EURASIP Journal on Applied Signal Processing 2005:8, 1277–1288 c ○ 2005 Hindawi Publishing Corporation Cryptanalysis of a New Signal Security System for Multimedia Data Transmission

Recently, a new signal security system called TDCEA (two-dimensional circulation encryption algorithm) was proposed for real-time multimedia data transmission. This paper gives a comprehensive analysis on the security of TDCEA. The following security problems are found: (1) there exist some essential security defects in TDCEA; (2) two known-plaintext attacks can break TDCEA; (3) the chosen-plaintext and chosen-ciphertext versions of the aforementioned two known-plaintext attacks can break TDCEA even with a smaller complexity and a better performance. Some experiments are given to show the security defects of TDCEA and the feasibility of the proposed known-plaintext attacks. As a conclusion, TDCEA is not suitable for applications that require a high level of security.


INTRODUCTION
In today's digital world, the security of multimedia data, for example, digital speech, image and video files, becomes more and more important due to their frequent transmission over open networks. In some real applications, such as pay-TV, medical imaging systems, military image/database communications, and confidential video conferences, highly secure and reliable storage and transmission of multimedia data are needed. To fulfill such a demand, many encryption schemes have been proposed as possible solutions [1,2,3,4,5,6,7,8,9,10,11,12,13,14]. Meanwhile, cryptanalysis work has also been developed, and some of the proposed schemes have been found to be insecure [9,10,15,16,17,18,19,20,21,22,23,24,25]. For a comprehensive survey of the state-of-the-art of image and video encryption, see [26].
The present paper focuses on a new signal security system recently proposed in [1,2], which is called the twodimensional circulation encryption algorithm (TDCEA). In fact, TDCEA is an enhanced version of a previous image encryption scheme proposed by the same authors in [3,4], named BRIE (bit recirculation image encryption), which is the 1D counterpart of TDCEA. The original BRIE scheme has been successfully cryptanalyzed in [19], showing its insecurity against known-/chosen-plaintext attacks. Although TDCEA is more complicated than BRIE by using 2D permutations, this paper will point out that such a 2D generalization cannot enhance the security of BRIE against known-/chosen-plaintext and chosen-ciphertext attacks. In addition, it will be shown that the security of TDCEA against bruteforce attack was much overestimated in [1,2]. Essentially, TDCEA is a permutation-only image cipher, which has been known to be insecure against known-/chosen-plaintext attacks [15,16,23,25].
The rest of this paper is organized as follows. The next section briefly introduces TDCEA and its 1D version BRIE. Section 3 discusses some general security defects of TDCEA. Two known-plaintext and chosen-plaintext attacks are given in Sections 4 and 5, respectively, with some experimental results for verification. Section 6 briefly discusses the chosenciphertext attack, a natural and simple generalization of the chosen-plaintext attack. Section 7 concludes the paper.

TDCEA
The basic idea used in TDCEA is secret bit rotations of every 64 consecutive bits (of 8 consecutive pixels), which are controlled by a chaotic pseudorandom binary sequence (PRBS). BRIE is the simplified version of TDCEA, by rotating only 8 bits in each pixel. To facilitate the description of TDCEA and BRIE, it is assumed that the plain image has size M × N, where M is the height and N is the width of the image.

