On the Security of a Latin-Bit Cube-Based Image Chaotic Encryption Algorithm

Abstract

In this paper, the security analysis of an image chaotic encryption algorithm based on Latin cubes and bit cubes is given. The proposed algorithm adopts a first-scrambling-diffusion- second-scrambling three-stage encryption scheme. First, a finite field is constructed using chaotic sequences. Then, the Latin cubes are generated from finite field operation and used for image chaotic encryption. In addition, according to the statistical characteristics of the diffusion image in the diffusion stage, the algorithm also uses different Latin cube combinations to scramble the diffusion image for the second time. However, the generation of Latin cubes in this algorithm is independent of plain image, while, in the diffusion stage, when any one bit in the plain image changes, the corresponding number of bits in the cipher image follows the change with obvious regularity. Thus, the equivalent secret keys can be obtained by chosen plaintext attack. Theoretical analysis and experimental results indicate that only a maximum of $2.5\times \sqrt[3]{w\times h}+6$ plain images are needed to crack the cipher image with $w\times h$ resolution. The size of equivalent keys deciphered by the method proposed in this paper are much smaller than other general methods of cryptanalysis for similar encryption schemes.

1. Introduction

Image chaotic encryption algorithms have attracted some special attention in the field of information security [1,2,3,4,5,6,7]. In recent years, many image chaotic encryption schemes combined chaos theories with other technologies, such as one-time keys [8], bit-level permutation [9], DNA operations [10,11,12,13], parallel computing system [14], matrix semi-tensor product theory [15], cellular automata [16,17], neural network [18,19], Latin square or Latin cube [20,21,22], and so on, have been proposed. However, the security issues of image chaotic encryption algorithms have also attracted much attention. As a basic requirement of security, the ciphertext image of the image chaotic encryption algorithm must have good uniformity. In addition, the algorithm must have a large enough key space to resist brute force attacks. For instance, in order to show the security of the image chaotic encryption algorithm in the statistical sense, the key space analysis, statistical analysis, and differential analysis of the chaos encryption algorithm proposed in [23] and its corresponding extended algorithm are given in Sections 4 and 5 of [23], respectively. However, the high uniformity of ciphertext does not mean that the encryption algorithm has high security performance. For example, in [24], the security analysis of an image chaotic encryption algorithm proposed in [16] is given, and it is found that the generation of key stream is related to the sum of pixel values of plain images. Under the premise of satisfying the sum of pixel values of a plain image unchanged, only two pixel values of cipher image are changed corresponding to the variation of two pixel values of a plain image, which is vulnerable to differential attack. Therefore, the equivalent secret keys can be obtained by selecting 512 plain images. In [25], the cryptanalysis of a DNA encoding-based image scrambling and diffusion encryption algorithm proposed in [10] is reported to find that the scrambling algorithm is also independent of plain image, so that it can be deciphered by chosen plaintext attack. In addition, by choosing some specific plain images, the original image chaotic encryption algorithm can be simplified into scrambling-only encryption algorithm, which has been proven to be insecure [26,27]. In [28], the security analysis of an image encryption algorithm based on a compound chaotic system proposed in [29] is given, and it is pointed out that there are a large number of equivalent secret keys in the image chaotic encryption algorithm. In [30], an 8D self-synchronous and feedback-based chaotic stream cipher using the lower 8 bits of one state variable for encryption is proposed. However, in [31], most of the secret keys are successfully acquired by means of a divide and conquer attack, known plaintext attack, and a chosen ciphertext attack, respectively. In [32], the security analysis of a Latin square based image chaotic encryption algorithm proposed in [22] is given to find the security vulnerabilities both in the diffusion stage and in the scrambling stage through chosen text attack. In [33], the chosen plaintext attack is adopted for the safety performance assessment of a 1D combinatorial chaotic encryption algorithm proposed in [34]. In addition, in [35], the chosen plaintext attack is also utilized for analyzing the security of a bit cube-based image chaotic encryption algorithm proposed in [36]. In addition, some chaotic cipher designers have also discovered the importance of cryptanalysis. For example, in Section 3 of [37], the resistance to the four classic attack methods is analyzed in detail. The analysis shows that the proposed encryption algorithm has resistance to the chosen plaintext attack because it is sensitive to the initial parameters.

In 2019, an image chaotic encryption algorithm based on orthogonal Latin cubes and bit cubes is given in [20]. First, a chaotic sequence is generated by logistic mapping, and it is further arranged in ascending order to obtain its corresponding chaotic index sequence. Next, a finite field is constructed by the chaotic index sequence, and three orthogonal Latin cubes are also generated. Then, the generated three orthogonal Latin cubes are used for the first-scrambling-diffusion- second-scrambling three-stage encryption. Although the designer claims that the algorithm has passed various statistical tests, the analysis results in this paper demonstrate that the algorithm has at least two security vulnerabilities as follows:

(1)

The generation of Latin cubes in this algorithm is independent of plain image.

(2)

When any one bit in the plain image changes, the corresponding number of bits in the cipher image follows the change with obvious regularity.

Based on the above-mentioned security vulnerabilities, this paper adopts both chosen plaintext attack and differential attack for analyzing the safety performance for the image chaotic encryption algorithm proposed in [20]. First, a full zero plain image and multiple non-full zero plain images are selected, and the differential operation is performed between the cipher image corresponding to this full zero plain image and the cipher image corresponding to those non-full zero plain images. On the premise that the sum of bit 1 in each differential operation is even, the chaotic index sequence $lx$ can be deciphered. Next, based on the obtained $lx$, and on the condition that there exists an intersection in the solutions of unary quadratic equation on finite field $GF\left(q\right)$, the secret keys $\alpha$, $\beta$, $\gamma$ can be further deciphered.

The rest of the paper is organized as follows: Section 2 briefly introduces the image chaotic encryption algorithm. Section 3 presents the security analysis. Section 4 gives the steps for deciphering image chaotic encryption algorithm. Section 5 demonstrates the numerical simulation experiments. Section 6 gives some improvement suggestions for the image chaotic encryption algorithm. Finally, Section 7 concludes the paper.

2. Description of an Image Chaotic Encryption Algorithm

2.1. A Brief View of an Image Chaotic Encryption Algorithm

In [20], the image chaotic encryption algorithm consists of secret keys selection, Latin cube generation, scrambling encryption, and diffusion encryption, as shown in Figure 1, where ${key}_0$, ${\mu }_0$, $\alpha$, $\beta$, $\gamma$ are the secret keys, $x_n$$(n=0,1,2,\cdots )$ is a chaotic sequence generated by Logistic mapping, $lx$ is a chaotic index sequence, $L_1$, $L_2$, $L_3$ are three Latin cubes, P is a 2D plain gray image, M is a bit cube representation of P, $S_1$ is a first-scrambling image of M, D is a diffusion image of $S_1$, $S_2$ is a second-scrambling image of D, E is a 2D cipher gray image of $S_2$, and B is generated by $L_1$. When the size of the image is $w\times h$, the length of $x_n$ and $lx$ is $q=\sqrt[3]{8\times w\times h}$, the side length of Latin cubes and bit cubes is $q=\sqrt[3]{8\times w\times h}$, and the secret keys $\alpha ,\beta ,\gamma \in \{0,1,2,\cdots ,q-1\}$. Note that an appropriate image size $w\times h$ should be selected to ensure that $q=\sqrt[3]{8\times w\times h}=2\times \sqrt[3]{w\times h}$ is an even number. In Figure 1, $L_1,L_2,L_3\in \{0,1,2,\cdots ,q-1\}$ are Latin cubes, $M,S_1,D,S_2,B\in \{0,1\}$ are bit cubes, P is a 2D plain gray image, E is a 2D cipher gray image, $p_k,p_t,s_1,b,d,e_k\in \{0,1\}$ are 1D bit sequences corresponding to $P,S_1,B,D,E$, and $t=T\left(k\right)$ is a position scrambling rule corresponding to the first-scrambling stage.

