ON THE SECURITY OF AN IMAGE ENCRYPTION METHOD Shujun Li and Xuan Zhen2

Institute of Image Processing, School of Electronics and Information Engineering Xian Jiaotong University, Xian, Shaanxi 710049, P. R. China Department of Electrical Engineering, Polytechnic University 5 MetroTech Center, Brooklyn, NY 11201
ABSTRACT
The security of digital images attracts much attention recently, and many different image encryption methods have been proposed. In 1999, J.-C. Yen and J.-I. Guo proposed a novel image encryption algorithm called BRIE (Bit Recirculation Image Encryption). This paper points out that BRIE is not secure enough from strict cryptographic viewpoint. It has been found that some defects exist in BRIE, and a knowdchosen-plaintext attack can break BRIE with only one knowdchosen plain-image. Experiments are made to verify the defects of BRIE and the feasibility of the attack. f(x,y)(O 5 x 5 A 4 - 1,0 5 y 5 N - l), the cipher-pixel f(z,y) is determined by the following equation:

f b , Y) = R O L P , ( f b , Y ) ) ,

(1)

where p = b(N x x y), q = a p x b(N x x y 1) and ROLF: is a cyclical shift by q bits in a direction controlled by p :

+ +

ROL

1. INTRODUCTION
In the digital world nowadays, the security of digital images becomes more and more important since the communications of digital products over open network occur more and more frequently. Furthermore, special and reliable security in storage and transmission of digital images is needed in many applications, such as pay-TV, medical imaging systems, military image communications and confidential video conferencing, etc. In order to fulfill such a task, many image encryption methods have been proposed [ 1-71, but some of them [2,6,7] have been known to be insecure [3,8,9]. In [ 11, a novel image encryption method called BRIE (Bit Recirculation Image Encryption) is proposed, which is a pixel transformation cipher. This paper points out some security defects in BRIE, and presents a knowdchose-plaintext attack to break BRIE with only one k n o d c h o s e n plain-image. Generally speaking, BRIE is not secure from strongly cryptographic viewpoint and should not be used in any strict applications. This paper is organized as follows. In Sect. 2, we firstly give a brief introduction of BRIE. The detailed analyses about the security defects of BRIE are made in Sect. 3. The knowhhosenplaintext attack is proposed in Sect. 4. Experimental results are also included in Sect. 3 and 4. Section 5 briefly discusses how to improve BRIE, and the last section concludes this paper.

Apparently, BRIE is a pixel transformation cipher, i.e., the cipherpixel at (qy) is uniquely determined by the plain-pixel at the same position. The authors of [ I ] claim that BRIE needs very low computation complexity, and has high security since b ( i ) contains M N 1 secure bits generated by the chaotic iterations. However, we will point out that some serious defects exist in BRIE, and that a knowdchosen-plaintext attack can break it. The BRIE encrypts the plain-image column by column, which is somewhat inconvenient in practice. In this paper, we modify BRIE to work in line mode, which will not essentially influence the security of BRIE.

3. SOME DEFECTS OF BRIE 3.1. Essential Defects of ROLP Operations

The ROLP operations controlled by pseudo-random chaotic sequence { b ( i ) } are the kernel of BRIE. But ROLP have two essential defects when it is used in BRIE, which both lower the security of BRIE and limit its applications in practice. 1) Some plain-pixels may keep unchanged (f(z, y) = f(z, y)) after encryption. If there are too many such pixels, the plainimage will roughly emerge from the cipher-image. The plainpixels can be divided into the following four classes. c 1 ) 0, 255: f(s, y) f(x,y), V a ,p. CZ) 85, 170: If (Y mod 2 = 0, f(z,y) = f(x,y) when q = a; if a+p mod 2 = 0, f(z, y) = f ( z , y ) whenq = a + P ; a n d i f a mod 2 = (a+p) mod 2 = 0, f(x, y) = f(x,y). C3) 17, 34, 51,68, 102, 119, 136, 153, 187, 204,221,237: If a mod 4 = 0, f(x, y) = f(x,y) when q = a; if a + p mod 4 = 0, f(x, y) = f(x,y) when q = a p; and if a mod 4 = ( a p) mod 4 = 0, f(x,y) E f ( z , y ) . C4)

