Security Analysis and Improvement of an Image Encryption Cryptosystem Based on Bit Plane Extraction and Multi Chaos

This paper analyzes the security of image encryption systems based on bit plane extraction and multi chaos. It includes a bit-level permutation for high, 4-bit planes and bit-wise XOR diffusion, and finds that the key streams in the permutation and diffusion phases are independent of the plaintext image. Therefore, the equivalent diffusion key and the equivalent permutation key can be recovered by the chosen-plaintext attack method, in which only two special plaintext images and their corresponding cipher images are used. The effectiveness and feasibility of the proposed attack algorithm is verified by a MATLAB 2015b simulation. In the experiment, all the key streams in the original algorithm are cracked through two special plaintext images and their corresponding ciphertext images. In addition, an improved algorithm is proposed. In the improved algorithm, the generation of a random sequence is related to ciphertext, which makes the encryption algorithm have the encryption effect of a “one time pad”. The encryption effect of the improved algorithm is better than that of the original encryption algorithm in the aspects of information entropy, ciphertext correlation analysis and ciphertext sensitivity analysis.


Introduction
With the rapid development of computer and internet technology, all kinds of multimedia data including digital images are transmitted through a network and stored on a disk, which greatly facilitates people's work and life. Image information can easily be illegally copied, tampered with, spread, and used for other malicious damage in the process of image transmission. Therefore, it is necessary to adopt reliable image encryption technology to ensure the safe transmission and storage of digital images. As described in [1], the main techniques used in image encryption algorithms include chaotic mapping, DNA computing, neural networks, compressed sensing, cellular automata, wavelet transformation, and so on. However, chaos has become an ideal tool for designing secure and efficient encryption schemes due to the sensitivity, ergodicity and randomness of chaotic systems under the initial conditions and the system parameters, which coincides with the two basic principles of cryptography: diffusion and confusion. In 1998, Friedrich [2] proposed an alternative diffusion encryption architecture, which was later developed into a classical scrambling diffusion encryption architecture [3][4][5]. Based on this structure, scholars have proposed many image encryption algorithms [6][7][8][9][10][11][12][13][14]. Chai et al. [6] designed a color image encryption algorithm based on a four-wing hyperchaotic system and DNA coding. The generation of random sequences and DNA coding sequences used in the algorithm is related to plaintext. Wang et al. [7] proposed a new image encryption algorithm in which the cipher pixel value depends on two random, nonadjacent pixels and a chaos interference value. A new chaos-based image encryption algorithm was designed by Li et al. [8], which adopts the orbit perturbation and the dynamic state variable selection mechanisms. Zhu et al. [9] constructed a five-dimensional, discrete, hyper-chaotic map by combining the logistic map and the 3D discrete Lorenz map, and designed a block-based image encryption scheme 2 of 13 related to a plain image based on this chaotic system. A chaotic image encryption, using the Hopfield model and Hindmarsh-Rose neurons implemented on FPGA, was presented in [15], which was focused on finding suitable coefficient values of neurons to generate robust random binary sequences that can be used in image encryption. In [16], a new algorithm to improve the randomness of five chaotic maps that were implemented on a PIC micro-controller was proposed. The improved chaotic maps were tested to encrypt digital images in a wireless communication scheme, particularly on a machine to machine (M2M) link, via ZigBee channels.
The operation of the above algorithms was based on the pixel level. At the same time, the chaotic image encryption algorithm based on the bit-level technique has also attracted the attention of researchers due to its reliability and effectiveness [17][18][19]. Wang et al. [17] proposed a hyperchaos-based image encryption algorithm based on bit-level permutation and DNA encoding. In [18], a symmetric color image encryption algorithm adopting bit-permutation was presented, in which the key streams are closely related to the plain image. In 2018, an image encryption algorithm with an avalanche effect based on bit-level substitution was proposed in [19]. With the improvement of cryptanalysis and design level, it is becoming increasingly difficult to decipher encryption algorithms. However, some algorithms are insecure against various common cryptanalysis methods [20][21][22][23][24][25][26]. Huang et al. [20] presented a simple color image encryption algorithm, in which the permutation process and diffusion process are all related to plaintext. The authors claimed that the algorithm could resist chosen-or known-plaintext attacks efficiently. However, in 2020, Lin et al. [21] found that Huang et al.'s algorithm [20] could not resist chosenplaintext attacks and they proposed an enhanced algorithm to overcome the flaw. Diab and El-semary [22] broke an image encryption algorithm presented by Chen et al. [23]. An image block encryption algorithm with a sufficient security level and high encryption speed was proposed in [20], while Ma et al. [25] broke the equivalent secret keys successfully by giving five chosen plain images and the corresponding cipher images; Zhu et al. [26] cracked the equivalent key sequence for image obfuscation and image scrambling, respectively, by combining the chosen-plaintext attack and the chosen-ciphertext attack. In [27], Zhu et al. cracked a color image encryption scheme based on combined 1D chaotic maps [28]. An image encryption algorithm using an S-box generated by chaos [29] and a multiple chaotic Sboxes-based image encryption algorithm [30] was broken by Zhu et al. [31] and Lu et al. [32], respectively. It can be found from the literature [20,23,24,29,30] that the main reason why the above algorithms were cracked is that the equivalent key stream of the encryption system had nothing to do with plaintext.
In [33], an image encryption algorithm based on binary bit plane extraction and multiple chaotic maps was proposed, which includes a bit-level permutation for high, 4-bit planes and bit-wise XOR diffusion. It claimed that the algorithm has high security performance. However, the security analysis showed that the key in the bit plane permutation and the key in the diffusion phase are independent of the plain image or the cipher image; therefore, the equivalent diffusion key and the equivalent permutation key can both be obtained by adopting the chosen-plaintext attack. This paper is organized as follows. Section 2 concisely describes the original algorithm in [33]. In Section 3, the security of the algorithm is analyzed, and the equivalent key is cracked by the chosen-plaintext attack method. In Section 4, the experimental simulation is carried out. An improved image encryption algorithm is proposed in Section 5. Section 6 concludes the paper.

