Cryptanalysis of an Image Encryption Algorithm Based on a 2D Hyperchaotic Map

Recently, an image encryption scheme based on a 2D hyperchaotic map is proposed. It adopts the permutation–diffusion architecture and consists of three steps, which are permutation, forward diffusion, and backward diffusion. In this paper, we break this cipher with both the chosen-plaintext attack (CPA) and the chosen-ciphertext attack (CCA). According to our analysis, we found the two complex diffusion processes could be simplified into two simple diffusions and a modular addition operation. Based on this, the equivalent key can be obtained with CPA and CCA. Detailed theoretical derivations and the results of experiments confirmed the feasibility of our attack methods. When the image size was 256×256, the running time of the attacks was less than 2 hours on a laptop with a 2.59 GHz Intel Core i7 and 16 GB DDR3 memory. Other sizes of images were also tested, and some rules were found. In addition, the probability of other attacks has also been discussed, and some suggestions for improvements are given. The source codes are publicly available and can be found online.


Introduction
With the dramatic developments of communication technology, we have witnessed in recent years increasing popularity of secure transmission of multimedia data. The image is a common data model, and cryptographic methods are of critical importance for information sharing. Unfortunately, images are different from text in terms of their inherent properties, such as the large data volume and high redundancy [1][2][3]. If we use the traditional textual encryption methods such as 3DES and AES to encrypt images, it tends to lead to low efficiency and cannot fulfill the requirement of real-time transmission. Therefore, many encryption methods specifically for images have been proposed [4,5].
Due to the features of initial value sensitivity, ergodicity, and random similarity [6,7], chaotic systems are able to meet the needs of encryption processes. Many encryption schemes based on chaos have been proposed [8][9][10][11][12]. Fridrich proposed the first permutationdiffusion architecture image encryption scheme in 1998 [1], which became a paradigm adopted by other people. Some encryption schemes combined various mathematical theories of interesting problems [13,14]; for example, Josephus Problem was employed in [13] for designing a secure and efficient image encryption scheme. Some encryption schemes combine DNA coding technologies to acquire the confusion effect similarly to S-box [15][16][17]. Most schemes encrypt the image as a whole, but a few methods divide the image into several small blocks for encryption; e.g., Zhang et al. [18] decomposed the plaintext image into two components, achieving faster encryption speed and higher security. Most of these methods are a combination of permutation and diffusion operations, but there exist a few permutation-only methods, such as [19].
• An image encryption scheme was broken by both CCA and CPA. • The equivalent process of original encryption algorithm is given. • Detailed theoretical derivations and experimental results are given to confirm the feasibility of our approaches. • The probabilities of other attack methods and some suggestions for improvements are also given.
The remainder of this paper is organized as follows. The second section briefly introduces the original image encryption scheme. Section 3 shows the theoretical analysis and derivation. Section 4 presents the equivalent process of the original image encryption scheme and the details of attacks. Experimental results are provided in Section 5. The possibility of other attacks and some suggestions for improvements are also discussed in Section 5. Finally, the last section concludes this work.

The Original Image Encryption Scheme
We briefly summarize the encryption scheme, and interested readers can find more details in [40].

Notation
Most of the notation adopted is listed in Table 1. Complementary descriptions are described as follows: • Generally, P and C denote the plaintext and ciphertext in an encryption scheme, respectively, and S refers to the intermediate result in a process. The plaintext image P is assumed to have a size of H × W.

•
The modular subtraction of two plaintext images is defined as their differential, denoted as ∆P.

•
The notation T represents the equivalent key matrix of the diffusion process. The notation SC represents the intermediate result of the target plaintext image and ciphertext image. Table 1. Summary of the notation.

Notation Description
A generally denotes an matrix, some also represent a value A(i,j) an element in row i, column j of a matrix