2.2. Logistic Map

According to Figure 1, the chaotic sequence is generated through logistic mapping, given by

$$x_{n+1}=\mu x_n(1-x_n),$$

(1)

where $n=0,1,2,\cdots$, $x_n\in (0,1)$, $0\le \mu \le 4$. When $\mu >3.573815$, Equation (1) is chaotic.

2.3. Generation of Latin Cubes

Let the side length of $L_1$, $L_2$, $L_3$ be $q=\sqrt[3]{8\times w\times h}$, where q is an even number. For a given $(l_1,l_2,l_3)$, one gets $L_1(l_1,l_2,l_3)={\psi }_1$, $L_2(l_1,l_2,l_3)={\psi }_2$, $L_3(l_1,l_2,l_3)={\psi }_3$, $0\le {\psi }_1,{\psi }_2,{\psi }_3\le q-1$. If $(l_1,l_2,l_3)\ne (l_1^{\prime },l_2^{\prime },l_3^{\prime })$, $({\psi }_1,{\psi }_2,{\psi }_3)\ne ({\psi }_1^{\prime },{\psi }_2^{\prime },{\psi }_3^{\prime })$, then $L_1,L_2,L_3$ are orthogonal to each other [38]. When $q=3$, one gets three orthogonal Latin cubes, as shown in Figure 2a, and the corresponding triple tuple is shown in Figure 2b, respectively.

The algorithm for generating Latin cubes proposed in [20] is implemented by replacing the ordered set $\{0,1,2,\dots ,q\}$ in the generation method proposed in [38] with the chaotic index sequence $lx$. The detailed steps for generating three orthogonal Latin cubes by means of a finite field are in Algorithm 1.

Algorithm 1 Steps for Generation of Latin Cubes.

Input:    Secret keys ${key}_0,{\mu }_0,\alpha ,\beta ,\gamma$; Side length $q=\sqrt[3]{8\times w\times h}$; Output:    Three orthogonal Latin cubes $L_1$, $L_2$ and $L_3$; 1: Generate the chaotic sequence $x=\{x_0,x_1,\dots ,x_{q-1}\}$ by using Logistic mapping. 2: Obtain the corresponding chaotic index sequence $lx=\{c_0,c_1,\cdots ,c_i,\cdots ,c_{q-1}\}$ by arranging $x=\{x_0,x_1,\dots ,x_{q-1}\}$ in ascending order, where $0\le c_i,i\le q-1$, satisfying $lx\left[i\right]=c_i$. Note that the chaotic index sequence $lx$ can only be determined after the sequence value $c_i$ and the sequence number i are simultaneously obtained. When the sequence value $c_i$ is obtained, but the sequence number i is uncertain, the general form of the chaotic index sequence $lx$ is in the form of $$lx=\{c_{i_0},c_{i_1},\cdots ,c_{i_k},\cdots ,c_{i_{q-1}}\},$$ (2) where $0\le c_{i_k}{i}_k\le q-1$, $i_0\ne i_1\ne \cdots \ne i_k\ne \cdots \ne i_{q-1}$, $lx\left[i_k\right]=c_{i_k}$. In the following, $\xi$ or ${\xi }^{\prime }$ denotes the sequence value and $i_{\xi }$ or $i_{{\xi }^{\prime }}^{\prime }$ denotes the sequence number in Equation (2), respectively. 3: Construct a finite field by using chaotic index sequence $lx$, and then one gets the orthogonal Latin cubes on the finite field, given by $$\left\{\begin{array}{c}{L}_1\left(l_1,l_2,l_3\right)={\alpha }^2\times c_{l_1}+\alpha \times c_{l_2}+c_{l_3},\hfill \\ L_2\left(l_1,l_2,l_3\right)={\beta }^2\times c_{l_1}+\beta \times c_{l_2}+c_{l_3},\\ L_3\left(l_1,l_2,l_3\right)={\gamma }^2\times c_{l_1}+\gamma \times c_{l_2}+c_{l_3},\end{array}\right.$$ (3) where “+” denotes addition operation on the finite field, “×” denotes multiplication operation on the finite field, $\alpha ,\beta ,\gamma \in lx$, $c_{l_1}$, $c_{l_2}$, $c_{l_3}$ are sequence values of $lx$. 4: return$L_1$, $L_2$, $L_3$.

2.4. Steps for Image Chaotic Encryption

According to Figure 1, and taking a plain gray image with $512\times 512$ resolution as an example, one has $q=\sqrt[3]{512\times 512\times 8}=128$. The steps for image chaotic encryption are in Algorithm 2.

Algorithm 2 Steps for Image Chaotic Encryption.

Input:   Secret keys ${key}_0,{\mu }_0,\alpha ,\beta ,\gamma$; Plaintext image P; Output:   Ciphertxet image E; 1: Convert the 2D plain gray image P into the bit cube M; 2: Obtain three orthogonal Latin cubes $L_1$, $L_2$, $L_3$ by Algorithm 1; 3: Scramble bit cube M by using three orthogonal Latin cubes $L_1,L_2,L_3$, and get the corresponding first-scrambling image $S_1$ in the form of bit cube, such that $$S_1\left(l_1,l_2,l_3\right)=M\left(L_1\left(l_1,l_2,l_3\right),L_2\left(l_1,l_2,l_3\right),L_3\left(l_1,l_2,l_3\right)\right).$$ (4) 4: Obtain the diffusion bit cube $B\left(l_1,l_2,l_3\right)$ by using Latin cube $L_1$, given by $$B\left(l_1,l_2,l_3\right)=\left\{\begin{array}{ll}0,\hfill & \mathrm{if}{L}_1\left(l_1,l_2,l_3\right)\ge 64,\\ 1,& \mathrm{if}{L}_1\left(l_1,l_2,l_3\right)<64.\end{array}\right.$$ (5) Then, get the diffusion 1D bit sequence $b\left[t\right]$ corresponding to diffusion bit cube $B(l_1,l_2,l_3)$ as $$b\left[t\right]=B\left(⌊t/{128}^2⌋,⌊t/128⌋\%128,t\%128\right),$$ (6) where $t\in \{0,1,2,\cdots ,q^3-1\}$, $⌊·⌋$ is a round down operation, and “%” is a modulo operation. 5: Convert $S_1(l_1,l_2,l_3)$ into the 1D bit sequence $s_1\left[t\right]$ as $$s_1\left[t\right]=S_1\left(⌊t/{128}^2⌋,⌊t/128⌋\%128,t\%128\right).$$ (7) Then, get the 1D bit sequence $d\left[t\right]$ by using $s_1\left[t\right]$ and $b\left[t\right]$ as $$d\left[t\right]=s_1\left[t\right]\oplus d[t-1]\oplus b\left[t\right],$$ (8) where $0\le t\le {128}^3-1$, $d[-1]=0$, “⊕” denotes bitwise exclusive or operation. 6: Calculate $G\left(d\right)=\left({\sum }_{i=0}^{q^3-1}d\left[i\right]\right)$, and convert the 1D bit sequence $d\left[t\right]$ into the bit cube $D(l_1,l_2,l_3)$. Then, get the bit cube $S_2\left(l_1,l_2,l_3\right)$ by utilizing $D(l_1,l_2,l_3)$, such that $$S_2\left(l_1,l_2,l_3\right)=\left\{\begin{array}{ll}D\left(L_2\left(l_1,l_2,l_3\right),L_3\left(l_1,l_2,l_3\right),L_1\left(l_1,l_2,l_3\right)\right),\hfill & (G\left(d\right)\%2=0),\hfill \\ D\left(L_3\left(l_1,l_2,l_3\right),L_1\left(l_1,l_2,l_3\right),L_2\left(l_1,l_2,l_3\right)\right),\hfill & \left(G\right(d)\%2=1),\end{array}\right.$$ (9) where $G\left(d\right)\%2\in \{0,1\}$ denotes the modular 2 operation on $G\left(d\right)$. 7: Convert the bit cube $S_2(l_1,l_2,l_3)$ into the 2D cipher gray image E with $512\times 512$ resolution. 8: returnE.

