Cryptanalysis and Improvement on an Image Encryption Algorithm Design Using a Novel Chaos Based S-Box

: This article performs the cryptanalysis of an image encryption algorithm using an S-box generated by chaos. The algorithm has the advantages of simple structure, high encryption efﬁciency, and good encryption performance. However, an attentive investigation reveals that it has some undiscovered security ﬂaws. The image cryptosystem is totally breakable under proposed chosen-plaintext attack, and only two chosen plain-images are required. An array equivalent to the S-box is constructed by an elaborately designed chosen-plaintext image, and the cipher-image is deciphered without having to know the S-box itself. Both mathematical deduction and experimental results validate the feasibility of the attacking scheme. Furthermore, an improved encryption scheme is proposed, in which a feedback mechanism is introduced, a bidirectional diffusion scheme is designed, and values of the ciphertext are associated with more parameters in each diffusion process. Testing results analysis verify that the improved cryptographic system can achieve a higher security level and has a better performance than some of the latest encryption algorithms.


Introduction
At present, more and more digital information needs to be transmitted in the public network. Therefore, ensuring the security of confidential or private information in transmission is particularly important. Encryption is the basic means to ensure the safe transmission of information. However, the method of image encryption can not be the same as those for text information encryption. In encrypting image information, people must consider some inherent characteristics of images, such as the large data characteristics of images, high redundancy characteristics, and the strong correlation between adjacent data [1]. Due to the many natural connections between chaos and cryptography, chaos becomes a good candidate in designing image encryption algorithms, and many image encryption algorithms using chaos have been proposed [2][3][4][5][6][7].
In recent years, many researchers are interested in constructing S-boxes using chaos, and applying S-boxes to image encryption. Wang et al. [8] designed S-boxes by chaotic Kent map and Logistic map and used the S-boxes for image encryption. Liu et al. [9] constructed a dynamic S-box to enhance the image encryption effect. Khan et al. [10] constructed a new S-box by using a random bit sequence generated by chaotic boolean functions and used the S-box for image encryption. Çavuşoglu et al. [11] put forward a new algorithm for generating S-box, with high complexity, by using a novel chaotic

Description of the Original Encryption Algorithm
The plain-text images to be encrypted in IESB are 8-bit gray-scale images of size M × N (rows × columns), which can be expressed by a matrix A = [a(i, j)], a(i, j) ∈ {0, 1, ..., 255}, i = 1, 2, . . . , M, j = 1, 2, . . . , N. Before encryption, the two-dimensional matrix A is transformed into a 1D (one-dimensional) pixel vector P = [p(1), p(2), ..., p(L)], where L = MN. In this paper, an integer i in the bracket "(i)" denotes the subscript of an element in an array. The main steps of IESB can be described briefly below.

The Secret Keys and Flow Chart of IESB
The mathematical model describing the hyper chaotic system employed in IESB is as follows: In Equation (1), a, b, c, and d are the system parameters. When a ∈ (0.55, 5.3), b ∈ [0.5, 2.5], c ∈ [1, 11.8], and d ∈ [−15.5, −0.5], system (1) is chaotic. The initial condition (x 0 , y 0 , z 0 ) and parameters (a, b, c, d) are utilized as secret keys in IESB. The flow chart of IESB can be shown in Figure 1.

Generating Chaotic Pseudo Random Number Sequences and S-Box
Firstly, based on system (1), three chaotic floating-point number sequences x, y, z are generated. Then, the three floating-point number sequences x, y, z are converted to three integer sequences X, Y, Z by chaos based pseudo random number generator (PRNG). Each element in X, Y, Z is a binary number of 8 bits and the three bit series have passed NIST tests. The S-box is created by using sequences X, Z and a novel S-box generation algorithm [15]. The S-box is a 16 × 16 sized matrix, and each number in the S-box is a unique decimal integer value between 0 and 255. The sequence Y = [y(1), y(2), …, y(L)] and the S-box will be used for image encryption, where L = M × N.

