arxiv: v1 [cs.cr] 5 Dec 2007

Transcription

1 Cryptanalysis of an image encryption scheme based on the Hill cipher Chengqing Li a,, Dan Zhang b, and Guanrong Chen a arxiv: v1 [cscr] 5 Dec 2007 a Department of Electronic Engineering, City University of Hong Kong, Kowloon Tong, Hong Kong SAR, China b College of Computer Science and Technology, Zhejiang University, Hangzhou , Zhejiang, China Abstract This paper studies the security of an image encryption scheme based on the Hill cipher and reports its following problems: 1) there is a simple necessary and sufficient conditionthatmakesanumberofsecretkeysinvalid;2)itisinsensitivetothechange of the secret key; 3) it is insensitive to the change of the plain-image; 4) it can be broken with only one known/chosen-plaintext; 5) it has some other minor defects Key words: cryptanalysis, encryption, Hill cipher, known-plaintext attack CLC: TN918, TP Introduction 2 The history of cryptography can be traced back to the secret communication 3 among people thousands of years ago With the development of human society 4and industrial technology, theories and methods of cryptography have been 5changed and improved gradually, and meanwhile cryptanalysis has also been 6developed In 1949, Shannon published his seminar paper Communication 7theory of secrecy systems [1], which marked the beginning of the modern 8cryptology 9In the past two decades, the security of multimedia data has become more 10and more important However, it has been recognized that the traditional 11text-encryption schemes cannot efficiently protect multimedia data due to 12some special properties of the multimedia data, such as strong redundancy Corresponding author: Chengqing Li (swiftsheep@hotmailcom) Preprint submitted to J of Zhejiang University SCIENCE 24 October 2018

2 13and bulk size of the uncompressed data To meet this challenge, a number 14of special image encryption schemes based on some nonlinear theories were 15proposed [2 4] Yet, many of them are found to be insecure from the view 16 point of cryptography [5 17] 17 In [18], Ismail et al tried to encrypt images efficiently by modifying the clas- 18sical Hill cipher [19] This paper studies the security of the scheme proposed 19in [18] and reports the following findings: 1) there exist a number of invalid 20secret keys; 2) the scheme is insensitive to the change of the secret key; 3) 21the scheme is insensitive to the change of the plain-image; 4) the scheme can 22be broken with only one known/chosen plain-image; 5) the scheme has some 23 other minor performance defects 24The rest of this paper is organized as follows The next section briefly in- 25troduces the encryption scheme to be studied Section 3 presents detailed 26 cryptanalysis of the scheme The last section concludes the paper 272 The image encryption scheme to be studied The scheme proposed in [18] scans the gray scales of a plain-image P (or one channel of a color image) of size M N in a raster order and divides it into MN/m vectors of size m: {P l } MN/m l=1, where P l = {P((l 1) m + 1),,P((l 1) m+m)} (the last vector is padded with some zero bytes if MN can not be divided by m) Then, the vectors {P l } MN/m l=1 are encrypted in increasing order with the following function: C l = (P l K l ) mod 256, (1) where K 1 = (K 1 [i,j]) m m, K 1 [i,j] Z 256, the initial state of K l 2 is set to be K l 1, and then every row of K l is generated iteratively with the following function, for i = 1 m: K l [i,:] = (IV K l ) mod 256, (2) 28where IV is a vector of size 1 m and IV [i] Z 256 Finally, the cipher-image is obtained as C = {C l } MN/m 29 l=1 30The secret key of the encryption scheme includes three parts: m, K 0, and IV The decryption procedure is the same as the above encryption procedure except that Eq (1) is replaced by the following function: P l = (C l K 1 l ) mod 256, (3) 2

