Cryptanalysis and Improvement of a Chaotic Map-Based Image Encryption System Using Both Plaintext Related Permutation and Diffusion

In theory, high key and high plaintext sensitivities are a must for a cryptosystem to resist the chosen/known plaintext and the differential attacks. High plaintext sensitivity can be achieved by ensuring that each encrypted result is plaintext-dependent. In this work, we make detailed cryptanalysis on a published chaotic map-based image encryption system, where the encryption process is plaintext Image dependent. We show that some designing flaws make the published cryptosystem vulnerable to chosen-plaintext attack, and we then proposed an enhanced algorithm to overcome those flaws.


Introduction
With the rapid progress in digital technology and mobile devices, people have produced more and more user-generated information in these few years; besides texts, most of them are multimedia data, such as images and videos. With the increasing of information security and privacy protection issues, researchers have proposed lots of encryption algorithms [1] against unauthorized access to those user-generated media data.
As suggested in [2], the main techniques used to develop image encryption algorithms can roughly be divided into the following six categories: chaotic map, DNA computing, cellular automata, wavelet transmission, neural networks, and compressive sensing. The extreme initial value sensitivity and high randomness of the chaotic systems make the chaotic maps the most popular tool in digital image encryption algorithms. This is because the chaotic systems have some useful properties, like being ergodic, highly sensitive to initial conditions, and pseudo-randomness, which fit the essential requirements for building a practical cryptosystem [3]. Fridrich [4] proposed the first image encryption algorithm based on a chaotic map in 1998. After that, a large number of digital image encryption algorithms that were based on chaotic maps were proposed [3], and the references therein. Since Liu et al. addressed lots of the chaotic map-based image encryption algorithms published on signal processing and information technology-related Journals before 2019, our following discussions will mainly focus on related works [5][6][7][8][9][10] posted on the Entropy Journal, most recently.
In order to prevent an Image exchanging system from brute force and differential attacks, [5] presented a new image encryption mechanism, in which the Enhanced Logistic Map (ELM) and some simple encryption techniques, such as block scrambling, modified zigzag transformation, and chaotic-map based key generation, are used. The results of encryption are evaluated from six different security measures. The corresponding results demonstrate the security, reliability, efficiency, and flexibility of the proposed method. Sine-Tent map (STM) is intended in [7] to widen the chaotic range and to improve the shambolic performance of one-dimensional (1D) discrete chaotic maps. Based on STM, a novel double S-box based color image encryption algorithm is recommended, which offers better applicability in real-time image encryption. Notice that, in [7], the 256-bit hash value of a randomly sampled noise signal is applied to serve as the one-time initial values of the proposed system. Since there is only one operation, XOR, is used to diffuse the pixels; the encryption process can be executed very fast. [8] presents a chaotic-map based image encryption algorithm, where Logistic and Henon maps are used.
High key and high plaintext sensitivities are a must for a cryptosystem to resist the chosen/known plaintext and the differential attacks. High plaintext sensitivity can be achieved by ensuring that each encrypted result is plaintext-dependent. To reach this goal, [9] suggested that the surrounding of a plaintext image could be surrounded by a sequence generated from the SHA-256 hashed value of the corresponding plaintext. For conquering the same challenges, in [10], both the permutation and the diffusion stages of the proposed color image encryption scheme are related to the original plain image. For keeping high system efficiency, only one round of plaintext tied permutation and diffusion operations are performed for obtaining the cipher image. Moreover, the proposed approach can be applied to real-time image encryption directly since there is no need to send original image dependent security keys to the receiver. Our work is highly inspired by and related to [10]; we will explore it further in the next section.
In general, the analyses of encryption and decryption algorithms show that all of the algorithms, as mentioned above, have a good encryption effect, anti-attack ability, and high security. However, a minor designing flaw may make encryption algorithms vulnerable, even if they are chaotic-based. In the following, we will take the high plaintext sensitivity related work: "A simple Chaotic map-based Image Encryption System Using Both Plaintexts Related Permutation and Diffusion (CIES-UBPRPD)", as proposed by Huang et al. [10], as an example to illustrate our above statement.
In a plain data-dependent cryptosystem, like CIES-UBPRPD, the cryptanalysis complexity is mostly increased. Therefore, the security level of the system will also be enhanced. Even though the experiments given in CIES-UBPRPD [10] showed lots of advantages when compared with conventional approaches, some designing flaws have been found by us. In this work, we first break a simplified version of CIES-UBPRPD with a chosen-plaintext attack, to demonstrate the effect of the discovered flaws. Subsequently, we make a few adjustments on CIES-UBPRPD and show that the modified version does relieve the defect of the original CIES-UBPRPD.
The rest of this paper is organized, as follows. Section 2 briefly describes the process of CIES-UBPRPD. In Section 3, we pointed out some design flaws of CIES-UBPRPD and demonstrated the effects of the weaknesses by issuing a chosen-plaintext attack against a simplified version of it. Afterwards, a modified version of CIES-UBPRPD is provided in Section 4. With the added supplements, the security level and the completeness of CIES-UBPRPD can be enlarged significantly. Some experimental results of the modified CIES-UBPRPD are presented in Section 5, in order to verify our previous claim, where the associated security analysis is also included. Finally, Section 6 concludes this writeup.