The Original Image Encryption Cryptosystem
This section provides a brief introduction to the original encryption system of [33].

Logistic Chaotic Map and Cubic Logistic Chaotic Map
The logistic chaotic map and the cubic logistic chaotic map are used in the original algorithm. The logistic map is shown as In order to further determine the value range of parameter µ 1 when the logistic map generates a chaotic sequence, the bifurcation diagram and the Lyapunov exponent diagram of the logistic map are given as Figure 1. It is found that system (1) is chaotic when the control parameter µ 1 ∈ (3.57, 4) and x n ∈ (0, 1).

Logistic Chaotic Map and Cubic Logistic Chaotic Map
The logistic chaotic map and the cubic logistic chaotic map are used in the original algorithm. The logistic map is shown as In order to further determine the value range of parameter μ1 when the logistic map generates a chaotic sequence, the bifurcation diagram and the Lyapunov exponent diagram of the logistic map are given as Figure 1. It is found that system (1) is chaotic when the control parameter μ1 ∈ (3.57, 4) and xn ∈ (0, 1).
Similarly, in order to further determine the value range of parameter μ2 when the cubic logistic map generates a chaotic sequence, the bifurcation diagram and Lyapunov exponent diagram of the cubic logistic map are given as Figure 2. It is found that system (2) is chaotic when the control parameter μ2 ∈ (1.41, 1.59) and yn ∈ (0, 1). The cubic logistic map is defined as y n+1 = µ 2 y n (1 − y n )(2 + y n ) (2) Similarly, in order to further determine the value range of parameter µ 2 when the cubic logistic map generates a chaotic sequence, the bifurcation diagram and Lyapunov exponent diagram of the cubic logistic map are given as Figure 2. It is found that system (2) is chaotic when the control parameter µ 2 ∈ (1.41, 1.59) and y n ∈ (0, 1).