An example of encrypting a gray image with $2\times 4$ resolution using the original encryption algorithm is shown in Figure 3. Figure 3a shows the three Latin cubes and the corresponding bit cubes L used for encryption. Figure 3b shows the encryption process. The numbers in the cells of P and E represent pixel values, and the bit values are represented in the cells of $S_1$, B, and $S_2$. The red cells in M indicate that they are bit representations of the red cell corresponding to P, i.e., the binary representation of 166 is ${\left(10100110\right)}_2$.

3. Security Analysis

According to Figure 1, it is found that the generation of three orthogonal Latin cubes $L_1,L_2,L_3$ is not related to the plain image. When the secret keys are given, the three orthogonal Latin cubes $L_1,L_2,L_3$ remain unchanged for different input plain images, which are provided a prerequisite for chosen plaintext attack. Therefore, one can decipher the equivalent secret keys $lx,\alpha ,\beta ,\gamma$ corresponding to the original secret keys ${key}_0,{\mu }_0,\alpha ,\beta ,\gamma$.

3.1. Analysis of Chaotic Index Sequence $lx$

3.1.1. Relation between the First-Scrambling Image $S_1$ and the Plain Image M

Proposition 1.

Suppose that M is the bit cube representation of P; $S_1$ is the first-scrambling image of M. The relationship between M and $S_1$ satisfies $S_1(i_0,i_0,i_{\xi })=M(\xi ,\xi ,\xi )$, where $lx\left[i_0\right]=0$, $lx\left[i_{\xi }\right]=\xi$, $i_0,\xi \in \{0,1,2,\cdots ,q-1\}$, $i_0$ denotes the sequence number corresponding to the sequence value 0, and $i_{\xi }$ denotes the sequence number corresponding to the sequence value ξ.

Proof. 

Let $l_1=l_2=i_0,l_3=i_{\xi }$, and substitute them into Equation (4), then, one gets

$$S_1(i_0,i_0,i_{\xi })=M(L_1(i_0,i_0,i_{\xi }),L_2(i_0,i_0,i_{\xi }),L_3(i_0,i_0,i_{\xi })).$$

(10)

In addition, let $l_1=l_2=i_0,l_3=i_{\xi }$, and substitute them into Equation (3), then, one gets

$$\left\{\begin{array}{c}{L}_1(i_0,i_0,i_{\xi })={\alpha }^2\times c_{i_0}+\alpha \times c_{i_0}+c_{i_{\xi }},\hfill \\ L_2(i_0,i_0,i_{\xi })={\beta }^2\times c_{i_0}+\beta \times c_{i_0}+c_{i_{\xi }},\hfill \\ L_3(i_0,i_0,i_{\xi })={\gamma }^2\times c_{i_0}+\gamma \times c_{i_0}+c_{i_{\xi }}.\hfill \end{array}\right.$$

(11)

Since $lx\left[i_0\right]=0$, $lx\left[i_{\xi }\right]=\xi$, one has $lx\left[i_0\right]=c_{i_0}=0$, $lx\left[i_{\xi }\right]=c_{i_{\xi }}=\xi$. In addition, substituting $c_{i_0}=0$ and $c_{i_{\xi }}=\xi$ into Equation (11), one gets

$$L_1(i_0,i_0,i_{\xi })=L_2(i_0,i_0,i_{\xi })=L_3(i_0,i_0,i_{\xi })=\xi .$$

(12)

In addition, substituting Equation (12) into Equation (10), it follows that $S_1(i_0,i_0,i_{\xi })=M(\xi ,\xi ,\xi )$ holds. The proof is finished. □

3.1.2. The First Case for Analysis of Chaotic Index Sequence $lx$

Suppose that the 1D bit sequence corresponding to plain image $P_0$ is ${\left\{p_0\left[i\right]\right\}}_{i=0}^{q^3-1}={\left\{0\right\}}_{i=0}^{q^3-1}$, the cipher image corresponding to plain image $P_0$ is $E_0$, the 1D bit sequence corresponding to cipher image $E_0$ is ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$, and the 1D bit sequence corresponding to plain image $P_k$ is ${\left\{p_k\left[i\right]\right\}}_{i=0}^{q^3-1}$, where $p_k\left[i\right]$ is given by

$$p_k\left[i\right]=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}i=k,\hfill \\ 0,\hfill & \mathrm{if}i\ne k.\hfill \end{array}\right.$$

(13)

In addition, suppose that the cipher image corresponding to plain image $P_k$ is $E_k$, the 1D bit sequence corresponding to cipher image $E_k$ is ${\left\{e_k\left[i\right]\right\}}_{i=0}^{q^3-1}$, the 1D bit sequence corresponding to plain image $P_{k_1{k}_2}=P_{k_1}\oplus P_{k_2}$ is ${\left\{p_{k_1{k}_2}\left[i\right]\right\}}_{i=0}^{q^3-1}={\left\{p_{k_1}\left[i\right]\oplus p_{k_2}\left[i\right]\right\}}_{i=0}^{q^3-1}$, the cipher image corresponding to plain image $P_{k_1{k}_2}$ is $E_{k_1{k}_2}$, the 1D bit sequence corresponding to cipher image $E_{k_1{k}_2}$ is ${\left\{e_{k_1{k}_2}\left[i\right]\right\}}_{i=0}^{q^3-1}$, the 1D bit sequence corresponding to plain image $P_{k_1{k}_2{k}_3}=P_{k_1}\oplus P_{k_2}\oplus P_{k_3}$ is ${\left\{p_{k_1{k}_2{k}_3}\left[i\right]\right\}}_{i=0}^{q^3-1}={\left\{p_{k_1}\left[i\right]\oplus p_{k_2}\left[i\right]\oplus p_{k_3}\left[i\right]\right\}}_{i=0}^{q^3-1}$, the cipher image corresponding to $P_{k_1{k}_2{k}_3}$ is $E_{k_1{k}_2{k}_3}$, and the 1D bit sequence corresponding to $E_{k_1{k}_2{k}_3}$ is ${\left\{e_{k_1{k}_2{k}_3}\left[i\right]\right\}}_{i=0}^{q^3-1}$.

Proposition 2.

Suppose that the cipher image corresponding to plain image $P_k$ is $E_k$, the 1D bit sequence corresponding to cipher image $E_k$ is ${\left\{e_k\left[i\right]\right\}}_{i=0}^{q^3-1}$, the cipher image corresponding to plain image $P_0$ is $E_0$, and the 1D bit sequence corresponding to cipher image $E_0$ is ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$. A differential operation is performed in the form of ${\sum }_{i=0}^{q^3-1}\left(e_0\left[i\right]\oplus e_k\left[i\right]\right)=q^3-m_{k,0}$, in which $e_k\left[i_l\right]=e_0\left[i_l\right](l=1,2,\cdots ,m_{k,0};i_l\in \{0,1,2,\cdots ,q^3-1\})$, $q^3$ is an even number. If $(q^3-m_{k,0})\%2=q^3\%2-m_{k,0}\%2=m_{k,0}\%2=0$, then $T\left(k\right)=m_{k,0}$ holds, where $T\left(k\right)$ denotes the position scrambling rule in the first-scrambling stage, k denotes the position of the k-th bit before the first-scrambling of plain image, and $T\left(k\right)$ denotes the position of k-th bit after the first-scrambling of plain image.