Related Work
In the original CIES-UBPRPD [10], all the arrays are started with index one, while in this work, we use an equivalent description but change all array indexes starting from zero. For the ease of discussion, except for the array indexes, most of our notations follow the usage that was adopted in [10]. Arnold's Cat Map (ACM) is a well-known two-dimensional chaotic system proposed by the Russian mathematician Vladimir I. Arnold [11]. ACM is usually replaced by its generalized form to achieve higher security and higher randomness, as shown in Equation (1): where (x, y) and (x , y ) denote the positions of the original pixel and the target pixel, a and b are the system parameters, while M and N are the image's height and width, respectively. After obtaining the target position (x , y ), from Equation (1), the two pixels that are located at (x, y) and (x , y ) will swap their pixel values with each other.

Chebyshev Map
Chebyshev map [12] is a one-dimensional chaotic system that can be formulated, as shown in Equation (2): where x n ∈ [−1, 1] and a ∈ N is again one of the system parameters. For a ≥ 2, chaotic behavior of Equation (2) holds. The initial value x 0 of the above equation is considered as part of the secret key. In CIES-UBPRPD, a is fixed at 4.

Image Encryption Algorithm
On the bases of ACM and Chebyshev map, the above-mentioned Chaotic map-based Image Encryption System-CIES-UBPRPD-was proposed by Huang et al. [10], where the most eye-catching property of the algorithm is its plaintext data-dependent encryption process. The encryption process of the original CIES-UBPRPD consists of the following two stages:

Permutation Stage
Step 1. Iterate the Chebyshev map defined in Equation (2) M × N + n 0 + 9 times, discard the first n 0 terms to avoid the harmful effect, and obtain the chaotic sequence x n , which contains (M × N + 9) elements.
Step 3. Calculate sum r , sum g , and sum b based on the following equations: where P R , P G , and P B represent the Red, Green, and Blue channels of the plain image P, respectively. Step 4. Calculate the system parameters by using the following equations: where (b r , a r ), b g , a g , and (b b , a b ) are pairs of parameters used to permute P R , P G , and P B , respectively. Moreover, mod (x, m) denotes the calculation of "x mod m".
Step 5. Permute P R , P G , and P B using the following modified Cat Map with the corresponding parameters: x where x ∈ {0, 1, · · · , M − 1} and y ∈ {0, 1, · · · , N − 1}. The scanning sequence is started from left to right and from top to bottom. After P R , P G and P B are shuffled, we get the permuted image P * .
Step 3. Calculate C R_P , C G_P , and C B_P by using the following equations: Step 4. Transform C R_P , C G_P , and C B_P into three grayscale images with size M × N, and then merge them into one color cipher image C, with size M × N × 3.
Notice that the permutation processes executed in Step 5 involved parameters sum r , sum g, and sum b , which are input (plaint) image data-dependent (cf. Equations (4) and (5)). Notice that, as pre-described in Section 1, the encryption process only includes one round permutation stage and diffusion stage. Conceptually and theoretically, if the encryption process of a cryptosystem is plaintext data-dependent, the associated cryptanalysis is much complicated. Therefore, the corresponding security level of the system is much enhanced, as compared with its data-independent counterpart.

Image Decryption Algorithm
Similarly, also from [10], the decryption process of the original CIES-UBPRPD consists of the following five steps: Step 1. Transform C R , C G , and C G into three 1D arrays C R_P , C G_P , and C B_P , respectively, by row-major ordering.
Step 5. Reconstruct P R , P G , and P B by using the Cat Maps defined in Equation (1), but now the scanning sequence is started from right to left and from bottom to top.

Cryptanalysis
Cryptanalysis is a must procedure for any cryptosystem to be applied to any real applications. We launched a few analyses on CIES-UBPRPD when we learned it from [10]. This section is organized, as follows. Section 3.1 reports the security weaknesses we found and Section 3.2 presents the attack that we used to break a simplified version of the original CIES-UBPRPD.