Definitions and notations
First, some definitions and notations are given in order to introduce TDCEA and BRIE. Assuming two matrices M and M of size m × n, where m is the height and n is the width, two mapping operations are defined as follows. When M is a 1 × n vector, the 1D version of the above 2D rotation mapping is denoted by ROLR q p : M → M , which is defined to circularly rotate M in the left (when p = 0) or right (when p = 1) direction, by q elements.
(i) The secret key: two integers α, β, and the initial condition x(0) ∈ (0, 1) of the following chaotic logistic map: (ii) The initialization procedure: run the chaotic logistic map from x(0) to generate a chaotic sequence, , where a denotes the smallest integer that is not less than a. From the 8-bit binary representation of x(k) as is determined by the following equation: The decryption procedure is denoted by In [19], BRIE was successfully cryptanalyzed and the following security problems were pointed out.
(1) The key space is too small and the security against the brute-force attack was much overestimated. (2) There exist some essential defects, which makes it possible for an attacker to get some visual information of the plain image by observing the cipher image. (3) BRIE is not secure against known-/chosen-plaintext attacks, since only one known/chosen plain image is enough to get an equivalent key, a mask array Q = [q(x, y)] M−1,N−1 x=0,y=0 , where q(x, y) satisfies (4) It is easy to get the subkeys α, β and the most significant 8 bits of the chaotic state x(k), as a replacement of the subkey x(0), from the mask array Q obtained above.  in raster order. 1 Then, the plain image can be divided into MN/8 blocks:

TDCEA
where f (8) Rewrite each block f (8) i=0, j=0 , by assigning the 64 bits in the current block in the raster order f (8k + i) = 7 j=0 M k (i, j) · 2 j . In the same way, the 8 pixels of each block of the cipher image can be represented by an 8 Based on the matrix representations of the plain/cipher images, the working mechanism of TDCEA can be described as follows.
(iii) The encryption procedure.
Step (1). Horizontal rotations: for i = 0 ∼ 7 (i.e., for each value of i from 0 to 7, the same hereinafter) do Step (2). Vertical rotations: for The decryption procedure is a simple reversion of the above encryption procedure, as follows. 1 Note that in [1,2] TDCEA is described directly for 1D signals. In this paper, we prefer to explicitly mention the transform from 2D images to 1D signals, so as to emphasize the relation between BRIE and TDCEA (which is not mentioned in [1,2]).

Essential defects of circulations
In [19], some essential defects of the ROLR operation were found: (1) some plain pixels may keep unchanged after encryption, so the plain image will roughly emerge if there are too many such pixels; (2) for a subregion in the plain image with a fixed gray value, at most eight gray values 2 will be contained in the corresponding subregion of the cipher image, which will lead the edge of this subregion to appear in the cipher image. The second fact is also true for subregions with close pixel values.
Although TDCEA extends the shift operation to two dimensions, the above defects of ROLR cannot be completely removed. As an extreme example, when all elements in M k are 0-bits or 1-bits, it is obvious that M k ≡ M k , which means TDCEA cannot encrypt blocks with fixed pixel value 0 (black) or 255 (white) at all. To test the performance of TDCEA compared with BRIE, we have encrypted the same test image used in [19] for BRIE, with the following parameters: (α, β) = (2, 4), x(0) = 34816/2 17 ≈ 0.2656, µ = 128317/2 15 ≈ 3.9159. The encryption result is shown in Figure 1, from which one can see that the 16 squares in the plain image remain fixed in the cipher image, though the fixed gray values have been changed for most squares. Comparing this result with those given in [19, Figure 1], it is obvious that the security defects of BRIE are not enhanced by TDCEA.
As a second example to test the possible enhancement of TDCEA on the BRIE security, we also tested the encryption performance of TDCEA on some general natural images containing many smooth areas. As known, the pixels within a smooth area generally have close pixel values, which are found similar to the squares with fixed gray values shown in Figure 1 when TDCEA is applied for encryption. Two images, "House" and "Cameraman," are selected for testing.

Low practical security against brute-force attacks
In [1,2], it was claimed that the complexity of TDCEA against brute-force attack is O(2 17MN/8 ) since 17MN/8 secret bits are used in the encryption/decryption procedures. However, this statement is not true due to the following reason: all 17MN/8 bits are uniquely determined by the initial condition x(0) and the control parameter µ of the logistic map (1), which have only 34 secret bits. Moreover, not all values of µ can ensure the chaoticity of the logistic map [27], so we can assure that the number of possible different chaotic bit sequences is smaller than 2 34 .
Considering that the computational complexity of TD-CEA is O(MN), that is, 49MN operations of all kinds [1, Section 2.5], and the number of all possible values of (α, β) is 25, the total complexity against the brute-force attack is (2 139264 ), the complexity claimed in [1,2]. Obviously, the security of TDCEA against brute-force attacks was overestimated too much in [1,2].

