Cryptanalyzing and Improving an Image Encryption Algorithm Based on Chaotic Dual Scrambling of Pixel Position and Bit

An image encryption algorithm for the double scrambling of the pixel position and bit was cryptanalyzed. In the original image encryption algorithm, the positions of pixels were shuffled totally with the chaotic sequence. Then, the 0 and 1-bit positions of image pixels were scrambled through the use of another chaotic sequence generated by the input key. The authors claimed that the algorithm was able to resist the chosen-plaintext attack. However, through the analysis of the encryption algorithm, it was found that the equivalent key of the whole encryption algorithm was the scrambling sequence T in the global scrambling stage, the pixel bit level scrambling sequence WT and the diffusion sequence S. The generation of scrambling sequence T is related to the sum of all pixel values of the plaintext image, while the generation of WT and S is not associated with the image to be encrypted. By using a chosen-plaintext attack, these equivalent key streams can be cracked so as to realize the decoding of the original chaotic encryption algorithm. Both theoretical analysis and experimental results verify the feasibility of the chosen-plaintext attack strategy. Finally, an improved algorithm was proposed to overcome the defect, which can resist the chosen-plaintext attack and has the encryption effect of a “one time pad”.


Introduction
As we all know, all kinds of information are transmitted and stored through the network. Digital images have been widely used as a data format. Because digital images contain some personal privacy information or important confidential information, how to protect images is an important topic. For the security of image information, scholars have proposed many technologies, such as data hiding [1], encryption [2], and watermarking [3]. Among these technologies, image encryption technology is the most direct method, which converts the original visual image to a noise image [4,5]. Generally speaking, image encryption algorithms include scrambling and diffusion algorithms. The scrambling algorithm means changing the pixel position, while the diffusion algorithm means changing the pixel value. Due to the particularity of chaotic sequences, such as pseudo-random, aperiodic, and highly sensitive to control parameters and initial conditions, and the ability to generate a large number of chaotic sequences quickly and accurately, these characteristics make chaotic systems especially suitable for image encryption. Since Fridrich [6] first designed an image encryption algorithm based on a 2D chaotic map, researchers have designed various image encryption algorithms using chaotic systems [7][8][9][10][11][12][13][14]. Here, some typical image encryption algorithms are introduced as follows. Yang et al. [7] analyzed the dynamic characteristics of the fractional order laser chaotic system and designed an image encryption algorithm. In order to overcome the difficulty of key management in a "one-time pad" encryption scheme and resist the attack of chosen plaintext, Zhu et al. [8] proposed an image encryption algorithm based on chaos and SHA-256. The algorithm adopted the ciphertext feedback mechanism of a dynamic index; that is, the position index of the (log 256 (3 × M × N) + 4) pair of chosen plain images and the corresponding cipher images, where M × N and '3 are the size of the RGB color image and the number of color channels, respectively. The cryptanalysis of a hybrid secure image encryption scheme based on Julia set, and three dimensional Lorenz chaotic system was presented in [20], in which a practical chosen-plaintext attack was performed, which reveals that the cryptosystem, depending on only multiplication and bitwise XOR operation, could be effortlessly attacked. Ma et al. [21] gave a thorough security analysis of an image block encryption algorithm based on chaotic maps and found some critical security defects in the algorithm; then, the authors obtained an equivalent secret key from five chosen plain images and the corresponding cipher images. Zhu et al. [22] analyzed the security of image encryption systems based on bit-plane extraction and multi-chaos and recovered the equivalent diffusion key and the equivalent permutation key by only two special plaintext images and their corresponding cipher images. Liu et al. [23] analyzed the security performance of an image encryption algorithm based on a first-order time-delay system IEATD and the enhanced version IEACD and designed an efficient chosen-plaintext attack, and verified it with extensive experiments. Zhang [24] analyzed an image cryptosystem based on circular inter-intra pixels bit-level permutation and found some defects of it, such as its row-based scrambling being invalid for the special images and lacking diffusion operations in its processes. Meanwhile, the image encryption algorithm was cracked through the use of only a pair of chosen plaincipher images or a pair of known plain-cipher images. It can be seen that the main reason for the above algorithms to be cracked is that the keystream used by the encryption system is independent of the image to be encrypted, which makes the encryption system unable to resist the chosen-plaintext attack and chosen-ciphertext attack.
Deng et al. [25] proposed an image chaotic encryption algorithm with the double scrambling of the pixel position and bit. The algorithm uses Kent chaotic mapping to generate the key sequence and generates the parameters of the chaotic system and the number of pre-iterations, respectively, according to the characteristics of the plaintext pixel value and the input key. First, chaotic sequences were used to realize the global scrambling of image pixel positions. Secondly, according to another newly generated chaotic sequence, the 0-bit and 1-bit image pixel values were scrambled. The algorithm has the advantages of simple encryption and large key space and can resist the attacks of statistical analysis and differential analysis. However, through our in-depth analysis, it was found that the algorithm could not resist the attack of chosen plaintext. On the assumption that the sum of all the pixels of the plaintext image was an input parameter, we could successively crack three equivalent key streams of the encryption algorithm by 9 + ceil(log 256 m)+ ceil(log 256 n) plaintext gray images and their corresponding ciphertext images. This paper is arranged as follows: In Section 2, we briefly introduce the original encryption algorithm in reference [25]. In Section 3, the security of the original encryption algorithms in the literature [25] is analyzed, and the security vulnerabilities are found. The equivalent key streams of the original algorithm can be cracked one by one by using the chosen plaintext attack method. In Section 4, the proposed attack algorithm is simulated. An improved algorithm is proposed based on the original algorithm that can resist the chosen-plaintext attack in Section 5. In Section 6, the security of the improved algorithm is simulated and analyzed, and its superiority in resisting attacks is verified. Finally, the summary and conclusion of the full text are given in Section 7.

