An Efficient Chosen-Plaintext Attack on an Image Fusion Encryption Algorithm Based on DNA Operation and Hyperchaos

This paper proposes a more efficient attack method on an image fusion encryption algorithm based on DNA operation and hyperchaos. Although several references have reported some methods to crack the image encryption algorithm, they are not the most efficient. The proposed chosen-plaintext attack method can break the encryption scheme with (4×N/M+1) or (M/(4×N)+1) chosen-plaintext images, which is much less than the number of chosen-plaintext images used in the previous cracking algorithms, where M and N represent the height and width of the target ciphertext image, respectively. The effectiveness of the proposed chosen-plaintext attack is supported by theoretical analysis, and verified by experimental results.


Introduction
With the rapid development of computer and communication technology, multimedia information, such as image, audio, and video, has become the main carrier of network information because of its clarity and vividness, and has been widely used and spread. Images always involve sensitive events, such as business, military, medical, and political affairs. Ensuring the security of images transmitted and stored on public networks has attracted unprecedented attention in the field of cryptography and information security. Image data is characterized by large data volumes and a high correlation between adjacent pixels, so traditional encryption algorithms, such as DES and AES, are not suitable for image encryption [1,2]. The development of chaos theory opens up a new way of encrypting images. Chaos is a kind of complex and seemingly random physical phenomenon produced by a certain nonlinear system. The sequence generated by chaos is pseudo-random, aperiodic, highly sensitive to control parameters and initial conditions, and can be generated quickly and accurately. These characteristics make the chaotic system especially suitable for image encryption. In recent years, many digital image encryption algorithms have been proposed [3-8]. In addition, some algorithms combine chaos with other mathematical models. For example, Kumar et al. [9] proposed the idea of combining deoxyribonucleic acid (DNA) encoding with an elliptic curve public key cryptosystem. Ahmad et al. [10] proposed a compression sensing and noise-tolerant image encryption scheme based on a chaotic map and orthogonal matrix. In order to improve the encryption speed, Aleksandra V et al. [11] constructed adaptive chaotic maps and proposed an image encryption algorithm based on these chaotic maps, which has a fast encryption speed.
Compared with information encryption, the main task of cryptanalysis is to study how to decipher the cryptosystem without knowing the key. It requires the cryptanalyzer to decode the secret key or the equivalent key by analyzing the security vulnerabilities of the ciphertext and encryption system without knowing the secret key, and then recover the

Chen Hyper-Chaotic System
The chaotic system used in the original algorithm is Chen's hyper-chaotic system, which is defined as follows: In Equation (1), a, b, c, d, g are the system parameters; when a = 36, b = 3, c = 28, d = 16, and −0.7 ≤ g ≤ 0.7, Chen's hyper-chaotic system is in a hyper-chaotic state and can generate four chaotic sequences. Setting g = 0.54 and the step size t = 0.001, we use the fourth-order Runge-Kutta method to solve the equations and obtain sequences x, y, z, and w. The hyper-chaotic attractors are shown in Figure 1.



DNA Sequence and XOR Operation
The DNA sequence consists of four kinds of deoxynucleotides: adenine (A), thymine (T), cytosine (C), and guanine (G), in which A is paired with T, and C is paired with G. Similarly, in binary, 0 and 1 are complementary, so for two-bit binary numbers, 00 and 11 are complementary, as are 01 and 10. The four bases A, C, G, and T are used to encode 00, 01, 10, and 11. There are 24 such encoding rules, but only eight of them, listed in Table 1, satisfy the Watson-Crick complementary rule [1]. Note that a DNA decoding rule is the reverse operation of a DNA encoding rule. For a gray image with 256 gray levels, each pixel can be encoded as a DNA sequence of length 4, and the encoding operation can be implemented by defining a function DNAcode(value, rule). For example, the pixel value 184 is encoded as the DNA sequence "TCTG" by encoding rule 3, namely, DNAcode(184, 3) outputs "TCTG". Conversely, a DNA sequence of length 4 can be decoded as an integer in the range [0, 255], and the decoding operation can be expressed as a function DNAdecode(strDNA, rule). For example, DNAdecode("TCTG", 3) outputs 184. The original algorithm adopts encoding rules 3 and 4.
The XOR operation for DNA sequences is performed according to the traditional binary XOR. Corresponding to the eight kinds of DNA encoding schemes, eight kinds of DNA XOR rules also exist, but the XOR operation rules used in the original algorithm are those shown in Table 2, which can be implemented by defining a function DNAxor(strDNA1, strDNA2). For example, DNAxor("A", "A") outputs "G" and DNAxor("C", "T") outputs "A".

Table 1. The eight DNA encoding rules that satisfy the Watson-Crick complementary rule.

Rule   1    2    3    4    5    6    7    8
A      00   00   01   01   10   10   11   11
T      11   11   10   10   01   01   00   00
G      01   10   00   11   00   11   01   10
C      10   01   11   00   11   00   10   01

The Concrete Description of the Original Algorithm
The flow of the encryption algorithm can be redescribed in Figure 2. The secret key set of the original algorithm includes the initial values (x0, y0, z0, w0) of Chen's hyper-chaotic system and a randomly generated key image K. In Figure 2, P represents the plaintext image, and C represents its corresponding ciphertext image. P, K and C are all matrices of size M×N.
The encryption algorithm can be briefly re-described as follows:
Step 1: Convert image P and K into binary matrices, then carry out DNA encoding operation with rule 3 for these two binary matrices. According to Table 1, two encoded matrices Pe and Ke can be obtained.
Step 2: Generate two chaotic sequences x = {x_i}, i = 1, ..., m, and y = {y_i}, i = 1, ..., 4n, through Chen's hyper-chaotic system under the initial condition of {x0, y0, z0, q0} and system parameters of {a, b, c, d, k}. Then, the two real number sequences are arranged in ascending order to obtain a row position index sequence lx = {lx(i)}, i = 1, ..., m, and a column position index sequence ly = {ly(i)}, i = 1, ..., 4n, respectively.
Step 4: DNA XOR operation is performed on Ps and Ks to obtain Pc, according to the XOR operation rules listed in Table 2.
Step 5: The fourth encoding rule which is complementary to the third encoding rule is used to decode Pc, and the final ciphertext image C is obtained.

Security Analysis of the Original Algorithm and Chosen-Plaintext Attack
The definition of chosen-plaintext attack is as follows. In addition to not knowing the secret keys used by the cryptosystem, the attacker understands the working mechanism of the encryption algorithm and has the opportunity to use the encryption machine of the cryptosystem. Therefore, the attacker can choose some special plaintext images and obtain the corresponding ciphertext images, thereby deciphering the equivalent secret keys of the cryptosystem or the target ciphertext image.
In the whole process of the encryption algorithm, the initial secret keys of the cryptosystem are not related to the image content, so the key matrices lx, ly, and Ks do not change when the image to be encrypted is varied. Therefore, the key matrices lx, ly, and Ks can be cracked by a chosen-plaintext attack. The key matrices lx, ly, and Ks are the equivalent keys of the cryptosystem, and the virtual frame of Figure 2 is equivalent to the encryption machine of the cryptosystem.
To crack a target cipher image CI, our chosen-plaintext attack algorithm is divided into three stages, which are described in Sections 3.1-3.3.

Extracting Key Matrix Ks
In order to decode the key image Ks, we only need to choose one special plaintext image. The steps of the algorithm to extract key matrix Ks are as follows:
Step 1: Select a special plaintext image P whose pixel values are all zeros, and then use rule 3 in Table 1 to encode P and to obtain the matrix Pe. It is easy to see that all elements in Pe are "G".
Step 2: Find the ciphertext image C corresponding to P by using the encryption machine. Then, use rule 4 to encode C to obtain Pc.
Step 3: Find Ks. Because all elements in Pe are "G", scrambling has no effect on Pe. That is, Ps = Pe. According to the XOR operation rules in Table 2 and the Formula (4), the attacker can obtain the arranged key image Ks. The calculation process is as follows: where, i = 1, 2, 3, . . . , M, j = 1, 2, 3, . . . , 4N.

Extracting lx and ly
From the permutation Formula (2), we can find that the essence of permutation is to exchange the rows and columns of the matrix Pe. After permutation, the elements of the same row are still in the same row, and the elements of the same column are still in the same column. Taking a plain image Pe of size 4×4 as an example, suppose Pe and Ps have the forms as
Because the number of elements "A" in each row (column) of Pe is different, the sequences lx and ly can be obtained by comparing the number of elements "A" in each row and column of Ps. According to Formula (4), the elements in row i of Ps correspond to the elements in row lx(i) of Pe. Therefore, the number of "A" in row i of Ps is equal to the number of "A" in row lx(i) of Pe, i = 1, 2, 3, 4. As a result, it can be inferred that lx = [3, 2, 4, 1]. Similarly, the elements in column j of Ps correspond to the elements in column ly(j) of Pe. Therefore, the number of "A" in column j of Ps is equal to the number of "A" in column ly(j) of Pe, j = 1, 2, 3, 4. As a consequence, it can be inferred that ly = [2, 1, 4, 3].
Entropy 2021, 23, 804
Suppose the target cipher image C has M rows and N columns, namely, the corresponding DNA encoded image has the size of M×4N. If M = 4N = L, then the encoded image Pe has L rows and L columns, which is the simplest case. In this simplest case, lx and ly can be cracked completely through only one chosen-plaintext image whose encoded image Pe has the form as
However, if M < 4N or M > 4N, we need more chosen-plaintext images to crack all the elements in lx and ly. Let L = min(M, 4N), where min(x, y) returns the smaller one of x and y. The specific chosen-plaintext attack method to crack lx and ly can be described in detail as follows:
Step 1: Initialize lx as a row vector of M characters and ly as a row vector of 4N characters. Let L = min(M, 4N). The function min(a, b) returns the smaller one of a and b.
Step 2: Choose a special plaintext image P whose encoded image is Pe, and a subimage, consisting of the first L rows and the first L columns of image Pe, which has the form of Equation (6). Namely, row 1 has only one character of "A" at the first column, row 2 has two characters of "A" at the first two columns, . . . , row L has L characters of "A" at the first L columns, and all of the remaining elements are "G". By acquiring its corresponding cipher image C, one can obtain its corresponding image Pc. Then, find the image Ps by using Pc and the known (cracked) image Ks. By comparing Ps and Pe, we can obtain L elements of lx and L elements of ly. If M = 4N = L, then the attack algorithm is over.
Step 3: If L = M < 4N, then let m = ⌈4×N/L⌉ − 1, r = 4N − m×L, and continue to select m plaintext images; each encoded image Pe has the form shown in Figure 3.
In Figure 3, each matrix Pe is divided into sub-blocks of L consecutive columns; the last sub-block may have fewer than L columns. For each selected plaintext image, only one sub-block of Pe contains both the characters "A" and "G", and the elements of the remaining sub-blocks are all "G". If r > 0, then the number of "A" in the last column of the last chosen-plaintext image is r. If r = 0, then the number of "A" in the last column of the last chosen-plaintext image is L. By using one of the m chosen plaintext images, one can obtain L or r elements of ly. The pseudo code of the algorithm in Step 3 is as follows:
    end if
    for j ← n×L+1:n×L+h
        Pe(1:j−n×L, j) ← 'A';
    end for j
    P ← Do DNA decode on Pe with rule 3;
    C ← Encrypt P by using the encryption machine of original algorithm;
    Pc ← Do DNA encode on C with rule 4;
    Ps ← Do DNAxor with Pc and Ks;
    for j ← 1:4N
        nj ← The number of "A" in column j of Ps;
        if nj > 0
            ly(j) ← n×L+nj;
        end if
    end for j
end for n
In Figure 4, each matrix Pe is divided into sub-blocks of L consecutive rows; the last sub-block may have fewer than L rows. For each selected plaintext image, only one sub-block of Pe contains both the characters "A" and "G", and the elements of the remaining sub-blocks are all "G". If r > 0, then the number of "A" in the last row of the last chosen-plaintext image is r. If r = 0, then the number of "A" in the last row of the last chosen-plaintext image is L. By using one of the m chosen plaintext images, one can obtain L or r elements of lx. The pseudo code of the algorithm in Step 4 is as follows:
    for i ← n×L+1:n×L+h
        Pe(i, 1:i−n×L) ← 'A';
    end for i
    P ← Do DNA decode on Pe with rule 3;
    C ← Encrypt P by using the encryption machine of original algorithm;
    Pc ← Do DNA encode on C with rule 4;
    Ps ← Do DNAxor with Pc and Ks;
Using the decoded key matrix Ks and the permutation arrays lx and ly, the target ciphertext image can be decrypted.
The pseudo code of the algorithm to decrypt CI is as follows:
Pc ← Do DNA encode on CI with rule 4;
Ps ← Do DNAxor with Pc and Ks;
for i ← 1:M
    for j ← 1:4N
        Pe(lx(i), ly(j)) ← Ps(i, j);
    end for j
end for i
P ← Do DNA decode on Pe with rule 3;
According to the algorithm described above, we can see that the number of chosen-plaintext images needed to decipher lx and ly may be 1, or
Therefore, the total number of chosen-plaintext images needed to decipher all the secret keys of {Ks, lx, ly} is 2, or ⌈4×N/M⌉+1, or ⌈M/(4×N)⌉+1, respectively.
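The three attack stages above, together with the DNAcode, DNAdecode and DNAxor functions of the DNA section, as an added Python example (not code from the paper). Assumptions: `make_oracle` is a constructed stand-in for the encryption machine with random lx, ly and Ks, the permutation is Ps(i, j) = Pe(lx(i), ly(j)) as in the decryption pseudo code, Table 2 is binary XOR under rule 3, all function names are hypothetical, and indices are 0-based.

```python
import random

RULE3 = {0: "G", 1: "A", 2: "T", 3: "C"}   # rules 3 and 4 of the page's Table 1,
RULE4 = {0: "C", 1: "A", 2: "T", 3: "G"}   # written as 2-bit value -> base

def dna_encode(img, rule):   # M x N pixels -> M x 4N bases, high bit pair first
    return [[rule[p >> s & 3] for p in row for s in (6, 4, 2, 0)] for row in img]

def dna_decode(dna, rule):
    inv = {b: v for v, b in rule.items()}
    return [[sum(inv[b] << s for b, s in zip(row[k:k + 4], (6, 4, 2, 0)))
             for k in range(0, len(row), 4)] for row in dna]

def dna_xor(x, y):
    # Assumption: Table 2 is binary XOR under rule 3 (fits DNAxor("A", "A") = "G").
    inv = {b: v for v, b in RULE3.items()}
    return [[RULE3[inv[a] ^ inv[b]] for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]

def make_oracle(M, N, seed=1):
    # Constructed stand-in for the encryption machine: random lx, ly, Ks (assumption).
    rng, W = random.Random(seed), 4 * N
    key = {"lx": rng.sample(range(M), M), "ly": rng.sample(range(W), W), "queries": 0,
           "ks": [[rng.choice("ACGT") for _ in range(W)] for _ in range(M)]}
    def encrypt(img):
        key["queries"] += 1
        pe = dna_encode(img, RULE3)
        ps = [[pe[r][c] for c in key["ly"]] for r in key["lx"]]  # Ps(i,j) = Pe(lx(i), ly(j))
        return dna_decode(dna_xor(ps, key["ks"]), RULE4)
    return encrypt, key

def recover_keys(encrypt, M, N):
    W = 4 * N
    L, big = sorted((M, W))
    blank = lambda: [["G"] * W for _ in range(M)]
    a_counts = lambda ps, rows: [v.count("A") for v in (ps if rows else zip(*ps))]
    def probe(pe, ks):                       # chosen Pe -> Ps = Pc xor Ks
        return dna_xor(dna_encode(encrypt(dna_decode(pe, RULE3)), RULE4), ks)
    ks = probe(blank(), blank())             # all-zero image: Ps is all "G", so Pc = Ks
    lx, ly = [None] * M, [None] * W
    pe = blank()                             # Step 2: row i starts with i+1 "A"s
    for i in range(L):
        pe[i][:i + 1] = "A" * (i + 1)
    ps = probe(pe, ks)
    for i, c in enumerate(a_counts(ps, True)):
        if c: lx[i] = c - 1
    for j, c in enumerate(a_counts(ps, False)):
        if c: ly[j] = L - c
    for n in range(1, -(-big // L)):         # Steps 3/4: one image per further block
        pe, wide = blank(), W > M
        for k in range(min(L, big - n * L)):
            for t in range(k + 1):           # line n*L+k of the long side gets k+1 "A"s
                r, c = (t, n * L + k) if wide else (n * L + k, t)
                pe[r][c] = "A"
        for idx, c in enumerate(a_counts(probe(pe, ks), not wide)):
            if c: (ly if wide else lx)[idx] = n * L + c - 1
    return ks, lx, ly

def decrypt(cipher, ks, lx, ly):
    ps = dna_xor(dna_encode(cipher, RULE4), ks)
    pe = [[None] * len(ly) for _ in lx]
    for i, r in enumerate(lx):
        for j, c in enumerate(ly):
            pe[r][c] = ps[i][j]
    return dna_decode(pe, RULE3)
```

For M = 8, N = 2 the oracle is queried twice and for M = 9, N = 2 three times, the counts stated for Cases 4 and 5. The recovery works because lx, ly and Ks do not depend on the plaintext, which is the design property a defender would need to change.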

Simulation Experiments for Deciphering
To verify the effectiveness of the proposed chosen-plaintext attack algorithm, we give some experimental results on several representative images with different sizes. The secret key parameters of the cryptosystem are set as    Figure 8a, and its corresponding ciphertext image is shown in

Case 4:
A simple numerical example in the case of M = 4N. The original image is a simple image with a size of 8×2, whose matrix is shown in Equation (7) and the matrix of its corresponding ciphertext image is shown in Equation (8). In this case, M = 8, N = 2, and the total number of chosen-plaintext images needed to decipher the target cipher image of Equation (8) is ⌈4×N/M⌉+1 = 2. The two chosen-plaintext images are shown in Equations (9) and (10), respectively. The cracked image is shown in Equation (11), which coincides with Equation (7).

Case 5:
A simple numerical example in the case of M > 4N. The original image is a simple image with a size of 9×2, whose matrix is shown in Equation (12) and the matrix of its corresponding cipher image is shown in Equation (13). In this case, M = 9, N = 2, and the total number of chosen-plaintext images needed to decipher the target ciphertext image of Equation (13) is ⌈M/(4×N)⌉+1 = 3. The three chosen-plaintext images are shown from Equations (14)-(16), respectively. The cracked image is shown in Equation (17)


Conclusions
In this paper, the security of a novel image fusion encryption algorithm, based on DNA coding and a hyper-chaotic system, was analyzed in detail. We find that the key stream has nothing to do with the plaintext image and that the plaintext image can be finally cracked by a chosen-plaintext attack. The chosen-plaintext attack algorithm is described with intuitive and clear expression. In our attack algorithm, it only needs ⌈ 4×N/M ⌉ +1 (if