Equivalent Classes in Keyspace
After detailed analyses of CIES-UBPRPD, we found that two secret key groups key 1 = (x 0 , k 1 , k 2 , k 3 , n 0 ) and key 2 = x 0 , k 1 , k 2 , k 3 , n 0 could play indistinguishable roles to each other, in the original cryptosystem, if the following conditions are satisfied: For demonstration, here we choose key 1 = (0.7, 784533, 763092, 777777, 1500) and key 2 = (0.7, 353173, 676820, 307761, 1500), which satisfy all of the conditions given in Equation (14). First, we use key 1 to encrypt the benchmark image Lena (left, Figure 1) and obtain the corresponding cipher image (middle, Figure 1). Subsequently, we use key 2 to decrypt the cipher image and obtain the recovered image (right, Figure 1). we use 1 to encrypt the benchmark image Lena (left, Figure 1) and obtain the corresponding cipher image (middle, Figure 1). Subsequently, we use 2 to decrypt the cipher image and obtain the recovered image (right, Figure 1). The above example implies that one can split the set of all keys into equivalence classes that are based on the conditions given in Equation (14), and the effects of keys belonging to the same equivalence classes will be indistinguishable to each other in CIES-UBPRPD. This property shrinks the effective keyspace from (10 16 × (10 12 − 10 5 ) 3 × 1500) ≈ 2 183 to (10 16 × 2 8 × 2 8 × 2 8 × 2 32 × 1500) ≈ 2 120 (since 10 12 ≈ 2 40 , we can assume 1 , 2 and 3 are of 40-bit long), which is far less than what [10] initially claimed.

Low Sensitivity to the Change of Plaintext
Once the secret key group is chosen, and the summation of pixel values in each channel is given, then the parameters used in the Cat Map are always fixed. Having the same settings means that the permutation mapping will be fixed no matter what the plain image is. Furthermore, there is no crosschannel interaction during permutation and diffusion stages in the original CIES-UBPRPD, which suggests that errors inside one channel will not propagate to the other channels. Therefore, we can construct two similar plain images where only their R channels are different, but their sum of R channel remains the same. Additionally the corresponding cipher images of these two images will have no differences in G and B channels. This situation violates the diffusion property that a chaotic-map based cryptosystem is looking for.
For demonstration, we modify the standard Lena image by increasing the first-pixel value by 1 and decreasing the second-pixel value also by 1 in the R channel, and then compare the corresponding cipher image with that of the standard Lena image. The results are shown in Figure 2 and Table 1, the details of two widely used measures, number of pixels change rate (NPCR) and unified average changing intensity (UACI), will be given in Section 5.2.5.  The above example implies that one can split the set of all keys into equivalence classes that are based on the conditions given in Equation (14), and the effects of keys belonging to the same equivalence classes will be indistinguishable to each other in CIES-UBPRPD. This property shrinks the effective keyspace from (10 16 × 10 12 − 10 5 ) 3 × 1500 ≈ 2 183 to 10 16 × 2 8 × 2 8 × 2 8 × 2 32 × 1500 ≈ 2 120 (since 10 12 ≈ 2 40 , we can assume k 1 , k 2 and k 3 are of 40-bit long), which is far less than what [10] initially claimed.

Low Sensitivity to the Change of Plaintext
Once the secret key group is chosen, and the summation of pixel values in each channel is given, then the parameters used in the Cat Map are always fixed. Having the same settings means that the permutation mapping will be fixed no matter what the plain image is. Furthermore, there is no cross-channel interaction during permutation and diffusion stages in the original CIES-UBPRPD, which suggests that errors inside one channel will not propagate to the other channels. Therefore, we can construct two similar plain images where only their R channels are different, but their sum of R channel remains the same. Additionally the corresponding cipher images of these two images will have no differences in G and B channels. This situation violates the diffusion property that a chaotic-map based cryptosystem is looking for.
For demonstration, we modify the standard Lena image by increasing the first-pixel value by 1 and decreasing the second-pixel value also by 1 in the R channel, and then compare the corresponding cipher image with that of the standard Lena image. The results are shown in Figure 2 and Table 1, the details of two widely used measures, number of pixels change rate (NPCR) and unified average changing intensity (UACI), will be given in Section 5.2.5. Table 1. Number of pixels change rate (NPCR) and unified average changing intensity (UACI) Values Between the Two Cipher Images Given in Figure 2.

Chosen-Plaintext Attack
As stated by Bruce Schneier [13], in academic cryptography, a weakness or a break in a scheme is usually defined quite conservatively: it might require impractical amounts of time, memory, or known plaintexts. It also might require the attacker to be able to do things many real-world attackers cannot. For example, the attacker might need to choose particular plaintexts to be encrypted or even to ask for plaintexts to be encrypted while using several keys related to the secret key. Furthermore, it might only reveal a small amount of information, enough to prove the cryptosystem imperfect, but too little to be useful to real-world attackers. Finally, an attack might only apply to a weakened version of cryptographic tools, like a reduced-round block cipher, as a step towards breaking the full system.
Following the principles of cryptanalysis stated above, we now present a chosen-plaintext attack that works if the size of all images equals 256 × 256 pixels.