Description of the Original Encryption Algorithm
The original encryption algorithm to be analyzed in this paper is from reference [25]. In this section, we first undertake a concise description of this algorithm.

Chaotic System
The chaotic system used in the original encryption system is the Kent map [26], and its mapping function is shown in Equation (1).
When the initial value x 0 of the Kent map satisfies x 0 ∈ (0, 1), and the control parameter a satisfies a ∈ (0, 1), the Kent map has a positive Lyapunov exponent, which indicates that the Kent map is a chaotic system. We take the initial value x 0 = 0.43765, a = 0.8976; the results obtained by 30,000 iterations of Equation (1) are shown in Figure 1. It can be seen from Figure 1 that the iteration value covers the entire interval, which indicates that system (1) has chaotic characteristics such as pseudorandom, boundedness, ergodicity, etc.

Description of the Original Encryption Algorithm
The original encryption algorithm to be analyzed in this paper is from reference [25]. In this section, we first undertake a concise description of this algorithm.

Chaotic System
The chaotic system used in the original encryption system is the Kent map [26], and its mapping function is shown in Equation (1).
When the initial value x0 of the Kent map satisfies x0 ∈ (0, 1), and the control parameter a satisfies a ∈ (0, 1), the Kent map has a positive Lyapunov exponent, which indicates that the Kent map is a chaotic system. We take the initial value x0 = 0.43765, a = 0.8976; the results obtained by 30,000 iterations of Equation (1) are shown in Figure 1. It can be seen from Figure 1 that the iteration value covers the entire interval, which indicates that system (1) has chaotic characteristics such as pseudorandom, boundedness, ergodicity, etc.

Encryption Process
The encryption algorithm mainly includes two parts. The first part is the global scrambling based on pixel position. The second part is the scrambling process based on the bit level and the diffusion operation of the intermediate ciphertext.

Global Scrambling of Pixel Positions
The pixel position scrambling operation is mainly to break the correlation of adjacent pixels. The specific steps are as follows: Step 1: Convert the digital image matrix A with the size of m × n into a one-dimensional sequence P with the length of m × n. P = (p(1), p(2), …, p(mn)) Step 2: Calculate the sum of all the pixel values, and use formula (2) and formula (3) to calculate the control parameter a of the Kent mapping and pre-iteration number K + mn of the Kent map, respectively.

Encryption Process
The encryption algorithm mainly includes two parts. The first part is the global scrambling based on pixel position. The second part is the scrambling process based on the bit level and the diffusion operation of the intermediate ciphertext.

