warwick.ac.uk/lib-publications
Manuscript version: Author’s Accepted Manuscript
The version presented in WRAP is the author’s accepted manuscript and may differ from the
published version or Version of Record.
Persistent WRAP URL:
http://wrap.warwick.ac.uk/112157
How to cite:
Please refer to published version for the most recent bibliographic citation information.
If a published version is known of, the repository item page linked to above, will contain
details on accessing it.
Copyright and reuse:
The Warwick Research Archive Portal (WRAP) makes this work by researchers of the
University of Warwick available open access under the following conditions.
Copyright © and all moral rights to the version of the paper presented here belong to the
individual author(s) and/or other copyright owners. To the extent reasonable and
practicable the material made available in WRAP has been checked for eligibility before
being made available.
Copies of full items can be used for personal research or study, educational, or not-for-profit
purposes without prior permission or charge. Provided that the authors, title and full
bibliographic details are credited, a hyperlink and/or URL is given for the original metadata
page and the content is not changed in any way.
Publisher’s statement:
Please refer to the repository item page, publisher’s statement section, for further
information.
Cryptanalyzing an image encryption algorithm based on autoblocking and
electrocardiography
Chengqing Lia,∗, Dongdong Lina, Jinhu L¨ub, Feng Haoc
aSchool of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, Hunan, China bAcademy of Mathematics and Systems Sciences, Chinese Academy of Sciences, Beijing 100190, China
cSchool of Computing Science, Newcastle University, Newcastle Upon Tyne NE1 7RU, UK
Abstract
This paper analyzes the security of an image encryption algorithm proposed by Ye and Huang [IEEE MultiMedia, vol. 23,
pp. 64-71, 2016]. The Ye-Huang algorithm uses electrocardiography (ECG) signals to generate the initial key for a chaotic system and applies an autoblocking method to divide a plain image into blocks of certain sizes suitable for subsequent encryption. The designers claimed that the proposed algorithm is “strong and flexible enough for practical applications”. In this paper, we perform a thorough analysis of their algorithm from the view point of modern cryptography. We find it is vulnerable to the known plaintext attack: based on one pair of a known plain-image and its corresponding cipher-image, an adversary is able to derive a mask image, which can be used as an equivalent secret key to successfully decrypt other
cipher-images encrypted under the same key with a non-negligible probability of 1/256. Using this as a typical counterexample,
we summarize security defects in the design of the Ye-Huang algorithm. The lessons are generally applicable to many other image encryption schemes.
Keywords: Known-plaintext attack, cryptanalysis, image encryption, chaotic cryptography, image privacy.
1. Introduction
Security and privacy of image data have become almost everyone’s concern as sharing and enjoying photos on social media are a part of our daily lives nowadays, which is strongly supported by human’s complex emotional needs, e.g., narcissism, popularity and belongingness. To cope with the challenges, a great number of image encryption and privacy protection schemes were proposed to conceal important information about the original image data from the unintended viewers [1, 2, 3]. The complex
dynamics of chaotic maps demonstrated in an
infinite-precision world are similar to the required
properties of a secure encryption system initially
summarized by Shannon, the father of information theory, in the late 1940s [4, Table 1]. The similarity attracts many security researchers to utilize various chaotic systems and methodologies for all kinds of cryptographic applications, including image encryption, video encryption, image privacy protection, public key infrastructure and hash. Some biometric personal features, e.g. fingerprint, iris, and
∗
Corresponding author.
Email address:[email protected](Chengqing Li)
electrocardiography (ECG) signals, are used for
identification and cryptography in various application scenarios, e.g. Internet of Things [5].
ECG records electrical changes of the skin arising from
the heart muscle’s electrophysiologic patterns of
depolarization and repolarization during each heartbeat. The dynamic properties of the time series of ECG,
measured by the 2D degree distribution of the
corresponding complex networks, can be used as a tool to
identify healthy persons from pathological groups. In
different cryptographic scenarios, the ECG signal is used
for various purposes. In [6], its characteristics in Fourier
domain are used as a key for realizing secure
communication and hash-based authentication among sensor nodes in a body area sensor networks (BANs). To assure an ECG signal is securely transmitted in BANs, it is first compressed with a compression algorithm called SPIHT (set partitioning in hierarchical trees) and then a
small portion of important coefficients in the compression
domain are encrypted using a well-known modern cipher
[7]. The importance of the compression coefficients is
evaluated in terms of their influence strength on
decompression. To keep a patient’s ECG information
private in an automatic online diagnosis system identifying
Preprint submitted to IEEE Multimedia June 11, 2018
six possible states of heart beat, four feature coefficients of the ECG signal are extracted and encrypted by a homomorphic encryption scheme before transmission to the system [8]. In [9], a feature extraction technique of ECG is proposed to accurately authenticate whether two ECG signals belong to the same person.
