Cryptanalyzing an image encryption scheme using reverse 2-dimensional chaotic map and dependent diffusion

Abstract

In the recent literature, many research studies have proven that Known and Chosen plaintext attacks are very efficient tools that are widely used to cryptanalyze partially or completely some chaos-based and non-chaos cryptosystems. In this paper, we addressed some weaknesses in the first Zhang et al., cryptosystem “An image encryption scheme using reverse 2-dimensional chaotic map and dependent diffusion”. First, we analyzed the encryption process of Zhang et al., and we found that the non-linear diffusion process can be removed because its argument is present in the ciphered image. Then, based on this observation we derived a partial cryptanalysis equation that removes the effect of the diffusion function and accordingly permits to recover the permuted version of the ciphered image. As a result of the previous operation, the brute-force attack became more suitable. In addition, we mounted a chosen plaintext attack based on a proposed chosen plain image. Consequently, the encryption key space is reduced or recovered for one round, also, the average values of NPCR and UCAI randomness parameters become small compared to the optimal values, and moreover, they are very low for specific pixel position attacks.

1 Introduction

In the last years, algorithms that are used to secure information become more important, specially with the rapid growth of multimedia networking and communication [1, 6, 24, 48]. For example, data security is one of the main obstacles against wide adoption of cloud computing [22]. In cryptography, two essential requirements are important in any cryptosystem: a high encryption throughput and a high security level. Normally, it is difficult to design a cryptosystem that can achieve these two requirements together. A trade off between security level and encryption speed depends on the target application [8, 11, 29], for example, some applications require a security level for some days or hours and a slow encryption time, while other applications require a high security level with extra computational time. Shannon in his research [38] defines the importance of confusion and diffusion effects, and stated that, “in a strongly ideal cipher all statistics of the cryptogram are independent of the particular key used”. The confusion property aims to make the statistical relationship between the cipher image and the secret key as complex as possible [33], whereas the diffusion property aims to make the statistical relationship between the plain image and the cipher image as complex as possible [9, 14, 18]. The diffusion process modifies the statistical properties of the plain image by spreading the effect of each bit/byte of the plain image all over the cipher image. As a result, the efficiency of using differential attacks is decreased significantly [5, 33, 45]. Based on Kerckhoffs’ principle [34], the security of the encryption algorithm should only be based on the secret key and all the system parts should be known for the public [15]. A cryptanalyst tried to break the cipher without knowing the secret key, with several levels of difficulties based on the available resources.

Any proposed cryptosystem should pass all statistical tests, and it should be evaluated regarding to the existing and known mathematical attacks.

The cryptanalysis research papers confirm that the security evaluation of cryptosystems by standard statistical tools is not a sufficient proof of their security [2, 7, 10, 16, 21, 32, 35, 36, 40,41,42,43, 47]. Also, in recent years many studies demonstrate the weaknesses of some chaos-based and non-chaos cryptosystems against the plain-chosen text attacks and against a combination of differential-chosen text attacks. For example, Y. Zhang et al., [51] broke a chaotic image encryption algorithm based on the Perceptron Model by finding the equivalent secret key, using only one pair of known-plaintext/ciphertext. Moreover, the proposed encryption algorithm “A simple, sensitive and secure image encryption algorithm based on hyper-chaotic system with only one round diffusion” [31] is cryptanalyzed by applying known plaintext and chosen plaintext attacks by Y. Zhang et al., [53]. Li et al., [20] broke a chaotic image encryption algorithm based on the modulo addition and XOR operation by using two known plain-images and the corresponding cipher-images. The attack is based on some properties of solving a composite function involving a carry bit, which is composed of the modulo addition and bitwise OR operations. Zhang and Xiao [49] carried out cryptanalysis of S-box-only chaotic image ciphers by using chosen plaintext attack, and demonstrated that the computational complexity of the attack is only O (128 L), where the constant L is the total number of pixels with respect to the image. Again, Y. Zhang et al., broke a novel image cipher based on mixed transformed logistic maps [54], by applying chosen plaintext attack, six odd integer keys and three chaotic keystreams equivalent to the chaotic keys were revealed. Liu and Liu [26] investigated the security of an image scheme based on a permutation layer carried out by the Cat-map and chaos-based substitution layer. Eight images are selected in revealing all keystreams. Where as when seven images are selected the block-Cat-map is broken. By using a combination of chosen-plaintext attack and differential attack, Y. Zhang et al., revealed all the keystream of an image scrambling based on chaotic sequences and Vigenère cipher In [55]. L. Y. Zhang et al., [50] applied the differential cryptanalysis on a chaos-based image encryption algorithm using an alternate structure. The differential attack can recover an equivalent secret key with only a small number of chosen plain-images. Finally, li et al., [19] pointed out that all permutation-only image ciphers are insecure against known/chosen-plaintext attacks in the sense that only O(log_L(MN)) known/chosen plain-images are sufficient to break the ciphers, where MN is the size of the image and L is the number of different pixel values. Also, it is found that the attack complexity is only O(n(MN)²), where n is the number of known/chosen plain-images used.

In the proposed work, partial cryptanalysis of the first Zhang et al., cryptosystem is carried out. It is based on a chosen plaintext attack and a mathematical model to remove the diffusion effect of the last round of dependent diffusion, decrease the security level based on differential attacks, and decrease the encryption key space (i.e., sometimes called sub-key, it is generated from the secret key for each new encryption round and the used mathematical function should be difficult to invert. [12, 30, 56]).

It is important to note that Zhang et al., cryptosystem can be secure when the variable n is greater than 2, but in this case the system becomes time consuming and not suitable for real-time applications.

This paper is organized as follows: Section 2 presents the cryptosystem of Zhang et al., [52]. In Section 3, the partial cryptanalysis of the Zhang et al., cryptosystem is described in detail. Section 4 presents our conclusion.

2 The first Zhang et al., cryptosystem

Two cryptosystems were designed based on Fridrich’s architecture in Zhang et al., paper [52]. The first consists of a dependent diffusion layer based on the reverse 2-D cat map. The second presents new mapping from a pseudo-random position to another for the confusion effect. The diffusion layer of both cryptosystems is based on the logistic map. In these versions, Zhang et al., tried to achieve the confusion and the diffusion effects sequentially. Then, the effect of one ciphered pixel is transferred to the next and so on. Only two rounds (in the first version) and one round (in the second version) of the diffusion-confusion process are/is needed instead of many rounds of separate confusion and diffusion processes used in the traditional structures such as Fridrich cryptosystem [46].

Our work is directed to the first Zhang et al., cryptosystem. The mathematical model of the first Zhang et al., cryptosystem, (Enc=the encryption process) is:-

$$ Enc =\left\{\begin{array}{l} \left[\begin{array}{c} x^{\prime}\\ y^{\prime} \end{array}\right] = \left[\begin{array}{cc} 1 & p_{i}\\ qi & p_{i}q_{i}+ 1 \end{array}\right] \left[\begin{array}{c} x\\ y \end{array}\right] (Mod N )\\ ciph(x,\ y)=arr(x^{\prime},\ y^{\prime}) \oplus f(t)\\ t=ciph(x,\ y) \end{array}\right. $$

(1)

The general block diagram of the first Zhang et al., cryptosystem is shown in Fig. 1. It consists of the following steps iterated n times (with n > 0):

1. 1.

   Selection: this step generates a random pair arr(r_x^j, r_y^j) from the whole image. The values of the variable r_x^j and the variable r_y^j are calculated using (2) and (3), where the variable j is a counter ranging from 0 to n − 1 encryption rounds.

   $$ {r_{x}}^{j}=(SQ_{1}(2000 + 100+j)\times 10^{9})mod\ 512 $$

   (2)
   $$ {r_{y}}^{j}=(SQ_{2}(2000 + 100+j)\times 10^{9})mod\ 512 $$

   (3)

   SQ₁ and SQ₂ series are calculated using (7).

