Cryptanalysis and Improved Image Encryption Scheme Using Elliptic Curve and Afﬁne Hill Cipher

: In the present era of digital communication, secure data transfer is a challenging task in the case of open networks. Low-key-strength encryption techniques incur enormous security threats. Therefore, efﬁcient cryptosystems are highly necessary for the fast and secure transmission of multimedia data. In this article, cryptanalysis is performed on an existing encryption scheme designed using elliptic curve cryptography (ECC) and a Hill cipher. The work shows that the scheme is vulnerable to brute force attacks and lacks both Shannon’s primitive operations of cryptography and Kerckchoff’s principle. To circumvent these limitations, an efﬁcient modiﬁcation to the existing scheme is proposed using an afﬁne Hill cipher in combination with ECC and a 3D chaotic map. The efﬁciency of the modiﬁed scheme is demonstrated through experimental results and numerical simulations.


Introduction
Modern day technology is highly interlinked with digital communication over the internet, however, the privacy of data during transmission is a highly important issue. For instance, when using multimedia for e-business, military organization, medical purposes, education, meteorology, space organization, etc., privacy and security are of the utmost interest [1]. Thus, due to the immense threat posed by hackers and hacking tools, there is an ongoing need for efficient cryptographic techniques to protect sensitive information provided over open network channels. In response to this need, a number of symmetric and asymmetric cryptographic techniques are in use to safeguard sensitive information. ECC is one of the newest and most popular asymmetric approaches used to support encryption techniques. The primary advantage of ECC lies in the fact that it is hard to solve the underlying elliptic curve discrete logarithm problem (ECDLP). Furthermore, owing to its shorter key length, ECC systems are more demanding and widely applicable. It is imperative to mention that the RSA system provides security with a 1024-3072 bit-length key, whereas ECC provides the same security with only a 160-256 bit-length key [2]. ECC has gained a respectable status among cryptographic researchers due to its low memory use, bandwidth savings, and lower power consumption in hardware implementations [3][4][5]. Digital images need to be securely transferred over communication channels while considering a reliable encryption scheme. Despite several advantages of ECC in image encryption, several issues must be considered before designing a cryptosystem, viz. key size, key space, and the chosen elliptic curve. The primary focus of encryption schemes is to enhance key strength in order to resist an exhaustive key search attack. If proper attention is paid when choosing elliptic curves, then the best known attacks are considerably weaker against solving ECDLP compared to the best algorithms for solving the discrete logarithm problem [6].
Recently, Dawahdeh et al. [7] proposed an encryption scheme combining the elliptic curve and Hill cipher techniques. This scheme is mainly intended to protect image data while ensuring fast transmission of highly correlated multimedia data. The idea underlying the said scheme is to change the Hill cipher technique from symmetric to asymmetric using the generated parameters of ECC to develop the secret key. However, there is a serious loophole in the existing scheme in the form of secret keys, which makes it vulnerable to brute force attacks.
The use of ECC in combination with other symmetric techniques has been widely used in image and text encryption schemes [2,[8][9][10][11][12][13]. In [8], the authors presented an efficient cryptosystem using an elliptic curve over finite rings in combination with S-boxes. The scheme in [12] proposed text encryption that could encrypt any script with defined ASCII values by making use of elliptic curves. Moreover, in [9] the authors made use of elliptic curves to simultaneously encrypt and compress multimedia data. On the other side, for instance, in Khoirom et al. [14], used cryptanalysis against the scheme in [9] to expose the secret key from the public key. Furthermore, Abd El-Latif et al. [10] presented an algorithm using a chaotic map and the elliptic curve which, while it seemed difficult to hack due to the complex structure of key generators, was broken through cryptanalysis by Hong et al. [15]. In this paper, cryptanalysis of the scheme proposed in [7] is carried out, revealing that the strength of the secret key can be easily broken through an exhaustive key search. Due to the linearity of the Hill cipher, it is vulnerable against smaller key spaces. Furthermore, the same weaker secret key is used to generated the self-invertible matrix, and is used for both encryption and decryption.
In this work, we examine the security of the scheme in [7] and develop a corresponding efficient and improved version for greater security of image data. Keeping in mind that ECC and affine Hill ciphers are popular encryption techniques that can provide better performance and higher levels of security, we revamp the existing scheme by replacing the Hill cipher by an affine Hill cipher in the key domain of SL m (F p ) and M m (F p ). Furthermore, the confusion and diffusion architecture of the scheme is covered via a 3D Arnold map using ECC and bit-wise XOR operations. In addition, the chaotic behavior of this novel scheme makes it more efficient, unpredictable, and strong in resisting illicit hackers [16,17]. Thus, systems modified with chaotic maps shows more efficacy than the normal symmetric and asymmetric systems. It is appropriate to mention that higher-dimensional chaotic maps are known for their high quality of encryption. In this direction, a combination of a private and a public technique is used to design a secure algorithm for image encryption in the presence of higher-dimensional chaotic maps [18]. The numerical outcomes demonstrate the efficiency and stalwartness of the proposed scheme. Furthermore, detailed comparisons with existing schemes [7,9,10,13,19,20] serve to validate the higher efficiency and security of the proposed scheme.
The outline of the article is as follows: Section 2 presents the basic mathematical theories involved; Section 3 highlights the encryption scheme of the cryptosystem [7]; in Section 4, the cryptanalysis of the scheme [7] and its improvement are explained; and Section 5 presents a demonstration of the improved version. Finally, experimental analysis is carried out in Section 6, detailed numerical simulations are presented in Section 7, and the conclusions of the work are presented in Section 8.