The Encryption Procedure
The encryption procedure consists of two steps which are described below. The first step is bitwise XOR encryption with sequence Y: where, p(i) and p′(i) are the i-th pixel value of the plaintext image and the intermediate ciphertext image, respectively. The symbol ⨁ symbolizes XOR operation performed in binary bits. After the bitwise XOR operation, each byte is converted to a decimal value and the intermediate ciphertext The second step is sub-byte operation with the 16 × 16 sized S-box: Suppose the 16 × 16 sized S-box is expressed as SB = [sb(j, k)], j = 1, 2, …, 16, k = 1, 2, …, 16. In fact, SB is a collection of all elements on the finite field GF (2 8 ), namely, each value of sb(j, k) is a specific integer in the set {0, 1, 2, ..., 255}. The sub-byte operation process is actually mapping each pixel value p′(i) of the intermediate ciphertext image into an element sb(j, k) in S. The mapping rules from p′(i) to sb(j, k) can be explained in detail below. Firstly, a pixel value p′(i) is represented as binary form (b8b7…b2b1)2. Then, let j = (b8b7b6b5)2 + 1, k = (b4b3b2b1)2 + 1, and j = 1, 2, …, 16, k = 1, 2, …, 16. Finally, one can obtain the i-th cipher pixel value c(i) = sb(j, k). After all cipher pixel values are determined, the encrypted image array C = [c(1), c (2), …, c(L)] is obtained. In a general way, the effect of the S-box is equivalent to an abstract function fs: p'(i) ∊ GF(2 8 ) → c(i) ∊ GF(2 8 ), which is a one-toone mapping function fs [•]. Namely, if fs[x] = fs[y] holds, then x = y must hold. The mapping from p′(i) to c(i) can be expressed as:

Generating Chaotic Pseudo Random Number Sequences and S-Box
Firstly, based on system (1), three chaotic floating-point number sequences x, y, z are generated. Then, the three floating-point number sequences x, y, z are converted to three integer sequences X, Y, Z by chaos based pseudo random number generator (PRNG). Each element in X, Y, Z is a binary number of 8 bits and the three bit series have passed NIST tests. The S-box is created by using sequences X, Z and a novel S-box generation algorithm [15]. The S-box is a 16 × 16 sized matrix, and each number in the S-box is a unique decimal integer value between 0 and 255. The sequence Y = [y(1), y(2), . . . , y(L)] and the S-box will be used for image encryption, where L = M × N.

The Encryption Procedure
The encryption procedure consists of two steps which are described below. The first step is bitwise XOR encryption with sequence Y: where, p(i) and p (i) are the i-th pixel value of the plaintext image and the intermediate ciphertext image, respectively. The symbol symbolizes XOR operation performed in binary bits. After the bitwise XOR operation, each byte is converted to a decimal value and the intermediate ciphertext The second step is sub-byte operation with the 16 × 16 sized S-box: Suppose the 16 × 16 sized S-box is expressed as SB = [sb(j, k)], j = 1, 2, . . . , 16, k = 1, 2, . . . , 16. In fact, SB is a collection of all elements on the finite field GF (2 8 ), namely, each value of sb(j, k) is a specific integer in the set {0, 1, 2, ..., 255}. The sub-byte operation process is actually mapping each pixel value p (i) of the intermediate ciphertext image into an element sb(j, k) in S. The mapping rules from p (i) to sb(j, k) can be explained in detail below. Firstly, a pixel value p (i) is represented as binary form (b 8 b 7 . . . b 2 b 1 ) 2 . Then, let j = (b 8 b 7 b 6 b 5 ) 2 + 1, k = (b 4 b 3 b 2 b 1 ) 2 + 1, and j = 1, 2, . . . , 16, k = 1, 2, . . . , 16. Finally, one can obtain the i-th cipher pixel value c(i) = sb(j, k). After all cipher pixel values are determined, the encrypted image array C = [c(1), c(2), . . . , c(L)] is obtained. In a general way, the effect of the S-box is equivalent to an abstract function fs: p'(i) ∈ GF(2 8 ) → c(i) ∈ GF(2 8 ), which is a one-to-one mapping function fs [•]. Namely, if fs[x] = fs[y] holds, then x = y must hold. The mapping from p (i) to c(i) can be expressed as:

