Security Analysis of a Color Image Encryption Scheme Based on
Dynamic Substitution and Diffusion Operations
George Tes¸eleanu
1,2 a
1
Advanced Technologies Institute, 10 Dinu Vintil
˘
a, Bucharest, Romania
2
Simion Stoilow Institute of Mathematics of the Romanian Academy, 21 Calea Grivitei, Bucharest, Romania
Keywords:
Image Encryption Scheme, Chaos Based Encryption, Cryptanalysis.
Abstract:
In 2019, Essaid et al. proposed an encryption scheme for color images based on chaotic maps. Their solution
uses two enhanced chaotic maps to dynamically generate the secret substitution boxes and the key bytes used
by the cryptosystem. Note that both types of parameters are dependent on the size of the original image.
The authors claim that their proposal provides enough security for transmitting color images over unsecured
channels. Unfortunately, this is not the case. In this paper, we introduce two cryptanalytic attacks for Essaid
et al.s encryption scheme. The first one is a chosen plaintext attack, which for a given size, requires 256
chosen plaintexts to allow an attacker to decrypt any image of this size. The second attack is a a chosen
ciphertext attack, which compared to the first one, requires 512 chosen ciphertexts to break the scheme for a
given size. These attacks are possible because the generated substitution boxes and key bits remain unchanged
for different plaintext images.
1 INTRODUCTION
Because the use of social media is growing expo-
nentially, the protection of digital images has be-
come a sensitive topic. Therefore, the protection of
images against theft and illegal distribution has at-
tracted much attention. As a result, many researchers
have proposed a variety of image encryption schemes.
One of the most popular types of image encryption
schemes are those based on chaotic maps, due to their
high sensitivity to the previous states, initial condi-
tions or both. This property makes them highly desir-
able because their sensitivity makes it difficult to pre-
dict their behaviour or outputs. Hence, novel chaos
based cryptographic algorithms have been proposed
over the years. We refer the reader to (Zolfaghari
and Koshiba, 2022; Muthu and Murali, 2021; Hosny,
2020)for some surveys of such proposals. Unfortu-
nately, insufficient security analysis and a lack of de-
sign guidelines have led to the discovery of serious
security flaws in a substantial number of chaos based
image encryption schemes. To illustrate our point we
further present a list of broken schemes in Table 1.
Note that the list is not comprehensive.
In (Essaid et al., 2019) a chaos based encryption
a
https://orcid.org/0000-0003-3953-2744
scheme is proposed. The authors use the Enhanced
Logistic Map (ELM) and Enhanced Sine Map (ESM)
as pseudorandom number generators (PRNGs). Us-
ing these two PRNGs, Essaid et al. randomly gener-
ate two substitution boxes (s-boxes), which are then
used to compute the rest of the s-boxes required by
the cryptosystem. Then, the PRNGs are combined to
create the necessary key bytes. Since ELM and ESM
are simply used as PRNGs and the scheme’s weak-
ness is independent of the employed generators, we
omit their description and simply consider the two s-
boxes and the key bytes as being randomly generated.
In this paper we conducted a security analysis on
the Essaid et al. scheme. More precisely, we pro-
pose a chosen plaintext attack and a chosen ciphertext
attack that allow an attacker to decrypt all images of
a given size. In order to achieve this, we need the
corresponding ciphertexts of 256 chosen plaintexts or
the corresponding plaintexts of 512 chosen cipher-
texts. For completeness, we also analysed the Essaid
et al. scheme when all the s-boxes are randomly gen-
erated. This should be the most secure version of their
scheme, since there are no relationships between the
s-boxes that would allow an attacker to filter out the
correct key. Unfortunately, even when the s-boxes are
random, our proposed attacks succeed in recovering
the encrypted images except two or four pixels, de-
410
Te¸seleanu, G.
Security Analysis of a Color Image Encryption Scheme Based on Dynamic Substitution and Diffusion Operations.
DOI: 10.5220/0011646300003405
In Proceedings of the 9th International Conference on Information Systems Security and Privacy (ICISSP 2023), pages 410-417
ISBN: 978-989-758-624-8; ISSN: 2184-4356
Copyright
c
2023 by SCITEPRESS Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)
Table 1: Broken chaos based image encryption algorithms.
Scheme (Matoba and Javidi, 2004) (Wang et al., 2012) (Huang et al., 2014) (Khan, 2015) (Song and Qiao, 2015) (Chen et al., 2015)
Broken by (Wang et al., 2019) (Arroyo et al., 2013) (Wen et al., 2021) (Alanazi et al., 2021) (Wen et al., 2019) (Hu et al., 2017)
Scheme (Hu et al., 2017) (Niyat et al., 2017) (Hua and Zhou, 2017) (Pak and Huang, 2017) (Liu et al., 2018) (Shafique and Shahid, 2018)
Broken by (Li et al., 2019a) (Li et al., 2018) (Yu et al., 2021) (Wang et al., 2018) (Ma et al., 2020) (Wen and Yu, 2019)
Scheme (Sheela et al., 2018) (Wu et al., 2018) (Yosefnezhad Irani et al., 2019) (Khan and Masood, 2019) (Pak et al., 2019) (Mondal et al., 2021)
Broken by (Zhou et al., 2019) (Chen et al., 2020) (Liu et al., 2020) (Fan et al., 2021) (Li et al., 2019b) (Li et al., 2021)
pending on the type of attack.