2. 2.

   Array exchanges: the second step is to exchange the first byte arr(0, 0) with the random byte from the previous step arr(r_x^j, r_y^j).

3. 3.

   Dependent diffusion: the cryptosystem goes to the dependent diffusion layer for m rounds (m = 2 in the Zhang et al., cryptosystem case), which also includes three stages.

   1. (a)

      New position estimation: in the dependent diffusion layer the first step is to calculate the new byte position (x^′, y^′) from the old byte position (x, y) using (4).

      $$ \left[\begin{array}{c} x^{\prime}\\ y^{\prime} \end{array}\right]= \left[\begin{array}{cc} 1 & p_{i}\\ qi & p_{i}q_{i}+ 1 \end{array}\right] \left[\begin{array}{c} x\\ y \end{array}\right] (Mod N) $$

      (4)

      where the variable N is the square root of the test image. Variables p_i and q_i are calculated using the following equations:

      $$ p_{i}=(SQ_{1}(2000+i)\times 10^{9})mod\ 512 $$

      (5)
      $$ q_{i}=(SQ_{2}(2000+i)\times 10^{9})mod\ 512 $$

      (6)

      The variable i is a counter ranging from 0 to m − 1. The two sequences SQ₁ and SQ₂ used in (2, 3, 5), and (6) are calculated using the following equation:

      $$ f(x_{n})=\alpha \times x_{n-1}(1-x_{n-1}) $$

      (7)

      Where the initial values x_− 1 = 0.12345678912345 for SQ₁, and for SQ₂ is x_− 1 = 0.67856746347633. The value of α is set to 3.99999.

   2. (b)

      Calculation of the local ciphered pixel: the next step of the dependent diffusion layer is to calculate the ciph(x, y) value using the following equation:

      $$ ciph(x,\ y)=arr(x^{\prime},\ y^{\prime}) \oplus f(t) $$

      (8)

      where

      $$ f(t)={\left[\alpha\left( \frac{t}{1000}\right)\times \left[1-\frac{t}{1000}\right]\times 1000\right] mod\ 256} $$

      (9)
   3. (c)

      Update of t: the last step of the dependent diffusion layer is to change the value of the variable t using (10).

      $$ t=ciph(x,\ y) $$

      (10)

      The initial value t₀ is defined by the following equation:

      $$ t_{0}=[4\times {key}_{d} \times (1-{key}_{d})\times 1000]mod\ 256. $$

      (11)

      Where the initial value of the diffusion key variable key_d = 0.33456434300001.

Fig. 1

Zhang et al., image encryption cryptosystem architecture

3 Research objectives

In the proposed work, the first Zhang et al., cryptosystem is presented and analyzed in order to perform the following research objectives:

1. 1.

   Deriving a mathematical equation to recover a per-mutated version of the ciphered image.

2. 2.

   Removing the diffusion effect.

3. 3.

   Applying the Chosen Plaintext Attack (CPA).

4. 4.

   Applying brute force attack and CPA together.

5. 5.

   Decreasing the UACI and NPCR values significantly.

6. 6.

   One encryption round and two dependent diffusion rounds have been broken completely. Moreover, the partial cryptanalysis equation is used to significantly decrease the robustness of the cryptosystem for two encryption rounds and two dependent diffusion rounds (assumed secure in the Zhang et al., cryptosystem) regarding differential attacks.

4 Partial cryptanalysis of Zhang et al., cryptosystem

In this section, the number of depended diffusion rounds and cryptanalysis levels are presented. The partial cryptanalysis equation and the used scenario are described to decrease the key space. Based on our chosen image the CPA is analyzed. NPCR and UACI values are reproduced using our proposed equation.

4.1 Conditions for the proposed partial cryptanalysis

The proposed partial cryptanalysis is highly dependent on the number of encryption rounds. The conditions and the level of the proposed cryptanalysis are summarized in Table 1.

Table 1 Partial cryptanalysis level

The Zhang et al., cryptosystem is susceptible to the brute force attack for (n = 1, m = 1), where as for other cases it seems to be secure. The robustness against the brute force attack is described in detail in Section 4.3.1. Regarding differential attacks, the Zhang et al., cryptosystem does not pass this type of attack because after applying our partial cryptanalysis, the UACI and NPCR values become too far from the optimal values. Section 4.3.5 presents a detailed study of this type of attacks. Finally, the used encryption keys of the Zhang et al., cryptosystem can be recovered as described in Section 4.3.4.

4.2 Partial cryptanalysis method and the scenario principle

In fact, the encryption key space of the diffusion function f(t) (8) can be removed from the calculation of the total encryption key space independently of the used key, because the t values are clearly presented in the ciphered image. This is the core of the partial cryptanalysis method. To prove the correctness of the above assumptions, we derive the following scenario:

• \(ciph_{0}=arr_{{k^{\prime }}_{0}} \oplus f(t_{0})\)

• \(ciph_{1}=arr_{{k}_{1}^{\prime }} \oplus f(t_{1})=arr_{{k}_{1}^{\prime }} \oplus f(ciph_{0})\)

• \(ciph_{2}=arr_{{k}_{2}^{\prime }} \oplus f(t_{2})=arr_{{k}_{2}^{\prime }} \oplus f(ciph_{1})\)

• \(ciph_{3}=arr_{{k}_{3}^{\prime }} \oplus f(t_{3})=arr_{{k}_{3}^{\prime }} \oplus f(ciph_{2})\)

• \(ciph_{4}=arr_{{k}_{4}^{\prime }} \oplus f(t_{4})=arr_{{k}_{4}^{\prime }} \oplus f(ciph_{3})\)

• \(ciph_{k}=arr_{{k}_{k}^{\prime }} \oplus f(t_{k})=arr_{{k}_{k}^{\prime }} \oplus f(ciph_{k-1})\),

Where \(arr_{{k^{\prime }}_{0}}\) is coming from the plain image of the current encryption round, ciph₀ is the first ciphered pixel which is the result of (8), (as an example, \(arr_{{k^{\prime }}_{0}}\) in the case of n = 1, m = 1 it is the original plain image (arr(x^′, y^′)), while in the case of n = 1, m = 2 it is the encrypted image which is the output of (1) (i.e ciph(x, y)) and so on).

From the last equation in the previous sequences, we can write the main partial cryptanalysis equation of the Zhang et al., cryptosystem as:

$$ arr_{{k}_{k}^{\prime}}=ciph_{k} \oplus f(ciph_{k-1}) $$

(12)

where

• k = x × N + y

• k^′ = x^′× N + y^′ ((x^′, y^′) is the new position calculated from the old one (x, y), (4)).

Note that \(arr_{{k}_{k}^{\prime }}\) is the input pixel of the last dependent diffusion round (m) in the last encryption round (n) and ciph_k is the ciphered pixel. As the function f(t) is known, (12) can be used to remove the diffusion effect of the last (m and n) rounds from the ciphered pixels. This allows recovery of a permuted version of the previous ciphered image.

4.3 Partial Cryptanalysis results and benefits

The proposed partial cryptanalysis scenario can be used by the cryptanalyst to perform one of the following attacks:

1. 1.

   Decrease the encryption key space of the whole cryptosystem.

2. 2.

   Perform partial cryptanalysis of the Zhang et al., cryptosystem for (n = 1, m = 1) and (n = 1, m = 2).

3. 3.

   Decrease the UACI and NPCR values significantly.