The Cryptanalysis and Chosen-Plaintext Attacks
In general, we assume that the attacker knows the details of the cryptographic algorithm under analysis, and this assumption is called the Kerckhoff hypothesis. Namely, the opponent or attacker knows the algorithm of the encryption system, but does not own the decryption secret keys. With regard to the chosen-plaintext attack, the opponent or attacker can temporarily get the opportunity to use the encryption machinery, so the opponent or attacker can select some special plain images and encrypt the selected plain images to obtain their corresponding cipher images. By using the known plaintext-ciphertext pairs, the attacker can break the key or target ciphertext image encrypted by the cryptographic system.

The Algorithm of Cryptanalysis and Chosen-Plaintext Attacks
In IESB, the constituent elements of the secret key set include (x 0 , y 0 , z 0 , a, b, c, and d). It is worth noting that the chaotic sequence Y and the S-box can act as an equivalent to the secret keys. The sequence Y and S-box are not related to the image to be encrypted. In other words, different encrypted images have the same keys Y and S-box. Assuming such a premise, the pixel array of the target cipher image to be recovered is C = [c(1), c(2), . . . , c(L)]. We use P = [p(1), p(2), . . . , p(L)] to represent the pixel array of the plaintext image corresponding to C. P is unknown and is to be deciphered. Our scheme of chosen-plaintext attack can be described in detail as follows. Step According to Equations (3) and (4), we get the following relationship between C0 and Y: Step 2. Consider such a fact that, pixel values of the encrypted image have only 256 levels over the set {0, 1, ..., 255}. Hence, each level has an average of L/256 times appearing in C0, which is bigger than or equal to 256 due to L ≥ 65,536. Find a pixel value with at least of 256 times appearing in C0. Let us say that m is one of the values that satisfies the condition. That is to say, there are at least 256 elements in C0 equal to m.
Step 3. Constructing the second chosen-plaintext image vector The Matlab code of constructing P1 is shown in Algorithm 1: if j = = 256 9.
Step 5. For each element c0(i), find out where it is in S and obtain a position index array u.
Initially, set an array u = [u(i)] and u(i) = 0, i = 1, 2, . . . , L. For each i = 1, 2, . . . , L, find out where c0(i) in S. If c0(i) = s(j), then record the number j corresponding to c0(i). Therefore, let u(i) = j. Due to the following map relations: s(j) = fs[y 0 (j − 1)], and c0(i) = fs[y(i)], hence, the following results are obtained by c0(i) = s(j) and j = u(i): Step 6. For each element c(i), find out where it is in S and obtain a position index array v.

Initially, set an array v = [v(i)]
and v(i) = 0, i = 1, 2, . . . , L. For each i = 1, 2, . . . , L, find out where c(i) in S. If c(i) = s(k), then record the number k corresponding to c(i). Therefore, let v(i) = k. Because of the following map relations: s(k) = fs[y 0 (k − 1)], and c(i) = fs[y(i) p(i)], hence, the following results are obtained by c(i) = s(k) and k = v(i): Step 7. Utilize u and v to recover the plaintext image.

