arxiv: v2 [cs.cr] 29 Sep 2016

Transcription

1 Internatonal Journal of Bfurcaton and Chaos c World Scentfc Publshng Company Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton arxv: v [cs.cr] 9 Sep 016 Chengqng L 1 *, Yuansheng Lu 1, Leo Yu Zhang, and Mchael Z. Q. Chen 3 1 College of Informaton Engneerng, Xangtan Unversty, Xangtan , Hunan, Chna School of Mathematcs and Computatonal Scence, Xangtan Unversty, Xangtan , Hunan, Chna 3 Department of Mechancal Engneerng, The Unversty of Hong Kong, Hong Kong Ths paper re-evaluates the securty of a chaotc mage encrypton algorthm called MCKBA/ HCKBA and fnds that t can be broken effcently wth two known plan-mages and the correspondng cpher-mages. In addton, t s reported that a prevously proposed breakng on MCKBA/HCKBA can be further mproved by reducng the number of chosen plan-mages from four to two. The two attacks are both based on the propertes of solvng a composte functon nvolvng the carry bt, whch s composed of the modulo addton and the btwse OR operatons. Both rgorous theoretcal analyss and detaled expermental results are provded. Keywords: mage encrypton; chaos; chosen-plantext attack; carry bt. 1. Introducton The subtle smlartes between chaos and cryptography make chaos consdered as a specal way to desgn secure and effcent encrypton schemes [Chen et al., 4, 011]. Meanwhle, some cryptanalyss work demonstrated that some chaos-based encrypton schemes are vulnerable to varous conventonal attacks from the vewpont of modern cryptology [L et al., 4; Xao et al., 6; Solak et al., 010a,b]. In addton, some specfc securty flaws of chaos-based encrypton schemes were reported [Zhou & Au, 011; Chen et al., 01]. [Álvarez & L, 6] concluded some general approaches to evaluatng securty of chaosbased encrypton schemes. Due to the smplcty and low computaton complexty of btwse exclusve OR operaton and modulo addton, they are wdely used n tradtonal text encrypton schemes and hash functons. Possble generaton of carry bt by the modulo addton makes the two operatons are nether dentcal nor nterchangeable. Some propertes exstng n mult-round combnaton of the two basc operatons were derved to facltate dfferental attacks on some tradtonal text encrypton schemes or searchng collson of hash functons [Paul & Preneel, 5; Wang et al., 5]. Among many chaos-based encrypton schemes, the two operatons are the basc nvolved (even only) substtuton functons. In [L et al., 5], [L et al., 6], [L et al., 8], and [L et al., 9], the followng propertes about n-bt ntegers α, β, γ, x, y were found to support or enhance the proposed attacks on the correspondng encrypton schemes n turn. Correspondng author, chengqngg@gmal.com 1

2 C. L et al. If α β = n 1, then equaton (α x) = (β x) γ has unque soluton modulo n 1, where (a b) = (a + b) mod n ; Equaton (α β) (β γ) = (α β) (β γ) always exsts; If α β = γ, then α β γ; If (((x α) β) γ) x y, then y β (mod n 1 ). In 0, Yen et al. proposed a chaotc key-based algorthm (CKBA) by encryptng each pxel of a plan-mage by four possble operatons: XORng or XNORng t wth one of two predefned sub-keys. The exerted operaton s determned by a pseudo-random number sequence (PRNS) generated by teratng the logstc map [Yen & Guo, 0]. In, S. L et al. broke CKBA wth only one known/chosen-mage n [L & Zheng, ]. In 5, Socek et al. proposed an enhanced verson of CKBA (ECKBA) employng the followng four methods: 1) replacng the logstc map wth a pecewse lnear chaotc map (PWLCM); ) ncreasng the bt length of secret key to 18; 3) addng a modulo addton and an XOR operaton; 4) runnng