Structure of the Paper. We provide the necessary
preliminaries in Section 2. In Section 3 we show how
an attacker can recover the private key and secret s-
boxes in a chosen plaintext scenario. We also provide
a key and s-boxes recovery attack in a chosen cipher-
text attack in Section 4. We conclude in Section 5.
Algorithm 1: Encryption algorithm.
Input: A plaintext p, an s-box list s, a secret seed seed and a
secret key k
Output: A ciphertext c
1 for i [0, H) and j [0, W) do
2 if i = 0 and j = 0 then
c
0,0
(seed k
0,0
+ s
0
[p
0,0
]) mod 256
3 else if j = 0 then
c
i,0
(c
i1,W 1
k
i,0
+ s
i
[p
i,0
]) mod 256
4 else c
i, j
(c
i, j1
k
i, j
+ s
i+ j
[p
i, j
]) mod 256
5 return c
2 PRELIMINARIES
Notations. In this paper, the subset {1, . . . , s 1}
N is denoted by [1, s). The action of selecting a ran-
dom element x from a sample space X is represented
by x
$
X, while x y indicates the assignment of
value y to variable x. In the case of matrices, the
operator assigns the values position by position and
the = operator tests the equality between all positions
of the two matrices. We use the C++ language op-
erator & as reference to a variable. By H and W we
denote an image’s height and width. Also, we denote
by L = H +W 1. Hexadecimal numbers will always
contain the prefix 0x.
2.1 Essaid et Al. Image Encryption
Scheme
In this section we present Essaid et al.s encryption
(Algorithm 1) and decryption (Algorithm 2) algo-
rithms as described in (Essaid et al., 2019). We further
consider two cases
s-boxes s
0
and s
1
are randomly generated and the
remaining ones are generated using Algorithm 3;
all the s-boxes in list s are randomly generated.
The first version is according to the original paper
(Essaid et al., 2019), while the second one is intro-
duced to show that the scheme remains broken even
if the s-boxes are chosen at random. Note that the
seed and the key bytes k
i, j
are randomly generated.
Algorithm 2: Decryption algorithm.
Input: A ciphertext c, an inverse s-box list s
1
, a secret seed
seed and a secret key k
Output: A plaintext p
1 for i [0, H) and j [0, W) do
2 if i = 0 and j = 0 then
p
0,0
s
1
0
[(c
0,0
seed k
0,0
) mod 256]
3 else if j = 0 then
p
i,0
s
1
i
[(c
i,0
c
i1,W 1
k
i,0
) mod 256]
4 else p
i, j
s
1
i+ j
[(c
i, j
c
i, j1
k
i, j
) mod 256]
5 return p
Algorithm 3: S-Box table generator.
Input: Two s-boxs s
0
and s
1
Output: An s-box list s
1 for i [2, L) and j [0, 256) do s
i
[ j] s
i2
[s
i1
[ j]]
2 return s
3 CHOSEN PLAINTEXT ATTACK
In a chosen plaintext attack (CPA), the attacker A has
temporary access to the encryption machine O
enc
and
can interrogate it on different inputs. Therefore, A
constructs some plaintexts that are useful for his at-
tack and then using O
enc
obtains the corresponding
ciphertexts.
We further show that Essaid et al.s image encryp-
tion scheme is insecure in the chosen plaintext sce-
nario, regardless of whether the generation method of
the s-boxes is random or Algorithm 3 is used. The
only difference between the two cases is the run time
of the attack.
3.1 Randomly Generated S-Boxes
Before formally stating our attack, we first provide an
example in order to provide the intuition behind our
CPA attack.
Example 3.1. We further assume that we encrypt im-
ages of height 3 and width 4. We present in Figure 1
Security Analysis of a Color Image Encryption Scheme Based on Dynamic Substitution and Diffusion Operations
411
how Essaid et al.s encryption algorithm (see Algo-
rithm 1) uses the generated s-boxes. We can see that
the algorithm uses the same s-box for each cell on a
given minor diagonal.
s
0
s
1
s
2
s
3
s
1
s
2
s
3
s
4
s
2
s
3
s
4
s
5
Figure 1: Used s-boxes in an image with H = 3 and W = 4.
Lets assume that the image I
pv
we want to encrypt
has the same pixel value pv everywhere. We further
write c
i, j
[pv] for the ciphertext byte c
i, j
computed for
I
pv
. Then, if we write the ciphertext equations for the
third minor diagonal we obtain
c
0,2
[pv] (c
0,1
[pv] k
0,2
+ s
2
[pv]) mod 256 (1)
c
1,1
[pv] (c
1,0
[pv] k
1,1
+ s
2
[pv]) mod 256 (2)
c
2,0
[pv] (c
1,3
[pv] k
2,0
+ s
2
[pv]) mod 256 (3)
From Equations (1) and (2) we derive
c
0,2
[pv] c
1,1
[pv]
(c
0,1
[pv] k
0,2
c
1,0
[pv] k
1,1
) mod 256. (4)
If we request O
enc
the ciphertexts for all 256
images I
0
, . . . , I
255
we obtain 256 equations of type
Equation (4). By checking all the values x and y that
satisfy
c
0,2
[pv] c
1,1
[pv]
(c
0,1
[pv] x c
1,0
[pv] y) mod 256,
for all pv values, we find the correct key pair
(k
0,2
, k
1,1
) and an equivalent key pair (k
0,2
0x80, k
1,1
0x80). The second solution is derived
from the following relations
c
0,2
[pv] (c
0,1
[pv] k
0,2
+ 128
+ s
2
[pv] + 128) mod 256
(c
0,1
[pv] k
0,2
0x80
+ s
2
[pv] 0x80) mod 256
c
1,1
[pv] (c
1,0
[pv] k
1,1
+ 128
+ s
2
[pv] + 128) mod 256
(c
1,0
[pv] k
1,1
0x80
+ s
2
[pv] 0x80) mod 256
which lead to
c
0,2
[pv] c
1,1
[pv] (c
0,1
[pv] x 0x80
c
1,0
[pv] y 0x80) mod 256.