In [10], a personalized information encryption scheme using ECG signals with chaotic functions was proposed. In this scheme, the Lyapunov exponent of an ECG signal is used as the initial states of two pseudorandom number generators composed of a logistic map and a Henon map, respectively. As selection of chaotic map is a core step in the design of a chaos-based cryptosystem, some unimodal maps like logistic map can weaken security of the supported cryptosystem [11]. In addition, dynamics of any chaotic map in the digital domain are degenerated and may
seriously influence the security of the supporting
encryption function [12, 13]. The paper [10] skipped the problem and did not provide any information on the
concrete functions used for diffusion and confusion, which
violates some basic design principles summarized in [4]. To improve the scheme proposed in [10], Ye and Huang proposed an image encryption algorithm based on autoblocking and electrocardiography (IEAE) in [14]. Their method is to use an ECG signal to generate the initial keys to control the whole encryption process
composed of block-wise matrix multiplications. This
paper re-evaluates the security of IEAE and we find that
IEAE is susceptible to a known-plaintext attack. In
addition, the security defects in IEAE are summarized, along with lessons for avoiding similar pitfalls in the design of image encryption schemes.
The rest of the paper is organized as follows. Section 2 presents a description of IEAE. Detailed cryptanalytic results on IEAE are given in Section 3. The last section concludes the paper.
2. Image encryption algorithm based on autoblocking and electrocardiography (IEAE)
The encryption object of IEAE is a gray-scale image of size M × N, denoted by I = {Ii,j}iM=,1N,j=1. The whole
plain-image is divided into blocks of size p1× p2 and is
encrypted blockwise by IEAE. Let C denotes the
corresponding cipher-image. Then, the basic parts of
IEAE can be described as follows.
• The secret key: non-negative integersω1,ω2,µ1,µ2used
for array indexes; control parameter of Logistic map
xn=µ·xn−1·(1−xn−1), (1)
µ ∈ [3.9,4]; positive integer control parameters of
generalized Arnold map
xn+1
yn+1
!
= 1b 1+aa·b!· xn
yn
!
mod 1, (2)
aandb, where (xmodn)=x−n· bx/nc.
• Public parameter: iteration numberR.
• Initialization:
1) Given an ECG signalZ={zi}Li=1, its largest Lyapunov
exponent,λ, is calculated by Wolf’s algorithm proposed
in [15]:
– Step 1: Transform the signalZinto a sequence in an
m-dimensional phase space,Y={Yi}L
∗
i=1, where
Yi=[z(i−1)m+1,z(i−1)m+2,· · ·,z(i−1)m+m],
L∗=bL/mc. Initialize indexesk=1 andt
k=1.
– Step 2: Calculate the distance
Lk=kYtk −Yt0kk,
whereYt0
k is the directional nearest neighbor point of
Ytk in the phase space, and the angle between
−−−−−→
YtkYt0k−1
and−Y−−−tkY→t0k,θ, is smaller than 30
◦whenk>1.
– Step 3: As the evolution and replacement procedure depicted in Fig. 1, incrementally increase the values
oftkandtk0at the same time until the distance between
Ytk andYt0k is larger than the threshold value. Then,
set their current distance asL0
k,k=k+1, andtk=tk−1.
– Step 4:RepeatStep 2andStep 3untiltk>L∗.
– Step 5:Calculate the largest Lyapunov exponent
λ= 1
tk−1 q
X
k=1
log2 L
0
k
Lk
!
, (3)
whereqis the total number of the replacement steps.
2
L
3
L
1
t t2
1
L
3 L 1
L
2
L
3
t
1
2
4
[image:3.595.315.537.617.696.2]t
Figure 1: Schematic representation of the evolution and
replacement procedure estimating the largest Lyapunov exponent from a phase space.