4.3.1 Decreasing the encryption key space of the whole cryptosystem

The brute-force attack is the basic attack that can be used against any cryptosystem. It trys all possible keys until the correct key is found. In the worst case, all possible keys in the key space are tested [37, 39]. From (4), it is clear that the key space of the 2-D cat map for Zhang et al., cryptosystem is N² for one encryption round and one dependent diffusion round (n = 1, m = 1), where N is the square root of the image size. In (9), the key space of the function f(t) is independent of the image size, and it is 2⁸ for (n = 1, m = 1). The time complexity spent on performing the brute force attack on Zhang et al., cryptosystem is:

$$KS=(S_{1} \times S_{2})^{n\times m}, $$

where the parameter KS is the total encryption key space, S₁ represents the encryption key space for the standard 2-D cat map, and S₂ represents the encryption key space for the logistic map implemented by a lookup table S₁ = N², S₂ = 2⁸, and so

$$KS=(N^{2} \times 2^{8})^{n\times m}. $$

For one encryption round and one dependent diffusion round (n = 1, m = 1).

With N = 512

$$KS=(2^{18} \times 2^{8})^{1}. $$

The cryptanalysis time complexity is 2²⁶ which is less than 2¹²⁸.

Equation (12) can be used to find the permuted plain image which means that the encryption key space of the parameter t can be removed from the encryption key space analysis:

$$KS=(2^{18})^{1}. $$

The cryptanalysis time complexity is 2¹⁸ which is less than 2¹²⁸.

For one encryption round, two dependent diffusion rounds (n = 1, m = 2), (N = 512) and if we assume that the Zhang et al., cryptosystem encrypts a plain image P into a cipher image C₁ in the first dependent diffusion round, and then encrypts the cipher image C₁ into a cipher image C₂ in the second dependent diffusion round. Using (12) we can at least find non-order C₁ pixels easily within 10 ms. To find the original plain image P (at n = 1, m = 2), the cryptanalytic system needs 10 ms to obtain the cipher image C₁ from the cipher image C₂. For each possible value of the encryption keys p₂ and q₂, the ciphered image C₁ is decrypted using the brute-force attack for all possible values of the encryption keys p₁ and q₁:

KS = (S₁)², S₁ = 2³⁶, The cryptanalysis time complexity is 2³⁶ which is less than 2¹²⁸.

For one encryption round, one dependent diffusion round (i.e., n = 1, m = 1), and (N = 256),

$$KS=(S_{1})^{1}, S_{1}= 2^{16}, $$

The cryptanalysis time complexity is 2¹⁶ which is less than 2¹²⁸.

For one encryption round, two dependent diffusion rounds (i.e., n = 1, m = 2), and (N = 256)

$$KS=(S_{1})^{2}, S_{1}= 2^{32}: $$

The cryptanalysis time complexity is 2³² which is less than 2¹²⁸.

Note that, the possible values of the encryption keys p₁ and q₁ are completely independent for each round. Which opens the possibility of using parallel cryptanalysis.

4.3.2 Chosen plaintext attack (CPA) on the first Zhang et al., cryptosystem

The CPA is defined as a cryptanalysis model when the adversary has the capability of choosing some plaintexts and encrypting them. The adversary studies the corresponding ciphertexts to obtain some information on the used keys or even to reduce the security level of the cryptosystem [3, 13, 17, 23]. From this well-known definition, we can choose a plaintext and encrypt it without knowing the encryption keys, and our objective is to calculate the encryption keys. The following scenario describes the proposed partial crytpanalysis of the first Zhang et al., cryptosystem. The chosen plain image is used to find the encryption keys (q₁, p₁) of the first dependent diffusion round. Using these keys we can decipher any ciphered image with the same encryption keys (this scenario is only applicable in the case where n = 1, m = 1). We choose a specific plain image P of size 512 × 512 × 1 byte. This plain image is chosen to help us in the process of finding the encryption keys (q₁, p₁). Indeed, we try to fill each position with a predefined value to decrease the range of possible values of the encryption keys q₁ and p₁.

The possible pixel value ranges from 0 to 255 and, the Zhang et al., image size has 512 rows and 512 columns. We fill every two rows with the same pixel value except pixels 0,1 and 2 (the justification of this exception is described later). Knowing the plain pixel value helps to determine the row which is related to the value of (p₁). To determine the value of (q₁, which refers to the column number) the second and the fourth rows are filled using the sequential series 1, 2, 3, 4, …255, 1, 2, 3, 4, …255, 1, 2. Now, the exceptions are:

• A pixel value of 0 has been placed in the top left of the plain image, which is not a useful pixel because of the second step of the Zhang et al., (Array Exchanges).

• A pixel value of 1 has been placed in three rows (it can be any pixel of value 2, 3, …255 the idea here is to have three rows instead of two filled with the same value. We can replace the fifth row by 2^′s instead of 1^′s with no major changes, but we cannot add 0 more than one time in the whole image).

For example, assuming that the decrypted value is 5, then by looking at the following given matrix P, we can be sure that only rows (1, 3, 9 or 10) contain this value. This will be helpful in the process of finding values of the encryption keys q₁ and p₁ as illustrated below. The chosen plain image P is encrypted, and the ciphered image (C₁) is obtained. A group of ciphered pixels is used to analyze the encryption process and to try to recover the encryption keys. For this we introduce the steps:

First encryption key calculations (q ₁)

To find the value of the encryption key q₁, as described before, the second and the fourth rows are only helpful to decrease the possible values of the encryption key q₁. Two steps are carried out:

First Step :

As mentioned before, q₁ refers to the column position. Using the ciphered pixel at position (x = 1, and y = 0), the plain pixel position (x^′, y^′) is calculated using (4):

$$\begin{array}{@{}rcl@{}} x^{\prime} &=& 1 \times x +p_{1} \times y = 1 + 0 = 1 \implies \mathbf{x}^{\prime}=\mathbf{1},\\ y^{\prime} &=& q_{1} \times x +(q_{1} \times p_{1}+ 1) \times y y^{\prime}=q_{1} \times 1 +(q_{1} \times p_{1}+ 1) \times 0 \implies \mathbf{y}^{\prime}=\mathbf{q}_{\mathbf{1}}, \end{array} $$

This means that from the value of the ciphered pixel ciph(1, 0), the value of the plain pixel arr(1, q₁) can be easily calculated using (12): arr(1, q₁) = ciph_k ⊕ f(ciph_k− 1), where ciph_k = ciph(1, 0) and ciph_k− 1 is calculated using (13).

$$ (x_{previous},y_{previous})=\left\{\begin{array}{ll} (x-1,N-1), & \quad k\ \text{is a multiple of N}\\ (x,y-1), & \quad \text{otherwise} \end{array}\right. $$

(13)

So, arr(1, q₁) = ciph(1, 0) ⊕ f(ciph(0, 511)).

The ciphered pixels (ciph(1, 0), ciph(0, 511)) are known. The function f(t) is also known. The plain pixel value arr(1, q₁) is located in row number 1 of the plain image P. The only unknown parameter is the column position which is q₁, ranging from 0 to 511.

Equation (14) is used to decrease the key space of the encryption key q₁.

$$ q_{1} \in \left\{\begin{array}{ll} \text{Skip this value}, & \quad arr(1,\ q_{1})= 0\\ \{0,\ 255,\ 510\}, & \quad arr(1,\ q_{1})= 1\\ \{1,\ 256,\ 511\}, & \quad arr(1,\ q_{1})= 2\\ \{arr(1,\ q_{1})-1,\ arr(1,\ q_{1})+ 254\}, & \quad \text{otherwise} \end{array}\right. $$

(14)

If arr(1, q₁) = 0, it is skipped since it can come from any position of the chosen plain image P (Fig. 1 justifies this, since the first pixel is swapped with a random pixel from the whole image). If arr(1, q₁) = 1, the value can be located in one of three positions on row number 1 (second row): [(1, 0), (1, 255) or (1, 510)], As a result, the possible values of q₁ are 0, 255 or 510. If that arr(1, q₁) = 2, the value can be located in one of three positions on row number 1: [(1, 1), (1, 256) or (1, 511)]. Finally, if arr(1, q₁) > 2, the value can be located in one of two positions on row number 1: [(1, arr(1, q₁) − 1) or (1, arr(1, q₁) + 254)] which are the positions containing the arr(1, q₁) value.

