Cryptanalysis and Improvement of a Medical Image-Encryption Algorithm Based on 2D Logistic-Gaussian Hyperchaotic Map

Abstract

The dynamic confrontation between medical image-encryption technology and cryptanalysis enhances the security of sensitive healthcare information. Recently, Lai et al. proposed a color medical image-encryption scheme (LG-IES) based on a 2D Logistic-Gaussian hyperchaotic map (Applied Mathematics and Computation, 2023). This paper identifies that the LG-IES suffers from vulnerabilities stemming from the existence of equivalent keys and the linear solvability of the diffusion equation, enabling successful attacks through crafted chosen-plaintext attacks and known-plaintext attacks. For an $M\times N$ image, a system of linear equations with rank r can be constructed, resulting in a reduction of the key space from $2^{32\times M\times N}$ to $2^{32\times (M\times N-r)}$. To address these security flaws, the improved ILG-IES integrates the SHA-3 Edge-Pixel Filling Algorithm (SHA-3-EPFA), which includes plaintext-related SHA-3 hashing for parameter generation, a chaos-driven 3 × 3 × 3 Unit Rubik’s Cube rotation to achieve cross-channel fusion, and edge-pixel filling rules for diffusion encryption. ILG-IES outperforms LG-IES in attack resistance (resists CPA/KPA/differential attacks) while maintaining comparable security indicators (e.g., NPCR 99.6%, UACI 33.5%) to reference schemes. In future work, SHA-3-EPFA can be embedded as an independent module into most permutation-diffusion-based image-encryption systems, offering new perspectives for securing sensitive color images.

1. Introduction

Medical imaging techniques such as computed tomography (CT), magnetic resonance imaging (MRI), X-rays, and ultrasound are essential tools in modern healthcare [1]. However, the increasing demand for digital medical images has also raised significant concerns about data privacy and security [2]. The potential for leaks and tampering of medical images poses serious risks to patient privacy due to the sensitive personal information and health data typically contained within these images [3]. Therefore, in the context of digital healthcare [4,5], the complex medical image encryption and effective cryptographic analysis techniques are crucial for protecting patient data and maintaining trust in medical imaging practices.

With the increasing demands for efficiency, traditional image encryption techniques [6,7] struggle to provide both the computational speed and robust security needed for modern digital image transmission. In response to these challenges, various advanced encryption methods have been introduced, including chaos-based encryption, DNA encoding [2,8,9], and compressive sensing [10,11,12]. These innovative approaches offer better adaptability and higher performance compared to traditional methods. Among these, chaotic systems have gained attention for their pseudorandomness and sensitivity to initial conditions and parameters, making them suitable for cryptographic applications [13,14]. To strengthen security further, chaos-based encryption methods often incorporate multiple chaotic cascades or high-dimensional chaotic mappings [15,16,17], which increase key complexity and scramble pixel positions more effectively. Among high-dimensional chaotic mappings, 2D Logistic-Gaussian hyperchaotic maps (2D-LGHM) stand out for better dynamic performance than traditional low-dimensional chaotic systems: it fuses the nonlinearity of Logistic maps with the statistical randomness of Gaussian distribution, producing hyperchaotic sequences with two or more positive Lyapunov exponents—this property enables more complex and unpredictable behavior, which is critical for enhancing the randomness of encryption keys and pixel scrambling [18,19]. Additionally, chaos theory is frequently combined with other techniques.

However, while chaotic-based image encryption has significantly enhanced the security and efficiency of digital image transmission, it also faces new and evolving threats. In this regard, the field of image cryptanalysis, which combines chaotic systems with mathematical techniques, has made significant progress in identifying and addressing these vulnerabilities. Chen et al. [20] proposed an image-encryption scheme based on the cryptographic properties of Latin squares [21], utilizing chaos to construct a Latin equation lookup table (LUT). However, Hu [22], Li [23], and Wu [24], among others, have successively exploited vulnerabilities through cryptanalysis algorithms such as CPA. To enhance the security of the original scheme, several modifications have been suggested, including using different Latin equations for each module in each round and employing high-dimensional chaotic maps to replace the diffusion equations. Despite these improvements, however, the diffusion equations still exhibit periodicity, which may allow attackers to identify patterns in the encryption process. Modifications such as using different Latin equations for each module in each round and adopting high-dimensional chaotic maps to replace diffusion equations have been proposed, yet the diffusion equations still exhibit periodicity. Chen et al. [25] proposed constructing linear XOR equations of the original equations and applying Gaussian elimination to recover the encrypted image in the context of high-speed scrambling and pixel-adaptive diffusion encryption algorithms. Gaur et al. [26] used an improved amplitude-phase retrieval algorithm combined with cubic and cube root operations to obtain the decryption key. It is important to recognize that, despite claims of high robustness and effectiveness by the authors when constructing such algorithms using algebraic knowledge, they may still be susceptible to targeted password attacks.

This paper performs a cryptanalysis on the LG-IES scheme proposed by Lai et al. [27], and identifies the weaknesses of algebraic structure in the system. On one hand, all Pseudorandom Number Generators (PRNGs) generated by chaos are independent of plaintext, leading to the existence of equivalent keys. On the other hand, the reversibility of the permutation process and the high correlation with edge pixels of the diffusion process result in the arrangement pixel being generalized into nine specific states, which makes the key leaked by the edge pixels. Furthermore, the single-channel encryption scheme fails to meet the requirements for protecting sensitive information in color medical images.

The main contributions of this work are as follows:

(1)

The cryptographic analysis of the color medical image-encryption scheme proposed by Lai et al. [27] is carried out, and some security defects are found. Furthermore, we propose a cryptanalysis method incorporating differential analysis, CPA, and KPA. Consequently, the LG-IES based on Shannon’s principle [28] is cracked.

(2)

An improved security enhancement scheme is proposed, which uses Secure Hash Algorithm 3 (SHA-3) to establish plaintext-related Rubik’s Cube rotation rules to realize edge-pixel perturbation between channels. The experimental results show that the improved diffusion structure has better chaotic performance and has passed the security analysis.

2. The Image-Encryption Scheme of Lai et al.

This section reviews an image-encryption scheme (LG-IES) proposed by Lai et al. [27]. The encryption steps include the chaotic map and the encryption process of LG-IES.

2.1. 2D Logistic-Gaussian Hyperchaotic Map

Lai et al. [27] construct a two-dimensional Logistic-Gaussian hyperchaotic map (2D-LGHM) with a wide range of hyperchaos, and the dynamical equation is as follows:

$$\left\{\begin{array}{c}{x}_{n+1}=k_{1}cos(e^{-a{x}_n^2}-b)\hfill \\ y_{n+1}=k_{2}cos\left(y_n(1-x_n)\right)\hfill \end{array}\right.$$

(1)

where x, y are the state variables, and $k_1$, $k_2$, a, b are the control parameters, respectively. It shall be established that this system exhibits hyperchaos when the parameters $k_1$, $k_2$, a, b are chosen as

$$(k_1,k_2,a,b)=(25,25,1,1)$$

(2)

2.2. Description of LG-IES

2.2.1. The Secret Key

The secret parameter K is composed of several elements:

-

$x_0,y_0$: Two different original initial value for the chaotic sequence.

-

$A_1,A_2$: The correlation coefficients for $x_0$ and $y_0$, respectively.

-

$r_0$: The original control parameter.

-

d: A perturbation coefficient.

The length of the key K is 256 bits, with $x_0$, $y_0$, $r_0$ and d each occupying 48 bits, and $A_1$ and $A_2$ each occupying 32 bits.

