Security Analysis of a Color Image Encryption Algorithm Using a Fractional-Order Chaos

Fractional-order chaos has complex dynamic behavior characteristics, so its application in secure communication has attracted much attention. Compared with the design of fractional-order chaos-based cipher, there are fewer researches on security analysis. This paper conducts a comprehensive security analysis of a color image encryption algorithm using a fractional-order hyperchaotic system (CIEA-FOHS). Experimental simulation based on excellent numerical statistical results supported that CIEA-FOHS is cryptographically secure. Yet, from the perspective of cryptanalysis, this paper found that CIEA-FOHS can be broken by a chosen-plaintext attack method owing to its some inherent security defects. Firstly, the diffusion part can be eliminated by choosing some special images with all the same pixel values. Secondly, the permutation-only part can be deciphered by some chosen plain images and the corresponding cipher images. Finally, using the equivalent diffusion and permutation keys obtained in the previous two steps, the original plain image can be recovered from a target cipher image. Theoretical analysis and experimental simulations show that the attack method is both effective and efficient. To enhance the security, some suggestions for improvement are given. The reported results would help the designers of chaotic cryptography pay more attention to the gap of complex chaotic system and secure cryptosystem.


Introduction
Nowadays, with the rapid development of optical fiber broadband access network, 5G and other communication technologies, the security of multimedia data, especially digital images, is of particular interest in communication networks [1]. As everyone knows, encryption is an effective means of achieving security enhancements [2]. However, traditional text encryption algorithms such as AES, DES, and IDEA are not suitable for digital images because they featured with strong correlation between adjacent pixels. To deal with the problem, various methodologies are introduced to design different image ciphers. Among them, chaos-based image encryption is the most popular one, because chaos has characteristics of sensitivity to initial values, dense periodic points, and long-term unpredictability of orbits [3][4][5]. In the past two decades, chaotic image encryption technology has been widely discussed and has become a research hotspot [6]. To improve the security performance of chaotic image encryption technology, various chaotic systems with resistance to dynamic degradation are studied, including quantum chaotic map [7], fractional-order chaos [8], non-degenerated hyperchaos [9], economic chaotic map [10], and cascaded chaotic systems [11], etc. However, chaotic cryptography still lacks authoritative metrics, especially in terms of security. Accordingly, many reported chaotic encryption algorithms have been broken [12][13][14][15]. As shown in Table 1, some previous chaos-based ciphers are vulnerable upon various attack methods, including chosen-ciphertext attack [16], chosen-/knownplaintext attack [12], differential cryptanalysis [17], even cipher-only attack [18]. Therefore, research on security is extremely important and has received much attention [19][20][21][22][23][24][25][26][27][28][29][30][31][32][33]. Table 1. Some chaos-based ciphers broken by various attack methods.