Global Scrambling of Pixel Positions
The pixel position scrambling operation is mainly to break the correlation of adjacent pixels. The specific steps are as follows: Step 1: Convert the digital image matrix A with the size of m × n into a onedimensional sequence P with the length of m × n. P = (p(1), p(2), . . . , p(mn)) Step 2: Calculate the sum of all the pixel values, and use Formulas (2) and (3) to calculate the control parameter a of the Kent mapping and pre-iteration number K + mn of the Kent map, respectively. a = sum/10 8 (2) Step 3: Take the result a calculated by the formula (2) as the control parameter of the Kent map, set x 0 as the initial value of Kthe ent map, and iterate the Kent map K + mn times to generate a chaotic sequence with the length of K + mn. Discard the first K values to obtain the sequence L with the length of mn. L = (l(1), l(2), . . . , l(mn)).The chaotic sequence L is sorted in ascending order to obtain the ordered sequence L' = (l'(1), l'(2), . . . , l'(mn)) and the new sequence T = (t(1), t(2), . . . , t(mn)) is used to record the position of each element in the original sequence L Step 4: Use the sequence T to scramble the plaintext sequence P according to the Formula (4) to obtain scrambled image P' = (p'(1), p'(2), . . . , p'(mn)) p (i) = p(t(i)), i = 1, 2, 3, . . . , mn It can be seen that the generation of the sequence T in the global scrambling stage is related to the image to be encrypted. Different encrypted images have different scrambling sequences T.

Scrambling and Diffusion Based on the Bit Level of Pixel Values
Step 1: Reset the control parameter a 2 of the Kent mapping and iterate Kent map K 2 + mn times to generate a chaotic sequence with the length of K 2 + mn. Discard the first K 2 values to obtain the sequence D with the length of mn, where D = (d(1), d(2), . . . , d(mn)).
Step 2 Step 3: Convert the pixel value P'(i) in the scrambled image P' into a binary form to generate an array P Bit = {Bit (1), Bit Step 4: Use the following Equations (5) and (6) to re-encrypt the intermediate ciphertext C' to obtain the final ciphertext sequence C = {c(1), c(2), . . . , c(mn)}.
In particular, c(0) is required for the encryption of the first point (i = 1), and c(0) = 98 is a constant. The decryption process is the reverse process of the encryption process, which is not repeated here.
In this stage, we especially noticed that when generating the chaotic sequence D, the parameter a 2 and the iteration number K 2 of the Tent map were not correlated with the plaintext image. That is to say, the generation of the chaotic sequence D was independent of the plaintext image, which is the key to cracking the encryption algorithm. It can be seen that the operation in this stage completely depended on the position index sequence WT and the sequence S = (s(1), s(2), . . . , s(mn)), and the generations of these two sequences are completely transformed from the chaotic sequence D, while the generation of D has no relationship with the image to be encrypted.

Security Analysis of Original Image Chaotic Encryption Algorithm
From the encryption process of the original algorithm, we can see that the equivalent keys of the entire encryption algorithm are the scrambling sequence T, the pixel bit position scrambling sequence WT, and the diffusion sequence S. The generation of the scrambling Entropy 2023, 25, 400 6 of 17 sequence T is related to the sum of all the pixel values of the plaintext image, while the generations of WT and S are transformed from the chaotic sequence D, and the generation of D is not correlated with the image to be encrypted. That is to say, WT and S, which are used to encrypt different plaintext images, remain unchanged, which is the key to cracking the original algorithm. Next, we will crack the sequence WT and S one by one using the chosen plaintext attack method. Then, the global scrambling sequence T is cracked based on the assumption that the sum of all pixels of the plaintext image is an input parameter. The so-called chosen plaintext attack [27] means that the attacker temporarily obtains the right to use the encryption machine. Therefore, he can encrypt any plaintext and obtain the corresponding ciphertext to decode all or part of the plaintext and keys.

Cracking Diffusion Sequence S
The specific steps to crack sequence S are as follows: Step 1: Use the original algorithm to encrypt an image P 0 with the same size as the target ciphertext and all zero pixel values. It can be seen from the encryption process that pixel scrambling and bit position scrambling have no effect on P 0 ; that is, the intermediate ciphertext C 0 obtained after pixel scrambling and the bit position scrambling satisfies C 0 = P 0 . Therefore, the ciphertext C obtained by encrypting the image P 0 is shown in the Formula (7): Step 2: S can be solved from Equation (7), as shown in the Formula (8).