Examples of Chosen-Plaintext Attacks
To is a maximal integer that satisfies floor(x) ≤ x, and the value of mod(x, y) is the remainder when x is divided by y. Then, we get a new sequence T by using the sequence X and Z, namely, T(i) = X(i) Z(i), i = 1, 2, . . . , L. For simplicity, we select 256 different values from the sequence T and use these values to form the S-box matrix, which is shown in Table 1. The first 16 numbers in the sequence Y are also given here for reference, which are shown in Equation (14).  110  108  239  99  42  160  187  36  157  222  152  50  92  199  30  249  161  198  138  16  208  106  130  212  189  181  64  248  34  191  240  224  4  62  111  103  126  53  128  205  251  172  39  132  183  3  94  185  247  158  237  41  244  216  52  154  250  223  8  168  25  93  221  238  26  202  21  136  2  67  15  195  6  121  51  1  69  63  148  167  209  135  107  137  97  231  71  176  233  47  14  76  56  230  213  24  232  57  80  40  95  175  5  100  104  22  206  169  124  49  165  170  19  112  147  193  139  82  245  27  225  214  101  174  59  43  227  142  156  68  171  72  252  105  17  120  9  0  48  31  178  23  The plaintext image used in the experiment is the Cameraman with a size of 256 × 256, which come from the test image database of the Computer Vision Group at University of Granada. The plaintext image Cameraman is shown in Figure 2a and the encrypted image is shown in Figure 2b. The recovered image by using our chosen-plaintext attacks is the image in Figure 2c, which is exactly the same as the original image shown in Figure 2a. Through the image Cameraman as an example, our attack attains demonstration. The recovered image by using our chosen-plaintext attacks is the image in Figure 2c, which is exactly the same as the original image shown in Figure 2a. Through the image Cameraman as an example, our attack attains demonstration.
The one-dimensional pixel vector of cipher image encrypted by IESB is Suppose P is unknown, we use PP = [pp(1), pp(2), pp (3), pp (4)] to represent the plaintext version recovered from C.
The first chosen-plaintext image is P0 = [0, 0, ..., 0], whose size is 256 × 256. Then the corresponding cipher image C0 is obtained by using the IESB, whose first four pixel values are We find the pixel value 1 repeats more than 256 times in C0, and let m = 1. Then the second chosen-plaintext image P1 is constructed according to the method mentioned in Section 3.1, and the first four non-zero elements of P1 are listed for the readers' reference: p1(752) = 1, p1(1342) = 2, p1(1796) = 3, p1(2117) = 4. Then, the corresponding cipher image C1 is obtained, and the first four elements of
The one-dimensional pixel vector of cipher image encrypted by IESB is Suppose P is unknown, we use PP = [pp(1), pp(2), pp(3), pp(4)] to represent the plaintext version recovered from C. The first chosen-plaintext image is P0 = [0, 0, ..., 0], whose size is 256 × 256. Then the corresponding cipher image C0 is obtained by using the IESB, whose first four pixel values are We find the pixel value 1 repeats more than 256 times in C0, and let m = 1. Then the second chosen-plaintext image P1 is constructed according to the method mentioned in Section 3.1, and the first four non-zero elements of P1 are listed for the readers' reference: p1(752) = 1, p1(1342) = 2, p1(1796) = 3, p1(2117) = 4. Then, the corresponding cipher image C1 is obtained, and the first four elements of the image C1 are [125, 217, 251, 228, ...]. Then, the array S is obtained by using C0 and C1 and the method mentioned in Section 3.1, and all the 256 elements of the array S are listed below, among them, seven important figures worthy of attention are underlined. That is: Seek c0(i) and c(i) in S, we get the following results:

The Improved Image Encryption Scheme
The original algorithm IESB has the advantages of simple structure and high encryption efficiency. However, there is a security flaw in the cryptosystem, which results in that the IESB can not resist a chosen-plaintext attack. To overcome the security flaws, we redesign a new and improved image chaotic encryption scheme in this section.