Second Step :

To further decrease the possible range values of the encryption key q₁, another ciphered pixel at position (x = 3, and y = 0) is considered. The pixel is located in the fourth row. The position (x^′, y^′) of the corresponding plain pixel is calculated using (4):

$$\begin{array}{@{}rcl@{}} x^{\prime} &=& 1 \times x +p_{1} \times y x^{\prime}= 3 + 0 = 3 \implies \mathbf{x}^{\prime}=\mathbf{3},\\ y^{\prime} &=& q_{1} \times x +(q_{1} \times p_{1}+ 1) \times y y^{\prime}=q_{1} \times 3 +(q_{1} \times p_{1}+ 1) \times 0 \implies \mathbf{y}^{\prime}=\mathbf{3}\mathbf{q}_{\mathbf{1}}, \end{array} $$

Using (12) and (13)

$$arr(3,\ 3q_{1})=ciph(3,\ 0) \oplus f(ciph(2,\ 511)), $$

The second decrypted pixel arr(3, 3q₁) is located in row number 3, and the column position 3q₁, with 0 ≤ 3q₁ ≤ 511. Equation (15) is used to decrease the key space of the encryption key q₁ (simplification of (15) is given in Appendix A).

$$ 3q_{1} \in \left\{\begin{array}{ll} \text{Skip this value}, & \quad arr(3,\ 3q_{1})= 0\\ \{253,\ 508\}, & \quad arr(3,\ 3q_{1})= 1\\ \{254,\ 509\}, & \quad arr(3,\ 3q_{1})= 2\\ \{0,\ 255,\ 510\}, & \quad arr(3,\ 3q_{1})= 3\\ \{1,\ 256,\ 511\}, & \quad arr(3,\ 3q_{1})= 4\\ \{a,b\}, & \quad \text{otherwise} \end{array}\right. $$

(15)

where

$$ a= \left\{\begin{array}{ll} \frac{arr(3,\ 3q_{1})-3}{3}, & \quad (arr(3,\ 3q_{1})-3)\ MOD\ 3 = 0\\ \frac{arr(3,\ 3q_{1})+ 509}{3}, & \quad (arr(3,\ 3q_{1})-3 + 512)\ MOD\ 3 = 0\\ \frac{arr(3,\ 3q_{1})+ 1021}{3}, & \quad \text{otherwise} \end{array}\right. $$

(16)

$$ b= \left\{\begin{array}{ll} \frac{arr(3,\ 3q_{1})+ 252}{3} ,&\quad (arr(3,\ 3q_{1})+ 252)\ MOD\ 3 = 0\\ \frac{arr(3,\ 3q_{1})+ 764}{3}, &\quad (arr(3,\ 3q_{1})+ 252 + 512)\ MOD\ 3 = 0\\ \frac{arr(3,\ 3q_{1})+ 1276}{3}, &\quad \text{otherwise} \end{array}\right. $$

(17)

From the previous four ciphered pixels (ciph(1, 0), ciph(0, 511), ciph(3, 0) and ciph(2, 511)), the exact value of the encryption key q₁ is calculated by finding the overlap values between the first and the second steps. More details of this analysis are given in the Appendix A.

Second encryption key calculations (p ₁)

To find the value of the encryption key p₁ (which refers to the row position), at least two steps are needed:

First Step :

From the ciphered pixel at the (x = 0, and y = 1) position, the plain pixel position (x^′, y^′) is calculated using (4):

$$\begin{array}{@{}rcl@{}} x^{\prime} \!&=&\! 0 \times x +p_{1} \times 1 x^{\prime}\,=\,0+p_{1}\,=\,p_{1} \implies \mathbf{x}^{\prime}=\mathbf{p}_{\mathbf{1}},\\ y^{\prime} \!&=&\! q_{1} \!\times\! x \,+\,(q_{1} \times p_{1}+ 1) \!\times\! y y^{\prime}\!=q_{1} \times 0 +(q_{1} \times p_{1}+ 1) \times 1 \!\implies\! \mathbf{y}^{\prime}\,=\,\mathbf{q}_{\mathbf{1}} \times \mathbf{p}_{\mathbf{1}}+\mathbf{1}. \end{array} $$

Using (12), the value of arr(p₁, p₁q₁ + 1) is calculated: arr(p₁, p₁q₁ + 1) = ciph(0, 1) ⊕ f(ciph(0, 0)).

The decrypted pixel arr(p₁, p₁q₁ + 1) is located at row number p₁ of the chosen plain image P. Here we focus on finding the p₁ value (p₁ ranges from 0 to 511). Equation (18) is used to decrease the encryption key space p₁ as:

$$ p_{1} \in \left\{\begin{array}{ll} \text{Skip this value}, &\quad arr(p_{1},\ p_{1}q_{1}\,+\,1)\,=\,0\\ \{0,\!\ 1,\!\ 3,\!\ 4,\!\ 511 \}, &\quad arr(p_{1},\ p_{1}q_{1}\,+\,1)\,=\,1\\ \{1,\!\ 2,\!\ 3\}, &\quad arr(p_{1},\ p_{1}q_{1}\,+\,1)\,=\,2\\ \{1,\!\ 3,\!\ arr(p_{1},\!\ p_{1}q_{1}\,+\,1)\!\times\!2\,-\,1,\ arr(p_{1},\!\ p_{1}q_{1}\,+\,1)\!\times\! 2\}, &\quad \text{otherwise} \end{array}\right. $$

(18)

To justify (18), firstly, assume that arr(p₁, p₁q₁ + 1) = 1, from the chosen plain image P, the plain pixel value 1 is located in five rows [0, 1, 3, 4, 511], and so, the possible values of the encryption key p₁ are: [0, 1, 3, 4, 511]. Secondly, assume that arr(p₁, p₁q₁ + 1) = 2, then this value is located in three rows: [1, 2, 3], and so, the possible values of the encryption key p₁ are: [1, 2, 3]. Thirdly, assume that arr(p₁, p₁q₁ + 1) = 3, then this value is located in four rows [1, 3, 5, 6], and so, the possible values of the encryption key p₁ are: [1, 3, 5, 6]. Finally, for any value such that arr(p₁, p₁q₁ + 1) > 2, this value can be located in one of four rows [1, 3, arr(p₁, p₁q₁ + 1) × 2 − 1, arr(p₁, p₁q₁ + 1) × 2], and so, the possible values of the encryption key p₁ are [1, 3, arr(p₁, p₁q₁ + 1) × 2 − 1, arr(p₁, p₁q₁ + 1) × 2].

Second Step :

To further decrease the range values of the encryption key p₁, another ciphered pixel at position (x = 0, and y = 2) is considered. The position (x^′, y^′) of the corresponding plain pixel is calculated using (4):

$$\begin{array}{@{}rcl@{}} x^{\prime} \!&=&\! 1 \!\times\! x \,+\, p_{1} \!\times\! y \!\implies\! x^{\prime} \,=\, 0 \,+\, 2p_{1} \,=\, 2p_{1} \!\implies\! \mathbf{x}^{\prime} \,=\, \mathbf{2}\mathbf{p}_{\mathbf{1}},\\ y^{\prime} \!&=&\! q_{1} \!\times\! x \,+\, (q_{1} \!\times\! p_{1} \,+\, 1) \!\times\! y \!\!\implies\! y^{\prime} \,=\, q_{1} \!\times\! 0 \,+\, (q_{1} \!\times\! p_{1} \,+\, 1) \!\times\! 2 \!\!\implies\!\! \mathbf{y}^{\prime} \,=\, \mathbf{2}(\mathbf{q}_{\mathbf{1}} \!\times\! \mathbf{p}_{\mathbf{1}} \,+\, \mathbf{1}), \end{array} $$