Cracking Equivalent Bit Scrambling Matrix WT
In order to obtain the equivalent position matrix, the WT of bit scrambling, eight images TP i , and a pixel value of 2 i−1 are constructed, i ∈ [1, 2, 3, 4, 5, 6, 7, 8] Input the constructed eight images TP i into the original encryption algorithm to obtain the corresponding ciphertexts TC i , and then use the equivalent key S decoded in step 1 to obtain eight intermediate ciphertexts TC i ' . Taking TC 1 ' as an example, suppose that TC 1 (1, 1) = 64, and it is converted into the following binary (0, 1, 0, 0, 0, 0, 0, 0, 0), it can be found that the pixel value changes from the initial (0, 0, 0, 0, 0, 0, 0, 1) to (0, 1, 0, 0, 0, 0) after bit scrambling; that is, the bit scrambling encryption process change the digit 1 from the eighth-bit before encryption to the second bit after encryption, compared to the scrambling rule of the WT(1, 1) position that can be obtained, The rule changes of other positions can also be obtained. The changes are stored in the matrix WT1, which is the equivalent scrambling rule matrix of the first bit of the eight bit binary number with bit scrambling. The same method can obtain all 8-bit digital bit scrambling rules and store the obtained transformation rules in the matrix WT with size m × n × 8. WT is the complete equivalent key of bit scrambling.

Cracking of Global Scrambling Sequence T of Pixel Position
For the ciphertext image C to be cracked, the scrambled image P' can be recovered according to the equivalent key streams WT and S, which were cracked in the previous Sections 3.1 and 3.2. Since the scrambling operation does not change the pixel value of the image, the sum of the pixel values of plaintext image P can be calculated from P'. Our cracking algorithm is based on the assumption that the sum of all pixels in the plaintext image is an input parameter.
If the sequence P' is converted into a matrix A' of m × n in Section 2.2.1, the scrambling process in Section 2.2.1 is equivalent to the following scrambling process: That is, the pixel value of (i, j) is assigned the position of the original image matrix A to the pixel value of (i', j') of A'.The correspondence between position (i, j) and position (i', j') depends on an m × n matrix AT, and AT depends entirely on the scrambling sequence T. For example, for a 3 × 4 matrix AT.
According to matrix AT, the pixel value of (2, 1) is assigned the position of the original image matrix A to the pixel value of (1, 1) for the position of A', the pixel value of (3, 4) is assigned the position of A to the pixel value of the (1, 2) position of A', the pixel value of the (1, 1) position of A is assigned to the pixel value of the (1, 3) position of A', the pixel value of the (2, 3) position is assigned to the pixel value of (3, 4) position of A', and so on. Therefore, cracking the scrambling sequence T is equivalent to cracking the matrix AT.
Here, we break the matrix AT into two cases.