Extraction of the Permutation Matrix
1. Construct a special plain image , such that 2. Encrypt using CIES-UBPRPD to obtain the corresponding cipher image . We denote the image after permutation stage as * (an intermediate product during the execution of the whole encryption process).

Chosen-Plaintext Attack
As stated by Bruce Schneier [13], in academic cryptography, a weakness or a break in a scheme is usually defined quite conservatively: it might require impractical amounts of time, memory, or known plaintexts. It also might require the attacker to be able to do things many real-world attackers cannot. For example, the attacker might need to choose particular plaintexts to be encrypted or even to ask for plaintexts to be encrypted while using several keys related to the secret key. Furthermore, it might only reveal a small amount of information, enough to prove the cryptosystem imperfect, but too little to be useful to real-world attackers. Finally, an attack might only apply to a weakened version of cryptographic tools, like a reduced-round block cipher, as a step towards breaking the full system.
Following the principles of cryptanalysis stated above, we now present a chosen-plaintext attack that works if the size of all images equals 256 × 256 pixels.

1.
Construct a special plain image P, such that

2.
Encrypt P using CIES-UBPRPD to obtain the corresponding cipher image C. We denote the image after permutation stage as P * (an intermediate product during the execution of the whole encryption process). 3.
Let us use R channel as an example: select two different positions (a, b) and (x, y), where a, b, x, y ∈ {0, 1, · · · , 255} and construct another special plain image P , such that

4.
Encrypt P to obtain its cipher image C . From Section 3.1.2, we knew that P and P share the same parameters used in ACM; thus, they have the same permutation mapping. Let us denote the first position of different values that occurred in C R and C R , following the raster-scan order, as ∆C. It means that P * , which means either P R (a, b) = 0 or P R (x, y) = 2 will be moved to the position ∆C after performing the permutation stage. This property reveals some information regarding the permutation behavior of CIES-UBPRPD. We define ((a, b), (x, y), ∆C) as a tuple of constraints.

5.
Choose a different (a, b) or (x, y), repeat Step 3 to Step 4 several times and collect all of the produced constraint tuples, and then define the associated collection of constraint tuples as a set S.
Using the brute-force searching algorithm, denoted as Algorithm 1 in the following, to find b r andâ r for all of the above chosen plain images, whereâ r = a r mod256. In the specifically considered case, all of the images are of size 256 × 256 × 3, a r , andâ r are equivalent in the permutation stage. Actually, we do not need to know what a r exactly is, but only its last eight bits. If Algorithm 1 outputs more than one candidate pair, let us go back to Step 3 to collect more constrained tuples and iterate this step until only one pair is left. 8.
Making changes to G and B channels, repeat the procedures listed in Step 3 to Step 7 and obtain b g ,â g , b b , andâ b , whereâ g = a g mod256 andâ b = a b mod256. 9.
We denote these three values as 1 , 2 , and 3 , respectively, for convenience.

Extraction of the Diffusion Matrix
First, we convert above-mentioned into 1D array _ by row major ordering. We can now obtain the diffusion matrix , according to is a 1D array transformed from * by row major ordering. Notice that the first element of the diffusion matrix is not used in the cryptosystem, so we can just assign (0) = 0.
So far, we have already extracted 1 , 2 , 3 , and the diffusion matrix , which are all the required information for decrypting the cipher image.

Recovering the Original Plain Image
Assume that the cipher image is with the size 256 × 256 × 3, and the attacker already extracts 1 , 2 , 3 , and the diffusion matrix according to the analyses given above. The attacker can decrypt using the following steps: 1. Transform , , and into three 1D arrays _ , _ , and _ , respectively, in row major ordering. 2. Calculate the required parameters, as follows.

Extraction of the Diffusion Matrix
First, we convert above-mentioned C R into 1D array C R_P by row major ordering. We can now obtain the diffusion matrix D, according to i ∈ {1, 2, · · · , M × N − 1}, and P * R_P is a 1D array transformed from P * R by row major ordering. Notice that the first element of the diffusion matrix is not used in the cryptosystem, so we can just assign D(0) = 0.
So far, we have already extractedk 1 ,k 2 ,k 3 , and the diffusion matrix D, which are all the required information for decrypting the cipher image.

Recovering the Original Plain Image
Assume that the cipher image is C with the size 256 × 256 × 3, and the attacker already extractsk 1 , k 2 ,k 3 , and the diffusion matrix D according to the analyses given above. The attacker can decrypt C using the following steps: 1.
Transform C R , C G , and C B into three 1D arrays C R_P , C G_P , and C B_P , respectively, in row major ordering.

