L 3 by Algorithm 1; 3: Scramble bit cube M by using three orthogonal Latin cubes L 1 , L 2 , L 3 , and get the corresponding first-scrambling image S 1 in the form of bit cube, such that 4: Obtain the diffusion bit cube B (l 1 , l 2 , l 3 ) by using Latin cube L 1 , given by Then, get the diffusion 1D bit sequence b[t] corresponding to diffusion bit cube B(l 1 , l 2 , where t ∈ {0, 1, 2, · · · , q 3 − 1}, · is a round down operation, and "%" is a modulo operation.
Then, get the 1D bit sequence d[t] by using s 1 [t] and b[t] as where , and convert the 1D bit sequence d[t] into the bit cube D(l 1 , l 2 , l 3 ). Then, get the bit cube S 2 (l 1 , l 2 , l 3 ) by utilizing D(l 1 , l 2 , l 3 ), such that where G(d)%2 ∈ {0, 1} denotes the modular 2 operation on G(d). 7: Convert the bit cube S 2 (l 1 , l 2 , l 3 ) into the 2D cipher gray image E with 512 × 512 resolution. 8: return E.
An example of encrypting a gray image with 2 × 4 resolution using the original encryption algorithm is shown in Figure 3. Figure 3a shows the three Latin cubes and the corresponding bit cubes L used for encryption. Figure 3b shows the encryption process. The numbers in the cells of P and E represent pixel values, and the bit values are represented in the cells of S 1 , B, and S 2 . The red cells in M indicate that they are bit representations of the red cell corresponding to P, i.e., the binary representation of 166 is (10100110) 2 .

Security Analysis
According to Figure 1, it is found that the generation of three orthogonal Latin cubes L 1 , L 2 , L 3 is not related to the plain image. When the secret keys are given, the three orthogonal Latin cubes L 1 , L 2 , L 3 remain unchanged for different input plain images, which are provided a prerequisite for chosen plaintext attack. Therefore, one can decipher the equivalent secret keys lx, α, β, γ corresponding to the original secret keys key 0 , µ 0 , α, β, γ.
q − 1}, i 0 denotes the sequence number corresponding to the sequence value 0, and i ξ denotes the sequence number corresponding to the sequence value ξ.

The First Case for Analysis of Chaotic Index Sequence lx
Suppose that the 1D bit sequence corresponding to plain image P 0 is {p 0 , the cipher image corresponding to plain image P 0 is E 0 , the 1D bit sequence corresponding to cipher In addition, suppose that the cipher image corresponding to plain image P k is E k , the 1D bit , the cipher image corresponding to P k 1 k 2 k 3 is E k 1 k 2 k 3 , and the 1D bit sequence corresponding to

Proposition 2.
Suppose that the cipher image corresponding to plain image P k is E k , the 1D bit sequence , the cipher image corresponding to plain image P 0 is E 0 , and the 1D bit sequence corresponding to cipher image E 0 is {e 0 , q 3 is an even number. If (q 3 − m k,0 )%2 = q 3 %2 − m k,0 %2 = m k,0 %2 = 0, then T(k) = m k,0 holds, where T(k) denotes the position scrambling rule in the first-scrambling stage, k denotes the position of the k-th bit before the first-scrambling of plain image, and T(k) denotes the position of k-th bit after the first-scrambling of plain image.
Proof. According to Equation (6), the relationship between the coordinates (l 1 , l 2 , l 3 ) of bit cube B(l 1 , l 2 , l 3 ) and the position t of 1D bit sequence b[t] corresponding to B(l 1 , l 2 , l 3 ) is given by On the other hand, the relationship between the coordinates (ξ, ξ, ξ) of bit cube M(ξ, ξ, ξ) and the position k of 1D bit sequence p k [i] in Equation (13) is given by Thus, the relationship between the position of t-th bit after the first-scrambling of plain image and the position of k-th bit before the first-scrambling of plain image is given by (1) Consider the first-scrambling stage. In the first-scrambling stage, only change the bit position, but the bit value should remain unchanged. Suppose that the input 1D bit sequence corresponding to plain image P k is p k , after the first-scrambling of plain image, the corresponding output 1D bit sequence is p t . According to Equation (16), the relationship between position t and k satisfies t = T(k).
Based on Proposition 1, one has S 1 (i 0 , i 0 , i ξ ) = M(ξ, ξ, ξ), where ξ ∈ {0, 1, 2, · · · , q − 1} is the sequence value of chaotic index sequence lx, i ξ is the sequence number of lx. However, even though ξ is given, since S 1 (i 0 , i 0 , i ξ ) is the first-scrambling result of bit cube M(ξ, ξ, ξ), but the scrambling rule T(·) is unknown beforehand, the sequence numbers i 0 and i ξ cannot be directly available. Thus, Proposition 2 is needed to obtain the specific numbers i 0 and i ξ .
An example of Proposition 2 is as in Figure 4. Figure 4a shows the ciphertext corresponding to the grayscale image lena. Figure 4b shows the corresponding ciphertext image after changing the bit at the bit-cube coordinates (6, 6, 6) of lena. Figure 4c   The difference between the two plaintexts is only 1 bit. It can be found from Figure 4d that the number of identical bits between their corresponding ciphertexts is 1,733,762, which is an even number. Substituting m k,0 = 1, 733, 762, ξ = 6, and q = 128 into Equation (22) yields i 0 = 105 and i 6 = 2.