3 where (K l Kl 1 31 ) mod 256 = I, the identity matrix 323 Cryptanalysis 3331 Some Defects of the Scheme Invalid keys 35Aninvalidkeyisakeythatfailstoensurethesuccessoftheencryptionscheme 36From the following Fact 1 and Corollary 1, one can see that one secret key 37in the above-described scheme is invalid if and only if gcd(k 1,256) 1 or 38IV [i] mod 2 = 0 39Fact 1 A matrix K is invertible in Z n if and only if gcd(det(k),n) = 1 40 ( m Proposition 1 det(k l ) = ) IV[i] det(k l 1 ) Proof: According to Eq (2), there is a relation between K l and K l 1, as follows: K l = m IV[i]K l 1 [i,:] IV [1]K l [1,:]+ m IV [i]k l 1 [i,:] i=2 mod 256 (4) m 1 IV[i]K l [i,:]+iv [m]k l 1 [m,:] 41 Subtracting i 0 1 IV[i]K l [i,:] from K l [i 0,:] for i 0 = m 2, one gets K l = m IV [i]k l 1 [i,:] m IV [i]k l 1 [i,:] i=2 mod 256 (5) IV[m]K l 1 [m,:] Subtracting K l[i 0,:] from K l[i ,:] for i 0 = 2 m, one has 3

4 K l = IV[1]K l 1 [1,:] IV[2]K l 1 [2,:] mod 256 (6) IV [m]k l 1 [m,:] ( m Obviously, det(k l ) = det(k l ) = det(k l ) = completes the proof of the proposition ( m l 1det(K1 Corollary 1 det(k l ) = IV [i]) ) ) IV [i] det(k l 1 ), which 46 Proof: The result directly follows from Proposition Insensitivity to the change of the secret key 48Although it is claimed in [18, Sec 5] that the encryption scheme is very sen- 49sitive to the change of the sub-keys K 1, IV, this is not true 50Let sfirststudytheinfluenceonk l 2 ifonlyonebitofk 1 ischangedwithout 51loss of generality, assume that the n-th significant bit of K 1 (1,j 0 ) is changed from zero to one, where 0 n 7 Let K 52 l denote the modified version of K l The change D l = K 53 l K l can be presented by the following two equations: D l [:,j 0 ] = D l [:,j] 0,for j j 0, (7) m IV [i]d l 1 [i,j 0 ] IV[1]D l [1,j 0 ]+ m IV [i]d l 1 [i,j 0 ] i=2 mod 256, IV [i]d l [i,j 0 ]+IV [m]d l 1 [m,j 0 ] (8) m 1 where D 1 [1,j 0 ] = 2 n 54, D 1 [i,j 0 ] = 0, i = 2 m Since IV[i] mod 2 0, D l [i,j 0 ] 0 always exist From Eq (8), one can see that D l [i,j 0 ] 2 n exists, which means that only the n 0 -th bit of C l [j 0 ] may possibly be changed, where n 0 n Note also that there is no influence on C l if (P l D l [:,j 0 ]) mod 256 = 0 4

5 To verify the above analysis, an experiment has been carried out using a plainimage Lenna with the secret key m = 4,IV = ( ),K 1 = (9) Onlythe5-thsignificantbitofK 1 [1,2]ischanged,namely K 55 1 [1,2] = (K 1 [1,2]+ 2 5 ) mod 256 Let C denote the cipher-image corresponding to K 56 1 The bit- 57planes of difference C C are shown in Fig 1, which demonstrates the very 58weak sensitivity of the encryption scheme with respect to K 1 a) 0 4-th b) 5-th c) 6-th d) 7-th Fig 1 The bit-planes of C C when one bit of K 1 is changed 59Now, consider the influence on K l 2 if only one bit of IV is changed Without 60loss of generality, assume the n-th significant bit of IV [1] is changed from 61zero to one Similarly, let D l denote the change of K l Due to the extremely 62complex formulation of D l 3, only D 2 is shown here D 2 [:,j] = 63where j = 1 m K 1 [1,j]2 n D 2 [1,j](IV[1]+2 n )+K 2 [1,j]2 n D 2 [2,j]+IV [2]D 2 [2,j] mod 256, (10) D 2 [2,j]+ m 1 IV [i]d 2 [i,j] i=2 64To see the influence of the change of IV, an experiment has been carried out 65 using plain-image Lenna, with the same secret key shown in Eq (9) above Only the 5-th significant bit of IV[1] is changed, namely ĨV [1] = (IV [1] ) mod 256Thebit-planesofdifferencebetweencipher-imagescorresponding to IV and ĨV, respectively, are shown in Fig

