CITY UNIVERSITY OF HONG KONG
A Study on Efficient Chaotic Image Encryption Schemes
Submitted to Department of Electronic Engineering in Partial
Fulfillment of the Requirements for the Degree of Master of
Philosophy
by
Kwok Sin Hung
September 2007
Abstract
With the advancement of mobile communication technologies, the use
of audio-visual information in addition to textual information has
become more prevalent than in the past. Cryptographic approaches are
therefore necessary for secure multimedia content storage and
distribution over open networks such as the Internet. A traditional
way to resist statistical and differential cryptanalyses is to employ
permutation and diffusion alternately. Recently, research on image
encryption using chaos theory has emerged. Some chaotic image
encryption schemes use a multi-dimensional chaotic map for pixel
permutation in the spatial domain while taking another
one-dimensional (1D) chaotic map for keystream generation in the
diffusion function. Various image encryption schemes under this
architecture have been proposed in the literature. There are still
two realization constraints of the above architecture which hinder
the system performance. First, the confusion and diffusion effects
are contributed solely by the permutation and the diffusion stage,
respectively. Consequently, more overall rounds than necessary are
required to achieve a certain level of security. Second, in the
diffusion stage in particular, a real-valued chaotic sequence is
commonly treated as a pseudo-random keystream. However, a
considerable computational load is spent on real-valued computation
and the subsequent integer quantization. In this thesis, the typical
structure of chaos-based image encryption schemes has been studied.
The concept of introducing a certain diffusion effect in the
confusion stage by simple sequential Add-and-then-shift operations is
proposed. The purpose is to mix the pixel values over the entire
image to achieve an effect similar to diffusion. The explicit
diffusion function then contributes the second level of diffusion,
which leads to fewer overall rounds and hence a faster encryption.
Moreover, a more efficient diffusion function using simple table
lookup techniques as a light-weight replacement for real-valued
chaotic maps is also suggested. Instead of floating point
computation, the diffusion process is accomplished by mutual lookup
of a static two-dimensional (2D) permutation table and a dynamic 2D
diffusion table. Both the position and the value of each permuted
image pixel are used to locate a secret mask. Eventually, each
permuted pixel value is added to the random mask drawn from the
table. Simulation results show that at a similar performance level,
the proposed cryptosystem requires around one-third the encryption
time of an existing cryptosystem. An effective acceleration of the
encryption speed is therefore achieved, which makes the scheme more
applicable to real-time image encryption.
Acknowledgements
First and foremost, I would like to express my
deepest gratitude to my supervisor, Dr. K.W. Wong for his patient
guidance and support during my research. Dr. Wong's kind
encouragement and insightful advice have helped me to overcome many
challenges and guided me to complete this thesis. In addition, I
sincerely appreciate the fruitful collaborations with my
colleagues, Mr C.W. Lee and Mr K.P. Man, in various research
projects. They have made my study life more enjoyable. I would
especially like to thank City University of Hong Kong for providing
financial support and an ideal environment for my research.
Finally, I am very grateful to my family for their great love,
support and understanding at all times, especially during the most
difficult periods of my research and thesis writing.
Contents
List of Figures
List of Tables
List of Symbols
List of Abbreviations
Chapter 1 Introduction
  1.1 Motivation and Objective
  1.2 Outline of the Thesis
Chapter 2 Fundamentals of Cryptography
  2.1 Background
  2.2 Private-key Cryptography
    2.2.1 The Encryption Process
    2.2.2 Typical Private-key Cryptosystems
    2.2.3 Brief Review on Some Existing Image Encryption Schemes
  2.3 Public-key Cryptography
    2.3.1 Principle of Public-key Encryption
    2.3.2 Typical Public-key Cryptosystems
  2.4 Summary
Chapter 3 Chaotic Cryptography
  3.1 Introduction to Chaotic Maps
    3.1.1 One-dimensional Chaotic Maps
    3.1.2 Two-dimensional Chaotic Maps
  3.2 The Important Properties of Chaotic Maps
    3.2.1 Sensitive Dependence on Initial Conditions
    3.2.2 Sensitive Dependence on System Parameters
    3.2.3 Ergodicity
  3.3 Relationship between Cryptosystems and Chaotic Systems
  3.4 Chaotic Encryption Schemes for Digital Images
    3.4.1 Review of Some Existing Chaotic Image Encryption Schemes