The Second Case for Analysis of Chaotic Index Sequence lx
If m k,0 %2 = 0, the above-mentioned method is no longer available, which needs to be further consideration.
Note that one can also select t i , t i+1 , t (i = 2, 3, · · · , (q/2 − 1)) in the same way, which is omitted here due to the limited length of the article.
According to the first equation of Equation (33), one gets two solutions χ Similarly, according to the second equation of Equation (33), one gets two solutions χ 2 for χ 2 . Thus, there exists an intersection for the first equation and the second equation of Equation (33), 2 }. Based on the deciphered secret key β, the remaining two secret keys α = {χ 2 } − {β} can further be deciphered as well. If L 1 (l 1 , l 2 , l 3 ) = L 2 (l 1 , l 2 , l 3 ) = 0 and L 2 (l 1 , l 2 , l 3 ) = L 3 (l 1 , l 2 , l 3 ) = 0, then, an intersection for the first equation and the second equation of Equation (33) does not exist, so the secret keys α, β, γ cannot be obtained [39]. The proof is finished.

Flowchart of Security Analysis
The flowchart of security analysis is shown in Figure 5.

Steps for Deciphering the Image Chaotic Encryption Algorithm
The steps for deciphering image chaotic encryption algorithm are as Algorithm 3.

Algorithm 3
Steps for Deciphering Image Chaotic Encryption Algorithm.

Output:
The equivalent secret keys lx, α, β, γ; 1: According to the chosen plaintext attack, choose the plain image as P 0 , the corresponding cipher image is E 0 , the 1D bit sequence corresponding to i=0 . 2: According to the chosen plaintext attack, choose the plain image as P k , the corresponding cipher image is E k , the 1D bit sequence corresponding to  (22), the sequence number corresponding to sequence value 0 is i 0 = t/q 2 = m k,0 /q 2 , the sequence number corresponding to sequence value ξ ∈ Ψ is i ξ = t%q = m k,0 %q. 5: If m k %2 = 1, then t = m k,0 holds, Equation (22) is not available. According to the chosen plaintext attack, choose the plain image as P k 1 k 2 = P k 1 ⊕ P k 2 , the corresponding cipher image is i=0 . In addition, choose the plain image asP k 1 k 2 k = P k 1 ⊕ P k 2 ⊕ P k , the corresponding cipher image is E k 1 k 2 k , the 1D bit sequence i=0 . 6: According to the differential attack, first calculate m k 1 k 2 ,0 by using obtained in step 1 and step 5. Then, calculate m k 1 k 2 k,0 by using obtained in step 1 and step 5. 7: According to Equation (32), calculate the sequence number i ξ i = t i %q corresponding to sequence value ξ i ∈ Ψ . 8: Decipher the chaotic index sequence lx by using Equation (22) and Equation (32). Then, decipher the secret keys α, β, γ according to the Proposition 3. 9: return lx, α, β, γ; Theoretical analysis and experimental results indicate that only a maximum of 2.5 × 3 √ w × h plain images are needed to decipher the chaotic index sequence lx, and only a maximum of six plain images are needed to decipher secret keys α, β, γ. Therefore, only a maximum of 2.5 × 3 √ w × h + 6 is needed to crack the cipher image with w × h resolution.