all the basc encrypton functons multple tmes. To acheve a much better balance between encrypton load and securty of hgh level, n 7 Rao et al. proposed a modfed verson of CKBA (MCKBA) n [Rao & Gangadhar, 7] by employng a modular addton operaton lke [Socek et al., 5]. To further enhance the securty of MCKBA aganst brute-force attack, n 010 Gangadhar et al. replaced the logstc map wth a smple hyperchaos generator proposed n [Takahash et al., 4] and names the algorthm HCKBA (Hyper Chaotc-Key Based Algorthm) [Gangadhar & Rao, 010]. Snce the two schemes MCKBA and HCKBA share the same structure, [L et al., 011] analyzed them together and reported the followng ponts: Equvalent secret key of MCKBA/HCKBA can be obtaned from four pars of chosen-plantexts; Encrypton result of MCKBA/HCKBA s not senstve to changes of plan-mage; Encrypton result of MCKBA s not senstve to changes of two sub-keys. The lower bound on the number of queres (α, β) to solve unknown varable x n equaton n terms of modulo n 1 s 3 f n 4. y = (α x) (β x) (1) Ths paper re-evaluates the securty of MCKBA/HCKBA and reports the followng ponts: 1) some propertes of Eq. (1) are provded to support practcal approaches to solvng Eq. (1); ) MCKBA/HCKBA can be effcently broken wth two known-plantexts; 3) the chosen-plantext attack proposed n [L et al., 011] can be further mproved and the number of requred chosen-plantexts s only two. The rest of ths paper s organzed as follows. The mage encrypton algorthm under study s brefly ntroduced n Sec.. A known-plantext attack and an mproved chosen-plantext attack on the algorthm s presented n Sec. 3 wth expermental results. The last secton concludes ths paper.. The Chaotc Image Encrypton Algorthm Under Study The encrypton object of MCKBA s a gray-scale mage of sze M N (wdth heght), whch s scanned n the raster order and represented as a one dmensonal sequence I = I()} MN 1 =0. Then, a bnary sequence I b = I b (l)} 8MN 1 l=0 s constructed, where 7 j=0 I b(8 + j) j = I() for = 0 MN 1. Wth a pre-defned nteger parameter n, an n-bt number sequence J = J(k)} 8MN/n 1 s generated, where J(k) = n 1 j=0 I b(n k + j) j. In case (8MN) s not a multple of n, the sequence I b s padded wth some zero bts. Wthout loss of generalty, t s assumed that n can dvde (8MN) n ths paper. MCKBA operates on the ntermedate sequence J and obtans J = J (k)} 8MN/n 1, where J (k) = n 1 j=0 I b (n k + j) j. Fnally, cpher-mage I = I (k)} MN 1 s obtaned va I (k) = 7 j=0 I b (8 k + j) j. Based on the above prelmnary ntroducton, MCKBA s descrbed wth the followng four parts 1. 1 Snce the sole dfference between MCKBA and HCKBA s the generator of PRBS, only MCKBA s ntroduced here wth a concse and consstent form to llustrate the encrypton procedure.

3 Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton 3 The secret key: Two random numbers key 1, key 0,, n 1}, and the ntal condton x(0) (0, 1) of the logstc map x(k + 1) = 3.9 x(k) (1 x(k)), () where n 1 j=0 (key 1,j key,j ) = n/, key 1 = n 1 j=0 key 1,j j, key = n 1 j=0 key,j j, and denotes the exclusve OR (XOR) operaton. Intalzaton: Run Eq. () teratvely to generate a sequence x(k)} MN/(n) 1 and derve a pseudorandom bnary sequence (PRBS), b(l)} 16MN/n 1 l=0, from the 3-bt bnary representaton of elements of the sequence, namely x(k) = 3 j=1 b(3 k + j 1) j. Encrypton: For k = 0 8MN/n 1, encrypt the k-th plan-element of J va (J(k) key 1 ) key 1 f B(k) = 3; J (J(k) key 1 ) key 1 f B(k) = ; (k) = (3) (J(k) key ) key f B(k) = 1; (J(k) key ) key f B(k) = 0, where B(k) = b(k) + b(k + 1), and a b = a b = a