After computing k
0,2
, using Equation (1) we recover
the correct s-box entries
s
2
[pv] (c
0,2
[pv] c
0,1
[pv] k
0,2
) mod 256
and from Equation (3) we obtain
k
2,0
= (c
2,0
[0] s
2
[0] mod 256) c
1,3
[0].
We also obtain an equivalent s-box ˜s
2
from
˜s
2
[pv] (c
0,2
[pv] c
0,1
[pv] k
0,2
0x80) mod 256
and from Equation (3) we obtain
k
2,0
0x80 = (c
2,0
[0] ˜s
2
[0] mod 256) c
1,3
[0].
We can easily see that both the correct key bytes
k
0,2
, k
1,1
, k
2,0
and s-box s
2
, and the equivalent key
bytes k
0,2
0x80, k
1,1
0x80, k
2,0
0x80 and s-box
˜s
2
can be used for decryption. Since we cannot deter-
mine the order of the correct and equivalent key bytes
when we brute force x and y, we assume that the first
solution we obtain is the correct one.
We repeat the same procedure for the second, forth
and fifth minor diagonals. The only key bytes and s-
boxes that we cannot recover using the above tech-
nique are k
0,0
, k
2,3
, s
0
and s
5
.
The formal description of our chosen plaintext at-
tack is provided in Algorithm 4 and is a generalization
of the method presented in Example 3.1. For com-
pleteness, in Algorithm 4 we compute two possible
key, s-boxes pairs.Note that in order to be able to use
our attack we must have H, W 2.
The complexity of Algorithm 4 is O(2
24
L + HW )
and we need 256 oracle queries. For example, if we
encrypt 2 megapixels
1
images we obtain that the com-
plexity of Algorithm 4 is O (2
24
· 2
11.45
+ 2
20.87
) =
O(2
35.45
). In the case of 12 megapixels
2
, we obtain
O(2
24
· 2
12.77
+ 2
23.5
) = O(2
36.77
).
3.2 Essaid et Al.s Generation Method
for S-Boxes
As in the previous subsection, we begin with an ex-
ample.
Example 3.2. Compared to Example 3.1, in the case
of Essaid et al.s generation method it is enough to
compute ˜s
0,1
, ˜s
1,1
, ˜s
0,2
, ˜s
1,2
, ˜s
0,3
and ˜s
1,3
and the re-
maining s-boxes can be easily deduced using Algo-
rithm 3. Note that in this case we can also compute s
0
and s
5
.
The first thing that we do after deducing ˆs
0,1
, ˆs
1,1
,
ˆs
0,2
, ˆs
1,2
from the 256 encrypted images is to compute
ˆs
0,1
ˆs
0,2
, ˆs
0,1
ˆs
1,2
, ˆs
1,1
ˆs
0,2
, ˆs
1,1
ˆs
1,2
and check
which one coincides with ˆs
0,3
or ˆs
1,3
. This leads to
two possible combinations, one for ˆs
0,3
and one for
ˆs
1,3
. We denote the first combination by ˜s
0,1
, ˜s
0,2
and
˜s
0,3
and the second one by ˜s
1,1
, ˜s
1,2
and ˜s
1,3
.
Let pos [0, 2). After computing ˜s
pos,1
, ˜s
pos,2
and
˜s
pos,3
, the remaining s-boxes can be calculated as fol-
lows: ˜s
pos,4
= ˜s
pos,3
˜s
pos,2
, ˜s
pos,5
= ˜s
pos,4
˜s
pos,5
and
1
W × H = 1600 × 1200
2
W × H = 4000 × 3000
ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy
412
Algorithm 4: CPA attack (randomly generated).
1 for t [0, 256) do
2 for i [0, H) and j [0, W) do p
i, j
t
3 Send the plaintext p to the encryption oracle O
enc
.
4 Receive the ciphertext ¯c from the encryption oracle O
enc
.