Numerical Simulation Experiments
In the numerical simulation experiments, the secret keys are set as key 0 = 0.34, µ 0 = 3.9, α = 20, β = 37, γ = 46, the image is with 512 × 512 resolution. According to the steps for deciphering the image chaotic encryption algorithm given in Section 4, the deciphering algorithm of the origin cipher is implemented by the C program language. Simulations are operated under a laptop computer with Intel Core i7-8550U CPU (Santa Clara, CA, USA) 1.80 GHz, 8 GB RAM, the operating system is Microsoft Windows 10 (Redmond, WA, USA). Using the original algorithm to encrypt and use the algorithm proposed in this paper to crack an image with size of 512 × 512 takes about 0.115 s and 10.702 s, respectively. Since the encryption process of the algorithm is independent of plaintext and ciphertext, the equivalent key obtained by deciphering any ciphertext image can be used to decipher all ciphertext images of the same resolution. Taking the standard 2D plain gray image Lena, Cameraman, Livingroom as three examples, the plain images, the cipher images, and the deciphered images are shown in Figure 6, respectively. Although the previous analysis is for grayscale images, the original encryption algorithm can be easily extended to encrypt color images by encrypting each of the three channels of the color image as a separate grayscale image. In this case, the attack method proposed in this paper is still valid. Take a real-life image with 1024 × 2048 resolution as an example. Encrypting this image using the original encryption algorithm, it takes about 0.53 s to encrypt the three color channels with the same key, and it takes about 107.36 s to decipher the corresponding ciphertext using the attack method proposed in this paper. Encrypting three color channels with three different sets of keys takes about 1.42 s, and it takes about 318.45 s to decipher the corresponding ciphertext. The results are shown in Figure 7.

Suggestions for Improvement
According to the analysis in Section 3, the original algorithm is insecure and cannot resist the choice of plaintext attack, and the complexity of the attack method is relatively low. To deal with its security defects, the corresponding suggestions for improvement to enhance the security are as follows: (1) Enhance the sensitivity of the encryption algorithm to plaintext and ciphertext. According to the analysis in Section 3, the original algorithm has a universal equivalent key lx, α, β, γ. The original algorithm is not sensitive to both plaintext and ciphertext. The root cause of this defect is that the generation of Latin cubes is independent of plaintext image. This vulnerability can be solved by introducing some statistical properties of plaintext, such as the sum of all pixel values, into the generation phase of the Latin cubes.
(2) The mechanism used in the diffusion phase is too simple to achieve the avalanche effect of cryptography, which makes the encryption algorithm vulnerable to differential attacks. To fulfill this demand, increasing the number of encryption rounds or exploiting some complex diffusion mechanisms are worthy options.

Conclusions
This paper investigates the security of a Latin-bit cube-based image chaotic encryption algorithm. The algorithm adopts a first-scrambling-diffusion-second-scrambling three-stage encryption scheme. Although the designer claims that the algorithm has passed various statistical tests, the security analysis results in this paper demonstrate that the algorithm has some security vulnerabilities. In particular, the generation of Latin cubes is independent of plain image, and the change in the number of bits in the cipher image follows the change of any one bit in the plain image with obvious regularity. Thus, the equivalent secret keys lx, α, β, γ can be cracked by a chosen plaintext attack and differential attack. Only a maximum of 2.5 × 3 √ w × h + 6 plain images are needed to decipher the equivalent secret keys. Theoretical analysis and numerical simulation experiment results verify the effectiveness of the analytical method.

Conflicts of Interest:
The authors declare no conflict and interest.