arxiv: v1 [cs.cr] 5 Dec 2007

Cryptanalysis of an image encryption scheme based on the Hill cipher

Chengqing Li (a), Dan Zhang (b), and Guanrong Chen (a)

arXiv:0712.0693v1 [cs.CR] 5 Dec 2007

(a) Department of Electronic Engineering, City University of Hong Kong, Kowloon Tong, Hong Kong SAR, China
(b) College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, Zhejiang, China

Corresponding author: Chengqing Li (swiftsheep@hotmail.com)

Preprint submitted to J. of Zhejiang University SCIENCE, 24 October 2018

Abstract

This paper studies the security of an image encryption scheme based on the Hill cipher and reports its following problems: 1) there is a simple necessary and sufficient condition that makes a number of secret keys invalid; 2) it is insensitive to the change of the secret key; 3) it is insensitive to the change of the plain-image; 4) it can be broken with only one known/chosen-plaintext; 5) it has some other minor defects.

Key words: cryptanalysis, encryption, Hill cipher, known-plaintext attack
CLC: TN918, TP39308

1 Introduction

The history of cryptography can be traced back to the secret communication among people thousands of years ago. With the development of human society and industrial technology, theories and methods of cryptography have been changed and improved gradually, and meanwhile cryptanalysis has also been developed. In 1949, Shannon published his seminal paper "Communication theory of secrecy systems" [1], which marked the beginning of the modern cryptology.

In the past two decades, the security of multimedia data has become more and more important. However, it has been recognized that the traditional text-encryption schemes cannot efficiently protect multimedia data due to some special properties of the multimedia data, such as strong redundancy and bulk size of the uncompressed data. To meet this challenge, a number of special image encryption schemes based on some nonlinear theories were proposed [2-4]. Yet, many of them are found to be insecure from the viewpoint of cryptography [5-17].

In [18], Ismail et al. tried to encrypt images efficiently by modifying the classical Hill cipher [19]. This paper studies the security of the scheme proposed in [18] and reports the following findings: 1) there exist a number of invalid secret keys; 2) the scheme is insensitive to the change of the secret key; 3) the scheme is insensitive to the change of the plain-image; 4) the scheme can be broken with only one known/chosen plain-image; 5) the scheme has some other minor performance defects.

The rest of this paper is organized as follows. The next section briefly introduces the encryption scheme to be studied. Section 3 presents detailed cryptanalysis of the scheme. The last section concludes the paper.

2 The image encryption scheme to be studied

The scheme proposed in [18] scans the gray scales of a plain-image $P$ (or one channel of a color image) of size $M \times N$ in a raster order and divides it into $MN/m$ vectors of size $m$: $\{P_l\}_{l=1}^{MN/m}$, where $P_l = \{P((l-1) \cdot m + 1), \ldots, P((l-1) \cdot m + m)\}$ (the last vector is padded with some zero bytes if $MN$ cannot be divided by $m$). Then, the vectors $\{P_l\}_{l=1}^{MN/m}$ are encrypted in increasing order with the following function:

$$C_l = (P_l K_l) \bmod 256, \tag{1}$$

where $K_1 = (K_1[i,j])_{m \times m}$, $K_1[i,j] \in \mathbb{Z}_{256}$, the initial state of $K_{l \geq 2}$ is set to be $K_{l-1}$, and then every row of $K_l$ is generated iteratively with the following function, for $i = 1 \sim m$:

$$K_l[i,:] = (IV \cdot K_l) \bmod 256, \tag{2}$$

where $IV$ is a vector of size $1 \times m$ and $IV[i] \in \mathbb{Z}_{256}$. Finally, the cipher-image is obtained as $C = \{C_l\}_{l=1}^{MN/m}$.

The secret key of the encryption scheme includes three parts: $m$, $K_0$, and $IV$.

The decryption procedure is the same as the above encryption procedure except that Eq. (1) is replaced by the following function:

$$P_l = (C_l K_l^{-1}) \bmod 256, \tag{3}$$

where $(K_l K_l^{-1}) \bmod 256 = I$, the identity matrix.

3 Cryptanalysis

3.1 Some Defects of the Scheme

3.1.1 Invalid keys

An invalid key is a key that fails to ensure the success of the encryption scheme. From the following Fact 1 and Corollary 1, one can see that one secret key in the above-described scheme is invalid if and only if $\gcd(K_1, 256) \neq 1$ or $IV[i] \bmod 2 = 0$.

Fact 1. A matrix $K$ is invertible in $\mathbb{Z}_n$ if and only if $\gcd(\det(K), n) = 1$.

Proposition 1. $\det(K_l) = \left(\prod_{i=1}^{m} IV[i]\right) \det(K_{l-1})$.

Proof: According to Eq. (2), there is a relation between $K_l$ and $K_{l-1}$, as follows:

$$K_l = \begin{bmatrix} \sum_{i=1}^{m} IV[i] K_{l-1}[i,:] \\ IV[1] K_l[1,:] + \sum_{i=2}^{m} IV[i] K_{l-1}[i,:] \\ \vdots \\ \sum_{i=1}^{m-1} IV[i] K_l[i,:] + IV[m] K_{l-1}[m,:] \end{bmatrix} \bmod 256. \tag{4}$$

Subtracting $\sum_{i=1}^{i_0-1} IV[i] K_l[i,:]$ from $K_l[i_0,:]$ for $i_0 = m \sim 2$, one gets

$$K'_l = \begin{bmatrix} \sum_{i=1}^{m} IV[i] K_{l-1}[i,:] \\ \sum_{i=2}^{m} IV[i] K_{l-1}[i,:] \\ \vdots \\ IV[m] K_{l-1}[m,:] \end{bmatrix} \bmod 256. \tag{5}$$

Subtracting $K'_l[i_0,:]$ from $K'_l[i_0-1,:]$ for $i_0 = 2 \sim m$, one has

$$K''_l = \begin{bmatrix} IV[1] K_{l-1}[1,:] \\ IV[2] K_{l-1}[2,:] \\ \vdots \\ IV[m] K_{l-1}[m,:] \end{bmatrix} \bmod 256. \tag{6}$$

Obviously, $\det(K_l) = \det(K'_l) = \det(K''_l) = \left(\prod_{i=1}^{m} IV[i]\right) \det(K_{l-1})$, which completes the proof of the proposition.

Corollary 1. $\det(K_l) = \left(\prod_{i=1}^{m} IV[i]\right)^{l-1} \det(K_1)$.

Proof: The result directly follows from Proposition 1.

3.1.2 Insensitivity to the change of the secret key

Although it is claimed in [18, Sec. 5] that the encryption scheme is very sensitive to the change of the sub-keys $K_1$, $IV$, this is not true.

Let's first study the influence on $K_{l \geq 2}$ if only one bit of $K_1$ is changed. Without loss of generality, assume that the $n$-th significant bit of $K_1[1, j_0]$ is changed from zero to one, where $0 \leq n \leq 7$. Let $\tilde{K}_l$ denote the modified version of $K_l$. The change $D_l = \tilde{K}_l - K_l$ can be presented by the following two equations:

$$D_l[:,j] \equiv 0, \quad \text{for } j \neq j_0, \tag{7}$$

$$D_l[:,j_0] = \begin{bmatrix} \sum_{i=1}^{m} IV[i] D_{l-1}[i,j_0] \\ IV[1] D_l[1,j_0] + \sum_{i=2}^{m} IV[i] D_{l-1}[i,j_0] \\ \vdots \\ \sum_{i=1}^{m-1} IV[i] D_l[i,j_0] + IV[m] D_{l-1}[m,j_0] \end{bmatrix} \bmod 256, \tag{8}$$

where $D_1[1,j_0] = 2^n$, $D_1[i,j_0] = 0$, $i = 2 \sim m$. Since $IV[i] \bmod 2 \neq 0$, $D_l[i,j_0] \neq 0$ always exist. From Eq. (8), one can see that $D_l[i,j_0] \geq 2^n$ exists, which means that only the $n_0$-th bit of $C_l[j_0]$ may possibly be changed, where $n_0 \geq n$. Note also that there is no influence on $C_l$ if $(P_l D_l[:,j_0]) \bmod 256 = 0$.

To verify the above analysis, an experiment has been carried out using a plain-image Lenna with the secret key

$$m = 4, \quad IV = (3\ \ 9\ \ 17\ \ 33), \quad K_1 = \begin{bmatrix} 11 & 2 & 3 & 7 \\ 8 & 5 & 19 & 103 \\ 201 & 203 & 119 & 150 \\ 7 & 9 & 21 & 35 \end{bmatrix}. \tag{9}$$

Only the 5-th significant bit of $K_1[1,2]$ is changed, namely $\tilde{K}_1[1,2] = (K_1[1,2] + 2^5) \bmod 256$. Let $\tilde{C}$ denote the cipher-image corresponding to $\tilde{K}_1$. The bit-planes of the difference between $C$ and $\tilde{C}$ are shown in Fig. 1, which demonstrates the very weak sensitivity of the encryption scheme with respect to $K_1$.

Fig. 1. The bit-planes of the difference between $C$ and $\tilde{C}$ when one bit of $K_1$ is changed: a) 0∼4-th; b) 5-th; c) 6-th; d) 7-th.

Now, consider the influence on $K_{l \geq 2}$ if only one bit of $IV$ is changed. Without loss of generality, assume the $n$-th significant bit of $IV[1]$ is changed from zero to one. Similarly, let $D_l$ denote the change of $K_l$. Due to the extremely complex formulation of $D_{l \geq 3}$, only $D_2$ is shown here:

$$D_2[:,j] = \begin{bmatrix} K_1[1,j] 2^n \\ D_2[1,j](IV[1] + 2^n) + K_2[1,j] 2^n \\ D_2[2,j] + IV[2] D_2[2,j] \\ \vdots \\ D_2[2,j] + \sum_{i=2}^{m-1} IV[i] D_2[i,j] \end{bmatrix} \bmod 256, \tag{10}$$

where $j = 1 \sim m$.

To see the influence of the change of $IV$, an experiment has been carried out using plain-image Lenna, with the same secret key shown in Eq. (9) above. Only the 5-th significant bit of $IV[1]$ is changed, namely $\widetilde{IV}[1] = (IV[1] + 2^5) \bmod 256$. The bit-planes of difference between cipher-images corresponding to $IV$ and $\widetilde{IV}$, respectively, are shown in Fig. 2.

Comparing Fig. 1 and Fig. 2, one can see that the sensitivity with respect to $IV$ is much stronger than the one with respect to $K_1$, which agrees with the above theoretical analysis. But one bit change of a sub-key of a secure cipher should cause every bit of the ciphertext changed with a probability of $\frac{1}{2}$. Obviously, the sensitivity of the encryption scheme with respect to sub-keys $K_1$, $IV$ is very far from this requirement.

Fig. 2. The bit-planes of the difference between the cipher-images when one bit of $IV$ is changed: a) 0∼4-th; b) 5-th; c) 6-th; d) 7-th.

3.1.3 Insensitivity to the change of the plain-image

This property is especially important for image encryption since an image and its watermarked version may be encrypted simultaneously.

Since the role of $P_l$ in Eq. (1) is exactly the same as that of $IV$ in Eq. (2), the analysis about its insensitivity to the change of the plain-image can be carried out just like the case about the sub-key $IV$ discussed above.

3.1.4 Some other problems

The encryption scheme has the following additional problems:

(1) cannot encrypt plain-image of a fixed value zero;

(2) efficiency of implementation is low: From [20, Theorem 233], one can see that the number of invertible matrices of size $m \times m$ in $\mathbb{Z}_{256}$ is

$$|GL(m, \mathbb{Z}_{256})| = 2^{7m^2} \prod_{k=0}^{m-1} (2^m - 2^k). \tag{11}$$

Thus, the probability that a matrix of size $m \times m$ in $\mathbb{Z}_{256}$ is invertible is

$$p_m = \frac{2^{7m^2} \prod_{k=0}^{m-1} (2^m - 2^k)}{2^{8m^2}} = \prod_{k=1}^{m} (1 - 2^{-k}) \approx \frac{1}{3}. \tag{12}$$

So, it needs $O(3m^2)$ and $O(m^2 MN)$ times of computations, respectively, for checking the reversibility of $K_1$ and for calculating $\{K_l^{-1}\}_{l=1}^{MN/m}$. Note that these computations have no direct contributions to protecting the plain-image.

(3) the scope of sub-key $m$ is limited: As discussed above, the larger the value $m$ the higher the computational cost.

(4) the confusion capability is weak: This problem is caused by the linearity of the main encryption function. To demonstrate this defect, the encryption result of one special plain-image is shown in Fig. 3, where Figure 3b) also effectively disproves the conclusion about the quality of encryption results given in [18, Sec. 4].

Fig. 3. A special test image, Test pattern: a) plain-image; b) cipher-image.

3.2 Known/Chosen-Plaintext Attack

The known/chosen-plaintext attack works by reconstructing the secret key or its equivalent based on some known/chosen plaintexts and their corresponding ciphertexts. For this encryption scheme, the equivalent key $\{K_l\}_{l=1}^{MN/m}$ can be reconstructed from $m$ plain-images $P^{(1)} \sim P^{(m)}$ and their corresponding cipher-images $C^{(1)} \sim C^{(m)}$ by using

$$K_l = P_l^{(B)} \begin{bmatrix} C_l^{(1)} \\ C_l^{(2)} \\ \vdots \\ C_l^{(m)} \end{bmatrix} \bmod 256, \tag{13}$$

where

$$P_l^{(B)} = \begin{bmatrix} P_l^{(1)} \\ P_l^{(2)} \\ \vdots \\ P_l^{(m)} \end{bmatrix}^{-1}. \tag{14}$$

The reversibility of $P_l^{(B)}$ can be ensured by utilizing more than $m$ plain-images or by choosing $m$ special plain-images. Note that the above known/chosen-plaintext attack can be carried out with only one known/chosen plain-image due to the very short period of sequence $\{K_l[:,j]\}_{l=1}^{MN/m}$ for $j = 1 \sim m$. To study the period of this sequence, 10,000 tests have been done for a given value of $IV$ of size $1 \times 3$, where $K_1$ is selected randomly. The numbers of tests where the corresponding sequence $\{K_l[:,1]\}_{l=1}^{MN/m}$ has period $p$, $N_p$, with some values of $IV$, is shown in Table 1, which shows that the period of $\{K_l[:,j]\}_{l=1}^{MN/m}$ is indeed very short.

Table 1. Values of $N_p$ with some values of $IV$, $p = 2^s$, $s = 3 \sim 9$.

IV               N_8   N_16   N_32   N_64   N_128   N_256   N_512
(91, 63, 45)       0      0      0      0       0    1463    8537
(113, 25, 219)    14     34    127    561    3561    5703       0
(253, 115, 17)     6     20     72    284    1081    8537       0
(1, 3, 5)          0      0     98    284    1081    8537       0
(5, 121, 247)      7     36    132    561    3561    5703       0

4 Conclusion

In this paper, the security and performance of an image encryption scheme based on the Hill cipher have been analyzed in detail. It has been found that the scheme can be broken with only one known/chosen plain-image. There is a simple necessary and sufficient condition that makes a number of secret keys invalid. In addition, the scheme is insensitive to the change of the secret key/plain-image. Some other performance defects have also been found. In conclusion, the encryption scheme under study actually has much weaker security than the original Hill cipher, therefore is not recommended for applications.
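The following Python code is an added example, not code from the paper or from [18]: it implements Eqs. (1)-(2) and checks both the bit-flip behaviour derived in Section 3.1.2 and the recovery of the equivalent key of Section 3.2 from a single chosen plain-image. Assumptions: $m = 3$ is known, `K1` is a constructed sample key, and the period of the key sequence divides 512 (the largest period listed in Table 1); all function names are illustrative.

```python
# Added illustration of Sections 3.1.2 and 3.2; not code from the paper or [18].
IV = (91, 63, 45)                                # an IV value listed in Table 1
K1 = [[11, 2, 3], [8, 5, 19], [201, 203, 119]]   # constructed sample K_1 (m = 3)
PERIOD_BOUND = 512   # assumption: every period divides 512 (largest value in Table 1)

def next_key(K, iv):
    """Eq. (2): rows are replaced in order, each using the rows already updated."""
    m, K = len(iv), [row[:] for row in K]
    for i in range(m):
        K[i] = [sum(iv[r] * K[r][j] for r in range(m)) % 256 for j in range(m)]
    return K

def key_stream(K1, iv, n):
    """Return the list K_1, ..., K_n."""
    keys = [K1]
    while len(keys) < n:
        keys.append(next_key(keys[-1], iv))
    return keys

def vec_mat(p, K):
    """Row vector times matrix, modulo 256."""
    return [sum(p[i] * K[i][j] for i in range(len(p))) % 256 for j in range(len(p))]

def encrypt(blocks, K1, iv):
    """Eq. (1): C_l = P_l K_l mod 256 for every block."""
    return [vec_mat(p, K) for p, K in zip(blocks, key_stream(K1, iv, len(blocks)))]

def period(K1, iv, limit=4096):
    """Smallest p >= 1 with K_(1+p) == K_1, or None if none is found within limit."""
    K = K1
    for p in range(1, limit + 1):
        K = next_key(K, iv)
        if K == K1:
            return p
    return None

def flipped_bits(K1, iv, blocks, row, col, n):
    """Flip bit n of K_1[row][col]; return, per byte position, the OR of all C xor C~."""
    K1m = [r[:] for r in K1]
    K1m[row][col] ^= 1 << n
    mask = [0] * len(iv)
    for c, cm in zip(encrypt(blocks, K1, iv), encrypt(blocks, K1m, iv)):
        mask = [x | (a ^ b) for x, a, b in zip(mask, c, cm)]
    return mask

def chosen_image(m, bound=PERIOD_BOUND):
    """One chosen plain-image: block l (0-based) is the unit vector e_(l // bound)."""
    return [[int(i == l // bound) for i in range(m)] for l in range(m * bound)]

def recover_keys(cipher, m, bound=PERIOD_BOUND):
    """Cipher block r + i*bound is row i of K_(r+1), i.e. Eq. (13) with P^(B) = I."""
    return [[cipher[r + i * bound] for i in range(m)] for r in range(bound)]

def encrypt_with_recovered(blocks, keys):
    """Encrypt using only the recovered, periodically repeating key matrices."""
    return [vec_mat(p, keys[l % len(keys)]) for l, p in enumerate(blocks)]

if __name__ == "__main__":
    # Constructed 2000-block test image (not data from the paper).
    sample = [[(7 * l + 13 * j) % 256 for j in range(3)] for l in range(2000)]
    print("period of {K_l}:", period(K1, IV))
    print("changed bits per byte:", [bin(x) for x in flipped_bits(K1, IV, sample, 0, 1, 5)])
    keys = recover_keys(encrypt(chosen_image(3), K1, IV), 3)
    print("equivalent key reproduces C:",
          encrypt_with_recovered(sample, keys) == encrypt(sample, K1, IV))
```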

5 Acknowledgement

This research was supported by the City University of Hong Kong under the SRG project 7002134.

References

[1] C. E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (4) (1949) 656-715.
[2] S. Li, G. Chen, X. Zheng, Chaos-based encryption for digital images and videos, in: B. Furht, D. Kirovski (Eds.), Multimedia Security Handbook, CRC Press, LLC, 2004, Ch. 4, pp. 133-167, preprint available online at http://www.hooklee.com/pub.html.
[3] S. Li, Analyses and new designs of digital chaotic ciphers, Ph.D. thesis, School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an, China, available online at http://www.hooklee.com/pub.html (2003).
[4] C. Li, Cryptanalyses of some multimedia encryption schemes, Master's thesis, Department of Mathematics, Zhejiang University, Hangzhou, China, available online at http://eprint.iacr.org/2006/340 (May 2005).
[5] C. Li, S. Li, D. Zhang, G. Chen, Cryptanalysis of a chaotic neural network based multimedia encryption scheme, Lecture Notes in Computer Science 3333 (2004) 418-425.
[6] C. Li, S. Li, G. Chen, G. Chen, L. Hu, Cryptanalysis of a new signal security system for multimedia data transmission, EURASIP Journal on Applied Signal Processing 2005 (8) (2005) 1277-1288.
[7] C. Li, S. Li, D. Zhang, G. Chen, Chosen-plaintext cryptanalysis of a clipped-neural-network-based chaotic cipher, Lecture Notes in Computer Science 3497 (2005) 630-636.
[8] C. Li, S. Li, D.-C. Lou, On the security of the Yen-Guo's domino signal encryption algorithm (DSEA), Elsevier Journal of Systems and Software 79 (2) (2006) 253-258.
[9] S. Li, C. Li, K.-T. Lo, G. Chen, Cryptanalysis of an image encryption scheme, Journal of Electronic Imaging 15 (4) (2006) article number 043012.
[10] C. Li, S. Li, G. Álvarez, G. Chen, K.-T. Lo, Cryptanalysis of two chaotic encryption schemes based on circular bit shift and xor operations, Physics Letters A 369 (1-2) (2007) 23-30.
[11] G. Alvarez, S. Li, Some basic cryptographic requirements for chaos-based cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129-2151.
[12] D. Arroyo, C. Li, S. Li, G. Alvarez, Cryptanalysis of a computer cryptography scheme based on a filter bank, available online at http://arxiv.org/abs/0710.5471 (2007).
[13] C. Li, S. Li, M. Asim, J. Nunez, G. Álvarez, G. Chen, On the security defects of an image encryption scheme, Cryptology ePrint Archive: Report 2007/397, available online at http://eprint.iacr.org/2007/397 (2007).
[14] S. Li, C. Li, K.-T. Lo, G. Chen, Cryptanalysis of an image scrambling scheme without bandwidth expansion, accepted by IEEE Transactions on Circuits and Systems for Video Technology, available online at http://eprint.iacr.org/2006/215 (2007).
[15] J. Zhou, Z. Liang, Y. Chen, A. O. C., Security analysis of multimedia encryption schemes based on multiple huffman table, IEEE Signal Processing Letters 14 (3) (2007) 201-204.
[16] S. Li, G. Chen, A. Cheung, B. Bhargava, K.-T. Lo, On the design of perceptual MPEG-video encryption algorithms, IEEE Transactions on Circuits and Systems for Video Technology 17 (2) (2007) 214-223.
[17] G. Alvarez, S. Li, L. Hernandez, Analysis of security problems in a medical image encryption system, Computers in Biology and Medicine 37 (3) (2007) 424-427.
[18] I. A. Ismail, M. Amin, H. Diab, How to repair the hill cipher, Journal of Zhejiang University SCIENCE A 7 (12) (2006) 2022-2030.
[19] L. S. Hill, Cryptography in an algebraic alphabet, The American Mathematical Monthly 36 (1929) 306-312.
[20] J. Overbey, W. Traves, J. Wojdylo, On the keyspace of the hill cipher, Cryptologia 29 (1) (2005) 59-72.