Cryptanalysis of symmetric key image encryption using chaotic Rossler system

Optik 135 (2017) 200–209

Contents lists available at ScienceDirect

Optik journal homepage: www.elsevier.de/ijleo

Original research article

Cryptanalysis of symmetric key image encryption using chaotic Rossler system Dolendro Singh Laiphrakpam ∗ , Manglem Singh Khumanthem Department of Computer Science and Engineering, National Institute of Technology, Manipur 795001, India

a r t i c l e

i n f o

Article history: Received 16 September 2016 Received in revised form 2 December 2016 Accepted 24 January 2017 Keywords: Symmetric key cryptography Image encryption Rossler chaotic system Cryptanalysis

a b s t r a c t The paper cryptanalyses the symmetric key image encryption scheme proposed by Mrinal et al. [1]. The encryption scheme proposed by Mrinal et al. uses Rossler chaotic system for generating three chaotic sequences which are used for creating the cipher image. A secret key of 128 bits is used to generate the initial conditions for the Rossler chaotic system. The equations used for generating the initial conditions in Mrinal et al. encryption scheme have got a loophole. The loophole is utilized to carry out the cryptanalysis on the cipher image generated using Mrinal et al. encryption scheme. Simulation results show that the encryption scheme can be easily cryptanalysed to revealed the exact plain image. An improved version is proposed with statistical and security analyses to ascertain the practicability of the encryption scheme. © 2017 Elsevier GmbH. All rights reserved.

1. Introduction With the improvement in technology, multimedia data are easily transferred and shared. To avoid unauthorized access to the data sent across the insecure network, the data are converted to unintelligible data using cryptographic scheme. The chaotic systems are increasingly used in cryptographic operation as they are very sensitive to the initial condition and got a random looking long period. Various authors have used chaotic system for image encryption operation [2–6]. Many of the encryption schemes that use the chaotic system without rigorous security analyses have been cryptanalysed. Ozkaynak et al. [7] cryptanalysed the chaos-based encryption scheme proposed by Zhu [8] using chosen-plaintext attack and all the secret parameters are revealed. Tu et al. [9] cryptanalysed an image encryption scheme proposed [10] based on Logistic map. The cryptanalysis was performed using chosen-plaintext attack and other flaws associated with the differential attack are also pointed out where Number of pixels change rate (NPCR) was found to be low for minimally different plain images input. Improvement of the encryption scheme was also suggested to avoid the chosen-plaintext attack. Akhavan et al. [11] cryptanalysed an image encryption scheme proposed by Eslami et al. [12] based on total shuffling using chosenplaintext attack. The shuffling map used was also recovered with a limited number of chosen-plain images. El-Latif et al. [13] cryptanalysed an image encryption scheme proposed in [14]. In this paper, Mrinal et al. [1] encryption scheme is cryptanalysed and an improve version is also suggested.

∗ Corresponding author. E-mail address: [email protected] (D.S. Laiphrakpam). http://dx.doi.org/10.1016/j.ijleo.2017.01.062 0030-4026/© 2017 Elsevier GmbH. All rights reserved.

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

201

Fig. 1. Chaotic attractor of the Rossler system.

2. Mrinal et al. symmetric encryption scheme The symmetric encryption scheme proposed by Mrinal et al. uses Rossler chaotic system [15] for generating three chaotic sequences. Rossler equation is given as: dx = −y − z dt

(1)

dy = x + ay dt

(2)

dz = b + z(x − c) dt

(3)

where a = b = 0.2, c = 5.7 and {x0 , y0 , z0 } = initial condition. Plot of chaotic sequence generated using Rossler system is shown in Fig. 1. 2.1. Mrinal et al. encryption algorithm 1. Initial conditions for Rossler system is obtained using the secret 128 bits key as:



x0 = mod

K16 ×

 y0 = mod

K16 ×

 z0 = mod

K16 ×

5 



i

mod(Ki × 10 , 1), 1

i=1 5 

 mod(Ki+5 × 10

i+5

, 1), 1

i=1 5 

(4)