2.
Calculate the required parameters, as follows.
Reconstruct P R , P G , and P B by using ACM, but now the scanning sequence is from right to left and from bottom to top.
We rescale the standard Lena to 256 × 256 × 3 and encrypt it with CIES-UBPRPD, and then crack the cipher image with the proposed chosen-plaintext attack. Figure 3 shows the simulation result. and ∈ {1,2, ⋯ , × − 1}. Subsequently, transform these three arrays into two-dimensional (2D) arrays * , * , and * , respectively. 4. Reconstruct , , and by using ACM, but now the scanning sequence is from right to left and from bottom to top.
We rescale the standard Lena to 256 × 256 × 3 and encrypt it with CIES-UBPRPD, and then crack the cipher image with the proposed chosen-plaintext attack. Figure 3 shows the simulation result.

The Weaknesses of the Original CIES-UBPRPD
We can crack the original CIES-UBPRPD by the chosen-plaintext attack comes from its following weaknesses: 1. Misuse of the modulo operation. A value's remainder divided by 256 equals to the last eight bits in its binary representation. This operation makes the last eight bits of the value more important than the rest parts. This unequal importance in bits gives us a large number of clues for finding the equivalent classes of parameters in CIES-UBPRPD. 2. The parameters used in ACM are not very sensitive to the initial plain images. As we pointed out in Section 3.1.2, images that have the same , , and share the same system parameters. Thus, it is vulnerable to differential attacks. 3. The diffusion matrix (process) depends only on secret keys, but not the plain images. Once we cracked one cipher image and extracted the diffusion matrix, we can use it to decrypt the other cipher images.

The Weaknesses of the Original CIES-UBPRPD
We can crack the original CIES-UBPRPD by the chosen-plaintext attack comes from its following weaknesses:

1.
Misuse of the modulo operation. A value's remainder divided by 256 equals to the last eight bits in its binary representation. This operation makes the last eight bits of the value more important than the rest parts. This unequal importance in bits gives us a large number of clues for finding the equivalent classes of parameters in CIES-UBPRPD.

2.
The parameters used in ACM are not very sensitive to the initial plain images. As we pointed out in Section 3.1.2, images that have the same sum r , sum g , and sum b share the same system parameters. Thus, it is vulnerable to differential attacks.

3.
The diffusion matrix (process) depends only on secret keys, but not the plain images. Once we cracked one cipher image and extracted the diffusion matrix, we can use it to decrypt the other cipher images.

The Enhanced CIES-UBPRPD
In the enhanced encryption algorithm, instead of the summations of pixel values in each channel, the corresponding SHA-256 hashed values are used as one of the features of a plain image, and this replacement still makes the associated diffusion matrix plaintext-dependent. SHA-256 is a secure cryptographic hash that belongs to SHA-2 families. The hash value served as an external secret key; however, it is dangerous to reuse the same external key when encrypting the same image. Therefore, we add a random number with the precision of 10 −16 as an additional input to SHA-256 each time that we calculate the hash value. In this way, we can use the hashing output as a one-time key.

Image Encryption Algorithm
Permutation Stage

1.
Use x 0 as the initial value and iterate the Chebyshev map (n 0 + 131) times, discard the first n 0 elements to avoid the harmful effect, and obtain the chaotic sequences x n , which contain 131 elements. That is, x n = {x 0 , x 1 , · · · , x 130 }.

3.
Calculate the parameters by following equations: Permute P using the following three-dimensional (3D) cat map: where i ∈ {0, 1, · · · , M − 1}, j ∈ {0, 1, · · · , N − 1}, and k ∈ {0, 1, 2} is used to indicate the color channel. The scanning sequence is from R channel to B channel, from left to right and from top to bottom. After this step, we get the permuted image P * .
Diffusion Stage

2.
Use y 0 = cos a+cos b+cos c+cos d+x 0 5 as the new initial value and iterate the Chebyshev map (3 × M × N + n 0 ) times, discard the first n 0 elements and generate another chaotic sequence y n , which contains 3 × M × N elements. That is,

3.
Calculate the diffusion matrices D R , D G , and D B according to:

5.
Transform C R_P , C G_P , and C B_P into three grayscale images with size M × N, and then merge them into color cipher image C with size M × N × 3.
Transform C R , C G , and C G into three 1D arrays C R_P , C G_P , and C B_P respectively, by row-major ordering.

2.
Calculate the chaotic sequence x nq in the same way as the encryption process.

3.
Calculate the parameters a, b, c, d in the same way as the encryption process.

4.
Calculate the diffusion matrices D R , D G , and D B in the same way as the encryption process.

6.
Reconstruct P R , P G , and P B by using 3D cat map in Equation (15), but now the scanning sequence is from B channel to R channel, from right to left, and from bottom to top.