Again, using (12) the value of arr(2p₁, 2p₁q₁ + 2) is calculated as:

$$arr(2p_{1},\ 2p_{1}q_{1}+ 2)=ciph(0,\ 2) \oplus f(ciph(0,\ 1)) $$

This pixel arr(2p₁, 2p₁q₁ + 2) is located at row 2p₁ of the chosen plain image P. The following (19) is used to decrease the key space of the encryption key p₁ as:

$$ p_{1} \in \left\{\begin{array}{ll} \text{Skip this value}, &\quad arr(2p_{1},\!\ 2(p_{1}q_{1}\,+\,1))\,=\,0\\ \{0,\!\ 2,\!\ 256,\!\ 258 \}, &\quad arr(2p_{1},\!\ 2(p_{1}q_{1}\,+\,\!1)))\,=\,1\\ \{1,\!\ 257\}, &\quad arr(2p_{1},\!\ 2(p_{1}q_{1}\,+\,1))\,=\,2\\ \{arr(2p_{1},\!\ 2(p_{1}q_{1}\,+\,1)),\!\ arr(2p_{1},\!\ 2(p_{1}q_{1}\,+\,1))\,+\,256\}, &\quad \text{otherwise} \end{array}\right. $$

(19)

To justify (19), we consider the following cases:

Firstly, assume that the decrypted pixel value is arr(2p₁, 2p₁q₁ + 2) = 1, so from the chosen plain image P, the plain pixel value 1 is located in five rows [0, 1, 3, 4, 511], and the possible values of the encryption key p₁ are as follows:

Using the equality equation 2p₁ = 0, it gives that p₁ ∈{0, 256}. While the equality equations 2p₁ = 1, 2p₁ = 3 and 2p₁ = 511 have no integer solution, since the right-hand side is odd and the left-hand side is even and the modulus value is even. The equality equation 2p₁ = 4, it gives that p₁ ∈{2, 258}.

Secondly, assume that the decrypted pixel value is arr(2p₁, 2p₁q₁ + 2) = 2, then the plain pixel value 2 is located in three rows [1, 2, 3], and the possible values of the encryption key p₁ are as follows:

The equality equations 2p₁ = 1 and 2p₁ = 3 have no integer solution. While the equality equation 2p₁ = 2, it gives that p₁ ∈{1, 257}.

Thirdly, assume that the decrypted pixel value is arr(2p₁, 2p₁q₁ + 2) = 3, then the plain pixel value 3 is located in four rows [1, 3, 5, 6], and the possible values of the encryption key p₁ are as follows:

The equality equations 2p₁ = 1, 2p₁ = 3 and 2p₁ = 5 have no integer solution. While the equality equation 2p₁ = 6, it gives that p₁ ∈{3, 259}.

Finally, for any decrypted pixel value such that arr(2p₁, 2p₁q₁ + 2) > 2, the possible values of p₁ are as follows:

$$p_{1}=arr(2p_{1},\ 2p_{1}q_{1}+ 2) \text{ or } p_{1}=arr(2p_{1},\ 2p_{1}q_{1}+ 2)+ 256. $$

Note that in the most cases the first and the second steps are sufficient to find the encryption key value of p₁. However, if the overlap between the obtained range values of the encryption key p₁ in the first step and the obtained range values of p₁ in the second step is not a single value, then the following calculation is required.

Extra Step :

To find the exact value of the encryption key p₁, the plain pixel position (x^′, y^′) is calculated from the ciphered position pixel at (x = 0, y = 3), using (4):

$$\begin{array}{@{}rcl@{}} x^{\prime} \!&=&\! 1 \!\times\! x +p_{1} \!\times\! y\,=\,0 + 3p_{1}\,=\,3p_{1} \!\implies\! \mathbf{x}^{\prime}\,=\,\mathbf{3}\mathbf{p}_{\mathbf{1}},\\ y^{\prime} \!&=&\! q_{1} \!\times\! x \,+\,(q_{1} \!\times\! p_{1}\,+\,1) \!\times\! y\,=\,q_{1} \!\times\! 0 +(q_{1} \times p_{1}+ 1) \times 3 \!\implies\! \mathbf{y}^{\prime}=\mathbf{3}(\mathbf{q}_{\mathbf{1}} \times \mathbf{p}_{\mathbf{1}}+\mathbf{1}), \end{array} $$

Again, here the plain pixel arr(3p₁, 3(q₁ × p₁ + 1)) is calculated from the ciphered pixels ciph(0, 3) and ciph(0, 2) using (12). Now (20) is used to decrease the encryption key space of the encryption key p₁. To simplify the notation of the calculations, assume:

$$ 3p_{1} \!\!\in\!\! \left\{\!\!\begin{array}{ll} \text{Skip this value}, & arr(3p_{1}, 3(p_{1} \!\times\! q_{1} \,+\, 1)) \,=\, 0\\ \{0,\! 1,\! 3,\! 4,\! 511 \}, & arr(3p_{1}, 3(p_{1}\!\times\! q_{1} \,+\, 1)) \,=\, 1\\ \{1,\! 2,\! 3\}, & arr(3p_{1}, 3(p_{1} \!\times\! q_{1} \,+\, 1)) \,=\, 2\\ \{1,\! 3,\! arr(3p_{1}, 3(p_{1} \!\!\times\! q_{1} \,+\, 1)) \,-\, \!1, arr(3p_{1}, 3(p_{1} \!\times\! q_{1} \,+\, 1))\}, & \text{otherwise} \end{array}\right. $$

(20)

Regarding p₁,

$$ p_{1} \in \left\{\begin{array}{ll} \text{Skip this value}, &\quad arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))= 0\\ \{0,\ 1,\ 171,\ 172,\ \ 341 \}, &\quad arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))= 1\\ \{1,\ 171,\ 342\}, &\quad arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))= 2\\ \{1,\ 171,\ a,\ b\}, &\quad \text{otherwise} \end{array}\right. $$

(21)

Where

$$ a= \left\{\begin{array}{ll} \frac{(arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))) \times 2 - 1}{3}, &\quad ((arr(3p_{1},\!\ 3(p_{1}\!\times\! q_{1}\,+\,1))) \!\times\! 2 \,-\, 1)\ MOD\ 3\,=\,0)\\ \frac{(arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))) \times 2 + 511}{3}, &\quad (((arr(3p_{1},\!\ 3(p_{1}\!\times\! q_{1}\,+\,1)))\!\times\! 2\,+\,511)\ MOD\ 3\,=\,0)\\ \frac{(arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))) \times 2 + 1023}{3}, &\quad \text{otherwise} \end{array}\right. $$

(22)

$$ b= \left\{\begin{array}{ll} \frac{(arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))) \times 2}{3}, &\quad ((arr(3p_{1},\!\ 3(p_{1}\!\times\! q_{1}\,+\,1))) \!\times\! 2 )\ MOD\ 3\,=\,0)\\ \frac{(arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))) \times 2 + 512}{3}, &\quad (((arr(3p_{1},\!\ 3(p_{1}\!\times\! q_{1}\,+\,1)))\!\times\! 2\,+\,512)\ MOD\ 3\,=\,0)\\ \frac{(arr(3p_{1},\ 3(p_{1}\times q_{1}+ 1))) \times 2 + 1024}{3}, &\quad \text{otherwise} \end{array}\right. $$

(23)

Simplification of (20) is given in Appendix A.

4.3.3 Time complexity analysis of the CPA

To evaluate the Time Complexity (TC) of the proposed CPA in the previous section, we need the following operations (later it is referred as TC_CPA):

1. 1.

   One execution of (12) to find the arr(1, q₁).

2. 2.

   TC to perform (14).

3. 3.

   One execution of (12) to further decrease the range values of the encryption key q₁ during the first step.

4. 4.

   TC to perform (15).

5. 5.

   XOR and shifting operations to find the overlap between the first and the second steps.

6. 6.

   One execution of (12) to find the arr(p₁, p₁ × q₁ + 1).

7. 7.

