On the Security of a Class of Diffusion Mechanisms for Image Encryption Risk (IEEE 2017).


The need for fast and strong image cryptosystems motivates researchers to develop new techniques to apply traditional cryptographic primitives in order to exploit the intrinsic features of digital images. One of the most popular and mature technique is the use of complex dynamic phenomena, including chaotic orbits and quantum walks, to generate the required key stream. In this paper, under the assumption of plaintext attacks we investigate the security of a classic diffusion mechanism (and of its variants) used as the core cryptographic primitive in some image cryptosystems based on the aforementioned complex dynamic phenomena. We have theoretically found that regardless of the key schedule process, the data complexity for recovering each element of the equivalent secret key from these diffusion mechanisms is only O(1). The proposed analysis is validated by means of numerical examples. Some additional cryptographic applications of this paper are also discussed. Index Terms—Cryptanalysis, diffusion, image encryption, plaintext attack.


THE RECENT years increase in the popularity of the Internet and multimedia communication has resulted in the fast development of information exchange and consumer electronics applications. However, it has also led to an increase in the demand of secure and real-time transmission of these data. The easiest way to cope with this is to consider the multimedia stream as a standard bit stream and apply traditional cryptographic approaches like 3DES [1] and AES [2] with proper mode of operation. Yet, the desire for cryptosystems more efficient and specifically designed for multimedia stream has drawn increasing research attention in the past decade. In this concern, some researchers suggested incorporating the traditional ciphers into the multimedia coding procedure then selectively encrypting part of the data volume [3]–[5] and the rest advocated designing specialized ciphers by taking advantage of the particular structure of multimedia data [6]. The image cryptosystems discussed below belong to the latter category.


In order to correctly evaluate the security level of a diffusion mechanism either in known- or CP attack scenario, we clarify here the power of the adversary. In the KP attack model, the adversary has access to some plaintexts and their corresponding ciphertexts. In the CP attack model, we assume that the adversary can obtain ciphertexts from any plaintext of his choice. In both scenarios, the attacker requires only one encryption machine (computing oracle) and the goal of the attack is either to collect information on the secret key Seed or, equivalently, on the key stream(s) KSA(Seed) generated from Seed. Note that security evaluation of the discussed diffusion mechanisms under other cryptanalysis models, such as bruteforce attack, is as important as the evaluation of them under KP attack, but they are not the focus of this paper. Also, the setting here is slightly different from literature works [49]–[51], where the computing oracle is defined as a machine that faithfully calculates the output of DEA (4) and (5) under given parameters. Hereinafter, we will consider only the problem of recovering KSA(Seed).


The cryptosystems shown in the previous section are based either on a single round permutation-diffusion architecture (Parvin’s and Yang’s cipher) or on a bidirectional diffusion stage (Norouzi’s cipher). In this paper, we focus our attention on the security of the considered diffusion schemes in a plaintext attack. To this aim, we will neglect at this moment all the effects of the permutation schemes in [19], [22], and [23], which will be considered in Section VI only, along with the security of the whole cryptosystems. Mathematically, we assume that all elements of the key streams U and V used for permutation in Parvin’s cryptosystem are zeros, and that U and V in Yang’s cryptosystem are both given by the identity permutation. Note that a similar approach, with a general quantitative plaintext attack on permutation-only image ciphers can be found in [38]. In the diffusion mechanism proposed by Parvin we will show that the problem of finding the key stream K used in the diffusion scheme with a KP attack is equivalent to solving the DEA (αk)⊕(βk) = y, where α, β, y are known parameters and k is unknown. Note that the same DEA, under the assumption that α and β can be freely chosen, has already been analyzed by other works, that are also briefly reviewed.


The underlying strategy is to study the relationship between cipher-images produced by some bottom-line chosen plain-images whose elements are invariant with respect to row and column permutations. Similar ideas are also employed to analyze other chaosbased cryptosystems [21], [35]. Here, we suppose that an image having fixed gray value is available and denote it as P1 = 0 = [p1(i, j) ≡ 0]H,W . Then, we set p1(1, 1) = 128 and keep all the other pixels unchanged and denote the modified image by P2 = [p2(i, j)]H,W . Fig. 6(a) and (b) depict the cipher-images corresponding to P1 and P2, respectively. Here, H = W = 512 is chosen. The difference of the two cipherimages is shown in Fig. 6(c). Find the first pixel whose value is 128 and denote its position by (i1, j1). Referring to (6)– (8), it can be concluded that u(1) = ((j1 − 1) mod H) + 1 and v(1) = ((i1 − 1) mod W) + 1. Repeating this test for all the diagonal pixels of P1, U, and V, the key streams for row and column permutations, can be retrieved completely. Combining with the analysis presented in Section V-A, the data complexity of the CP attack is O(1) + max(H, W) with an overwhelming probability.


Considering the three cryptosystems proposed in [19], [22], and [23] as case studies, we have studied the security properties of equations: 1) (α k) ⊕ (β k) = y and 2) (α k) ⊕ g(β, k) = y. The underlying theory of the key scheduling process employed in these example cryptosystems ranges from chaotic/hyper-chaotic function to quantum computation, which are regarded as having different characteristics. However, our analyses reveal that all the three ciphers are very weak upon plaintext attacks. Specifically, the equivalent key streams used in these designs can be retrieved using a small number of plain-images. We provide a sufficient condition to determine the unknown k of equation 1) under the KP attack scenario. The relationship of our result and the existing ones under CP attack assumption [21], [54], [55] is also investigated. The algorithms provided and the extensive numerical experiments confirm that both equations 1) and 2) can be solved using only O(1) known plaintexts. In this concern, it is readily to conclude that most image ciphers based on a single round permutation-diffusion architecture are insecure with respect to plaintext attacks. This paper can be extended to investigate diffusion equations which involve more complex cryptographic primitives, such as modulo multiplication [35].