KNOWN-PLAINTEXT ATTACKS
The known-plaintext attack is the attack of reconstructing the secret key or its equivalent with some known plaintexts and their corresponding ciphertexts, which is practical and occurs more and more frequently in today's networked world [28]. Although it was claimed that TDCEA can efficiently resist this kind of attacks [1, Section 2.6], we propose two different known-plaintext attacks in this section to effectively break TDCEA. One attack requires a few number of known plain texts, and another requires only one.

Known-plaintext attack 1: getting permutation matrices as an equivalent key
The insecurity of BRIE against known-/chosen-plaintext attacks is caused by the fact that the ROLR operation is actually composed of secret permutations of all 8 bits of each pixel value. As shown in [25], all permutation-only ciphers are not secure against known-/chosen-plaintext attacks. Apparently, TDCEA falls into the category of permutation-only ciphers, since the circulation rotations are actually secret permutations of all 64 bits of each 8-pixel block. As a result, if an attacker knows (or chooses) a number of plain blocks and cipher blocks at the same position, k, it is possible for him to partially (or even completely) reconstruct the bit permutation by comparing M k and M k . This is the basic principle of the first type of known-/chosen-plaintext attacks to be discussed below. Apparently, for the kth pixel block f (8) (k) and its cipher block f (8) (k), the encryption transformation can be represented by an , he can use these matrices as an equivalent key to decrypt any cipher image encrypted with the same key.
In [25], a general algorithm was proposed for deriving the secret permutations (i.e., the permutation matrices) from a number of known plain images and their corresponding cipher images. This algorithm depends on the fact that the secret permutations do not change the values of the permuted elements. As a result, one can compare the values of the elements of the plain images and the cipher images to reveal the secret permutations. Here, we show how to optimally realize the general algorithm for TDCEA and discuss the breaking performance.
Given n known plain images f 0 ∼ f n−1 and their corresponding cipher images f 0 ∼ f n−1 , denoting the kth 8 × 8 bit matrix of the lth plain image and cipher image by i=0, j=0 , respectively, the algorithm of deriving the permutation matrix W k is de-scribed as follows.
Note. When n is larger than the word length of the longest integer (which is 32 or 64 for most computers), it may be impossible to store M k (i, j) as a normal integer in a computer. In this case, one has to divide M k (i, j) into multiple short integers for storage and computation (i.e., to use long-integer techniques). Since the long-integer technique is easy for implementations and n is generally smaller than 32 in most attacking scenarios, 3 here we do not pay special attention to this issue. Step (2). Get multivalued permutation matrix, Step (3). Derive an estimation of the permutation matrix W k from W k .
Apparently, if and only if each element of W k contains only one pixel position, that is, the measure of every element of W k is 1, one can uniquely get the permutation matrix W k ; otherwise, only an estimated version W k can be derived. In other words, W k = W k holds if and only if the cardinality of When #( W k ) = P < 64, with n i (i = 1 ∼ P) denoting the measure of the P different elements in W k , one can easily deduce that there are P i=1 (n i !) possible estimations of W k in total. Thus, the task of Step (3) is to determine one estimated permutation matrix from all possible P i=1 (n i !). Although many different methods can be used to realize Step (3), the following simple algorithm is enough in most cases to achieve an acceptable performance. (1) find the first position (i , j ) satisfying M k (i, j) = M k (i , j ) and F k (i , j ) = 0; (2) set W k (i, j) = (i , j ) and F k (i , j ) = 1.