Convert the 48-bit binary numbers $x_0$, $y_0$, $r_0$ and d into floating-point numbers in the range $\left[0,1\right)$, and $A_1$ and $A_2$ into integers. The parameter K is then updated with the following equation:

$$\left\{\begin{array}{c}{x}_0^{\left(i\right)}=(x_0\times A_1+d)\mathrm{mod}1\\ y_0^{\left(i\right)}=(y_0\times A_2+d)\mathrm{mod}1\\ r_0^{\left(i\right)}=(r_0\times A_i+d)\mathrm{mod}1\end{array}\right.$$

(3)

where $i=1,2$. Using $x_0^{\left(1\right)}$ and $y_0^{\left(1\right)}$ as initial chaotic parameters, substitute them into Equation (1), then iterate $M\times N$ times to generate the y-sequence. Assign the generated values in row-major order to populate the $M\times N$ matrix S. Similarly, with $x_0^{\left(2\right)}$ and $y_0^{\left(2\right)}$ as initial parameters, one can generate another y-sequence for the $M\times N$ matrix R. This produces the chaotic matrices S and R.

2.2.2. One-Round Permutation

Sort each row (column) of S in ascending order to obtain the ordering matrices $O1$ ($O2$). Then, encode the matrices $O1=\left(O{1}_{i,j}\right)$ ($O2=\left(O{2}_{i,j}\right)$) to obtain the position matrices $Q1=\left((i,O{1}_{i,j})\right)$ ($Q2=\left((O{2}_{i,j},j)\right)$).

Next, the LG-IES scheme performs the permutation operation on the input image P to obtain the permutation image T, using position matrices $Q2$ and ordering matrices $O1$. Firstly, the positions of pixels of the original image P are represented by values from 1 to M × N. The new image is denoted as $P^{\prime }$. Secondly, we will use the elements $(O{2}_{i,j},j)$ of the position matrix $Q2$ as indices to mark the position in the matrix $P^{\prime }$. The rule is as follows: The intersection of the $O{2}_{i,j}$ row and the j column of the matrix $P^{\prime }$ is taken as the position marked by the position matrix $Q2$. Thirdly, we use the ordering matrix O1 to complete the permutation of positions. The specific rules are as follows: Each row i of the ordering matrix O1 is regarded as a permutation mapping ${\pi }_i$ from the set $(1,N)$ to itself. The elements of matrix $p^{\prime }$ marked by $(O{2}_{i,j},j)$ are permuted to the position $(O2(i,{\pi }_i\left(j\right)),{\pi }_i\left(j\right))$. As shown in Figure 1, the positions and rules of the permutation are determined by the chaotic matrix, effectively disrupting the row and column pixels of the plain image in a single round of permutations.

Figure 1. High-efficiency one (Pixel Scrambling Positions Marked by Red Squares) round permutation.

2.2.3. Two Round Diffusions

The multi-directional pixel substitution constructs a diffusion model. In this model, the pixel value at the current position is influenced by both the surrounding pixel values and its own state, resulting in a new pixel value that further affects pixels at other positions. The multi-directional diffusion method consists of two-round diffusion, each round contains two divergence equations. The divergence equation is as follows:

$$\overline{C}(i,j)=\left\{\begin{array}{c}I(i,j)+I(M-1,j)+⌊R(i,j)\times 2^{32}⌋\mathrm{mod}F,\mathrm{for}i=0,\hfill \\ I(i,j)+I(i,N-1)+⌊R(i,j)\times 2^{32}⌋\mathrm{mod}F,\mathrm{for}j=0,\hfill \\ I(i,j)+\overline{C}(i-1,j)+\overline{C}(i,j-1)+\overline{C}(i-1,j-1)+⌊R(i,j)\times 2^{32}⌋\mathrm{mod}F.\hfill \end{array}\right.$$

(4)

I represents the input image, and $\overline{C}$ denotes the output image after the divergence process. Here, $\lfloor ·\rfloor$ refers to the floor operation, $mod$ represents the modulo function, and $F=256$ specifies the color level of the image. The matrix R is a chaotic matrix generated as described in Section 2.2.1.

The input image I utilizes Equation (4) for the first divergence, resulting in $Q1$. The second divergence is then performed as follows: $Q1$ is rotated by 180 degrees to obtain the image $Q2$, and Equation (4) is applied again to produce the final password image C. Since then, from I to C, multi-directional pixel diffusion is realized. The whole diffusion process is shown in Figure 2.

Figure 2. Multi-directional pixels substitution.

2.2.4. Encryption Algorithm of LG-IES

LG-IES consists of one-round permutation and two-round same diffusion; the overall block diagram of encryption is shown in Figure 3. To encrypt the plain image P, the first round of diffusion is applied (as described in Section 2.2.3), producing the intermediate results $X1$, $X2$, and $X3$. Following this, a permutation (Section 2.2.2) transforms $X3$ into T. A second round of diffusion (Section 2.2.3) is then applied, resulting in $Y1$, $Y2$, and the ciphertext C. This sequence of operations, implemented through LG-IES, completes the encryption of P into C.

Figure 3. Block diagram of LG-IES.

In this paper, the decryption algorithm does not impact the security analysis and will not be elaborated on in detail (please refer to the original work [27]).

3. Cryptanalysis

This section analyzes the security of the image-encryption scheme presented by Lai et al. [27]. The relevant properties are listed in Section 3.1. Then the defects of the model are analyzed in Section 3.2, and the encryption algorithm can be finally cracked by cryptanalysis of each encryption process in Section 3.3.

3.1. Relevant Properties

Construct two $M\times N$ plain images, denoted as $P1$ and $P2$. It can define the difference image $\Delta P$ as $\Delta P(i,j)=P1(i,j)-P2(i,j)$. Similarly, the other differential images are defined such as $\Delta X1$, $\Delta X2$, $\Delta X3$, $\Delta T$, $\Delta Y1$, $\Delta Y2$, and $\Delta C$.

Proposition 1.

After one-round diffusion, the differential image $\Delta X3$ depends only on the differences between the original images $P1$ and $P2$ without any terms involving R.

Proof. 

There are three steps from the plain image P to image $X3$, which consists of two divergence equations and an image flipping. Next, they are analyzed as follows.

• The first divergence: $P\to X1$
  According to Equation (4) and the definition of difference image, $\Delta X1$ can be written as:

  $$\Delta X1(i,j)=\left\{\begin{array}{c}\Delta P(i,j)+\Delta P(M-1,j)\mathrm{mod}F,\mathrm{for}i=0,\hfill \\ \Delta P(i,j)+\Delta P(i,N-1)\mathrm{mod}F,\mathrm{for}j=0,\hfill \\ \Delta P(i,j)+\Delta X1(i-1,j)+\Delta X1(i,j-1)+\Delta X1(i-1,j-1)\mathrm{mod}F.\hfill \end{array}\right.$$

  (5)

  Here, due to the characteristics of the differential, the term $R(i,j)$ is eliminated, so the difference equation for the first divergence of the first-round result $X1$ does not include the chaotic matrix R.
• Rotation operation: $X1\to X2$
  The rotation operation does not change the difference relationship between the matrix elements. Therefore, the difference matrix $\Delta X2$ retains the same difference structure as $\Delta X1$ and still does not contain the terms of the chaotic matrix R.
• The second divergence: $X2\to X3$
  The difference equation for $X3$ is

  $$\Delta X3(i,j)=\left\{\begin{array}{c}\Delta X2(i,j)+\Delta X2(M-1,j)\mathrm{mod}F,\mathrm{for}i=0,\hfill \\ \Delta X2(i,j)+\Delta X2(i,N-1)\mathrm{mod}F,\mathrm{for}j=0,\hfill \\ \Delta X2(i,j)+\Delta X3(i-1,j)+\Delta X3(i,j-1)+\Delta X3(i-1,j-1)\mathrm{mod}F.\hfill \end{array}\right.$$

  (6)

  Similarly, in this differential analysis, the influence of the chaotic matrix R is eliminated. So it holds.

   □

Proposition 2.