   TC to perform (18).

8. 8.

   One execution of (12) to further decrease the range values of the encryption key p₁ during the second step.

9. 9.

   TC to perform (19).

10. 10.

    One execution of (12) to perform the Extra Step to further decrease the range values of the encryption key p₁ during the second step.

11. 11.

    TC to perform (20).

12. 12.

    XOR and shifting operations to find the overlap between the first and the second steps.

The time complexity of the proposed CPA can be determined using the basic operations required to achieve one execution from (12) to (20). 2 logical Shift operations, 5 logical IF operations, 7 XOR operations, 15 addition and subtraction operations, 15 multiplication and divition operations, and 98 lock up and memory access operations are needed. In terms of instruction complexity, the required TC is 7 XOR operations, 5 logical If statements and 2 shift operations. In terms of execution time, all these operations take less than 5 ms in our simulation enviroment. (see the given examples in Appendix A.)

4.3.4 Combination of brute-force and chosen plaintext attacks

In the case where n = 1, m = 2, which is assumed as a secured case as it is mentioned in [52] at page 2074 “In Algorithm 1, the round numbers m and n as shown in Fig. 7 are selected as 2 and 1, respectively”, the algorithm can be partially cryptanalyzed. A combination of the aforementioned attacks are used to find the encryption key pairs (p₁, q₁, p₂, q₂) and then to find any plain image, ciphered by these pairs of keys. First, the Zhang et al., cryptosystem is used to encrypt our chosen plain image: the chosen plain image P, is encrypted in the first dependent diffusion round (n = 1, m = 1) with the encryption key parameters (p₁, q₁) to obtain the middle cipher image (C₁). In the second dependent diffusion round (n = 1, m = 2), the middle ciphered image (C₁) with encryption key parameters (p₂, q₂) is ciphered to obtain the cipher image (C₂). The cryptanalysis scenario is carried out as:

1. 1.

   Using (12) and the cipher image (C₂), the permuted version of the middle ciphered image (C₁) can be recovered in 10 ms.

2. 2.

   To guess the encryption key pair (p₂, q₂), in the worst case, we need to try 2⁹ possible encryption keys for the encryption key p₂ as well as for the encryption key q₂. For each guess (p₂, q₂), the required time to reorder the middle ciphered image pixels C₁ is 5 ms (achieved by inverse permutation). The proposed CPA in Section 4.3.2 is used to find the encryption key pair (p₁, q₁) of the first dependent diffusion round at (n = 1, m = 1) within 5 ms.

   Time analysis In the worst case, the process requires less than two hours to find the values of the encryption keys (p₁, q₁) and (p₂, q₂) (for the image of size 512 × 512) since, the number of all possible encryption keys (p₂, q₂) is 2¹⁸ keys. The total time to find (p₁, q₁) and (p₂, q₂) is referred as T_{n= 1, m= 2}:

   $$\mathrm{T}_{n = 1, m = 2} = \mathrm{T}_{1} + \mathrm{T}_{2} \times \mathrm{T}_{3} $$

   T₁ is the required time to calculate (C₁) from (C₂) which is 10 ms.

   T₂ is the required time to guess the second encryption key (p₂, q₂) and to order C₁ pixels. It is TC_CPA for each try. In the worst case it requires 2¹⁸ × TC_CPA.

   T₃ is the required time to achieve the proposed attack of Section 4.3.2, which is less than the TC_CPA for each guess.

   T_{n= 1, m= 2} = 10 + 2¹⁸ × TC_CPA × 5 ≈ 110 minutes (i.e., O(2²²)), when TC_CPA = 5.

To generalize the time complexity, assume the used image size is N. For each dependent diffusion round, number of bits for each key is Log₂(N). The time complixety of the proposed attack depends on the image size and number of dependent diffusion round. Fprmally,

$$ TC= 2^{m \times 2 \times Log_{2}(N)} $$

(24)

where, m is number of dependent diffusion round, and N is image size. In order to have secure version of the proposed Zhang et al., cryptosystem, TC should be greater than or equal to 2¹²⁸. Thus, m × 2 × Log₂(N) ≥ 128. Assume N = 512, m should be greater than 7. However, in this case, the Zhang et al., cryptosystem is time consuming, because each dependent diffusion round needs 10 ms. The total time required is 70 ms, which means that the Running Speed (RS) of the 512 × 512 gray image is \(RS=\frac {512 \times 512}{0.070} = 3.58\) Mega bytes per second. This not suitable for real-time application or even high speed encryption applications.

4.3.5 Decreasing the UACI and NPCR values significantly

In this section, a sample experiment is carried out to show the effect of using (12) on the security level of the proposed Zhang et al., cryptosystem exactly in terms of differential attacks.

A cryptosystem should be sensitive to one-bit changes in the plaintext. This requirement is important to resist the known plaintext and the chosen plaintext attacks [25, 28]. In a chosen plaintext attack, more than one plaintext (with one-bit changes between them) is selected to analyze the difference between the corresponding ciphertexts. The measurement tool to test the sensitivity of any cryptosystem regarding these attacks is carried out as: Select P₁ as the first plain image, change one bit in P₁ and name it P₂. (i.e., P₁ and P₂ are exactly the same except for one bit, to be more accurate, this bit should be located at the beginning, middle or the end of the tested image/block). Then both images (P₁ and P₂) are encrypted using the same secret key. This encryption produces two cipher images Cd₁ and Cd₂. Most researchers use two security parameters to measure the resistance of any chaos-based cryptosystem against a plaintext sensitivity attack (differential attacks introduced by Eli Biham and Adi Shamir [4]). These parameters are the Number of Pixel Change Rate (NPCR) and the Unified Average Changing Intensity (UACI), given by the equations:

$$ NPCR= \frac{1}{L \times C \times P} \times \sum\limits_{p = 1}^{P}\sum\limits_{i = 1}^{L}\sum\limits_{j = 1}^{C} D(i,\ j,\ p) \times 100\% $$

(25)

where

$$ D(i,\ j,\ p)=\left\{\begin{array}{l} 0,\ \;\;\;\; \text{ if } \;\;\; Cd_{1}(i,\ j,\ p) = Cd_{2}(i,\ j,\ p) \\ 1,\ \;\;\;\; \text{ if } \;\;\; Cd_{1}(i,\ j,\ p) \neq Cd_{2}(i,\ j,\ p) \end{array}\right. $$

(26)

$$ UACI= \frac{1}{L \times C \times P \times 255} \times \sum\limits_{p = 1}^{P}\sum\limits_{i = 1}^{L}\sum\limits_{j = 1}^{C}|Cd_{1}(i,\ j,\ p)-Cd_{2}(i,\ j,\ p)| \times 100\% $$

(27)

The optimal NPCR value is 99.61%, and the optimal UACI value is 33.46% [27, 44].

We try to reproduce the NPCR and UACI results of the Zhang et al., cryptosystem using exactly the same parameters as were used in Zhang et al., cryptosystem analysis. (i.e., Barbara 512 × 512 × 1 gray-scale image, x_− 1 = 0.12345678912345 for SQ₁, x_− 1 = 0.67856746347633 for SQ₂. The value of the constant α is set to 3.99999, and the diffusion key key_d = 0.33456434300001, with n = 2, m = 2). steps performed are:

1. 1.

   Encrypting the Barbara image (i.e., P₁) using the first Zhang et al., cryptosystem and using the same secret keys mentioned above to obtain the ciphered image Cd₁. Then, changing one bit in the Barbara image (i.e., P₂) and encrypting it to obtain another ciphered image Cd₂. The UACI and NPCR are calculated between the two ciphered images Cd₁ and Cd₂.

2. 2.

   The ciphered images Cd₁ and Cd₂ are used as input for the partial cryptanalysis process based on (12) to remove the diffusion effect in less than 1 ms and the UACI and NPCR are recalculated again (in Table (2), the UACI for this case is UACI_p while the NPCR in this case is the NPCR_p).