The Situation That the Number of Lines and Columns of Ciphertext Image C to Be Cracked Does Not Exceed 256
In this case, only two special plaintext images needed to be constructed. The construction matrix P 1 reflects the change rule of each column, and P 2 reflects the change rule of each row.
Here, m < 256, n < 256. Input P 1 and P 2 into the encryption system to obtain the corresponding ciphertext C 1 and C 2 , and use the equivalent keys S and WT, recovered from 3.1 and 3.2 to recover the ciphertext P 1 and P 2 after the global scrambling of the pixel values. The equivalent global scrambling matrix AT can be obtained by P 1 and P 2 . For example: Scramble P 1 and P 2 to obtain P1 and P2 , respectively. 25,400 P 1 determines the column label, and P 2 determines the row label. Therefore, the matrix determined by P 1 and P 2 is AT' is equal to AT.
The Situation That the Number of Lines and Columns of Cracked Ciphertext Image C Is Greater than 256 In this case, we have the following cracking steps.
Step 1: L c special plaintext images I ck (k = 0, 1, . . . , L c −1) are required to construct a matrix reflecting the change rule of each column, and the size of each I ck is m × n. The element values of column i of matrix I ck are the same and satisfy Formula (10). Moreover, L c meets Formula (9) [28] L c = ceil(log 256 n) where the ceil (x) means rounding up the x and the floor (x) means rounding down x.
To explain the problem more clearly, suppose m = 294 and n = 289. L c = 2 special plaintext images I c0 and I c1 need to be constructed according to Equation (9), and I c0 and I c1, which were constructed according to Equation (10), have the following forms: Input I c0 and I c1 into the original encryption system to obtain the corresponding ciphertext C 0 and C 1 . Use the equivalent keys obtained in Sections 3.1 and 3.2 to recover the ciphertext I c0 ' and I c1 of I c0 and I c1 after the global scrambling of pixel values. Then, according to Formula (11), use I c0 and I c1 to construct matrix P 1 , which reflects the change rule of each column.
Step 2: L r special plaintexts I rk (k = 0,1, . . . , L r −1) are required to construct a matrix reflecting the change rule of each row and the size of I rk is m × n. The element values of row i of matrix I rk are the same and satisfy formula (13). Moreover, L r meets the Formula (12) [28] L r = ceil(log 256 m) where ceil (x) means rounding up the x and floor (x) means rounding down x. To explain this problem more clearly, suppose m = 294 and n = 289. Then, L r = 2 special plaintext images I r0 and I r1, need to be constructed according to Equation (12). I r0 and I r1, constructed according to Equation (13), have the following forms:  . . .
Input I r0 and I r1 into the original encryption system to obtain the corresponding ciphertext C 0 and C 1 and recover I r0 and I r1 of I r0 and I r1 only after the global scrambling of pixel values by using the equivalent keys obtained in Sections 3.1 and 3.2. According to Formula (14), use I r0 and I r1 to construct matrix P 2 , which reflects the change rule of each row: Matrix P 1 determines column labels, and matrix P 2 determines row labels. The equivalent global scrambling matrix AT can be obtained through the matrix P 1 and the matrix P 2 . So far, all the equivalent key streams of the original algorithm were cracked by 9 + ceil(log 256 m) + ceil(log 256 n) special plaintext images.

Experimental Simulation
In order to verify the effectiveness of our attack algorithm, an experimental simulation of chosen plaintext attacks was carried out according to the analysis in Section 3. The simulation experiment adopted the Matlab2015a platform and the images "cameraman" of size 256 × 256 and "pepper" of size 384 × 512, respectively. According to the previous analysis, eleven special plaintext images were required to crack the ciphertext image of size 256 × 256: a plaintext image with all pixel values of zero, eight plaintext images TP i with all pixel values of 2 i − 1 , i ∈ [1,2,3,4,5,6,7,8], and two plaintext images with pixel values such as image matrix P 1 and P 2 constructed in Section 3.3. Compared with cracking the ciphertext image of size 256 × 256, thirteen special plaintext images were required to crack the ciphertext image of size 384 × 512. A plaintext image with all pixel values of zero eight plaintext images TP i with all pixel values of 2 i − 1 , i ∈ [1, 2, 3, 4, 5, 6, 7, 8], and four plaintext images with pixel values such as image matrix I c0 , I c1 and I r0 , I r1 were constructed in Section 3.3. The simulation results are shown in Figure 2.

The Improved Encryption Algorithm
To sum up, the original image encryption algorithm had the following defects: (1) The equivalent keys of the whole encryption algorithm are the scrambling se-

The Improved Encryption Algorithm
To sum up, the original image encryption algorithm had the following defects: (1) The equivalent keys of the whole encryption algorithm are the scrambling sequence T, the pixel bit position scrambling sequence WT, and the diffusion sequence S. The generation of the scrambling sequence T is related to the sum of all pixel values of the plaintext image, while the generations WT and S are all the transformation of the chaotic sequence D, and the generation of D was not correlated with the image to be encrypted. That is to say, WT and S were used to encrypt different plaintext images and remained unchanged, which is the key to cracking the original algorithm.
(2) The operation in the bit scrambling stage and the operation in the diffusion stage are all too simple.
In order to eliminate the safety defects of the original algorithm, we put forward some improvement measures on the basis of being loyal to the original algorithm. The algorithm flow chart of the improved algorithm is shown in Figure 3.