Detailed Description of the Original Encryption Algorithm
The secret key of the original encryption algorithm contains four parameters: x 0 , µ 1 , y 0 , µ 2 . The encryption objects of the original algorithm are a gray image and an RGB color image with size of H × W (height × width). For the convenience of the description, only the gray image is discussed, and the encryption algorithm of the RGB color image is basically the same. The plain image is defined as P = {p(i, j)}, and the permuted image and the cipher image are defined as P = {p (i, j)} and C = {c(i, j)}, respectively. The encryption process includes three stages, as follows: Step 1: Bit plane decomposition. The plain image P = {p(i, j)} is decomposed into 8-bit planes P k = {p k (i, j)} (k = 1, 2,..., 8), given by

Detailed Description of the Original Encryption Algorithm
The secret key of the original encryption algorithm contains four parameters: , respectively. The encryption process includes three stages, as follows: Step 1: Bit plane decomposition. The plain image Here, let Zm represent the set [0, m − 1], so p(i, j) ∈ Z256, pk(i, j) ∈ Z2, P1 and P8 are the lowest and highest bit planes, respectively; Step 2: Bit-level permutation. The permutation process is only for the high, 4-bit planes, the 8-th bit plane is described as an example. Firstly, given the initial value y0 and the control parameter 2 μ , the cubic logistic map is iterated to get two real sequences, {y1, y2,…, yH} with length H and {yH+1, yH+2,…, yH+W} with length W, respectively. Then, the two real number sequences are sorted in ascending order to obtain the position in- Here, let Z m represent the set [0, m − 1], so p(i, j) ∈ Z 256 , p k (i, j) ∈ Z 2 , P 1 and P 8 are the lowest and highest bit planes, respectively; Step 2: Bit-level permutation. The permutation process is only for the high, 4-bit planes, the 8-th bit plane is described as an example. Firstly, given the initial value y 0 and the control parameter µ 2 , the cubic logistic map is iterated to get two real sequences, {y 1 , y 2 , . . . , y H } with length H and {y H+1 , y H+2 , . . . , y H+W } with length W, respectively. Then, the two real number sequences are sorted in ascending order to obtain the position index sequence RS = {rs(i)} H i=1 and CS = {cs(j)} W j=1 , respectively. Then, using the two sequences RS and CS, the permutation bit plane Similarly, through Equation (4), the permuted bit planes P 5 , P 6 , P 7 can be obtained from P 5 , P 6 , P 7 , respectively. Finally, the permuted image P is obtained though Equation (5) where p 1 , p 2 , p 3 , p 4 are the low 4-bit planes, and p 5 , p 6 , p 7 , p 8 are the high 4-bit planes, respectively; Step 3: Bit-wise XOR diffusion. Firstly, setting x 0 and µ 1 as the initial value and control parameter of the logistic map, respectively, a real matrix R = {r(i, j)} H,W i=1,j=1 is obtained by iterating the logistic map H × W times. Then, a mask image M = {m(i, j)} H,W i=1,j=1 is obtained by Equation (6) m(i, j) = mod f loor r(i, j) × 10 5 , 256 Then, through Equation (7), the ciphertext C = {c(i, j)} H,W i=1,j=1 can be obtained as It can be seen that the key set of the encryption system in [33] is keys = {µ 1 , x n , µ 2 , y n }. If we choose an accuracy of 10 −14 for the four variables (µ 1 , x 0 , µ 2 , y 0 ), we obtain a key space of 10 56 ≈ 2 187 . As [34][35][36] pointed out, the effective key space of the image encryption system should be greater than 2 100 in order to prevent brute force attacks, so the key space of our algorithm is sufficiently large to resist against brute force attacks.