Algorithm Description of the Improved Scheme
The improved encryption scheme consists of a three stage of process: Generate chaotic key sequences {X, Y, Z} and S-box, the first round diffusion, and the second round diffusion. The algorithm steps in our improved image encryption scheme are as follows: Step 1. Set the initial conditions x 0 , y 0 , z 0 system parameters a, b, c, d of system (1). Read the plain image I of size M × N and transform its 2D matrix into a 1D pixel sequence P = [p(1), p(2), ..., p(L)], where L = MN.
Step 2. Iterate the chaotic system (1) Step 8. Transform the 1D ciphertext image pixel sequence C into a 2D matrix CI, then the cipher image is obtained.
The operation steps of the decryption are the inverse process of the above encryption operation. In our improved encryption process, the core algorithm is the diffusion operation, which repeats two rounds. The first one is performed in the forward order (i = 1~L), the second round is performed in the reverse order (i = L~1), and a feedback mechanism is introduced in the diffusion encryption process so that the former encrypted pixel value affects the ciphertext value of the latter pixel. Thus, the pixel at any position changes slightly and almost all ciphertext will change, making the algorithm highly sensitive to plaintext. In addition, values of the ciphertext are associated with more parameters in the two rounds of the diffusion encryption formula. Even if the attacker obtains the corresponding ciphertext with special selected plaintext, i.e., known p(i) and c(i), the secret keys {s(i), y(i), seed} can not be solved by the encryption relation, and the target ciphertext can not be decrypted directly. Therefore, our improved scheme can effectively resist chosen-plaintext attacks.

Performance Test and Analysis of the Improved Scheme
In order to confirm the security performance of the improved algorithm and to compare it with Reference [15] and other literature, we use the gray-scale image Lena of size 256 × 256 for simulation. The software and hardware environment for the simulation are the same as those in the Section 3.2. The initial secret key parameters used in the simulation are as: a = 1.0, b = 1.0, c = 2.0, d = −3.0, x 0 = 1.0, y 0 = −1.0, z 0 = 0.01, and seed = 35. The encryption results of the gray-scale Lena image is exhibited in Figure 3. From the results, one can see that the cipher image has nothing to do with the corresponding original plaintext image, and it becomes unrecognizable. two rounds. The first one is performed in the forward order (i = 1 ~ L), the second round is performed in the reverse order (i = L ~ 1), and a feedback mechanism is introduced in the diffusion encryption process so that the former encrypted pixel value affects the ciphertext value of the latter pixel. Thus, the pixel at any position changes slightly and almost all ciphertext will change, making the algorithm highly sensitive to plaintext. In addition, values of the ciphertext are associated with more parameters in the two rounds of the diffusion encryption formula. Even if the attacker obtains the corresponding ciphertext with special selected plaintext, i.e., known p(i) and c(i), the secret keys {s(i), y(i), seed} can not be solved by the encryption relation, and the target ciphertext can not be decrypted directly. Therefore, our improved scheme can effectively resist chosen-plaintext attacks.

Performance Test and Analysis of the Improved Scheme
In order to confirm the security performance of the improved algorithm and to compare it with Reference [15] and other literature, we use the gray-scale image Lena of size 256 × 256 for simulation. The software and hardware environment for the simulation are the same as those in the Section 3.2. The initial secret key parameters used in the simulation are as: a = 1.0, b = 1.0, c = 2.0, d = −3.0, x0 = 1.0, y0 = −1.0, z0 = 0.01, and seed = 35. The encryption results of the gray-scale Lena image is exhibited in Figure 3. From the results, one can see that the cipher image has nothing to do with the corresponding original plaintext image, and it becomes unrecognizable.

Histogram Analysis
A histogram can reveal the pixel values distribution situation in an image. Usually, the histogram of a meaningful plain image has a non-uniform distribution. For an image encryption algorithm with high security, the encrypted image must have the histogram with an uniform distribution. For the image Lena, the histograms of plain, and its cipher image, are available in Figures  3c, 3d. We can see that the histogram of the plain image is non-uniform, and the histogram of the cipher image is almost flat and uniform like the distribution of random data. Hence, the improved encryption scheme completely conceals the pixel distribution information of the original image, and can resist statistical attacks.