2) Iterate Eq. (1) P steps from initial condition ¯
x0 = Rem(|λ| ·108) with the control parameter µ and
obtain integer sequence {x¯1,x¯2,· · ·,x¯P} via the
conversion function
f(x)=x·1014mod 256, (4)
where P = (p1 · p2) +256, and Rem(x) returns the
fractional part ofx.
3) Iterate Eq. (2) Q steps from
(x0,y0) = (|λ|,Rem(|λ| ·105)) and assign the obtained
sequence {xr+1,yr+1,xr+2,yr+2,· · ·xr+MN/2,yr+MN/2}
converted by Eq. (4) into M×N matrixDin the raster
order, wherer=x¯µ1, andQ=r+MN/2.
4) Assign sequence{x¯µ3,x¯µ3+1,· · ·x¯µ3+p1·p2}into p1×p2
matrixC0in the raster order, where
µ3=
p1,p2
X
i=1,j=1
Ii,j
mod 256+1, (5)
• The encryption procedure:
– Step 1: DivideIandDintor1·r2 sub-blocks of size
p1×p2, which is automatically selected from a fixed
look-up table via random entries. Table 1 shows the
table used for plain-images of size 256×256. In this
case, indexes
q1=bx¯ω1·10
14cmod 3,
q2=bx¯ω2·10
14cmod 3. (6)
For example, the block size is set as (p1,p2)=(8,16)
if (q1,q2) = (0,1). If p1 - M or p2 - N, some zero
pixels are padded to the plain-image to make equations
[image:4.595.78.254.570.633.2]M=r1·p1andN=r2·p2both exist.
Table 1: Block sizes for plain-image of size 256×256.
H H
H H
H q1
q2 0 1 2
0 (8,8) (8,16) (8,32)
1 (16,8) (16,16) (16,32)
2 (32,8) (32,16) (32,32)
– Step 2: Encrypt thek-th block of plain-imageI,Ik, by
Ck=
(Ik+v·Dk+Ck−1) mod 256 ifk<r1·r2;
(Ik+Ck−1) mod 256 ifk=r1·r2,
(7) fork = 1 ∼(r1·r2), wherev = x¯µ2, andDkdenotes
the k-th block divided in Step 1). To facilitate the
following description, we unify the two functions in Eq. (7) as the same form,
Ck=(Ik+v·Dk+Ck−1) mod 256, (8)
by settingDk≡0 ifk=r1·r2.
• Step 3: Repeat the above stepRtimes.
• The decryption procedure is the inverse version of Eq. (8), and operates
Ik=
(Ck−v·Dk−Ck−1) mod 256 ifk<r1·r2;
(Ck−Ck−1) mod 256 ifk=r1·r2,
(9) fork=(r1·r2)∼1.
3. Cryptanalysis of IEAE
In [14], the authors claimed that “the keystream
generated is related to the plain-image, so it can effectively
resist all kinds of differential attacks.” However, we argue
that the statement is not true. Furthermore, we report the underlying mechanisms relating to the insecurity of some basic parts of IEAE.
3.1. Known-plaintext attack on IEAE
The known-plaintext attack is a cryptanalysis model assuming that the attacker can access a set of plaintexts and the corresponding ciphertexts encrypted by the same
secret key. If an encryption scheme cannot withstand
known-plaintext attack, every secret key should only be used only once in one encryption session, which would incur complex management of secret keys and very high
cost. According to Kerckhoffs’s principle, an encryption
algorithm should be secure even if everything about the algorithm, except the secret key, is public knowledge, which is reformulated by Shannon as “the enemy knows
the system”. In [14], the authors claimed that
“known-plaintext and chosen-plaintext attacks are
infeasible for the proposed encryption algorithm” based on
the sensitivity of matrixC0on the change of plain-images,
caused by the mechanism shown in Eq. (5). Actually, the sensitivity mechanism is cancelled due to the modulo
addition in Eq. (5), which occurs with probability 1/256 if
every pixel in the plain-images is distributed uniformly.