Ciphers Broken by Attack Methods
Fridrich et al. [34] in 1998 Xie et al. [16] in 2017 Chosen-ciphertext attack Zhao et al. [35] in 2015 Norouzi et al. [36] in 2017 Chosen-plaintext attack Ye [37] in 2010 Li et al. [18] in 2017 Cipher-only attack Zhou [38] in 2015 Chen et al. [17] in 2016 Differential cryptanalysis Song et al. [15] in 2015 Wen et al. [13] in 2019 Chosen-plaintext/cipertext attacks Shafique et al. [14] in 2018 Wen et al. [12] in 2019 Chosen-plaintext attack As described in Ref. [39], fractional-order chaotic systems have higher complexity and more optional key parameters and can be used as a competitive encryption scheme. Correspondingly, image encryption algorithms based on fractional-order chaotic systems have attracted the attention of researchers in recent years [35,[40][41][42]. In 2013, Wang et al. [40] introduced a fractional-order chaos into image encryption for the first time, and gave some experiments to verify its performance. Since then, many image encryption schemes based on fractional-order chaotic systems have been proposed [35,41,42]. For example, in 2017, Zhang et al. [41] proposed a color image encryption scheme combing with fractionalorder hyperchaotic system and DNA encoding. Yet, cryptanalysts have reported that some fractional-order chaotic image encryption algorithms have some fatal security issues. Exactly, Norouzi et al. [36] pointed out that the image cipher that using an improper fractional-order chaotic system was insecure, which was proposed in [35]. As far as we know, there are still few research studies concerning cryptanalysis on the ciphers based on fractional-order chaotic systems. Moreover, considering that each cryptosystem has its intrinsic characteristics, it is necessary and urgent to perform cryptanalysis on these existing ciphers.
In 2015, a color image encryption algorithm based on a fractional-order hyperchaotic system was proposed [42]. In color image encryption algorithm using a fractional-order hyperchaotic system (CIEA-FOHS), using the pseudo-random sequences generated by the fractional-order hyperchaotic system, RGB-inter permutation, RGB-intra permutation and pixel diffusion are successively performed to get cipher images from plain images. Meanwhile, the relevant pixel correlation, histogram and other experimental analysis are given to verify its security performance. However, from the perspective of cryptanalysis, we found some security defects as follows: • The existence of an equivalent key. CIEA-FOHS encrypts the image using a pseudorandom sequence generated by fractional-order chaos. However, these sequences are not related to plaintext. Thus, these sequences can be considered as equivalent keys. • Two-stage permutations can be equivalently simplified to only once. The reason is that the two permutations only change the position of the pixel without changing the value of the pixel. • The paradigm of the diffusion part is insecure. According to the conclusion of Ref. [43], a class of diffusion encryption using module addition and XOR operations can be cracked with only two special plain images and their corresponding cipher images. Unfortunately, CIEA-FOHS is also the case.
Based on the three points, CIEA-FOHS cannot resist against a chosen-plaintext attack method with the divide-and-conquer strategy. More specifically, under the scenario of chosen-plaintext attack, firstly an equivalent diffusion key is obtained, and then an equivalent permutation key is achieved, and finally the original images can be restored from the encrypted images with the equivalent keys.

The Encryption Algorithm under Study
In this section, the fractional-order hyperchaotic system used in Reference [42] is presented, and then the specific steps of CIEA-FOHS are introduced.

Fractional-Order Hyperchaotic System
The fractional-order hyperchaotic system used in CIEA-FOHS is derived from Ref. [39], given as where x, y, z, w are the four state variables, t is the fractional derivative under the definition of Caputo and α is the derivative order. The attractor of the fractional-order hyperchaotic system is shown in Figure 1.

Description of CIEA-FOHS
As shown in Figure 2, CIEA-FOHS consists of three main parts: inter-permutation, intra-permutation and pixel diffusion. It is noted that, a two-dimensional image is transformed into an one-dimensional sequence in raster scan order. Specifically, a color plain image I of size H × W × 3 is converted into three sequences of length H × W expressed as: IR, IG, and IB, which correspond to the three RGB channels of the image. The main contents are briefly introduced as follows: • The Secret Key: The secret keys of CIEA-FOHS include (t f , α, h, x 0 , y 0 , z 0 , w 0 ), where t f is the fractional derivative defined by Caputo definition, α is the dimension, h is the step size for discretization, and (x 0 , y 0 , z 0 , w 0 ) are the four initial values of the fractional-order hyperchaotic system defined in Equation (1), respectively. In CIEA-FOHS, these keys are used to generate some chaos-based pseudo-random sequences for encryption [42]. • Initialization: In Equation (1), by selecting the secret key as the initial values and parameters and iterating L times, one gets four chaos-based pseudo-random sequences The RGB-inter permutation refers to the process of pixel replacement between channels. This stage is implemented by two control vectors {selE i } L i=1 and {selLen i } L i=1 , which are given as is used to switch channels, as shown in Table 2, and {selLen i } L i=1 is to control the position and length of the permutation pixel, given as Table 2. The stutas of RGB-inter permutation under six rules.