Proof. 

According to Equation (6), the relationship between the coordinates $(l_1,l_2,l_3)$ of bit cube $B(l_1,l_2,l_3)$ and the position t of 1D bit sequence $b\left[t\right]$ corresponding to $B(l_1,l_2,l_3)$ is given by

$$\left\{\begin{array}{c}{l}_1=⌊t/q^2⌋=⌊t/{128}^2⌋,\hfill \\ l_2=⌊t/q⌋\%q=⌊t/128⌋\%128,\hfill \\ l_3=t\%q=t\%128.\hfill \end{array}\right.$$

(14)

On the other hand, the relationship between the coordinates $(\xi ,\xi ,\xi )$ of bit cube $M(\xi ,\xi ,\xi )$ and the position k of 1D bit sequence $p_k\left[i\right]$ in Equation (13) is given by

$$k=\xi (q^2+q+1).$$

(15)

Thus, the relationship between the position of t-th bit after the first-scrambling of plain image and the position of k-th bit before the first-scrambling of plain image is given by

$$t=T\left(k\right)=T\left(\xi (q^2+q+1)\right).$$

(16)

(1) Consider the first-scrambling stage. In the first-scrambling stage, only change the bit position, but the bit value should remain unchanged. Suppose that the input 1D bit sequence corresponding to plain image $P_k$ is $p_k$, after the first-scrambling of plain image, the corresponding output 1D bit sequence is $p_t$. According to Equation (16), the relationship between position t and k satisfies $t=T\left(k\right)$. In particular, if the input 1D bit sequence corresponding to plain image $P_0$ is $p_0={\left\{p_0\left[i\right]\right\}}_{i=0}^{q^3-1}={\left\{0\right\}}_{i=0}^{q^3-1}$, after the first-scrambling of plain image, the corresponding output 1D bit sequence is $p_t={\left\{p_t\left[i\right]\right\}}_{i=0}^{q^3-1}$, then one has $p_t=p_0={\left\{0\right\}}_{i=0}^{q^3-1}$. (2) Consider the diffusion stage. Take the output 1D bit encryption sequence ${\left\{p_o\left[i\right]\right\}}_{i=0}^{q^3-1}$ in the first-scrambling stage as the input 1D bit sequence in the diffusion stage. According to Equation (8), diffuse ${\left\{p_o\left[i\right]\right\}}_{i=0}^{q^3-1}$ by using the diffusion 1D bit sequence ${\left\{b\left[i\right]\right\}}_{i=0}^{q^3-1}$, obtain the corresponding output ${\left\{d_o\left[i\right]\right\}}_{i=0}^{{128}^3-1}$ in the diffusion stage. By substituting $s_1\left[i\right]=p_o\left[i\right]=0$ into Equation (8), one has

$$\left\{\begin{array}{cc}\hfill d_o\left[0\right]& =p_o\left[0\right]\oplus d_o[-1]\oplus b\left[0\right]=0\oplus 0\oplus b\left[0\right]=b\left[0\right],\hfill \\ \hfill d_o\left[1\right]& =p_o\left[1\right]\oplus d_o\left[0\right]\oplus b\left[1\right]=0\oplus d_o\left[0\right]\oplus b\left[1\right]=b\left[0\right]\oplus b\left[1\right],\hfill \\ \hfill d_o\left[2\right]& =p_o\left[2\right]\oplus d_o\left[1\right]\oplus b\left[2\right]=0\oplus d_o\left[1\right]\oplus b\left[2\right]=b\left[0\right]\oplus b\left[1\right]\oplus b\left[2\right],\hfill \\ \hfill \cdots & \\ \hfill d_o\left[i\right]& =b\left[0\right]\oplus b\left[1\right]\oplus b\left[2\right]\cdots \oplus b\left[i\right],\hfill \end{array}\right.$$

(17)

where $i=0,1,2,\cdots ,q^3-1$, $d_0[-1]=0$. Similarly, take the output 1D bit encryption sequence ${\left\{p_t\left[i\right]\right\}}_{i=0}^{q^3-1}$ in the first-scrambling stage as the input 1D bit sequence in the diffusion stage. According to Equation (8), diffuse ${\left\{p_t\left[i\right]\right\}}_{i=0}^{q^3-1}$ by using the diffusion 1D bit sequence ${\left\{b\left[i\right]\right\}}_{i=0}^{q^3-1}$ and obtain the corresponding output ${\left\{d_t\left[i\right]\right\}}_{i=0}^{{128}^3-1}$ in the diffusion stage. By substituting $s_1\left[i\right]=p_t\left[i\right]$ into Equation (8), and also by utilizing Equation (17), one has

$$\left\{\begin{array}{c}{d}_t\left[0\right]=p_t\left[0\right]\oplus d_t[-1]\oplus b\left[0\right]=0\oplus 0\oplus b\left[0\right]=d_o\left[0\right],\hfill \\ d_t\left[1\right]=p_t\left[1\right]\oplus d_t\left[0\right]\oplus b\left[1\right]=0\oplus d_o\left[0\right]\oplus b\left[1\right]=0\oplus b\left[0\right]\oplus b\left[1\right]=d_o\left[1\right],\hfill \\ \cdots \hfill \\ d_t\left[t\right]=p_t\left[t\right]\oplus d_t[t-1]\oplus b\left[t\right]=1\oplus d_o[t-1]\oplus b\left[t\right]=1\oplus d_o\left[t\right]=\overline{d_o\left[t\right]},\hfill \\ d_t[t+1]=p_t[t+1]\oplus d_t\left[t\right]\oplus b[t+1]=0\oplus d_t\left[t\right]\oplus b[t+1]=\overline{d_o\left[t\right]}\oplus b[t+1]=\overline{d_o[t+1]},\hfill \\ \cdots \hfill \\ d_t\left[i\right]=p_t\left[i\right]\oplus d_t[i-1]\oplus b\left[i\right]=1\oplus d_o[i-1]\oplus b\left[i\right]=\overline{d_o\left[i\right]},\hfill \end{array}\right.$$

(18)

where $d_t[-1]=0$. According to Equation (18), one has

$$\left\{\begin{array}{cc}{d}_t\left[i\right]=d_o\left[i\right]\hfill & (0\le i<t),\hfill \\ d_t\left[i\right]=\overline{d_o\left[i\right]}\hfill & (t\le i\le (q^3-1\left)\right),\hfill \end{array}\right.$$

(19)

where $\overline{d_o\left[i\right]}$ denotes the bitwise NOT of $d_o\left[i\right]$. (3) Consider the second-scrambling stage. Take the output 1D bit encryption sequences ${\left\{d_o\left[i\right]\right\}}_{i=0}^{q^3-1}$ and ${\left\{d_t\left[i\right]\right\}}_{i=0}^{q^3-1}$ in the diffusion stage as the input 1D bit sequences in the second-scrambling stage, calculate $G\left(d_0\right)=\left({\sum }_{i=0}^{q^3-1}{d}_0\left[i\right]\right)$, $G\left(d_t\right)=\left({\sum }_{i=0}^{q^3-1}{d}_t\left[i\right]\right)$, respectively. If $t\%2=0$ in Equation (19) holds, then it follows that

$$G\left(d_t\right)\%2=G\left(d_0\right)\%2.$$

(20)

