Cryptanalysis of a New Color Image Encryption Using Combination of the 1D Chaotic Map

: Security of image communication is more and more important in many applications such as the transmission of military and medical images. To meet the requirement, a new color image encryption algorithm using a new one-dimension (1D) chaotic map was proposed recently, which can resist various attacks because the range of the new chaotic map is larger than that of the previous ones. In our study, the security of the new original method is analyzed and a novel attack method is proposed. It is demonstrated that the scheme is not secure under chosen-plaintext attack, by which the encrypted image can be successfully converted into the corresponding plaintext image without any error.


Introduction
Encryption of color image is a critical issue for confidentiality and security. Lots of encryption methods [1][2][3][4][5][6][7][8] using chaotic maps have been proposed for the excellent properties such as ergodicity and sensitivity to initial condition and control parameters. However, some cryptanalysis articles in [9][10][11][12][13][14] have verified the vulnerability of common chaotic encryption methods based on the permutation-diffusion structure. Hence, chaotic image encryption algorithms [15,16], combined with other special technologies, such as DNA, information entropy etc., have been nearly introduced. For example, the sensitivity mechanism is built up utilizing the information entropy of the plain-image in [16]. Cryptanalysis works have been correspondingly proposed in [17,18] to evaluate the security of image cryptosystems, which can improve the security of the existing cryptosystems. For example, Li et al. attacked the chaotic image encryption algorithm based on information entropy in [18].
Recently, some more chaotic image encryption algorithms based on Latin square have been designed [19][20][21] due to the cryptography property of Latin square. But Hu et al., found out an algebraic weakness in [22] and the chaotic image cipher is broken by chosen-plaintext attack with chosen ciphertext attack. In addition, Ge et al. in [23] found out the defect of the feedback image encryption algorithm with compound chaotic stream cipher based on perturbation and attacked the algorithm.
In [24], the image block encryption algorithm achieves high security level where three different chaotic maps are utilized respectively for controlling pixel shuffling, blocking size, and value encryption. However, Ma found out that there are some critical security defects in [25] and derive the secret key with a chosen plaintext attack.
Most cryptanalysis works have mainly focused on single round of permutation-diffusion image ciphers. However, most encryption schemes are based on multiple rounds of permutation-diffusion [26][27][28][29][30][31][32]. In [29], two rounds of permutation and pixel adaptive diffusion was proposed. In [32], an improved chaotic image encryption method using Latin square based on two rounds of permutation-diffusion

Review of the Original Scheme
Before encryption divides the color image with size M × N, this needs to be encrypted, into three grayscale images according to trichromatic theory. Then, link the grayscale images into another grayscale image with size M × 3N. The sequence S = {s 1 , s 2 , . . . s M×3N } is produced by reshaping the last gray image, and the length of which is M × 3N.
The flow diagram of the 1D chaotic encryption scheme is shown in Figure 1. In permutation phase, X, which is a chaotic sequence, is acquired by iterating the new chaotic system M × 3 N+N 0 times and discarding the former N 0 elements. The new chaotic map in [37] is defined by the following equation: where F chaos (u, x n ) is one of 1D chaotic maps as logistic, sine and Chebyshev maps. x n is the output chaotic sequence. u ∈ (0 , 10] and k ∈ [8,20] are the initial values. The parameters of u, k and N 0 are utilized as the security key. The permutation position vector X = {x 1 , x 2 , ... x M×3N } is acquired by sorting vector S in ascending order. The image pixel vector P, which is permuted, is acquired by the equation of P(i) = S(X (i)).
Appl. Sci. 2020, 10, x 2 of 11 diffusion was proposed, which has weak security defects. However, Ming Li et al. find out the equivalent key streams and attacked the scheme in [33] and attacked the scheme. However, most chaotic maps, used in generating the security key in encryption process, are multi-dimensional, which cause high level computation complexity. Recently, some 1D chaotic map encryption algorithms have been proposed in [34][35][36] which have lower computation complexity for software/hardware implementations. In [37] a new 1D chaotic map model is proposed where a new 1D chaotic map is made by using the classic chaotic map such as logistic, sine and Chebyshev maps. A bifurcation property of the chaotic map and the Lyapunov exponent, in addition to information entropy evaluation are much better than the classic chaotic system.
Aiming at [37], Hui Wang et al., found out an algebraic weakness of the cryptosystem in [38] and attacked its equivalent cryptographic scheme by chosen plaintext attack. The authors acquire the rotation factor by constructing two special functions and attack permutation with the methods in [39,40] which have high computation complexity. In this paper, a novel attack method to directly crack the original encryption scheme in [37] is proposed. The proposed method attacks the factor and diffusion using the properties of bit-level Xor and attacks permutation with a new scheme which has lower computation.
This paper organizes as follows. Section 2 overviews the new encryption method. Security of the scheme is analyzed and the attack scheme by chosen plaintext images is presented in Section 3. The simulation experiments to verify the proposed method are presented in Section 4. Conclusions are provided in Section 5.