Rule selE(i)
Permutation status where pos is the starting position, length is the length of the permautation pixels, and sum is the cumulative function. • Stage 2. RGB-intra permutation: respectively, and their values range [1, L].
to permute ER, EG and EB respectively, given as Perform pixel diffusion on ER, EG and EB, and then get three channels of the cipher image C. Exactly, the three channels CR, CG and CB are defined as where i = 1 ∼ L, ⊕ is bitwise XOR operation, mod represents modulo operation, and CR 0 = SX L , CG 0 = SY L , and CB 0 = SZ L . Here, three diffusion sequences SX, SY and SZ are generated by SX i = round(x i ) × 10 14 , SY i = round(y i ) × 10 14 and SZ i = round(z i ) × 10 14 respectively, where round is a rounding operation on real numbers.
Decryption is the inverse of encryption and is not described in detail here.

Preliminary Analysis of CIEA-FOHS
Referring to the basic assumptions of cryptanalysis, everything about the cryptosystem is public and only the secret key is unknown for attackers [13]. Chosen-plaintext attack is a common and powerful method of cryptanalysis. It assumes that attackers can arbitrarily choose the plaintext that is conducive to deciphering and obtain the corresponding ciphertext [12]. Under the scenario of chosen-plaintext attack, attackers can construct special plain images, such as all black and all white, and obtain the corresponding cipher images to analyze the target cipher.
From the perspective of cryptanalysis, two-stage permutations of CIEA-FOHS can be treated as a global pixel permutation because they only change the pixels' position without their values. The difference is that the number of pixels performing the permutation is 3HW instead of HW. Then, the algorithm structure of CIEA-FOHS is actually a classic single-round permutation-diffusion. Moreover, the generation process of all chaos-based pseudo-random sequences is independent of the plain image, which means that these sequences can be regarded as an equivalent key. The reason is that, in the case of a given secret key, these sequences are fixed for encrypting different plain images with the same size. Then, CIEA-FOHS can be equivalently simplified as Figure 3, where PM is an equivalent permutation key and three diffusion sequences SX, SY and SZ serve as an equivalent diffusion key. Based on the above, under the scenario of chosen-plaintext attack and the strategy of divide and conquer, one can get the equivalent keys and then recover the original plain images. Specifically, firstly choose some plain images with same pixel values to cancel the permutation and get the corresponding plain images to obtain the diffusion key; then achieve the permutation key by the method of Reference [12]; finally, recover the images by the equivalent keys.

Analysis on the Diffusion Part
In this section, based on chosen-plaintext attack, it is assumed that the plaintext image with the same pixel value is selected, and the corresponding ciphertext image is obtained.

•
Step 1. Choose the all-zero plain image I (0) and get the corresponding cipher image The reason for choosing the all-zero image is that the permutation is invalid at this time, and the diffusion can be eliminated to the greatest extent. Then, Equation (4) becomes when i = 1, one has CR Step 2. Choose two special plain images and get the corresponding cipher images to Referring to [43,44], the two chosen plaintexts are pure-color images with pixel values of 85 and 170, represented as I (85) and I (170) , respectively. Because for the combined operation of module addition and bitwise XOR, choosing these two plain images can minimize the number of solutions for SX, SY, SZ. Under the plain image I (85) and its corresponding cipher image C (85) , one gets Similarly, given the plain image I (170) and its corresponding cipher image C (170) , one has By performing bitwise on Equations (6) and (7), one further gets where+ is defined as a+b ∆ = mod (a + b, 256). It is worth pointing out that the reason why 85 and 170 are chosen as the attack images is that their binary are 01010101 and 10101010 respectively. At this time, the number of possible solutions of SX i , SY i , SZ i is the smallest, which is two. More precisely, the difference between the two solutions is 128. Then, based on Equation (8), we propose Alogrithm 1 to determine Step 3. Eliminate the diffusion part by SX, SY, SZ.
Corresponding to Equation (4), the decryption process of diffusion is given as Thus, ER, EG, EB can be restored from CR, CG, CB with SX, SY, SZ, respectively.
Input: SX L , SY L , SZ L , two chosen plain images I (85) and I (170) , and their corresponding cipher images C (85) and C (170) .