When $\Delta T$ satisfies the condition that all pixel values are zero except at a single position where $\Delta T(i,j)=1$, with $i\in \{0,1,\dots ,M-1\}$ and $j\in \{0,1,\dots ,N-1\}$, there exists some certain relationships between the differential image $\Delta T$ and the differential ciphertext $\Delta C$:

(1) When $\Delta T(0,j)=1$,

• If $j=0$, $\Delta C$ satisfies

  $$\left\{\begin{array}{c}\Delta C(0,N-1)=1\hfill \\ \Delta C(M-1,0)=1\hfill \end{array}\right.$$

  (7)
• Else if $j\in \{1,2,\dots ,N-2\}$, $\Delta C$ satisfies

  $$\left\{\begin{array}{c}\Delta C(0,N-j-1)=2\hfill \\ \Delta C(M-2,0)=2\hfill \\ \Delta C(M-1,0)=0\hfill \end{array}\right.$$

  (8)
• Else if $j=N-1$, $\Delta C$ satisfies

  $$\left\{\begin{array}{c}\Delta C(M-1,0)=2\hfill \\ \Delta C(0,N-1)=1\hfill \end{array}\right.$$

  (9)

(2) When $\Delta T(i,N-1)=1$,

• If $i=0$, $\Delta C$ satisfies Equation (9).
• Else if $i\in \{1,2,\dots ,M-2\}$, $\Delta C$ satisfies

  $$\Delta C(M-i-1,0)=3$$

  (10)
• Else if $i=M-1$, $\Delta C$ satisfies

  $$\left\{\begin{array}{c}\Delta C(m,0)=1\hfill \\ \Delta C(0,n)=1\hfill \end{array}\right.$$

  (11)

  where $m\in \{1,2,\dots ,M-1\}$ and $n\in \{1,2,\dots ,N-1\}$.

(3) When $\Delta T(M-1,j)=1$,

• If $j=0$, $\Delta C$ satisfies

  $$\left\{\begin{array}{c}\Delta C(0,N-1)=2\hfill \\ \Delta C(M-1,0)=1\hfill \end{array}\right.$$

  (12)
• Else if $j\in \{1,2,\dots ,N-2\}$, $\Delta C$ satisfies

  $$\Delta C(0,N-j-1)=3$$

  (13)
• Else if $j=N-1$, $\Delta C$ satisfies Equation (11).

(4) When $\Delta T(i,0)=1$,

• If $i=0$, $\Delta C$ satisfies Equation (7).
• Else if $i\in \{1,2,\dots ,M-2\}$, $\Delta C$ satisfies

  $$\left\{\begin{array}{c}\Delta C(M-i-1,0)=2\hfill \\ \Delta C(0,N-2)=2\hfill \\ \Delta C(0,N-1)=0\hfill \end{array}\right.$$

  (14)
• Else if $i=M-1$, $\Delta C$ satisfies Equation (12).

(5) In addition to the above, when $\Delta T(i,j)=1$, $\Delta C$ satisfies

$$\left\{\begin{array}{c}\Delta C(m,0)=0\hfill \\ \Delta C(0,n)=0\hfill \end{array}\right.$$

(15)

where $m\in \{M-i,\dots ,M-1\}$ and $n\in \{N-j,\dots ,N-1\}$.

Proof. 

Assume that $T1$ and $T2$ are two input images satisfying $T1-T2=\Delta T$. In Equation (13), if the image $\Delta T$ satisfies $\Delta T(M-1,j)=1$ where $j\in \{1,2,\dots ,N-2\}$. Then image $\Delta T$ is defined as shown in Equation (16),

$$\Delta T={\left[\begin{array}{ccccc}0& \dots & 0& \dots & 0\\ ⋮& \ddots & ⋮& \ddots & ⋮\\ 0& \dots & 1& \dots & 0\end{array}\right]}_{M\times N}$$

(16)

The diffusion process in the LG-IES scheme is as follows. The elements $\Delta Y1(M-1,j)=\Delta T(M-1,j)+\Delta Y1(M-1-1,j)+\Delta Y1(M-1,j-1)+\Delta Y1(M-1-1,j-1)=2$ and $\Delta Y1(0,j)=\Delta T(0,j)+\Delta T(M-1,j)=1$ are directly calculated according to Equation (5). Then rotate $\Delta Y1(M-1,j)$ ($\Delta Y1(0,j)$) by 180 degrees to obtain $\Delta Y2(0,N-j-1)=2$ ($\Delta Y2(M-1,N-j-1)=1$). Finally, it can directly compute to obtain $\Delta C(0,N-j-1)=3$ from Equation (6). The matrix form of the ciphertext difference $\Delta C$ is as follows:

$$\Delta C={\left[\begin{array}{ccccccc}\ast & \dots & 2M-1& \underline{3}& 0& \dots & 0\\ ⋮& \ddots & ⋮& ⋮& ⋮& \ddots & ⋮\\ 0& \dots & \ast & \ast & \ast & \dots & \ast \end{array}\right]}_{M\times N}$$

(17)

Therefore, the relationship between $\Delta T$ and $\Delta C$ is established, and Equation (13) is proved. The proof process for other equations is similar and will not be repeated here (see Appendix A).    □

Note: Table 1 provides a detailed example of the evolution for a $5\times 5$ matrix. When $\Delta C(0,3)=3$, corresponding to $\Delta T(4,1)=1$, it satisfies Equation (13) (with $M=N=5$ and $j=1$). This table reflects the change process from $\Delta T(4,1)$ to $\Delta C(0,3)$.

Table 1. The proof of Equation (13).

Permuted image	$\Delta T$
	$\left[\begin{array}{ccccc}0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0\\ 0& 1& 0& 0& 0\end{array}\right]$
First diffused image	$\Delta Y1$
	$\left[\begin{array}{ccccc}0& 1& 0& 0& 0\\ 0& 1& 2& 2& 2\\ 0& 1& 4& 8& 12\\ 0& 1& 6& 18& 38\\ 0& 2& 9& 33& 89\end{array}\right]$
Rotated image	$\Delta Y2$
	$\left[\begin{array}{ccccc}89& 33& 9& 2& 0\\ 38& 18& 6& 1& 0\\ 12& 8& 4& 1& 0\\ 2& 2& 2& 1& 0\\ 0& 0& 0& 1& 0\end{array}\right]$
Second diffused image (Cipher image)	$\Delta C$
	$\left[\begin{array}{ccccc}89& 33& 9& 3& 0\\ 38& 178& 226& 239& 242\\ 12& 236& 132& 86& 55\\ 2& 252& 110& 73& 214\\ 0& 254& 104& 32& 63\end{array}\right]$

Note: Red-colored values in the matrices indicate key focused values in cryptanalysis.

Proposition 3.

Assume that $x_1$, $x_2$, …, $x_n$ belongs to the set $\{0,1,...,255\}$, i.e., $x_1$, $x_2$, …, $x_n$$\in F_{2^8}$, and $r\in Z^{+}$. If $F=256$, then it has

$$\begin{array}{cc}\hfill & \left(\left(x_1\mathit{mod}F\right)+\left(x_2\mathit{mod}F\right)+\dots +\left(x_n\mathit{mod}F\right)+r\right)\mathit{mod}F\hfill \\ \hfill & =(x_1+x_2+\dots x_n+r)\mathit{mod}F\hfill \end{array}$$

(18)

Proof. 

According to the nature of modular operations, it has

$$\begin{array}{cc}\hfill x_1\mathrm{mod}F& =x_1-k_1\times F\hfill \\ \hfill x_2\mathrm{mod}F& =x_2-k_2\times F\hfill \\ \hfill & \dots \hfill \\ \hfill x_n\mathrm{mod}F& =x_n-k_n\times F\hfill \end{array}$$

(19)

where $k_1$, $k_2$ and $k_n$ are integers. Plug these expressions (19) into the left-hand side of Equation (18), it obtains

$$\begin{array}{cc}\hfill & \left((x_1-k_{1}F)+(x_2-k_{2}F)+\dots +(x_n-k_{n}F)+r\right)\mathrm{mod}F\hfill \\ \hfill & =\left(x_1+x_2+\dots +x_n+r-(k_1+k_2+\dots +k_n)F\right)\mathrm{mod}F\hfill \end{array}$$

(20)

so it holds.    □

3.2. Model Analysis

(1) In LG-IES, the authors only utilize a secret parameter K (in Section 2.2.1) to generate chaotic matrices used for encryption, which exhibit low correlation with the plain image, leading to the existence of equivalent keys. This approach produces the same PRNGs across different plaintext images of equal size, allowing the encryption to be deciphered without knowledge of the actual secret key.

