Chin. Phys. B Vol. 22, No. 5 (2013) 050503

Cryptanalysis and improvement of a digital image encryption method with chaotic map lattices∗

Wang Xing-Yuan(王兴元)† and Liu Lin-Tao(刘林涛)

Faculty of Electronic Information and Electrical Engineering, Dalian University of Technology, Dalian 116024, China

(Received 30 October 2012; revised manuscript received 23 November 2012)

A digital image encryption scheme using chaotic map lattices has been proposed recently. In this paper, two fatal flaws of the cryptosystem are pointed out. According to these two drawbacks, cryptanalysts could recover the plaintext by applying the chosen plaintext attack. Therefore, the proposed cryptosystem is not secure enough to be used in the image transmission system. Experimental results show the feasibility of the attack. As a result, we make some improvements to the encryption scheme, which can completely resist our chosen plaintext attack.

Keywords: cryptanalysis, chosen plaintext attack, image encryption, chaotic map lattice

PACS: 05.45.Gg, 05.45.Ra, 42.30.Va, 05.45.Vx DOI: 10.1088/1674-1056/22/5/050503

1. Introduction

Chaos is a deterministic, random-like process which appears in a nonlinear system. A chaotic dynamical system has some good features, such as sensitive dependence on initial conditions, ergodicity, non-periodicity, and non-convergence. Under the control of certain parameters, we can obtain very good pseudo-random numbers. Therefore, chaotic cryptography has aroused extensive concern, and many researchers have proposed their chaotic cryptosystems over the years. Some cryptosystems are based on a low-dimensional chaotic map [1–5] with obvious drawbacks, such as small key space, while others based on a high-dimensional chaotic map [6–9] are more secure.

Though many cryptosystems based on chaotic maps have been proposed, some of them have been proved to be not secure enough to be used to encrypt images. Cokai, Wang, Alvarez, and coworkers [10–12] showed that a cryptosystem using a cat map or a baker map should not be adopted when encrypting an image. Wang, Arroyo, Peng, Rhouma, and coworkers [13–16] proved that some cryptosystems based on high-dimensional chaotic maps and spatiotemporal chaotic maps are still not secure.

In this paper, we analyze the digital image encryption scheme with chaotic map lattices proposed in Ref. [17]. The cryptosystem changes each pixel value using one of eight operations, which is decided by the key stream generated by chaotic map lattices. Though it seems secure enough, we find that the method is vulnerable to the chosen plaintext attack, and has two fatal drawbacks: the unchanged key stream and two classes of operations used by the key stream.

This paper is organized as follows. Section 2 briefly introduces the cryptosystem under study. Section 3 demonstrates a chosen plaintext attack that reveals the equivalent keys. Section 4 illustrates the success of our attack with simulation examples. Section 5 improves the original encryption scheme. Finally, Section 6 presents the conclusions.

2. Description of the encryption algorithm

The cryptosystem proposed by Sun and Lü uses chaotic map lattices (CMLs), which can be described as

$$x^j_{n+1} = (1-\varepsilon) f(x^j_n) + \varepsilon f(x^{j-1}_n), \tag{1}$$

where $x^j_n$ represents the state variable for the $j$-th lattice site ($j = 1, 2, \ldots, L$, where $L$ is the lattice number in the CML), $n$ is the discrete time index, and $\varepsilon$ is the coupling constant. In general, the periodic boundary condition $x^0_n = x^L_n$ is assumed, and the mapping function $f(x_n)$ is chosen to be the logistic map

$$x_{n+1} = f(x_n) = a x_n (1 - x_n), \quad (x_n \in (0,1),\ a \in (0,4]). \tag{2}$$

The encryption scheme proposed is for an RGB image. RGB images use the RGB color model, which is an additive model where the three primary colors including red, green, and blue are combined to produce other colors. The integer numbers between [0, 255] are used to describe these gray levels. The final displayed color is determined by these three components. In digital computer communication, each color level for red, green, and blue, is usually represented by an 8-bit value.

∗Project supported by the National Natural Science Foundation of China (Grant Nos. 61173183, 60973152, and 60573172), the Doctoral Program Foundation of Institution of Higher Education of China (Grant No. 20070141014), the Program for Excellent Talents in Universities of Liaoning Province, China (Grant No. LR2012003), the Natural Science Foundation of Liaoning Province, China (Grant No. 20082165), and the Fundamental Research Funds for the Central Universities of China (Grant No. DUT12JB06).

†Corresponding author. E-mail: [email protected]

© 2013 Chinese Physical Society and IOP Publishing Ltd http://iopscience.iop.org/cpb http://cpb.iphy.ac.cn

To change the parameter of the logistic map during the encryption process, the expression of the CML is adopted as follows:

$$x^j_{n+1} = (1-\varepsilon) f(x^j_n, a^j) + \varepsilon f(x^{j-1}_n, a^{j-1}), \tag{3}$$

$$f(x^j_n, a^j) = (3.9 + 0.1 a^j)\, x^j_n (1 - x^j_n), \tag{4}$$

where $j = 1, 2, \ldots, 8$, $x^0_n = x^8_n$, and $\varepsilon$ is set to be 0.99. The system parameters $a^j \in (0,1)$ and the initial conditions $x^j_0 \in (0,1)$ serve as the secret key, denoted as $a = \{a^1, a^2, \ldots, a^8\}$ and $x^j_0 = \{x^1_0, x^2_0, \ldots, x^8_0\}$, respectively.

The encryption process can be summarized as follows.

(i) Read four pixels from the image file. $D_r(i)$, $D_g(i)$, and $D_b(i)$ denote the red, green, and blue components of the $i$-th pixel, respectively.

(ii) Iterate Eq. (3) using the key; the system then has eight output variables $x^1_n, x^2_n, \ldots, x^8_n$ simultaneously. Compute $K^j_n$ using

$$K^j_n = \operatorname{int}(x^j_n \times 2^u) \bmod 2^v, \tag{5}$$

where $u$ is set to be 52, and $v$ is set to be 32.

(iii) Calculate $N$ using the following formula:

$$N = \operatorname{mod}(x^j_n \times 10^{13}, 8). \tag{6}$$

Since $N \in [0,7]$, the operation group whose number equals $N$ is selected to perform the encryption operation.

Operation 0 Invert the bits of all three RGB bytes.

Operation 1 $D_r(i) \oplus K^1_n$, $D_g(i) \oplus K^2_n$, and $D_b(i) \oplus K^3_n$.

Operation 2 Encryption operation:

$$S_r(i) = (D_r(i) + K^1_n) \bmod 2^v,$$
$$S_g(i) = (D_g(i) + K^2_n) \bmod 2^v,$$
$$S_b(i) = (D_b(i) + K^3_n) \bmod 2^v.$$

Decryption operation:

$$D_r(i) = (S_r(i) - K^1_n) \bmod 2^v,$$
$$D_g(i) = (S_g(i) - K^2_n) \bmod 2^v,$$
$$D_b(i) = (S_b(i) - K^3_n) \bmod 2^v.$$

Here, $S_r(i)$, $S_g(i)$, and $S_b(i)$ are the components of the ciphered image, $\oplus$ means bit-wise XOR, and "mod" denotes the modulus operation.

Operation 3 Encryption operation:

$$\mathrm{NOT}(D_r(i) \oplus K^1_n),$$
$$\mathrm{NOT}(D_g(i) \oplus K^2_n),$$
$$\mathrm{NOT}(D_b(i) \oplus K^3_n).$$

Decryption operation:

$$[\mathrm{NOT}(S_r(i))] \oplus K^1_n,$$
$$[\mathrm{NOT}(S_g(i))] \oplus K^2_n,$$
$$[\mathrm{NOT}(S_b(i))] \oplus K^3_n.$$

Operation 4 Similar to operation 1 except that $K^4_n$, $K^5_n$, and $K^6_n$ are used instead of $K^1_n$, $K^2_n$, and $K^3_n$.

Operation 5 Similar to operation 2 except that $K^4_n$, $K^5_n$, and $K^6_n$ are used instead of $K^1_n$, $K^2_n$, and $K^3_n$.

Operation 6 Similar to operation 3 except that $K^4_n$, $K^5_n$, and $K^6_n$ are used instead of $K^1_n$, $K^2_n$, and $K^3_n$.

Operation 7 No operation is made.

(iv) Repeat processes (i)–(iii) for the next 12 pixels of the image file.

(v) After encryption of a block of 16 pixels of the image file, modify the session keys $a^j_n$ as follows:

$$a^j_n = 1 - \operatorname{mod}(x^j_n + x^{j+2}_n, 1), \quad (j = 1, 2, \ldots, 8). \tag{7}$$

After modifying the secret key in the above manner, repeat steps (i)–(iv) until the entire image file is exhausted.

3. Chosen plaintext attack

When analyzing a cryptosystem, the general assumption is that the cryptanalyst knows everything about the cryptosystem, such as the design and working mechanism, except the secret key. An attack on a cryptosystem means that the cryptanalyst can obtain the plaintext without the key. Traditionally, there are four classical types of attack. (i) Cipher text only: the cryptanalyst only possesses a collection of cipher texts. (ii) Known cipher text: the attacker has some plaintext/cipher-text pairs. (iii) Chosen plaintext: the attacker can choose arbitrary plaintexts and have the corresponding cipher texts. (iv) Chosen cipher text: the cryptanalyst can choose an arbitrary cipher text and have the corresponding plaintexts.

Any cryptosystem which cannot resist any of the above four attacks is insecure. Though the encryption scheme under study has fast encryption speed, it has two fatal drawbacks. (i) The key stream generated by the CML remains unchanged when encrypting an image. (ii) The encryption operations selected from the eight kinds of operation when changing the pixel values remain the same. Based on these two points, we can conduct the chosen plaintext attack. First, we must say that the value of $v$ should be 8 in the encryption scheme under study since each component is represented by an 8-bit value. Checking the eight kinds of operations carefully, we find that the encryption function at operation 0 can be replaced by

$$S_r(i) = D_r(i) \oplus k_1,$$
$$S_g(i) = D_g(i) \oplus k_2,$$
$$S_b(i) = D_b(i) \oplus k_3, \tag{8}$$

where $k_1 = k_2 = k_3 = 255$. Similarly, the encryption function at operation 3 can be replaced by

$$S_r(i) = D_r(i) \oplus k_1,$$
$$S_g(i) = D_g(i) \oplus k_2,$$
$$S_b(i) = D_b(i) \oplus k_3, \tag{9}$$

where $k_1 = K^1_n \oplus 255$, $k_2 = K^2_n \oplus 255$, and $k_3 = K^3_n \oplus 255$.

The encryption functions at operations 1, 4, 6, and 7 can also be replaced by Eq. (8), but the values of $k_1$, $k_2$, and $k_3$ are different. The encryption function at operations 2 and 5 can be replaced by

$$S_r(i) = (D_r(i) + k_1) \bmod 2^8,$$
$$S_g(i) = (D_g(i) + k_2) \bmod 2^8,$$
$$S_b(i) = (D_b(i) + k_3) \bmod 2^8. \tag{10}$$

The values of $k_1$, $k_2$, and $k_3$ are decided by the operation group number. Thus, the eight kinds of operations can be divided into two classes. The equivalent key stream is $k_1$, $k_2$, and $k_3$ used to encrypt all the pixels. To recover the plaintext from cipher text, we just need to obtain the $k_1$, $k_2$, and $k_3$ sequence and the operation class for any pixel, since the two operation classes are both reversible.

3.1. Extracting the equivalent key stream

Choose a plaintext image $P_0$ whose pixel components are all 0. The corresponding cipher image is $C_0$. According to Eqs. (8) and (10), we can see that the three component values of any pixel in $C_0$ are just the values of $k_1$, $k_2$, and $k_3$ used to encrypt this pixel. In short, we obtain the equivalent key stream.

3.2. Deciding the operation class

We choose plaintext/cipher-text pairs $P_j$ and $C_j$ ($j = 1, 2, \ldots, 7$). The three components of any pixel in $P_j$ are all $2^{j-1}$. Then, we can assert that the $j$-th pixel can be thought to be encrypted by Eq. (8) if equation (11) holds. Otherwise, it can be thought to be encrypted by Eq. (10).

$$P^r_j(s,t) = C^r_j(s,t) \oplus C^r_0(s,t), \quad (j = 1, 2, \ldots, 7). \tag{11}$$

Here, $C^r_j(s,t)$ represents the R component of the pixel at the $s$-th row and $t$-th column in $C_j$, and $P^r_j(s,t)$ represents the R component of the pixel at the $s$-th row and $t$-th column in $P_j$. The assertion can be proved as follows.

If equation (11) does not hold, it can be easily seen that the pixel must be encrypted by Eq. (10). Now suppose that equation (11) holds, but the pixel is encrypted by Eq. (10), then we can obtain the following results. Since the pixel is encrypted by Eq. (10), equation (11) can be changed into

$$P^r_j(s,t) = ((P^r_j(s,t) + k_1) \bmod 2^8) \oplus k_1, \quad (j = 1, 2, \ldots, 7). \tag{12}$$

Express $k_1$ in binary mode

$$k_1 = k_1^8 k_1^7 k_1^6 k_1^5 k_1^4 k_1^3 k_1^2 k_1^1. \tag{13}$$

Let $j = 1$ in Eq. (12), we have

$$1 = ((1 + k_1) \bmod 2^8) \oplus k_1. \tag{14}$$

If $k_1^1 = 1$ and $k_1^2 = 0$, $k_1 + 1$ can be given by

$$k_1 + 1 = k_1^8 k_1^7 k_1^6 k_1^5 k_1^4 k_1^3 1 0, \tag{15}$$

then $((1 + k_1) \bmod 2^8) \oplus k_1 = 3 \neq 1$. When $k_1^2 = 1$, $k_1 + 1$ can be represented by

$$(k_1 + 1) \bmod 2^8 = k_{11}^8 k_{11}^7 k_{11}^6 k_{11}^5 k_{11}^4 k_{11}^3 0 0. \tag{16}$$

Then, $((1 + k_1) \bmod 2^8) \oplus k_1 = k_{111}^8 k_{111}^7 k_{111}^6 k_{111}^5 k_{111}^4 k_{111}^3 1 1 \neq 1$. Hence, we let $k_1^1 = 0$. Let $j = 2, 3, \ldots, 7$ in Eq. (12), we have

$$k_1^2 = k_1^3 = k_1^4 = k_1^5 = k_1^6 = k_1^7 = 0. \tag{17}$$

Then, $k_1 = 0$ or $k_1 = 128$. However, in these two cases, equation (10) can be replaced by Eq. (8). The assertion holds.

At last, for any cipher image, we can obtain the plaintext image using the following method. If equation (11) holds, then

$$P^r(s,t) = C^r(s,t) \oplus C^r_0(s,t),$$
$$P^g(s,t) = C^g(s,t) \oplus C^g_0(s,t),$$
$$P^b(s,t) = C^b(s,t) \oplus C^b_0(s,t). \tag{18}$$

Otherwise,

$$P^r(s,t) = (C^r(s,t) + 256 - C^r_0(s,t)) \bmod 256, \tag{19}$$

$$P^g(s,t) = (C^g(s,t) + 256 - C^g_0(s,t)) \bmod 256, \tag{20}$$

$$P^b(s,t) = (C^b(s,t) + 256 - C^b_0(s,t)) \bmod 256. \tag{21}$$

4. Experimental results

We encrypt the images of Lena.bmp and Baboon.bmp with size of 512×512 using the method proposed in Ref. [17], and then break them using our chosen plaintext attack described above. We run this process by Microsoft Visual C++ 6.0 on a computer with 3-GHz CPU, 512-MB memory, and Microsoft Windows XP operation system. The keys we choose are:

a1 = 0.234567, a2 = 0.334567, a3 = 0.814567,

a4 = 0.512345, a5 = 0.123456, a6 = 0.234567,

a7 = 0.4534589, a8 = 0.654321,

$x^1_0 = x^2_0 = x^3_0 = x^4_0 = x^5_0 = x^6_0 = x^7_0 = x^8_0 = 0.3456789$.

At the beginning, we iterate CML 200 times to avoid transient effect. The experimental results are shown in Fig. 1. We can see that the recovered images are identical with the original ones, which implies that the original algorithm is not suitable to be used in image encryption system with high security level.

Fig. 1. (color online) Experimental attack results. (a) Equivalent key-stream image; (b) original image; (c) cipher image; (d) recovered image; (e) original image; (f) cipher image; (g) recovered image.

5. Remedy

Since the color image encryption method proposed in Ref. [17] is not secure enough, now we give a remedy to enhance it.

From the encryption process, we can see that the equivalent keys are the encryption operation selected from the eight operation groups as well as the values of $k_1$, $k_2$, and $k_3$. Unfortunately, both the two parts of the equivalent keys remain the same, which is the fatal drawback, and can be seen from Eqs. (5)–(10). The fact that the key stream depends on neither the plaintext image nor the cipher image is the original reason for the fatal drawback. To make the proposed image encryption scheme able to resist chosen plaintext attacks, we must associate the encryption system with the plaintext image or cipher image. To achieve the goal, in step (v) of the encryption process, we modify the session keys $a^j_n$ using the following formula:

$$a^j_n = 1 - \operatorname{mod}\left(x^j_n + x^{j+2}_n + \frac{R + G + B}{256 \times 3},\ 1\right), \quad (j = 1, 2, \ldots, 8), \tag{22}$$

instead of Eq. (7). The other encryption steps remain unchanged. Here, $R$, $G$, and $B$ are the three color components of the previous cipher image pixel.

In this way, we do not change the frame of the scheme proposed in Ref. [17], but different state variables will be generated when encrypting different images, leading to different sequences of $k_1$, $k_2$, and $k_3$ and different operations chosen to be used. Thus, the chosen plaintext attack proposed in this paper will be ineffective. We show the experimental results of our chosen plaintext attack on the improved encryption scheme in Fig. 2. Figures 2(a) and 2(d) are the original images of Lena.bmp and Baboon.bmp with size (512×512), respectively. We can see that the chosen plaintext attack is completely ineffective.

Fig. 2. (color online) Improved experimental results. (a) original image; (b) cipher image; (c) recovered image; (d) original image; (e) cipher image; (f) recovered image.
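The chosen plaintext attack of Section 3 and the idea behind the remedy above, as an added Python example that is not code from the paper. `make_keystream` is a constructed stand-in for the fixed equivalent key stream of Eqs. (8) and (10) (one operation class and one k per colour component), and the `feedback` option is a simplified ciphertext-feedback assumption standing in for Eq. (22), not an implementation of it; all function names are hypothetical.

```python
import random

XOR, ADD = 0, 1  # the two operation classes of Eqs. (8) and (10)

def make_keystream(n, seed):
    # Constructed stand-in for the CML output: one fixed (class, k) per colour component.
    rng = random.Random(seed)
    return [(rng.choice((XOR, ADD)), rng.randrange(256)) for _ in range(n)]

def encrypt(plain, keystream, feedback=False):
    # feedback=False: equivalent form of the original scheme (key stream ignores the data).
    # feedback=True: simplified stand-in for the remedy, mixing the previous cipher
    # component into k (an assumption for illustration, not Eq. (22) itself).
    out, prev = [], 0
    for d, (cls, k) in zip(plain, keystream):
        if feedback:
            k = (k + prev) % 256
        c = d ^ k if cls == XOR else (d + k) % 256
        out.append(c)
        prev = c
    return out

def chosen_plaintext_tables(oracle, n):
    # Section 3.1: the all-zero image P0 yields C0, i.e. k for every component.
    c0 = oracle([0] * n)
    # Section 3.2: images P_j filled with 2^(j-1), j = 1..7, test Eq. (11).
    is_xor = [True] * n
    for j in range(1, 8):
        p = 1 << (j - 1)
        cj = oracle([p] * n)
        for i in range(n):
            if cj[i] ^ c0[i] != p:
                is_xor[i] = False  # Eq. (11) fails, so the class is Eq. (10)
    return c0, is_xor

def recover(cipher, c0, is_xor):
    # Eq. (18) for the XOR class, Eqs. (19)-(21) for the modular-addition class.
    return [c ^ k if x else (c + 256 - k) % 256
            for c, k, x in zip(cipher, c0, is_xor)]

def demo(feedback, n=48, seed=2013):
    # Returns True when the eight chosen images suffice to recover another image.
    ks = make_keystream(n, seed)
    oracle = lambda p: encrypt(p, ks, feedback)
    rng = random.Random(seed + 1)
    plain = [rng.randrange(1, 256) for _ in range(n)]  # constructed sample "image"
    c0, is_xor = chosen_plaintext_tables(oracle, n)
    return recover(oracle(plain), c0, is_xor) == plain

if __name__ == "__main__":
    print("static key stream recovered:", demo(False))
    print("feedback key stream recovered:", demo(True))
```

With the static key stream the eight chosen images recover every component, including the k = 0 and k = 128 cases that Eq. (11) classifies as XOR; with feedback, the tables built from the chosen images no longer match the key stream used for a different image.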

6. Conclusions

In this paper, we give a complete break of the spatiotemporal chaotic encryption system proposed for RGB images. The main weakness is that the key stream generated depends on neither the plaintext image nor the ciphered image. The operations chosen to encrypt the pixels remain unchanged too. Based on these fatal drawbacks, we choose eight pairs of plaintext/cipher-text to recover the plaintext of any cipher image. Experimental results show that our method can successfully decrypt the cipher image. Therefore, the encryption algorithm under study is not supposed to be used for image transmission. Finally, we improve the encryption scheme, and the experimental results show that the improved encryption scheme can completely resist the chosen plaintext attack we proposed in this paper.

References

[1] Pareek N K, Patidar V and Sud K K 2006 Image Vis. Comput. 24 926
[2] Gao H J, Zhang Y S, Liang S Y and Li D Q 2006 Chaos Soliton. Fract. 29 393
[3] Zhang G J and Liu Q 2011 Opt. Commun. 284 2775
[4] Fu C, Chen J J, Zou H, Meng W H, Zhan Y F and Yu Y W 2012 Opt. Express 20 2363
[5] Chen G R, Mao Y B and Chui C K 2004 Chaos Soliton. Fract. 21 749
[6] Huang C K and Nien H H 2009 Opt. Commun. 282 2123
[7] Guan Z H, Huang F J and Guan W J 2005 Phys. Lett. A 346 153
[8] Gao T G and Chen Z Q 2008 Phys. Lett. A 372 394
[9] Xu S J, Chen X B, Zhang R, Yang Y X and Guo Y C 2012 Phys. Lett. A 376 1003
[10] Cokai C and Solak E 2009 Phys. Lett. A 373 1357
[11] Wang K, Pei W J, Liu H Z and He Z Y 2005 Phys. Lett. A 343 432
[12] Alvarez G and Li S J 2006 Phys. Lett. A 352 78
[13] Wang X Y and He G X 2012 Chin. Phys. B 21 060502
[14] Arroyo D, Li C Q, Li S J, Alvarez G and Halang W A 2009 Chaos Soliton. Fract. 41 2613
[15] Peng J, Zhang D and Liao X F 2009 Fundamen. Inform. 90 269
[16] Rhouma R and Safya B 2008 Phys. Lett. A 372 5973
[17] Sun F Y and Lü Z W 2011 Chin. Phys. B 20 040506