6 69Comparing Fig 1 and Fig 2, one can see that the sensitivty with respect 70to IV is much stronger than the one with respect to K 1, which agrees with 71the above theoretical analysis But one bit change of a sub-key of a secure 72 cipher should cause every bit of the ciphertext changed with a probability of 1 Obviously, the sensitivity of the encryption scheme with respect to sub-keys 73 K 2 1, IV is very far from this requirement 74 a) 0 4-th b) 5-th c) 6-th d) 7-th Fig 2 The bit-planes of C C when one bit of IV is changed Insensitivity to the change of the plain-image 76 This property is especially important for image encryption since an image and 77 its watermarked version may be encrypted simultaneously 78Since the role of P l in Eq (1) is exactly the same as that of IV in Eq (2), 79the analysis about its insensitivity to the change of the plain-image can be 80 carried out just like the case about the sub-key IV discussed above Some other problems 82 The encryption scheme has the following additional problems: 83 (1) cannot encrypt plain-image of a fixed value zero; (2) efficiency of implementation is low: From [20, Thorem 233], one can see that the number of invertible matrices of size m m in Z 256 is GL(m,Z 256 ) = 2 m 1 7m2 k=0 (2 m 2 k ) (11) Thus, the probability that a matrix of size m m in Z 256 is invertible is p m = 27m2 m 1 k=0 (2m 2 k ) 2 8m2 = m (1 2 k ) 1 k=1 3 (12) So, it needs O(3m 2 ) ando(m 2 MN) times of computations, respectively, for checking the reversibility of K 1 and for calculating {Kl 1 } MN/m l=1 6

7 Note that these computations have no direct contributions to protecting the plain-image (3) the scope of sub-key m is limited: As discussed above, the larger the value m the higher the computational cost (4) the confusion capability is weak: This problem is caused by the linearity of the main encryption function To demonstrate this defect, the encryption result of one special plain-image is shown in Fig 3, where Figure 3b) also effectively disproves the conclusion about the quality of encryption results given in [18, Sec 4] a) plain-image b) cipher-image Fig 3 A special test image, Test pattern Known/Chosen-Plaintext Attack 96 The known/chosen-plaintext attack works by reconstructing the secret key or 97 its equivalent based on some known/chosen plaintexts and their corresponding 98ciphertexts For this encryption scheme, the equivalent key {K l } MN/m l=1 can be reconstructed from m plain-images P (1) P (m) and their corresponding cipherimages C (1) C (m) by using K l = P (B) l C (1) l C (2) l C (m) l mod 256, (13) 7

8 where P (B) l = P (1) l P (2) ḷ P (m) l 1 (14) Thereversibility ofp (B) 99 l can be ensured by utilizing more than m plain-images 100or by choosing m special plain-images Note that the above known/chosen- 101plaintext attack can be carried out with only one know/chosen plain-image due to the very short period of sequence {K l [:,j]} MN/m 102 l=1 for j = 1 m To 103study the period of this sequence, 10,000 tests have been done for a given 104value of IV of size 1 3, where K 1 is selected randomly The numbers of tests where the corresponding sequence {K l (:,1)} MN/m 105 l=1 has period p, N p, 106with some values of IV, is shown in Table 1, which shows that the period of {K l [:,j]} MN/m 107 l=1 is indeed very short Table 1 Values of N p with some values of IV, p = 2 s, s = 3 9 IV N 8 N 16 N 32 N 64 N 128 N 256 N 512 (91, 63, 45) (113, 25, 219) (253, 115, 17) (1, 3, 5) (5, 121, 247) Conclusion 109In this paper, the security and performance of an image encryption scheme 110based on the Hill cipher have been analyzed in detail It has been found that 111the scheme can be broken with only one known/chosen plain-image There 112 is a simple necessary and sufficient condition that makes a number of secret 113keys invalid In addition, the scheme is insensitive to the change of the se- 114 cret key/plain-image Some other performance defects have also been found 115 In conclusion, the encryption scheme under study actually has much weaker 116 security than the original Hill cipher, therefore is not recommended for appli- 117cations 8