Review of the Original Scheme
Before encryption divides the color image with size M × N, this needs to be encrypted, into three grayscale images according to trichromatic theory. Then, link the grayscale images into another grayscale image with size M × 3N. The sequence   The flow diagram of the 1D chaotic encryption scheme is shown in Figure 1. In permutation phase, X, which is a chaotic sequence, is acquired by iterating the new chaotic system M × 3 N+N0 times and discarding the former N0 elements. The new chaotic map in [37] is defined by the following equation: x x x is acquired by sorting vector S in ascending order. The image pixel vector P, which is permuted, is acquired by the In the diffusion phase, the diffused image pixel sequence C is acquired by the following equation:  In the diffusion phase, the diffused image pixel sequence C is acquired by the following equation: where C(0) is P(M × 3N) and D is the diffusion sequence which is obtained by Equation (3): 3 of 10 The new cipher sequence of C' is acquired after C is rotated to the left by the quantity of lp which is used as the security key, too. The eventual cipher image is obtained by reshaping C' into RGB images.

Chosen-Plaintext Attack
The attack scheme is proposed in this part. Compared with other chaotic encryption algorithms, the rotation step is added in [37]. The rotation amount lp is used as the security key. If lp can be acquired, the permutation and diffusion steps can be attacked by imitating the attack method in [17]. Hence, the proposed attack method can be divided into two phases. In the first phase, we find the rotating amount of lp and the diffusion matrix D by shifting the Xor operations. In the second phase, we attack the permutation with some special plaintext images by imitating the attack method in [17]. We denote the original image I and the corresponding encrypted image C I.

The First Phase of Attack
The two special properties of the Xor operator are utilized and the properties are given as below.
The process for find out lp and D is conducted as the following steps.
Step 1: Choose a plaintext color image Z of size M × N, the elements of which are all zero-pixel values. Z can be expressed as below.
The encrypted image C Z is obtained from the encryption method above. Divide Z into three images according to RGB theory. The sequence of C' corresponding to C Z is acquired by linking the three grayscale images and the length of that is M × 3N. Denote the obtained sequence C after the diffusion. The diffusion equation corresponding to Z can be expressed according to Property 1, as below: Obtain the pixel sequence C according to Equation (5) as below: where D remains unchanged in the encryption process. C' is obtained by rotating C by the quantity of lp to the left as the follow sequence: C" is obtained by rotating C' once to the left as the following sequence: Appl. Sci. 2020, 10, 2187 4 of 10 G is acquired according to Property 2 by the equation G(i) = C (i) ⊕ C (i) and given as below: Step 2: Choose a plaintext color image Q with all k pixel values and the size of which is M × N. Q can be expressed as below.
The encrypted image C Q is obtained from the encryption system above. Divide Q into three images according to RGB theory. The sequence of C q ' corresponding to C Q is acquired by linking the three gray scale images and the length of that is M × 3N. Then we denote the obtained sequence C q after the diffusion. The diffusion equation corresponding to Q can be expressed as follows: Following this, we can obtain the pixel sequence of C q according to Equation (5), as below: where D remains unchanged in the encryption process. C' is obtained by rotating C by the quantity of lp to the left as the following sequence: C q is obtained by rotating C' once to the left as the following sequence: G q is acquired according to the Equation G q (i) = C q (i) ⊕ C q (i) and is given below: Compared with Equation (9), we can't directly get D(i) from Equation (15), but D(i) can be acquired except D(1) by D = mod(G q − k, 256).
Step 3: W of size M × 3N is obtained by W(i) = mod(G q (i) − G(i), 256) as below: Appl. Sci. 2020, 10, 2187 lp can be obtained according to the position of p in W by the following equation: where Pos p is the position of p.
Step 4: C can be obtained by rotating C' to the right lp times. D(1) can be obtained by: The permuted matrix P corresponding to the original can be obtained by: Now we discuss if we can get lp by the two special plains where one is with all k 1 pixel values and the other is with all k 2 pixel values according to Equations (12) and (13). where We can get lp from Equation (20) since all the pixel values of W except p are the same. The above steps can be expressed as in Algorithm 1. Since the rotation amount lp and the diffusion matrix D have been obtained, the permuted image P I can be acquired by Algorithm 1.