Verification of Encryption and Decryption Algorithms
We apply the proposed algorithm to several testing images (all o f size 512 × 512 × 3) to demonstrate the algorithm's performance. The secret keys are set, as follows: x 0 = 0.3, k 1 = 111111, k 2 = 222222, k 3 = 333333, and n 0 = 1000. Figure 4 shows the encryption and decryption results. From the results, we can say that the cipher images are noise-like and irrelevant to the plain images. , where = (( + + + ) ⊗ ( 1 + 2 + 3 ))mod256 and ∈ {1,2, ⋯ , × − 1} . Subsequently, transform these three arrays into 2D arrays * , * and * , respectively. 6. Reconstruct , , and by using 3D cat map in Equation (15), but now the scanning sequence is from B channel to R channel, from right to left, and from bottom to top.

Verification of Encryption and Decryption Algorithms
We apply the proposed algorithm to several testing images (all 512 × 512 × 3 ) to demonstrate the algorithm's performance. The secret keys are set, as follows: 0 = 0.3, 1 = 111111, 2 = 222222, 3 = 333333, and 0 = 1000. Figure 4 shows the encryption and decryption results. From the results, we can say that the cipher images are noise-like and irrelevant to the plain images.

KeySpace Analysis
Keyspace is defined as the cardinality of the set of all possible keys. Having a large keyspace is an important factor for ensuring a cryptosystem to resist the brute force attack. The best-known attack complexity of SHA-256 is in the order of 2 128 . The range of the rest keys are: 0 ∈ (0,1), 1 , 2 , 3 ∈ [10 5 . . . 10 12 ] and 0 ∈ [1000, 2500]. If 0 has the precision of 10 −16 , the keyspace of the proposed

KeySpace Analysis
Keyspace is defined as the cardinality of the set of all possible keys. Having a large keyspace is an important factor for ensuring a cryptosystem to resist the brute force attack. The best-known attack complexity of SHA-256 is in the order of 2 128 . The range of the rest keys are: x 0 ∈ (0, 1), k 1 , k 2 , k 3 ∈ 10 5 ...10 12 and n 0 ∈ [1000, 2500]. If x 0 has the precision of 10 −16 , the keyspace of the proposed scheme can reach to 2 128 × 10 16 × 10 12 − 10 5 × 10 12 − 10 5 × 10 12 − 10 5 × 1500 ≈ 2 311 , which is much larger than 2 100 and enough to make the brute force attack invalid.

Histogram Analysis
An image's histogram reflects the distribution of its pixels' intensity values, which reveals some statistical information of the image to attackers. To against statistical attacks, the histogram of cipher images generated from a secure encryption system should be flat. The distributions of cipher images' histograms are close to uniformly, indicating that the cipher images are nearly random, and it is rather tough to retrieve any useful statistical information from them, as we can see in Figures 5 and 6.

Correlation Analysis
In a natural image (or plain image), two adjacent pixels usually have strong correlation with each other. In contrast, the correlation coefficient of a cipher image should be decreased to zero in order to prevent statistical attacks. We use Equation (16) to measure the correlation of all adjacent pixels at horizontal, vertical, diagonal, and anti-diagonal directions: Here, x and y are the two adjacent pixel values and N is the number of pairs of adjacent pixels.
The correlation coefficients of all plain images are close to 1, while those of cipher images are nearly 0, as shown in Table 2. Furthermore, we randomly select 2000 pairs of adjacent pixels at the four specific directions from the R channel of the standard Lena image and its corresponding cipher image, and then plot the scatter diagrams in Figure 7. Here, and are the two adjacent pixel values and is the number of pairs of adjacent pixels. The correlation coefficients of all plain images are close to 1, while those of cipher images are nearly 0, as shown in Table 2. Furthermore, we randomly select 2000 pairs of adjacent pixels at the four specific directions from the R channel of the standard Lena image and its corresponding cipher image, and then plot the scatter diagrams in Figure 7.