b. Decrypton: The decrypton procedure s smlar to that of the encrypton except that Eq. (3) s replaced by (J (k) key 1 ) key 1 f B(k) = 3; (J (k) key 1 ) key 1 f B(k) = ; J(k) = (J (4) (k) key ) key f B(k) = 1; (J (k) key ) key f B(k) = 0, where a b = (a b + n ) mod n. 3. Cryptanalyss Assume that two plan-mages and the correspondng cpher-mages encrypted wth the same secret key are avalable, and let J 1 = J 1 (k)} 8MN/n 1 and J = J (k)} 8MN/n 1 denote the correspondng ntermedate sequences, respectvely. Then, one can assure that the two sequences and the correspondng encrypted results J 1 = J 1 (k)}8mn/n 1 and J = J (k)}8mn/n 1 satsfy J 1(k) J (k) (J 1 (k) key 1 ) (J (k) key 1 ) f B(k), 3}; = (5) (J 1 (k) key ) (J (k) key ) f B(k) 0, 1}. No matter what the value of B(k) s, the above equaton can be represented n the form of Eq. (1). In ths secton, we frst present some propertes of the kernel functon (1) on obtanng ts soluton and then llustrate how to obtan an equvalent secret key of MCKBA/HCKBA wth two known plan-mages and two chosen plan-mages, respectvely Some propertes of the kernel functon Property 1. Equvalent form of Eq. (1) ỹ = y α β = (α x) (β x) α β (6) can be represented as an teraton form ỹ +1 = c +1 c +1, c +1 = (x α ) (x c ) (α c ), c +1 = (x β ) (x c ) (β c ), where c 0 0, c 0 0, x = n 1 =0 x, α = n 1 =0 α, β = n 1 =0 β, ỹ = n 1 =0 ỹ (These notatons are the same herenafter.). (7)

4 4 C. L et al. Proof. Set c 0 = 0, one can calculate c +1 from c and α va c +1 = (x α ) (x c ) (α c ) (8) for = 0 n. So, c +1 denote the carry bt generated by x and α n the -th bt plane. Set c 0 = 0, one can then obtan c +1 = (x β ) (x c ) (β c ) for = 0 n. Smlarly, c +1 denote the carry bt generated by x and β n the -th bt plane. Obvously, ỹ 0 = (α 0 x 0 ) (β 0 x 0 ) α 0 β 0 0. Then, the ( + 1)-th bt plane of Eq. (6) can be represented as ỹ +1 = (α +1 c +1 x +1 ) (β +1 c +1 x +1 ) α +1 β +1 = c +1 c +1, where = 0 n. So, ỹ can be easly calculated teratvely accordng to Eq. (7) for = 0 n, whch can also be done va checkng Table 1 lstng the values of ỹ +1 under all possble dfferent values of α, β, ỹ, x, and c. Table 1. The values of ỹ +1 correspondng to the values of α, β, ỹ, x, and c. (x, c ) (α, β, ỹ ) (0, 0, 0) (0, 0, 1) (0, 1, 0) (0, 1, 1) (1, 0, 0) (1, 0, 1) (1, 1, 0) (1, 1, 1) (0, 0) (0, 1) (1, 0) (1, 1) Property. Gven (α, β, ỹ, ỹ +1 ), no nformaton about x, c and c can be obtaned (Note that c 0 and c 0 are excluded snce they are pre-defned constants.) f and only f (4α + β + ỹ ) 0, 6}. Proof. Snce only the data n the 0, 6-th column (zero-based) of Table 1 are dentcal, t s mpossble to obtan any nformaton about x, c and c from (α, β, ỹ, ỹ +1 ) f and only f (4α + β + ỹ ) 0, 6}. Property 3. Gven (α, β, ỹ, ỹ +1 ), the unknown bt x can be determned va x = α ỹ +1, f and only f (4α + β + ỹ ) 1, 7}. Proof. Only under the cases shown n the 1, 7-th column of Table 1, x can be determned by (α, β, ỹ, ỹ +1 ) wthout knowledge of c. It s easy to verfy that x = α ỹ +1 n terms of value. Property 4. Gven (α, β, ỹ, ỹ +1 ), carry bts c and c can be determned va c = β ỹ +1 and c = β ỹ +1 ỹ f and only f (4α + β + ỹ ) 3, 5}. Proof. Only under the cases shown n the 3, 5-th column of Table 1, c can be determned by (α, β, ỹ, ỹ +1 ) wthout knowledge of x. It s easy to verfy that c = β ỹ +1 n terms of value. Then, one can obtan c = β ỹ +1 ỹ snce c = c ỹ. Property 5. Gven (α, β, ỹ, ỹ +1 ), the scope of the unknown bts x, c can be narrowed va (0, 0), (1, 1)} f ỹ +1 = 0; (x, c ) (0, 1), (1, 0)} f ỹ +1 = 1, (9) f and only f (4α + β + ỹ ), 4}.