The results obtained in Table 2, measured by the UACI_p and the NPCR_p (index _p refers to the calculated NPCR and UACI values after applying our cryptanalysis (12), show that for some pixel positions [(511, 511), (0, 0) and (125, 87)], with a one-bit change value (the LSB bit), Zhang et al., cryptosystem is not secure.

Table 2 Sample of NPCR and UACI results under the same parameters and conditions in the original research paper for all pixel positions

We have done the same experiment explained above, for two pixel positions, but in relation to the nature of the image and to the secret key of the Logistic map. The results given in Table 3, of the parameters UACI_p, NPCR_p, show the sensitivity of Zhang et al., cryptosystem regarding the image under test and the used secret key of the Logistic map. The used values of Key 1 and Key 2, are:

• Key 1:x_− 1 = 0.4251533555101169 for SQ₁, and x_− 1 = 0.80288094729453419 for SQ₂, the initial value of the key_d = 0.2251045258949553.

• Key 2:x_− 1 = 0.96368297372356337 for SQ₁, and x_− 1 = 0.80925931577501753 for SQ₂, the initial value of the key_d = 0.50190740684224977.

Table 3 Sample of NPCR qnd UACI results

5 Conclusion

In this paper, one of the fastest chaos-based cryptosystems, namely the Zhang et al., cryptosystem is studied and analyzed. We partially cryptanalyzed it using a combination of a precise plaintext, as chosen plaintext attack, and a brute-force attack, for parameters (n = 1, m = 2). Next, after removing the diffusion effect using (12), we succeeded in significantly decreasing the security level measured by the well-known parameters NPCR and UACI, by applying the differential attacks for (n = 2, m = 2).

Appendix A: Numerical example on chosen plaintext attack of the first Zhang et al., cryptosystem

The Justification of (15) is given as: (15) is used to decrease the number of possible column positions (i.e., the range of the encryption key q₁). Using the chosen plain image P matrix, the row of the arr(3, 3q₁) is 3.

Firstly, assume that arr(3, 3q₁) = 0, then, this value is skipped. Secondly, assume that arr(3, 3q₁) = 1, then, this value can be located in one of two column positions in row number 3 [(3, 253) or (3, 508)] (see the chosen plain P matrix for more details). Thirdly, assume that arr(3, 3q₁) = 2, then, this value can be located in one of two column positions in row number 3 [(3, 254) or (3, 509)]. Fourthly, assume that arr(3, 3q₁) = 3, then, this value can be located in one of three column positions in row number 3 [(3, 0), (3, 255) or (3, 510)]. Fifthly, assume that arr(3, 3q₁) = 4, this value can be located in one of three column positions in row number 3 [(3, 1), (3, 256) or (3, 511)]. Finally, for all arr(1, q₁) > 4, these values can be located in one of two column positions in row number 3 [(3, arr(3, 3q₁) − 3) or (1, arr(1, q₁) + 252)]. Now, let us take the case when the arr(3, 3q₁) = 4 as an example, without loss of generality, i.e., 3q₁ ∈{1, 256, 511}.

Firstly, the equality equation 3q₁ = 1; to solve this equation, which contains the module operation, the encryption key value q₁ is calculated as:

$$q_{1} = \text{ the integer value of } \left( \frac{1}{3}, \frac{1 + 512}{3}, \frac{1 + 512+ 512}{3}\right) \implies q_{1}= 171. $$

Secondly, the equality equation 3q₁ = 256, then the encryption key q₁ = the integer value of \(\left (\frac {256}{3}, \frac {256 + 512}{3}, \frac {256 + 512+ 512}{3}\right ) \implies q_{1}= 256\).

Finally, the equality equation 3q₁ = 511, then the encryption key q₁ = the integer value of \(\left (\frac {511}{3}, \frac {511 + 512}{3}, \frac {511 + 512+ 512}{3}\right ) \implies q_{1}= 341\).

For all other values (arr(3, 3q₁) > 4), there is a general scheme to calculate the range of the encryption key q₁ values (i.e., a and b parameters in (15)). Now, let us take arr(3, 3q₁) = 5 as another example. i.e., 3q₁ ∈{2, 257}.

Firstly, the equality equation 3q₁ = 2, then: the encryption key q₁ = the integer value of \(\left (\frac {2}{3}, \frac {2 + 512}{3}, \frac {2 + 512+ 512}{3}\right ) \implies q_{1}= 342\).

Secondly, the equality equation 3q₁ = 257.

The encryption key q₁ = the integer value of \(\left (\frac {257}{3}, \frac {257 + 512}{3}, \frac {257 + 512+ 512}{3}\right ) \implies q_{1}= 427\).

From previous developments, we can deduce the following rules for (15):

1. 1.

   In the case where arr(3, 3q₁) ∈{1, 2}, then we have two positions given by: arr(3, 3q₁) + 252 or arr(3, 3q₁) + 507.

2. 2.

   In the case where arr(3, 3q₁) ∈{3, 4}, then we have three positions given by: arr(3, 3q₁) − 3, arr(3, 3q₁) + 252 or arr(3, 3q₁) + 507.

3. 3.

   In the case where arr(3, 3q₁) > 4, then we have two positions given by: arr(3, 3q₁) − 3 or arr(3, 3q₁) + 252.

To justify (20), assume that the ciphered pixel value is one (i.e., T = 1 in (20)). From the chosen plain image P, the value 1, is located in five rows, actually in positions [0, 1, 3, 4, 511], and so: 3p₁ ∈{0, 1, 3, 4}.

Firstly, the equality equation 3p₁ = 0; to solve this equation, which contains the module operation, the encryption key p₁ is calculated as: the encryption key p₁ =the integer value of \(\left (\frac {0}{3}, \frac {0 + 512}{3}, \frac {0 + 512+ 512}{3}\right ) \implies p_{1}= 0\).

Secondly, the equality equation 3p₁ = 1.

The encryption key p₁ = the integer value of \(\left (\frac {1}{3}, \frac {1 + 512}{3}, \frac {1 + 512+ 512}{3}\right ) \implies p_{1}= 171\).

Thirdly, the equality equation 3p₁ = 3.

The encryption key p₁ =the integer value of \(\left (\frac {3}{3}, \frac {3 + 512}{3}, \frac {3 + 512+ 512}{3}\right ) \implies p_{1}= 1\). Fourthly, the equality equation 3p₁ = 4, then the encryption key p₁ =the integer value of \(\left (\frac {4}{3}, \frac {4 + 512}{3}, \frac {4 + 512+ 512}{3}\right ) \implies p_{1}= 172\).

Finally, the equality equation 3p₁ = 511.

The encryption key p₁ = the integer value of \(\left (\frac {511}{3}, \frac {511 + 512}{3}, \frac {511 + 512+ 512}{3}\right ) \implies p_{1}= 341\), p₁ ∈{0, 1, 171, 172, 341}. The same analysis is used for the other values of the variable T, where for T = 2, there are only three possible rows, and for T > 2, there are four possible rows.

Example 1

Calculation of the encryption keys p₁and q₁.