Pixels Correlation Analysis
Usually, adjacent pixels in a meaningful image have a very high correlation. A high security encryption algorithm must destroy the relevance between adjacent pixels in an image. The correlation coefficient is the index to measure the correlation between adjacent pixels. The smaller the absolute value of correlation coefficient, the lower the correlation between adjacent pixels. The correlation coefficient γ xy of adjacent pixels is computed as:

Histogram Analysis
A histogram can reveal the pixel values distribution situation in an image. Usually, the histogram of a meaningful plain image has a non-uniform distribution. For an image encryption algorithm with high security, the encrypted image must have the histogram with an uniform distribution. For the image Lena, the histograms of plain, and its cipher image, are available in Figure 3c,d. We can see that the histogram of the plain image is non-uniform, and the histogram of the cipher image is almost flat and uniform like the distribution of random data. Hence, the improved encryption scheme completely conceals the pixel distribution information of the original image, and can resist statistical attacks.

Pixels Correlation Analysis
Usually, adjacent pixels in a meaningful image have a very high correlation. A high security encryption algorithm must destroy the relevance between adjacent pixels in an image. The correlation coefficient is the index to measure the correlation between adjacent pixels. The smaller the absolute value of correlation coefficient, the lower the correlation between adjacent pixels. The correlation coefficient γ xy of adjacent pixels is computed as: Conv(x, y) where x and y are pixel values of two adjacent pixels in the image, γ xy is the correlation coefficient of two adjacent pixels x and y. To compute correlation coefficients of the original plain image and its corresponding cipher image, we sampled all horizontally adjacent pairs of pixels. The results for the Lena image is listed in Table 2. Evidently, the encrypted image using our improved encryption scheme has smaller absolute values of correlation coefficient than the schemes in [2,15,23,24].