5 Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton 5 Proof. Referrng to the cases shown n the, 4-th column of Table 1, the scope of (x, c ) can be narrowed accordng to value of ỹ +1. It s easy to obtan Eq. (9) from Table 1. Therefore, the f part of the property s proven. Note that the number of possble values of (4α + β + ỹ ) s only eght, and the suffcent and necessary condtons on obtanng dfferent nformaton on x and c under other sx cases have been presented. Therefore, the only f part of the property s also proven. Property 6. If (α 1 β 1 ) = 1 and ỹ = 1, one has c = α 1, where 1,,, n }. Proof. When (α 1, β 1 ) = (1, 0) and ỹ = 1, one can get c = 1 from Eq. (7) no matter the value of x 1. Smlarly, one has c = 0 when (α 1, β 1 ) = (0, 1) and ỹ = 1. So, the property s proven. Property 7. Gven α, β, ỹ, some bts among the (n 1) least sgnfcant bts of x n Eq. (6) can be determned from the least sgnfcant bt to the most sgnfcant one. Proof. The concrete approaches to solvng Eq. (1) and determnng the carry bts can be dvded nto the followng two classes of operatons. Obtanng nformaton on x 0 and c 1 : Accordng to how much nformaton on x 0 and c 1 can be obtaned, (α 0, β 0, ỹ 0 ) s further classfed as the followng two cases. (a) (4α 0 + β 0 + ỹ 0 ) 0, 6}: Referrng to Property, x 0 can not be determned n ths case, but one can obtan c 1 = 0 f α 0 = 0. (b) (4α 0 + β 0 + ỹ 0 ), 4}: As c 0 = 0, one can obtan 0 f ỹ 1 = 0; x 0 = (10) 1 f ỹ 1 = 1, from Eq. (9). Then, one can further obtan 0 f ỹ 1 = 0; c 1 = 1 f α 0 = 1 and ỹ 1 = 1; 0 f α 0 = 0 and ỹ 1 = 1. Obtanng nformaton on x, c and c +1 for = 1 n : Accordng to how much nformaton on x, c and c +1 can be obtaned by checkng (α, β, ỹ ) and the obtaned nformaton on c for = 1 n n order, (α, β, ỹ ) s categorzed as the followng four cases. (a) (4α + β + ỹ ) 0, 6}: Referrng to Property, no nformaton on x can be determned n ths case. The value of c +1 can be determned by Eq. (8) f (b) (4α + β + ỹ ) 1, 7}: One has c + α } 0, } s known. (11) x = α ỹ +1 (1) from Property 3. If c has been determned, one can obtan c +1. Even c s stll unknown, one can confrm c +1 by Eq. (8) f (α + x ) = 0 or (α + x ) = s known. (c) (4α + β + ỹ ), 4}: If c has been determned, based on Property 5 one can obtan 1 ỹ +1 f c = 1; x = (13) ỹ +1 f c = 0, and further confrm the value of c +1. (d) (4α + β + ỹ ) 3, 5}: Referrng to Property 4, one can obtan c = β ỹ +1. As confrmaton of c s equvalent to that of c, the latter s not mentoned.

6 6 C. L et al. 3.. Known-plantext attack Known-plantext attack s one of the classc attack models where the attacker (or cryptanalyst) can access both some plantexts and the correspondng encrypton results encrypted wth the same secret key. In [Gangadhar & Rao, 010, Sec. 3.], the orgnal authors clamed that HCKBA has strong vulnerablty aganst known-plantext attack. However, we found MCKBA/HCKBA s very weak aganst the attack, whch s supported by the propertes of Eq. (1) shown n the prevous subsecton. Under the scenaro of known-plantext attack, breakng MCKBA/HCKBA s to determne some nformaton of ts equvalent secret key, key1, key and B(k)} 8MN/n 1, by solvng Eq. (5) and utlzng some propertes of MCKBA/HCKBA. From Property 7, one can see that some bts of key1 and key can be obtaned from Eq. (5) for any k 0,, 8MN/n 1}, where the other unknown bts are just set as zero. Let key(k) denote the obtaned soluton of Eq. (5) and s(k, ) represent key(k) s confrmed defntely or not,.e. set s(k, ) = 1 f key(k) s confrmed by Eq. (10), Eq. (1), or Eq. (13); otherwse set s(k, ) = 0, where key(k) = n 1 =0 key(k), and k = 0 8MN/n 1. Then, one may reconstruct set key1, key} from key(k)} 8MN/n 1 and s(k, )} 8MN/n 1,n,=0 by dentfyng and combnng the known bts belongng to the same number, whch s descrbed by the followng steps. Step 1): Set K = key(0), key(1),, key(8mn/n 1)}. Delete some elements of K to assure that every par of elements of K has at least one dfferent confrmed bt. Step ): Search for the frst two elements n K whose number of confrmed bts are most but the confrmed bts of the two elements are not all the same. Let Seed(0) and Seed(1) denote the two