2. BRIE ALGORITHM
The basic idea of BRIE is the bit recirculation of the pixels, which is controlled by a chaotic pseudo-random binary sequence. The secret keys of BRIE are two integers a, p and the initial condition x ( 0 )of a one-dimensional chaotic system. Assume the size of the plain-image is M x N . Run the chaotic system to make a chaotic otbit { ~ ( i ) } /Then z generate ~ . a pseudo-random binary sequence (PRBS) { b ( i ) } z tfrom the 8-bit binary representation of z(i) = O.b(8i O)b(8i 1 ) . . . b(8i 7). For the plain-pixel

Please contact us via hooklee@mail . com.

I Different repeated pattems exist in the binary representation of different pixels: C1) eight repeated bits - 0 (00000000), 1 (1 1 1 1 1 1 1 1 ) ; C2) four repeated 2-bit segments- 85 (01010101),170 (10101010);C3) two repeated 4-bit segments - 1 7 (OOOlOOOl), etc.; C4 - no repeated pattem.

0-7803-7622-6/02/$17.0002002 IEEE

I1 - 925

IEEE ICIP 2002

All other gray values: If a mod 8 = 0, f(z,y) = f(z, y) when q = a; if a+p mod 8 = 0, f(z, y) = f ( ~y) , when q = a+P; and if a mod 8 = ( a p) mod 8 = 0, f(z, y) 3 f(z, y). 2) For a sub-region in the plain-image with fixed gray value,

at most fou? gray values will be contained in the corresponding sub-region of the cipher-image. Such a fact will make the edge of this sub-region appear in the cipher-image.

In fact, the second fact can be extended to more general case. For a given sub-region, if all gray values are close and only a few LSBs of the values are different, there will be enough similar pixels in the sub-cipher-region to cause the edge to emerge in the cipher-image. Generally speaking, the larger the sub-region is and the closer the gray values are, the more clear the edge will be. In Fig. 2, Lenna.bmp and Miss.bmp are shown as examples. In the cipher-images, we can find many important edges of the plain-images.

3.2. Security Problem about a , p

The selection of a, p is not mentioned in [I]. We find a , ,B must yield the following three restrictions to avoid possible insecurity, the number of such values is only 7 x 7 - 7 - 2 = 40, which is dramatically small and will be useful for cryptanalysis. R1) 1 5 a 5 7, 1 5 p 5 7 . Consider ROLP; = ROLP,9+, this restriction is natural. R2) a # 8 . If a /3 = 8, beyond half pixels will obey f(z, y) = f(z,y) (recall the discussion in the last subsection). Such a fact will cause the plain-image is roughly leaked from the cipher-image. In Fig. 3, we give the results about Lenna.bmp and ) 0.75. Miss.bmp when a = 6, ,B = 2, ~ ( 0 =