Proposition 1. Given any round number R,D0 ={D0k}r1r2
k=1
is the equivalent secret key of IEAE for other plain-images generating the same value ofµ3, where
D0k=
Ck− k
X
h1=1
h1
X
h2=1 · · ·
hR−2
X
hR−1=1
k−hR−1+1
X
i=1
| {z }
R times
Ii
mod 256. (10)
Proof. Observing Eq. (8), one has
Ck=(Ik+v·Dk+Ck−1) mod 256
=(Ik+Ik−1+v·(Dk+Dk−1)+Ck−2) mod 256
.. . = k X
i=1
Ii+v· k
X
i=1
Di+C0
mod 256,
for any k ∈ {1,2,· · ·,r1 ·r2}. When R = 2 and the
relationship betweenCkandIkbecomes
Ck=
k X
i=1
Ii+v· k
X
i=1
Di+C0+v·Dk+Ck−1
mod 256 = k X
i=1
Ii+v· k
X
i=1
Di+C0+v·Dk+
k−1
X
i=1
Ii+v· k−1
X
i=1
Di+C0+v·Dk−1+Ck−2
mod 256 = 2 X
h1=1
k−h1+1
X
i=1
Ii+v·
2
X
h1=1
k−h1+1
X
i=1
Di+2C0+
v·
k
X
i=k−1
Di+· · ·+I1+v·D1+C0
mod 256,
= k X
h1=1
k−h1+1
X
i=1
Ii+v· k
X
h1=1
k−h1+1
X
i=1
Di+v· k
X
i=1
Di+k·C0
mod 256.
As for any value of round numberR, the relationship can
be similarly derived:
Ck=
k X
h1=1
h1
X
h2=1 · · ·
hR−2
X
hR−1=1
k−hR−1+1
X
i=1
| {z }
Rtimes
Ii+D0k
mod 256, (11)
where
D0k= v· k X
h1=1
h1
X
h2=1 · · ·
hR−2
X
hR−1=1
k−hR−1+1
X
i=1
| {z }
Rtimes
Di
+
k
X
h1=1
h1
X
h2=1 · · ·
hR−3
X
hR−2=1
k−hR−2+1
X
i=1
| {z }
R−1 times
Di+· · ·+ k
X
i=1
Di + k X
h1=1
h1
X
h2=1 · · ·
hR−4
X
hR−3=1
k−hR−3+1
X
i=1
| {z }
R−2 times
i·C0
mod 256,
From Eq. (11), one can see that the mask image
D0 = {D0
k} r1r2
k=1 can work as the equivalent key of IEAE,
which completes the proof of this proposition.
Given one pair of plain-image and the corresponding cipher-image, a mask image can be constructed as
Proposition 1, which can be used to decrypt a
cipher-image when the following two conditions hold at the same time: 1) it is encrypted by IEAE with the same secret key and public parameter as the given cipher-image; 2) its corresponding plain-image can generate the same
value ofµ3as the given plain-image. To check the validity
of the proposed attack, we performed a number of experiments with some secret keys and more than 256
plain-images of size 512×512. When the secret key and
parameter are set as [14], namelya =1,b =1,ω1 = 50,
ω2 = 50, µ = 3.999,µ1 = 20,µ2 = 15, andR = 3, the
plain-image “Lenna” and its results of encryption and decryption are shown in Fig. 2a), b), and c), respectively. A number of cipher-images encrypted with the same secret key as that of Fig. 2b) were decrypted by using the equivalent secret key obtained by the above attack, which
is shown in Fig. 2e). Among them, the cipher-image
shown in Fig. 2d) was successfully decrypted since the corresponding plain-image shown in Fig. 2f) can generate
the sameµ3as the plain-image “Lenna” by Eq. (5).
3.2. Security defects of IEAE
Using IEAE as a representative example, we analyze here the underlying mechanisms for its security defects, which also exist in many other image encryption schemes.
• The real structure of Logistic map in digital computer
In a finite-precision digital computer, dynamics of any chaotic maps satisfying a well-known chaos definition
a) b) c)
d) e) f)
Figure 2: The results of IEAE cryptosystem and the proposed
known-plaintext attack method: a) “Lenna”; b) encrypted
“Lenna”; c) decrypted “Lenna”; d) encrypted “Baboon” with the
same secret key; e) mask imageD0
; f) the breaking result of the encrypted “Baboon.”