The Improved Encryption Algorithm
To sum up, the original image encryption algorithm had the following defects: (1) The equivalent keys of the whole encryption algorithm are the scrambling sequence T, the pixel bit position scrambling sequence WT, and the diffusion sequence S. The generation of the scrambling sequence T is related to the sum of all pixel values of the plaintext image, while the generations WT and S are all the transformation of the chaotic sequence D, and the generation of D was not correlated with the image to be encrypted. That is to say, WT and S were used to encrypt different plaintext images and remained unchanged, which is the key to cracking the original algorithm.
(2) The operation in the bit scrambling stage and the operation in the diffusion stage are all too simple.
In order to eliminate the safety defects of the original algorithm, we put forward some improvement measures on the basis of being loyal to the original algorithm. The algorithm flow chart of the improved algorithm is shown in Figure 3. The steps of the improved encryption algorithm are as follows.
Step 1: Assume that the plaintext image matrix is A with size m × n. Scramble the plaintext image according to the method introduced in Section 2.2.1 to obtain the scrambled image sequence P' = (p'(1), p' (2), …, p'(mn)).
Step 2: The bit-level scrambling operation is performed on P' to obtain the middle ciphertext C'. The scrambling method is the same as the method in Section 2.2.2. The steps of the improved encryption algorithm are as follows.
Step 1: Assume that the plaintext image matrix is A with size m × n. Scramble the plaintext image according to the method introduced in Section 2.2.1 to obtain the scrambled image sequence P' = (p'(1), p'(2), . . . , p'(mn)).
Step 2: The bit-level scrambling operation is performed on P' to obtain the middle ciphertext C'. The scrambling method is the same as the method in Section 2.2.2.

Algorithm 1: The improved encryption algorithm
Input: Plaintext image A and encryption keys. Output: Ciphertext image C Step 1: Generate key streams t(i), d(i), and WT(i) Step 2: Convert the digital image matrix A into a one-dimensional sequence P and scramble the plaintext sequence P. for i = 1:m*n P'(i) = P(t(i)) End Step 3: Convert P'(i) into binary P Bit (i), and then use WT(i) to scramble P Bit (i) to obtain P' Bit (i) and convert P' Bit (i) into a decimal number C'(i) Step 4: Generate V p (i), S p (i) and Kt(i)

Decryption Algorithm of Improved Algorithm
The decryption process is the reverse of the encryption process. The specific steps are as follows: Step 1: Set the control parameters of the chaotic system using the existing key, and iterate the Kent chaotic map to obtain the sequence D = (d(1), d(2), . . . , d(mn)) with the length of mn. From Equation (15), we can infer that v p (mn) = 0, and further infer that s p (mn) = 0 from Equation (16) and c'(mn) = c (mn) from equation (18), and further from Equation (15), we can infer that v p (mn − 1) = c'(mn) and obtain the value of s p (mn − 1) from the Equation (16) and at the same time, kt(mn) can be solved from the Equation (17). Finally, by using s p (mn − 1) and kt(mn), according to Equation (18), c' (mn − 1) can be solved. By analogy, c'(mn − 2), c'(mn − 3), . . . , c'(2) are decrypted, respectively, and then v p (1) is calculated, and c'(1) is decrypted.
Step 2: Use the existing key, the C' recovered in the previous step can be used to recover P'; the plaintext image matrix recovers A from P'. This process is the reverse process of the encryption process, which is not repeated here.

Experimental Simulation
The key to the improved encryption algorithm is the same as that of the original algorithm. Set the initial value of tent mapping x 0 = 0.3987623, a 2 = 0.8739, k 2 = 3000, the simulation experiment adopts matlab2015a platform, and the image "cameraman" of size 256 × 256 and the image "pepper" of size 384 × 512 are selected, respectively. The experimental results are shown in Figure 4. The experimental results show that the improved encryption algorithm has a good encryption effect and can decrypt without error.
Step 2: Use the existing key, the C' recovered in the previous step can be used to recover P'; the plaintext image matrix recovers A from P'. This process is the revers process of the encryption process, which is not repeated here.