a) TestPattern.bmp

b) Encrypted TestPattembmp

Fig. 1. A special image encrypted with BRIE

a) Encrypted Lenna.bmp

b) Encrypted Miss.bmp

Fig. 3. Lenna.bmp and Miss.bmp encrypted by BRIE, a = 6, /3 = 2, z(0) = 0.75 (compare them with Fig. 2)
R 3 ) a mod 8 # 1 , 7 o r ( a + p ) mod 8 # 1,7. Ifthe B = 6 or a = 7, ,B = 2), restriction is not satisfied (when a = 1,, all plain-pixels will be encrypted by one-bit R O L P operation since ROLPJ = ROLPi-, and ROLP; = ROLP,. Consequently, rather larger visual information of the plain-image will leak from the cipher-image. When a = 1,,8 = 6, s(0) = 0.75, the results about Lenna.bmp and Miss.bmp are given in Fig. 4. We can see the cipher-images contain so many strong edges that one eavesdropper can guess the plain-image.
3.3. Low Practical Security to Brute-Force Attack
In [I], the authors claimed that there are 2 M N J f possible 1 encryption results since the cipher-image is determined by { b ( i ) } z F . Because all { b ( i ) } keep secret to illegal users and the reconstruction of the chaotic orbit { ~ ( i ) } is ~ rather ~ difficult, BRIE is secure enough. However, the above statement is not true because of the following fact: total M N 1 bits are uniquely determined by the chaotic system and its initial condition ~ ( 0 )Once . one gets z(O), he can easily reconstruct { b ( i ) } z yto decrypt the cipherimage. z(0) can be determined by brute-force searching. Of course, to break BRIE, we also should know a, ,f?besides ~ ( 0 ) . Now let us calculate the total number of available secret keys. Assume the chaotic systems is iterated with floating-point anthmetic of double precision, then ~ ( 0 will ) have 63 meaningful bits

c) Miss.bmp

d) Encrypted Miss.bmp

Fig. 2. Lenna.bmp and Miss.bmp encrypted by BRIE, a = 5, p = 1, z(0) = 0.75

Apparently, if the cipher-image have many unchanged pixels and/or the plain-image have many sub-regions with fixed gray values, it will be possible to obtain some useful information about the plain-image by only observing the cipher-image. In Fig. 1, we give the experimental result about a specially designed image, which contains pixels in all four classes (The gray values of the 16 squares are respectively 0, 17, 34, ..., 221,237, 255). The related parameters are a = 2, p = 4, r(0)= 0.75 and the chaotic system is selected as logistic map with control parameter 3.9.
2The number is determined by the fixed gray value: C1- 1, C2 - 1 or 2,C3 - 1 3, C4- 1 N 4.
N

I1 - 926

a) Encrypted Lenna.bmp

b) Encrypted Miss.bmp

much smaller than C4 pixels. Consequently, the mask array Q can be employed to decrypt other cipher-images encrypted by BRIE with same keys. If the size of the cipher-images is not larger than the size of Q, the plain-images can be entirely recovered except a few plain-pixels. Select Lenna.bmp as the knowdchosen plainimage, we obtain a mask array Q and then successfully cryptanalyze the cipher-image of Miss.bmp. The mask array Q and decrypted Miss.bmp are given in Fig. 5 , where Q is transformed to a pseudo-random image f~ as follows: F Q ( z ,y) = q(z,y) x 32. We can see a few pixels in Miss.bmp cannot be correctly cryptanalyzed because of the corresponding pixels in Lenna.bmp are C1 C 3 pixels.

Fig. 4. Lenna.bmp and Miss.bmp encrypted by BRIE, a = 1,p = 6, z(0) = 0.75 (compare them with Fig. 2)
(the sign bit must be zero since z(0) 2 0). Consider the number of available a, p is 40, the total number of keys is 40 x 263. The exact computation complexity of the brute-force attack is estimated as follows. For each key, LMN/8] chaotic iterations are needed to generate { b ( i ) } z t , and M N ROLP operations are needed to decrypt the cipher-image. Assume one chaotic iteration and one ROLP operation consume same time, the average attack complexity of BRIE to brute-force attack will be (40 x 2 6 3 / 2 ) x 9 M N / 8 = 267.5 x MN, which is much smaller than Z M N when M , N are not too small. Assume M = N = 512 = 2, which is the typical size of a large digital image, the attack complexity will be only 267.5 x M N = 285.5<< 2MN = 2262144.Consider the rapid progress of digital computers and distributed arithmetic, the complexity is required to be not lower than 2lZ8for a strict cipher [IO]. Apparently, BRIE can not provide enough security. As a result, the security of BRIE is overestimated by the authors of [ I], even under brute-force attack.

a) Mask array Q

b) Decrypted Miss.bmp by Q

Fig. 5. Cryptanalyze Miss.bmp using mask array Q generated from knowdchosen Lenna.bmp, a = 5 , p = 1,z(0) = 0.75
Using Q as the cryptanalytic tool has two problems: a) For a cipher-image whose size is larger than M x N , only M x N pixels can be recovered. If the image is much larger than M x N , the recovered part cannot reflect the whole scene of the plainimage. See Fig. 6 for the cryptanalytic result of a larger image Peppers.bmp, whose size is 384 x 384 (larger than 256 x 256). b) If the knowdchosen image contains too less C4 pixels, there will not be enough efficient q(z, y) to decrypt cipher-pixels. The second problem can be overcome by increasing the number of knowdchosen plain-images.