According to Equation (9) with Equation (20), it is noted that the same scrambling rule for ${\left\{d_o\left[i\right]\right\}}_{i=0}^{q^3-1}$ and ${\left\{d_t\left[i\right]\right\}}_{i=0}^{q^3-1}$ is used in the second-scrambling stage. By comparing the first equation $d_t\left[i\right]=d_o\left[i\right](0\le i<t)$ of Equation (19) with $e_k\left[i_l\right]=e_0\left[i_l\right](l=1,2,\cdots ,m_{k,0};i_l\in \{0,1,2,\cdots ,q^3-1\})$, it follows that $t=m_{k,0}$. Then, according to Equation (16), $T\left(k\right)=m_{k,0}$ holds. The proof is finished. □

Based on Proposition 1, one has $S_1(i_0,i_0,i_{\xi })=M(\xi ,\xi ,\xi )$, where $\xi \in \{0,1,2,\cdots ,q-1\}$ is the sequence value of chaotic index sequence $lx$, $i_{\xi }$ is the sequence number of $lx$. However, even though $\xi$ is given, since $S_1(i_0,i_0,i_{\xi })$ is the first-scrambling result of bit cube $M(\xi ,\xi ,\xi )$, but the scrambling rule $T(·)$ is unknown beforehand, the sequence numbers $i_0$ and $i_{\xi }$ cannot be directly available. Thus, Proposition 2 is needed to obtain the specific numbers $i_0$ and $i_{\xi }$.

Based on Proposition 2, suppose that the input plain image $M(l_1,l_2,l_3)$ is given by

$$M(l_1,l_2,l_3)=\left\{\begin{array}{cc}1,\hfill & \mathrm{if}{l}_1=l_2=l_3=\xi ,\hfill \\ 0,\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(21)

where $\xi \in \{0,1,\cdots ,q-1\}$. Based on Equation (15) with Equation (21), one has $k=\xi ·(q^2+q+1)$. Next, one obtains $m_{k,0}$ by a chosen plaintext attack. If $m_{k,0}\%2=0$ holds, then the same scrambling rule is used for $d_0$ and $d_t$ in the second-scrambling stage, such that $T\left(k\right)=m_{k,0}=t$. Finally, according to Equation (14), it follows that

$$\left\{\begin{array}{cc}\hfill & i_0=⌊t/q^2⌋=⌊T(\xi ·(q^2+q+1))/q^2⌋=⌊T\left(k\right)/q^2⌋=⌊m_{k,0}/q^2⌋,\hfill \\ \hfill & i_{\xi }=t\%q=T(\xi ·(q^2+q+1))\%q=T\left(k\right)\%q=m_{k,0}\%q.\hfill \end{array}\right.$$

(22)

An example of Proposition 2 is as in Figure 4. Figure 4a shows the ciphertext corresponding to the grayscale image lena. Figure 4b shows the corresponding ciphertext image after changing the bit at the bit-cube coordinates (6, 6, 6) of lena. Figure 4c is a bitwise exclusive or result between Figure 4a,b. Figure 4d is a bit statistical histogram of Figure 4c.

The difference between the two plaintexts is only 1 bit. It can be found from Figure 4d that the number of identical bits between their corresponding ciphertexts is 1,733,762, which is an even number. Substituting $m_{k,0}=1,733,762$, $\xi =6$, and $q=128$ into Equation (22) yields $i_0=105$ and $i_6=2$.

3.1.3. The Second Case for Analysis of Chaotic Index Sequence $lx$

If $m_{k,0}\%2\ne 0$, the above-mentioned method is no longer available, which needs to be further consideration.

Corollary 1.

Supposing that the cipher image corresponding to plain image $P_{k_1{k}_2}=P_{k_1}\oplus P_{k_2}(k_1\ne k_2)$ is $E_{k_1{k}_2}$, the 1D bit sequence corresponding to $E_{k_1{k}_2}$ is ${\left\{e_{k_1{k}_2}\left[i\right]\right\}}_{i=0}^{q^3-1}$, the cipher image corresponding to plain image $P_0$ is $E_0$, the 1D bit sequence corresponding to $E_0$ is ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$. A differential operation is performed in the form of ${\sum }_{i=0}^{q^3-1}\left(e_0\left[i\right]\oplus e_{k_1{k}_2}\left[i\right]\right)=m_{k_1{k}_2,0}$, in which $e_k\left[i_l\right]\ne e_0\left[i_l\right](l=1,2,\cdots ,m_{k_1{k}_2,0};i_l\in \{0,1,2,\cdots ,q^3-1\})$. If $m_{k_1{k}_2,0}\%2=0$, then $\left|T\left(k_1\right)-T\left(k_2\right)\right|=m_{k_1{k}_2,0}$ holds. In addition, if $\left|T\left(k_1\right)-T\left(k_2\right)\right|\%2=0$, then $m_{k_1{k}_2,0}=\left|T\left(k_1\right)-T\left(k_2\right)\right|$ also holds.

Corollary 2.

Suppose that the cipher image corresponding to plain image $P_{k_1{k}_2{k}_3}=P_{k_1}\oplus P_{k_2}\oplus P_{k_3}(k_1\ne k_2\ne k_3)$ is $E_{k_1{k}_2{k}_3}$, the 1D bit sequence corresponding to $E_{k_1{k}_2{k}_3}$ is ${\left\{e_{k_1{k}_2{k}_3}\left[i\right]\right\}}_{i=0}^{q^3-1}$, the cipher image corresponding to plain image $P_0$ is $E_0$, the 1D bit sequence corresponding to $E_0$ is ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$. A differential operation is performed in the form of ${\sum }_{i=0}^{q^3-1}\left(e_0\left[i\right]\oplus e_{k_1{k}_2{k}_3}\left[i\right]\right)=q^3-m_{k_1{k}_2{k}_3,0}$, in which $e_{k_1{k}_2{k}_3}\left[i_l\right]=e_0\left[i_l\right](l=1,2,\cdots ,m_{k_1{k}_2{k}_3,0};i_l\in \{0,1,2,\cdots ,q^3-1\})$, $q^3$ is an even number. If $(q^3-m_{k_1{k}_2{k}_3,0})\%2=q^3\%2-m_{k_1{k}_2{k}_3,0}\%2=m_{k_1{k}_2{k}_3,0}\%2=0$, then $T\left(k_1\right)+T\left(k_2\right)-T\left(k_3\right)=m_{k_1{k}_2{k}_3,0}$ holds, where $T\left(k_1\right)<T\left(k_3\right)<T\left(k_2\right)$ or $T\left(k_1\right)>T\left(k_3\right)>T\left(k_2\right)$. In addition, if $\left[T\left(k_1\right)+T\left(k_2\right)-T\left(k_3\right)\right]\%2=0$, then $m_{k_1{k}_2{k}_3,0}=T\left(k_1\right)+T\left(k_2\right)-T\left(k_3\right)$ also holds.