(2) We observe that there is a potential risk of differential attack through the Proposition 1. The reason for this is that the influence of the chaotic matrix R is canceled out by differential analysis during the diffusion process. This enables the attacker to design a differential input combination such that the output matches the expected pattern, allowing them to obtain feature information of the original image.

(3) In the multi-directional diffusion process of Section 2.2.3, the image T is supplemented using the rightmost and bottommost edge pixels. During the first round of diffusion, it acts on the leftmost and topmost pixels. After rotation, the leftmost and topmost pixels move to the rightmost and bottommost edge pixels. During the second round of diffusion, the new rightmost and bottommost pixels act on the new leftmost and topmost pixels.

The way the edge pixels are complemented and diffused carries a certain regularity. Thus, the leftmost and topmost pixels of the cipher image C are influenced by the edge pixels of the input image T. This allows an attacker to predict the corresponding positions in the cipher image from the known edge pixels, which reduces the randomness and security of the encryption and leads to vulnerabilities.

(4) In LG-IES, the scheme applies the same encryption process to each channel, resulting in a lack of correlation between the channels. This might lead to a lack of cohesion in the encryption scheme, thereby reducing its security.

3.3. Chosen-Plaintext and Known-Plaintext Attacks

Step 1: Identification of Permutation Patterns

(1) $M\times N$ sets of special input pairs $(P1,P2)$ are constructed.

(2) Assuming $\Delta P$ satisfies $\Delta P=P1-P2$, after first round of diffusion, $M\times N$ intermediate ciphertext images $\Delta X3$ are obtained.

(3) According to Proposition 1 and Equation (4), each differential image $\Delta X3$ satisfies $\Delta X3(i,j)=1$ for an unique pixel $(i,j)$, with all other pixels set to 0, where $i\in \{0,1,\dots ,M-1\}$ and $j\in \{0,1,\dots ,N-1\}$.

(4) The differential image set $\Delta T$ is obtained by applying a permutation operation to $\Delta X3$. Each differential image $\Delta T$ corresponds to a single non-zero pixel, $\Delta T(xi,yj)=1$, with all other pixels set to 0, where $xi\in \{0,1,\dots ,M-1\}$ and $yj\in \{0,1,\dots ,N-1\}$.

(5) After LG-IES encryption, the ciphertext $\Delta C$ is obtained.

(6) According to Property 2, eve infers the positional mapping from $(i,j)$ to $(xi,yj)$ in the final ciphertext $\Delta C$, and she can obtain an equivalent substitution transformation.

The image set $\Delta P$, obtained based on $(P1,P2)$, ensures that every position in the $M\times N$ matrix $\Delta X3$ obtained after one diffusion has exactly one occurrence of the value 1 across the set of differential images. Example 1 gives a $3\times 3$ example to demonstrate the construction of a special image $\Delta X3$.

Example 1.

Given two matrices $P1$ and $P2$ as follows:

$$P1=\left[\begin{array}{ccc}0& 0& 1\\ 0& 0& 3\\ 1& 2& 0\end{array}\right],P2=\left[\begin{array}{ccc}2& 3& 0\\ 3& 0& 0\\ 0& 0& 1\end{array}\right]$$

(21)

The difference between $P1$ and $P2$, denoted as $\Delta P$, is computed element-wise:

$$\Delta P=P1-P2=\left[\begin{array}{ccc}-2& -3& 1\\ -3& 0& 3\\ 1& 2& -1\end{array}\right]$$

(22)

According to Proposition 1, it generates the differential images. The images $\Delta X1$, $\Delta X2$, and $\Delta X3$ are derived as follows:

$$\Delta X1=\left[\begin{array}{ccc}0& -1& 0\\ 0& -1& 1\\ 0& 1& 0\end{array}\right],\Delta X2=\left[\begin{array}{ccc}0& 1& 0\\ 1& -1& 0\\ 0& -1& 0\end{array}\right],\Delta X3=\left[\begin{array}{ccc}0& 0& 0\\ 1& 0& 0\\ 0& 0& 0\end{array}\right]$$

(23)

Here, $\Delta X3$ is a special differential image where the pixel at position $(1,0)$ is set to 1, and all other pixels are 0. This corresponds to one of its differential images in our set of $M\times N$ differential images.

Step 2: Extraction of Diffused Chaotic Matrix R

Any known-plaintext image P is processed through LG-IES to generate the corresponding ciphertext image C. By establishing a system of linear equations based on the relationships between each element of P and C, the chaotic matrix R can be solved.

Example 2.

The plain image P can be arbitrary, and for ease of demonstration, a specially constructed $3\times 3$ all-zero matrix P is defined as follows:

$$P=\left[\begin{array}{ccc}0& 0& 0\\ 0& 0& 0\\ 0& 0& 0\end{array}\right]$$

(24)

P is then processed through the LG-IES encryption system, resulting in the corresponding ciphertext image C, given by:

$$C=\left[\begin{array}{ccc}223& 45& 228\\ 75& 88& 106\\ 15& 77& 196\end{array}\right]$$

(25)

Let the intermediate cipher image $Y2$ be defined as:

$$Y{2}^{\left(a\right)}=\left[\begin{array}{ccc}a& b& c\\ d& e& f\\ g& h& i\end{array}\right]$$

(26)

Substitute Equation (26) into Equation (4) to obtain Equation (25). Solve the simultaneous equations to derive Equation (27).

$$(R\times 2^{32})=\left[\begin{array}{ccc}223-a-c-g& 45-b-h& 228-c-i\\ 75-d-f& 1-e& 1-f\\ 15-g-i& 155-h& 181-i\end{array}\right]$$

(27)

For example, $181-i=(R\times 2^{32})(2,2)=C(2,2)-C(1,2)-C(2,1)-C(1,1)-i+256\times k=196-106-77-88-i+256\times 1$.

According to the chaotic matrix (27) and the one-to-one mapping permutation from $X3$ to T obtained in Step 2, we can subsequently obtain $X1$ (see Equation (A1a) in the Appendix B), $X2$ (A1b), $X3$ (A1c), T (A1d), $Y1$ (A1e), and $Y2$ (A1f).

This forms a linear self-consistent loop of the encryption system LG-IES, allowing us to solve the system by establishing the relevant equations between Equation (26) and Equation (A1f) in the Appendix B, i.e., $Y{2}^{\left(a\right)}=Y{2}^{\left(b\right)}$, as follows:

$$\left\{\begin{array}{cc}\hfill a& =150-240a-333b-358c-334d-209e-409f-356g-407h-267i\hfill \\ \hfill b& =68-105a-146b-156c-148d-92e-181f-156g-179h-116i\hfill \\ \hfill c& =150-27a-36b-40c-36d-23e-44f-41g-44h-31i\hfill \\ \hfill d& =142-75a-105b-113c-104d-65e-128f-111g-128h-84i\hfill \\ \hfill e& =61-59a-82b-87c-82d-52e-100f-87g-100h-64i\hfill \\ \hfill f& =166-10a-15b-15c-17d-9e-21f-15g-18h-11i\hfill \\ \hfill g& =76-5a-4b-9c-4d-3e-5f-8g-5h-8i\hfill \\ \hfill h& =4-10a-17b-15c-15d-9e-18f-15g-21h-11i\hfill \\ \hfill i& =252-32a-40b-47c-40d-26e-49f-47g-49h-35i\hfill \end{array}\right.$$

(28)

Resulting in:

$$\begin{array}{c}a=73,b=576-2h,c=64,d=2h-397,\\ e=61,f=271-h,g=193,i=161\end{array}$$

(29)

The chaotic matrix is then obtained

$$(R\times 2^{32})=\left[\begin{array}{ccc}149& h-19& 3\\ 457-h& 196& h-14\\ 173& 155-h& 20\end{array}\right]$$

(30)

The complexity analysis is as follows:

Each element of chaos in Equation (30) has $2^{32}$ possible values. In the $3\times 3$ example above, by reducing the unknowns in the chaotic matrix R to a single parameter h, the entire matrix can be expressed as a function of h. Consequently, the key space shrinks from $2^{288}$ to $2^{32}$, losing 256 bits of security.