4. KNOWNICHOSEN-PLAINTEXTATTACK
If one can get only one plain-image, he can break BRIE easily and fast, which corresponds to the knowdchosen-plaintext attack in cryptanalysis. As we know, the known-plaintext and chosenplaintext attacks will be very meaningful if a same key is used to encrypt more than one plaintexts, especially in the case that a larger number of plaintexts are all encrypted with a same key. For a good cipher, the capability to resist known-plaintext attack is very important and generally needed. It is because of the following fact: the key management will be very complex, inconvenient and inefficient in many applications, if any key must not be used to encrypt more than one plaintexts [lo].

4.2. Finding the Secret Keys from Q

Obviously, the best solution to the problems of Q is to get the secret keys of BRIE a,p and z(0). Once Q is obtained, we can p and equivalent z(0) by the following steps. deduce a, Step 1: Assume a= 1 7 and p = 1 7. Step 2: If a, p disobey the restrictions R1, R2 and R3 described in Sect. 3.2, go to Step 1; Step 3: Calculate the following four values: q( 1) = a, q(2) = ~y+p,q(3)=8-q(l),q(4)=8-4(2). Step 4: Find 16 continuous C4 pixels in the knowdchosen plainimage, generally it is easy for most images. Step 5: Get 16 bits b(1) b(16) from the mask values q(z,y) corresponding to the 16 C4 plain-pixels as follows: if q(z,y) = q(1) or q(2), b(i) = 0; otherwise b(i) = 1. Ste 6 Generate, two binary decimals using b( 1) 7 b( 16): zl = b(i) x 2- and 12 = ELl b(i 8 ) x 2-. Step 7: If 22 and z1 yield the equation of the employed chaotic system, mark the current aand p as a candidate for the right a and p. Go to Step 1 until a= 7 and /3 = 7. Step 8: Search the right a and /3 in all marked candidates. Step 9: Brute-forcedly search the other n - 8 bits of 21, where n is the meaningful bit number of the chaotic orbit. In the above procedure, if the 16 continuous C4 pixels are the first 16 pixels of plain-images, then z1 = z(0); otherwise z1 is
N

4.1. Breaking BRIE with Mask Array Q

Assume the knowdchosen plain-image is f and its cipher-image is f (both M x N ) . For the plain-pixel f ( z , y ) , the cipherpixel f(z,y) must be one of the 8 values: ROLP,(f(z, y)) R O L P J ( f ( z y)). , By comparing f ( z ,y) and f(z,y), we can easily find at least one integer q(z,y), which satisfies f(z,y) = ROLP$Y)(f(z, y)). Repeat this procedure, we can get amask array Q = [q(z,y ) l ~ If~f(z, ~ y) . is a gray value in class C4 (recall Sect. 3.1), q(z,y) can be used to decrypt any cipher-pixels at (2, y). If f ( z ,y) is a gray value in class C1 C 3 , generally q(z, y) cannot be used to decrypt cipher-pixels at (2, y). Fortunately, for most digital images, the number of C1 C 3 pixels is

8 :

If f(z, y) belongs to class C4, only unique such integer exists. For ; class CI, the number of such integers are 7; for C2, the number is 3 or 4 for C3, the number is 1 or 2.

I1 - 927

7. ACKNOWLEDGEMENT
The authors would like to thank Dr. Xuanqin Mou and Prof. Yuanlong Cai at Xian Jiaotong University for their supports on this paper, Miss Yanghui Cao and Luhua Gong at Xian Jiaotong University for their helps in the preparation of this paper. Also, we thank one anonymous reviewer for hisher useful comments to enhance the clarity of this paper.