9 1185 Acknowledgement 119 This research was supported by the City University of Hong Kong under the 120 SRG project References 122[1] C E Shannon, Communication theory of secrecy systems, Bell System 123 Technical Journal 28 (4) (1949) [2] S Li, G Chen, X Zheng, Chaos-based encryption for digital images and 125 videos, in: B Furht, D Kirovski (Eds), Multimedia Security Handbook, 126 CRC Press, LLC, 2004, Ch 4, pp , preprint available online at [3] S Li, Analyses and new designs of digital chaotic ciphers, PhD thesis, School 129 of Electronic and Information Engineering, Xi an Jiaotong University, Xi an, 130 China, available online at (2003) 131[4] C Li, Cryptanalyses of some multimedia encryption schemes, Master s thesis, 132 Department of Mathematics, Zhejiang University, Hangzhou, China, available 133 online at (May 2005) 134[5] C Li, S Li, D Zhang, G Chen, Cryptanalysis of a chaotic neural network 135 based multimedia encryption scheme, Lecture Notes in Computer Science (2004) [6] C Li, S Li, G Chen, G Chen, L Hu, Cryptanalysis of a new signal security 138 system for multimedia data transmission, EURASIP Journal on Applied Signal 139 Processing 2005 (8) (2005) [7] C Li, S Li, D Zhang, G Chen, Chosen-plaintext cryptanalysis of a clipped- 141 neural-network-based chaotic cipher, Lecture Notes in Computer Science (2005) [8] C Li, S Li, D-C Lou, On the security of the Yen-Guo s domino signal 144 encryption algorithm (DSEA), Elsevier Journal of Systems and Software 79 (2) 145 (2006) [9] S Li, C Li, K-T Lo, G Chen, Cryptanalysis of an image encryption scheme, 147 Journal of Electronic Imaging 15 (4) (2006) article number [10] C Li, S Li, G Álvarez, G Chen, K-T Lo, Cryptanalysis of two chaotic 149 encryption schemes based on circular bit shift and xor operations, Physics 150 Letters A 369 (1-2) (2007) [11] G Alvarez, S Li, Some basic cryptographic requirements for chaos-based 152 cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006)

10 154[12] D Arroyo, C Li, S Li, G Alvarez, Cryptanalysis of 155 a computer cryptography scheme based on a filter bank, available online at (2007) 157 [13] C Li, S Li, M Asim, J Nunez, G Álvarez, G Chen, On the security defects of an image encryption scheme, Cryptology eprint Archive: Report 2007/397, available online at (2007) 160[14] S Li, C Li, K-T Lo, G Chen, Cryptanalysis of an image scrambling 161 scheme without bandwidth expansion, accepted by IEEE Transactions 162 on Circuits and Systems for Video Technology, available online at (2007) 164[15] J Zhou, Z Liang, Y Chen, A O C, Security analysis of multimedia encryption 165 schemes based on multiple huffman table, IEEE Signal Processing Letters 14 (3) 166 (2007) [16] S Li, G Chen, A Cheung, B Bhargava, K-T Lo, On the design of 168 perceptual MPEG-video encryption algorithms, IEEE Transactions on Circuits 169 and Systems for Video Technology 17 (2) (2007) [17] G Alvarez, S Li, L Hernandez, Analysis of security problems in a medical 171 image encryption system, Computers in Biology and Medicine 37 (3) (2007) [18] IAIsmail,MAmin,HDiab,Howtorepairthehillcipher,JournalofZhejiang 174 University SCIENCE A 7 (12) (2006) [19] L S Hill, Cryptography in an algebraic alphabet, The American Mathematical 176 Monthly 36 (1929) [20] J Overbey, W Traves, J Wojdylo, On the keyspace of the hill cipher, 178 Cryptologia 29 (1) (2005)