A chosen plain image P is encrypted using 3 randomvalues of the secret key of the Logistic map, namely:[x_− 1, SQ₁], [x_− 1, SQ₂],[key_d, t_− 1]. The following values are obtained from the Lena encrypted image for:[n = 1, m = 1],

$$\begin{array}{@{}rcl@{}} && \mathbf{ciph}(\mathbf{1},\ \mathbf{0})=\mathbf{190},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{511})=\mathbf{27},\\ && \mathbf{ciph}(\mathbf{3},\ \mathbf{0})=\mathbf{149},\\ && \mathbf{ciph}(\mathbf{2},\ \mathbf{511})=\mathbf{159},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{1})=\mathbf{132},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{0})=\mathbf{165},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{2})=\mathbf{140},\\ && \mathbf{ciph}(\mathbf{0},\ \mathbf{1})=\mathbf{132}. \end{array} $$

For the first decrypted pixel, using (12) we obtain:

$$\begin{array}{@{}rcl@{}} arr(1,\ q_{1}) &=& ciph(1,\ 0) \oplus f(ciph(0,\ 511)),\\ arr(1,\ q_{1}) &=& 190 \oplus f(27),\\ arr(1,\ q_{1}) &=& 190 \oplus 105,\\ arr(1,\ q_{1}) &=& 215. \end{array} $$

Using (14), the encryption key q₁values are restricted to:

$$q_{1} \in \{215-1,\ 215 + 254\} \implies q_{1} \in \{214,\ 469\}. $$

For thesecond decrypted pixel, using (12) we obtain:

$$\begin{array}{@{}rcl@{}} && arr(3,\ 3q_{1})=ciph(3,\ 0) \oplus f(ciph(2,\ 511)),\\ && arr(3,\ 3q_{1})= 149 \oplus f(159),\\ && arr(3,\ 3q_{1})= 149 \oplus 22,\\ && arr(3,\ 3q_{1})= 131. \end{array} $$

Using (15), the encryption key value q₁ ∈{a, b}.

To find the value of the parameter a of (15), the following conditions are met:

$$\begin{array}{@{}rcl@{}} && ((131-3)\ MOD\ 3)= 2,\\ && ((131 + 509)\ MOD\ 3)= 1,\\ && ((131 + 1021)\ MOD\ 3)= 0. \end{array} $$

The last condition allows us to calculate the value of parametera:

$$a=\frac{arr(3,\ 3q_{1})+ 1021}{3} \implies a = 384. $$

To findthe value of the parameter b in (15), the following conditions are met:

$$\begin{array}{@{}rcl@{}} && ((131 + 252)\ MOD\ 3)= 2,\\ && ((131 + 764)\ MOD\ 3)= 1,\\ && ((131 + 1276)\ MOD\ 3)= 0. \end{array} $$

The last condition allows us to calculate the value of parameter b:

$$b = 469,\text{ so}, q_{1} \in \{384,\ 469\}. $$

The overlap between thefirst range {214, 469}and the second{384, 469}range gives the exact valueof the encryption key q₁:q₁ = 469.

To calculate the exact value of the encryption keyp₁, weconsider the third decrypted pixel and (12), then:

$$\begin{array}{@{}rcl@{}} && arr(p_{1},\ p_{1}q_{1}+ 1)=ciph(0,\ 1) \oplus f(ciph(0,\ 0)),\\ && arr(p_{1},\ p_{1}q_{1}+ 1)= 132 \oplus f(165),\\ && arr(p_{1},\ p_{1}q_{1}+ 1)= 132 \oplus 39,\\ && arr(p_{1},\ p_{1}q_{1}+ 1)= 163. \end{array} $$

Now by using (18), the encryption key p₁valuesare restricted to:

$$p_{1} \in \{1,\ 3,\ 163\times 2-1,\ 163\times 2\}\implies p_{1} \in \{1,\ 3,\ 325,\ 326\}. $$

Finally, the exact valueof the encryption key p₁is obtained by using the fourth decrypted pixel and (12), as follows:

$$\begin{array}{@{}rcl@{}} && arr(2p_{1},\ 2p_{1}q_{1}+ 2)=ciph(0,\ 2) \oplus f(ciph(0,\ 1)),\\ && arr(2p_{1},\ 2p_{1}q_{1}+ 2)= 140 \oplus f(132),\\ && arr(2p_{1},\ 2p_{1}q_{1}+ 2)= 140 \oplus 202,\\ && arr(2p_{1},\ 2p_{1}q_{1}+ 2)= 70. \end{array} $$

Using (19):

$$p_{1} \in \{70,\ 326\}. $$

The overlap between thefirst range ({1, 3, 325, 326}) and the secondrange ({70, 326}) gives the exactvalue of the encryption key p₁:p₁ = 326.

Remark 1

The above procedure can be used to find any encryption keysp₁andq₁parameters.

Example 2

The original image P is encrypted using new random values ofkey_dand x_− 1, where x_− 1 for SQ₁is differed from the value for SQ₂. Also, Lena image of the same size is encrypted using the same dynamic keys, The followingvalues are obtained from the encrypted image of P:

$$\begin{array}{@{}rcl@{}} && \mathbf{ciph}(\mathbf{1},\mathbf{0})=\mathbf{226}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{511})=\mathbf{166}\\ && \mathbf{ciph}(\mathbf{3},\mathbf{0})=\mathbf{142}\\ && \mathbf{ciph}(\mathbf{2},\mathbf{511})=\mathbf{64}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{1})=\mathbf{87}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{0})=\mathbf{45}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{2})=\mathbf{202}\\ && \mathbf{ciph}(\mathbf{0},\mathbf{1})=\mathbf{87}\\ && arr(1,q_{1})=ciph(1,0) \oplus f(ciph(0,511))\\ && arr(1,q_{1})= 226 \oplus f(166)\\ && arr(1,q_{1})= 190 \oplus 41\\ && arr(1,q_{1})= 203\\ && q_{1} \in \{203-1,203 + 254\}\\ && q_{1} \in \{202,457\} \end{array} $$

$$\begin{array}{@{}rcl@{}} && arr(3,3q_{1})=ciph(3,0) \oplus f(ciph(2,511))\\ && arr(3,3q_{1})= 142 \oplus f(64)\\ && arr(3,3q_{1})= 142 \oplus 239\\ && arr(3,3q_{1})= 97\\ && ((97-3)\ MOD\ 3)= 1\\ && ((97 + 509)\ MOD\ 3)= 0\\ && ((97 + 1021)\ MOD\ 3)= 2 \end{array} $$

Then

$$\begin{array}{@{}rcl@{}} && a = 202\\ && ((97 + 252)\ MOD\ 3)= 1\\ && ((97 + 764)\ MOD\ 3)= 0\\ && ((97 + 1276)\ MOD\ 3)= 2\\ && b = 287\\ && q_{1} \in \{202,287\} \end{array} $$

The overlap of the first and the second solutions is at

$$\mathbf{q}_{\mathbf{1}}=\mathbf{202} $$

To calculate the exactvalue of the dynamic key p₁,for the third decrypted pixel, using (12):

$$\begin{array}{@{}rcl@{}} && arr(p_{1},p_{1}q_{1}+ 1) = ciph(0,1) \oplus f(ciph(0,0))\\ && arr(p_{1},p_{1}q_{1}+ 1) = 87 \oplus f(45)\\ && arr(p_{1},p_{1}q_{1}+ 1) = 87 \oplus 171\\ && arr(p_{1},p_{1}q_{1}+ 1) = 252\\ && p_{1} \in \{1,3,252\times 2-1,252\times 2\}\\ && p_{1} \in \{1,3,503,504\} \end{array} $$

For p₁ = 1

$$arr(1,203)= 204 $$

So this value is rejected Forp₁ = 3

$$arr(3,202\times 3 + 1)=arr(3,95)=Mod(Mod(95,255)+ 3,255)= 98 $$

also,this value is rejected

$$\begin{array}{@{}rcl@{}} && arr(2p_{1},2p_{1}q_{1}+ 2)=ciph(0,2) \oplus f(ciph(0,1))\\ && arr(2p_{1},2p_{1}q_{1}+ 2)= 202 \oplus f(87)\\ && arr(2p_{1},2p_{1}q_{1}+ 2)= 202 \oplus 61\\ && arr(2p_{1},2p_{1}q_{1}+ 2)= 247\\ && p_{1} \in \{247,503\} \end{array} $$

The overlap of the first and the second solutions is at

$$\mathbf{p}_{\mathbf{1}}=\mathbf{503} $$

Now, the encrypted Lena image is decrypted using these dynamicvalues(q₁ = 202, p₁ = 503).