Algorithm 1 Obtain the Rotation Amount lp and the Diffusion Matrix D
1: Set the plain image Z 2: Obtain the encrypted image pixel sequence C' after the reshape Cz 3: Obtain the sequence C" 4: G(i) ← C (i) ⊕ C (i) 5: D ← G except D(1) 6: Set the plain image Z 7: Obtain the encrypted image pixel sequence C q after the reshape Cz 8: Obtain the sequence C q 9:

The Second Phase of Attack
In the following description m, n and µ are all positive integers. The plaintext sequences need to be divided into block. S, R and U represent the plaintext sequence in one division. The process of attacking permutation is as follows.
Step 1: Consider a plain sequence S and set it: Appl. Sci. 2020, 10, 2187 6 of 10 where S{i} = [i, i, . . . i] l 1 , l 1 = M × 3N/Ω and call S{i} first order sub-block. Convert S into the R, G and B color image with the size of M × N and the permutation sequence P S corresponding to S can be obtained after the first phase.
Step 2: Choose pixel P S ( j). If P S ( j) = m, the pixel in S corresponding to P S ( j) would be one pixel which is in S{m}. Register the position of j in Set INDEX{m}. All the pixels of P S would be registered in one set.
Step3: Consider a plain sequence R of size M × 3N and divide it into Ω first order blocks R(i), i = 0, 1, ..., Ω. Divide each block into Ω second order blocks R{i} j j = 0, 1, ..., Ω and set: The permutation sequence P R corresponding to R can be obtained after the first phase.
Step 4: Choose pixel P R (t) t ∈ Index{m}. If P S (t) = n, the pixel in R corresponding to P R (t) would be one pixel which is in R{m}{n}. Register the position of t in set Index{m}{n}. All the pixels of P R (t) would be registered in one second order set. If l 2 = 1, each Index{m}{n} would include only one element and we can get all the corresponding permuted positions corresponding the elements in R. If l 2 > 1, repeat Step 3, 4 until the element quantity of l = 1 and get the position matrix X'. The number of times of divisions is f and f = ceil log Ω (M × 3N) . The permutation attack process can be expressed as in Algorithm 2.  Table 1. f ascends when Ω descends and image size ascends according to Table 1. If the size of I is 256 × 256 and Ω = 256, f = 3. At the first time of division the plaintext sequence S can be set as: At the second time of division the plaintext sequence R can be set as: 255) (0 0 0) (1 1 1) · · · (255) · · · (0 0 0) (1 1 1) · · · (255)] 256×256×3 At the third time of division the plaintext sequence R can be set as: Appl. Sci. 2020, 10, 2187 7 of 10 In the above sequences the right subscripts represent the length of the vectors. Convert S, R and U into a color image, respectively, as shown in Figure 2a-c where most of the images of Figure 2a, b is white. Obviously, we can recover the corresponding original image I according to the above two phases.  Figure 3(a2,b2,c2,d2,e2). We attack the lp and diffusion using the steps in the first phase in Section 3. The retrieved permutation-diffusion images and retrieved permutation-only images are obtained as in Figure 3(a3,b3,c3,d3,e3) and Figure  3(a4,b4,c4,d4,e4), respectively. After attacking permutation in the second phase in Section 3, the restored images are obtained which have been shown in Figure 3(a5,b5,c5,d5,e5). Figure  3(a5,b5,c5,d5,e5) coincides with the original images, compared with Figure 2(a1,b1,c1,d1,e1). The recovery performance evaluation can also be made by root mean square error (RMSE). Denoting the original image I and the recovered image I', RMSE defined as below. Obviously, we can recover the corresponding original image I according to the above two phases.