The Encryption Procedures
The encryption scheme under study is a permutation-diffusion architecture. It consists of four steps: row shifting, column shifting, forward diffusion and backward diffusion. The row and column shifting can be considered as permutation operations, and the subsequent operations are diffusion. Figure 1 is an overall flowchart of the encryption scheme. The function max(x, y) returns the greater number of x and y. The secret key generates encryption elements through the chaotic system for the encryption process.  1. Generation of the key stream.
(a) Iterate the following 2D hyperchaotic system, i.e., Equation (1), (m + N) times to obtain the secret key flow sequence X and Y of the permutation process, where N is the greater number of H and W. The sequences X and Y discarded the first m values to get the more stable chaotic sequences. The parameters and initial values of the 2D hyperchaotic map, which include h, r, X(0) and Y(0), are the secret keys of the encryption scheme, where h ∈ [3,7] and r ∈ [2,6]. In the original encryption paper, the author used h = 5, r = 5, X(0) = 0.5, and Y(0) = 0.5. Interested readers can find more information about the 2D hyperchaotic map in [40][41][42].
(b) Vectors R1 and C1 for permutation are generated by X and Y through Equation (2). The function floor() rounds the original number to the nearest integer less than or equal to it.
(c) Iterate the same chaotic system, i.e., Equation (1), (n + H × W) times to obtain the secret key flow sequence X1 and Y1. The sequences X1 and Y1 discard the first n values to get the more stable chaotic sequences. The sequences X2 and Y2 are then obtained by Equation (3). The function round() rounds the original number to the nearest integer.
X2(i) = (round(1000(|X1(i) × 10 16 | − floor(|X1(i)| × 10 16 )))) mod 256 Y2(i) = (round(1000(|Y1(i) × 10 16 | − floor(|Y1(i)| × 10 16 )))) mod 256 . ( (d) Finally, we can get the matrixes D1 and D2 for forward and backward diffusion from X2 and Y2 by Equation (4). The function reshape() is used to change the size of a matrix. If the input is a matrix of size M × N and the output is a matrix of size H × W, then it must satisfy M × N = H × W. The elements of the matrix are read by column and stored by column. The function reshape(X, M, N) returns the M-by-N matrix whose elements are taken column-wise from X.
2. Row shifting The image P is row-permuted with chaotic sequences X and R1. The permutation principles are shown in Figure 2. For the input image with size 4 × 4, R1(i) = 1, when X(i) > 0, the principle is shown in Figure 2a; for X(i) < 0, the process is shown in Figure 2b. 3. Column shifting Similarly, the column-permuted result is obtained by chaotic sequences Y and C1. The permutation principles are shown in Figure 3. For the input image with size 4 × 4, C1(i) = 1, when Y(i) > 0, the principle is shown in Figure 3a; when Y(i) < 0, the process is shown in Figure 3b.

Forward diffusion
With the help of D1 generated before, the forward diffusion is implemented according to Equation (5), in which S2 is the forward diffusion result and S1 represents the input image after row and column shifting, i = 2, 3, 4, · · · , H; j = 2, 3, 4, · · · , W.
5. Backward diffusion Similarly, the backward diffusion process is performed with the matrix D2, which is generated before. The diffusion operation is described in

Security Analysis
The original encryption scheme has two main steps, which are permutation and diffusion. The secret key generates the key stream at each step through a novel chaotic system. For the permutation phase, we use a permutation matrix as the equivalent key. For the diffusion phase, the equivalent keys are two matrices. According to our analysis, it is enough to use only one matrix as the equivalent key in the diffusion phase.
Before describing the attack method, we give some necessary conclusions and prove them.

Theorem 1.
If we only consider the diffusion phase of the encryption scheme, each pixel value of the ciphertext is the sum of the pixel values of the plaintext and the corresponding location value of the equivalent key matrix, which is given by where f p (i, j) represents a variable that is related to the values of plaintext and its location and T(i, j) represents the corresponding value of the equivalent key matrix T which is dependent on the secret key.
Proof of Theorem 1. We prove the forward diffusion process, which has four diffusion principles. The backward diffusion is symmetric with the forward diffusion and has the same theorem.

1.
For the first formula of the forward diffusion phase, i.e., the first subformula of Equation (5), we are able to obtain Obviously, Equation (8) satisfies the form of Equation (7). So the first value of the pixel satisfies Equation (7).