Security Analysis of the Original Algorithm and Chosen-Plaintext Attack
Through the security analysis, we found that the encryption system has the following security defects: (1) The chaotic sequences used for encryption are independent of the plaintext image. In other words, when the keys are fixed, the chaotic sequences used for encryption are unchanged for different plaintext images of the same size; (2) The diffusion part is too simple, as only XOR diffusion is adopted, in which neither a nonlinear function nor a complicated diffusion mechanism is involved. Therefore, the algorithm is not sensitive to plain images; (3) Permutation and diffusion are independent of each other, and there is no relationship between them. Therefore, the permutation and diffusion parts of the original algorithm can be deciphered by the strategy of divide and conquer.
From the encryption process of the original algorithm, it can be found that two sequences, RS and CS, are used in the scrambling process, and the chaotic sequence, M, is used in the diffusion phase. Therefore, the equivalent key streams of the original algorithm are M, RS and CS. If the equivalent key streams are cracked, the original encryption system will be cracked.
The so-called chosen-plaintext attack and selective plaintext attack refer to the following process. In addition to not knowing the secret keys used by the cryptosystem, the attacker understands the working mechanism of the encryption algorithm and has the opportunity to use the encryption machine of the cryptosystem. Therefore, the attacker can choose some special plaintext images and obtain the corresponding ciphertext images, thereby deciphering the equivalent secret keys of the cryptosystem or the target ciphertext image.

Cracking of Equivalent Key M in the Diffusion Phase
For bit-level permutation, if all the bits of the input plaintext image are the same, that is, all are 0 or all are 1, then the corresponding permutation image is exactly the same as the plain image. For example, by choosing the image P 0 = {p 0 (i, j) = 0} H,W i=1,j=1 , whose pixel values are all 0, as the input plain image, the result, P 0 , after bit-level permutation is exactly the same as the original plain image, that is P 0 = P 0 . The attacker obtains the cipher image ,j=1 corresponding to P 0 . Finally, according to formula (7), the attacker Therefore, the equivalent key M is cracked in the diffusion phase.

Breaking Bit-Level Permutation
From the permutation of Formula (4), we find that the essence of permutation is to exchange the rows and columns of the bit plane matrix. After permutation, the elements of the same row are still in the same row, and the elements of the same column are in the same column.
In the original algorithm, the bit plane whose element was 0 or 1 is permuted, so the sequences, RS and CS, can be recovered by constructing a special bit plane. Taking the 8-th bit plane as an example, a special plain image is constructed so that its 8-th bit plane has the following form:

Specific Steps of Chosen-Plaintext Attack
The specific steps of our chosen-plaintext attack are as follows: Step 1: The chosen-plaintext attack means that the attacker has the access right of the encryptor and can construct the ciphertext corresponding to any plaintext. Thus, as shown in Section 3.1, by choosing the all-zero image, P 0 , as the input plain image, one gets the corresponding cipher image, C 0 , then M = C 0 ; Step 2: Select a special plaintext image so that its 8-th bit plane has the form of matrix (11) and so the selected plain image can be the following matrix image, PP After encryption, obtain the cipher image, CP, corresponding to PP, then obtain the permuted image PP of PP is by using the cracked diffusion key M, the elements of which are shown in Equation (13) pp (i, j) = c 0 (i, j) ⊕ m(i, j) Entropy 2021, 23, 505 7 of 13 Step 3: Extract the 8-th bit plane PP 8 of PP , as shown in Section 3.2. By comparing the numbers of element 1 in each row of PP 8 , the vector RS is obtained. Similarly, the vector, CS, is also obtained by comparing the numbers of element 1 in each column of PP 8 ; Step 4: As for a given cipher image, C, firstly the permuted image, P , is obtained by using the diffusion key M though Equation (14) Extract the 5-8th bit planes of P , then perform reverse permutation on the 5-8th bit planes of P to obtain the 5-8th bit planes of the plaintext image P by using the sequences CS and RS. The 1-4th bit planes of P are exactly the same as that of P . In this way, all the eight-bit planes of P are obtained, and then the plain image P can be obtained by Formula (3).

The Discussion
In [37], the algorithm in [33] is cracked, but for an 8-bit grayscale image of size 256 × 256, the data complexity of the attack method required for breaking the algorithm is O(log 2 (H × W)) = O (19), while only one special plaintext image and its corresponding ciphertext image is needed to decode the scrambling sequences, RS and CS, in our method. As such, the complexity of our attack algorithm is greatly reduced.