5 c
t
¯c
6 for j [1, L 1) do
7 α max(0, j (W 1)); β min( j, H 1); pos 0
8 for x [0, 256) and y [0, 256) do
9 ctr 0
10 for t [0, 256) do
11 f c
t,α, jα
c
t,α+1, j(α+1)
mod 256
12 if j ̸= α + 1 then
g (c
t,α, jα1
xc
t,α+1, jα2
y) mod 256
13 else g (c
t,α, jα1
x c
t,α,W1
y) mod 256
14 if f = g then ctr ctr + 1
15 if ctr = 256 then
16
˜
k
pos,α, jα
x;
˜
k
pos,α+1, j(α+1)
y
17 for t [0, 256) do
˜s
pos, j
[t] (c
t,α, jα
c
t,α, jα1
x) mod 256
18 for t [0, 256) do ˜s
1
pos, j
[ ˜s
pos, j
[t]] t
19 for t [α + 2, β + 1) do
20
˜
k
pos,t, jt
((c
0,t, jt
˜s
pos, j
[0]) mod 256) c
0,t, jt1
21 pos pos + 1
22 return
˜
k, ˜s, ˜s
1
˜s
pos,0
= ˜s
pos,2
˜s
1
pos,1
. Once all the s-boxes are known,
we can easily compute the key
˜
k
pos
.
We remark that only one of the two solutions is
the correct one. We can see that from the following
relation
˜s
3
[i] = s
3
[i] 0x80 = s
2
[s
1
[i]] 0x80 = ˜s
2
[s
1
[i]].
Since ˜s
3
is not generated by ˜s
2
[ ˜s
1
[i]], we do not obtain
the equivalent key, s-boxes pair, and thus one of the
solutions will not decrypt images correctly.
The formal description of our chosen plaintext at-
tack is provided in Algorithm 5 and is a generalization
of the method presented in Example 3.2. The com-
plexity of Algorithm 5 is O(2
24
+ 2
8
L + HW ) and we
need 256 oracle queries. For example, if we encrypt
2 megapixels images we obtain that the complex-
ity of Algorithm 5 is O(2
24
+ 2
8
· 2
11.45
+ 2
20.87
) =
O(2
24.21
). In the case of 12 megapixels, we obtain
O(2
24
+ 2
8
· 2
12.77
+ 2
23.5
) = O(2
24.85
).
Note that according to (Essaid et al., 2019) the
security of their scheme is O(2
128
). Using 256 en-
crypted images and Algorithm 5, we lower the secu-
rity strength of Essaid et al.s scheme from 128 bits to
approximately 24 bits.
Algorithm 5: CPA attack (Essaid et al.s generation
method).
6 for j [1, 4) do
7 α max(0, j (W 1)); pos 0
8 for x [0, 256) and y [0, 256) do
9 ctr 0
10 for t [0, 256) do
11 f c
t,α, jα
c
t,α+1, j(α+1)
mod 256
12 if j ̸= α + 1 then
g (c
t,α, jα1
xc
t,α+1, jα2
y) mod 256
13 else g (c
t,α, jα1
x c
t,α,W1
y) mod 256
14 if f = g then ctr ctr + 1
15 if ctr = 256 then
16 ˜x
pos, j1
x; ˜y
pos, j1
y
17 for t [0, 256) do
18 ˆs
pos, j1
[t]
(c
t,α, jα
c
t,α, jα1
x) mod 256
19 pos pos + 1
20 for i [0, 2) and j [0, 2] do
21 for t [0, 256) do f = ˆs
i,0
[ ˆs
j,1
[t]]
22 if f = ˆs
0,2
then ˜s
0,1
ˆs
i,0
; ˜s
0,2
ˆs
j,1
; ˜s
0,3
ˆs
0,2
23 if f = ˆs
1,2
then ˜s
1,1
ˆs
i,0
; ˜s
1,2
ˆs
j,1
; ˜s
1,3
ˆs
1,2
24 for pos [0, 2) do
25 for j [4, L) and t [0, 256) do
˜s
pos, j
[t] ˜s
pos, j2
[ ˜s
pos, j1
[t]]
26 for j [1, L) and t [0, 256) do ˜s
1
pos, j
[ ˜s
pos, j
[t]] t
27 for t [0, 256) do ˜s
pos,0
[t] ˜s
pos,2
[ ˜s
1
pos,1
[t]]
28 for t [0, 256) do ˜s
1
pos,0
[ ˜s
pos,0
[t]] t
29 for i [0, H) and j [0, W) do
30 if i = 0 and j = 0 then
˜
k
pos,0,0
= (c
0,0,0
˜s
pos,0
[0]) mod 256
31 else if j = 0 then
˜
k
pos,i,0
= (c
0,i,0
˜s
pos,i
[0]) mod 256
32 else
˜
k
pos,i, j
= (c
0,i, j
˜s
pos,i+ j
[0]) mod 256
33 return
˜
k, ˜s, ˜s
1
4 CHOSEN CIPHERTEXT
ATTACK
Compared to the chosen plaintext attack, in a chosen
ciphertext attack (CCA), A has temporary access to
the decryption machine O
dec
. Therefore, A constructs
some ciphertexts that are useful for his attack and then
using O
dec
obtains the corresponding plaintexts.
In this scenario, we provide two types of attacks
against Essaid et al.s cryptosystem, one for images
with odd width and one for images with even width.
Again the s-box generation method is irrelevant to the
success of the attacks, the only thing that is affected
is their run time.
4.1 Randomly Generated S-Boxes
We first provide an example for images with odd
width and then one for images with even width. After,
Security Analysis of a Color Image Encryption Scheme Based on Dynamic Substitution and Diffusion Operations
413
we present the formal description of our CCA attack.