For the $M\times N$ image, the initial key space is given by $2^{32\times M\times N}$. Referring to Example 2 in this section, an $M\times N$ system of linear equations (as shown in Equation (28)) can be derived, with the rank (r) defined as the maximum number of linearly independent rows or columns in the coefficient matrix of the system. The key space reduction based on the rank (r) of the equation system is as follows:

(1)

When $r=M\times N$, the key space shrinks by $100\%$, reducing from $2^{32\times M\times N}$ to 1.

(2)

When $r<M\times N$, the key space shrinks by a factor of $2^{32\times r}$, and the security (in terms of bits) is reduced by $32(M\times N-r)$ bits.

This significant reduction makes the encryption scheme highly vulnerable to brute-force attacks, with the time complexity of this process presented in Table 2. This feasibility is enabled by modern computing technologies, which can practically exhaust the smaller search space.

Table 2. Reduced Key Space and Time to Solve for Matrix R Across Image Sizes and Types.

Image Size	Rank r	Reduced Key Space	Time to Solve for R
	6	$2^{96}$	$0.018\mathrm{s}$
$3\times 3$	8	$2^{32}$	$0.021\mathrm{s}$
	9	1	$0.024\mathrm{s}$
	4000	$2^{3008}$	$0.32\mathrm{s}$
$64\times 64$	4050	$2^{1408}$	$0.35\mathrm{s}$
	65,536	1	$0.41\mathrm{s}$
	64,000	$2^{49,152}$	$4.2\mathrm{s}$
$256\times 256$	65,000	$2^{17,152}$	$4.8\mathrm{s}$
	65,536	1	$5.3\mathrm{s}$

4. Proposed SHA-3-EPFA

Based on the LG-IES proposed by Lai et al. [27], this paper presents an enhanced scheme for the medical image encryption, and provides simulation as well as security analysis.

4.1. Encryption Scheme

The LG-IES suffers from vulnerabilities stemming from the existence of equivalent keys and the linear solvability of the diffusion equation, enabling successful attacks through crafted chosen-plaintext attacks and known-plaintext attacks. To address these vulnerabilities and overcome the limitation of 2D planar image encryption in the original scheme, we introduce a color medical image-encryption scheme based on the SHA-3 Edge-Pixel Filling Algorithm (SHA-3-EPFA), referred to as ILG-IES. This encryption scheme comprises two main components: an auxiliary algorithm, SHA-3-EPFA (Steps 1 to 6), and the primary encryption scheme (described in Step 7). Before each round of divergence (Equation (4)), the SHA-3-EPFA component is responsible for generating edge-filled pixel values by leveraging the principles of rotation and displacement within a Rubik’s Cube in three-dimensional space, thereby introducing pixel-level channel fusion and enhancing randomness. Meanwhile, the primary encryption scheme performs the actual encryption operations. Assuming the input image size is $M\times N\times 3$, the structure of SHA-3-EPFA is illustrated in Figure 4, while the overall block diagram of ILG-IES is shown in Figure 5. The steps of ILG-IES in detail are as follows:

Figure 4. SHA-3-EPFA (Only Key Steps Shown). (a) Divide the rotation area, (b) rotate Rubik’s Cube, and (c) obtain new pixels to fill.

Figure 5. Block diagram of ILG-IES.

Step 1: Partitioning of the Rubik’s Cube rotation area (Figure 4a)

(1) Given a color input image I of $M\times N\times 3$, a subset $I^{\prime }$ is obtained by excluding the elements of the first row and the first column from I.

(2) The color image $I^{\prime }$ with dimensions $(M-1)\times (N-1)\times 3$, where $M=256$ and $N=256$, is sequentially divided into $85\times 85$ unit Rubik’s Cubes, each of size $3\times 3\times 3$.

Step 2: Generating the Plaintext-Related Matrix

(1) Calculate the sum of all elements across the three subimages of $I^{\prime }$ to obtain s.

(2) Calculate $v_i$ according to Equation (31), where $i\in \{1,2,$$\dots ,N\times 3\}$.

$$v_i=\left(\left(s\mathrm{mod}256\right)+i\right)\mathrm{mod}256$$

(31)

(3) Fill the $v_i$ row-wise into a $N\times 3$ matrix to obtain V.

Step 3: Generating the Chaos-Related Matrices

(1) Using $x_0^{\left(1\right)}$ and $y_0^{\left(1\right)}$ in Section 2.2.1 as initial chaotic parameters, substitute them into Equation (1), then iterate $M\times N+M\times N\times 3=M\times N\times 4$ times to generate the y-sequence.

(2) Extract the elements from the $M\times N+1$ to the $M\times N\times 4$ positions of the y-sequence, and arrange them in rows to obtain a new chaotic matrix A.

(3) Using $x_0^{\left(2\right)}$ and $y_0^{\left(2\right)}$ as initial chaotic parameters, substitute them into Equation (1), then iterate $M\times N+M\times N=M\times N\times 2$ times to generate another $y^{\prime }$-sequence.

(4) Extract the elements from the $M\times N+1$ to the $M\times N\times 2$ positions of the $y^{\prime }$ sequence, and obtain the chaotic sequence w.

Step 4: Obtaining Rubik’s Cube Parameters

(1) The matrices V and A are concatenated along the first dimension to obtain a three-dimensional matrix B with size $(M+1)\times N\times 3$.

(2) Applying the SHA-3 hash function to this matrix B generates a 256-bit hash value.

(3) The first 16 digits of this hash value are designated as a group labeled $H1$, and each subsequent set of 16 digits is labeled as $H2$, $H3$, and $H4$, respectively.

(4) Calculate the parameters controlling the rotation of the Rubik’s Cube using Equation (32).

$$\begin{array}{c}\left\{\begin{array}{c}t=\sum H1\times 2^{10}\mathrm{mod}10\hfill \\ r\left(i\right)=\left(w\left((i+\sum H2)\mathrm{mod}(M\times N)\right)\times 2^{10}\right)\mathrm{mod}3\hfill \\ p\left(i\right)=\left(w\left((i+\sum H3)\mathrm{mod}(M\times N)\right)\times 2^{10}\right)\mathrm{mod}3\hfill \\ q\left(i\right)=\left(w\left((i+\sum H4)\mathrm{mod}(M\times N)\right)\times 2^{10}\right)\mathrm{mod}3+1\hfill \end{array}\right.\hfill \end{array}$$

(32)

where t denotes the number of rotations, r denotes the dimension of the rotation, p denotes the specific layer or index of the rotation operation, q denotes the angle of the rotation, and $i\in \{0,1,\dots ,t\}$.

The equation below outlines a detailed rotation strategy:

$$\begin{array}{cc}\hfill & \left\{\begin{array}{c}r\left(i\right)==0,rotationontheYOZplane(X-axis).\hfill \\ r\left(i\right)==1,rotationontheXOZplane(Y-axis).\hfill \\ r\left(i\right)==2,rotationontheXOYplane(Z-axis).\hfill \end{array}\right.\hfill \\ \hfill & \left\{\begin{array}{c}q\left(i\right)==1,rotate90degreescounterclockwise.\hfill \\ q\left(i\right)==2,rotate180degreescounterclockwise.\hfill \\ q\left(i\right)==3,rotate270degreescounterclockwise.\hfill \end{array}\right.\hfill \end{array}$$

(33)

Step 5: Rotating the Image (Figure 4b)

Rotate each unit Rubik’s Cube in the image $I^{\prime }$ based on t, r, p and q to realize pixels scrambling in the selected area. The new image is denoted as $new{I}^{\prime }$. Algorithm 1 describes the rotation process of the unit Rubik’s Cube.