    3.4.2 Architecture of Generic Chaos-based Image Cryptosystems
    3.4.3 Other Issues in Chaos-based Image Cryptosystems
    3.4.4 Cryptanalysis of Chaos-based Image Cryptosystems
  3.5 Summary
Chapter 4 Chaotic Confusion Process for Image Encryption
  4.1 Overview of an Image Encryption Scheme Using 2D Standard Map
  4.2 Some Observations
  4.3 Modified Confusion Process with Pixel Value Mixing
    4.3.1 Investigation of Some Possible Operations on Pixel Value
    4.3.2 Encryption Procedure
    4.3.3 Decryption Procedure
    4.3.4 Hardware Implementation
  4.4 Security Analysis
    4.4.1 Histogram
    4.4.2 Key Space
    4.4.3 Differential Analysis with Time Performance
    4.4.4 Correlation Analysis of Two Adjacent Pixels
  4.5 Summary
Chapter 5 Efficient Image Diffusion Using Table Operations
  5.1 Diffusion Algorithms Based on 1D Logistic map
    5.1.1 Diffusion Techniques Based on XOR plus mod Operations
    5.1.2 Diffusion Techniques Based on XOR with Substitutions
  5.2 Practical Problems of the Algorithms
  5.3 The Proposed Cryptosystem
    5.3.1 Diffusion Based on Table Lookup and Entries Swapping
    5.3.2 The Overall Encryption Procedure
    5.3.3 Hardware Implementation
  5.4 Experimental Results and Analysis
    5.4.1 Diffusion Key Analysis
    5.4.2 Correlation Analysis of Two Adjacent Pixels
    5.4.3 NPCR & UACI Analyses
  5.5 Summary
Chapter 6 Conclusion and Further Developments
  6.1 Conclusion
  6.2 Further Developments
    6.2.1 Joint Compression-encryption Approach to Reduce Cipher Image Size
    6.2.2 Extension to Chaos-based Video Encryption
    6.2.3 Incorporation of Public-key with Private-key Schemes
References
List of Publications
List of Figures
Figure 2.1 The encryption process performed by Caesar cipher.
Figure 2.2 Private-key cryptography scenario.
Figure 2.3 Public-key cryptography scenario.
Figure 3.1 A plot of the tent map with parameter a = 3/4.
Figure 3.2 A plot of the logistic map with parameter b = 3.999.
Figure 3.3 An illustration of baker map in the unit square (a) before
action; (b) being stretched and (c) being folded.
Figure 3.4 An illustration of cat map in the unit square.
Figure 3.5 Cobweb diagram of logistic map with (a) x0=0.7, (b)
x0=0.700001.
Figure 3.6 Variation in trajectories of the logistic map due to minor
differences in system parameter b = 3.999999 and b = 3.999998.
Figure 3.7 A typical distribution of trajectory of the logistic map
after 104 iterations.
Figure 3.8 (a) plain image containing many areas with identical or
similar gray levels, and (b) its corresponding encrypted image by
Advanced Encryption Standard (AES) with both key size and block size
128-bit long running in the ECB mode.
Figure 3.9 (a) A test image of Lena; the resultant images (b) and (c)
after applying the discretized baker map once and nine times,
respectively, with N = (8, 8, 32, 64, 32, 32, 32, 32, 64, 64, 32, 64,
32, 8, 8).
Figure 3.10 The results of test image Lena (a) and (b) after applying
the discretized cat map once and nine times, respectively, with a = 5
and b = 9.
Figure 3.11 The results of test image Lena (a) and (b) after applying
the discretized standard map once and nine times, respectively, with
k = 1750.
Figure 3.12 A generic architecture of image encryption systems based
on 2D chaotic permutations.
Figure 3.13 An illustration of key generation and distribution
proposed in [9].
Figure 4.1 The chaotic image cryptosystem proposed by Lian et al. in
[9].
Figure 4.2 Plaintext sensitivity test: (a) original image, (b) and
(c) cipher images (m=n=2) whose corresponding plain images have one
pixel difference only; (d) difference between cipher images (b) and
(c) in gray scale (upper) and binary colour (lower); (e) and (f)
cipher images (m=n=4) with the same corresponding plain images as (b)
and (c), respectively; (g) difference between cipher images (e) and
(f) in gray level.
Figure 4.3 Architecture of the proposed chaotic image cryptosystem.
Figure 4.4 An illustration of Add-and-then-shift operation on pixels
in permutation.
Figure 4.5 The proposed hardware configuration.
Figure 4.6 Main modules of the proposed hardware implementation: (a)
Standard Map Computation Unit; (b) Add-and-then-shift Unit and (c)
Logistic Map Computation Unit.
Figure 4.7 (a) Plain Lena image; (b) Histogram of the plain image;
(c) Intermediate cipher image using Lian et al.'s confusion; (d)
Histogram of the intermediate cipher image shown in (c); (e)
Intermediate cipher image using the proposed confusion; (f) Histogram
of the intermediate cipher image given in (e).
Figure 4.8 (a) Plain Cameraman image; (b) and (c) cipher images whose
corresponding plain images have one pixel difference only; (d)
difference between cipher images shown in (b) and (c).