seed elements and delete them from K. Step 3): Check each element of K n turn and do the followng two operatons f t has one confrmed bt whch s dfferent from that of Seed(): 1) update Seed(1 ) by combnng all the confrmed bts of the element nto that of Seed(1 ); ) delete the element from K, where 0, 1}. Step 4): Repeat Step 3) teratvely tll the numbers of confrmed bts of Seed(0) and Seed(1) are not ncreased n the whole step. Step 5): Termnate the whole search operaton when all bts of Seed(0) and Seed(1) are confrmed bts; otherwse repeat Step ) through Step 4) tll the cardnalty of K s less than. Let us study the probablty on obtanng x and c wth one par of α, β and ỹ under assumpton that α, β and x dstrbutes over 0,, n 1} unformly. Frst, one has P rob(c 0 = 1) = 0 and P rob(c = 1) = 3 4 P rob(c 1 = 1) P rob(c 1 = 0) for = 1 n 1. Solve the above teraton functon, one can obtan P rob(c = 1) = Obvously, one has P rob(ỹ 0 = 0) = 1. Observe Table 1, one can see that the value of ỹ s determned by the values of ỹ 1, c 1, x 1, α 1 and β 1 for = 1 n 1. Consderng all possble cases, one has ( ( 1 P rob(ỹ = 0)=P rob(ỹ 1 = 0) P rob(c 1 = 0) ) ( ( 1 +P rob(ỹ 1 = 1) P rob(c 1 = 0) = 3 4 P rob(ỹ 1 = 0) + 1 P rob(ỹ 1 = 1) for = 1 n 1. Solve the teraton functon, one can obtan ( 1 + P rob(c 1 = 1) ) + P rob(c 1 = 1) + 1 )) 1 1 ( )) P rob(ỹ = 0) = (14) From the proof of Property 7, one can frst calculate P rob[c 0 ] = 1, P rob[c 1 ] = P rob((4α 0 + β 0 + ỹ 0 )

7 Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton 7 0, 6}) 1 + P rob((4α 0 + β 0 + ỹ 0 ), 4}) 1 = = 3 4 and P rob[c ]=P rob((4α + β ) 0, 6})P rob(ỹ 1 = 0)P rob[c 1 ]P rob(condton (11) holds) +P rob((4α + β ) 0, 6})P rob(ỹ 1 = 1) (P rob[c 1 ] + (1 P rob[c 1 ])P rob((α + x ) 0, })) +P rob((4α + β ), 4})P rob(ỹ 1 = 0)P rob[c 1 ] + P rob((4α + β ), 4})P rob(ỹ 1 = 1) = 1 P rob(ỹ 1 = 0)P rob[c 1 ] ( P rob(ỹ 1 = 1) P rob[c 1 ] + (1 P rob[c 1 ]) 1 ) + 1 P rob(ỹ 1 = 0)P rob[c 1 ] + 1 P rob(ỹ 1 = 1) ( 1 =P rob[c 1 ] P rob(ỹ 1 = 0) ( 7 =P rob[c 1 ] ) P rob(ỹ 1 = 1) ) (15) for = n 1, where P rob[a] denotes the probablty that the bt a can be confrmed. Fnally, one has P rob[x 0 ] = 1 and P rob[x ]= 1 P rob(ỹ = 1) + 1 P rob(ỹ = 0)P rob[c ] (16) for = 1 n. Incorporate Eq. (14) and Eq. (15) nto Eq. (16), one can obtan that P rob[x 0 ] = 1, P rob[x 1 ] = 0.406, P rob[x ] = , and P rob[x ] 0.37 for 3. Now, one can assure that key1 and key can not be confrmed defntely wth a probablty smaller than or equal to (1 0.37) n 0 = 0.63 n 0 and 0.63 (8MN/n n 0) respectvely, where n 0 s cardnalty of the set k B(k), 3}, k = 0 8MN/n 1}. Note that confrmaton of the bts of x n Eq. (1) s determned by α, β, and the used unknown varable x, and no any bt can be confrmed under some cases (See the examples shown n Table ). In addton, as for plantext chose from natural mages, α follows Gaussan dstrbuton. But, we can stll beleve that the set key1, key} can be reconstructed n a hgh probablty snce the values of n 0 and 8MN/n n 0 are both very large n general. Table. The number of confrmed bts of x n Eq. (1) under some sets of (α, β, ỹ) when n = 8, where ỹ s determned by (α, β, x) va Eq. (1). x (α, β) (0, 1) (17, 54) (31, 10) (44, 93) (51, 95) (73, 79) (87, 1) (15, 16) Referrng to Proposton 1 and Eq. (3), one can obtan the scope of B(k), 1, 3} f (J 1 B(k) = (k) J 1(k)) mod = 0; 0, } otherwse, for k = 0 8MN/n 1. Proposton 1. Assume that a and x are both n-bt ntegers and n Z +, ((a x) x) has the same party as a and ((a x) x) has opposte party as a. (17)

8 8 C. L et al. Proof. Exstence of four equatons ((1 + x 0 ) mod ) x 0 1, ((0 + x 0 ) mod ) x 0 0, ((1 + x 0 ) mod ) x 0 0, ((0 + x 0 ) mod ) x 0 1, s ndependent of x 0, so the proposton s proved. Proposton. Assume that a and x are both n-bt ntegers, n Z +, one has the followng two equatons (a x) x = (a x n 1 ) (x n 1 ), (a x) x = (a x n 1 ) (x n 1 ). Proof. See the proof of Proposton 1 n [L et al., 011]. Accordng to the pre-defned condton key1 key, there are only two possble combnatons of key1 and key. Let (key1, key ) denote the searched verson of (key1, key). Proposton llustrates that the unknown most sgnfcant bt of key1 = n 