Key Sensitivity Analysis
A cryptosystem might suffer from differential attacks if cipher images that are generated from different keys are similar. Thus, a secure encryption algorithm should be highly sensitive to all keys, which means even a tiny change in the secret key will lead to a completely different cipher image. Figure 4 illustrates the plain, cipher, and decrypted Lena images. We change H, x 0 , k 1 , k 2 , k 3 , and n 0 by one bit (i.e., 10 −16 for x 0 and 1 for H, k 1 , k 2 , k 3 and n 0 ) to obtain six new cipher images, and the results are shown in Figure 8. Figure 9 shows the differential results between these six cipher images and the cipher image obtained in Figure 4b. Furthermore, we use the six one-bit difference key groups to decrypt Figure 4b, and the decrypting results are shown in Figure 10. different keys are similar. Thus, a secure encryption algorithm should be highly sensitive to all keys, which means even a tiny change in the secret key will lead to a completely different cipher image. Figure 4 illustrates the plain, cipher, and decrypted Lena images. We change , 0 , 1 , 2 , 3 , and 0 by one bit (i.e., 10 −16 for 0 and 1 for , 1 , 2 , 3 and 0 ) to obtain six new cipher images, and the results are shown in Figure 8. Figure 9 shows the differential results between these six cipher images and the cipher image obtained in Figure 4b. Furthermore, we use the six one-bit difference key groups to decrypt Figure 4b, and the decrypting results are shown in Figure 10.   . The Differential Results Between the Six Cipher Images given in Figure 8 and the Cipher Image has given in Figure 4b. Notice that, without notation confusion, the Original Ciphertext Lena Image is denoted as Image c, here. Figure 9. The Differential Results Between the Six Cipher Images given in Figure 8 and the Cipher Image has given in Figure 4b. Notice that, without notation confusion, the Original Ciphertext Lena Image is denoted as Image c, here.
(d) |c−c4| (e) |c−c5| (f) |c−c6| Figure 9. The Differential Results Between the Six Cipher Images given in Figure 8 and the Cipher Image has given in Figure 4b. Notice that, without notation confusion, the Original Ciphertext Lena Image is denoted as Image c, here.

Plaintext Sensitivity Analysis
Similar to key sensitivity, a secure encryption algorithm should also be very sensitive to plain images. We use NPCR (number of pixels change rate) and UACI (unified average changing intensity) to measure the difference between two cipher images, which are defined, as follows: and c 1 and c 2 are two cipher images. The theoretical values of NPCR and UACI between two different cipher images are 99.6094% and 33.4635%, respectively. We evaluate plaintext sensitivity, as follows. First, we randomly select x 0 , k 1 , k 2 , k 3 , n 0 from the keyspace, encrypt the test image p 1 , and with it to get the cipher image c 1 . Second, we randomly select a position in p 1 , increasing each channel's value by 1 in some places to obtain a modified image p 2 . Next, we encrypt p 2 to obtain a cipher image c 2 . Subsequently, calculate the NPCR and UACI values between c 1 and c 2 . Repeat this process 200 times and list the averaged NPCR and UACI values in Table 3. Both the averaged NPCR and UACI values for all tested images are very close to their theoretical optimal ones, which means the enhanced CIES-UBPRPD algorithm do sensitive to the plain input images, as shown in Table 3.

Robustness Analyses
Cipher images can easily be polluted during the transmission through a public channel, as pointed out by one of the anonymous reviewers; therefore, the robustness of a secure image encryption scheme is also an essential performance merit. For testing the robustness of the proposed image encryption scheme, the noise-adding attack and the partial occlusion attack in the ciphertext domain are investigated.
(a) Noise-adding Attack: the ciphered and the de-ciphered images that are presented in Figure 11 are obtained based on the enhanced CIES-UBPRPD, in which the testing ciphertext images have been contaminated by adding with different degrees of salt-and-pepper noises. For performance analysis, we employ the widely used Peak Signal-to-Noise Ratio (PSNR) to evaluate the algorithm's restoring ability. That is where, O is the decrypted image obtained from the clean cipher image and D is the decrypted image obtained from the polluted cipher image. Generally, a higher PSNR indicates a better quality or ability of reconstruction. Table 4 shows the PSNRs of the proposed approach against the noise-adding attack. (b) Partial-occlusion Attack. The ciphered and the de-ciphered images that are presented in Figure 12 are obtained based on the enhanced CIES-UBPRPD, in which the testing ciphertext images have been contaminated by occluding some parts of them (i.e., zeroing out those pixel values) that are depicted by the black segments. Similar to the noise-adding attack, PSNR is used to evaluate the proposed approach's restoring ability against this attack, as shown in Table 5. , O is the decrypted image obtained from the clean cipher image and D is the decrypted image obtained from the polluted cipher image. Generally, a higher PSNR indicates a better quality or ability of reconstruction. Table 4 shows the PSNRs of the proposed approach against the noise-adding attack.
(a) Clean Cipher Image (b) Cipher Image with (c) Cipher Image with (d) Cipher Image with Noise-density 0.1 (10%) Noise-density 0.2 Noise-density 0.3 (e) de-ciphered image of (a) (f) de-ciphered image of (b) (g) de-ciphered image of (c) (h) de-ciphered image of (d) Figure 11. Robustness of the Proposed Approach Against the Noise-adding Attack. (b) Partial-occlusion Attack. The ciphered and the de-ciphered images that are presented in Figure 12 are obtained based on the enhanced CIES-UBPRPD, in which the testing ciphertext images have been contaminated by occluding some parts of them (i.e., zeroing out those pixel values) that are depicted by the black segments. Similar to the noise-adding attack, PSNR is used to evaluate the proposed approach's restoring ability against this attack, as shown in Table 5. (a) Clean Cipher Image (b) Cipher Image with (c) Cipher Image with (d) Cipher Image with Noise-density 0.1 (10%) Noise-density 0.2 Noise-density 0.3 (e) de-ciphered image of (a) (f) de-ciphered image of (b) (g) de-ciphered image of (c) (h) de-ciphered image of (d) Figure 11. Robustness of the Proposed Approach Against the Noise-adding Attack. (b) Partial-occlusion Attack. The ciphered and the de-ciphered images that are presented in Figure 12 are obtained based on the enhanced CIES-UBPRPD, in which the testing ciphertext images have been contaminated by occluding some parts of them (i.e., zeroing out those pixel values) that are depicted by the black segments. Similar to the noise-adding attack, PSNR is used to evaluate the proposed approach's restoring ability against this attack, as shown in Table 5. (e) de-ciphered image of (a) (f) de-ciphered image of (b) (g) de-ciphered image of (c) (h) de-ciphered image of (d) Figure 12. Robustness of the Proposed Approach Against the Partial-occlusion Attack. From Figures 11 and 12, we can still recognize the de-ciphered images, even if the clean cipher images are contaminated by noise-adding or partial-occlusion attacks. This implies that the robustness of the enhanced CIES-UBPRPD is acceptable to practical image security applications.  From Figures 11 and 12, we can still recognize the de-ciphered images, even if the clean cipher images are contaminated by noise-adding or partial-occlusion attacks. This implies that the robustness of the enhanced CIES-UBPRPD is acceptable to practical image security applications.