Figure 4.9 Performance of the proposed and Lian et al.'s
cryptosystems in terms of (a) number of pixels change rate (NPCR);
and (b) unified average changing intensity (UACI) at different
overall rounds (m) with 4 permutation rounds in each confusion stage
(n = 4).
Figure 4.10 Correlation analyses of two horizontally adjacent pixels
in (a) the plain Peppers image; (b) the cipher image obtained using
the proposed scheme.
Figure 5.1 A plot of pixel value and mask value using the diffusion
method employed in [9].
Figure 5.2 Diffusion performance on plain-image: (a) 256 × 256
Cameraman image; (b) and (c) diffused image by 1 round of Algorithm
5.1.1 and 5.1.2, respectively; (d) and (e) diffused image by 9 rounds
of Algorithm 5.1.1 and 5.1.2, respectively; (f) and (g) Histograms of
results in (d) and (e), respectively.
Figure 5.3 Diffusion performance on plain-image: (a) 512 × 512 Elaine
image; (b) and (c) diffused image by 1 round of Algorithm 5.1.1 and
5.1.2, respectively; (d) and (e) diffused image by 9 rounds of
Algorithm 5.1.1 and 5.1.2, respectively; (f) and (g) Histograms of
results in (d) and (e), respectively.
Figure 5.4 An illustration of encoding method for Pi-1 and Ci-1.
Figure 5.5 A block diagram of table lookup based on information of
pixel position permutation.
Figure 5.6 Graphical representation of swapping entries (s,t) and
(x4,y4).
Figure 5.7 An illustration of the dynamic update of the 2D lookup
table.
Figure 5.8 Flowchart of the proposed diffusion algorithm.
Figure 5.9 Architecture of the proposed chaos-based image
cryptosystem.
Figure 5.10 The proposed hardware configuration.
Figure 5.11 Main modules of the proposed hardware implementation: (a)
Standard Map Computation Unit and (b) 2D Table Operation Unit.
Figure 5.12 Performance of diffusion function collaborated with
different 2D chaotic maps (a) - (c) permutated image using baker map,
cat map and standard map, respectively; (d) - (f) completely
encrypted images of images (a) - (c) after diffusion process,
respectively; (g) - (i) histograms of images (d) - (f).
Figure 5.13 Key sensitivity test 1: (a) plain-image; (b) encrypted
image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 90); (c)
encrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 91);
(d) difference image.
Figure 5.14 Key sensitivity test 2: (a) plain-image; (b) encrypted
image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 90); (c)
decrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 90);
(d) decrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol =
91).
Figure 5.15 Correlations of two horizontally adjacent pixels in (a)
the plain Lena image; (b) the encrypted image by the proposed scheme
(m=2, n=1).
List of Tables
Table 3.1 A comparison of some features characterized by chaotic
systems and traditional cryptosystems.
Table 3.2 Comparison of the parameter space of baker map, cat map and
standard map after discretization.
Table 4.1 Percentage of pixel change on different test images with
overall rounds m=n=2 and m=n=4.
Table 4.2 Time required to perform Algorithms 4.3.1 (a) - (f).
Table 4.3 Test on permuting Lena image with Algorithms 4.3.1 (a) -
(f) (MN: Mean; SD: Standard Deviation; MDN: Median).
Table 4.4 Test on permuting homogenous black square with Algorithms
4.3.1 (a) - (f) (MN: Mean; SD: Standard Deviation; MDN: Median).
Table 4.5 Test on permuting homogenous white square with Algorithms
4.3.1 (a) - (f) (MN: Mean; SD: Standard Deviation; MDN: Median).
Table 4.6 Probability of no shift on some test images.
Table 4.7 Execution time and performance indices NPCR and UACI of the
proposed and Lian et al.'s schemes, for some selected values of m and
n.
Table 4.8 Correlation coefficients of adjacent pixels of different
images.
Table 5.1 Time required for different diffusion algorithms to process
an image of size 512 × 512.
Table 5.2 Content of the proposed 2D Diffusion table: (a) initial
state (b) updated after processing the entire image.
Table 5.3 The configuration and results of key sensitivity test.
Table 5.4 Correlation coefficients of adjacent pixels in two images.
Table 5.5 Encryption time and performance indices NPCR and UACI of
the proposed, Chen et al.'s and Lian et al.'s scheme, for some
selected values of m and n.