1 j=0 key1 j j and key = n 1 j=0 key1 j j has no nfluence on decrypton of MCKBA/HCKBA. Then, one can further obtan the approxmate value of B(k), B (k), and the n 1 least sgnfcant bts of key1 and key by the followng two dfferent ways: W1) For k = 0 8MN/n 1, one has 3 f F (key1, J 1(k), J 1 (k)) = 0, F (key, J 1(k), J 1 (k)) 0 or F (key1, J (k), J (k)) = 0, F (key, J (k), J (k)) 0; f G(key1, J 1(k), J 1 (k)) = 0, G(key, J 1(k), J 1 (k)) 0 B or G(key1 (k) =, J (k), J (k)) = 0, G(key, J (k), J (k)) 0; 1 f F (key1, J 1(k), J 1 (k)) 0, F (key, J 1(k), J 1 (k)) = 0 or F (key1, J (k), J (k)) 0, F (key, J (k), J (k)) = 0; 0 f G(key1, J 1(k), J 1 (k)), G(key, J 1(k), J 1 (k)) = 0 or G(key1, J (k), J (k)) 0, G(key, J (k), J (k)) = 0, where F (x, α, y) = y ((α x) x), G(x, α, y) = y ((α x) x). Note that Eq. (17) makes only two condtons n Eq. (18) need beng verfed. Obvously, one can assure that n j=0 key 1,j j = n j=0 key 1,j j, n j=0 key,j j = n j=0 key,j j. W) When there exsts 0,, n } satsfyng that s(k, ) = 1, one can obtan B (k) = (18), 3} 0, 1} f key(k) key ; f key(k) key1, (19) for k = 0 8MN/n 1. Then, the value of B(k) can be obtaned by settng B (k) = B (k) B(k) for k = 0 8MN/n 1. Fnally, one can conclude that (key1, key ) = ( n =0 key1, n =0 key ), and B (k)} 8MN/n 1 can work together as equvalent secret key of MCKBA/HCKBA due to that (key1, key, B(k)) = (a, b, c) and (key1, key, B(k)) = (b, a, (c + ) mod 4) are equvalent for Eq. (4). Now, let s study the success probablty of the above two methods. The success of the method W1) depends on exstence of one of the eght condton n Eq. (18). As F (x, α, y) = 0 f and only f G(x, α, y ( n 1)) = 0, only one of the two functons need beng studed. Obvously, F (x, 0, y) y, F (x, n 1, y) y n 1 (0).

9 Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton 9 So, B(k) can not be confrmed by Eq. (18) when J 1 (k) 0, n 1 } and J (k) 0, n 1 } exst at the same tme. It s very hard to derve the probablty for other cases theoretcally. Instead, we calculate the probablty that F (x 1, α, y) = F (x, α, y) = 0 va smulaton, where n 1 (x 1,j x,j ) = n/, (1) j=0 x 1 = n 1 j=0 x 1,j j, x = n 1 j=0 x,j j. Assume key1, key dstrbutes unformly, the dstrbuton of probablty F (key1, α, y) = F (key, α, y) = 0 under dfferent values of α and some values of n s shown n Fg n = α n = α n = α Fg. 1. (1). The probablty F (x 1, α, y) = F (x, α, y) = 0 under dfferent value of α, where x 1, x satsfy the constrant condton The success of the method W) can be analyzed as follows. Assume key1, key dstrbutes unformly, one can get the probablty that at least one bt (exclude the most sgnfcant bt) of key(k) satsfy s(k, ) = 1 and one condton of Eq. (19) s n 1 ( ) ( ) n 1 P rob[eq. (19) holds]=1 (P rob[x ]) (1 P rob[x ]) n 1 1 =0 n 1 ( ) ( n =0 ( ) 1 n 1 n 1 ( n 1 =1 =0 ( ) 3 n 1 =1. 4 ) ( 1 1 ) ( 1 ) ) n 1 ( ) 1 From the above analyss, one can see that B(k), k = 0 8MN/n 1, can be determned wth a probablty larger than 1 ( 3 n 1 4) when α, β and x n Eq. (1) dstrbutes unformly. Although pxels of natural mages follow Gaussan dstrbuton, and J 1 (k) and J (k) n Eq. (5) do not dstrbute unformly, we stll can beleve that the success probablty of ths method s very hgh snce only one bt satsfyng the condtons n Eq. (19) s needed, especally when n s relatvely large. To verfy the real performance of the above analyss, a number of experments are carred out on some plan-mages of sze wth the method W1) when n = 3. When x 0 = / 3, key 1 = , and key = Two known plan-mages Peppers and Baboon, and the correspondng cpher-mages are adopted. Equvalent key key1, key and B (k)} 8MN/n 1 s used to decrypt another cpher-mage shown n Fg. a) and the recovered result s shown n Fg. b), whch s