2.
For the second formula of the forward diffusion phase, it is derived by: If we add both sides of this equation, we get Substitute Equation (8) into Equation (9). We obtain Equation (10).
It was found that Equation (10) also satisfies the form of Equation (7). In other words, the values of the first row satisfy Equation (7). 3.
The derivation of the third part is very similar to that of the second stage. For the third formula of forward diffusion, it is deduced from: Similarly, we can conclude We were able to find that Equation (11) also satisfies the form of Equation (7). In other words, the values of the first column satisfy Equation (7). 4.
In this section, we use a method which is similar to mathematical induction. As shown in Figure 4, if we assume that both pixel values, a and b, satisfy Equation (7), which is able to deduce that the value c also satisfies Equation (7), then if both the pixels of the first row and first column satisfy Equation (7), we can deduce that all the pixels satisfy Equation (7). It seems that this theorem will be transferred from the left and upper pixels to the middle pixels. If we suppose Equations (12) and (13) are correct and substitute Equations (12) and (13) into the last formula of forward diffusion, we can obtain Equation (14).
From Equation (14), we can deduce that if we suppose the pixel C(i, j − 1) and pixel C(i − 1, j) satisfy Equation (7), then pixel C(i, j) satisfies Equation (7). These pixels correspond to the pixels a, b, and c of Figure 4. With i = 2 and j = 2, the pixels C(1, 2) and C(2, 1) satisfyEquation (7). Both the pixels of the first row and the first column satisfy Equation (7), which can be derived from the previous proof. Therefore, all the pixels of the image satisfy Equation (7).

Theorem 2.
If we only consider the diffusion phase, the differential of ciphertexts is related to the differential of plaintexts. More specifically, the module subtraction of the pixel value of the ciphertext images is the module subtraction of the plaintext images after the diffusion process without encryption parameters.
Proof of Theorem 2. From the conclusion in Theorem 1, we can obtain

The Equivalent Processes
According to our analysis, the original encryption algorithm is equivalent to the combination of some simple processes, in which the encryption elements consist of a permutation matrix and an equivalent diffusion matrix.

The Equivalent Encryption Process
The equivalent encryption process comprises four phases, i.e., permutation, simple forward diffusion, simple backward diffusion, and modular addition with the equivalent key matrix.

Permutation
The plaintext image permutes its pixels with the permutation matrix through Equation (16). An illustration is shown in Figure 5.
4. Modular addition with the equivalent key The final ciphertext image C will be generated using the diffusion result S2 and the equivalent key matrix T through Equation (19).

The Decryption Process
Corresponding to the equivalent encryption process, the decryption process consists of four steps. They are modular subtraction, inverse backward diffusion, inverse forward diffusion, and inverse permutation.

Modular subtraction with an equivalent key matrix
The immediate result S2 will be obtained from Equation (20), where C represents the final ciphertext image and T represents the equivalent key matrix.

Inverse permutation
The plaintext image P will be obtained using the intermediate result S and permutation matrix from Equation (23). An illustration is shown in Figure 6.

The Proposed Chosen-Plaintext Attack
In a chosen-plaintext attack scenario, the attackers can freely select a set of plaintexts and get the corresponding ciphertexts. Then, the information of secret key or encryption elements will be derived by these known plaintext-ciphertext pairs. The attackers use them to recover the target plaintext.
When we take an all-zero image as input, the permutation result is also an all-zero image. Then, we use the images before and after diffusion to obtain the equivalent key at this stage. When encryption elements in the diffusion stage are acquired, the encryption algorithm is simplified into a permutation process. The special plaintext-ciphertext pairs are then constructed to obtain the equivalent permutation matrix. Finally, we recover the plaintext using the previously obtained equivalent key.
Algorithm 1 reveals the process of the proposed chosen-plaintext attack. The details of Algorithm 1 are described below. Ci = encrypt(Pi); 9: end for 10: // step3: obtain log L (HW) middle results with the diffusion matrix T and the ciphertexts which are obtained in the step2 11: for i = 1 to log L (HW) do 12: Si =inverseDiffusionAttack(Ci − T); 13: end for 14: // step4: obtain the equivalent permutation matrix by the input plaintexts and the middle results 15: for i = 1 to log L (HW) do 16: JolfaeiAlgorithmAdd(Pi, Si); 17: end for 18 1. Construct an all-zero matrix and obtain the equivalent key T.

•
The permutation process has no effect on an all-zero image, so we can get one pair of input and output of the diffusion phase. • According to Theorem 1, i.e., C(i, j) = f P (i, j) + T(i, j), when P0 = zeros(H, W), then C0 = T. 2. Initialize log L (HW) matrices and get the corresponding ciphertexts

•
The function JolfaeiAlgorithmGeneration() is used to generate specially designed plaintexts of JolfaeiAlgorithm(). The function JolfaeiAlgorithmAdd() takes the specially designed plaintext-ciphertext pairs as input to the JolfaeiAlgorithm(). Readers can find more information in Appendix A.
3. Obtain log L (HW) middle results with the diffusion matrix T.