Figure 2: Ciphertext patterns for H = 3 and W = 5.
Example 4.1. We further assume that we decrypt im-
ages of height 3 and width 5. In the first part of the
attack we use ciphertexts of type C
0
(t) (see Figure 2).
If we explicit the relations for the forth minor diago-
nal we obtain
s
3
[p
0,3
[t]] (2 t k
0,3
) mod 256 (5)
s
3
[p
1,2
[t]] (1 t k
1,2
) mod 256 (6)
s
3
[p
2,1
[t]] (1 t k
2,1
) mod 256. (7)
Since we consider all t values, in Equations (5)
and (6) permutation s
3
iterates through all its values.
Therefore, all we need is to find the t values for which
p
0,3
= p
1,2
. Therefore, we define
tab
0
[p
0,3
[t]] t and tab
1
[p
1,2
[t]] t,
and using Equations (5) and (6) we obtain
(2 tab
0
[i] k
0,3
) (1 tab
1
[i] k
1,2
) mod 256,
for all i values. By checking all the values x and y
that satisfy
(2 tab
0
[i] x) (1 tab
1
[i] y) mod 256,
for all i values, we find the correct key pair (k
0,3
, k
1,2
)
and the equivalent key pair (k
0,3
0x80, k
1,2
0x80).
As in Example 3.1, we consider that the first solu-
tion is the correct one. Once the first two key bytes
are known, we can easily compute the third s-box us-
ing Equation (5) and the third key byte using Equa-
tion (7).
We repeat the process for the second and sixth mi-
nor diagonals. In the second part of our attack, we
use ciphertexts of type C
1
(t) (see Figure 2) and then
we use the same procedure as before for the third and
fifth minor diagonal. The only key bytes and s-boxes
that we cannot recover using the above technique are
k
0,0
, k
2,4
, s
0
and s
6
.
Example 4.2. For the even width case, we consider
images of height 3 and width 6. In this case we use
the same procedure as in Example 4.1, but instead
of using C
0
(t) and C
1
(t) ciphertext patterns, we use
C
2
(t) and C
3
(t) (see Figure 3). The only difference
between the even and odd width cases is that in the
even case we cannot recover k
0,1
, k
1,0
and s
1
. This is
because in the even case we could not put t on the last
cell in the first line of C
2
(t) without interfering with
the recovery of the other bytes and s-boxes.
Note that we can recover the two key bytes and
one s-box if we create one additional ciphertext pat-
tern that satisfies the previously stated condition (see
Figure 3: Ciphertext patterns for H = 3 and W = 6.
Figure 4). However, we have to ask 256 more oracle
queries. Therefore, we decided that is more practical
to lose the ability to decrypt two extra bytes, than to
ask the additional queries, since images can still be
recognized without them. For example, an emoji has
a resolution of 32× 32 and removing the four pixels it
does not affect the informational content.
Figure 4: Additional ciphertext pattern for H = 3 and W =
6.
Algorithm 6: Helper functions.
1 Function choose plaintext(parity)
2 for t [0, 256) do
3 for i [0, H) and j [0, W ) do
4 α max(0, i + j (W 1))
5 if i + j parity mod 2 then c
i, j
t
6 else if i = α then c
i, j
2
7 else c
i, j
1
8 Send the ciphertext c to the decryption oracle
O
dec
.
9 Receive the plaintext ¯p from the decryption
oracle O
dec
.
10 p
t
¯p
11 return p
t
12 Function partial attack(low, upp, p
t
, &
˜
k, & ˜s, & ˜s
1
)
13 for j [low, upp) and at each step increment j with
2 do
14 α max(0, j (W 1)); β min( j, H 1);
pos 0
15 for t [0, 256) do tab
0
[p
t,α, jα
] = t;
tab
1
[p
t,α+1, j(α+1)
] = t
16 for x [0, 256) and y [0, 256) do
17 ctr 0
18 for t [0, 256) do
19 f (2 tab
0
[t] x) mod 256
20 g (1 tab
1
[t] y) mod 256
21 if f = g then ctr ctr + 1
22 if ctr = 256 then
23
˜
k
pos,α, jα
x;
˜
k
pos,α+1, j(α+1)
y
24 for t [0, 256) do
˜s
pos, j
[t] (2tab
0
[t] x) mod 256
25 for t [0, 256) do ˜s
1
pos, j
[ ˜s
pos, j
[t]] t
26 for t [α +2, β + 1) do
27
˜
k
pos,t, jt
((c
t, jt
˜s
pos, j
[p
255,t, jt
) mod 256)
c
t, jt1
28 pos pos + 1
The formal description of our chosen ciphertext
attack is provided in Algorithm 7 and is a general-
ization of the methods presented in Examples 4.1 and
ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy
414
Algorithm 7: CCA attack (randomly generated).
1 Function main odd()
2 p
t
choose plaintext(0)
3 partial attack(1, L 1, p
t
,
˜
k, ˜s, ˜s
1
)
4 p
t
choose plaintext(1)
5 partial attack(2, L 1, p
t
,
˜
k, ˜s, ˜s
1
)
6 return
˜
k, ˜s, ˜s
1
7 Function main even()
8 p
t
choose plaintext(0)
9 partial attack(3, L 1, p
t
,
˜
k, ˜s, ˜s
1
)
10 p
t
choose plaintext(1)
11 partial attack(2, L 1, p
t
,
˜
k, ˜s, ˜s
1
)
12 return
˜
k, ˜s, ˜s
1
4.2. For completeness, in Algorithm 7 we compute
two possible key, s-boxes pairs just as in Algorithm 4.