(5)

 mod(Ki+10 × 10

i+10

, 1), 1

(6)

i=1

2. Using the Rossler system with initial conditions obtained from Step 1, a = b = 0.2 and c = 5.7 three chaotic sequences xi = {x1 , x2 , . . ., xk }, yi = {y1 , y2 , . . ., yk } and zi = {z1 , z2 , . . ., zk } are generated, where k = M × N and M and N are the dimensions of the plain image. 3. Convert the chaotic sequence xi , yi , zi into two-dimensional arrays as x(i,j) , y(i,j) , z(i,j) respectively. 4. Convert values in x(i,j) , y(i,j) , z(i,j) to byte value in the range of 0 (zero) and 255 by using mod operation as: x(i,j) = mod(x(i,j) × 10000, 256)

(7)

y(i,j) = mod(y(i,j) × 10000, 256)

(8)

z(i,j) = mod(z(i,j) × 10000, 256)

(9)

202

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

Fig. 2. Mrinal et al. [1] encryption process.

5. Perform bit-wise XOR operation between the plain image pixel values I(i,j) and the chaotic sequence x(i,j) to generate a chaotic image EI. EI (i,j) = I(i,j) ⊕ x(i,j)

(10)

6. Using the chaotic sequences y(i,j) and z(i,j) , perform bit-wise XOR operation to generate a new chaotic sequence yz(i,j) . yz (i,j) = y(i,j) ⊕ z(i,j)

(11)

Shuffle the pixel values in EI(i,j) using yz(i,j) to get the cipher image CI. Shuffling operation in explained in Section 2.2. Pictorial representation of Mrinal et al. encryption algorithm is shown in Fig. 2. 2.2. Shuffling operation Fig. 3 shows the various steps involved in shuffling operation. For simplicity consider matrix A of size 5 × 5 represent chaotic sequence yz(i,j) and matrix D of size 5 × 5 represent EI(i,j) . Sort matrix A in ascending order to get matrix B. Matrix C represents the position matrix of elements in B(i,j) with respect to position in matrix A. Using matrix C, the elements in matrix D are shuffled row-wise to generate matrix E. The pixel values in matrix E are shuffled column-wise using elements from matrix C to generate matrix F. 2.3. Mrinal et al. decryption algorithm Perform Steps 1–4 as performed during encryption operation. Generate yz(i,j) for shuffling operation. Sort yz(i,j) in ascending order to get matrix B. Get the position matrix C using yz(i,j) and B. The pixel values in cipher image CI are shuffled back to EI using position matrix C in reverse way to that of encryption operation. Perform bit-wise XOR operation between EI(i,j) and x(i,j) to get the plain image. 3. Cryptanalysis of Mrinal et al. symmetric image encryption scheme The encryption scheme proposed by Mrinal et al. [1] suffers from a major loophole. As given in Step 1 of encryption algorithm proposed by Mrinal et al., the initial conditions for x0 , y0 and z0 are all operated with mod 1(one). So, for any key K, the initial conditions x0 , y0 and z0 will always be 0(zero). The intermediate cipher image EI is obtained by bit-wise XOR operation of chaotic sequence x(i,j) with the pixel values of the plain image. The position matrix C is generated using the chaotic sequences yi and zi . The intermediate cipher image EI is shuffled along row wise and column wise using position matrix C to produce the cipher image CI.

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

203

Fig. 3. (a) Sample elements of yz(i,j) , (b) sorted elements of yz(i,j) row-wise in ascending order, (c) position matrix, (d) sample elements of EI(i,j) , (e) row-wise shuffled matrix D using matrix C and (f) column-wise shuffled matrix E using matrix C.