in the infinite domain will definitely be degraded. Reliability of numerical solution of some chaotic
dynamical systems is questionable [16]. Given an
arithmetical domain (all possible representable
numbers) and a rounding method, thefunctional graph
of a chaotic map is determined. Just as [14, Fig. 1], a great number of research papers use the change trend of the positive Lyapunov exponent of digital chaotic maps with respect to control parameters to demonstrate
complex degree of their dynamics. The metric only
measures the maps from the macroscopic perspective. Actually, the calculated Lyapunov exponent in the digital domain is the change trend of the underlying functional graph along some evolution orbits (paths). So, some subtle properties of the digital chaotic map are omitted [17], such as short period cycles. To show this point, Fig. 3 depicts the functional graph of Logistic
map with µ = 61/24 in the arithmetic domain
{0,1,2,· · · ,26}under three quantization methods. Some
small-sized connected components are omitted with a relatively high probability, which may lead to security defects of the supported system. Note that the structure of the functional graph of Logistic map implemented in a high precision is very similar to that in a lower precision [17]. Figure 4 presents the functional graph of Logistic map in a 9-bit floating-precision domain.
• Low efficiency of the method generating PRNS
In the field of image encryption, many schemes use
fn(x)= f(10m·x) modD (12)
to convert a floating-point number into an n-bit integer
number, where f(x) is a quantization function, e.g. ceil,
and floor. In computer, complexity of multiplication of
two s-bit binary numbers isO(sα), whereα ∈ (1.35,2]
depending on the specific multiplication algorithm, e.g., Booth’s algorithm and Karatsuba algorithm. As
10m=2·(22+1)m=
m
X
i=0
m i
!
·23m−2i,
the number of “1” in the binary representation of 10m,
n0, is largely proportional tom. In a machine adopting
the “shift and add” algorithm, the computational
complexity is proportional to n0. Figure 5 depicts how
the binary length of 10m, dlog
2(10m)e = dmlog2(10)e,
andn0changes with respect tomwhenm∈ [1,50]. As
for Eq. (4) and Eq. (6), one has m =14,n0 = 17, and
only the eight and two least significant bits are adopted, respectively. So, computations on most computed bits are wasted.
• Period behavior of the generalized Arnold map
In e-bit fixed-precision arithmetical domain, Eq. (2) is
equivalent to
x0
n+1
y0
n+1
!
= b10 1+aa00·b0
!
· x 0
n
y0
n
!
mod 2e, (13)
wherea0 = amod 2e, b0 = bmod 2e, x0
n = bxn ·2ec,
andy0
n =byn·2ec. To visualize the real structure of the
generalized Arnold map, we depict its functional graph with two sets of parameters in Fig. 6, where the number in each node denotes
zn=xn0+(y
0
n·2 e),
and e = 4. The whole graph shown in Fig. 6a) is
[image:6.595.54.285.110.283.2]composed of 8 connected components (CC) of period 16, 8 CC of period 8, 8 CC of period 4, 11 CC of period 2, and 8 self-connected nodes. So, the support of [14, Fig. 2] on random behavior of the generalized Arnold map is groundless. Actually, it only plots a short orbit (path) in a connected component obtained in the digital computer. In addition, although the maximal Lyapunov exponent of the generalized Arnold map is positive, it is a metric measuring the overall dynamics of a system, which may fail to demonstrate complex dynamics (randomness) of the system in a local domain.
• Incapability of the test metrics adopted by IEAE
27 5 17 59 46 15 49 54 10 47 61 1 53 43 11 21 32 62 37 20 57 58 38 52 9 18 35 31 36 42 24 39 13 12 44 6 40 51 34 28 60 33 14 2 26 23 25 7 45 48 63 8 16 41 56 3 50 19 30 29
22 64 0 4 55 a) 7 17 26 5 62
40 57 2
47 24
48
4 14
56
50 27 8
63 36 42 35 22 37 60 28 53 29 55 64 0 41 23 1 30 3 32 61 31 10 11 33 34 43 54 20 9 44 15 12 52 58 6 39 19 25 13 45 21 51 16 59 46 18 38 49 b) 31
6 43 10 29 36
[image:7.595.61.538.111.266.2]30 9 33 54 55 13 58 14 21 50 16 17 42 46 48 2 32 62 8 56 27 22 63 1 0 64 4 38 59 25 39 5 12 26 18 52 45 40 19 23 7 41 24 47 57 51 34 61 11 3 60 37 35 15 44 53 28 49 20 c)
Figure 3: The functional graph of Logistic map withµ=61/24under 6-bit fixed-point precision for different quantization strategies: a)
floor; b) round; c) ceil, where the numberiin each node denotes valuei/26.