Note that in order to be able to use our attack we must
have H 2 and W 3.
The complexity of Algorithm 7 is the same as the
complexity of Algorithm 4, namely O(2
24
L + HW ).
The only difference between the two attacks is that
in the case of Algorithm 7 we need 512 decryption
oracle queries.
Algorithm 8: More helper functions.
1 Function partial attack(low, upp, p
t
, f lag, &
˜
k, & ˜s, & ˜s
1
)
2 for j [low, upp) and at each step increment j with 2 do
3 α max(0, j (W 1)); pos 0
4 for t [0, 256) do tab
0
[p
t,α, jα
] = t;
tab
1
[p
t,α+1, j(α+1)
] = t
5 for x [0, 256) and y [0, 256) do
6 ctr 0
7 for t [0, 256) do
8 f (2 tab
0
[t] x) mod 256
9 g (1 tab
1
[t] y) mod 256
10 if f = g then ctr ctr + 1
11 if ctr = 256 then
12 ˜x
pos, j1 f lag
x; ˜y
pos, j1 f lag
y
13 for t [0, 256) do ˆs
pos, j1 f lag
[t]
(2 tab
0
[t] x) mod 256
14 pos pos + 1
15 Function extract key(pos, &
˜
k)
16 for i [0, H) and j [0, W) do
17 if i = 0 and j = 0 then
˜
k
pos,0,0
= (c
0,0,0
˜s
pos,0
[p
255,0,0
]) mod 256
18 else if j = 0 then
˜
k
pos,i,0
= (c
0,i,0
˜s
pos,i
[p
255,i,0
]) mod 256
19 else
˜
k
pos,i, j
= (c
0,i, j
˜s
pos,i+ j
[p
255,i, j
]) mod 256
4.2 Essaid et Al.s Generation Method
for S-Boxes
In the case of Essaid et al.s generation method is
enough to compute three s-boxes using the ideas from
Examples 4.1 and 4.2. Then using similar techniques
as the ones from Example 3.2 we can recover all the
s-boxes, and implicitly all the key bytes.
The formal description of our chosen ciphertext
attack is provided in Algorithm 9. The complexity of
Algorithm 9 is the same as the complexity of Algo-
rithm 5, namely O(2
24
+2
8
L +HW ). The only differ-
ence is that in the case of Algorithm 9 we need 512
oracle queries.
Similar to the case of the CPA attack, using 512
decrypted images and Algorithm 9, we managed to
lower the security strength of Essaid et al.s scheme
from 128 bits to approximately 24 bits.
Algorithm 9: CCA attack (Essaid et al.s generation
method).
1 Function main odd()
2 p
t
choose plaintext(0)
3 partial attack(1, 4, p
t
, 0,
˜
k, ˜s, ˜s
1
)
4 p
t
choose plaintext(1)
5 partial attack(2, 3, p
t
, 0,
˜
k, ˜s, ˜s
1
)
6 for i [0, 2) and j [0, 2] do
7 for t [0, 256) do f = ˆs
i,0
[ ˆs
j,1
[t]]
8 if f = ˆs
0,2
then ˜s
0,1
ˆs
i,0
; ˜s
0,2
ˆs
j,1
; ˜s
0,3
ˆs
0,2
9 if f = ˆs
1,2
then ˜s
1,1
ˆs
i,0
; ˜s
1,2
ˆs
j,1
; ˜s
1,3
ˆs
1,2
10 for pos [0, 2) do
11 for j [4, L) and t [0, 256) do
˜s
pos, j
[t] ˜s
pos, j2
[ ˜s
pos, j1
[t]]
12 for j [1, L) and t [0, 256) do ˜s
1
pos, j
[ ˜s
pos, j
[t]] t
13 for t [0, 256) do ˜s
pos,0
[t] ˜s
pos,2
[ ˜s
1
pos,1
[t]]
14 for t [0, 256) do ˜s
1
pos,0
[ ˜s
pos,0
[t]] t
15 extract key(pos,
˜
k)
16 return
˜
k, ˜s, ˜s
1
17 Function main even()
18 p
t
choose plaintext(0)
19 partial attack(3, 4, p
t
, 1,
˜
k, ˜s, ˜s
1
)
20 p
t
choose plaintext(1)
21 partial attack(2, 5, p
t
, 1,
˜
k, ˜s, ˜s
1
)
22 for i [0, 2) and j [0, 2] do
23 for t [0, 256) do f = ˆs
i,0
[ ˆs
j,1
[t]]
24 if f = ˆs
0,2
then ˜s
0,2
ˆs
i,0
; ˜s
0,3
ˆs
j,1
; ˜s
0,4
ˆs
0,2
25 if f = ˆs
1,2
then ˜s
1,2
ˆs
i,0
; ˜s
1,3
ˆs
j,1
; ˜s
1,4
ˆs
1,2
26 for pos [0, 2) do
27 for j [5, L) and t [0, 256) do
˜s
pos, j
[t] ˜s
pos, j2
[ ˜s
pos, j1
[t]]
28 for j [2, L) and t [0, 256) do ˜s
1
pos, j
[ ˜s
pos, j
[t]] t
29 for t [0, 256) do ˜s
pos,1
[t] ˜s
pos,3
[ ˜s
1
pos,2
[t]]
30 for t [0, 256) do ˜s
1
pos,1
[ ˜s
pos,1
[t]] t
31 for t [0, 256) do ˜s
pos,0
[t] ˜s
pos,2
[ ˜s
1
pos,1
[t]]
32 for t [0, 256) do ˜s
1
pos,0
[ ˜s
pos,0
[t]] t
33 extract key(pos,
˜
k)
34 return
˜
k, ˜s, ˜s
1
5 CONCLUSIONS