Experimental Simulation
The key to the improved encryption algorithm is the same as that of the origina algorithm. Set the initial value of tent mapping x0 = 0.3987623, a2 = 0.8739, k2 = 3000, th simulation experiment adopts matlab2015a platform, and the image "cameraman" o size 256 × 256 and the image "pepper" of size 384 × 512 are selected, respectively. Th experimental results are shown in Figure 4. The experimental results show that th improved encryption algorithm has a good encryption effect and can decrypt withou error.

Security Analysis of the Improved Algorithm
The improved algorithm is as faithful as possible to the original algorithm, including pixel position scrambling, bit-level scrambling, and pixel diffusion operations. Therefore, the improved algorithm has the same excellent characteristics as the original algorithm, such as good statistical characteristics, and the algorithm is sensitive to the plaintext or the keys. More importantly, the improved algorithm can resist the chosen plaintext attack.

Information Entropy Analysis of Ciphertext Image
The more chaotic the ciphertext image is, the greater the image information entropy, the less information the ciphertext image provides, and the better the encryption effect. The calculation formula of information entropy is as follows: where p i is the probability of the occurrence of the ith order gray value. For 256-level grayscale images, n = 256. When the probability distribution of the ciphertext is equal to the probability distribution: that is, when the probability of each value between [0 255] is 1/256, the entropy is 8-bit, which is the maximum value. The information entropy of the four digital images "rice", "cameraman", "autumn", and "pepper" encrypted by the improved algorithm and the original algorithm is shown in Table 1. It can be seen that the information entropy of the four ciphertext images obtained by the improved algorithm is slightly larger than that obtained by the original algorithm, which is very close to 8 bits. It shows that the randomness and unpredictability of the encrypted image are very high. For a natural image, adjacent pixels are very close, with strong correlation and great redundancy of image information. One of the goals of image encryption is to eliminate this redundancy and reduce the correlation between adjacent pixels. In order to evaluate the plaintext image and ciphertext image, we randomly selected 4000-pixel points as reference points, took the adjacent pixel points along the horizontal, vertical, and diagonal directions to form pixel pairs, and used the correlation coefficient formula (20) to calculate the correlation coefficient values of plaintext image and corresponding ciphertext image in these three directions, The correlation coefficients of adjacent elements of the obtained original image and ciphertext image are shown in Table 2.
where x i and y i represent the gray values of the adjacent two pixels, respectively, and n represents the number of selected pairs of pixels. It can be seen from Table 2 that there are strong linear relationships between adjacent pixels of plaintext images in three directions, while the relationships between adjacent pixels of ciphertext images in three directions are random, which means that the redundancy and correlation of the pixels are eliminated.

Analysis of the Algorithm Sensitivity to the Plaintext Image
The sensitivity of the encryption algorithm to the plaintext image means that the encrypted ciphertext image is completely different from the original ciphertext image, even if there is only a small change in the plaintext image. The sensitivity of encryption algorithms to plaintext can be measured by using the concept of the number of pixels change rate (NPCR) and unified average change intensity (UACI). The calculation formulas of NPCR and UACI are (21) and (22), respectively. where: where M × N is the size of the image, c(i, j) represents the pixel in a coordinate (i, j) of the ciphertext image corresponding to the original plaintext image, and c'(i, j) represent the pixel in a coordinate (i, j) of the ciphertext image corresponding to the changed plaintext image. For 256-bit grayscale images, the expected values of NPCR and UACI are 99.6094% and 33.4635%, respectively. In the improved algorithm, 200 pixels in each image were randomly selected, and their pixel values were changed. The maximum, minimum, average and maximum, minimum, and average values of NPCR and UACI calculated from the results are listed in Table 3, respectively. At the same time, the original algorithm was used for the same operation. The maximum, minimum, average and maximum, minimum, and average values of NPCR and UACI are listed in Table 4, respectively. They are very close to ideal values. It can be seen that the change in the gray value of a pixel in the original image led to the change in almost all the gray values of pixels in the improved encrypted image and the original encryption algorithm. A secure encryption algorithm should be sensitive to the key in order to resist bruteforce attacks. Key sensitivity means that if the decryption key is slightly different from the correct key, no useful information about the plaintext image can be obtained from the decryption result. We set the initial value of tent mapping x 0 = 0.3987623 + 10 −10 , a 2 = 0.8739, k 2 = 3000 to decrypt the original ciphertext images of Figure 4a,c, and the decryption result is shown in Figure 5. It can be seen that no information about the original image can be obtained in the decrypted image, which also shows the high sensitivity of the algorithm to the key. In the same way, if the keys a 2 and K 2 have a slight error, the decrypted image will also be a chaotic image.
brute-force attacks. Key sensitivity means that if the decryption key is slightly differe from the correct key, no useful information about the plaintext image can be obtaine from the decryption result. We set the initial value of tent mapping x0 = 0.3987623 + 10 − a2 = 0.8739, k2 = 3000 to decrypt the original ciphertext images of Figure 4a,c, and the d cryption result is shown in Figure 5. It can be seen that no information about the origin image can be obtained in the decrypted image, which also shows the high sensitivity the algorithm to the key. In the same way, if the keys a2 and K2 have a slight error, th decrypted image will also be a chaotic image.