Experimental Simulations of Cracking
The experimental image is an 8-bit grayscale image, Cameraman, of size 256 × 256. The process is as follows: choose keys x 0 = 0.8578, µ 1 = 3.6832, y 0 = 0.3476, µ 2 = 1.5866; encrypt the image, Cameraman, size 256 × 256, with a pixel value of 0, and a special image of size 256 × 256 as Formula (12) to obtain the corresponding encrypted image, as shown in Figure 3b,d,f. According to Figure 3d, the mask matrix, M, can be decrypted without knowing the key. The permutation sequences, RS and CS, can be decrypted by combining the matrix, M, and Figure 3f. Therefore, all the equivalent keys can be decrypted. Furthermore, any encrypted image can be decrypted by using the equivalent keys. After attacking the encrypted image, Figure 3b, the recovered image is shown in Figure 4. encrypt the image, Cameraman, size 256 × 256, with a pixel value of 0, and a special image of size 256 × 256 as Formula (12) to obtain the corresponding encrypted image, as shown in Figure 3b,d,f. According to Figure 3d, the mask matrix, M, can be decrypted without knowing the key. The permutation sequences, RS and CS, can be decrypted by combining the matrix, M, and Figure 3f. Therefore, all the equivalent keys can be decrypted. Furthermore, any encrypted image can be decrypted by using the equivalent keys. After attacking the encrypted image, Figure 3b, the recovered image is shown in Figure 4.

The Improved Algorithm and Security Analysis
The main reason why the original algorithm is cracked is that the equivalent keys M, RS and CS of the original encryption algorithm are independent of the plain image. According to the five suggestions given in [37], we propose the improved algorithm of [33]. The key set of the improved algorithm is exactly the same as that of the original algorithm. Compared with the original algorithm of [33], the improved algorithm can resist chosen-plaintext attack and has better security performance.

The Improved Encryption Algorithm
The specific steps of the improved encryption algorithm are as follows: Step 1: In the permutation phase, the initial value y0 of chaotic map (2) is related to the sum of the pixel values of the 8-th bit plane of the plain image

The Improved Algorithm and Security Analysis
The main reason why the original algorithm is cracked is that the equivalent keys M, RS and CS of the original encryption algorithm are independent of the plain image. According to the five suggestions given in [37], we propose the improved algorithm of [33].
The key set of the improved algorithm is exactly the same as that of the original algorithm. Compared with the original algorithm of [33], the improved algorithm can resist chosenplaintext attack and has better security performance.

The Improved Encryption Algorithm
The specific steps of the improved encryption algorithm are as follows: Step 1: In the permutation phase, the initial value y 0 of chaotic map (2) is related to the sum of the pixel values of the 8-th bit plane of the plain image Then, y 0 is updated with sum: In this way, the two permutation sequences, RS and CS, will be related to the plain image. The permutation process is exactly the same as the original algorithm; Step 2: The permuted image, P = {p (i, j)}, and the real matrix, R = {r(i, j)}, of the original algorithm are all transformed into one-dimensional vector sequences P = {p (1), p (2), · · · , p (H × W)} and R = r(1), r(2), . . . , r(H × W) , respectively shown from left to right and from top to bottom. The ciphertext sequence C = {c(1), c(2), . . . , c(H × W)} is generated according to Formulas (17)- (21), then sequence C is transformed into a matrix of size H × W to obtain the final cipher image; Obviously, kt(i) ∈ [1, i − 1]. i = 2, 3, 4, . . . , H × W.
It can be seen from Equation (19) that the generation of the key, M, is related to the cipher image, so the key, M, used for encrypting different plaintext is different. Therefore, the improved algorithm can resist a chosen-plaintext attack. Furthermore, the ciphertext Entropy 2021, 23, 505 9 of 13 feedback mechanism is adopted in the Formulas (20) and (21), which overcomes the weakness that the original algorithm is not sensitive to the plain image.
Step 8: Combine 8-bit planes to obtain the restored original image, P, by