Suppose that the set of all sequence values corresponding to the chaotic index sequence $lx$ is $\mathsf{\Omega }=\{{\xi }_{i_1},{\xi }_{i_2},\cdots ,{\xi }_{i_{q/2}},{\xi }_{i_1^{\prime }}^{\prime },{\xi }_{i_2^{\prime }}^{\prime },\cdots ,{\xi }_{i_{q/2}^{\prime }}^{\prime }\}$. Let $\mathsf{\Psi }=\{{\xi }_{i_1},{\xi }_{i_2},\cdots ,{\xi }_{i_{q/2}}\}$ be the set of sequence value $\xi$ corresponding to sequence number $i_{\xi }$, where $i_{\xi }$ is obtained by using Equation (22). The relationship among $\xi ,k,t$ is $k=\xi (q^2+q+1)$ and $t=T\left(k\right)=T(\xi ·(q^2+q+1))$. For $\forall \xi \in \mathsf{\Psi }$, $m_{k,0}\%2=0$ and $t=m_{k,0}$ hold. Similarly, let ${\mathsf{\Psi }}^{\prime }=\left\{{\xi }_{i_1^{\prime }}^{\prime },{\xi }_{i_2^{\prime }}^{\prime },\cdots ,{\xi }_{i_{q/2}^{\prime }}^{\prime }\right\}$ be the set of sequence value ${\xi }^{\prime }$ corresponding to sequence number $i_{\xi }^{\prime }$. The relationship among ${\xi }^{\prime },k^{\prime },t^{\prime }$ is $k^{\prime }={\xi }^{\prime }·(q^2+q+1)$ and $t^{\prime }=T\left(k^{\prime }\right)=T({\xi }^{\prime }·(q^2+q+1))$. For $\forall {\xi }^{\prime }\in {\mathsf{\Psi }}^{\prime }$, $m_{k^{\prime },0}\%2=0$ and $t^{\prime }=m_{k^{\prime },0}$ do not hold.

When $\xi \in \mathsf{\Psi }$, one has $k=\xi (q^2+q+1)$ and $m_{k,0}\%2=0$, based on the Proposition 2, $t=m_{k,0}$ holds. According to Equation (22), the sequence number $i_{\xi }$ corresponding to sequence value $\xi$ is given by $i_{\xi }=t\%q$. However, when ${\xi }^{\prime }\in {\mathsf{\Psi }}^{\prime }$, one has $k^{\prime }={\xi }^{\prime }(q^2+q+1)$ and $m_{k^{\prime },0}\%2\ne 0$, the Proposition 2 is not available, $t^{\prime }=m_{k^{\prime },0}$ does not hold. Therefore, the sequence number $i_{{\xi }^{\prime }}^{\prime }$ corresponding to sequence value ${\xi }^{\prime }\in {\mathsf{\Psi }}^{\prime }$ cannot be determined by using Equation (22).

To further solve the above-mentioned problem, by selecting $k_1^{\prime },k_2^{\prime }(k_1^{\prime }\ne k_2^{\prime })$, one can obtain $m_{k_1^{\prime },0}$ corresponding to $k_1^{\prime }$, and $m_{k_2^{\prime },0}$ corresponding to $k_2^{\prime }$ by using chosen plaintext attack, which satisfies $m_{k_1^{\prime },0}\%2=1$ and $m_{k_2^{\prime },0}\%2=1$. Under this circumstance, although $T\left(k_1^{\prime }\right)$ and $T\left(k_2^{\prime }\right)$ are unknown, but according to the Proposition 2, $\forall k$ corresponding to $T\left(k\right)\%2=0$ can be found, so that the remained $\forall k^{\prime }$ satisfies $T\left(k_1^{\prime }\right)\%2=1$ and $T\left(k_2^{\prime }\right)\%2=1$, $|T\left(k_1^{\prime }\right)-T\left(k_2^{\prime }\right)|\%2=0$. According to the Corollary 1, it follows that

$$m_{k_1^{\prime }{k}_2^{\prime },0}=|T\left(k_1^{\prime }\right)-T\left(k_2^{\prime }\right)|=|t_1^{\prime }-t_2^{\prime }|.$$

(23)

According to the chosen plaintext attack, $m_{k_1^{\prime }{k}_2^{\prime },0}$ in Equation (23) can be obtained from the given ${\xi }_1^{\prime },{\xi }_2^{\prime }\in {\mathsf{\Psi }}^{\prime }$, where ${\xi }_1^{\prime }$ corresponding to $t_1^{\prime }$ satisfies $t_1^{\prime }=T\left({\xi }_1^{\prime }(q^2+q+1)\right)$, and ${\xi }_2^{\prime }$ corresponding to $t_2^{\prime }$ satisfies $t_2^{\prime }=T\left({\xi }_2^{\prime }(q^2+q+1)\right)$, respectively.

For the same $k_1^{\prime },k_2^{\prime }$, by selecting a suitable k such that $k=\xi (q^2+q+1)$, $m_{k,0}\%2=0$, one gets $\left[T\left(k_1^{\prime }\right)+T\left(k_2^{\prime }\right)-T\left(k\right)\right]\%2=0$. Then, according to the Corollary 2, it follows that

$$m_{k_1^{\prime }{k}_2^{\prime }k,0}=T\left(k_1^{\prime }\right)+T\left(k_2^{\prime }\right)-T\left(k\right)=t_1^{\prime }+t_2^{\prime }-t,$$

(24)

where $T\left(k_1^{\prime }\right)<T\left(k\right)<T\left(k_2^{\prime }\right)$ or $T\left(k_1^{\prime }\right)>T\left(k\right)>T\left(k_2^{\prime }\right)$, $t_1^{\prime }<t<t_2^{\prime }$ or $t_1^{\prime }>t>t_2^{\prime }$.

According to the chosen plaintext attack, $m_{k_1^{\prime }{k}_2^{\prime }k,0}$ in Equation (24) can be obtained from the given ${\xi }_1^{\prime },{\xi }_2^{\prime }\in {\mathsf{\Psi }}^{\prime }$ and $\xi \in \mathsf{\Psi }$, where ${\xi }_1^{\prime }$ corresponding to $t_1^{\prime }$ satisfies $t_1^{\prime }=T\left({\xi }_1^{\prime }(q^2+q+1)\right)$, ${\xi }_2^{\prime }$ corresponding to $t_2^{\prime }$ satisfies $t_2^{\prime }=T\left({\xi }_2^{\prime }(q^2+q+1)\right)$, $\xi$ corresponding to t satisfies $t=T\left(\xi (q^2+q+1)\right)=m_{k,0}$, in which $m_{k,0}$ is known by a chosen plaintext attack as well.

Note that one can also select $t_i^{\prime },t_{i+1}^{\prime },t(i=2,3,\cdots ,(q/2-1))$ in the same way, which is omitted here due to the limited length of the article.

According to Equations (23) and (24), four cases are given as follows:

(1)

If $t_1^{\prime }<t<t_2^{\prime }$, then one has

$$\left\{\begin{array}{c}{t}_2^{\prime }=(m_{k_1^{\prime }{k}_2^{\prime },0}+m_{k_1^{\prime }{k}_2^{\prime }k,0}+t)/2=A_1,\hfill \\ t_1^{\prime }=(-m_{k_1^{\prime }{k}_2^{\prime },0}+m_{k_1^{\prime }{k}_2^{\prime }k,0}+t)/2=B_1.\hfill \end{array}\right.$$

(25)

(2)

If $t_1^{\prime }>t>t_2^{\prime }$, then one has

$$\left\{\begin{array}{c}{t}_1^{\prime }=(m_{k_1^{\prime }{k}_2^{\prime },0}+m_{k_1^{\prime }{k}_2^{\prime }k,0}+t)/2=A_1,\hfill \\ t_2^{\prime }=(-m_{k_1^{\prime }{k}_2^{\prime },0}+m_{k_1^{\prime }{k}_2^{\prime }k,0}+t)/2=B_1.\hfill \end{array}\right.$$

(26)

(3)