Mathematical Concept Of Elliptical Curves
Let q > 3 be a prime number, and let F q be a field of integers modulo q. The elliptic curve E is an algebraic curve defined as the set of all pairs (x, y) ∈ F q × F q satisfying Equation (1), defined as follows: with an imaginary point at infinity denoted by O, where, a, b ∈ F q such that 4a 3 + 27b 2 ≡ 0 (mod q). The discriminant condition indicates that the curve is non-singular, that is, it has no self-intersections or vertices. The set of all the points on the curve forms a finite Abelian group with O as an identity element. The elliptic curve over some finite field F q is denoted by E q (a, b) and is a special type of polynomial equation [2,6]. Elliptic curve operations such as point addition, point doubling, and point multiplication are discussed in [7], and examples of elliptic curves over R are shown in Figure 1. Elliptic Curve Diffie-Hellman Key Exchange (ECDH) is an advanced analogy to Diffie-Hellman Key Exchange. In the modified proposed algorithm, the secret keys of a 3D Arnold map are shared through an ECDH scheme. The representation of key exchange can be performed similarly to the Diffie-Hellman protocol, and it is a relatively difficult task to find a suitable elliptical curve. The curve should satisfy certain conditions, as discussed above, in order achieve good security. The exchange of the key parameters between user A and user B can be achieved using the following steps ((i)-(v)): Public element: Select an elliptic curve E q (a, b) with the parameters a, b ∈ F q , with q a large prime of at least 160-bit length and a generator point G of order r, i.e., rG = O on the elliptic curve. (ii) User A Generate: Select a random private key η A ∈ [1, q − 1] and calculate P A = η A G (iii) User B Generate: Select a random private key η B ∈ [1, q − 1] and calculate P B = η B G (iv) User A calculate secret key: User B calculate secret key:

Affine Hill Cipher
An affine Hill cipher is a classical symmetric cipher suitable for encryption schemes, and is defined as follows: AX + B, here A ∈ SL m (F p ) and B ∈ M m (F p ), are the secret key parameters of the same size as the generated blocks of X. The key elements of an affine Hill cipher are chosen from SL m (F p ), called a special linear group of matrices over some finite field F p , while M m (F p ) is called a group of matrices over some finite field F p of order m, and is used to provide a larger key space. Mathematically, SL m (F p ) is a subgroup of a general linear group of matrices GL m (F p ), and is defined in Equation (2): with cardinality equal to Furthermore, the group of matrices over some finite field F p is defined in Equation (3): with cardinality equal to |M m (F p )| = p m 2 .
The affine Hill cipher for block matrices of order m × m is defined in Equation (4): where, S m×m ∈ SL m (F p ) and M m×m ∈ M m (F p ) are the two key parameters, B m×m is the original data block, and E m×m is the encrypted block.