Analysis of Improved Algorithm to Resist Chosen-Plaintext Attack
The improved algorithm can resist the chosen-plaintext attack, which is reflected in two aspects. Firstly, from Formulas (15) and (16), it can be seen that the scrambling sequences, RS and CS, produced in the scrambling stage are related to the plaintext image, and the sequences, RS and CS, used to encrypt the different images are different. Secondly, from Equations (19) and (20), we can see that the generation of m(i) is related to the previous ciphertext value c (i − 1), and the generation of kt(i) is related to m(i). Therefore, the sequences, m(i) and kt(i), used to encrypt different images are different. In short, the improved algorithm has the effect of "one-time pad".

Comparison of Ciphertext Security Performance between Improved Algorithm and Original Algorithm
In order to further highlight the advantages of the improved algorithm, we will compare it with the original algorithm from the aspects of information entropy, ciphertext correlation analysis and ciphertext sensitivity.
(1) Comparison of Information Entropy The ideal value of entropy for an 8-bit gray-scale image is 8. The closer the value is to 8, the more uncertain the image is, and the more uniform the distribution of image pixel value is. Table 1 shows the information entropy of the cipher images Rice, Cameraman, Lena and Pepper, which were encrypted by the improved algorithm and the original algorithm. Compared to the original algorithm and other algorithms, the improved algorithm is closer to the ideal situation, that is, the encryption effect of this algorithm is better. Table 1. Information entropy of ciphertext image.

Images
The Improved Algorithm The Original Algorithm Ref. [38] Ref. [39] (2) Comparison of Correlation Coefficient In general, there is a strong correlation between the adjacent pixels of the plaintext image, while the correlation between the adjacent pixels of the ciphertext image is close to zero. Table 2 shows the correlation coefficient of the cipher images of Cameraman and Peppers encrypted by the improved algorithm and the original algorithm in the horizontal direction, the vertical direction and the diagonal direction, respectively.

(3) Comparison of Plaintext Sensitivity
The number of pixels change rate (NPCR) and unified average changing intensity (UACI) are commonly used to measure the sensitivity of encryption algorithms to plaintext. The formulas for the calculation of NPCR and UACI are found in [10]. For the 256 levels of the grayscale images, the expected values of NPCR and UACI are 99.6094% and 33.4635%, respectively.
We have performed 20 groups of tests. In each test, we randomly selected one pixel in the plain image Cameraman, changed its value with 1 bit and encrypted it. Finally, we calculated the NPCR and UACI values between any two pairs of ciphertext image. The results are shown in Table 3. From Table 3, one can see that the NPCR and UACI values are very close to the ideal values in the improved algorithm, while in the original algorithm, the values of NPCR and UACI are close to 0. This is mainly because the original algorithm does not adopt the ciphertext feedback mechanism in the diffusion stage, so the original algorithm is not sensitive to plaintext.

Conclusions
In this paper, the security performance of a recent chaotic image encryption cryptosystem based on bit planes extraction and multiple chaotic maps is cryptanalyzed in detail. It is found that the equivalent key streams M, RS and CS can be recovered separately in the scenario of a chosen-plaintext attack. In order to overcome the shortcomings of the original algorithm, which cannot resist the chosen-plaintext attack and is not sensitive to plaintext, we propose an improved encryption algorithm. The innovation of the improved algorithm lies in that the key set of the encryption system is the same as that of the original algorithm, but the equivalent sequences, M, RS and CS, used to encrypt different images, are different, which has the effect of a one-time pad.
The improved algorithm has the advantages of high security and resistance to chosenplaintext attacks. However, it also has the following defects: from Formulas (19) and (20), we can see that in the encryption process, we need to switch back and forth between the floating-point operation and the integer operation (that is, one floating-point operation, one integer operation, switching back and forth), which is not conducive to hardware implementation. Therefore, it is still necessary to design a secure and efficient image encryption algorithm based on chaos.