If $t_2^{\prime }<t<t_3^{\prime }$, then one has

$$\left\{\begin{array}{c}{t}_3^{\prime }=(m_{k_2^{\prime }{k}_3^{\prime },0}+m_{k_2^{\prime }{k}_3^{\prime }k,0}+t)/2=A_2,\hfill \\ t_2^{\prime }=(-m_{k_2^{\prime }{k}_3^{\prime },0}+m_{k_2^{\prime }{k}_3^{\prime }k,0}+t)/2=B_2.\hfill \end{array}\right.$$

(27)

(4)

If $t_2^{\prime }>t>t_3^{\prime }$, then one has

$$\left\{\begin{array}{c}{t}_2^{\prime }=(m_{k_2^{\prime }{k}_3^{\prime },0}+m_{k_2^{\prime }{k}_3^{\prime }k,0}+t)/2=A_2,\hfill \\ t_3^{\prime }=(-m_{k_2^{\prime }{k}_3^{\prime },0}+m_{k_2^{\prime }{k}_3^{\prime }k,0}+t)/2=B_2.\hfill \end{array}\right.$$

(28)

Based on Equations (25)–(28), it follows that

$$\left\{\begin{array}{c}\{t_1^{\prime },t_2^{\prime }\}=\{A_1,B_1\},\hfill \\ \{t_2^{\prime },t_3^{\prime }\}=\{A_2,B_2\}.\hfill \end{array}\right.$$

(29)

Then, according to Equation (29), it follows that

$$\left\{\begin{array}{c}{t}_2^{\prime }=\{A_1,B_1\}\bigcap \{A_2,B_2\},\hfill \\ t_1^{\prime }=\{A_1,B_1\}-\left\{t_2^{\prime }\right\},\hfill \\ t_3^{\prime }=\{A_2,B_2\}-\left\{t_2^{\prime }\right\}.\hfill \end{array}\right.$$

(30)

Similarly, for $t_{i-1}^{\prime },t_i^{\prime },t$ and $t_i^{\prime },t_{i+1}^{\prime },t$, one has

$$\left\{\begin{array}{c}{t}_i^{\prime }=\{A_{i-1},B_{i-1}\}\bigcap \{A_i,B_i\},\hfill \\ t_{i-1}^{\prime }=\{A_{i-1},B_{i-1}\}-\left\{t_i^{\prime }\right\},\hfill \\ t_{i+1}^{\prime }=\{A_i,B_i\}-\left\{t_i^{\prime }\right\},\hfill \end{array}\right.$$

(31)

where $i=2,3,\cdots ,(q/2-1)$.

For any given ${\xi }_l^{\prime }\in {\mathsf{\Psi }}^{\prime }$ and $\xi \in \mathsf{\Psi }$, according to Equation (31), first, one can get the corresponding $t_l^{\prime }$. Then, the sequence number $i_{{\xi }_l^{\prime }}^{\prime }$ corresponding to the sequence value ${\xi }_l^{\prime }$ can be further obtained by using $t_l^{\prime }$, such that

$$\left\{\begin{array}{c}{i}_{{\xi }_l^{\prime }}^{\prime }=t_l^{\prime }\%q,\hfill \\ lx\left[i_{{\xi }_l^{\prime }}^{\prime }\right]={\xi }_l^{\prime },\hfill \end{array}\right.$$

(32)

where $l\in \{1,2,\cdots ,q/2\}$.

Finally, according to the Equations (22) and (32), one can determine all the sequence values $\xi \in \mathsf{\Psi }$, ${\xi }_l^{\prime }\in {\mathsf{\Psi }}^{\prime }$ and all the corresponding sequence numbers $i_{\xi }$, $i_{{\xi }^{\prime }}^{\prime }$ in Equation (2), so that the chaotic index sequence $lx$ can be completely deciphered.

3.2. Analysis of Secret Keys $\alpha$, $\beta$, $\gamma$

Proposition 3.

Under the condition that the chaotic index sequence $lx$ is obtained, for any $(l_1,l_2,l_3)\ne (l_1^{\prime },l_2^{\prime },l_3^{\prime })$, where $l_i,l_i^{\prime }\in \{0,1,2,\cdots ,q-1\}(i=1,2,3)$, if $L_1(l_1,l_2,l_3)=L_2(l_1,l_2,l_3)\ne 0$ and $L_2(l_1^{\prime },l_2^{\prime },l_3^{\prime })=L_3(l_1^{\prime },l_2^{\prime },l_3^{\prime })\ne 0$, then the secret keys $\alpha ,\beta ,\gamma$ can be uniquely determined.

Proof. 

According to Equation (3), if $L_1(l_1,l_2,l_3)=L_2(l_1,l_2,l_3)\ne 0$ and $L_2(l_1^{\prime },l_2^{\prime },l_3^{\prime })=L_3(l_1^{\prime },l_2^{\prime },l_3^{\prime })\ne 0$ for any $(l_1,l_2,l_3)\ne (l_1^{\prime },l_2^{\prime },l_3^{\prime })$, then it follows that

$$\left\{\begin{array}{c}\hfill L_1(l_1,l_2,l_3)=L_2(l_1,l_2,l_3)=c_{l_1}\times {{\chi }_1}^2+c_{l_2}\times {\chi }_1+c_{l_3}\ne 0,\\ \hfill L_2(l_1^{\prime },l_2^{\prime },l_3^{\prime })=L_3(l_1^{\prime },l_2^{\prime },l_3^{\prime })=c_{l_1^{\prime }}\times {{\chi }_2}^2+c_{l_2^{\prime }}\times {\chi }_2+c_{l_3^{\prime }}\ne 0,\end{array}\right.$$

(33)

where $c_{l_1},c_{l_2},c_{l_3}$ are sequence values of chaotic index sequence $lx$, ${\chi }_1\in \{\alpha ,\beta \}$, ${\chi }_2\in \{\beta ,\gamma \}$.

According to the first equation of Equation (33), one gets two solutions ${\chi }_1^{\left(1\right)},{\chi }_1^{\left(2\right)}$ for ${\chi }_1$. Similarly, according to the second equation of Equation (33), one gets two solutions ${\chi }_2^{\left(1\right)},{\chi }_2^{\left(2\right)}$ for ${\chi }_2$. Thus, there exists an intersection for the first equation and the second equation of Equation (33), given by $\beta =\{{\chi }_1^{\left(1\right)},{\chi }_1^{\left(2\right)}\}\bigcap \{{\chi }_2^{\left(1\right)},{\chi }_2^{\left(2\right)}\}$. Based on the deciphered secret key $\beta$, the remaining two secret keys $\alpha =\{{\chi }_1^{\left(1\right)},{\chi }_1^{\left(2\right)}\}-\left\{\beta \right\}$ and $\gamma =\{{\chi }_2^{\left(1\right)},{\chi }_2^{\left(2\right)}\}-\left\{\beta \right\}$ can further be deciphered as well.

If $L_1(l_1,l_2,l_3)=L_2(l_1,l_2,l_3)=0$ and $L_2(l_1^{\prime },l_2^{\prime },l_3^{\prime })=L_3(l_1^{\prime },l_2^{\prime },l_3^{\prime })=0$, then, an intersection for the first equation and the second equation of Equation (33) does not exist, so the secret keys $\alpha ,\beta ,\gamma$ cannot be obtained [39]. The proof is finished. □

3.3. Flowchart of Security Analysis

The flowchart of security analysis is shown in Figure 5.

4. Steps for Deciphering the Image Chaotic Encryption Algorithm

The steps for deciphering image chaotic encryption algorithm are as Algorithm 3.

Algorithm 3 Steps for Deciphering Image Chaotic Encryption Algorithm.