Analysis on the Permutation Part
Once the diffusion part is broken, CIEA-FOHS degenerates into a permutation-only cipher. Based on existing research, it cannot resist a chosen-plaintext attack. The basic idea of attacking permutation-only is to construct a special plain image with unequal element values, and get the corresponding permuted image. Taking 2 × 2 × 3 as an example, the process of solving PM is described below.
Obviously, one can recover (IR, IG, IB) from (ER, EG, EB) with PM. However, the situation may be more complicated for large size images. For an 8-bit image, the pixel value range is [0, 255]. Thus, when 3HW > 256, PM cannot be determined by only one chosen plain image and its corresponding cipher image. Fortunately, this problem has been solved in our latest research [12,13]. The basic idea is to combine multiple chosen plain images in a weighted manner to form a matrix with different elements, and the number of chosen plain images required for attacking permutation is log 256 (3HW) , where . is the rounding up operation.
Based on the above, the steps for attacking permutation are briefly summarized as follows: • Step 1. Choose some special plain images and get their corresponding cipher images to determine the permutation matrix PM; • Step 2. Use the permutation matrix PM to recover the original images from the permuted images.

The Proposed Chosen-Plaintext Attack Method
Following the above-mentioned discussion, CIEA-FOHS cannot resist the attack method proposed in this paper. The flowchart of the attack method is shown in Figure 4, and the specific steps based on chosen-plaintext attack are given as: firstly, get an equivalent diffusion key (SX, SY, SZ) by the method in Section 3.2; secondly, achieve the permutation matrix PM by the method in Section 3.3; finally, recover the original images with the equivalent keys.  Moreover, the complexity required for the attack method is discussed here. In terms of data complexity, for color images of size H × W × 3, the number of chosen plain images required to decipher diffusion and permutation is 3 and log 256 (3HW) , respectively. Hence, the total data complexity required is O(3 + log 256 (3HW) ).

