Computers in Biology and Medicine 65 (2015) 69–75
Differential cryptanalysis of a medical image cryptosystem with multiple rounds

Lei Chen, Shihong Wang*

School of Sciences, Beijing University of Posts and Telecommunications, Beijing 100876, China
Article info
Article history: Received 10 April 2015; Accepted 27 July 2015
Keywords: Chaos-based image encryption; Differential cryptanalysis; Permutation–substitution architecture; Discrete cat map

Abstract
Recently, Fu et al. proposed a chaos-based medical image encryption scheme that has a permutation–substitution architecture. The authors believe that the scheme with bit-level cat map shuffling can achieve a high level of security even if it is applied with only a few encryption rounds. However, we find that the scheme cannot resist differential cryptanalysis. The differential cryptanalysis shows that the security of the original scheme depends only on the permutation key instead of on all of the keys. Moreover, 17 chosen plain-images can reveal the equivalent permutation key for 1-round and 2-round encryption. We propose a novel analysis method called double differential cryptanalysis comparison (DDCC) that is valid to break multi-round encryption with $16N^2 + 1$ chosen plain-images, where $N^2$ is the size of the image. We also point out several weaknesses of the cryptosystem. The theoretical analysis and simulation results indicate that the encryption scheme is insecure. © 2015 Elsevier Ltd. All rights reserved.
* Corresponding author: S. Wang. Tel.: +86 10 62282452.
http://dx.doi.org/10.1016/j.compbiomed.2015.07.024

1. Introduction

With the rapid development of computer technology, a variety of medical images, such as Computed Tomography (CT) and Magnetic Resonance Imaging (MRI) images, are processed, delivered and stored in digital format. Security of digital medical images becomes critical since these images contain patients' personal information, which could be very sensitive. Any compromise of the security of this kind of data could result in leakage of a patient's health information with serious privacy consequences. Thus, it is essential to investigate secure encryption algorithms for digital medical images.

The conventional block ciphers, such as the Data Encryption Standard (DES), the Advanced Encryption Standard (AES) and the International Data Encryption Algorithm (IDEA), are usually used to protect textual data. However, they are not suitable for encrypting medical images with large data capacity and high redundancy because they require a large computational time in practical applications. Thus, a number of image encryption schemes have been proposed, especially chaos-based algorithms. The characteristics of chaotic systems, such as sensitivity to initial conditions and system parameters, ergodicity and randomness, have similarities with essential design principles of a cryptosystem.

So far, many scholars have designed image encryption schemes based on chaotic maps [1–11]. In 1998, Fridrich [1] suggested that a chaos-based image encryption algorithm should be composed of two processes: one phase to permute image pixels and another phase to alter the pixel values. This architecture is called permutation–diffusion, permutation–substitution or Fridrich's architecture. Subsequently, many chaos-based algorithms utilize this structure [2,4,5,7,8]. These algorithms use sorting of chaotic sequences [5] and chaotic maps as permutation methods, such as the Arnold cat map [2,8], the baker map and the standard map [4]. Similarly, a non-linear function [4], a chaotic keystream [2,5,7,8], etc., can be applied to the substitution process. Both [2] and [5] use Chen's system to generate chaotic sequences in the substitution process; this hyperchaotic system can obtain a large key space. In [7], logistic maps are applied in both the permutation and the substitution process, but the key is changed in each round to achieve high security. Further, Pareek et al. [3] propose a scheme based on 16-pixel blocks. Each block contains eight types of encryption operations, one of which is determined by the outcome of the logistic map. In [6], Huang et al. introduce the pixel-chaotic-shuffle (PCS) method combined with four differential chaotic systems, which can achieve a good confusion effect. Fu et al. [8] propose a medical image encryption scheme with bit-level permutation and further substitution for achieving a high level of security. In this paper, we call this image cipher Fu's scheme. Recently, Wang et al. [9] present an image encryption scheme based on dynamic S-boxes, which are constructed by the logistic map and the Kent map. The pixels of the plain-image are substituted by S-boxes for encryption. In addition, Zhou et al. [10] and Som et al. [11] have proposed selective encryption schemes that only encrypt part of a plain image and improve encryption speed.

However, some chaos-based image algorithms have been analyzed and found to be insecure from the viewpoint of modern
cryptology [12–18]. Li et al. [12] point out that for a permutation-only image cipher, it is possible to reconstruct the permutation matrix by comparing a number of the known plain-images and the corresponding cipher-images. This is because the pixel values before and after the permutation are unchanged. They consider that the permutation-only image cipher is vulnerable against known/chosen-plaintext attacks in the sense that only $O(\log_L(MN))$ known/chosen plain-images are enough to break the ciphers, where $MN$ is the size of the image and $L$ is the number of different pixel values. Also, they find that the attack complexity is $O(\log_L(MN)\,(MN)^2)$. Li et al. [13] optimize the analysis above by a binary tree classification method and a multi-branch tree classification method, and the corresponding spatial complexity and computational complexity are only $O(MN)$ and $O(\log_L(MN)\,MN)$, respectively. Li et al. and Li and Lo [12,13] have demonstrated that the permutation-only schemes are insecure, but their cryptanalyses cannot apply to the permutation–diffusion (permutation–substitution) encryption type [1]. Rhouma et al. [14] and Çokal et al. [15] analyze permutation–diffusion image encryption algorithms [5,2], respectively. But their cryptanalyses only focus on one-round encryption rather than multi-round cases. Solak et al. [16] propose a chosen-ciphertext attack method and break multi-round encryption of Fridrich's algorithm. However, the difficulty of their analysis method increases with the number of encryption rounds. If the number of rounds is large enough, the proposed attack method is infeasible. Recently, Zhang et al. [18] have analyzed the security of Fu's scheme with one-round encryption by using an analysis method similar to that of Refs. [14] and [15], and proposed an improved version of Fu's scheme. They only change the structure from permutation–substitution to permutation–substitution–permutation. In other words, they simply add another permutation process.

We find that their improved scheme is still insecure: it cannot resist differential attacks. In this paper, we also analyze Fu's scheme by using differential cryptanalysis with chosen plaintexts. We propose a new analysis method called double differential cryptanalysis comparison (DDCC). This method is feasible for multi-round encryption.

The rest of the paper is organized as follows. Section 2 introduces some preliminaries about the cat map and the properties of modular arithmetic. Section 3 briefly describes the original medical image encryption scheme. In Section 4, we analyze the security of this scheme by differential cryptanalysis in detail, and simulation results are presented in Section 5. In Section 6, we point out the defects of the cryptosystem. Finally, we conclude this paper.
2. Preliminaries

2.1. Discrete cat map

The discrete cat map is usually used in permutation operation for image encryption and denoted by

$$\begin{bmatrix} x' \\ y' \end{bmatrix} = \begin{bmatrix} 1 & p \\ q & pq+1 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix} \bmod N, \tag{1}$$

where $p, q \in [1, N-1]$, and $(x, y)$ and $(x', y')$ are the pixel positions of an original image and its permutated image, respectively. To further shuffle pixel positions, Eq. (1) is iterated $m$ times and it yields

$$\begin{bmatrix} x' \\ y' \end{bmatrix} = \begin{bmatrix} 1 & p \\ q & pq+1 \end{bmatrix}^{m} \begin{bmatrix} x \\ y \end{bmatrix} \bmod N = \begin{bmatrix} a & b \\ c & d \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix} \bmod N, \tag{2}$$

where $a, b, c, d \in [1, N-1]$.

Fig. 1. Architecture of the original image cryptosystem.

2.2. Properties and propositions of modular arithmetic

Assume that $A$, $B$ and $N$ are integers. The modular arithmetic between them has the following properties.

Property 1. $(A \pm B) \bmod N = ((A \bmod N) \pm (B \bmod N)) \bmod N$.

Property 2. $(A \times B) \bmod N = ((A \bmod N) \times (B \bmod N)) \bmod N$.

Property 3. For an equation $Ax = B \bmod N$, if and only if $\gcd(A, N)$ divides $B$, the equation must have a solution or multiple solutions, and the number of solutions is equal to $\gcd(A, N)$, where $\gcd(A, N)$ is the greatest common divisor of $A$ and $N$. The unique solution is $x \equiv A^{\phi(N)-1} B \bmod N$, where $\phi(N)$ is Euler's totient function.

Proposition. Known two pairs of permutation relationship of Eq. (2), $(x_1, y_1)$ mapping to $(x_1', y_1')$ and $(x_2, y_2)$ mapping to $(x_2', y_2')$, a limited number of solutions, $a$, $b$, $c$ and $d$, can be determined.

Proof. According to Eq. (2) we have the following formulas:

$$x_1' = a x_1 + b y_1 \bmod N, \tag{3a}$$
$$y_1' = c x_1 + d y_1 \bmod N, \tag{3b}$$
$$x_2' = a x_2 + b y_2 \bmod N, \tag{4a}$$
$$y_2' = c x_2 + d y_2 \bmod N. \tag{4b}$$

We subtract Eq. (4a) multiplied by $y_1$ from Eq. (3a) multiplied by $y_2$; according to Property 1 and Property 2 we have

$$(x_1' y_2 - x_2' y_1) \bmod N = a (x_1 y_2 - x_2 y_1) \bmod N. \tag{5}$$

Due to Property 3, we can solve the parameter $a$ of Eq. (5). The parameter $a$ may have either one solution or a limited number of solutions. For the latter case, we utilize the other mapping relationship that satisfies Eq. (2) to further confirm the right parameter. Converting Eqs. (3) and (4) into different forms, we have

$$\begin{aligned}
(x_1' x_2 - x_2' x_1) \bmod N &= b (x_2 y_1 - x_1 y_2) \bmod N, \\
(y_1' y_2 - y_2' y_1) \bmod N &= c (x_1 y_2 - x_2 y_1) \bmod N, \\
(y_1' x_2 - y_2' x_1) \bmod N &= d (x_2 y_1 - x_1 y_2) \bmod N.
\end{aligned} \tag{6}$$

Same as Eq. (5), we can solve the parameters $b$, $c$ and $d$.
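The Proposition as an added Python example (not code from the paper): `solve_congruence` implements Property 3, and `candidate_keys` solves Eqs. (5) and (6) and keeps only the candidates that satisfy Eqs. (3) and (4) for every supplied pair. The function names are chosen here; the numbers in the final comments are the paper's own, from Eqs. (27)–(28) and Table 1 of Section 5.

```python
from itertools import product
from math import gcd

def cat_power(p, q, m, N):
    """Equivalent key (a, b, c, d): the matrix of Eq. (1) raised to the power m, mod N (Eq. (2))."""
    a, b, c, d = 1, 0, 0, 1
    for _ in range(m):
        a, b, c, d = ((a + b * q) % N, (a * p + b * (p * q + 1)) % N,
                      (c + d * q) % N, (c * p + d * (p * q + 1)) % N)
    return a, b, c, d

def solve_congruence(A, B, N):
    """Return every x in [0, N) with A*x = B (mod N), following Property 3."""
    A, B = A % N, B % N
    g = gcd(A, N)                       # gcd(0, N) == N
    if B % g:
        return []                       # gcd(A, N) does not divide B: no solution
    n_red = N // g
    if n_red == 1:
        return list(range(N))           # A = B = 0 (mod N): every residue is a solution
    x0 = (B // g) * pow(A // g, -1, n_red) % n_red
    return [x0 + k * n_red for k in range(g)]   # exactly gcd(A, N) solutions

def candidate_keys(pairs, N):
    """pairs: [((x, y), (x', y')), ...], at least two. The first two feed Eqs. (5)-(6);
    every pair is then used to discard candidates that violate Eqs. (3)-(4)."""
    (x1, y1), (u1, v1) = pairs[0]
    (x2, y2), (u2, v2) = pairs[1]
    det = x1 * y2 - x2 * y1
    a_set = solve_congruence(det, u1 * y2 - u2 * y1, N)     # Eq. (5)
    b_set = solve_congruence(-det, u1 * x2 - u2 * x1, N)    # Eq. (6), first line
    c_set = solve_congruence(det, v1 * y2 - v2 * y1, N)     # Eq. (6), second line
    d_set = solve_congruence(-det, v1 * x2 - v2 * x1, N)    # Eq. (6), third line
    ab = [(a, b) for a, b in product(a_set, b_set)
          if all((a * x + b * y) % N == u for (x, y), (u, _) in pairs)]
    cd = [(c, d) for c, d in product(c_set, d_set)
          if all((c * x + d * y) % N == v for (x, y), (_, v) in pairs)]
    return [(a, b, c, d) for a, b in ab for c, d in cd]

# Pairs taken from Table 1 (N = 128, p0 = 11, q0 = 59, m = 13).
ODD_DET = [((79, 68), (11, 109)), ((5, 113), (0, 1))]       # gcd(det, 128) = 1
EVEN_DET = [((18, 4), (94, 46)), ((48, 3), (33, 110))]      # gcd(det, 128) = 2

if __name__ == "__main__":
    print(cat_power(11, 59, 13, 128))                  # the matrix of Eq. (28)
    print(candidate_keys(ODD_DET, 128))                # one candidate
    print(candidate_keys(EVEN_DET, 128))               # several candidates
    print(candidate_keys(EVEN_DET + ODD_DET[:1], 128)) # a third pair settles it
```

When the determinant shares a factor with N, two pairs leave several candidates, which is the case the proof resolves with a further mapping relationship.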
3. Description of the medical image cryptosystem

The original medical image cryptosystem is a permutation–substitution architecture [8], shown in Fig. 1. In Fig. 1, the permutation process is based on bit-level permutations, each of which uses a different permutation key, and then all bit-planes are combined again. Bit-level permutation uses the discrete cat map with $m$ round iterations, i.e., Eq. (2) with $m \ge 1$. The substitution process is a pixel-level substitution. The whole permutation and substitution process has $n$ rounds, $n \ge 1$. Both the permutation key and the substitution key are unchanged in each round. In Fig. 1, $M$ is a plain-image, $C^{(n)}$ its output encrypted image, and $P^{(t)}$ and $C^{(t)}$ are the $t$-th round permutation-image and substitution-image, respectively, $t = 1, 2, \ldots, n$. Throughout the paper, uppercase symbols stand for images. For example, for an image $P^{(t)}$ of size $N \times N$, its pixel values can be written as a one-dimensional array $p^{(t)}(j)$, $j = 0, 1, \ldots, N^2 - 1$, or a two-dimensional array $p^{(t)}(j_1, j_2)$, $j_1, j_2 = 0, 1, \ldots, N - 1$.

3.1. Bit-level permutation process based on the cat map

Assume that a plain-image $M$ is an eight-bit gray image of size $N \times N$. The detailed permutation process is described in the following three steps.

Step 1. The plain-image $M$ is separated into 8 independent bit-planes, each of which is a binary image, i.e., its pixel values are 0 or 1.

Step 2. Each of the eight bit-planes is shuffled by using Eq. (2) with different parameters $p_i, q_i$, $i = 0, 1, \ldots, 7$. These parameters are the secret permutation key. According to Eq. (2), the parameters $p_i, q_i, m$ and the parameters $a_i, b_i, c_i, d_i$ are equivalent for the permutation process, so $a_i, b_i, c_i, d_i$ are called the equivalent permutation key.

Step 3. The permutation-image $P$ is obtained by combining all the eight shuffled bit-planes together.

3.2. Pixel-level substitution process based on chaotic sequence

The pixel-level substitution process consists of the following three steps:

Step 1. Iterate the logistic map and generate the chaotic sequence

$$z(j) = \mu z(j-1)\,(1 - z(j-1)), \quad z(j) \in [0, 1],\ \mu \in [3.57, 4], \tag{7}$$

where the initial value $z(0)$ and the parameter $\mu$ are the substitution key.

Step 2. The keystream sequence $k(j)$ is generated by

$$k(j) = \mathrm{floor}\big(z(j) \times 10^{14}\big) \bmod 256, \quad j = 0, 1, 2, \ldots, N^2 - 1, \tag{8}$$

where the operation $\mathrm{floor}(x)$ denotes the largest integer not larger than $x$.

Step 3. Encrypt the pixel values of the image $P$ from left to right, from top to bottom, and generate a cipher-image $C$. The pixel values $c(j)$ of $C$ and $p(j)$ of $P$ satisfy

$$c(j) = p(j) \oplus k(j) \oplus c(j-1), \quad j = 0, 1, \ldots, N^2 - 1, \tag{9}$$

where the symbol $\oplus$ denotes bitwise XOR and $c(-1)$ is a constant.

4. Differential cryptanalysis

In this section, we first present the differential cryptanalysis of the whole cryptosystem. The analysis shows that any cipher-image can be successfully recovered by an equivalent permutation key, when a plain image and its cipher-image are known. Our goal of cryptanalysis is to get the equivalent permutation key. We will present how to obtain it by using differential cryptanalysis at three different encryption rounds: $n = 1$, $n = 2$ and $n \ge 3$.

4.1. Differential cryptanalysis of the whole cryptosystem

In this subsection, we will analyze the whole cryptosystem by differential cryptanalysis. First, we consider a situation with one-round encryption, i.e., $n = 1$. Take two plain-images $M_1$ and $M_2$, and obtain the corresponding cipher-images $C_1^{(1)}$ and $C_2^{(1)}$. According to Eq. (9) we have the following pixel values

$$c_1^{(1)}(j) = p_1^{(1)}(j) \oplus p_1^{(1)}(j-1) \oplus \cdots \oplus p_1^{(1)}(0) \oplus k(j) \oplus k(j-1) \oplus \cdots \oplus k(0) \oplus c(-1), \quad j = 0, 1, \ldots, N^2 - 1. \tag{10}$$

We calculate the differential image $\Delta C^{(1)} = C_1^{(1)} \oplus C_2^{(1)}$ and its pixel values $\Delta c^{(1)}(j) = c_1^{(1)}(j) \oplus c_2^{(1)}(j)$. Inserting Eq. (10) into the equality above yields

$$\Delta c^{(1)}(j) = p_1^{(1)}(j) \oplus p_1^{(1)}(j-1) \oplus \cdots \oplus p_1^{(1)}(0) \oplus p_2^{(1)}(j) \oplus p_2^{(1)}(j-1) \oplus \cdots \oplus p_2^{(1)}(0). \tag{11}$$

We define the permutation operation in the following form: $P_1^{(1)} = F_p(M_1) = F_{p_8}(M_{1,8}) \,\|\, F_{p_7}(M_{1,7}) \,\|\, \cdots \,\|\, F_{p_1}(M_{1,1})$, where $M_{1,i}$ and $F_{p_i}(M_{1,i})$ stand for the $i$th bit-plane of the image $M_1$ and its permutation plane, and the symbol $\|$ is a concatenation of different bit-planes. Define the differential of two permutation-images $P_1^{(1)}$ and $P_2^{(1)}$, $\Delta P^{(1)} = P_1^{(1)} \oplus P_2^{(1)}$, so

$$\Delta P^{(1)} = F_{p_8}(\Delta M_8) \,\|\, F_{p_7}(\Delta M_7) \,\|\, \cdots \,\|\, F_{p_1}(\Delta M_1), \tag{12}$$

where $\Delta M = M_1 \oplus M_2 = \Delta M_8 \,\|\, \Delta M_7 \,\|\, \cdots \,\|\, \Delta M_1$. The pixel values of $\Delta P^{(1)}$ are written as

$$\begin{aligned}
\Delta p^{(1)}(j) &= \Delta m_8(i_{8,j}) \,\|\, \Delta m_7(i_{7,j}) \,\|\, \cdots \,\|\, \Delta m_1(i_{1,j}), \\
\Delta p^{(1)}(j-1) &= \Delta m_8(i_{8,j-1}) \,\|\, \Delta m_7(i_{7,j-1}) \,\|\, \cdots \,\|\, \Delta m_1(i_{1,j-1}), \\
&\ \ \vdots \\
\Delta p^{(1)}(0) &= \Delta m_8(i_{8,0}) \,\|\, \Delta m_7(i_{7,0}) \,\|\, \cdots \,\|\, \Delta m_1(i_{1,0}).
\end{aligned} \tag{13}$$

From Eq. (13) we can see that the different positions of the eight bit-planes map to the same position after bit-plane permutations. Considering Eqs. (12) and (13), Eq. (11) is converted to the following form:

$$\begin{aligned}
\Delta c^{(1)}(j) ={}& \Delta m_8(i_{8,j}) \oplus \Delta m_8(i_{8,j-1}) \oplus \cdots \oplus \Delta m_8(i_{8,0}) \,\| \\
& \Delta m_7(i_{7,j}) \oplus \Delta m_7(i_{7,j-1}) \oplus \cdots \oplus \Delta m_7(i_{7,0}) \,\|\, \cdots \,\| \\
& \Delta m_1(i_{1,j}) \oplus \Delta m_1(i_{1,j-1}) \oplus \cdots \oplus \Delta m_1(i_{1,0}).
\end{aligned} \tag{14}$$

Reshaping Eq. (14), we have

$$\Delta C^{(1)} = \Delta C^{(1)}_8 \,\|\, \Delta C^{(1)}_7 \,\|\, \cdots \,\|\, \Delta C^{(1)}_1 = g_{p_8}(\Delta M_8) \,\|\, g_{p_7}(\Delta M_7) \,\|\, \cdots \,\|\, g_{p_1}(\Delta M_1), \tag{15}$$

where the function $g_{p_i}(\cdot)$ is an operation related to the permutation of the $i$th bit-plane. From Eqs. (14) and (15) we can see that the differential cipher-image $\Delta C^{(1)}$ is completely irrelevant to the keystream sequence $k(j)$, and only determined by the differential plain-image $\Delta M$.

Second, we analyze two-round encryption, i.e., $n = 2$. We calculate the differential image $\Delta C^{(2)} = C_1^{(2)} \oplus C_2^{(2)}$ and its pixel values $\Delta c^{(2)}(j)$ by

$$\Delta c^{(2)}(j) = p_1^{(2)}(j) \oplus p_1^{(2)}(j-1) \oplus \cdots \oplus p_1^{(2)}(0) \oplus p_2^{(2)}(j) \oplus p_2^{(2)}(j-1) \oplus \cdots \oplus p_2^{(2)}(0). \tag{16}$$

Defining the differential $\Delta P^{(2)} = P_1^{(2)} \oplus P_2^{(2)}$, from Eq. (12) we have

$$\Delta P^{(2)} = F_{p_8}(\Delta C^{(1)}_8) \,\|\, F_{p_7}(\Delta C^{(1)}_7) \,\|\, \cdots \,\|\, F_{p_1}(\Delta C^{(1)}_1). \tag{17}$$

Considering Eqs. (16) and (17), we have the following equation similar to Eq. (14):

$$\begin{aligned}
\Delta c^{(2)}(j) ={}& \Delta c^{(1)}_8(i_{8,j}) \oplus \Delta c^{(1)}_8(i_{8,j-1}) \oplus \cdots \oplus \Delta c^{(1)}_8(i_{8,0}) \,\| \\
& \Delta c^{(1)}_7(i_{7,j}) \oplus \Delta c^{(1)}_7(i_{7,j-1}) \oplus \cdots \oplus \Delta c^{(1)}_7(i_{7,0}) \,\|\, \cdots \,\| \\
& \Delta c^{(1)}_1(i_{1,j}) \oplus \Delta c^{(1)}_1(i_{1,j-1}) \oplus \cdots \oplus \Delta c^{(1)}_1(i_{1,0}).
\end{aligned} \tag{18}$$

Same as Eq. (15), we also have

$$\begin{aligned}
\Delta C^{(2)} &= \Delta C^{(2)}_8 \,\|\, \Delta C^{(2)}_7 \,\|\, \cdots \,\|\, \Delta C^{(2)}_1 \\
&= g_{p_8}(\Delta C^{(1)}_8) \,\|\, g_{p_7}(\Delta C^{(1)}_7) \,\|\, \cdots \,\|\, g_{p_1}(\Delta C^{(1)}_1) \\
&= g_{p_8}(g_{p_8}(\Delta M_8)) \,\|\, g_{p_7}(g_{p_7}(\Delta M_7)) \,\|\, \cdots \,\|\, g_{p_1}(g_{p_1}(\Delta M_1)) \\
&= g^2_{p_8}(\Delta M_8) \,\|\, g^2_{p_7}(\Delta M_7) \,\|\, \cdots \,\|\, g^2_{p_1}(\Delta M_1).
\end{aligned} \tag{19}$$

From Eq. (19) we can see that the differential cipher-image $\Delta C^{(2)}$ is a result of the differential plain-image $\Delta M$. Similarly to $n = 1$ and $n = 2$, the differential cipher-image $\Delta C^{(n)}$ for $n$-round encryption is denoted by

$$\Delta C^{(n)} = g^n_{p_8}(\Delta M_8) \,\|\, g^n_{p_7}(\Delta M_7) \,\|\, \cdots \,\|\, g^n_{p_1}(\Delta M_1). \tag{20}$$
From Eq. (20) we can draw the following three conclusions:

(i) Operation on each bit-plane of a differential cipher-image is independent, thus each can be analyzed independently even with eight bit-planes.

(ii) The differential cipher-image is completely irrelevant to the keystream sequence, which means there is no correlation between the differential cipher-image and the substitution key. Thus we do not need to consider the substitution key, which makes it possible to greatly reduce the key space of the cryptosystem. This is the key point we want to emphasize in our cryptanalysis.

(iii) The differential cipher-image is a result of the differential plain-image $\Delta M$ and the operation $g_{p_i}(\cdot)$. If $M_2$ is a blank image, all pixel values of which are zero, the differential cipher-image is only dependent on $M_1$ and the permutation key. By choosing a special $M_1$, we may find the permutation key.

Through conclusion (ii), we know that the differential cipher-image of the cryptosystem only depends on the permutation key instead of on the substitution key. Assuming an attacker knows the permutation key, a plain-image $M_2$ and its cipher-image $C_2^{(n)}$, any cipher-image $C_1^{(n)}$ can be recovered as follows:

Step 1. Calculate the differential $\Delta C^{(n)} = C_1^{(n)} \oplus C_2^{(n)}$.

Step 2. Reconstruct $\Delta P^{(n)}$ from $\Delta C^{(n)}$. According to Eq. (9) we have

$$\Delta c^{(n)}(j) = \Delta p^{(n)}(j) \oplus \Delta c^{(n)}(j-1), \quad j = 0, 1, \ldots, N^2 - 1, \tag{21}$$

and it leads to

$$\Delta p^{(n)}(j) = \Delta c^{(n)}(j) \oplus \Delta c^{(n)}(j-1), \quad j = 0, 1, \ldots, N^2 - 1. \tag{22}$$

Reshape the sequence $\Delta p^{(n)}(j)$ and obtain $\Delta P^{(n)}$.

Step 3. Compute $\Delta C^{(n-1)}$ by the inverse permutation of Eq. (2) with the permutation key or its equivalent key.

Step 4. Repeat steps 2 and 3 $n$ times and get the final differential image $\Delta M$. Since the differential $\Delta M = M_1 \oplus M_2$, the original plain-image can be recovered in the form $M_1 = \Delta M \oplus M_2$.

Throughout the analysis above, we can conclude that once the permutation key or its equivalent key is obtained, the cryptosystem is fully broken. In Section 5, we will give a simulation result. Our next focus is how to obtain the equivalent permutation key at different numbers of encryption rounds.

4.2. Obtaining the equivalent permutation key at 1-round encryption

First choose two plain-images $M_0$ and $M_1$, $\Delta M = M_0 \oplus M_1$, obtain the corresponding cipher-images $C_0^{(1)}$ and $C_1^{(1)}$, and their differential image $\Delta C^{(1)} = C_0^{(1)} \oplus C_1^{(1)}$. We restructure the differential permutation image $\Delta P^{(1)} = P_0^{(1)} \oplus P_1^{(1)}$ through Eq. (22). Comparing $\Delta P^{(1)}$ and $\Delta M$, we will find the possible permutation relationship of Eq. (2).

Here, we give an example in which $M_0$ and $M_1$ are two special images. $M_0$ is a blank image and $M_1$ a blank image with only one nonzero pixel $m_1(0, 1) = 1$, such that we only focus on the lowest bit-plane. Obviously, there is only one nonzero pixel in $\Delta P^{(1)}$, which can be computed through $\Delta C^{(1)}$. Assuming that the nonzero pixel is $\Delta p^{(1)}(l) = \Delta p^{(1)}(x_1', y_1')$, $l = x_1' N + y_1'$, we establish one mapping relationship of Eq. (2), i.e., from $(0, 1)$ to $(x_1', y_1')$. We solve Eq. (2), and obtain $b_0 = x_1'$ and $d_0 = y_1'$. If we take another blank plain-image $M_2$ with one nonzero pixel $m_2(1, 0) = 1$, we have $\Delta p^{(1)}(x_2', y_2') = 1$, so $a_0 = x_2'$, $c_0 = y_2'$.

To obtain the permutation parameters of all bit-planes, we may choose special nonzero pixel values, $m_1(0, 1) = 2^i$, $m_2(1, 0) = 2^i$, $i = 1, 2, \ldots, 7$. Using the differential analysis above, we further get the other bit-plane permutation parameters $a_i, b_i, c_i, d_i$. To extract all the permutation parameters, we need only 17 trials (17 chosen plain-images), which is less time consuming.

4.3. Obtaining the equivalent permutation key at 2-round encryption

In this case, we adopt two-way differential comparison, forward differential and backward differential analysis, to obtain the equivalent permutation key.

We take two special plain-images, a blank image $M_0$ and a blank image $M_1$ with one nonzero pixel $m_1(0, 1) = 1$, and obtain their cipher-images $C_0^{(2)}$ and $C_1^{(2)}$, respectively. Then we construct the backward differential image $\Delta P^{(2)}$ from Eq. (22). From Eq. (9) we calculate the forward differentials $\Delta c^{(1)}(j) = c_0^{(1)}(j) \oplus c_1^{(1)}(j)$ by

$$\Delta c^{(1)}(j) = p_0^{(1)}(0) \oplus p_1^{(1)}(0) \oplus p_0^{(1)}(1) \oplus p_1^{(1)}(1) \oplus \cdots \oplus p_0^{(1)}(j) \oplus p_1^{(1)}(j). \tag{23}$$
Due to the chosen $M_0$ and $M_1$, note that the permutation images $P_0^{(1)}$ and $P_1^{(1)}$ are a blank image and a blank image with one nonzero pixel, respectively. Assume that the nonzero pixel of $M_1$ is mapped to $p_1^{(1)}(x_1', y_1')$, $l = N x_1' + y_1'$, where $l = 0, 1, \ldots, N^2 - 1$. From Eq. (23) we conclude that the differential sequence is

$$\begin{cases}
\Delta c^{(1)}(j) = 0, & j = 0, 1, \ldots, l - 1, \\
\Delta c^{(1)}(j) = 1, & j = l, l + 1, \ldots, N^2 - 1.
\end{cases} \tag{24}$$

Since the permutation operation of the cat map does not change the number of the pixel value differential "0" in $\Delta P^{(2)}$ and $\Delta C^{(1)}$, we obtain the number $l$ from $\Delta P^{(2)}$, and further the position $(x_1', y_1')$ by the equality $l = N x_1' + y_1'$. Finally we establish one mapping relationship from $(1, 0)$ to $(x_1', y_1')$ in Eq. (2).

By choosing another plain-image $M_2$ with one nonzero pixel $m_2(1, 0) = 1$ and by obtaining the corresponding equality $l' = N x_2' + y_2'$, we have another mapping relationship from $(1, 0)$ to $(x_2', y_2')$. According to the two mapping relationships above, we extract the four parameters $a_0, b_0, c_0, d_0$. As in Section 4.2, we use 17 chosen plain-images to get all permutation parameters.

4.4. Obtaining the equivalent permutation key at $n \ge 3$ rounds

If the number of encryption rounds is $n \ge 3$, the differential cryptanalyses in Sections 4.2 and 4.3 are useless. Therefore, we propose an analysis method called double differential cryptanalysis comparison (DDCC).

To facilitate the following analysis, we define two sets of special plain images $M_\alpha$ and $M_\beta$, each of which has $N^2$ images:

$M_\alpha = \{M_{\alpha,0}, M_{\alpha,1}, \ldots, M_{\alpha,N^2-1}\}$, $M_{\alpha,0} = (1, 0, 0, \ldots, 0)$, $M_{\alpha,1} = (0, 1, 0, 0, \ldots, 0)$, …, $M_{\alpha,N^2-1} = (0, 0, \ldots, 0, 1)$.

$M_\beta = \{M_{\beta,0}, M_{\beta,1}, \ldots, M_{\beta,N^2-1}\}$, $M_{\beta,0} = (1, 1, \ldots, 1)$, $M_{\beta,1} = (0, 1, 1, \ldots, 1)$, $M_{\beta,2} = (0, 0, 1, 1, \ldots, 1)$, …, $M_{\beta,N^2-1} = (0, 0, \ldots, 0, 1)$.

Define a blank image $M_0$. After 1-round encryption, the corresponding cipher-images for the two plain-images $M_0$ and $M_{\alpha,i}$ are $C_0^{(1)}$ and $C_{\alpha,i}^{(1)}$, $0 \le i \le N^2 - 1$. Using the forward differential analysis of Eq. (23), we compute $\Delta C_{\alpha,i}^{(1)} = C_{\alpha,i}^{(1)} \oplus C_0^{(1)}$ and it leads to

$$\Delta C_{\alpha,i}^{(1)} = M_{\beta,j} = M_{\beta,j} \oplus M_0 = \Delta M_{\beta,j}, \quad 0 \le i, j \le N^2 - 1. \tag{25}$$

Note that $\Delta C_{\alpha,i}^{(1)}$ must be equal to one of $\Delta M_{\beta,j}$, $j \in [0, N^2 - 1]$, and this is the basis for the DDCC method. If we knew the indexes $i$ and $j$ in Eq. (25), then, similar to the analysis of Section 4.3, we would establish one mapping relationship of Eq. (2). However, the problem is that the relationship between $M_{\alpha,i}$ and $M_{\beta,j}$ is uncertain. To find the relationships, the characteristics of the corresponding available cipher-image differentials are analyzed. Here, we use the DDCC method to extract the fixed relationships of $M_{\alpha,i}$ and $M_{\beta,j}$.

First we compute two cipher-image differential sets. Taking $M_0$ and $M_{\alpha,i}$, we calculate the $n$-round cipher-image differentials $\Delta C_{\alpha,i}^{(n)} = C_0^{(n)} \oplus C_{\alpha,i}^{(n)}$, $i = 0, 1, \ldots, N^2 - 1$. Similarly, $\Delta C_{\beta,j}^{(n)} = C_0^{(n)} \oplus C_{\beta,j}^{(n)}$ for $M_0$ and $M_{\beta,i}$, $j = 0, 1, \ldots, N^2 - 1$. Due to Eq. (25) and the unchanged permutation and substitution keys, the differentials $\Delta C_{\alpha,i}^{(t)} = \Delta C_{\alpha,i}^{(t)} \oplus \Delta C_0^{(t)}$ and $\Delta C_{\beta,j}^{(t)} = \Delta C_{\beta,j}^{(t)} \oplus \Delta C_0^{(t)}$ have the following relationships

$$\begin{aligned}
\Delta C_{\alpha,i}^{(2)} &\triangleq \Delta C_{\beta,j}^{(1)}, \\
\Delta C_{\alpha,i}^{(3)} &\triangleq \Delta C_{\beta,j}^{(2)}, \\
&\ \ \vdots \\
\Delta C_{\alpha,i}^{(n)} &\triangleq \Delta C_{\beta,j}^{(n-1)},
\end{aligned} \tag{26}$$

where the symbol $\triangleq$ denotes a completely equivalent relationship. We can obtain the differential $\Delta C_{\beta,j}^{(n-1)}$ from $\Delta C_{\alpha,i}^{(n)}$ through Eq. (26) and the differential $\Delta P_{\beta,j}^{(n)}$ from $\Delta C_{\beta,j}^{(n)}$ by Eq. (22). In addition, since the permutation process from $\Delta C_{\beta,j}^{(n-1)}$ to $\Delta P_{\beta,j}^{(n)}$ does not change the numbers of differentials "0" and "1", we may detect the permutation relationship of Eq. (2). Next we give the detailed steps.

First, construct the differentials $\Delta P_{\beta,j}^{(n)}$ from $\Delta C_{\beta,j}^{(n)}$, $i = 0, 1, \ldots, N^2 - 1$.

Second, compare the differentials $\Delta P_{\beta,j}^{(n)}$ to $\Delta C_{\alpha,i}^{(n)}$, and then classify $M_{\alpha,i}$ from $\Delta C_{\alpha,i}^{(n)}$ and $M_{\beta,j}$ from $\Delta P_{\beta,j}^{(n)}$. Let $l_{\alpha,i}$ and $l_{\beta,j}$ stand for the numbers of the pixel differentials "0" in $\Delta C_{\alpha,i}^{(n)}$ and $\Delta P_{\beta,j}^{(n)}$, respectively. $L_\alpha = \{l_{\alpha,0}, l_{\alpha,1}, l_{\alpha,2}, \ldots\}$, $L_\beta = \{l_{\beta,0}, l_{\beta,1}, l_{\beta,2}, \ldots\}$, where $0 \le l_{\alpha,i}, l_{\beta,j} \le N^2 - 1$. $L_\alpha$ $L_\beta$: Since the numbers of the pixel differential value "0" in $\Delta C_{\alpha,i}^{(n)}$ and $\Delta P_{\beta,j}^{(n)}$ remain unchanged, if $l_{\alpha,i} = l_{\beta,j}$ and they are unique in the sets $L_\alpha$ and $L_\beta$, a one-to-one relationship between $M_{\alpha,i}$ and $M_{\beta,j}$ is established.

Third, based on $M_{\alpha,i}$ and $M_{\beta,j}$ above and Eq. (24), one mapping relationship of Eq. (2) is found.

Usually we can find several pairs of $l_{\alpha,i}$ and $l_{\beta,j}$ such that $l_{\alpha,i} = l_{\beta,j}$ are unique in the sets $L_\alpha$ and $L_\beta$. After having enough one-to-one pairs of $l_{\alpha,i}$ and $l_{\beta,j}$, we will extract all the parameters $a_0, b_0, c_0, d_0$. In Section 5, simulation examples will be given.

In the sets $M_\alpha$ and $M_\beta$, if we change the nonzero pixel values from 1 to $2^i$, $i = 1, 2, \ldots, 7$, using DDCC we can extract the secret permutation parameters of the $i$th independent bit-plane, i.e., $a_i, b_i, c_i, d_i$. This double differential analysis needs $16N^2 + 1$ image trials, usually smaller than that of a brute force attack, $N^{16}$. If $N = 512$, the difficulty of DDCC is $2^{22} + 1$, much less than that of a brute force attack, $2^{144}$.
5. Simulation results

In this section, first we will simulate how to find the equivalent permutation key of Eq. (2) by the DDCC method. Second, we will present how a cipher-image can be recovered if we know the equivalent permutation key. The parameters of the original cryptosystem are

$$n = 20;\ m = 13;\ p_0 = 11;\ q_0 = 59;\ \mu = 3.97986509862838;\ x_0 = 0.64246417998982. \tag{27}$$

Choosing $128 \times 128$ images, we will test $2^{15} + 1$ images to extract the equivalent permutation key of the lowest bit-plane. Adopting the parameters of Eqs. (27) and (2) leads to

$$\begin{bmatrix} 1 & 11 \\ 59 & 650 \end{bmatrix}^{13} \bmod 128 = \begin{bmatrix} 113 & 123 \\ 43 & 74 \end{bmatrix}. \tag{28}$$

After $2^{15} + 1$ plain-images, i.e., $2^{14}$ $M_{\alpha,i}$, $2^{14}$ $M_{\beta,i}$ and $M_0$, utilizing the DDCC method we can find 50 one-to-one relationships between $M_{\alpha,i}$ and $M_{\beta,i}$, as shown in Table 1. We take two pairs of them and have the following mapping relationships: from $(79, 68)$ of $M_{\alpha,10180}$ to $(11, 109)$ of $M_{\beta,1517}$, and from $(5, 113)$ of $M_{\alpha,753}$ to $(0, 1)$ of $M_{\beta,1}$. By Property 3 of Section 2, we know that the parameter $a_0$ has $\gcd((x_1 y_2 - x_2 y_1), N)$ solutions. As $\gcd((79 \times 113 - 5 \times 68), 128) = 1$, only one unique solution exists and it is

$$a_0 \equiv (79 \times 113 - 5 \times 68)^{63}\,(11 \times 113 - 5 \times 68) \bmod 128 = 113. \tag{29}$$

Adopting the mapping relationships above, we recover the four parameters of Eq. (2), $a_0 = 113$, $b_0 = 123$, $c_0 = 43$ and $d_0 = 74$, which coincide with formula (28).

To show the generality of the simulation above, we repeated the experiments for other different parameters. Table 2 lists the number of one-to-one mapping relationships between $M_{\alpha,i}$ and $M_{\beta,j}$ for different parameters $p_0$, $q_0$, $n$ and $m$. The simulation results show that our DDCC method is effective.

Next, we will present how a cipher-image can be recovered if we know the equivalent permutation key, one plain-image and its cipher-image. For simplicity, the same parameters of Eq. (27) are used for all bit-planes. Two plain-images $M_1$ and $M_2$, and the corresponding cipher-images $C_1^{(20)}$ and $C_2^{(20)}$ are shown in Fig. 2(a), (b), (c) and (d), respectively, where $M_1$ is unknown and $M_2$ known. First, compute the cipher-image differential $\Delta C^{(20)} = C_1^{(20)} \oplus C_2^{(20)}$, as shown in Fig. 2(e). Restructure $\Delta P^{(20)}$ from $\Delta C^{(20)}$ by Eq. (22), and then determine $\Delta C^{(19)}$ by the inverse permutation of Eq. (2) with the recovered parameters of Eq. (28). Similarly repeating the process above 20 times, we finally obtain the differential plain-image $\Delta M = M_1 \oplus M_2$ from $\Delta P^{(1)}$ by the inverse permutation of Eq. (2), as shown in Fig. 2(f). Known $M_2$, the cipher-image $C_1^{(20)}$ is correctly recovered, as shown in Fig. 2(g).
Table 1. Established 50 one-to-one mapping coordinate pairs at $n = 20$, $m = 13$ and $p_0 = 11$, $q_0 = 59$.

{(0,0),(0,0)} {(79,68),(11,109)} {(5,113),(0,1)} {(79,80),(79,101)} {(47,70),(97,33)}
{(101,105),(8,81)} {(23,4),(19,5)} {(18,4),(94,46)} {(33,3),(2,105)} {(102,15),(59,120)}
{(11,69),(2,75)} {(48,3),(33,110)} {(65,11),(122,25)} {(120,47),(13,62)} {(115,92),(119,105)}
{(24,27),(17,86)} {(55,98),(93,17)} {(78,112),(62,122)} {(111,92),(51,61)} {(18,87),(63,44)}
{(80,44),(116,40)} {(105,43),(2,17)} {(31,109),(14,55)} {(74,98),(64,66)} {(24,101),(31,58)}
{(4,90),(2,48)} {(75,96),(59,89)} {(44,101),(115,22)} {(47,113),(10,15)} {(95,69),(22,103)}
{(81,79),(54,113)} {(55,86),(25,25)} {(36,75),(109,58)} {(25,10),(87,23)} {(11,86),(45,53)}
{(15,63),(100,59)} {(34,88),(74,38)} {(21,114),(11,123)} {(61,14),(39,75)} {(15,119),(76,107)}
{(95,115),(48,51)} {(52,59),(77,74)} {(9,52),(117,11)} {(42,64),(74,14)} {(110,83),(111,120)}
{(127,87),(92,123)} {(107,65),(118,67)} {(98,31),(39,108)} {(34,41),(53,16)} {(49,41),(84,21)}
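A toy model of the scheme, added here to make conclusion (ii) of Section 4.1, the recovery Steps 1–4 and the 17-image extraction of Section 4.2 concrete; it is not the authors' simulation code. The 16 × 16 image size, the random images, the second substitution key, $c(-1) = 0$ and all function names are assumptions of this example, and the cat map is iterated once ($m = 1$).

```python
import random

N = 16   # toy image side, constructed for this example (Section 5 uses 128)

def xor(u, v):
    return [s ^ t for s, t in zip(u, v)]

def permute(img, keys, inverse=False):
    """Bit-level shuffle: bit-plane i moves (x, y) to (a x + b y, c x + d y) mod N, Eq. (2)."""
    out = [0] * (N * N)
    for x in range(N):
        for y in range(N):
            src = x * N + y
            for i, (a, b, c, d) in enumerate(keys):
                dst = ((a * x + b * y) % N) * N + (c * x + d * y) % N
                if inverse:
                    out[src] |= img[dst] & (1 << i)
                else:
                    out[dst] |= img[src] & (1 << i)
    return out

def encrypt(img, keys, mu, z0, rounds, c_init=0):
    """n rounds of permutation + substitution with the same keys in every round."""
    ks, z = [], z0
    for _ in range(N * N):
        z = mu * z * (1 - z)                    # Eq. (7)
        ks.append(int(z * 1e14) % 256)          # Eq. (8)
    for _ in range(rounds):
        prev, out = c_init, []
        for pj, kj in zip(permute(img, keys), ks):
            prev = pj ^ kj ^ prev               # Eq. (9)
            out.append(prev)
        img = out
    return img

def unchain(delta_c):
    """Eq. (22); dC(-1) = 0 because both images share the constant c(-1)."""
    return [delta_c[j] ^ (delta_c[j - 1] if j else 0) for j in range(len(delta_c))]

def recover(c_target, m_known, c_known, keys, rounds):
    """Section 4.1, Steps 1-4: uses the equivalent permutation key, never the substitution key."""
    delta = xor(c_target, c_known)                            # Step 1
    for _ in range(rounds):                                   # Step 4
        delta = permute(unchain(delta), keys, inverse=True)   # Steps 2 and 3
    return xor(delta, m_known)

def extract_one_round_keys(oracle):
    """Section 4.2: a blank image plus 16 single-pixel images against a 1-round oracle."""
    blank = [0] * (N * N)
    c_blank = oracle(blank)
    keys = []
    for i in range(8):
        hits = []
        for pos in (0 * N + 1, 1 * N + 0):      # pixels (0, 1) and (1, 0)
            chosen = blank[:]
            chosen[pos] = 1 << i
            d_p = unchain(xor(oracle(chosen), c_blank))
            l = next(j for j, v in enumerate(d_p) if v)
            hits.append(divmod(l, N))           # l = x' N + y'
        (b, d), (a, c) = hits
        keys.append((a, b, c, d))
    return keys

def demo(rounds=5):
    rng = random.Random(2015)                   # constructed sample data
    pq = [(rng.randrange(1, N), rng.randrange(1, N)) for _ in range(8)]
    keys = [(1, p, q, (p * q + 1) % N) for p, q in pq]   # Eq. (1), one key per bit-plane
    secret = [rng.randrange(256) for _ in range(N * N)]
    known = [rng.randrange(256) for _ in range(N * N)]
    sub, other = (3.97986509862838, 0.64246417998982), (3.9, 0.3)
    c_secret = encrypt(secret, keys, *sub, rounds)
    c_known = encrypt(known, keys, *sub, rounds)
    delta_other = xor(encrypt(secret, keys, *other, rounds),
                      encrypt(known, keys, *other, rounds))
    keystream_cancels = xor(c_secret, c_known) == delta_other
    recovered_ok = recover(c_secret, known, c_known, keys, rounds) == secret
    keys_ok = extract_one_round_keys(lambda m: encrypt(m, keys, *sub, 1)) == keys
    return keystream_cancels, recovered_ok, keys_ok

if __name__ == "__main__":
    print(demo())
```

The first result is the design lesson: because Eq. (9) only XORs the keystream in, the difference of two cipher-images is the same under any substitution key, so that key adds nothing against a chosen-plaintext or known-pair analysis.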
6. Vulnerability analysis

According to the design principle of confusion and diffusion for encryption algorithms, the bit-level cat map shuffling algorithm proposed by Fu et al. can achieve a good confusion effect, compared to a pixel-level cat map shuffling algorithm. However, Fu's cryptosystem cannot resist differential cryptanalysis, and the weaknesses of the scheme are as follows.

(i) In the permutation process, the bit-level shuffling of the 8 bit-planes is independent, which does not achieve a good confusion effect between bit-planes.

(ii) The diffusion effect of the algorithm mainly depends on the substitution process, and a previous cipher-pixel only affects subsequent cipher-pixels through Eq. (9). Utilizing Eq. (9), it is easy to get the differential permutation-image of the last encryption round through the differential cryptanalysis of Eqs. (10)–(12).

(iii) The algorithm uses the same secret key in each round, including the permutation and the substitution keys. An unchanged round-key leads to a similar diffusion and confusion effect in every round.

(iv) The diffusion rule of Eq. (9) in the substitution process is quite vulnerable to differential cryptanalysis, as differential cipher-images eliminate the keystream component. This problem greatly reduces the key space of the cryptosystem.

In addition, the authors do not consider that the cat map of Eq. (2) has the following adverse features. The pixel point (0, 0) always maps to itself, which is bad for the confusion effect. The iteration of the cat map is periodic, thus it is necessary to choose an appropriate iteration number. The cycle length is related to the image size and the parameters $p$ and $q$. In Table 3, we list some cycle lengths for different image sizes.

7. Conclusion

In this paper, we analyze the security of a medical image encryption scheme of the permutation–substitution type. We demonstrate that the original cryptosystem is vulnerable to the differential attack, and the differential cryptanalysis shows that the security of the original scheme only depends on the permutation key instead of on all of the keys, thus the key space is greatly reduced. Adopting 17 chosen plain-images can break the 1-round and 2-round encryption system, and all the secret permutation parameters can be revealed by differential cryptanalysis. More importantly, we choose two special plain-image sets and propose the DDCC method that extracts the equivalent permutation key with $16N^2 + 1$ plain-images, where $N^2$ is the size of images. Simulation results confirm the effectiveness of the DDCC method for breaking multi-round encryption and show that any cipher-image can be recovered by the equivalent permutation key when a plain image and its cipher-image are known. Finally we summarize the security vulnerabilities of the cryptosystem. A secure cryptosystem not only has good statistical properties, such as histogram, information entropy and correlation of adjacent pixels, but also resists all kinds of attacks.
Table 2
The number of one-to-one mapping relationships between $M_{\alpha,i}$ and $M_{\beta,j}$ for different parameters n, m, p0 and q0.

| | n = 5, m = 7 | n = 10, m = 7 | n = 15, m = 13 | n = 20, m = 13 |
|---|---|---|---|---|
| p0 = 11, q0 = 59 | 48 | 35 | 40 | 50 |
| p0 = 31, q0 = 82 | 41 | 52 | 40 | 44 |
| p0 = 40, q0 = 96 | 394 | 383 | 550 | 540 |
Table 3
Some cycle lengths of the cat map at parameters p = 1, q = 1 for different image sizes.

| Image size | 256 × 256 | 128 × 128 | 256 × 256 | 512 × 512 |
|---|---|---|---|---|
| Cycle length | 48 | 96 | 192 | 384 |
Fig. 2. The plain-image recovery process when the permutation key is known. An original plain-image and its cipher-image in (a) and (b). A known plain-image and its cipher-image in (c) and (d). (e) The differential image of (b) and (d). (f) The differential image of (a) and (c). (g) The recovered plain-image of (b).
Conflicts of interest statement

The authors declared that they have no conflicts of interest in this work.

References

[1] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurc. Chaos 8 (06) (1998) 1259–1284.
[2] Z.H. Guan, F. Huang, W. Guan, Chaos-based image encryption algorithm, Phys. Lett. A 346 (1-3) (2005) 153–157.
[3] N.K. Pareek, V. Patidar, K.K. Sud, Image encryption using chaotic logistic map, Image Vis. Comput. 24 (9) (2006) 926–934.
[4] K.W. Wong, B.S.H. Kwok, W.S. Law, A fast image encryption scheme based on chaotic standard map, Phys. Lett. A 372 (15) (2008) 2645–2652.
[5] T. Gao, Z. Chen, A new image encryption algorithm based on hyper-chaos, Phys. Lett. A 372 (4) (2008) 394–400.
[6] C.K. Huang, H.H. Nien, Multi chaotic systems based pixel shuffle for image encryption, Opt. Commun. 282 (11) (2009) 2123–2127.
[7] X. Wang, J. Zhao, H. Liu, A new image encryption algorithm based on chaos, Opt. Commun. 285 (5) (2012) 562–566.
[8] C. Fu, W.H. Meng, Y.F. Zhan, et al., An efficient and secure medical image protection scheme based on chaotic maps, Comput. Biol. Med. 43 (8) (2013) 1000–1010.
[9] X. Wang, Q. Wang, A novel image encryption algorithm based on dynamic S-boxes constructed by chaos, Nonlinear Dyn. 75 (3) (2014) 567–576.
[10] Y.C. Zhou, K. Panetta, S. Agaian, A lossless encryption method for medical images using edge maps, in: Proceedings of the IEEE Engineering in Medicine and Biology Society Conference, 2009, pp. 3707–3710.
[11] S. Som, S. Sen, A non-adaptive partial encryption of grayscale images based on chaos, Procedia Technol. 10 (2) (2013) 663–671.
[12] S.J. Li, C.Q. Li, G.R. Chen, et al., A general cryptanalysis of permutation-only multimedia encryption algorithms, Signal Process.: Image Commun. 23 (3) (2004) 212–223.
[13] C.Q. Li, K.T. Lo, Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Process.: Image Commun. 91 (4) (2011) 949–954.
[14] R. Rhouma, S. Belghith, Cryptanalysis of a new image encryption algorithm based on hyper-chaos, Phys. Lett. A 372 (38) (2008) 5973–5978.
[15] C. Çokal, E. Solak, Cryptanalysis of a chaos-based image encryption algorithm, Phys. Lett. A 373 (15) (2009) 1357–1360.
[16] E. Solak, C. Çokal, O.T. Yildiz, Cryptanalysis of Fridrich's chaotic image encryption, Int. J. Bifurc. Chaos 20 (5) (2009) 1405–1413.
[17] E. Solak, R. Rhouma, S. Belghith, Cryptanalysis of a multi-chaotic systems based image cryptosystem, Opt. Commun. 283 (2) (2010) 232–236.
[18] L.B. Zhang, Z.L. Zhu, B.Q. Yang, et al., Cryptanalysis and improvement of an efficient and secure medical image protection scheme, Math. Probl. Eng. 2015 (2015).