Analysis of Anti Chosen-Plaintext Attack
The ability of the improved algorithm to resist the chosen-plaintext attack is em phatically analyzed. Obviously, compared with the original algorithm, it can be see that the random key streams s p (i) and kt(i) used in the diffusion phase were related to th intermediate ciphertext C' from formulas (15)- (17). That is, the s p (i) and kt(i) used to e crypt different images was different. Therefore, the s p (i) and kt(i) obtained by the ch sen-plaintext attack were different from the s p (i) and kt(i) used in the cracked target im age. So the algorithm can resist the chosen-plaintext attack. On the other hand, the d cryption key of the improved algorithm was the same as that of the original algorithm The improved algorithm can resist the attack of the chosen plaintext and has the encry tion effect of a "one time pad" but does not increase the burden of key transmission.

Analysis of Anti Chosen-Plaintext Attack
The ability of the improved algorithm to resist the chosen-plaintext attack is emphatically analyzed. Obviously, compared with the original algorithm, it can be seen that the random key streams s p (i) and kt(i) used in the diffusion phase were related to the intermediate ciphertext C' from Formulas (15)- (17). That is, the s p (i) and kt(i) used to encrypt different images was different. Therefore, the s p (i) and kt(i) obtained by the chosen-plaintext attack were different from the s p (i) and kt(i) used in the cracked target image. So the algorithm can resist the chosen-plaintext attack. On the other hand, the decryption key of the improved algorithm was the same as that of the original algorithm. The improved algorithm can resist the attack of the chosen plaintext and has the encryption effect of a "one time pad" but does not increase the burden of key transmission.

Time Cost Analysis
The time cost is an important index for evaluating encryption algorithms. The time cost and test results of several images are shown in Table 5 below. The time cost of the encryption process mainly includes the generation of chaotic sequencing, the scrambling of the spatial domain, the scrambling of bit, and the diffusion operation. The time cost of the decryption process mainly includes the generation of chaotic sequence, the space domain inversion scrambling, the bit inversion scrambling operation, and the diffusion operation. Therefore, we can see that the proposed algorithm can show fast speeds.

Conclusions
This paper analyzes the security of an image encryption algorithm with the double scrambling of the pixel position and bit and finds its security loopholes. According to the method of chosen-plaintext attack, for a ciphertext grayscale image with a size of m × n, only 9 + ceil(log 256 m) + ceil(log 256 n) special plaintext grayscale images and their corresponding ciphertext images are required to obtain the equivalent keys, thus realizing the cracking of the original chaotic encryption algorithm. A simple numerical example and several simulation experiments demonstrate the effectiveness of the proposed attack method. From the encryption process of the original algorithm, it can be seen that the equivalent keys of the entire encryption algorithm are the scrambling sequence T, the pixel bit position scrambling sequence WT, and the diffusion sequence S. The generation of the scrambling sequence T is related to the sum of all pixel values of the plaintext image, while the generations of WT and S are the transformation of the chaotic sequence D, and the generation of D is not correlated with the image to be encrypted. That is to say, WT and S, which are used to encrypt different plaintext images, remain unchanged, which is the key to cracking the original algorithm. In order to solve the security defects of the original algorithm, an improved algorithm has been proposed to overcome the defect, which can resist the chosen-plaintext attack and has the encryption effect of a "one time pad". Finally, various security analyses are carried out for the improved algorithm.