In (Essaid et al., 2019), the authors described an im-
age encryption scheme that they claimed provided a
security strength of 128 bits. Unfortunately, in this
paper we showed that the actual security strength of
Essaid et al.s scheme is roughly 24 bits. To achieve
Security Analysis of a Color Image Encryption Scheme Based on Dynamic Substitution and Diffusion Operations
415
our security bound, we devised a chosen plaintext at-
tack which needs 256 queries to the encryption ora-
cle. We also describe a chosen ciphertext attack which
needs 512 queries to the decryption oracle and has
a complexity of O(2
24
). For completeness, we also
show how to attack Essaid et al.s cryptosystem when
all its s-boxes are randomly generated. In this case,
using our CPA or CCA attacks, we lower the security
strength to 36 bits.
REFERENCES
Alanazi, A. S., Munir, N., Khan, M., Asif, M., and Hus-
sain, I. (2021). Cryptanalysis of Novel Image Encryp-
tion Scheme Based on Multiple Chaotic Substitution
Boxes. IEEE Access, 9:93795–93802.
Arroyo, D., Diaz, J., and Rodriguez, F. (2013). Cryptanaly-
sis of a One Round Chaos-Based Substitution Permu-
tation Network. Signal Processing, 93(5):1358–1364.
Chen, J., Chen, L., and Zhou, Y. (2020). Cryptanalysis of a
DNA-Based Image Encryption Scheme. Information
Sciences, 520:130–141.
Chen, J.-x., Zhu, Z.-l., Fu, C., Zhang, L.-b., and Zhang, Y.
(2015). An Efficient Image Encryption Scheme Using
Lookup Table-Based Confusion and Diffusion. Non-
linear Dynamics, 81(3):1151–1166.
Essaid, M., Akharraz, I., Saaidi, A., and Mouhib, A. (2019).
A New Approach of Image Encryption Based on
Dynamic Substitution and Diffusion Operations. In
SysCoBIoTS 2019, pages 1–6. IEEE.
Fan, H., Zhang, C., Lu, H., Li, M., and Liu, Y. (2021).
Cryptanalysis of a New Chaotic Image Encryption
Technique Based on Multiple Discrete Dynamical
Maps. Entropy, 23(12):1581.
Hosny, K. M. (2020). Multimedia Security Using Chaotic
Maps: Principles and Methodologies, volume 884.
Springer.
Hu, G., Xiao, D., Wang, Y., and Li, X. (2017). Cryptanal-
ysis of a Chaotic Image Cipher using Latin Square-
Based Confusion and Diffusion. Nonlinear Dynamics,
88(2):1305–1316.
Hua, Z. and Zhou, Y. (2017). Design of Image Cipher Using
Block-Based Scrambling and Image Filtering. Infor-
mation sciences, 396:97–113.
Huang, X., Sun, T., Li, Y., and Liang, J. (2014). A Color
Image Encryption Algorithm Based on a Fractional-
Order Hyperchaotic System. Entropy, 17(1):28–38.
Khan, M. (2015). A Novel Image Encryption Scheme
Based on Multiple Chaotic S-Boxes. Nonlinear Dy-
namics, 82(1):527–533.
Khan, M. and Masood, F. (2019). A Novel Chaotic Im-
age Encryption Technique Based on Multiple Discrete
Dynamical Maps. Multimedia Tools and Applications,
78(18):26203–26222.
Li, M., Lu, D., Wen, W., Ren, H., and Zhang, Y. (2018).
Cryptanalyzing a Color Image Encryption Scheme
Based on Hybrid Hyper-Chaotic System and Cellular
Automata. IEEE access, 6:47102–47111.
Li, M., Lu, D., Xiang, Y., Zhang, Y., and Ren, H. (2019a).
Cryptanalysis and Improvement in a Chaotic Image
Cipher Using Two-Round Permutation and Diffusion.
Nonlinear Dynamics, 96(1):31–47.
Li, M., Wang, P., Liu, Y., and Fan, H. (2019b). Crypt-
analysis of a Novel Bit-Level Color Image Encryp-
tion Using Improved 1D Chaotic Map. IEEE Access,
7:145798–145806.
Li, M., Wang, P., Yue, Y., and Liu, Y. (2021). Cryptanaly-
sis of a Secure Image Encryption Scheme Based on a
Novel 2D Sine–Cosine Cross-Chaotic Map. Journal
of Real-Time Image Processing, 18(6):2135–2149.