An adversary can easily generate the chaotic sequences xi , yi and zi using the initial conditions as 0(zero), a = b = 0.2 and c = 5.7. The position matrix C can be derived from yi and zi . So, for any plain image encrypted using Mrinal et al. encryption scheme, the cipher image CI can be rearranged to intermediate cipher image EI using matrix C. The exact plain image can be revealed by bit-wise XOR operation of intermediate cipher image EI with chaotic sequence x(i,j) . 4. Simulation of cryptanalysis operation The simulation was performed on an intel core i7 2.20 GHz laptop using Mathematica 10. The sample images are obtained from [16]. Fig. 4(a) and (d) shows two plain images. Fig. 4(b) and (e) is the cipher images of the two plain images generated using Mrinal et al. encryption scheme using key K1 = “as*&∧%$1234VGHax” and K2 = “NITMANIPUR795001” respectively. Convert the 16 characters to its equivalent ASCII values: “as*&∧%$1234VGHax”: {97, 115, 42, 38, 94, 37, 36, 49, 50, 51, 52, 86, 71, 72, 97, 120}. “NITMANIPUR795001”: {78, 73, 84, 77, 65, 78, 73, 80, 85, 82, 55, 57, 53, 48, 48, 49}. Using the Eqs. (4)–(6) as proposed by Mrinal et al., the initial keys generated using key K1 are:



x0 = mod 120 ×

5 



i

mod(Ki × 10 , 1), 1

i=1

where Ki = {97, 115, 42, 38, 94}



y0 = mod 120 ×

10 

 i+5

mod(Ki+5 × 10

, 1), 1

i=6

where Ki+5 = {37, 36, 49, 50, 51}



z0 = mod 120 ×

15 



mod(Ki+10 × 10i+10 , 1), 1

i=11

where Ki+10 = {52, 86, 71, 72, 97} The initial keys are:

204

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

Fig. 4. (a) Plain Tank image, (b) cipher Tank image generated using key K1, (c) decrypted image without using key K1, (d) plain Lena image, (e) cipher Lena image generated using key K2 and (f) decrypted image without using key K2.

x0 = 0 y0 = 0 z0 = 0 Similarly for key K2, the initial keys generated using Eqs. (4)–(6) are:

 x0 = mod 49 ×

5 

 i

mod(Ki × 10 , 1), 1

i=1

where Ki = {78, 73, 84, 77, 65}



y0 = mod 49 ×

10 

mod(Ki+5 × 10

 i+5

, 1), 1

i=6

where Ki+5 = {78, 73, 80, 85, 82}



z0 = mod 49 ×

15 

mod(Ki+10 × 10

 i+10

, 1), 1

i=11

where Ki+10 = {55, 57, 53, 48, 48} The initial keys are: x0 = 0 y0 = 0 z0 = 0 Irrespective of the 16 characters, the initial keys are always 0(zero). The chaotic sequences {xi , yi , zi } can be easily generated by assigning initial keys {x0 , y0 , z0 } = {0, 0, 0} with a = b = 0.2 and c = 5.7. The generated chaotic sequences {xi , yi , zi } are converted to byte value denoted as {x(i,j) , y(i,j) , z(i,j) } using the Eqs. (7)–(9) given by Mrinal et al. encryption algorithm. An attacker can derive at position matrix C using sequences y(i,j) and z(i,j) . The cipher images given in Fig. 4(b) and (e) is scrambled back to intermediate cipher image EI using position matrix C. The pixel values in the intermediate cipher image EI are XOR with sequence x(i,j) and converted to image as shown in Fig. 4(c) and (f). The cipher image is successfully deciphered without the knowledge of the 128 bits key represented as 16 characters.

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

205

Fig. 5. (a) Plain Boat image, (b) plain Airplane image, (c) plain Aerial image, (d) cipher Boat image, (e) cipher Airplane image and (f) cipher Aerial image.

Fig. 6. (a) Histogram of plain Boat image and (b) histogram of cipher Boat image.