Obtain the equivalent permutation matrix
• The function JolfaeiAlgorithm(), i.e., Jolfaei's algorithm [2], is a chosen-plaintext attack method for permutation-only image encryption algorithms. Interested readers can find more details in Appendix A.

Recover the plaintext •
The function inversePermute() refers to the process of Equation (23).

The Proposed Chosen-Ciphertext Attack
In cryptanalysis, in contrast to chosen-plaintext attack, chosen-ciphertext attackers are able to obtain the plaintexts of the ciphertexts which they specially designed. After that, attackers acquire secret encryption elements or equivalent key streams. The plaintext that attackers wish to recover is retrieved after easily obtaining the necessary information.
For the current encryption algorithm under study, we found that making a differential of the ciphertexts eliminates the equivalent key stream of the diffusion phase. With this property, we can simplify the encryption algorithm to a permutation-only process. We can use the existing algorithm to obtain the equivalent permutation matrix. After obtaining the middle results, we can also obtain the equivalent key of diffusion. When all the necessary information has been collected, we then recover the plaintext as we did in chosen-plaintext method.
Algorithm 2 discloses the process of the proposed chosen-ciphertext attack. The details of Algorithm 2 are described below.

•
The functions diffusionAttack() are the processes of Equations (17) and (18). 2. Get the equivalent permutation matrix • The differential of plaintexts and the differential of ciphertexts follow the same permutation principle. Thus, we can use these differentials to obtain the permutation matrix by Jolfaei's algorithm.

Obtain an intermediate result with the permutation matrix.
• The function permute() is the process of Equation (16).

Experimental Results
This section presents the experiment results, which well validate the feasibility of our attack (The test images. Available online: https://sipi.usc.edu/database/database.php?volume=misc (accessed on 20 October 2022)). The proposed attacks and the studied encrytption schemes were implemented by simulations using matlab 2021a on a laptop with specifications of 2.59 GHz Intel Core i7 and 16 GB DDR3 memory, and the source code is openly accessible (The source code. Available online: https://github.com/F-cook/attack_test.git (accessed on 20 October 2022)).
The experimental results show the plaintext image was recovered successfully. The recovered image is exactly same as the plaintext image. Both CCA and CPA recovered the image without any error. When the image size was 256 × 256, the running time of CPA was 6776.714213s, and that of CCA was 6754.676951s. The original image is shown in Figure 7a, and the encrypted is shown in Figure 7b. Figure 7c shows the image recovered by CPA, and Figure 7d shows the image recovered by CCA. In addition, other sizes of images were also tested in our experiments. The running times of our attacks on different sizes of images are shown in Figure 8. All the images which were tested in our experiments are gray images. The original encryption scheme was designed for gray images and regards a color image as three gray images. Therefore, our methods are also applicable to color images, and the attack time on a color image is three times as long as that on a gray image of the same size. It is worth mentioning that all the experimental results were obtained in our computing environment, which was a laptop with computing specifications of 2.59 GHz Intel Core i7 and 16 GB DDR3 memory. The running time of attack methods varied greatly in different environments.
It is found that as the image size becomes greater, the running time of the CPA and CCA increases rapidly. The CPA is a little faster than CCA. This is because the CCA needs to build more complex inputs to obtain the equivalent secret key.

The Probabilities of Other Attacks
As mentioned above, chosen-plaintext and chosen-ciphertext attacks are effective against the original encryption algorithm, and both attack methods exploit the weaknesses of the scheme. Below we briefly discuss the feasibility of known-plaintext and ciphertextonly attacks.
In the scenario of a known-plaintext attack, the attacker has a set of ciphertexts to which they know the corresponding plaintexts. The attacker cannot control the plaintextciphertexts pairs. In this case, random plain-ciphertext pairs often bring redundant information that is helpful in attacking the secret key system. If only the scrambling process is considered, in order to obtain a complete equivalent key stream, an extremely large number of random plaintext and ciphertext pairs are required, which makes it impossible to implement an attack in reality.
If an encryption system is resistant to known-plaintext attacks, then it must be resistant to ciphertext-only attacks. In the scenario of a ciphertext-only attack, the cryptanalyst has access only to a collection of ciphertexts. Attackers can generally guess the ciphertext corresponding to some plaintexts based on some plaintext format information, etc., and infer the secret key information based on the correspondence between very few plaintext ciphertexts. However, for the encryption system analyzed in this article, it is difficult to obtain a small amount of guessed information, and it is impossible to crack the entire encryption system.