272 62 29 368 20 76 108 11 12 10 42 152 38 13 144 46 40 3 672 544 736 432 184 800 72 176 352 576 256 128 248 960 48 168 896 496 224 480 768 50 116 400 992 120 52 192 31 864 512 32 336 112 96 26 304 24 200 928 88 608 84 54 16 216 640 60 208 58 384 1024 0 9 416 124 34 7 240 92 704 25 832 320 22 80 19 28 288 21 104 5 36 27 100 464 136 68 232 17 448 64 18 6 14 56 23 15 4 1 44 160 30 8 2 72 84 88 25 80 20 272 68 30 1024 19 0 800 304 92 26 21 76 256 46 7 2 608 124 416 400 896 128 62 34 208 120 216 36
17 60 10 384 224 27 640 960 64 240 864 672 368 352 232 320 448 496 160 96 116 18 992 9 32 5 23 24 168 22 512 13 48 6 248 736 704 768 288 108 11 8 42 28 16 38 3 1 104 200 136 336 432 58 100 832 29 44 15 54 152 464 12 144 480 40 192 112 56 576 928 31 52 544 14 176 50 184 4 496 960 576 184 192 224 52 800 48 864 672 232 168 13 14 512 28 21 104 46 44 160 352 29 18 832 704 256 76 54 272 736 768 84 240 23 288 68 64 176 480 144 464 42 448 152 544 50 12 6 22 19 80 5 11 88 40 304 24 3 1024 124 416 608 928 26 7
384 200 2
[image:7.595.56.540.306.449.2]100 72 27 248 20 216 15 896 640 128 62 17 0 8 16 108 112 31 4 30 36 60 368 1 116 136 992 32 10 38 9 400 208 120 56 58 336 432 34 320 96 92 25
Figure 4: The functional graph of Logistic map withµ = 123/25 under 9-bit floating-point precision, where significant digits (the
significand) and exponent both occupy 4 bits and the numberiin each node denotes valuei/210.
0 5 10 15 20 25 30 35 40 45 50 m 0 20 40 60 80 100 120 140 160 170 y
y=n0 y=dmlog2(10)e
Figure 5: The bit length of 10mand the number of “1” in its binary
presentation.
– Key Space and Sensitivity: The size of the key space
of IEAE is bounded by the number of available of
ECG signals, which incur complex burdens of secure storage and transmission of the sensitive information and may violate the availability principle of security [18]. Just like the dynamics of any chaotic system are degenerated in digital world [13], the sensitivity of digitized ECG signals with respect to a sampled person and time also worsens to some extents. Furthermore, due to the addition and division in
Eq. (3), totally different ECG signals may own the
same largest Lyapunov exponent. So, the statement in
[14], “ECG is like a one-time keypad–different
people will have different ECGs, so the keys will not
be used twice”, is questionable.
– Histograms: As shown in [2], an attacker cannot
efficiently obtain some meaningful information from
the uniform histogram of pixels, but can learn important statistic information about the plain-image from the histogram of bits. So, changing the objects of histogram may make the statement in [14, Fig. 6]
[image:7.595.62.278.494.656.2]10 50
65 247
61 183 130 67 12 117 118
170 245 240 254 119 160 116 121 49 107 229 120
115 243 222 192 166 164 103 196 249 233 250 199 180205 138207
75 252
97 76 231 110 89 72 109 235 106 93 211 210 80 100 26 40 146 19 147 17 38 37 220 175 24 144 36 236 34 141 31 209
159 161 35 234 52 91 181 178 63 0 194 90 206 145 198 2 202 87 51 165 139 182 43 169 224 3 131 11 238 39 185 186 221 189 226 56
158 22 13 5
157 133 6 94 4 200 225 99 204 237 126 246 253 255 125 244 127 124 162 168
58 53 73 79 191 14 69 172 122 242 251 123 132 108 223 227 98 113 112 187 140 101 239 104
105 92 241 111 114 64 54 174 68 197 218
88 85 184 248 219 203 193 44 154 46 18 16 151 152 23 25 153 163 27 20 156 29 32 41 155 149 150 30 21 148 28 42 74 45 171 66 167 70 33 78 8 15 212 190 95 9 177 217 71 208 59 60 232 173 230 47 48 213 82 195 216 228 83 55 86 134 77 81 214 84 96 102 188 176 215 129 137 142 135 201 7 57 62 1 143 179 a)
54 242 18 86 244 112 164 44 124 66 198 130 108 134 70 6 228 36 172 96 40 104 32 26 248 62 94 250 2 178 194 234 246 34
162 106 170
42 98 204 226 76 140 12 59
197 45 133 159 189
81 123 205 95 72 229 37 64 223 251
141 101 77 125
187 17
237 5 173 31
126
60 90
100
158 236