5. Improved Mrinal et al. encryption scheme Mrinal et al. encryption scheme can be improved by replacing the Eqs. (4)–(6) used to generate the initial keys. In the improved version, the initial keys are generated by computing secure hash algorithm (SHA) on the plain image. From the hash value, the initial conditions for Rossler chaotic system are obtained as: x0 = H[[1; ; 16]] × 10−16 −16

y0 = H[[17; ; 32]] × 10

−16

z0 = H[[33; ; 48]] × 10

(12) (13) (14)

where H[[i;; j]]: digits at location i to j in the SHA hash value. Fig. 5 shows the plain images and their corresponding cipher images generated using the improved Mrinal et al. encryption scheme where the initial keys are obtained using Eqs. (12)–(14). The initial keys can be shared to the communicating party using a strong public key encryption scheme. 6. Security and statistical analyses 6.1. Histogram analysis Histogram of an image gives the frequency distribution of the pixels. In a normal image, the frequency distribution of pixels is uneven. In cipher image, the pixel values are evenly distributed, avoiding any statistical knowledge about the image to an adversary. Fig. 6 shows the histogram of plain and cipher Boat image. 6.2. Key space and key sensitivity The difficulty level of cryptanalysis using Brute-force attack increases as the bit length of key size increases. The initial keys consist of three random values in the range of 0(zero) to 1(one) each of precision 1016 . So total key

206

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

Fig. 7. Images showing test against key sensitivity. (a) Encrypted image, (b) image decrypted after using correct key and (c) image decrypted with one bit change from the correct key. Table 1 Correlation coefficients for cipher images. Image

Horizontal

Vertical

Diagonal

Boat Air plane Aerial image Truck

0.0051485 −0.0066495 0.0009462 −0.0061735

−0.0003382 −0.0088317 −0.0146035 −0.0089528

−0.0074269 0.0161824 0.0075206 0.0061888

space is 1016*3 around 160 bits. To test the sensitivity of the key used, the cipher image is decrypted using the correct initial keys and another with a bit change in the initial keys. Fig. 7(a) shows an encrypted image using initial keys as x0 = 0.6508650281129252, y0 = 0.2047732941953761 and z0 = 0.5301385799741076. Fig. 7(b) shows a decrypted image using the correct initial keys and Fig. 7(c) shows a decrypted image with one bit change from the initial keys x0 = 0.6508650281129252, y0 = 0.2047732941953761 and z0 = 0.5301385799741077. 6.3. Chosen plain-text attack Chosen plain-text attack is a case in which the adversary can get the corresponding cipher image for a plain image of his/her choice. The improved version of Mrinal et al. encryption scheme uses SHA value computed using the plain image to generate the initial conditions for Rossler chaotic system. Each plain image has got a unique SHA value. So, even if the adversary has access to multiple pairs of plain/cipher data, the data are not related in any way to another cipher data. Thus, the encryption scheme overcomes chosen plain-text attack. 6.4. Correlation analysis Correlation represents the relationship between two or more variables. Plain images have correlation coefficient tending toward 1 and cipher images have correlation coefficient tending toward 0. Correlation coefficient is computed as: Correlation[v1 , v2 ] =

Covariance[v1 , v2 ] Standard Deviation[v1 ] × Standard Deviation[v2 ]

(15)

Correlation analysis was performed along horizontal, vertical and diagonal components after choosing 10000 random coordinate points. Correlation coefficients for cipher images along horizontal, vertical and diagonal direction is given in Table 1. Fig. 8 shows the correlation graph for plain and cipher Boat image. 6.5. Differential attack analysis Commonly used tools to determine the resistance against Differential attack are Number of Changing Pixel Rate (NPCR) and Unified Averaged Changed Intensity (UACI). NPCR and UACI are calculated by generating cipher images from minimally different plain images. Let C and C be the two cipher images generated from minimally different plain images. NPCR and UACI are calculated as:



i,j

NPCR = and

T

 UACI =

D(i, j)

i,j

× 100%

 | |Ci,j − Ci,j

L×T

(16)

(17)

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

207

Fig. 8. (a) Horizontal correlation graph for plain image, (b) vertical correlation graph for plain image, (c) diagonal correlation graph for plain image, (d) horizontal correlation graph for cipher image, (e) vertical correlation graph for cipher image and (f) diagonal correlation graph for cipher image. Table 2 Entropy, NPCR and UACI values for cipher images. Image

Entropy

NPCR (%)

UACI (%)