10 10 C. L et al. dentcal wth the orgnal verson. From the experment, we found that only a lttle pxels (no more than ten pxels for plan-mage of sze 51 51) are not recovered correctly when n 8. Ths agree wth our expectaton as the probablty that none of condton of Eq. (18) and condton (0) are satsfed become larger when n s smaller. a) b) Fg.. The decrypton result of another cpher-mage encrypted wth the same secret key: a) cpher-mage; b) decrypted plan-mage Chosen-plantext attack Chosen-plantext attack s an enhanced verson of known-plantext attack, where the plantext can be chosen arbtrarly to obtan the nformaton about the secret key n a more effcent way. In ths subsecton, the chosen-plantext attack on MCKBA/HCKBA s brefly ntroduced due to the followng two ponts: 1) the known-plantext attack on MCKBA/HCKBA works well n a relatvely hgh probablty and the chosen-plantext verson can mprove ts performance a lttle; ) the underlyng theorem supportng the attack proposed n [L et al., 011, Theorem 1] s not rght and corrected n Proposton 3. Proposton 3. Assume that α, β, x are all n-bt ntegers, then a lower bound on the number of queres (α, β) to solve Eq. (1) n terms of modulo n 1 for any x s 1 f n = ; f n >. Proof. When n =, one can obtan x 0 = ỹ 1 by choosng (α 0, β 0 ) = (1, 0). When n >, ỹ 1 may be equal to zero or one no matter what (α 0, β 0 ) s, whch means that t s mpossble to satsfy the condton of Property 3 for any x. So, we have to resort to another query (α, β ). Let α, β, y, ỹ and c denote the counterparts of α, β, y, ỹ, and c correspondng to (α, β ). Gven a set of (α +k, β +k ) and (α +k, β +k ), one can obtan (c +k+1, ỹ +k+1 ) and (c +k+1, ỹ +k+1 ) from (c +k, ỹ +k ) and (c +k, ỹ +k ), respectvely, where, k are non-negatve ntegers. Let arrows of plan head and V-back head denote x +k = 0 and x +k = 1, respectvely, Fg. 3 llustrates the mappng relatonshp between (c +k, ỹ +k, c +k, ỹ +k ) and (c +k+1, ỹ +k+1, c +k+1, ỹ +k+1 ) for a gven (α +k, β +k, α +k, β +k ), where k = 0, 1. Snce (c 0, ỹ 0, c 0, ỹ 0 ) (0, 0, 0, 0), the dashed arrows n Fg. 3 descrbe operatons of Eq. (6) n the two least sgnfcant bt planes correspondng to two sets of (α, β). Note that the data n the thrd column s exactly the same as the frst one. Therefore, Fg. 3 demonstrates operatons of Eq. (6) under all dfferent bt levels f the varable goes through t, where t = 0 n/ and + k n 1. Referrng to Fg. 3, t can be easly verfed that 1 y, y } s always satsfed, whch means that x can be derved from Table 1. Under scenaro of chosen-plantext attack, one may make the plantext satsfy that at least one par of elements n (J 1 (k), J (k)) B(k) 0, 1}} whose -th bt plane satsfy the condton of Property 3.

11 Breakng a chaotc mage encrypton algorthm based on modulo addton and XOR operaton 11 αβ 01 α α β = + 1β + 1 = 10 α 1β c y% c y% x = 0 x = 1 c c y % y% x + = x + = c c 01 y % + + y% a) Fg. 3. Relatonshp between (c +k, ỹ +k, c +k, ỹ +k ) and (c +k+1, ỹ +k+1, c +k+1, ỹ +k+1 ) for a gven (α +k, β +k, α +k, β +k ), where k = 0, 1. The same case exsts for (J 1 (k), J (k)) B(k), 3}}. The expected chosen-plantext can be obtaned n a hgh probablty by assgnng (J 1 (k), J (k)) wth one of the two sets of number gven n Corollary 3.1 randomly. Compared wth the known-plantext attack, the chosen-plantext attack has the followng two superor performances: 1) the set key1, key} can be reconstructed wth much less complexty and much hgher degree of accuracy; ) the bts of key(k) can be confrmed wth a lttle hgher probablty. Corollary 3.1. The (n 1) least sgnfcant bts of x n Eq. (1) can be determned easly by settng (α, β) wth the followng two sets of numbers ( n/ 1 ) ( n/ 1 ) } () 4 j mod n, (10) 4 j mod n, j=0 j=0 ( n/ 1 ) ( n/ 1 ) } (10) 4 j mod n, (01) 4 j mod n, j=0 and checkng the correspondng ỹ = y α β. Proof. The proof s straghtforward and therefore omtted. j=0 4. Concluson In ths paper, the securty of the mage encrypton algorthm MCKBA/HCKBA has been restuded n detal. Based on some propertes of a composte functon composed of the modulo addton and the XOR operaton, a known-plantext attack and an mproved chosen-plantext attack were provded to determne an equvalent secret key of MCKBA/HCKBA. The cryptanalyss provded n ths paper sheds some lght on breakng other encrypton schemes based on multple combnaton of the modulo addton and XOR operatons. Acknowledgement Ths research was supported by the Natonal Natural Scence Foundaton of Chna (No ), Scentfc Research Fund of Hunan Provncal Educaton Department (No. 11B14), and Research Fund of Xangtan Unversty (No. 011XZX16).