Note that
Step (2) is also incorporated into the above algorithm, which is very useful in reducing the total complexity.
Next, we will see how many known plain images are enough to achieve an acceptable breaking performance. Roughly, the larger the n, the less the P i=1 (n i !), the more accurate the estimated permutation matrix W k , and so the better the breaking performance will be. As a result, by estimating the mathematical expectation of n i , one can conceptually derive a lower bound for n. To simplify the following analyses, we assume that each element in M l,k distributes uniformly over {0, 1} and any two elements are independent of each other. Then, one can see that there are two types of elements in each W k (i, j): (i) the only real position, which absolutely occurs; (ii) other fake positions, each of which occurs in W k (i, j) with a probability of 1/2 n , since any two bits in a bit matrix are identical with a probability of 1/2.
This theoretical result has been verified by experiments as shown in Figures 4 and 5. Note that the above analysis can also be derived from the general result given in [25]. Though the above result is deduced under the assumption that {M l,k } is an i.i.d. sequence, it can be qualitatively generalized to other distributions of {M l,k }. Our experiments show that the above theoretical result essentially holds for most natural images. For a randomly selected key, (α, β) = (2, 2), x(0) = 33578/2 17 ≈ 0.2562, µ = 129518/2 15 ≈ 3.9526, a set of known plain images (all natural images) are randomly selected for testing. When n = 8, the plain image "Peppers" (Figure 4a) and its cipher image (Figure 4b) are used to verify the breaking performance based on MN/8 estimated permutation matrices, . The recovered plain image is shown in Figure 4c. It is found that almost all visual information contained in the original plain image has been successfully recovered, though only 38012/65536 = 58% of plain pixels are correct in value. With some noise reduction algorithms, one can further enhance the recovered plain image. One enhanced result with a 3 × 3 median filter is shown in Figure 4d.  Figure 5 shows the percentage of correctly recovered plain pixels with respect to n, the number of known plain images. One can see that the breaking performance is good when n ≥ 8. Also, it is found that the breaking performance of the natural image is better than the noisy image under the same condition, which is attributed to the correlation existing in the natural image for decryption as discussed in [25]. It can also be observed that the slope of the two lines in Figure 5 are very flat when n ≥ 16, this is also due to the correlation of the known images (e.g., the MSBs of adjacent pixels are the same with a high probability).
This known-plaintext attack has two disadvantages: (1) the number of required known plain images is somewhat large; (2) with n known plain images of size M × N, this attack can only decrypt cipher images of size not greater than M×N. In the following subsection, we will introduce another known-plaintext attack, by which we can get the secret keys with only one known plain image (but with a larger complexity).