Algorithm 1: Unit Rubik’s Cube Rotation.

Input: cube (The Rubik’s Cube before rotation)     Output: newcube (The Rubik’s Cube after rotation)     for i in range$\left(t\right)$ :       if $r\left[i\right]==0$ :         $newcube\left[p\left[i\right],:,:\right]=np.rot90\left(cube\left[p\left[i\right],:,:\right],q\left[i\right]\right)$       elif $r\left[i\right]==1$ :         $newcube\left[:,p\left[i\right],:\right]=np.rot90\left(cube\left[:,p\left[i\right],:\right],q\left[i\right]\right)$       elif $r\left[i\right]==2$ :         $newcube\left[:,:,p\left[i\right]\right]=np.rot90\left(cube\left[:,:,p\left[i\right]\right],q\left[i\right]\right)$       $cube$ update

Step 6: Filling the Edges of the Image (Figure 4c)

(1) Using Equation (34), obtain the padded pixel values $new{I}^{\prime }$$(i,j,channel)$,

$$\left\{\begin{array}{c}i=(s\times k)\mathrm{mod}255+1\hfill \\ j=(2\times s\times k)\mathrm{mod}255+1\hfill \\ channel=(s\times k)\mathrm{mod}3\hfill \end{array}\right.$$

(34)

where $k\in \{1,2,\dots ,N\times 3+M\times 3\}$.

(2) When $k\in \{1,2,\dots ,N\times 3\}$, select the corresponding $N\times 3$ pixels from $new{I}^{\prime }$ to be used for column-wise and dimension-wise filling of $up\_edg{e}_{(N\times 3)}$.

(3) When $k\in \{N\times 3+1,N\times 3+2,\dots ,N\times 3+M\times 3\}$, select the corresponding $M\times 3$ pixels from $new{I}^{\prime }$ to be used for row-wise and dimension-wise filling of $left\_edg{e}_{(M\times 3)}$.

Step 7: Obtaining the Improved Scheme: ILG-IES

(1) The plain image P undergoes Steps 1 to 6 to obtain the padded pixels, and using Equation (35), the diffused image $X1$ is obtained.

$$\begin{array}{c}\overline{C}(i,j,channel)=\hfill \\ \left\{\begin{array}{c}I(i,j,channel)+up\_edge(j,channel)+⌊R(i,j,channel)\times 2^{32}⌋\mathrm{mod}F\mathrm{for}i=0\hfill \\ I(i,j,channel)+left\_edge(i,channel)+⌊R(i,j,channel)\times 2^{32}⌋\mathrm{mod}F\mathrm{for}j=0\hfill \\ I(i,j,channel)+\overline{C}(i-1,j,channel)+\overline{C}(i,j-1,channel)+\overline{C}(i-1,j-1,\hfill \\ channel)+⌊R(i,j,channel)\times 2^{32}⌋\mathrm{mod}F\hfill \end{array}\right.\hfill \end{array}$$

(35)

Here, $channel\in \{0,1,2\}$ denotes the color channel index, and $R(i,j,channel)$ is shared identically across all channels, i.e., $R(i,j,channel)=R(i,j)$ for all $channel$.

(2) Rotate $X1$ by 180 degrees to obtain $X2$.

(3) $X2$ undergoes Steps 1 to 6, and then, using Equation (35), $X3$ is obtained.

(4) Perform the permutation of Section 2.2.2 to obtain T.

(5) T undergoes Steps 1 to 6, and then, using Equation (35), $Y1$ is obtained.

(6) Rotate $Y1$ by 180 degrees to obtain $Y2$.

(7) $Y2$ undergoes Steps 1 to 6, and then, using Equation (35), the cipher image C is obtained.

4.2. Decryption Process

The overall decryption process of ILG-IES is as follows.

Step 1: Using Equation (36), the encrypted image C is decrypted to recover the partial image $Y{2}^{\prime }$, which represents the section of image $Y2$ before the multi-directional pixel substitution. That is, $Y{2}^{\prime }=Y2[2:M,2:N,:]$.

$$\begin{array}{cc}\hfill & Q2(i,j,channel)=C(i,j,channel)-C(i-1,j,channel)-C(i,j-1,\hfill \\ \hfill & channel)-C(i-1,j-1,channel)-⌊R(i,j,channel)\times 2^{32}⌋\mathrm{mod}F\hfill \end{array}$$

(36)

where $i\ne 0$, $j\ne 0$, and $channel\in \{0,1,2\}$.

Step 2: Calculate the sum of $Y{2}^{\prime }$, matrix V is obtained by referring to Step 2 in Section 4.1.

Step 3: Generate chaos through 2D-LGHM. Referring to the above encryption process, we obtain the matrices S and R, and the SHA-3-EPFA related matrix A and sequence w.

Step 4: Refer to Step 4, 5 and 6 in Section 4.1, obtain the relevant parameters t, r, p and q for the Rubik’s Cube rotation. Apply these parameters to rotate the region $Y{2}^{\prime }$, and then derive the pixel matrices $up\_edge$ and $left\_edge$ for edge filling.

Step 5: Using $up\_edge$ and $left\_edge$, restore the pixels in the upmost and leftmost columns, as in Equation (37). Thus, the entire $Y2$ is restored.

$$\begin{array}{c}Q2(i,j,channel)=\hfill \\ \left\{\begin{array}{cc}\hfill C(i,j,channel)-up\_edge(j,channel)-⌊R(i,j,channel)\times 2^{32}⌋\mathrm{mod}F& \hfill \mathrm{for}i=0\\ \hfill C(i,j,channel)-left\_edge(i,channel)-⌊R(i,j,channel)\times 2^{32}⌋\mathrm{mod}F& \hfill \mathrm{for}j=0\end{array}\right.\hfill \end{array}$$

(37)

Step 6: Rotate $Y2$ by 180 degrees to obtain $Y1$.

Step 7: Repeat the steps from Step 1 to Step 5 to restore T.

Step 8: Referring to Section 2.2.2, the index matrix O and Q are obtained according to matrix S, and then Equation (38) is used to recover the permuted image $X3$.

$$X3\left(O2\left(i,{\pi }_i\left(j\right)\right),{\pi }_i\left(j\right)\right)=T(O{2}_{i,j},j)$$

(38)

Step 9: Repeat the steps from Step 1 to Step 8 to sequentially recover $X2$, $X1$, and the plain image P.

5. Simulation Results and Security Analysis

The comparative experimental evaluation is conducted to quantify the resilience enhancement of the proposed scheme against adversarial attacks relative to the baseline approach. Furthermore, its cryptographic security is benchmarked against contemporary encryption paradigms, including DNA-based cryptography, differential cryptanalysis, and deep learning-driven encryption frameworks.

5.1. Simulation Results

Three images are randomly downloaded from color medical image datasets and preprocessed to a size of $256\times 256\times 3$. The images are named “image_1” [29], “image_2” [30], and “image_3” [31]—with their original sources accessible via the following URLs: “image_1” from the Glaucoma Dataset (https://doi.org/10.1145/3603765.3603779 (accessed on 21 September 2025)), “image_2” from the 3D Medical Image Reconstruction Dataset (https://www.ircad.fr/research/data-sets/ (accessed on 21 September 2025)), and “image_3” from the ISIC 2024 Skin Image Archive (https://www.isic-archive.com/(accessed on 21 September 2025))—as shown in Figure 6a. These images are then processed using ILG-IES with SHA-3-EPFA added. The simulation results of Figure 6c are obtained through encryption, visually obscuring the medical information. The images after direct decryption are shown in Figure 6e, which is not significantly different from the original images. The time cost of the encryption and decryption process is shown in Table 3.

Figure 6. (a) plain images, (b) histogram of (a), (c) cipher images, (d) histogram of (c), (e) recovered images.

Table 3. Time Overhead Comparison Between LG-IES and ILG-IES.