12 1 REFERENCES References Álvarez, G. & L, S. [6] Some basc cryptographc requrements for chaos-based cryptosystems, Internatonal Journal of Bfurcaton and Chaos 16, Chen, F., Wong, K.-W., Lao, X. & Xang, T. [01] Perod dstrbuton of generalzed dscrete arnold cat map for N=pe, IEEE Transactons on Informaton Theory 58, Chen, G., Mao, Y. & Chu, C. K. [4] A symmetrc mage encrypton scheme based on 3D chaotc cat maps, Chaos, Soltons & Fractals 1, Chen, J., Zhou, J. & Wong, K.-W. [011] A modfed chaos-based jont compresson and encrypton scheme, IEEE Transactons on Crcuts and Systems II 58, Gangadhar, C. & Rao, K. D. [010] Hyperchaos based mage encrypton, Internatonal Journal of Bfurcaton and Chaos 19, L, C., Chen, M. Z. Q. & Lo, K.-T. [011] Breakng an mage encrypton algorthm based on chaos, Internatonal Journal of Bfurcaton and Chaos 1, L, C., L, S., Asm, M., Nunez, J., Alvarez, G. & Chen, G. [9] On the securty defects of an mage encrypton scheme, Image and Vson Computng 7, L, C., L, S. & Lou, D.-C. [6] On the securty of the Yen-Guo s domno sgnal encrypton algorthm (DSEA), Journal of Systems and Software 79, L, C., L, S., Zhang, D. & Chen, G. [5] Chosen-plantext cryptanalyss of a clpped-neural-networkbased chaotc cpher, Lecture Notes n Computer Scence 3497, L, S., Chen, G. & Mou, X. [4] On the securty of the Y-Tan-Sew chaotc cpher, IEEE Transactons on Crcuts and Systems II: Express Brefs 51, L, S., L, C., Chen, G. & Lo, K.-T. [8] Cryptanalyss of the RCES/RSES mage encrypton scheme, Journal of Systems and Software 81, L, S. & Zheng, X. [] Cryptanalyss of a chaotc mage encrypton method, Proceedngs of IEEE Internatonal Symposum on Crcuts and Systems, pp Paul, S. & Preneel, B. [5] Near optmal algorthms for solvng dfferental equatons of addton wth batch queres, Lecture Notes n Computer Scence 3797, Rao, K. & Gangadhar, C. [7] Modfed chaotc key-based algorthm for mage encrypton and ts VLSI realzaton, Proceedngs of the 7 15th Internatonal Conference on Dgtal Sgnal Processng, pp Socek, D., L, S., Maglveras, S. S. & Furht, B. [5] Enhanced 1-D chaotc key-based algorthm for mage encrypton, Proceedngs of the Frst IEEE/CreateNet Internatonal Conference on Securty and Prvacy for Emergng Areas n Communcaton Networks (SecureComm 5), pp Solak, E., Cokal, C., Yldz, O. T. & Bykoglu, T. [010a] Cryptanalyss of Frdrch s chaotc mage encrypton, Internatonal Journal of Bfurcaton and Chaos 0, Solak, E., Rhouma, R. & Belghth, S. [010b] Cryptanalyss of a mult-chaotc systems based mage cryptosystem, Optcs Communcatons 83, Takahash, Y., Nakano, H. & Sato, T. [4] A smple hyperchaos generator based on mpulsve swtchng, IEEE Transactons on Crcuts and Systems II-Express Brefs 51, Wang, X., La, X., Feng, D., Chen, H. & Yu, X. [5] Cryptanalyss of the hash functons MD4 and RIPEMD, Lecture Notes n Computer Scence 3494, Xao, D., Lao, X. & Wong, K.-W. [6] Improvng the securty of a dynamc look-up table based chaotc cryptosystem, IEEE Transactons on Crcuts and Systems II: Express Brefs 53, Yen, J.-C. & Guo, J.-I. [0] A new chaotc key-based desgn for mage encrypton and decrypton, Proceedngs of IEEE Internatonal Symposum on Crcuts and Systems, pp Zhou, J. & Au, O. C. [011] On the securty of chaotc convolutonal coder, IEEE Transactons on Crcuts and Systems I-Regular Papers 58,