Discussions
In the past few years, combining both compression and encryption in a single algorithm to reduce the complexity is a new tempting approach for securing data during transmission and storage [14][15][16][17][18]. This new approach aims to extend the functionality of compression algorithms to achieve both compression and encryption simultaneously in a single process without an additional encryption stage. Employing the new combined simultaneous compression-encryption approach highly reduces the required resources for encryption (computational and power resources), according to [15] and [18]. Owing to such an attractive property, lots of works are devoted to this topic [19][20][21][22][23], some of them are also chaotic map based. In [22], we proposed three techniques for enhancing various chaos-based joint compression and encryption (JCAE) schemes. They respectively improved the execution time, compression ratio, and estimation accuracy of three different chaos-based JCAE schemes. However, all of the above-mentioned works are plain image independent. Therefore, for enhancing the security level further, how to design an effective plain Image dependent JCAE scheme is one of our future research directions.
Since steganography can also be utilized to conceal the private information, such as to provide privacy protection of medical images, as pointed out by one of the anonymous reviewers, besides Image Encryption and Decryption, Image Steganography is another worthy of noticing area in the field of Image Security. Interested readers are referred to the following informative writeups, although it is not within the scope of this work [24,25].

Conclusions
In this paper, we make detailed cryptanalysis on a published chaotic map-based image encryption system, where the encryption process is plaintext Image dependent. We show that some designing weaknesses make the published cryptosystem vulnerable to chosen-plaintext attack, and we then proposed an enhanced algorithm to overcome those weaknesses.
In summary, we use the SHA-256 hash value instead of the sum of each channel as a "plaintext feature", so the enhanced CIES-UBPRPD has higher plaintext sensitivity than its original counterpart. Moreover, the newly proposed encryption process includes the cross-channel interaction, which can resist the Chosen Plaintext Attack that we launched. Since the SHA-256 hash value also serves as an external key, making the improved Keyspace reaches to 2 311 , which is larger than the effective Keyspace 2 120 of the original CIES-UBPRPD. Besides the security and the robustness, we also take the execution time into account to provide a full performance baseline for comparing the original and the proposed image encryption algorithms, as suggested by one of the anonymous reviewers. Since the calculation amount of the enhanced CIES-UBPRPD is larger than that of the original CIES-UBPRPD, as shown in Table 6, the execution time of the proposed algorithm will be slightly slower than that of its original counterpart. Our implementation is conducted on Intel Core i7-8700 CPU @ 3.2GHz and 32GB RAM with Windows 10 OS, and written in Python. The value of the proposed algorithm for practical usage in image security is justified, according to the security, the robustness, and the timing performance analyses. Finally, since the currently proposed chosen-plaintext attack can be only effective to all RGB-Colored images of size 256 × 256 pixels, finding an attack that can be applied to more general cases is one of the possible future extensions. We humbly hope that this paper will remind researchers to pay more attention when building their chaotic-based image encryption algorithms in the future.

Conflicts of Interest:
The authors declare no conflict of interest.