Image Size	Scheme Type	Test Medical Image	Encryption/Decryption Time (s)
			Encryption Time (s)	Decryption Time (s)
256 × 256	LG-IES	image_1	0.38/0.53	0.42/0.53
		image_2	0.39/0.53	0.43/0.56
	ILG-IES	image_3	0.38/0.52	0.41/0.55
256 × 256 × 256	LG-IES	image_1	8.25/9.83	8.63/11.23
		image_2	8.51/8.54	8.87/9.87
	ILG-IES	image_3	8.38/8.90	8.72/9.02
512 × 512 × 512	LG-IES	image_1	18.72/22.13	19.35/23.58
		image_2	16.34/17.05	15.68/15.98
	ILG-IES	image_3	17.13/18.89	16.23/16.52

5.2. Key Sensitivity

According to Section 2.2.1, the key is defined as the initial input of the parameters for the 2D Logistic-Gaussian hyperchaotic map. In the improved scheme, the key is represented as $K=\{x_0,y_0,r_0,A_1,A_2\}$. Given that the key space in this context is $2^{256}$, the probability of an adversary successfully cracking the key through probabilistic means is exceedingly low.

To analyze the impact of minor changes in the key on the differences between two encrypted images of the same plaintext, we randomly select 1 bit from the key space of K and invert it. This process introduces a slight modification to the key parameters, leading to different chaotic sequences being generated. These modified sequences are then used to encrypt the plaintext image. We conduct 1000 independent experiments, computing the number of pixel change rate (NPCR), uniform average change intensity (UACI), and blocked average changing intensity (BACI) to measure the differences between the resulting pairs of cipher images. The average values of these metrics are presented in Table 4. NPCR, UACI, and BACI are quantitative indicators used to assess the differences between two images, and the calculation formula is shown below.

$${\displaystyle NPCR(P1,P2)=\frac{1}{MN}\sum _{i=1}^M\sum _{i=1}^N\left|\mathrm{S}ign\left(P_1(i,j)-P_2(i,j)\right)\right|\times 100\%}$$

(39)

$${\displaystyle UACI(P1,P2)=\frac{1}{MN}\sum _{i=1}^M\sum _{i=1}^N\frac{\left|(P_1(i,j)-P_2(i,j)\right|}{255-0}\times 100\%}$$

(40)

$$\begin{array}{cc}\hfill & {\displaystyle BACI(P1,P2)=\frac{1}{(M-1)(N-1)}\sum _{i=1}^{(M-1)(N-1)}\frac{1}{6}(\left|d_{i1}-d_{i2}\right|+}\hfill \\ \hfill & \left|d_{i1}-d_{i3}\right|+\left|d_{i1}-d_{i4}\right|+\left|d_{i2}-d_{i3}\right|+\left|d_{i2}-d_{i4}\right|+\left|d_{i3}-d_{i4}\right|)/255\hfill \end{array}$$

(41)

where

$$\mathrm{S}ign\left(x\right)=\left\{\begin{array}{c}1,x>0\\ 0,x=0\\ -1,x<0\end{array}\right.$$

(42)

$$D=\mathrm{a}bs(P_1-P_2),D_i=\left(\begin{array}{cc}{d}_{i1}& d_{i2}\\ d_{i3}& d_{i4}\end{array}\right)$$

(43)

The calculated average values of NPCR, UACI, and BACI are very close to their theoretical values. This indicates that the differences among the ciphertext images obtained by encrypting “image_1”, “image_2”, and “image_3” with slightly altered keys are significant. Therefore, it can be concluded that each randomly selected key from the key space is effective.

Table 4. Key sensitivity analysis results.

	NPCR		UACI		BACI
	LG-IES	ILG-IES	LG-IES	ILG-IES	LG-IES	ILG-IES
image_1	99.6740	99.6119	33.4584	33.5656	26.7960	26.8272
image_2	99.5889	99.6358	33.2972	33.4185	26.7474	26.7764
image_3	99.5453	99.6002	33.4222	33.5392	26.7254	26.8079
Ref. [32]	99.6189		33.4707		-
Ref. [33]	99.8515		33.5136		-
Ref. [34]	99.6168		33.4833		-
Ref. [35]	99.6350		33.3100		-
Theoretical value	99.6094		33.4635		26.7712

Note: All values are in percentages (%).

5.3. Plaintext Sensitivity Analysis

Plaintext sensitivity refers to the difference between two ciphertexts obtained by encrypting two plain images with slight differences using the same key. For medical images, certain details such as lesions or abnormal areas may occupy only a small portion of the image. These minor differences are often the critical information in medical images. Therefore, high plaintext sensitivity ensures that these key details are sufficiently obscured during the encryption process, preventing attackers from extracting sensitive data by analyzing local information in the encrypted images.

In this analysis, we randomly select an image from “image_1”, “image_2”, and “image_3” and denote it as P. A pixel point $(i,j)$ within P is then randomly chosen, and its value is modified to $P^{\prime }(i,j)mod256$, resulting in a slightly adjusted plain image $P^{\prime }$. This process is repeated 1000 times, encrypting separately. Each time, the NPCR between the cipher images C and $C^{\prime }$ is calculated. The final results of the improved scheme are plotted as shown in Figure 7. where it can be observed that the calculated values closely approach the ideal values $(99.6094\%$, $33.4635\%$, $26.7712\%)$. In LG-IES, the average NPCR value obtained was $99.6231\%$, whereas in the improved scheme with SHA-3-EPFA added, the NPCR value reached $99.6318\%$. This demonstrates that when encrypting with LG-IES enhanced by SHA-3—EPFA, two plaintext images differing by only one bit will produce significantly different ciphertext images. In addition, compared with the original scheme, the algorithm exhibits higher sensitivity to plaintext, possessing excellent differential resistance, which ensures sufficient confidentiality and privacy for color medical images.

Figure 7. Plaintext sensitivity analysis.

5.4. Histogram Analysis

When the histogram of a ciphertext image displays a uniform distribution of pixel values or a high degree of mixing, it indicates that the encryption algorithm possesses enhanced security, making statistical attacks more challenging. As shown in Figure 6, the histograms of each channel in the images encrypted using the improved scheme exhibit a uniform distribution. This demonstrates that the enhanced encryption algorithm effectively conceals the image information.

The ${\chi }^2$ distribution is defined as follows:

$${\displaystyle {\chi }^2=\sum _{i=0}^{255}\frac{{(f_i-g)}^2}{g}}$$

(44)

where $g=MN/256$, $f_i$ is the observed pixel proportion of each gray level.

We further compare the balance of the ciphertext histograms between the original and improved schemes. A smaller ${\chi }^2$ indicates a more balanced histogram, and for grayscale images with a grayscale level of 256, the chi-square is 293 at the common significance level $\alpha =0.05$. Table 5 lists the chi-square results of different channels and the same type of scheme. The chi-square values of the improved scheme are slightly lower than those of the original scheme and are generally below the threshold. This implies that the null hypothesis of histogram uniformity cannot be rejected at a significance level of 0.05. The addition of SHA-3-EPFA encryption results in more balanced histograms.

Table 5. Each channel chi-square test for histogram analysis.

	R		G		B
	LG-IES	ILG-IES	LG-IES	ILG-IES	LG-IES	ILG-IES
image_1	254.34	272.12	29.81	284.00	222.12	263,14
image_2	274.55	255.32	274.06	238.30	251.64	242.45
image_3	236.32	218.99	270.45	233.89	261.43	228.01
Ref. [32]	275.23
Ref. [33]	258.00
Ref. [34]	275.00
Ref. [35]	250.33

5.5. Correlation Analysis

Ordinary image pixels are usually highly correlated, and one pixel will often reveal the information of surrounding pixels, which can be used by the opponent to predict the plain image. Therefore, the goal of the encryption algorithm is to reduce this correlation as much as possible. To quantify the linear correlation between pixels, Pearson correlation coefficients [36] are calculated using 5000 randomly selected pixels from each channel. The equation for correlation is as follows:

$$r_{xy}={\displaystyle \frac{\mathrm{cov}(x,y)}{\sqrt{D\left(x\right)}\sqrt{D\left(y\right)}}}$$

(45)

where

$$E\left(x\right)=\frac{1}{N}{\sum }_{i=1}^N{x}_i$$

(46)

$$D\left(x\right)=\frac{1}{N}{\sum }_{i=1}^N{\left(x_i-E\left(x\right)\right)}^2$$

(47)

$$\mathrm{cov}(x,y)=\frac{1}{N}{\sum }_{i=1}^N\left(x_i-E\left(x\right)\right)\left(y_i-E\left(y\right)\right)$$

(48)

$x_i$ and $y_i$ denote the gray value of the pixel pair, $N=5000$ is the number of selected pixel pairs.