Known-plaintext attack 2: getting the secret key from one known plain image
The known-plaintext attack introduced in this subsection is actually an optimized brute-force attack. By utilizing the correlation information existing between two consecutive chaotic states and the control parameter µ, the multiplicative search of the two subkeys x(0) and µ can be reduced to be the additive search of two chaotic states x(k) and x(k + 1). This can dramatically reduce the attack complexity. Also, since  each guessed chaotic state can be verified by a few number of 8-pixel blocks, not by the whole known plain image, the attack complexity can be further reduced.
The basic idea of this attack is based on the following facts: (1) each permutation matrix W k is uniquely determined by the current chaotic state x(k) and the two subkeys α, β; (2) two consecutive chaotic states x(k) and x(k Once an attacker gets the right values of any two consecutive chaotic states, he can immediately get an estimation of µ, and then completely break TDCEA if α and β are also known. To get the right value of a chaotic state x(k) corresponding to the kth bit matrix M k , one can use the permutation information existing in M k and M k . When there are t 0-bits and (64 − t) 1-bits in M k , one can calculate that the number of all possible values of M k is C(t) = 64 t = 64!/t!(64 − t)!. In comparison, the number of all possibilities of each permutation matrix is equal to the number of all possible values of the 3-tuple data (x(k), α, β), which is less than N s = 2 17 · 25. When 5 ≤ t ≤ 59, one has C(t) N s (see Figure 6). This means that the probability that a wrong value of (x(k), α, β) coincides with W k is close to zero, that is, one can exhaustively search all possible values of (x(k), α, β) to find a few number of candidates of the right value. Apparently, such an exhaustive searching procedure is optimized when t = 32.
Carrying out the above procedure on two consecutive bit matrices, one can find some candidates of two consecutive chaotic states, x(k) = 0.b(17k + 0) · · · b(17k + 16) and x(k + 1) = 0.b(17k + 17) · · · b(17k + 33). Then, an estimated value of the subkey µ can be derived as Due to the quantization errors introduced in the finiteprecision arithmetic, generally so µ = µ. Fortunately, following the error analysis of µ given in [22,Appendix], it has been shown that when (i) Step (1). Find the first two consecutive plain blocks f (8) (k) and f (8) (k + 1), whose corresponding bit matrices M k and M k+1 both have about 32 0-bits.
Note. Assuming that each bit in M k distributes uniformly and independently, one can deduce that where t is the number of nonzero elements of M k and 0 ≤ s ≤ 32. When s = 4, P s ≈ 0.7396, which is sufficiently large for an attacker to find valid plain-blocks within all the MN/8 blocks. (ii) Step (2). Exhaustively search all possible values of (x(k), α, β) and record those coinciding with M k and M k . Assume that m 1 candidates are recorded in total: Step (3). Search all possible values of x(k + 1) and all values of (α, β) and record those coinciding with M k+1 and M k+1 . Assume that m 2 candidates are recorded in total: Step (4). For i = 0 ∼ m 1 − 1 and j = 0 ∼ m 2 − 1, do the following operations.
Assuming that x j (k + 1) ≥ 2 −n , exhaustively search all possible 2 n+3 values of µ within the neighborhood of µ. For each searched value, iterate the logistic map from x i (k +1) to x i (MN/8−1). If every chaotic state x i (l) and (α * i , β * i ) agree with M l and M l (l = k + 2 ∼ MN/8 − 1), then the attack completes.
Combining the above results, one concludes that the total complexity is O(2 36 ), which is practically small even for a PC and much smaller than O(2 60 ), the complexity of the simple brute-force attack shown in Section 3.3. Figure 7 shows an experimental result of the recovered plain image "Peppers," where the fifth and sixth pixel blocks are chosen to exhaustively search the secret key. As a result, all chaotic states from x(5) are successfully derived and only (5 · 8 = 40) leading plain pixels at the left-bottom corner are not recovered correctly.

CHOSEN-PLAINTEXT ATTACKS
Chosen-plaintext attacks are enhanced (and generally stronger) versions of known-plaintext attacks, with some intentionally chosen plaintexts and their corresponding ciphertexts [28]. In these attacks, the two known-plaintext attacks introduced in the previous section can be significantly enhanced.

Chosen-plaintext attack 1: getting permutation matrices as an equivalent key
As discussed in Section 4.1, if #( W k ) = 64, the permutation matrix W k can be uniquely determined. Apparently, it is easy to ensure #( W k ) = 64 by choosing the following six plain images for all With the above six chosen plain images, #( W k ) = 64 holds so all MN/8 permutation matrices can be uniquely determined, which can then be used to decrypt any cipher image of size not greater than MN. The time complexity of such an attack is of the same order as the known-plaintext attack with n = 6 known plain images, that is, O(16 (6 + 15) In fact, due to a special weakness of TDCEA, even two chosen plain images are enough to completely reconstruct each 8 × 8 permutation matrix. Recalling the encryption procedure of TDCEA, one can see that 2D secret rotations are merely a simple combination of 1D rotations in two directions: 8 horizontal rotations followed by 8 vertical rotations. Such a property makes the division of the 2D secret rotations possible in chosen-plaintext attacks with only two plain images. In cryptanalysis, we call such attacks divideand-conquer (DAC) attacks. The DAC chosen-plaintext attack can be described as follows.