The 3-D Arnold Map
The chaos 3D Arnold transform defined in Equation (5) is used by extending the classical 2D Arnold transform defined in Equation (6) [21]: where, (x , y , z ) are modified values and the parameters a 1 , a 2 , a 3 and a 4 are chosen from the curve E p (a, b). The 3D Arnold map is chaotic in nature, and is one of the finest members of the higher-dimensional chaotic maps used for the scrambling process [22]. In this approach, dual encryption by Arnold transform is achieved by permutation and substitution. The transform is simplified, as defined in Equation (7): where, n is the image size, m represents the gray levels, and z is a one-dimensional array of length n used to further enhance the diffusion using bit-wise XOR operation.

Scheme Proposed by Dawahdeh et al. [7]
The scheme in [7] presents a cryptosystem designed through the ECC and Hill cipher technique. The secret key for a Hill cipher is obtained from ECC, and later an involuturay matrix is generated from the shared key to be used for both encryption and decryption [23]. Before encryption, both parties should agree on the elliptic curve parameters {q, a, b, G}, where, G is one of the generating points of the curve. The sender and receiver choose their private keys η A , η B from the domain [1, q − 1], and can generate their corresponding public keys P A = η A G and P B = η B G over E q (a, b), respectively. The encryption scheme in [7] is described through Algorithms 1 and 2.
Algorithm 1: Elliptic curve key generation over some E q (a, b).

Cryptanalysis and Improvement
Cryptanalysis is the breakdown of codes through different cryptanalytic attacks. The hardness of ECC lies in ECDLP, as solving such an algorithm is computationally infeasible. The authors convert the Hill cipher technique from symmetric to asymmetric in order to operate the scheme using a shared secret key. The scheme in [7] suggests large primes for higher security of the shared key (x, y) over E q (a, b). The ordered pairs xG = (x 1 , y 1 ) and yG = (x 2 , y 2 ) are generated over E q (a, b) to form the key matrix K m , which is vulnerable and could be collapsed by a brute force attack.

Brute Force Attack on the Scheme in [7]
A brute force attack is a classical cryptanalysis approach which tests all the possible sets of keys by treating the encryption method as a black box [6]. The security of the scheme in [7] lies in xG and yG. Because Equation (8) As K m is generated from K and P i is the plain text block, this implies that it is only necessary to to find x i , y i ; i = 1, 2 under modulo 256. Because each parameter is eight bits, a total possible choice to find through exhaustive key search is of length 2 32 , i.e., only 4,294,967,296 matrices of order 2, which is vulnerable to brute force attacks through modern high-speed technology. To resist such a brute force attack, the key space of the image encryption scheme should be larger than 2 128 [24,25]. Thus, the brute force attack can successfully estimate 56-64 bit length within a few hours or a day [6]. Even the COPA-COBANA (Cost-Optimized Parallel Code Breaker) machine can break such an algorithm in less than a day, and its computational power is up to 64 bits [26]. Jack, in [27], breaks down the Hill cipher for n = 2 with an IBM 650 machine, and finds it impractical and highly complex for higher values of n. The same is the case here; the only unknowns are x i , y i ; i = 1, 2 under modulo 256 of bit length 2 32 , and no confusion of pixel values is present, thus, such a system can possibly hacked or collapsed through contemporary high-speed technology.

Improvement
The limitations of the scheme are that it lacks the confusion property and smaller key space. Thus, the scheme can be upgraded to include the confusion and diffusion properties with an enlarged key space in order to fill the accessible gap of the extant scheme [7].
A modified and improved version of the existing scheme is presented using ECC and an affine Hill cipher in a chaotic environment to adjust the major limitations of the scheme in [7]. To extend the key space, a group of involuntary matrices are replaced by a SL m (F p ) and M m (F p ) domain over some finite field F p to achieve a higher level of diffusion in the scheme. Furthermore, a chaos map is employed in the scheme to scramble all the positions of the image by choosing the key parameters from the public domain E q (a, b).