8. REFERENCES
[ 11 Jui-Cheng Yen and Jim-In Guo, A new image encryption

algorithm and its VLSI architecture, in Pmc. IEEE Workshop Signal Processing Systems, 1999, pp. 430-437. [2] Jui-Cheng Yen and Jiun-In Guo, A new chaotic key-based design for image enciyption and decryption, in Pmc. IEEE ISCAS, 2000, vol. 4, pp. 49-52. 31 Howard Cheng and Xiaobo Li, Partial encryption of compressed images and videos, IEEE Trans. Signal Processing, vol. 48, no. 8, pp. 2439-2451,2000. 41 Jiri Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurcation and Chaos, vol. 8, no. 6, pp. 1259-1284, 1998. 51 Josef Scharinger, Fast encryption of image data using chaotic kolmogrov flows, J. Electmnic Imaging, vol. 7, no. 2, pp. 3 18-325, 1998. [6] Henry Ker-Chang Chang and Jiang-Long Liu, A linear quadtree compression scheme for image encryption, Signal Processing: Image Communication, vol. 10, pp. 279-290, 1997. [7] C. Alexopoulos, Nikolaos G. Bourbakis, and N. Ioannou, Image encrytion method using a class of fractals, J. Electronic Imaging, vol. 4, no. 3, pp. 25 1-259, 1995. [8] Jim-Ke Jan and Yuh-Min Tseng, Onthe security of image encryption method, Information Processing Letters, vol. 60, pp. 261-265, 1996.

c) Decrypted Peppers.bmp by Q

Fig. 6. Cryptanalyze Peppers.bmp using mask array Q generated from knowdchosen Lenna.bmp, CY = 5, ,L? = 1, z(0) = 0.75

a equivalent key of z(0) since zl also can be used to generate chaotic sequence after 2 1 . The search complexity of the above procedure is chiefly determined by Step 9. When n = 63 (double precision floating-point arithmetic), it is 2 5 5 , which is still rather large. But compared with the complexity of simple bruteforce attack (see Sect. 3.3), the key entropy decreases by at least log,(40 x 28) x 13.3 bits.

5. IMPROVING BRIE
To improve the security of BRIE to brute-force attack and the attack of getting the secret keys from Q, some simple modifications will be efficient, such as increasing the bit number of z(O), adding control parameters of the chaotic system to the secret keys. But neither of them can improve the security to the knowdchosenplaintext attack with Q. To escape from the knowdchosen-plaintext attack based on Q, some complicated modifications should be made, such as cascading an extra cipher to perturb the cipher-image after BRIE [lo], or using pseudo-randomly generated cr and /3 by cipherpixels or added secret keys [ 11, 121. Here, the security of the modified BRIE will be ensured by the new parts, not the BRIE itself.

[9] Shujun Li and Xuan Zheng, Cryptanalysis of a chaotic image encryption method, Pmc. IEEE ISCAS 2002, to be
published. [IO] Bruce Schneier, Applied Cyptography, John Wiley & Sons, Inc., New York, second edition, 1996.

[ I I] Tohru Kohda and Akio Tsuneda, Statistics of chaotic binary sequences, IEEE Trans. Information Technology, vol. 43, no. 1, pp. 104-1 12, 1997.
[I21 Li Shujun, Mou Xuanqin, and Cai Yuanlong, Pseudorandom bit generator based on couple chaotic systems and its applications in stream-cipher cryptography, in Pmgress in Cryptology - INDOCRYPT 2001. 2001, Lectuer Notes in Computer Science, vol. 2247, pp. 316-329, SpringerVerlag, Berlin.

6. CONCLUSION In this paper, we point out the insecurity of a novel image encryption method proposed in [ 11. Detailed cryptanalytic investigations are given and a knowdchosen-plaintext attack is presented to break this image encryption method. We suggest not using it in strict applications, except it can be ensured that any secret key will never been used repeatedly to encrypt more than one plainimages.

I1 - 928