Experiments and Analysis
A series of simulation experiments have been carried out to verify our attacking scheme with an Intel(R) Core(TM) i5-5300 CPU 2.  Figure 3(a2,b2,c2,d2,e2). We attack the lp and diffusion using the steps in the first phase in Section 3. The retrieved permutation-diffusion images and retrieved permutation-only images are obtained as in Figure 3(a3,b3,c3,d3,e3) and Figure 3(a4,b4,c4,d4,e4), respectively. After attacking permutation in the second phase in Section 3, the restored images are obtained which have been shown in Figure 3(a5,b5,c5,d5,e5). Figure 3(a5,b5,c5,d5,e5) coincides with the original images, compared with Figure 2(a1,b1,c1,d1,e1). The recovery performance evaluation can also be made by root mean square error (RMSE). Denoting the original image I and the recovered image I', RMSE defined as below.
In all the experiments, the values of RMSE are all zeros which mean the recovered images are all the same as the corresponding original images. In other words, the original images are accurately recovered. Therefore, the attack results demonstrate the effectiveness of the cryptanalysis.
The running times of the proposed scheme and Chen's scheme in terms of attacking lp and diffusion and attacking permutation are shown in Table 2. The images are chosen in different sizes including 256 × 256, 512 × 512 and 1024 × 1024. From Table 2, the average running time of attacking the amount of lp and diffusion in two schemes is almost the same. But the average running time of attacking permutation in the proposed method is less than that in Chen's scheme. The total average running time of the proposed method attacking the encrypted images of size 256 × 256 is 3.9151 s which is 1.33 s less than that of Chen's scheme. The difference values of attacking the encrypted the images with size 512 × 512 and 1024 × 1024 are about 2.80 s and 18.2 s, respectively. Therefore, the cryptanalysis speed of the proposed method is better than the existing scheme.
In all the experiments, the values of RMSE are all zeros which mean the recovered images are all the same as the corresponding original images. In other words, the original images are accurately recovered. Therefore, the attack results demonstrate the effectiveness of the cryptanalysis. Figure 3. Images from Column 1 to Column 5 are original images, cipher images, retrieved permutation-diffusion images, retrieved permutation-only images, restored images.
The running times of the proposed scheme and Chen's scheme in terms of attacking lp and diffusion and attacking permutation are shown in Table 2 Table 2, the average running time of attacking the amount of lp and diffusion in two schemes is almost the same. But the average running time of attacking permutation in the proposed method is less than that in Chen's scheme. The total average running time of the proposed method attacking the encrypted images of size 256 256  is 3.9151 s which is 1.33 s less than that of Chen's scheme. The difference values of attacking the encrypted the images with size 512 512  and 1024 1024  are about 2.80 s and 18.2 s, respectively. Therefore, the cryptanalysis speed of the proposed method is better than the existing scheme. Table 2. Execution time (seconds).

Image Size Image
The Proposed Scheme Chen's Scheme Figure 3. Images from Column 1 to Column 5 are original images, cipher images, retrieved permutation-diffusion images, retrieved permutation-only images, restored images.

Conclusions
This paper attacks a new color image encryption algorithm combining a few the 1D chaotic maps which has been recently proposed in [37]. The encryption process depends on the linear-nonlinear-linear structure of the encryption algorithm. The vulnerability of this algorithm is revealed, and the attacking scheme is developed by the chosen plaintext attack in Section 3, based on the security weakness. Experimental results demonstrate the attack scheme of this paper can completely collapse the encryption algorithm and has low computation complexity.