216 184 58
220
80 84 180 48 82 150 118 50
92
166 120 252
196 238
68 88 230 46
174 102 110 38 240 208 212 168
116 160
182
148 114
52 176 144 20 4 132
224
156 152 232
16 190 188 28
56 24 122
209 145 253 186 74 138 10 202 254 61 119 27 183 163 3 91 7 75 79 111 39 235 53 25 219 217 247 117 155 136 99 89 107 203 55 195 128 43 181 8 15 47 11 171 67 231 199 71 175 245 227 143 103 139 153 109 69 179 221 57 151 115 157 215 165 13 121 167 135 131 239 207 35 0
147 255 49 85 78 14
[image:8.595.80.516.111.380.2]193 154 233 137 161 214 222 146 9 33 142 218 206 30 22 210 21 213 177 105 149 65 113 241 191 97 73 127 41 83 129 169 200 225 1 19 63 201 211 243 93 29 185 51 23 249 87 192 b)
Figure 6: Functional graphs of generalized Arnold maps inZ24: a)a0=7,b0=8; b)a0=12,b0=14.
become invalid.
– Differential Attack: Differential attack is to find
information about the secret key of an encryption
scheme by studying how differences between
plaintexts can affect the resultant difference between
the corresponding ciphertexts, which is unrelated to
the index UACI measuring how plaintext influences
the corresponding ciphertext.
– Correlation Coefficients: Weak correlation among
adjacent pixels is only a necessary (not sufficient)
condition for an invisible cipher-image, which is only related with the capability resisting statistical analysis
from a single cipher-image. In fact, position
permutation is a sufficient way to reduce correlation
coefficients among neighbouring elements in a
plain-image [4].
– Efficiency: In [14], it is claimed that “implementing
encryption using the proposed algorithm is fast”. In fact, the fast running speed of IEAE is built on the simple linear encryption function by sacrificing security. Note that the computational load spent on direct encryption of a plain-image is proportional to the number of plain-bytes and is unrelated with the
block size. Even worse, a substantial part of the
limited computational load of IEAE is wasted in the
processes generating pseudorandom binary
sequences. Among them, the computation of the
largest Lyapunov exponent involves very complex operations (see Sec. 2 or [15]) and the final computational complexity dependents on the specific used algorithmic. Furthermore, Wolf’s method is also very dependant on the length of the time series and in parameters selection (i.e., the embedding dimension and the time delay). Such a dependence could incur
differences between similar configurations in
different computers or setups, which may lead to
slightly different initial conditions of Logistic map.
For example, the same configuration for computing logarithm in Eq. (3) has to be adopted by both secure communication sides. All these dependency problems erode the practicality of IEAE. To obtain a satisfying
balance between efficiency, usability, and security,
selecting some important data in the compressing domain of a plain-image for encryption is a practical approach.
4. Conclusion
This paper analyzed security of an image encryption algorithm based on autoblocking and electrocardiography, and showed that the algorithm was very weak against the
known-plaintext attack. Security defects in the analyzed algorithm were summarized to inform designers of image encryption schemes about common pitfalls and help them improve security levels protecting image data in the current cyberspace.
Acknowledgements
This work was supported by the National Natural Science Foundation of China (no. 61772447, 61532020).
References
[1] L. Bao, S. Yi, and Y. Zhou, “Combination of sharing matrix and image encryption for lossless (k,n)-secret image sharing,” IEEE Transactions on Image Processing, vol. 26, no. 12, pp. 5618–5631, Dec 2017.
[2] C. Li, D. Lin, and J. L¨u, “Cryptanalyzing an image-scrambling encryption algorithm of pixel bits,”IEEE MultiMedia, vol. 3, pp. 64–71, 2017.
