Cryptanalysis of a novel image encryption scheme based on improved hyperchaotic sequences


Optics Communications 285 (2012) 4946–4948

Contents lists available at SciVerse ScienceDirect

Optics Communications journal homepage: www.elsevier.com/locate/optcom

Fatih Özkaynak a,*, Ahmet Bedri Özer b, Sırma Yavuz c

a Firat University, Department of Software Engineering, 23119 Elazig, Turkey
b Firat University, Department of Computer Engineering, 23119 Elazig, Turkey
c Yıldız Technical University, Department of Computer Engineering, 34349 Istanbul, Turkey

Article info

Article history: Received 15 May 2012; received in revised form 30 June 2012; accepted 19 July 2012; available online 23 August 2012.

Keywords: Chaos based cryptography; Cryptanalysis; Chosen-plaintext attack

Abstract

Chaotic cryptography is a new field that has seen a significant amount of research activity during the last 20 years. Despite the many proposals that use various methods in the design of encryption algorithms, there is a definite need for a mathematically rigorous cryptanalysis of these designs. In this study, we analyze the security weaknesses of "C. Zhu, A novel image encryption scheme based on improved hyperchaotic sequences, Optics Communications 285 (2012) 29–37". By applying chosen plaintext attacks, we show that all the secret parameters can be revealed. © 2012 Elsevier B.V. All rights reserved.

1. Introduction

The most attractive feature of deterministic chaotic systems is the highly unpredictable and random-looking nature of chaotic signals. Chaos and cryptography share some common features, such as sensitivity to initial conditions and parameters, random-like behavior and unstable orbits with long periods, depending upon the precision of the numerical implementation. In cryptography, rounds of encryption lead to the desired diffusion and confusion properties of the algorithm. Similarly, chaotic system iterations spread the initial region over the entire phase space. This is similar to the diffusion and confusion properties, since the parameters of the chaotic system may represent the key of the encryption algorithm. As a result, many proposals dealing with chaos based cryptography have been published in the last twenty years [1–4].

One interesting property of chaotic cryptography is that the researchers in this field design new systems instead of analyzing the existing ones [5–14]. As the number of such analyses is insufficient, new designs are prone to even simple attacks. The cryptanalysis studies conducted so far demonstrate that many chaos based image encryption algorithms examined only by statistical methods can be easily broken [15–20]. For an encryption system, having satisfactory statistical properties is one of the necessary conditions for security, but it is not sufficient by itself. It is known that some linear encryption systems pass the statistical tests. However, as these systems possess algebraic dependency, they can be easily broken. For this reason, analysis of the algebraic structure of chaos based encryption algorithms and identification of weak transformations are also critical for the security of the system.

In this study, we cryptanalyze the image cryptosystem recently proposed in Ref. [5]. The cryptosystem uses a hyper chaotic system to generate secret key sequences and performs encryption with a two-round diffusion operation. However, this is not enough to make the cryptosystem secure. Algebraic dependencies have been found in the proposed cryptosystem, and its secret parameters have been obtained using only a few plaintext/ciphertext pairs.

The outline of the study is as follows. In the next section we describe the proposed encryption algorithm in detail. In Section 3, we demonstrate a chosen-plaintext attack that reveals all the secret parameters. Finally, we give concluding remarks.

* Corresponding author. Tel.: +90 532 4660760; fax: +90 424 2367064.
E-mail addresses: ozkaynak@firat.edu.tr (F. Özkaynak), bedriozer@firat.edu.tr (A.B. Özer), [email protected] (S. Yavuz).
0030-4018/$ - see front matter © 2012 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.optcom.2012.07.106

2. Description of the encryption algorithm

In this section, we describe the encryption algorithm in detail. The secret keys of the algorithm are the initial values $x_0$, $y_0$, $z_0$ and $w_0$ of the hyper chaotic system. The hyper chaotic system is a set of differential equations given as:

$$
\begin{aligned}
\dot{x} &= a(y - x) + yz \\
\dot{y} &= cx - y - xz - w \\
\dot{z} &= xy - bz \\
\dot{w} &= dw - xz
\end{aligned}
\tag{1}
$$


where $a$, $b$, $c$ and $d$ are constant parameters, with $a = 35$, $b = 8/3$, $c = 55$ and $d = 1.3$, and the integration step set to $h = 0.001$. The encryption steps are as follows:

Step 1. The plain image is a 256-level gray-scale image of size $L = M_1 \times M_2$; it is an integer matrix of $M_1$ rows and $M_2$ columns whose values range from 0 to 255. Its data can be treated as a one-dimensional vector $P = \{p_1, p_2, \ldots, p_L\}$.

Step 2. The hyper chaotic system in Eq. (1) is used to generate the chaotic key stream $K = \{k_1, k_2, \ldots, k_L\}$.

Step 3. The first round of the diffusion operation is as follows:

$$c_1 = p_1 \oplus (\operatorname{mod}(C_0 + k_1, 256) \oplus k_1) \tag{2}$$

$$c_i = p_i \oplus (\operatorname{mod}(c_{i-1} + k_i, 256) \oplus k_{i-1}), \quad 2 \le i \le L \tag{3}$$

Step 4. The second round of the diffusion operation is as follows:

$$c_1 = c_1 \oplus (\operatorname{mod}(c_L + k_1, 256) \oplus k_1) \tag{4}$$

$$c_i = c_i \oplus (\operatorname{mod}(c_{i-1} + k_i, 256) \oplus k_{i-1}), \quad 2 \le i \le L \tag{5}$$

where the cipher image is denoted by the one-dimensional vector $C = \{c_1, c_2, \ldots, c_L\}$. The integer $C_0$ in Eq. (2) is chosen as 3.

3. Chosen-plaintext attack

In the chosen-plaintext attack, the attacker chooses a plain image and somehow obtains the corresponding ciphered image. By analyzing the plain-ciphered image pair, he tries to reveal the secret parameters. Before the chosen-plaintext attack, some equations used in the attack are given below.

An important rule is Kerckhoffs' principle: the security of the encryption scheme must depend only on the secrecy of the key, and not on the secrecy of the algorithm. Since parameter $C_0$ is not used as a key in the algorithm, the cryptanalyst knows this value. $C_0$ and all possible values of $k_1$ are processed to find the values that Eq. (6) can take. $C_0 = 3$ is fixed in the algorithm. The values that Eq. (6) can take for $C_0 = 3$ are {3, 5, 7, 13, 15, 29, 31, 61, 63, 125, 127, 253}. The values that Eq. (6) can take for different values of $C_0$ are shown in Table 1. As seen in Table 1, the selected $C_0$ value only influences the number of values that Eq. (6) can take. Even when the number of candidate values calculated for $C_0 = 214$ in the table is compared with a brute-force attack, a significant contraction of the key space is observed.

Table 1. Outputs of Eq. (6) for different $C_0$ values.

| Value of $C_0$ | Outputs of Eq. (6) |
|---|---|
| 1 | {1, 3, 7, 15, 31, 63, 127} |
| 2 | {2, 6, 14, 30, 62, 126} |
| 15 | {15, 17, 19, 23, 31, 49, 51, 55, 63, 113, 115, 119, 127, 241, 243, 247} |
| 16 | {16, 48, 112} |
| 63 | {63, 65, 67, 71, 79, 95, 127, 193, 195, 199, 207, 223} |
| 64 | {64} |
| 97 | {97, 99, 103, 111, 127, 159, 161, 163, 167, 175, 191, 225, 227, 231, 239} |
| 127 | {127, 129, 131, 135, 143, 159, 191} |
| 128 | {128} |
| 159 | {97, 99, 103, 111, 127, 159, 161, 163, 167, 175, 191, 225, 227, 231, 239} |
| 214 | {42, 46, 54, 58, 62, 86, 90, 94, 106, 110, 118, 122, 126, 214, 218, 222, 234, 238, 246, 250} |
| 254 | {2, 6, 14, 30, 62, 126} |
| 255 | {1, 3, 7, 15, 31, 63, 127} |

The next steps show how the exact value of Eq. (6) can be found, independently of the number of values that Eq. (6) can take.

$$\operatorname{mod}(C_0 + k_1, 256) \oplus k_1 \tag{6}$$

Another property used in the attack originates from the associative property of the XOR operation, shown in Eq. (7).

$$(a \oplus b) \oplus (c \oplus b) = (a \oplus c) \oplus (b \oplus b) = (a \oplus c) \oplus 0 = (a \oplus c) \tag{7}$$

Assume that for any $P = \{p_1, p_2, \ldots, p_L\}$, the values $C = \{c_1, c_2, \ldots, c_L\}$ are known. For ease of understanding, assume that a small image with dimensions of 2 × 2 is encrypted. For the encryption algorithm, the same parameters selected in Ref. [5] were used. The secret key stream produced by the hyper chaotic system was calculated as (137, 15, 14, 90). In the attack, the pixel values (0, 0, 0, 0) were chosen as the plain image. As a result of the encryption algorithm, the pixel values of the ciphered image were obtained as (245, 16, 181, 241). After the first diffusion process, the intermediate values are calculated as follows.

$$c_1 = 0 \oplus (\operatorname{mod}(3 + k_1, 256) \oplus k_1) \tag{8}$$

$$c_2 = 0 \oplus (\operatorname{mod}(c_1 + k_2, 256) \oplus k_1) \tag{9}$$

$$c_3 = 0 \oplus (\operatorname{mod}(c_2 + k_3, 256) \oplus k_2) \tag{10}$$

$$c_4 = 0 \oplus (\operatorname{mod}(c_3 + k_4, 256) \oplus k_3) \tag{11}$$

For the second diffusion process, the calculations are as follows.

$$245 = c_1 \oplus (\operatorname{mod}(c_4 + k_1, 256) \oplus k_1) \tag{12}$$

$$16 = c_2 \oplus (\operatorname{mod}(245 + k_2, 256) \oplus k_1) \tag{13}$$

$$181 = c_3 \oplus (\operatorname{mod}(16 + k_3, 256) \oplus k_2) \tag{14}$$

$$241 = c_4 \oplus (\operatorname{mod}(181 + k_4, 256) \oplus k_3) \tag{15}$$

If the value of $c_2$ calculated in Eq. (9) is substituted for $c_2$ in Eq. (13), Eq. (16) is obtained. Rearranging it with the property of the XOR operation shown in Eq. (7) gives Eq. (17).

$$16 = 0 \oplus (\operatorname{mod}(c_1 + k_2, 256) \oplus k_1) \oplus (\operatorname{mod}(245 + k_2, 256) \oplus k_1) \tag{16}$$

$$16 = \operatorname{mod}(c_1 + k_2, 256) \oplus \operatorname{mod}(245 + k_2, 256) \tag{17}$$

It was previously shown that there are 12 different values for $c_1$ in Eq. (17) ($\operatorname{mod}(3 + k_1, 256) \oplus k_1 \in \{3, 5, 7, 13, 15, 29, 31, 61, 63, 125, 127, 253\}$). By using the possible $(c_1, k_2)$ pairs in Eq. (17), the exact value of $c_1$ can be found ($c_1 = 5$). After this, the different values of key $k_2$ satisfying Eq. (17) are found. By trying different plaintext/ciphertext pairs, the possible space for $k_2$ is narrowed. After trying nearly four pairs, it was observed that the number of possible values for key $k_2$ is two. The value of key $k_1$ can be found through Eq. (8) once the exact value of $c_1$ is known. At this stage of the attack, the values of the secret $(c_1, k_1, c_2, k_2)$ have been identified. By using these parameters in the other equations, the values of all the secret parameters of the system can be identified.

In order to illustrate the attack, we give simulation results for the 256 × 256 traditional Lena image with 8-bit gray-scale. Simulations are performed under Visual Studio 10 running on Windows 7 with an Intel Core i5 2.53 GHz processor and 3 GB RAM. The secret parameters are chosen from the example in Ref. [5]. The secret parameters are recovered successfully in less than 5 min.
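The following Python sketch is an added example, not the authors' code. It implements the two diffusion rounds as Eqs. (12)–(15) apply them (the second round acting on the first-round output), reproduces the 2 × 2 example above, and enumerates the (Eq. (6) value, $k_2$) pairs consistent with the relation of Eq. (17), generalized here to nonzero $p_1$ and $p_2$. The function names and the three extra chosen plaintexts are assumptions made for illustration.

```python
# Added example, not the authors' code.
C0 = 3                    # public constant of Eq. (2)
KEY = [137, 15, 14, 90]   # key stream of the paper's 2 x 2 example

def encrypt(p, k, c0=C0):
    """Two diffusion rounds; round 2 acts on the round-1 output."""
    n = len(p)
    c = [0] * n
    c[0] = p[0] ^ ((c0 + k[0]) % 256) ^ k[0]
    for i in range(1, n):
        c[i] = p[i] ^ ((c[i - 1] + k[i]) % 256) ^ k[i - 1]
    c[0] ^= ((c[n - 1] + k[0]) % 256) ^ k[0]
    for i in range(1, n):
        c[i] ^= ((c[i - 1] + k[i]) % 256) ^ k[i - 1]
    return c

def consistent_pairs(pairs):
    """Return every (e, k2) that fits all chosen plaintext/ciphertext pairs.

    e stands for the Eq. (6) value mod(C0 + k1, 256) XOR k1. Substituting
    round 1 into round 2 for the second pixel cancels k1 (Eq. (7)), leaving
    c2 ^ p2 == mod((p1 ^ e) + k2, 256) ^ mod(c1 + k2, 256).
    """
    sols = []
    for e in range(256):
        for k2 in range(256):
            if all((c[1] ^ p[1]) ==
                   (((p[0] ^ e) + k2) % 256) ^ ((c[0] + k2) % 256)
                   for p, c in pairs):
                sols.append((e, k2))
    return sols

# Constructed chosen plaintexts: the paper's all-zero image plus three more.
CHOSEN = [[0, 0, 0, 0], [1, 0, 0, 0], [2, 0, 0, 0], [4, 0, 0, 0]]
PAIRS = [(p, encrypt(p, KEY)) for p in CHOSEN]
SOLUTIONS = consistent_pairs(PAIRS)

if __name__ == "__main__":
    print("cipher of zero image:", encrypt([0, 0, 0, 0], KEY))
    print("candidates out of 65536:", len(SOLUTIONS), SOLUTIONS)
```

In the output, $k_2$ and $k_2 + 128$ always appear together, because adding 128 flips the top bit of both sums in the relation; this is consistent with the two remaining $k_2$ candidates reported in the text.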


4. Conclusion

In many chaos based image encryption algorithms, the secret parameters are generated by iterating one or more chaotic systems starting with secret initial conditions and parameters. In attacking these algorithms, the attacker aims to reveal the intermediate secret parameters rather than the chaotic system parameters. In this study, we gave a complete break of a chaos-based image encryption algorithm. We demonstrated that the secret keys can be revealed using chosen plaintext attacks.

References

[1] L. Kocarev, S. Lian, Chaos Based Cryptography Theory Algorithms and Applications, Springer-Verlag, 2011.
[2] J.M. Amigo, L. Kocarev, J. Szczapanski, Physics Letters A 366 (2007) 211.
[3] G. Jakimoski, L. Kocarev, IEEE Transactions on Circuits and Systems I 48 (2) (2001) 163.
[4] G. Alvarez, S. Li, International Journal of Bifurcation Chaos 16 (8) (2006) 2129.
[5] C. Zhu, Optics Communications 285 (1) (2012) 29.
[6] X. Wang, J. Zhao, H. Liu, Optics Communications 285 (5) (2012) 562.
[7] V. Patidar, N.K. Pareek, G. Purohit, K.K. Sud, Optics Communications 284 (19) (2011) 4331.
[8] C. Fu, B. Lin, Y. Miao, X. Liu, J. Chen, Optics Communications 284 (23) (2011) 5415.
[9] G. Zhang, Q. Liu, Optics Communications 284 (12) (2011) 2775.
[10] R. Ye, Optics Communications 284 (22) (2011) 5290.
[11] H. Liu, X. Wang, Optics Communications 284 (16–17) (2011) 3895.
[12] A. Akhshani, S. Behnia, A. Akhavan, H. Abu Hassan, Z. Hassan, Optics Communications 283 (17) (2010) 3259.
[13] C.K. Huang, H.H. Nien, Optics Communications 282 (11) (2009) 2123.
[14] X. Tong, M. Cui, Z. Wang, Optics Communications 282 (14) (2009) 2722.
[15] X. Wang, G. He, Optics Communications 284 (24) (2011) 5804.
[16] E. Solak, R. Rhouma, S. Belghith, Optics Communications 283 (2) (2010) 232.
[17] X. Ge, F. Liu, B. Lu, W. Wang, Physics Letters A 375 (5) (2011) 908.
[18] C. Li, S. Li, K. Lo, Communications in Nonlinear Science and Numerical Simulation 16 (2) (2011) 837.
[19] E. Solak, C. Çokal, Information Sciences 181 (1) (2011) 227.
[20] R. Rhouma, E. Solak, S. Belghith, Communications in Nonlinear Science and Numerical Simulation 15 (7) (2010) 1887.