Proposed Methodology of the Improved Scheme
An improved encryption scheme is proposed to secure communication of images over public channels. In this scheme, 4 × 4 blocks are generated from the original image matrix and then diffused by an affine Hill cipher using the key matrices chosen from SL m (F p ) and M m (F p ), where, m = 4 and p are a prime number of at least 8 bits in length. Furthermore, the key parameters for the chaotic map are generated from the chosen elliptic curve E q (a, b) over some finite field F q to scramble the position of pixels, and over the scrambled values a bit-wise XOR operation is performed with the generated Arnold map sequence, as discussed in Algorithm 3.
After segregation of color planes {I r , I g , I b } from plain image.
for i ← 1:length(i) do B j M ← Mul_block(I i r,g,b ,k 1 ); // Multiplication of each block with key k 1 end 4.
for i ← 1:length(i) do B i A ← Add_block(B j M , k 2 ); // Addition of each block with key k 2 end 5.
B j ← Merge_block(B i A ) // Concatenate the image blocks back to original size 6.

Experimental Results
The results described in this section were obtained in Matlab 2020a with a Core-i3 supporting environment with 4 GB RAM on a Windows 7 system. The images were chosen from USC-SIPI databases. The experimental results are shown in Figures 2-4.

Key Space Analysis
The key space is the set of all possible choices that can be used to encrypt an image. Thus, schemes with a larger key space support greater robustness against exhaustive key search attacks. In the proposed scheme, factors supporting the key space are the elements of SL m (F p ), M m (F p ), and the parameters of the Arnold map shared through ECC. The total for the key space is summarized below: • The choices for SL m (F p ) during the encryption process are defined as follows: • M m (F p ) works as an additive key element in the affine Hill cipher, with possible choices p m 2 . • The publicly shared parameters for the Arnold map through ECC can be reduced up to 256 4 choices.
Thus, the size of generalised key space is defined by Equation (10): The keyspace defined in Equation (10) is strong enough against brute force attacks. For experimental results, we have chosen m = 4 and p = 223, for an approximate key space of 10 82 = 2 272 , which is large enough to resist brute force attacks. Thus, the scheme is be appropriate for secure communication purposes.

Key Sensitivity
After achieving confusion and diffusion in a scheme, the sensitivity of keys is necessary to check the security of an algorithm. In this scheme, the sensitivity of an algorithm is checked in the worst-case scenario when parameters are 99% known with a bit change in key parameters. The sensitivity results for different cases of the algorithm are shown in Figures 5 and 6, and are sufficient to support the sensitivity of the algorithm. The change in 3D Arnold key parameters at both stages of confusion through shuffling and the diffusion through XOR operation are shown in Figures 5c,d and 6c

Histogram Analysis
A histogram analysis is a graphical representation between pixel values and the intensity values of the data to present the frequency distribution information. A secure and good encryption scheme produces the evenly distributed data of the cipher images. The results of the test images are shown in Figures 7-11. The distribution plot of the cipher images shows a uniform distribution, implying that the encrypted data are secure and that such an algorithm cannot leak information to outsiders. Now, the uniformity of the data through the chi-square test can be ensured using Equation (11): where, O k and E k = mn 256 are the observed and expected frequency, respectively, of an image with size mn. At significance level α = 1% and α = 5% with 255 degrees of freedom, the critical chi-square values to pass the hypothesis uniformity are χ 2 (0.01,255) = 310.4574 and χ 2 (0.05,255) = 293.2478, respectively. Table 1 shows the chi-square values on a set of images at significance levels of 1% and 5%.

Correlation Analysis
Correlation refers to the relationship between adjacent pixels. Thus, in plain images a strong correlation among the pixels is found with a dense correlation graph, while in cipher images a low correlation among the adjacent pixels with an evenly distributed graph is found. The correlation for input and cipher images in the horizontal (H), vertical (V) and diagonal (D) directions is presented in Figure 12.
Furthermore, the correlation graphs of the images and their corresponding cipher images in different directions are shown in Figure 12. From Figure 12, it can be seen that the correlation graph of cipher images is uniformly distributed throughout the domain, with an ideal value of correlation coefficient in all directions shown in Tables 2 and 3. The equation used to calculate the correlation coefficient value is taken as given in Equation (12). where, and where, N is number of pixels, E(x) is the expectation, and D(x) is the variance.

Quality Measure
The parameters used to measure the quality between plain images and cipher images are as follows [19].