Liu, L., Hao, S., Lin, J., Wang, Z., Hu, X., and Miao, S.
(2018). Image Block Encryption Algorithm Based on
Chaotic Maps. IET Signal Processing, 12(1):22–30.
Liu, Y., Qin, Z., Liao, X., and Wu, J. (2020). Cryptanaly-
sis and Enhancement of an Image Encryption Scheme
Based on a 1-D Coupled Sine Map. Nonlinear Dy-
namics, 100(3):2917–2931.
Ma, Y., Li, C., and Ou, B. (2020). Cryptanalysis of an
Image Block Encryption Algorithm Based on Chaotic
Maps. Journal of Information Security and Applica-
tions, 54:102566.
Matoba, O. and Javidi, B. (2004). Secure Holographic
Memory by Double-Random Polarization Encryption.
Applied Optics, 43(14):2915–2919.
Mondal, B., Behera, P. K., and Gangopadhyay, S. (2021). A
Secure Image Encryption Scheme Based on a Novel
2D Sine–Cosine Cross-Chaotic (SC3) Map. Journal
of Real-Time Image Processing, 18(1):1–18.
Muthu, J. S. and Murali, P. (2021). Review of Chaos De-
tection Techniques Performed on Chaotic Maps and
Systems in Image Encryption. SN Computer Science,
2(5):1–24.
Niyat, A. Y., Moattar, M. H., and Torshiz, M. N. (2017).
Color Image Encryption Based on Hybrid Hyper-
Chaotic System and Cellular Automata. Optics and
Lasers in Engineering, 90:225–237.
Pak, C., An, K., Jang, P., Kim, J., and Kim, S. (2019). A
Novel Bit-Level Color Image Encryption Using Im-
proved 1D Chaotic Map. Multimedia Tools and Ap-
plications, 78(9):12027–12042.
Pak, C. and Huang, L. (2017). A New Color Image En-
cryption Using Combination of the 1D Chaotic Map.
Signal Processing, 138:129–137.
Shafique, A. and Shahid, J. (2018). Novel Image Encryption
Cryptosystem Based on Binary Bit Planes Extraction
and Multiple Chaotic Maps. The European Physical
Journal Plus, 133(8):1–16.
Sheela, S., Suresh, K., and Tandur, D. (2018). Image En-
cryption Based on Modified Henon Map Using Hy-
brid Chaotic Shift Transform. Multimedia Tools and
Applications, 77(19):25223–25251.
Song, C. and Qiao, Y. (2015). A Novel Image Encryption
Algorithm Based on DNA Encoding and Spatiotem-
poral Chaos. Entropy, 17(10):6954–6968.
Wang, H., Xiao, D., Chen, X., and Huang, H. (2018). Crypt-
analysis and Enhancements of Image Encryption Us-
ICISSP 2023 - 9th International Conference on Information Systems Security and Privacy
416
ing Combination of the 1D Chaotic Map. Signal pro-
cessing, 144:444–452.
Wang, L., Wu, Q., and Situ, G. (2019). Chosen-Plaintext
Attack on the Double Random Polarization Encryp-
tion. Optics Express, 27(22):32158–32167.
Wang, X., Teng, L., and Qin, X. (2012). A Novel Colour
Image Encryption Algorithm Based on Chaos. Signal
Processing, 92(4):1101–1108.
Wen, H. and Yu, S. (2019). Cryptanalysis of an Image
Encryption Cryptosystem Based on Binary Bit Planes
Extraction and Multiple Chaotic Maps. The European
Physical Journal Plus, 134(7):1–16.
Wen, H., Yu, S., and L
¨
u, J. (2019). Breaking an Image
Encryption Algorithm Based on DNA Encoding and
Spatiotemporal Chaos. Entropy, 21(3):246.
Wen, H., Zhang, C., Huang, L., Ke, J., and Xiong, D.
(2021). Security Analysis of a Color Image Encryp-
tion Algorithm Using a Fractional-Order Chaos. En-
tropy, 23(2):258.
Wu, J., Liao, X., and Yang, B. (2018). Image Encryption
Using 2D H
´
enon-Sine Map and DNA Approach. Sig-
nal processing, 153:11–23.
Yosefnezhad Irani, B., Ayubi, P., Amani Jabalkandi, F.,
Yousefi Valandar, M., and Jafari Barani, M. (2019).
Digital Image Scrambling Based on a New One-
Dimensional Coupled Sine Map. Nonlinear Dynam-
ics, 97(4):2693–2721.
Yu, F., Gong, X., Li, H., and Wang, S. (2021). Differ-
ential Cryptanalysis of Image Cipher Using Block-
Based Scrambling and Image Filtering. Information
Sciences, 554:145–156.
Zhou, K., Xu, M., Luo, J., Fan, H., and Li, M. (2019).
Cryptanalyzing an Image Encryption Based on a
Modified Henon Map Using Hybrid Chaotic Shift
Transform. Digital Signal Processing, 93:115–127.
Zolfaghari, B. and Koshiba, T. (2022). Chaotic Image
Encryption: State-of-the-Art, Ecosystem, and Future
Roadmap. Applied System Innovation, 5(3):57.
Security Analysis of a Color Image Encryption Scheme Based on Dynamic Substitution and Diffusion Operations
417