Experimental Verifications and Discussions
To verify our security analysis, the algorithm steps of CIEA-FOHS strictly follow Ref. [42]. Although Due to the complexity of fractional-order chaos, some parameters may not be completely consistent, but this does not affect the effectiveness of security analysis. We conduct simulation verification on the proposed image cryptosystem based on a PC (personal computer) with MATLAB r2018b. The running PC is installed with Windows 10 64-bit OS (operating system), Intel(R) Core(TM) i5-8265U CPU @ 1.60 GHz and 8 GB memory. We select some typical images listed in Table 3 for experiments. Among them, the image "Lenna" of size 256 × 256 × 3 given in Ref. [42] is also included. In Equation (1), we set the experimental secret key parameters for h = 0.001, α = 104, t f = 100, x 0 = 1.002, y 0 = 0.949, z 0 = 0.997 and w 0 = 1.103.
• Case 1. Breaking CIEA-FOHS with an image of size 2 × 2 × 3: In order to better illustrate the attack process, we first adopt an extremely simple image with a size of 2 × 2 × 3. A pair of the given target plain and cipher images I and C is shown in Figure 5a,c respectively, and their histograms are shown in Figure 5b,d respectively. Accordingly, the numerical matrices of I and C are: Thirdly, by Step 3 in Section 3.2, the corresponding permuted image shown in Figure 8c can be restored from the targeted cipher image Figure 8a with SX SY SZ. Fourthly, following Step 1 in Section 3.3, construct some special attack images to obtain the permutation matrix PM. For images of size 2 × 2 × 3, the process of solving PM is exactly the same as Section 3.3. Then, we determine the PM as Equation (10) Secondly, based on Step 2 in Section 3.2, choose the two plain images, I (85) and I (170) , and get the corresponding cipher images, C (85) and C (170) , which are shown in Figure 10a-d, respectively. Furthermore, one determines SX i , SY i , SZ i for i = 1 ∼ L − 1 by Algorithm 1.
Thirdly, by the method in Section 3.3, choose the three plain images (shown in Figure 11a-f) and get the corresponding cipher images (shown in Figure 11g-l), and then use Algorithm 1 again to obtain their corresponding permuted images (shown in Figure 11m-r). Then, we can get PM. Finally, we recover the original image from the cipher image of "Lenna" shown in Figure 12a. First, the permuted image shown in Figure 12c is obtained from the cipher image with (SX, SY, SZ). Then, the plain image is restored by PM, which is shown in Figure 12e. Without loss of generality, we do the experiments based on other images with different sizes. The experimental results are shown in Table 3 and Figure 13. They both verify the effectiveness of our attack method. Besides, it can be seen from Table 3 that the proposed attack is efficient. Taking the image "Lenna" of size 256 × 256 × 3 as an example, when the encryption time is 0.6391 s, the time needed for the corresponding attack is just 129.4039 s. Even if the image size increases, the time required for the attack is still within an acceptable range. Thus, it verifies that our method is computationally feasible.
Moreover, we verified the data complexity required for the attack. As discussed in Section 3.4, the total data complexity required for breaking CIEA-FOHS is O(3 + log 256 (3HW) ). In our experiment with chosen-plaintext attack, the number of attack images required for sizes 2 × 2 × 3 and 100 × 100 × 3 are 4 and 5, respectively. And for sizes 300 × 200 × 3, 256 × 256 × 3 and 512 × 512 × 3, the number of attack images required are all 6. Therefore, the experimental verification is consistent with the theoretical calculation. Table 3. The time required for breaking CIEA-FOHS by our proposed attack method (unit: second).

Time
Step 1 Step 2 Step 3 Step 1 Step 2 Attacking Time

Suggestions for Improvement
On the basis of the above, CIEA-FOHS is insecure against a chosen-plaintext attack method because of its inherent security defects. To enhance the security, some suggestions for improvement are listed below: • Suggestion 1. Ensuring the substantial security contribution of the fractional-order chaos to the corresponding cipher. The attractor phase diagram of the fractionalorder hyperchaotic system is shown in Figure 1, which shows the extremely complex dynamics. Undoubtedly, fractional-order chaos is one of the preferred sources of entropy for encryption. However, due to the negligence of algorithm design, CIEA-FOHS has serious security defects and is attacked.
• Suggestion 2. Security analysis should be implemented from the perspective of cryptography, not limited to numerical statistical verification. As Ref. [45] points out, many encryption algorithms have excellent statistical analysis results, but they are still insecure. In fact, good statistical analysis results are only a necessary and not a sufficient condition for security. Some security flaws are difficult to reflect with numerical statistical results, but they can be clearly revealed by theoretical security analysis. For example, the existence of an equivalent key makes CIEA-FOHS vulnerable to cryptographic attacks. Given the implementation of detailed cryptographic security analysis, these flaws can be avoided, thereby improving security.

Conclusions
In this paper, a detailed security analysis of a color image encryption algorithm named CIEA-FOHS using a fractional-order chaos was performed. From the perspective of cryptanalysis, this paper found that CIEA-FOHS can be broken by a chosen-plaintext attack method, owing to its some inherent security defects. Theoretical analysis and experimental simulations show that the attack method is both effective and efficient for attacking CIEA-FOHS. Although the fractional-order chaotic system has complex dynamics, the algorithm defects may cause insecurity. The reported results would help the designers of chaotic cryptography pay more attention to the gap between complex chaotic system and secure cryptosystem.