Output:    The equivalent secret keys $lx,\alpha ,\beta ,\gamma$; 1: According to the chosen plaintext attack, choose the plain image as $P_0$, the corresponding cipher image is $E_0$, the 1D bit sequence corresponding to $E_0$ is ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$. 2: According to the chosen plaintext attack, choose the plain image as $P_k$, the corresponding cipher image is $E_k$, the 1D bit sequence corresponding to $E_k$ is ${\left\{e_k\left[i\right]\right\}}_{i=0}^{q^3-1}$. where $k=\xi ·(q^2+q+1)$, $\xi \in \mathsf{\Psi }$. 3: According to the differential attack, calculate $m_{k,0}$ by using ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$ and ${\left\{e_k\left[i\right]\right\}}_{i=0}^{q^3-1}$ obtained in step 1 and step 2. 4: If $m_{k,0}\%2=0$, then $t=m_{k,0}$ holds. According to Equation (22), the sequence number corresponding to sequence value 0 is $i_0=⌊t/q^2⌋=⌊m_{k,0}/q^2⌋$, the sequence number corresponding to sequence value $\xi \in \mathsf{\Psi }$ is $i_{\xi }=t\%q=m_{k,0}\%q$. 5: If $m_k\%2=1$, then $t\ne m_{k,0}$ holds, Equation (22) is not available. According to the chosen plaintext attack, choose the plain image as $P_{k_1^{\prime }{k}_2^{\prime }}=P_{k_1^{\prime }}\oplus P_{k_2^{\prime }}$, the corresponding cipher image is $E_{k_1^{\prime }{k}_2^{\prime }}$, the 1D bit sequence corresponding to $E_{k_1^{\prime }{k}_2^{\prime }}$ is ${\left\{e_{k_1^{\prime }{k}_2^{\prime }}\left[i\right]\right\}}_{i=0}^{q^3-1}$. In addition, choose the plain image as $P_{k_1^{\prime }{k}_2^{\prime }k}=P_{k_1^{\prime }}\oplus P_{k_2^{\prime }}\oplus P_k$, the corresponding cipher image is $E_{k_1^{\prime }{k}_2^{\prime }k}$, the 1D bit sequence corresponding to $E_{k_1^{\prime }{k}_2^{\prime }k}$ is ${\left\{e_{k_1^{\prime }{k}_2^{\prime }k}\left[i\right]\right\}}_{i=0}^{q^3-1}$. 6: According to the differential attack, first calculate $m_{k_1^{\prime }{k}_2^{\prime },0}$ by using ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$ and ${\left\{e_{k_1^{\prime }{k}_2^{\prime }}\left[i\right]\right\}}_{i=0}^{q^3-1}$ obtained in step 1 and step 5. Then, calculate $m_{k_1^{\prime }{k}_2^{\prime }k,0}$ by using ${\left\{e_0\left[i\right]\right\}}_{i=0}^{q^3-1}$ and ${\left\{e_{k_1^{\prime }{k}_2^{\prime }k}\left[i\right]\right\}}_{i=0}^{q^3-1}$ obtained in step 1 and step 5. 7: According to Equation (32), calculate the sequence number $i_{{\xi }_i^{\prime }}^{\prime }=t_i^{\prime }\%q$ corresponding to sequence value ${\xi }_i^{\prime }\in {\mathsf{\Psi }}^{\prime }$. 8: Decipher the chaotic index sequence $lx$ by using Equation (22) and Equation (32). Then, decipher the secret keys $\alpha ,\beta ,\gamma$ according to the Proposition 3. 9: return$lx,\alpha ,\beta ,\gamma$;

Theoretical analysis and experimental results indicate that only a maximum of $2.5\times \sqrt[3]{w\times h}$ plain images are needed to decipher the chaotic index sequence $lx$, and only a maximum of six plain images are needed to decipher secret keys $\alpha ,\beta ,\gamma$. Therefore, only a maximum of $2.5\times \sqrt[3]{w\times h}+6$ is needed to crack the cipher image with $w\times h$ resolution.

5. Numerical Simulation Experiments

In the numerical simulation experiments, the secret keys are set as ${key}_0=0.34$, ${\mu }_0=3.9$, $\alpha =20$, $\beta =37$, $\gamma =46$, the image is with $512\times 512$ resolution. According to the steps for deciphering the image chaotic encryption algorithm given in Section 4, the deciphering algorithm of the origin cipher is implemented by the C program language. Simulations are operated under a laptop computer with Intel Core i7-8550U CPU (Santa Clara, CA, USA) 1.80 GHz, 8 GB RAM, the operating system is Microsoft Windows 10 (Redmond, WA, USA). Using the original algorithm to encrypt and use the algorithm proposed in this paper to crack an image with size of $512\times 512$ takes about 0.115 s and 10.702 s, respectively. Since the encryption process of the algorithm is independent of plaintext and ciphertext, the equivalent key obtained by deciphering any ciphertext image can be used to decipher all ciphertext images of the same resolution. Taking the standard 2D plain gray image Lena, Cameraman, Livingroom as three examples, the plain images, the cipher images, and the deciphered images are shown in Figure 6, respectively.

Although the previous analysis is for grayscale images, the original encryption algorithm can be easily extended to encrypt color images by encrypting each of the three channels of the color image as a separate grayscale image. In this case, the attack method proposed in this paper is still valid. Take a real-life image with $1024\times 2048$ resolution as an example. Encrypting this image using the original encryption algorithm, it takes about 0.53 s to encrypt the three color channels with the same key, and it takes about 107.36 s to decipher the corresponding ciphertext using the attack method proposed in this paper. Encrypting three color channels with three different sets of keys takes about 1.42 s, and it takes about 318.45 s to decipher the corresponding ciphertext. The results are shown in Figure 7.

6. Suggestions for Improvement

According to the analysis in Section 3, the original algorithm is insecure and cannot resist the choice of plaintext attack, and the complexity of the attack method is relatively low. To deal with its security defects, the corresponding suggestions for improvement to enhance the security are as follows:

(1) Enhance the sensitivity of the encryption algorithm to plaintext and ciphertext. According to the analysis in Section 3, the original algorithm has a universal equivalent key $lx,\alpha ,\beta ,\gamma$. The original algorithm is not sensitive to both plaintext and ciphertext. The root cause of this defect is that the generation of Latin cubes is independent of plaintext image. This vulnerability can be solved by introducing some statistical properties of plaintext, such as the sum of all pixel values, into the generation phase of the Latin cubes.

(2) The mechanism used in the diffusion phase is too simple to achieve the avalanche effect of cryptography, which makes the encryption algorithm vulnerable to differential attacks. To fulfill this demand, increasing the number of encryption rounds or exploiting some complex diffusion mechanisms are worthy options.

7. Conclusions

This paper investigates the security of a Latin-bit cube-based image chaotic encryption algorithm. The algorithm adopts a first-scrambling-diffusion-second-scrambling three-stage encryption scheme. Although the designer claims that the algorithm has passed various statistical tests, the security analysis results in this paper demonstrate that the algorithm has some security vulnerabilities. In particular, the generation of Latin cubes is independent of plain image, and the change in the number of bits in the cipher image follows the change of any one bit in the plain image with obvious regularity. Thus, the equivalent secret keys $lx,\alpha ,\beta ,\gamma$ can be cracked by a chosen plaintext attack and differential attack. Only a maximum of $2.5\times \sqrt[3]{w\times h}+6$ plain images are needed to decipher the equivalent secret keys. Theoretical analysis and numerical simulation experiment results verify the effectiveness of the analytical method.