[3] E. Y. Xie, C. Li, S. Yu, and J. L¨u, “On the cryptanalysis of Fridrich’s chaotic image encryption scheme,”Signal Processing, vol. 132, pp. 150–154, 2017.
[4] G. Alvarez and S. Li, “Some basic cryptographic requirements for chaos-based cryptosystems,”International Journal of Bifurcation and Chaos, vol. 16, no. 8, pp. 2129–2151, 2006.
[5] P. Peris-Lopez, L. Gonz´alez-Manzano, C. Camara, and J. M. de Fuentes, “Effect of attacker characterization in ECG-based continuous authentication mechanisms for internet of things,”Future Generation Computer Systems, vol. 81, pp. 67–77, 2018.
[6] Z. Zhang, H. Wang, A. V. Vasilakos, and H. Fang, “ECG-cryptography and authentication in body area networks,” IEEE Transactions on Information Technology in Biomedicine, vol. 16, no. 6, pp. 1070–1078, Nov 2012.
[7] T. Ma, P. L. Shrestha, M. Hempel, D. Peng, H. Sharif, and H.-H. Chen, “Assurance of energy efficiency and data security for ECG transmission in basns,” IEEE Transactions on Biomedical Engineering, vol. 59, no. 4, pp. 1041–1048, Apr 2012.
[8] M. Barni, P. Failla, R. Lazzeretti, A.-R. Sadeghi, and T. Schneider, “Privacy-preserving ECG classification with branching programs and neural networks,”IEEE Transactions on Information Forensics and Security, vol. 6, no. 2, pp. 452–468, Jun 2011.
[9] S. I. Safie, J. J. Soraghan, and L. Petropoulakis, “Electrocardiogram (ECG) biometric authentication using pulse active ratio (par),”IEEE Transactions on Information Forensics and Security, vol. 6, no. 4, pp. 1315–1322, DEC 2011.
[10] C.-K. Chen, C.-L. Lin, C.-T. Chiang, and S.-L. Lin, “Personalized information encryption using ECG signals with chaotic functions,”
Information Sciences, vol. 193, pp. 125–140, 2012.
[11] D. Arroyo, G. Alvarez, and V. Fernandez, “On the inadequacy of the logistic map for cryptographic applications,” https://arxiv.org/abs/0805.4355, 2008.
[12] G. Alvarez, J. M. Amig´o, D. Arroyo, and S. Li, “Lessons learnt from the cryptanalysis of chaos-based ciphers,” in Chaos-Based Cryptography. Springer, 2011, pp. 257–295.
[13] Q. Wang and et al., “Theoretical design and FPGA-based implementation of higher-dimensional digital chaotic systems,”
IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 63, no. 3, pp. 401–412, 2016.
[14] G. Ye and X. Huang, “An image encryption algorithm based on autoblocking and electrocardiography,”IEEE MultiMedia, vol. 23, no. 2, pp. 64–71, 2016.
[15] A. Wolf, J. B. Swift, H. L. Swinney, and J. A. Vastano, “Determining Lyapunov exponents from a time series,” Physica D: Nonlinear Phenomena, vol. 16, no. 3, pp. 285–317, 1985, www.mathworks.com/matlabcentral/fileexchange/48084.
[16] R. Lozi, “Can we trust in numerical computations of chaotic solutions of dynamical systems?” inTopology and dynamics of Chaos: In celebration of Robert Gilmore’s 70th birthday. World Scientific, 2013, pp. 63–98.
[17] C. Li, B. Feng, S. Li, J. Kurths, and G. Chen, “Dynamic analysis of chaotic maps as complex networks in the digital domain,” https: //arxiv.org/pdf/1410.7694, 2017.
[18] W.-S. Yap, R. C.-W. Phan, B.-M. Goi, W.-C. Yau, and S.-H. Heng, “On the effective subkey space of some image encryption algorithms using external key,”Journal of Visual Communication and Image Representation, vol. 40, pp. 51–57, 2016.
![Fig. 2] on random behavior of the generalized Arnoldmap is groundless. Actually, it only plots a short orbit(path) in a connected component obtained in the digital](https://thumb-us.123doks.com/thumbv2/123dok_us/9430274.448468/6.595.54.285.110.283/behavior-generalized-arnoldmap-groundless-actually-connected-component-obtained.webp)
