Cryptanalysis of a New Chaotic Image Encryption Technique Based on Multiple Discrete Dynamical Maps

Recently, a new chaotic image encryption technique was proposed based on multiple discrete dynamic maps. The authors claim that the scheme can provide excellent privacy for traditional digital images. However, in order to minimize the computational cost, the encryption scheme adopts one-round encryption and a traditional permutation–diffusion structure. Cryptanalysis shows that there is no strong correlation between the key and the plain image, which leads to the collapse of the cryptosystem. Based on this, two methods of chosen-plaintext attacks are proposed in this paper. The two methods require 3 pairs and 258 pairs of plain and cipher images, respectively, to break the original encryption system. The simulation results show the effectiveness of the two schemes.


Introduction
In this era of big data, information security has always been a sensitive topic [1]. Image files, as one of the most typical kinds of multimedia information, will inevitably pass through unstable and unsafe channels, probably resulting in information leakage. Criminals intercept important information by certain technical means to change and transmit it at will, causing a series of information security problems [2]. Over the years, a large number of researchers have proposed a variety of image encryption ideas and strived to solve the security of image transmission. Among them, chaos-based methods are more suitable for image encryption than DES [3] and AES [4] because of the characteristics of pseudo-randomness and sensitivity. Therefore, chaos-based image encryption schemes have sprung up owing to the researchers who are investing a lot of time and effort in this field [5][6][7][8][9][10][11][12].
So far, many chaos-based image encryption schemes have been based on the permutation-diffusion structure proposed by Fridrich [13]. However, some encryption schemes [14][15][16][17][18] are insecure and have been cracked by some researchers with known/chosen-ciphertext attacks or known/chosen-plaintext attacks [19][20][21][22][23]. Hu et al. in [17] found security vulnerabilities in the scheme [24] and carried out cryptanalysis and improvement. In the improved scheme, different secret keys were proposed to eliminate vulnerabilities in two rounds of diffusion. However, this scheme was still cracked by Li et al. in [25], who found a linear relationship of diffusion and used chosen-plaintext attacks. These broken encryption schemes are problematic because the key is fixed; it cannot be adapted to different plain images. At this point, the plain/cipher images can be constructed. The generated plain/cipher is then used to infer the key. To overcome this shortcoming, Hsiao et al. in [26] proposed a color image encryption scheme that uses the sum of plain image pixels to enhance the secret key space. The sum of its pixels (Mod 256) is set as the basic parameter of chaotic sequence. Since the sum of

Majid's Encryption Scheme
The specific steps are as follows:
Step 1 Input a 256 × 256 × 3 plain image, divide it into three channels, and then separate the single-channel image into 32 × 32 blocks.
Step 2 Generate a chaotic sequence using a two-dimensional Henon chaotic map and perform pixel permutation within blocks of each channel in order.
Step 3 Perform random permutation between blocks of each channel orderly.
Step 4 Use a circle chaotic map to execute the first diffusion for each channel.
Step 5 Use a Duffing chaotic map to execute the second diffusion for each channel.

Cryptanalysis
This section mainly introduces the preparation work and two schemes to eliminate the diffusion effect and obtain equivalent displacement mapping. The feasibility of the two schemes is verified by simulation experiments.

Preparations
Proposition 1. For the encryption scheme of the permutation-diffusion structure, using the all-zero image can break the diffusion transform to obtain the equivalent diffusion matrix.
Proof. Assuming that the plain image of 256 × 256 × 3 is P i , the permutation transformation expression is defined as: where F i (.) is the permutation transform of the image, S is the permutation-only image of plain image P i . During the permutation transformation, the pixel value P i (i, j) in the plain image only corresponds to the pixel value S(i, j) in the permutation-only image of row i and column j. The expression of image diffusion transformation is as follows: where ⊕ is the XOR operation, D i is the diffusion matrix, and D is the image after diffusion transformation. Finally, the cipher image C i corresponding to the plain image P i is obtained as shown in Equation (8).
The permutation phase will not change the original pixel value of the image but simply changes the pixel position of the previous image. A plain image of all zero pixels is still with all zero pixels after permutation. Then, one will obtain the cipher image C 0 from the all-zero image P 0 after the diffusion step.
It can be seen that after a round of permutation and diffusion of all-zero image P 0 , the cipher image C 0 obtained at this time is exactly equal to diffusion matrix D i . Then, the permutation-only image S can be obtained by XOR operation in Equation (10). Proof.
where D 1 is the first diffusion matrix and D 2 is the second diffusion matrix. At this time, according to the reversible operation of XOR, the XOR result of the next two matrices is calculated firstly as follows: Finally, the pixel value of D i (i, j) is obtained and XOR operation is performed with the pixel value of S(i, j). Then,
Proposition 3. Suppose a plain image is denoted by P 1 , and P 2 is obtained by changing n pixels of image P 1 . Then, P 1 and P 2 are encrypted to obtain the cipher images C 1 and C 2 . So, C 1 and C 2 will have n different pixel values. The pixel value of each position in the plain image is one-to-one mapped to the pixel value of a certain position in the cipher image, that is, there is a mapping relationship between them.
Proof. The encryption process for plain image P 1 is as follows: where F 1 is the first intra-block pixel displacement and F 2 is the second inter-block displacement. Image S 1 represents the permutation-only image after two permutations, K 1 is the diffusion XOR matrix for the first time, and K 2 is the diffusion XOR matrix for the second time. Position (i , j ) is the transposition of Position (i, j). The encryption process for plain image P 2 is as follows: According to proposition 2, image S 1 and S 2 after two diffusions can be considered equivalent to those being processed by one linearly transformed diffusion.
where K (i , j ) is the XOR result of K 1 (i , j ) and K 2 (i , j ). Since the permutation rules for P 1 and P 2 are the same, the permutation positions for P 1 and P 2 are the same. Now, assuming that the number of different pixel values n = 1, there is only one different pixel value at (i , j ) between P 1 and P 2 . Therefore, in XOR, all pixels at the same positions will have the same values, except the one at (i , j ). Then, Change the pixel values of P 1 (1,1) and P 1 (1,2) to obtain image P .
The image P is encrypted to obtain the cipher image C 51 , and the image P is encrypted to obtain the cipher image C 52 . There are two different pixels between C 1 and C 51 .
In this case, C 56 has two non-zero values, the positions of the two non-zero values are represented by (X 11 , Y 11 ) and (X 12 , Y 12 ), where X represents the row and Y represents the column. These two non-zero values are the encrypted positions of P (1,1) and P (1,2).
There are two different pixels between C 1 and C 52 .
In this case, C 57 has two non-zero values, the positions of the two non-zero values are represented by (X 13 , Y 13 ) and (X 14 , Y 14 ). These two non-zero values are the encrypted positions of P (1,1) and P (1,3).
So, (X 11 , Y 11 ) is the same position as (X 13 , Y 13 ), and (X 12 , Y 12 ) is different from (X 14 , Y 14 ). The comparison between C 51 and C 52 shows that there is only one pixel difference.

Method 1
In the original encryption scheme, a 256 × 256 × 3 plain image P was used, which was divided into three channel images: The color cipher image C is obtained by merging the three channels. The original encryption scheme is expressed as follows: where F 1 is the first intra-block pixel permutation and F 2 is the second inter-block permutation. In the original encryption scheme, the same permutation matrices F 1 and F 2 were used for the three channels. Matrix K 1 is the same matrix used for the first diffusion of the three channels, while K 2 , K 3 , and K 4 are the same for the second diffusion of the three channels. Since the original scheme used different diffusion matrices for P R , P G and P B , it is necessary to consider the matrices used in the two diffusions. According to proposition 2, two diffusion matrices are transformed into one diffusion matrix for XOR operation. where K 12 is the XOR matrix of K 1 and K 2 , K 13 is the XOR matrix of K 1 and K 3 , and K 14 is the XOR matrix of K 1 and K 4 . As shown in Figure 1, the position of the plain image is still one-to-one mapped to a certain position of the second permutation-only image. So, the two permutation matrices F 1 and F 2 can be linearly transformed into a permutation matrix F, as shown in the following formula:
Then, we can construct an all-zero image P 0 of size 256 × 256 × 3 and use the all-zero matrix to obtain the diffusion matrix. The constructed all-zero image P 0 is shown as follows: We divide the image P 0 into three channels and i=1, j=1 . After encryption, the cipher images of the three channels are An all-zero matrix is still an all-zero matrix after permutation. As follows, Equation (29) can be transformed into Equation (30). According to proposition 1, three diffusion matrices K 12 , K 13 and K 14 can be obtained.
The process of obtaining three diffusion matrices is shown in Figure 2. The all-zero image P 0 is encrypted to obtain the merged cipher image C 0 . The three channel images C R 0 , C G 0 and C B 0 of cipher image C 0 can be transformed into three diffusion matrices K 12 , K 13 and K 14 .
where
In method 1, the obtained diffusion matrix is used to eliminate the diffusion effect, and the main steps are described as follows:
Step 1 Construct an all-zero image P 0 with 256 × 256 × 3, and the influence of two permutations is eliminated by the all-zero matrix.
Step 3 Then, permutation-only images can be obtained through Equation (32). In the cipher image C, the red channel image C R XORed with diffusion matrix K 12 is the permutation-only image S R , the green channel image C G XORed with diffusion matrix K 13 is the permutation-only image S G , and the blue channel image C B XORed with diffusion matrix K 14 is the permutation-only image S B . Three channel images, S R , S G , and S B , are merged to obtain the color permutation-only image S.

Obtain Equivalent Permutation Mapping
In the previous section, the effects of diffusion can be eliminated by means of methods 1 and 2. In this way, we can obtain a permutation-only image of all the cipher images.
In this section, the substitution matrices F 1 and F 2 used in P R , P G and P B in the original encryption scheme are the same. Two permutation matrices, F 1 and F 2 , can be linearly transformed into one permutation matrix, F, so the permutation matrix F of each of the three channels is universal.
Cryptanalysis is used in [34] to obtain equivalent permutation matrices on the basis of a permutation-only image. Therefore, we can construct the chosen-plaintext image to obtain the corresponding equivalent permutation mapping F , so that we can eliminate the influence of two permutations and the plain image P can be restored.
Based on Lemma 1 in [35], equivalent permutation mapping can be revealed by n pairs of plain/cipher images.
where g is the gray level of the image and M and N are the rows and columns of the plain image. In the original encryption scheme, 256 × 256 × 3 plain image is used, which is divided into three 256 × 256 channels for permutation transformation. The size of each channel is 256 × 256, which is a total of 65,536 pixel values. Therefore, g = 256, M = 256, N = 256, n pairs of plain/cipher images can be obtained from Equation (37).
By calculating n = 2, the corresponding equivalent permutation map F can be solved by using two pairs of plain/cipher images.
The three channel images P R , P G , and P B are stretched into column vectors, which can be expanded to a two-digit representation in base 256.
where the element (a1)(a2) corresponds to 256 × a1 + a2 of A. The chosen-plaintext image A is divided into two bitplane images, A 1 and A 2 . Then, A 1 and A 2 are used to construct 2 pairs of plain/cipher images. Two cipher images C A1 and C A2 are obtained by encrypting two plain images, A 1 and A 2 . Plain image A 1 is divided into three channel images: and $C_{b2} = \{C_{b2}(i, j)\}_{i=1, j=1}^{256,256}$. After the Equation (41) transformation, the red channel images A r1 and A r2 are transformed into matrices $P_{r1} = \{P_{r1}(i, j)\}_{i=1, j=1}^{256,256}$. Transforming the green channels A g1 and A g2 into matrices $P_{g1} = \{P_{g1}(i, j)\}_{i=1, j=1}^{256,256}$, the blue channel images A b1 and A b2 are transformed into a matrix By method 1 or 2, the permutation-only images i=1, j=1 of C r1 , C g1 and C b1 are obtained, and permutation-only images Then, it can be observed that all elements in image S r are the permutation order of image P r1 , all elements in image S g are the permutation order of image P g1 , and all elements in image S b are the permutation order of image P b1 . We know that the permutation matrices of the three channels are the same, and any of the three channels are stretched row by row to form a vector $F' = \{F'(i)\}_{i=1}^{66,256}$. Therefore, F′ is an equivalent permutation mapping. Figure 6 shows the flow to obtain this equivalent permutation mapping F′. The main steps of equivalent permutation mapping are described as follows:
Step 1 Two plain images A 1 and A 2 were encrypted to obtain two cipher images: C A1 and C A2 . The cipher image C A1 is divided into three channel images: C r1 , C g1 , and C b1 . The cipher image C A2 is divided into three channel images: C r2 , C g2 , and C b2 .
Step 2 By using method 1 or 2, the permutation-only images S r1 , S g1 , and S b1 of C r1 , C g1 , and C b1 are obtained first, and after that, the permutation-only images S r2 , S g2 , and S b2 of C r2 , C g2 , and C b2 are obtained.
Figure 6. The flow chart to obtain this equivalent permutation mapping.
Method 1 (i) Three equivalent diffusion matrices, K 12 , K 13 , and K 14 , are known. The red channel image C r1 is XORed with the diffusion matrix K 12 of the cipher image C A1 to obtain the permutation-only image S r1 . The green channel image C g1 is XORed with the diffusion matrix K 13 to obtain the permutation-only image S g1 , and the blue channel image C b1 is XORed with the diffusion matrix K 14 to obtain the permutation-only image S b1 .
(ii) The red channel image C r2 is XORed with the diffusion matrix K 12 of the cipher image C A2 to obtain the permutation-only image S r2 . The green channel image C g2 is XORed with the diffusion matrix K 13 to obtain the permutation-only image S g2 , and the blue channel image C b2 is XORed with the diffusion matrix K 14 to obtain the permutation-
Method 2 (i) The cipher image C A1 is divided into three channel images: C r1 , C g1 , and C b1 . The permutation-only images S r1 , S g1 , and S b1 of the three channel images are retrieved by Equations (45) and (46).
(ii) The cipher image C A2 is divided into three channel images: C r2 , C g2 and C b2 . The permutation-only images S r2 , S g2 , and S b2 of the three channel images are retrieved by Equations (47) and (48).
Step 3 Image S r , S g and S b are obtained from Equation (42). Any of the three channel images are stretched row by row to form $F' = \{F'(i)\}_{i=1}^{66,256}$. Therefore, F′ is an equivalent permutation mapping. Figure 7 shows the permutation-only images of the constructed plain images A 1 and A 2 , where the first column is the plain images A 1 and A 2 , the second column is the encrypted images of the first column, and the third, fourth, and fifth columns are permutation-only images of the three channels retrieved from the second column. Since the permutation maps of the three channels in the original encryption scheme are the same, the permutation-only images of the three channels are the same.

Figure 7. Obtain the permutation-only images of the chosen plain image: the first column (a1,b1) is the constructed plain images A 1 and A 2 ; the second column (a2,b2) is the corresponding cipher images; the third column (a3,b3), the fourth column (a4,b4), and the fifth column (a5,b5) retrieve the second column for three channels of permutation-only images.

Summary of the Attack Strategy
In this section, we provide a detailed overview of the attack process in methods 1 and 2.

Detailed Process of Method 1
Step 1 Based on propositions 1 and 2, the three equivalent diffusion matrices K 12 , K 13 and K 14 are obtained from the all-zero image (shown in Figure 2) as described in Section 3.2.1. The diffusion effect is eliminated through the known matrices K 12 , K 13 and K 14 . Then the permutation-only images of the three channel images C R , C G and C B are obtained through the three matrices as shown in the sub-steps (shown in Figure 3).

Sub-Steps
XORing the red channel image C R with the equivalent diffusion matrix K 12 gives the permutation-only image S R , XORing the green channel image C G with the diffusion matrix K 13 gives the permutation-only image S G , and XORing the blue channel image C B with the diffusion matrix K 14 gives the permutation-only image S B .
Step 2 The equivalent permutation mapping F′ can be obtained from 2 pairs of plain/cipher images (shown in Figure 6) in Section 3.3. The detailed sub-steps are as follows:
Sub-Step 1 Two plain images A 1 and A 2 were encrypted to obtain two cipher images C A1 and C A2 . The cipher image C A1 is divided into three channel images C r1 , C g1 and C b1 . The cipher image C A2 is divided into three channel images C r2 , C g2 and C b2 .
Sub-Step 2 Based on Section 3.2.1, the permutation-only images S r1 , S g1 and S b1 of C r1 , C g1 and C b1 were obtained, and the permutation-only images S r2 , S g2 and S b2 of C r2 , C g2 and C b2 were obtained (shown in Figure 7).
Sub-Step 3 S r , S g and S b are obtained from Equation (42). All the three channels are stretched row by row to form an equivalent permutation mapping F′.
Step 3 Invoke Algorithm 1 to obtain deciphered images P R , P G and P B . Merge the three channel images for obtaining image P.
Algorithm 1 Obtain the decrypted image P.
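The three-image attack of method 1 on a single 256 × 256 channel, written out as an added example (it is not the paper's Algorithm 1 or Majid's code). As assumptions, Python's `random` stands in for the Henon, circle and Duffing maps, F 1 and F 2 are arbitrary fixed permutations, and all function names are hypothetical.

```python
import random

G = 256            # gray levels per pixel
N = 256 * 256      # pixels in one 256 x 256 channel, flattened row by row


def make_key(seed):
    """Toy key schedule (assumption): random.Random stands in for the
    chaotic maps. Nothing generated here depends on the plain image."""
    rng = random.Random(seed)
    f1, f2 = list(range(N)), list(range(N))
    rng.shuffle(f1)                              # stand-in for intra-block F1
    rng.shuffle(f2)                              # stand-in for inter-block F2
    k1 = [rng.randrange(G) for _ in range(N)]    # first diffusion matrix
    k2 = [rng.randrange(G) for _ in range(N)]    # second diffusion matrix
    return f1, f2, k1, k2


def encrypt(plain, key):
    """One round: two permutations, then two XOR diffusions."""
    f1, f2, k1, k2 = key
    s = [0] * N
    for i, pixel in enumerate(plain):
        s[f2[f1[i]]] = pixel                     # permutation-only image S
    return [v ^ a ^ b for v, a, b in zip(s, k1, k2)]


def recover_equivalents(oracle):
    """Method 1 for one channel, using three chosen plain images.
    Returns (k_eq, src): k_eq is the equivalent diffusion matrix and
    src[j] is the plain-image index whose pixel lands at cipher index j."""
    k_eq = oracle([0] * N)               # all-zero image: cipher == K1 xor K2
    a1 = [i // G for i in range(N)]      # high base-256 digit of each index
    a2 = [i % G for i in range(N)]       # low base-256 digit of each index
    s1 = [c ^ k for c, k in zip(oracle(a1), k_eq)]   # permutation-only images
    s2 = [c ^ k for c, k in zip(oracle(a2), k_eq)]
    src = [G * hi + lo for hi, lo in zip(s1, s2)]
    return k_eq, src


def decrypt_without_key(cipher, k_eq, src):
    """Undo the diffusion with k_eq, then undo the permutation with src."""
    plain = [0] * N
    for j, c in enumerate(cipher):
        plain[src[j]] = c ^ k_eq[j]
    return plain


def run_demo(seed=2021):
    """Returns (image recovered exactly?, number of chosen-plaintext queries)."""
    key = make_key(seed)
    queries = []

    def oracle(image):                   # chosen-plaintext encryption oracle
        queries.append(1)
        return encrypt(image, key)

    k_eq, src = recover_equivalents(oracle)
    secret = [(i * 37 + 11) % G for i in range(N)]   # constructed test image
    recovered = decrypt_without_key(encrypt(secret, key), k_eq, src)
    return recovered == secret, len(queries)


if __name__ == "__main__":
    print(run_demo())
```

The recovery works only because `make_key` never looks at the plain image; once the permutation or the diffusion depends on the image being encrypted, the matrix learned from the all-zero query no longer applies to other images.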

Detailed Process of Method 2
Step 1 Based on proposition 3, one can construct 256 different plain images {P x }, x = 0, …, 255, and encrypt them to obtain 256 different cipher images {C x }, x = 0, …, 255 (shown in Figure 4) in Section 3.2.2. For the three channel images C R , C G and C B of the given cipher image C, Equations (34) and (35) are used to eliminate the diffusion effect. The permutation-only images S R , S G and S B of the three channels are retrieved (shown in Figure 5).
Step 2 The equivalent permutation mapping F′ can be obtained from 2 pairs of plain/cipher images (shown in Figure 6) as described in Section 3.3. The detailed sub-steps are the same as the three sub-steps of step 2 in Section 3.4.1.
Step 3 Invoke Algorithm 1 to obtain deciphered images P R , P G and P B . Then, image P is obtained by merging the three channel images.

Computational Complexity Analysis
In our cryptanalysis, method 1 used three chosen plain images to attack the original encryption scheme, one all-zero image to obtain the diffusion matrix and two chosen plain images to obtain the equivalent permutation mapping. For a cipher image with a size of 256 × 256 × 3, the data complexity is O(3 × 256 × 256 × 3), which is close to O(2^23). Method 2 used 258 chosen plain images to attack the original encryption scheme. A total of 256 chosen plain images were used to eliminate the diffusion effect, and 2 chosen plain images were used to obtain the equivalent permutation mapping. Similarly, for a cipher image with a size of 256 × 256 × 3, the data complexity is O(258 × 256 × 256 × 3), which is close to O(2^26). More remarkably, method 1 is faster, but method 2 can break the diffusion phase of Majid's encryption scheme more subtly.

Experimental Results
The simulation experiment was performed on a personal computer (Intel Core i5-10210U 2.11 GHz CPU, 16 GB). All experiments were carried out using MATLAB R2020a. In the simulation experiments, we used the same initial values as Majid's scheme. The two attack methods are identical in the steps of obtaining the equivalent permutation mapping F′ but different in the steps of eliminating the diffusion effect. We implemented these two attack methods using some different experimental images for accuracy. It can be found from Table 1 that the two methods will cause time differences due to different computational complexity, and different images will also cause time differences in different attack processes. However, the two solutions we proposed are sufficient in terms of real-time requirements. The simulation results of the two attack methods in this paper are shown in Figure 8. Figure 8(a1,b1,c1) are the images of "Lena", "Sailboat", and "Pepper". They are encrypted by the original cryptosystem as plain images, and the encrypted images are shown in Figure 8(a2,b2,c2). Then, we can execute two attack methods, respectively. The encrypted image can be restored to permutation-only images first, and then the decrypted image, as shown in column 3, column 4, and column 5 in Figure 8. Figure 8(a6,b6,c6) show the combined images of the three channels, that is, the recovered decrypted images. After comparison, we find that the decrypted image is consistent with the plain image, which confirms the feasibility of our attack methods.
Figure 8. Experimental results of method 1 and method 2: (a1,b1,c1) are plain images; (a2,b2,c2) are the cipher images of (a1,b1,c1); three channel images (a3-a5) are recovered from (a2); three channel images (b3-b5) are recovered from (b2); three channel images (c3-c5) are recovered from (c2); (a6,b6,c6) final deciphered image.

Conclusions
In this paper, we cryptanalyzed a new chaotic image encryption technique based on multiple discrete dynamic maps, which adopts one-round encryption and a permutation-diffusion structure. (1) The permutation-diffusion structure of one-round execution is found to be insecure because the cipher image generated by the all-zero image is the same as the diffusion matrix of the XOR phase. (2) The original encryption scheme's secret key is irrelevant to the plain image, leading to the successful attack of the two proposed methods. The simulation results show that both of our methods are feasible.
In view of the original encryption scheme, we put forward some reasonable suggestions. (1) There should be strong correlation between the key and the plain image. (2) Multiple rounds of encryption should be adopted since it is difficult to avoid security problems with only one round of encryption. (3) A nonlinear substitution phase should be added to the encryption scheme as appropriate. (4) For the diffusion stage, some pixels in the plain image should be fused to complicate the diffusion, so as to avoid obtaining the diffusion matrix directly.