Chosen-plaintext attack 2: getting the secret key
In the first chosen-plaintext attack, one can get 16 values, s k (0) ∼ s k (7) and r k (0) ∼ r k (7), for each pixel block f (8) (k). Based on the 16 values, the second known-plaintext attack discussed in Section 4.2 can be dramatically enhanced in most cases by introducing a much more effective way of deriving the 17 secret bits, b(17k + 0) ∼ b(17k + 16), of the chaotic state x(k).
To simplify the following discussions, create a new vector, rs k (i) (i = 0 ∼ 15), which satisfies that for all i = 0 ∼ 7, rs k (i) = r k (i) and for all i = 8 ∼ 15, rs k (i) = s k (i − 8).
Recalling the encryption procedure of TDCEA, it is obvious that the 16 values {rs k (i)} 15 i=0 have a deterministic relation with the 17 secret bits b(17k + 0) ∼ b(17k + 16). Such a relation can be used to facilitate an exhaustive search of the 17 secret bits, that is, the search of the kth chaotic state x(k) = 0.b(17k + 0) · · · b(17k + 16).
Since one can guess the value of #(S) by observing the cardinality of the set {rs k (0), . . . , rs k (15)} ⊆ S, it is possible to search (α, β) in part of all possible values to reduce the attack complexity. Apparently, the success probability of such a guess is P e = Prob[S = {rs k (0), . . . , rs k (15)}]. Since the theoretical deduction of P e is rather difficult, experiments are performed to test all 2 17 possible values of b(17k + 0) ∼ b(17k + 16). It results in that P e = 122684/2 17 ≈ 0.936, which is sufficiently large. Note that it is easy to further increase the success probability of the guess, by observing n > 1 blocks at the same time. In doing so, the success probability will be greater than P (n) e = 1 − (1 − P e ) n under the assumption that the chaotic bits for different blocks distribute uniformly and independently. As n increases, P (n) e will approach 1 exponentially. In real attacks, even n = 2 is enough in almost all cases, since P (2) e ≈ 0.996. If all guessed values determined by #({rs k (0), . . . , rs k (15)}) fail to pass the verification, it means that the rare event {rs k (0), . . . , rs k (15)} ⊂ S occurs. 6 In this case, one has to continue to exhaustively search all other values of (α, β).
When the real value of (α, β) belongs to (C4) class, the average complexity of the chosen-plaintext attack is also smaller than the one of its known-plaintext counterpart, since the value of (α, β) can be immediately determined 7 with a sufficiently high probability, P (n) e ≈ 1, that is, only when the rare event {rs k (0), . . . , rs k (15)} ⊂ S occurs, one needs to exhaustively search the value of (α, β).

CHOSEN-CIPHERTEXT ATTACKS
Chosen-ciphertext attacks are mirror versions of chosenplaintext attacks, in which a cryptanalyst attempts to determine the secret key from knowledge of plaintexts that correspond to ciphertexts chosen by the attacker [28]. For TD-CEA, due to the symmetry of the encryption and decryption procedures, one can carry out chosen-ciphertext attacks, in very much the same way as the chosen-plaintext attacks discussed in Section 5.

CONCLUSIONS
In this paper, the security of the recently proposed encryption scheme for multimedia transmission, called TDCEA [1,2], has been analyzed carefully. Some defects existing in TDCEA have been found and diagnosed. Two methods of known-plaintext attacks and their chosen-plaintext attack counterparts have been proposed to break the scheme. In addition, a chosen-ciphertext attack has been mentioned briefly. Both theoretical and experimental analyses have been given to demonstrate the defects of TDCEA and to verify the feasibility of the proposed known-plaintext attacks. In conclusion, TDCEA is not suggested for applications that require a high level of security level.