Some Suggestions for Improvements
The original encryption scheme is vulnerable to both chosen-plaintext and chosenciphertext attacks. The complex encryption can be equivalent to simple processes, and the equivalent key can be obtained by CCA or CPA. In order to improve the security of the original encryption algorithm, some potentially useful suggestions are given below.

•
It is suggested that the secret key includes plaintext-related information. The plaintextdependent ciphers are highly resistant to plaintext attacks. Hash value and the hamming distance are common technologies which have high security. • Multiple rounds of encryption are recommended. Multiple rounds of encryption help ciphers to achieve a high level of security. Different keys can be used in different rounds, but there should not be too many rounds so as not to affect the encryption efficiency. • Some random information can be added to the encryption process. Random encryption elements cannot be obtained by various attacks and are very helpful to improve the security level of the encryption scheme.

Limitations and Future Works
Our proposed attack methods, which include CPA and CCA, are special for the original encryption scheme. In other words, they are not universal and cannot be applied to other different image ciphers. However, the idea of obtaining the equivalent key and eliminating the diffusion process may be applied to future cryptanalysis works. In addition, the original encryption scheme may have other flaws which can be used to break it. The permutation process is line by line, which will lead to unrandom results. There may be a more simple way to break the scheme. We only demonstrated the feasibility of our approaches in this paper.
We will explore the more general method to break a family of image encryption schemes. These schemes may have similar encryption processes or common weaknesses. We will use the weaknesses to obtain the equivalent key to break the scheme. More effective attack methods will be proposed. The corresponding suggestions will be also given to resist similar attacks. We believe that better image encryption schemes will be designed in the future.

Conclusions
In this paper, a permutation-diffusion image encryption based on a 2D hyperchaotic cap was cryptanalyzed, and two attacks, CPA and CCA, were proposed. The equivalent key of the original encryption was obtained, and the transformed process was also described in detail. The theory of the attack method was given by the detailed formula derivation. Different sizes of images were tested in the experiments to demonstrate the feasibility of the two attacks. The other attacks were discussed, and some suggestions for improvements were given. We believe that the ideas of this paper will provide an example of similar cryptanalysis works and give suggestions for the design of image schemes in the future.
Author Contributions: C.Z. carried out numerical simulation and analysis; J.C. and D.C. studied the proofs of relevant theories; C.Z. wrote the paper; J.C. and D.C. revised the manuscript. All authors have read and agreed to the published version of the manuscript. Acknowledgments: Special thanks to ABDULHAMID VICTOR IBRAHIM for his editing and modification of the paper.

Conflicts of Interest:
The authors declare that they have no conflict of interest.

Appendix A. The introduction of Jolfaei's Algorithm
Jolfaei's algorithm [2] is a chosen-plaintext attack for permutation-only ciphers. When the size of plaintext image is H × W, the required plaintext-ciphertext pairs are log L (HW) .
Permutation processes change the positions of pixels of the input image. An image which is of size H × W with L different color intensities has H × W locations and at most L different pixel values. Thus, one plaintext-ciphertext image pair determines at most L positions of an image. The number n of plaintext-ciphertext image pairs required to break the permutation-only image cipher must satisfy Equation (A1).
L n ≥ HW.
Based on Equation (A2), we found that the number n is at least log L (HW). To minimize the amount of chosen plain images required, we designed the plaintext with specific rules.
To illustrate the special plaintext design rule, consider a 5 × 5 image. If the L = 3, then the permutation can be determined by log 3 (5 × 5) = 3 plaintext-ciphertext image pairs. The three special plaintext images are shown in Figure A1. The chosen-plaintext images are obtained by splitting the first image into three. The complete permutation rules are obtained by these chosen-plaintext images and their ciphertext images.
inverse permutation (2,2) (1,1) Lastly, we utilize an example to illustrate the complete attack procedure. We propose a permutation principle, which is shown in Figure A2, and H = W = L = 2. The complete attack process for obtaining the permutation matrix is shown in Figure A3. Firstly, we construct the chosen plaintexts from the plaintext image. Then we obtain the ciphertexts corresponding to the chosen plaintexts. After that, we find all possible cases based on the obtained plaintext-ciphertext pairs. Finally, we obtain the correct scrambling rule by taking the intersection of all possible outcomes.