Mean Square Error (MSE)
The MSE is calculated between the input and the output image using Equation (15). The results shown in Table 4 support the robustness of the proposed algorithm: where, I p and I c are the input and output image, respectively, of size N M.

Peak Signal to Noise Ratio (PSNR)
PSNR is a quality measure between input and output images using Equation (16). A good level of encryption is identified when PSNR is less than 10 db. The calculated test values of PSNR are demonstrated in Table 4: where, n is the bits per pixel and MSE is as defined in Equation (15).

Structural Similarity Index (SSIM)
The SSIM is a measure of the input and output image that checks the quality of the encryption algorithm. The SSIM values should be approximate to zero for the output images for a secure algorithm, and can be calculated using Equation (17), defined below: where, σ pc , (µ p , µ c ), and (σ p , σ c ) are the covariance, mean, and standard deviation of the plain and cipher images, respectively. Moreover, c and c are the variables to be stabilized.
The experimental values are provided in Table 4, and are close to the ideal value of zero.

Differential Attack Analysis
A differential attack is a type of cryptanalysis used to analyze secret keys through different cipher images. In this approach, a small modification is carried out on the pixel intensity values of the original images to attempt to find the difference between the corresponding cipher images in order to observe the relationship between the plain and cipher images. The differential measurements used to find the resilience of the system through the number of the pixel change rate (NPCR) and unified average changing intensity (UACI) are defined in Equations (18) and (19): where, T is the total size of the image, C 1 and C 2 are cipher images differing by a single pixel value, and D(i, j) is defined as For analysis, the computed results are provided in Table 5 and compared in Table 6.

Shannon's Entropy Analysis
The Shannon's entropy is proportional to the measure of uncertainty. The ideal entropy value of random data is 8 [28]. Thus, an efficient encryption scheme has an entropy value that approximates the ideal value and is uniform with the gray values of the image. In Table 7, entropy values are shown for different images as calculated by Equation (20): where, p(m i ) is the probability of source m i . Table 7 and Figure 13 show the calculated entropy values of the input and output images; the values approximate the ideal value, which is a strong indication of the randomness and security of the data. Thus, the improved version of the scheme achieves a perfect level of permutation to secure the secret information. Furthermore, Tables 8 and 9 compare the entropy results with existing several schemes, and the results justify the security of the proposed scheme against entropy attacks.

Noise Attacks
Due to effects from the transmission channels, the data may be affected by noise signals.
To check the effect of noise on the sensitivity of information, different noise effects on the data can be used to check the resistance of the algorithm against noise attacks. A number of noise techniques are available to check this, such as salt and pepper and Gaussian noise in different proportions. Thus, Figures 14 and 15 show the noise-affected images by salt and pepper and Gaussian noise in a visible form, respectively. It can be seen in Table 10 and Figure 15 that maximum information can be retrieved, which is a good indication of the scheme's performance.

Occlusion Attack
The durability of the system was checked against data loss through malicious destruction or deliberate attempts to damage image integrity. Occlusion attack analysis checks the recovery rate of damaged data. Thus, the encrypted baboon.jpeg image was subjected to different portions of data loss to check the data recovery rate . Figures 16a-d  The quality measures for checking the recovery rate of the affected images are provided in Table 10 and Figure 17. The results indicate that the images can be visualized, and are able to be successfully recovered against such attacks.

Conclusions
In the present paper, a serious loophole in the grayscale image encryption scheme proposed in [7] based on ECC and a Hill cipher is highlighted. The performed analysis demonstrates that the existing scheme is vulnerable and can be collapsed by a brute force attack. The competence of the scheme is in its 32-bit key length, which can be hacked using contemporary technology. To circumvent these limitations, a modified and improved version of the scheme is proposed using the classical affine Hill cipher in combination with ECC and a chaotic map for color images. The numerical and statistical results presented in Tables 5-9, the uniformity of the histogram in Figure 9, and the uniform distribution of the adjacent pixels in Figure 12 in the cipher images are enough to infer the reliability of the newly proposed method. Nevertheless, the present article lays the foundations for future work on mapping the pixel values onto E q (a, b) to remove the maximum use limitation of ECDLP, and the scheme could potentially be optimized for text encryption.