Information Entropy Analysis
Information entropy is a common index to judge the randomness of an information source. Let s be an information source, and its information entropy is computed as: where P(s i ) denotes the occurrence probability of symbol s i , 2 n is the total states of the information source. If P(s i ) = 1/2 n , then the information source is completely random. For an image with 256 gray-scale, the pixel values have 2 8 levels, so the ideal value of information entropy is 8. The information entropy of an encrypted image should be as close as possible to 8. The information entropy results of encrypted images by our improved scheme and schemes in References [9,15,23] are listed in Table 3. The results show that all entropy values are significantly closer to the ideal value eight, so the randomness is satisfactory. Besides, our improved scheme has better results than References [9,15,23]. Hence, our improved encryption scheme is more capable of resisting entropy-based attacks. In order to resist differential attacks, a fine encryption scheme should be very sensitive to minor alterations in plain images and any key components. When the key remains the same, if the plaintext to be encrypted changes slightly, causing a huge change in the ciphertext, the encryption algorithm is said to be highly sensitive to plaintext. When the encrypted plaintext is kept the same, if the encryption key changes slightly, the ciphertext will change dramatically. The encryption algorithm is said to be highly sensitive to the key. The number of the pixel change rate (NPCR) and the unified average changing intensity (UACI) are two metrics to measure sensitivity. NPCR and UACI are defined as: where, c 1 (i, j) and c 2 (i, j) represent pixel values of two cipher images at the same position (i, j). D(i, j) represents the difference between c 1 (i, j) and c 2 (i, j). If c 1 (i, j) = c 2 (i, j) then D(i, j) = 0, otherwise D(i, j) = 1. For an 8-bit gray image, the optimal value of NPCR is NPCR E = 99.61%, the optimal value of UACI is UACI E = 33.46%. When analyzing the sensitivity of the algorithm to the content of the plaintext, we encrypt two images, one is Lena, the other is Lena with one pixel p(4000) and has a minor alteration value of + 1. Then, NPCR and UACI values are calculated from two ciphertext images. Table 4 exhibits the values of NPCR and UACI. From Table 4, one can see that the NPCR and UACI scores are quite near to the respective optimal values. Among these four algorithms, our improved scheme has the best performance. In fact, the IESB algorithm is not sensitive to plaintext, so both the PCR and UACI values, with regard to plaintext sensitivity, are close to zero. It is worth pointing out that the results of NPCR = 99.62987 and UACI = 31.83459 are also given in Reference [15], but the meaning is completely different. That is, the results are based on the difference between a plaintext image and the corresponding ciphertext image, not on the difference between the two ciphertext images. To evaluate the key sensitivity, at first, we encrypt Lena image with keys (x 0 = 1.0, y 0 = −1.0, z 0 = 0.01, a = 1.0, b = 1.0, c = 2.0, d = −3.0, and seed = 35). Then, we added 10 −14 to one of the floating-point key values, and +1 to the integer seed of the key, while all others stayed unchanged, and we encrypt the same plain image Lena again. Then, NPCR and UACI values are calculated from two ciphertext images. Table 5 shows the experimental results. From Table 5, one can see that our improved encryption scheme is sensitive to all secret keys. The secret key parameters used in our proposed improved scheme includes the three initial state values (x 0 , y 0 , z 0 ), four parameters (a, b, c, d), and one integer seed. The first seven parameters are all floating-point numbers, and the seed ∈ [0, 255]. Hence, for the working precision of 10 14 with a floating-point number, our key space is found to be more than 256 × 10 14 × 7 ≈ 2 334 . Key space in our improved encryption scheme is larger than the key space of 2 199 in Reference [2], 2 226 in Reference [15], 10 45 in Reference [23]. Because the key space is large enough, our improved algorithm can resist brute-force attack.
A general problem concerning the use of chaotic systems in encryption is given by References [25][26][27][28] when chaotic systems are implemented on finite precision machines (e.g., computers). The impact of this problem on the proposed encryption scheme is mainly to narrow for the key space. In addition, the randomness of the key sequence is reduced, but this factor has little effect on the security of the encryption scheme.

Computation Efficiency
To demonstrate speed performance in the proposed improved scheme, the encryption time cost by our improved scheme, and the scheme in Reference [15], are measured, respectively, under the same computing environment [15]. The time cost by our improved scheme is 2.325 s, while it takes 2.465 s by the scheme in Reference [15]. It can be seen that our improved scheme has a slightly faster encryption speed than the scheme in Reference [15]. The low time cost in our improved scheme is due to the discarding binary XOR operations.

Conclusions
This paper analyzed a chaotic S-box based image encryption algorithm (IESB) in detail. We found that the S-box and the secret key stream Y of the system are the equivalent keys of the cryptosystem. The equivalent keys are not related to the image to be encrypted. For the above reasons, the original algorithm (IESB) can not resist chosen-plaintext attacks. We ascertained that the encrypted image can be deciphered with only two chosen plain-images. An ingenious method of constructing explicit chosen-plaintext is found, and an equivalent array of S-box is constructed. We just need the equivalent sequence of S-box without knowing the S-box and the secret key stream Y itself to decipher the target ciphertext. The attacking scheme has been proved by theoretical analysis and supported by experimental results. As an optimization method, a new and improved image encryption scheme is developed to conquer these flaws of the original algorithm. In the improved scheme, a feedback mechanism is introduced, a bidirectional diffusion scheme is designed, and values of the ciphertext are associated with more parameters in each diffusion process. Experimental results and security analysis certify that the improved encryption scheme can achieve a higher security level and has a better performance than some recently proposed encryption algorithms.
As for image encryption technology, some future studies is worth considering, such as efficient image encryption technology in resource-constrained mobile social network [29], sensor network communication environment [30]. And searchable encryption [31], which is a very promising direction in the field of cloud computing.