Boat Air plane Aerial image Truck

7.9993 7.9993 7.9994 7.9991

99.61 99.63 99.62 99.62

33.47 33.48 33.46 33.42

where



D(i, j) =

0

 if Ci,j = Ci,j

 1 if Ci,j = / Ci,j

(18)

T = total number of pixels. L = the largest pixel value. Theoretical ideal values for NPCR and UACI are 100% and 33.3% respectively. Calculated NPCR and UACI values for various images are shown in Table 2. As SHA value drastically changes even for a bit change, the initial keys are drastically different for two minimally different plain images. So, the cipher images C and C are totally different. 6.6. Entropy analysis Entropy is computed as: N 

H(X) = −

P(xi ) log2 P(xi )

(19)

i=1

where P(xi ) is the probability mass function. Entropy is used to denote the degree of randomness. If the entropy value is close to 8, the image is considered to exhibit high randomness. Table 2 shows the calculated entropy value. 6.7. Randomness test To test the randomness of the cipher data generated using an encryption scheme, National Institute of Standards and technology (NIST) designed a statistical test suite consisting of fifteen different tests. In each test p-value is calculated. If the p-value is greater than 0.01 for all the fifteen tests, the proposed scheme is considered to pass the randomness test with the

208

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

Table 3 Randomness test. Test

p-Value Airplane

The Frequency (Monobit) Test Frequency Test within a Block The Runs Test Longest-Run-of-Ones in a Block The Binary Matrix Rank Test Discrete Fourier Transform Test Non-overlapping Template Matching Overlapping Template Matching Test Maurer’s “Universal Statistical” Test The Linear Complexity Test The Serial Test p-Value 1 p-Value 2 The Approximate Entropy Test The Cumulative Sums Test Random Excursions Test X =−4 X =−3 X =−2 X =−1 X=1 X=2 X=3 X=4 Random Excursions Variant Test X =−9 X =−8 X =−7 X =−6 X =−5 X =−4 X =−3 X =−2 X =−1 X=1 X=2 X=3 X=4 X=5 X=6 X=7 X=8 X=9

Aerial

Boat

0.175472 0.081136 0.789618 0.346689 0.598617 0.788737 0.471026 0.564202 0.970999 0.652099

Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass

0.454968 0.953272 0.668726 0.109635 0.275336 0.504939 0.238088 0.410823 0.971070 0.141435

Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass

0.976863 0.515005 0.973513 0.796286 0.723836 0.067660 0.091428 0.979907 0.971162 0.872080

Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass

0.257022 0.508738 0.616326 0.124713

Pass Pass Pass Pass

0.119964 0.064874 0.452641 0.708331

Pass Pass Pass Pass

0.218938 0.056701 0.976126 0.967457

Pass Pass Pass Pass

0.105828 0.772718 0.470412 0.750643 0.718067 0.167933 0.701981 0.821954

Pass Pass Pass Pass Pass Pass Pass Pass

0.469726 0.326065 0.684250 0.385768 0.655318 0.353820 0.549940 0.195616

Pass Pass Pass Pass Pass Pass Pass Pass

0.587011 0.618990 0.811563 0.943010 0.543043 0.916977 0.408938 0.743661

Pass Pass Pass Pass Pass Pass Pass Pass

0.332123 0.310974 0.329900 0.417195 0.396943 0.428938 0.451996 0.203011 0.190869 0.627086 0.489911 0.503798 0.553008 0.454801 0.450275 0.314699 0.093154 0.037926

Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass

0.413213 0.667686 0.758504 0.694795 0.573919 0.320808 0.457110 0.780812 0.530953 0.847127 0.549665 0.290901 0.329768 0.421818 0.503841 0.491193 0.415017 0.516496

Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass

0.551245 0.779575 0.655642 0.686890 0.961577 0.561647 0.271865 0.199520 0.338323 0.664595 0.609293 0.871633 0.594310 0.735946 0.823280 0.992004 0.644231 0.871212

Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass Pass

confidence of 99%. To test the randomness of the cipher image generated, the cipher image is tested with NIST statistical test suite and computed p-value is tabulated in Table 3. 7. Conclusion The paper cryptanalyses the encryption algorithm proposed by Mrinal et al. revealing the exact plain image from the cipher image without the need of correct key K. The process of generating the initial conditions from the key K given in Step 1 of Mrinal et al. encryption algorithm has a loophole. Since mod 1(one) to any integer value gives 0(zero), any key K generates initial conditions x0 , y0 , z0 for Rossler chaotic system as 0(zero). Using this loophole, the chaotic sequences x(i,j) , y(i,j) , z(i,j) are easily generated and cryptanalysis is performed. To overcome the cryptanalysis attack performed in this paper, Eqs. (4)–(6) given in Mrinal et al. encryption scheme are replaced by values obtained using SHA as given in Eqs. (12)–(14). Statistical and security analyses of the improved Mrinal et al. encryption scheme indicate the robustness and feasibility of the encryption scheme. References [1] K.M. Mrinal, K. Madhumita, K.S. Sandesh, K.B. Vivek, Symmetric key image encryption using chaotic Rossler system, Secur. Commun. Netw. 7 (2014) 2145–2152. [2] L. Wenhao, S. Kehui, Z. Congxu, A fast image encryption algorithm based on chaotic map, Opt. Lasers Eng. 84 (2016) 26–36.

D.S. Laiphrakpam, M.S. Khumanthem / Optik 135 (2017) 200–209

209

[3] B. Akram, A.A.E. Ahmed, B. Safya, A novel image encryption scheme based on substitution–permutation network and chaos, Signal Process. 128 (2016) 155–170. [4] L. Liu, S. Miao, A new image encryption algorithm based on logistic chaotic map with varying parameter, SpringerPlus 5 (2016) 289; M. Khan, A novel image encryption scheme based on multiple chaotic S-boxes, Nonlinear Dyn. 82 (2015) 527–533. [5] H. Khanzadi, M. Eshghi, S.E. Borujeni, Image encryption using random bit sequence based on chaotic maps, Arab. J. Sci. Eng. 39 (2) (2014) 1039–1047. [6] C.K. Huang, C.W. Liao, S.L. Hsu, Y.C. Jeng, Implementation of gray image encryption with pixel shuffling and gray-level encryption by single chaotic system, Telecommun. Syst. 52 (2013) 563–571. [7] F. Ozkaynak, A.M. Ozer, S. Yavuz, Cryptanalysis of a novel image encryption scheme based on improved hyperchaotic sequences, Opt. Commun. 285 (2012) 4946–4948. [8] C. Zhu, A novel image encryption scheme based on improved hyperchaotic sequences, Opt. Commun. 285 (2012) 29–37. [9] G. Tu, X. Liao, T. Xiang, Cryptanalysis of a color image encryption algorithm based on chaos, Optik 124 (2013) 5411–5415. [10] W. Xingyuan, T. Lin, Q. Xue, A novel colour image encryption algorithm based on chaos, Signal Process. 92 (4) (2012) 1101–1108. [11] A. Akhavan, A. Samsudin, A. Akhshani, Cryptanalysis of “An improvement over an image encryption method based on total shuffling”, Opt. Commun. 350 (2015) 77–82. [12] Z. Eslami, A. Bakhshandeh, An improvement over an image encryption method based on total shuffling, Opt. Commun. 286 (2013) 51–55. [13] R. Bechikh, H. Hermassi, A.A.A. El-Latif, R. Rhouma, S. Belghith, Breaking an image encryption scheme based on a spatiotemporal chaotic system, Signal Process.: Image Commun. 39 (2015) 151–158. [14] S. Chun-Yan, Q. Yu-Long, Z. Xing-Zhou, An image encryption scheme based on new spatiotemporal chaos, Optik 124 (2013) 3329–3334. [15] O.E. Rossler, An equation for continuous chaos, Phys. Lett. 57A (5) (1976) 397–398. [16] Sample images, http://sipi.usc.edu/database/ (accessed 03.09.16).