Figure 8a–c present scatter plots of the three plain images in horizontal, vertical, and diagonal directions, while Figure 8d–f illustrate the correlation in their corresponding encrypted images. Table 6 is the correlation calculation result of “image_1”, where H, V, and D represent horizontal, vertical, and diagonal directions, respectively. In the ciphertext image, the adjacent pixels in various directions are dispersed across the matrix area, with their correlation approaching 0 and outperforming the original scheme. This indicates that the proposed cryptosystem can effectively remove the strong correlation between adjacent pixels of the plain image.

Figure 8. Correlation of plain images and cipher images in horizontal, vertical, and diagonal directions, respectively.

Table 6. Correlation analysis.

		Image_1	LG-IES	ILG-IES	Ref. [32]	Ref. [33]	Ref. [37]	Ref. [35]
R	H	0.9868	−0.0026	0.0014	0.0044	0.0134	−0.0018	0.0012
	V	0.9747	−0.0093	−0.0023	−0.0022	−0.0122	0.0043	0.0021
	D	0.9899	−0.0236	0.0018	0.0029	−0.0009	0.0007	0.0015
G	H	0.9765	−0.0027	0.0016	0.0027	0.0100	−0.0003	−0.0014
	V	0.9732	−0.0052	−0.0033	−0.0033	−0.0002	0.0013	0.0015
	D	0.9787	0.0169	−0.0036	0.0002	0.0128	0.0017	0.0021
B	H	0.9848	−0.0053	−0.0049	0.0008	0.0019	−0.0023	−0.0013
	V	0.9788	−0.0089	−0.0018	−0.0010	−0.0107	−0.0004	0.0003
	D	0.9821	−0.0199	0.0023	0.0031	−0.0098	−0.0010	0.0017

5.6. Entropy Analysis

The information entropy of an image reflects the uncertainty of the image information, and the calculation formula is as follows:

$${\displaystyle H=-\sum _{i=0}^{L}p\left(i\right){log}_{2}p\left(i\right)}$$

(49)

where L is the number of grayscale levels of the image, and $p\left(i\right)$ represents the probability of occurrence of grayscale value i.

Calculate the gray entropy of the plaintext “image_1”, “image_2”, “image_3” and the cipher images before and after the improved cryptosystem. The results are shown in Table 7. The entropy value of the encrypted images is very close to the entropy value of a randomly generated color image of the same size, which is measured to be $7.62825$. The improved encryption scheme can make the information entropy of the image close to the ideal value; therefore, the algorithm maintains high security and confidentiality.

Table 7. Entropy analysis.

	Image_1		Image_2		Image_3		Ref. [32]	Ref. [33]	Ref. [34]	Ref. [37]	Ref. [35]
	LG-IES	ILG-IES	LG-IES	ILG-IES	LG-IES	ILG-IES
R	7.9973	7.9975	7.9969	7.9969	7.9971	7.9972	7.9971	7.9971	7.9970	7.9959	7.9896
G	7.9971	7.9973	7.9971	7.9976	7.9970	7.9973	7.9972	7.9970	7.9978	7.9951	7.9996
B	7.9969	7.9976	7.9980	7.9974	7.9970	7.9968	7.9972	7.9970	7.9987	7.9957	7.9996

5.7. Noise and Cropping Attacks

Color medical images often contain important diagnostic information, such as the color and edge details of the lesion. The addition of noise may interfere with these details and thus affect the doctor’s diagnosis. If the encryption algorithm cannot maintain the key features of the decrypted image under noise attack, the application of the algorithm in the medical field may not be robust enough. The experiment introduces 1%, 3%, 5%, and 10% salt and pepper noise to the encrypted “image_1”, creating noisy versions as illustrated in Figure 9a–d. These noisy images are then decrypted, producing four corresponding distorted images shown in Figure 9e–h.

Figure 9. Simulation results of noise attacks. (a–d) encrypted “image_1”, respectively, add 1%, 2%, 3%, and 5% of salt and pepper noise; (e–h) the corresponding decrypted images.

Cropping attacks destroy parts of these areas, causing the decrypted image to lose important information. Evaluating the performance of the encryption algorithm under cropping attacks can ensure that even if part of the image information is lost, as much diagnostic information as possible is retained after decryption, or the missing part of the information is clearly marked. The experiment randomly selects any $100\times 100$ positions of the encrypted “image_1” for cropping attacks, as shown in Figure 10a–d, and decrypts them to obtain the distorted images as shown in Figure 10e–h.

Figure 10. Simulation results of cropping attacks. (a–d) randomly crop $100\times 100$ size of the encrypted “image_1”, (e–h) the corresponding decrypted images.

Apparently, after noise and cropping attacks, despite some loss of information or anomalies, the scheme can still decrypt the cryptographic images affected by partial (important) data destruction into globally visible images. Color images show better robustness when subjected to external interference, and can well prevent critical medical information from being recovered and leaked by unauthorized visitors.

5.8. Attacks Resistance Analysis

To evaluate the security of the proposed scheme, the same CPA and differential analysis methods as the original scheme were employed. We constructed two specific images: an all-zero image and an image where only one pixel is set to 1 while all others are set to 0. These images were encrypted separately, and then the difference between them was calculated. Figure 11a shows the difference image obtained using the original scheme, while Figure 11b shows the difference image obtained using our scheme. Our scheme not only overcomes the occurrence of a large number of zero pixels at the edges, eliminating discernible patterns, but also further achieves inter-channel fusion, thereby increasing the ciphertext complexity. Based on this, the complexity of attacks on the cipher image is $2^{1572864}$, equivalent to a brute-force attack. Thus, it can effectively resist the attacks proposed in the cryptanalysis of this paper. Table 8 compares the resistance of the proposed scheme and other schemes to various attacks. It can be seen that SHA-3-EPFA can resist a variety of attacks and has good robustness in the same type of advanced schemes.

Figure 11. Contrast resistance attacks.

Table 8. Attacks on various schemes.

	Chosen-Plaintext Attack	Chosen-Ciphertext Attack	Ciphertext-Only Attack	Known-Plaintext Attack	Differential Attack
SHA-3-EPFA	√	-	-	√	√
Ref. [32]	√	√	-	-	-
Ref. [33]	-	-	-	-	√
Ref. [34]	√	-	-	√	√
Ref. [37]	-	-	-	-	-
Ref. [35]	√	-	-	√	√

6. Conclusions

In this paper, a chaotic image cipher based on algebraic operations is analyzed. We prove that there are some vulnerabilities in this cryptosystem, and we can partially crack the chaotic matrices by constructing special images and establishing linear equations to reduce the secret key space. In addition, in view of the reversibility of the permutation process and the edge correlation and linear features of diffusion, we also propose a three-dimensional image rotation based on SHA-3 that implements an edge-pixel filling algorithm. The experimental results and security analysis show that the improved cryptosystem has good robustness and security while resisting the chosen-plaintext attack.

The proposed SHA-3-EPFA not only enhances the security performance of the original scheme, resisting CPA, KPA, and DC attacks, but it can also be embedded as an independent module into most permutation-diffusion-based encryption models for pixel position perturbation in future work. This is particularly effective for multi-channel images, such as color images, breaking the limitation of traditional encryption methods that only confuse pixels within individual channels. It enables pixel interaction between channels, allowing the encryption algorithm to achieve overall integrity and transferability with relatively low computational overhead.