List of Symbols
> left shift right shift exclusive-or scalar
multiplication modulus operator closed interval between a and b
N-tuple of n members list of elements ai with i being the index
selected pre-image of a plain image P value of ith pixel in a
cipher image C inverse of function E number of pixels N in one row
ranged from 0 to N-1 value of ith pixel in a plain image P Real
number domain value of the 1D chaotic map iteration at the nth
cycle random scan couple 1D vector with elements s and t absolute
value of number x upper bound of the logistic map lower bound of
the logistic map
mod [a, b] (a1 , a 2 ,L , a n ) {ai}C
Ci E-1
N 0N 1
Pi R
n(rx, ry) s t |x| Xmax Xmin
List of Abbreviations
AES    Advanced Encryption Scheme
CBC    Cipher Block Chaining Mode
CFB    Cipher Feedback Mode
CKBA   Chaotic Key-based Algorithm
DCT    Discrete Cosine Transform
DES    Data Encryption Scheme
ECB    Electronic Code Book Mode
ECC    Elliptic Curve Cryptography
ECDH   Elliptic Curve Diffie-Hellman Protocol
ECDLP  Elliptic Curve Discrete Logarithm Problem
HCIE   Hierarchical Chaotic Image Encryption
IDEA   International Data Encryption Algorithm
IFP    Integer Factorization Problem
KDC    Key Distribution Center
LFSR   Linear Feedback Shift Register
MDN    Median
MN     Mean
NIST   National Institute of Standards and Technology
NPCR   Number of Pixels Change Rate
OFB    Output Feedback
PGP    Pretty Good Privacy
RSA    Rivest-Shamir-Adleman
SD     Standard Deviation
UACI   Unified Average Changing Intensity
XNOR   Bitwise Exclusive-NOR
XOR    Bitwise Exclusive-OR
Chapter 1
Introduction
1.1 Motivation and Objective
In recent years, audio-visual information sharing has become more
prevalent with the rapid development of the Internet. Real-time
multimedia applications are also made possible by the advancement of
mobile communication technologies. However, in open networks, there
is a potential risk of making sensitive information such as military
and medical images vulnerable to unauthorized interception. The
development of robust cryptographic schemes is thus essential to the
provision of multimedia security. For textual information, this need
can be met by the direct application of many well-established
encryption schemes such as Data Encryption Scheme (DES) [1],
International Data Encryption Algorithm (IDEA) [2] and Advanced
Encryption Scheme (AES) [3]. However, the case of multimedia
information in real-time communication is different and is hard to
handle with traditional schemes. This is because the intrinsic
properties of audio-visual information, such as bulk data capacity,
strong pixel correlation and high redundancy, lower the encryption
performance. Since traditional encryption schemes do not fit modern
multimedia requirements, much research has been devoted to
investigating better solutions for image and video encryption. In
particular, the application of chaos theory to multimedia encryption
is one of the important research directions. The field of chaotic
cryptography has undergone tremendous growth over the past few
decades. The primary motivation for employing chaotic systems is
their simplicity in form and complexity in dynamics. According to the
classification of chaotic systems, the security applications of chaos
can be divided into analog chaotic secure communications utilizing
continuous dynamical systems [4, 5] and digital chaotic cryptosystems
utilizing discrete dynamical systems [6 - 8]. With today's computer
technology, realizing chaos in the digital domain is more vital to
security applications running on finite-precision machines. In
response to the aforementioned challenges in protecting multimedia
content, the objective of this research work is specifically oriented
towards analyzing chaos-based image encryption schemes. Many existing
schemes in this category are found to achieve merely moderate or even
low security. Only a few of them [9 - 11] promise to achieve
sufficient security, but without maintaining a satisfactory speed
performance. Our work is to modify and optimize some existing chaotic
image encryption schemes so as to raise their efficiency to the level
required for real-time operation. In this regard, two efficiency
enhancement measures have been proposed for the main components of
typical chaos-based image cryptosystems: the chaotic confusion and
pixel diffusion processes. The superior results of the numerical and
security analyses justify the feasibility of the proposed schemes in
a real-time communication environment.
1.2 Outline of the Thesis
Chapter 2 covers the fundamentals and terminology of cryptography,
including the issues of private-key cryptography and public-key
cryptography. Note that the chaotic image encryption schemes under
study fall into the category of private-key cryptosystems. In order
to give a clear background for the remaining chapters, the types of
ciphers and modes of operation in private-key cryptosystems will be
explicitly highlighted. In addition, some modern cryptographic
standards such as DES, AES and RSA will be discussed. Chapter 3 gives
an overview of chaotic cryptography. The illustration of chaos theory
will start with some widely studied one-dimensional (1D) and
two-dimensional (2D) chaotic maps. Given the background on chaotic
properties, the similarities and differences between chaotic maps and
cryptosystems will then be analyzed. Based on the relationships thus
established, a more detailed description of existing chaotic image
encryption schemes will be given, together with design considerations
and a list of particular cryptanalyses. Chapter 4 presents a modified
approach to the confusion process in typical chaotic image
cryptosystems through a special review of an image encryption scheme
using the 2D chaotic standard map. The principle of this approach,
including the encryption and decryption procedures, will be explained
in detail. The security evaluation of the proposed scheme will be
provided after the design principle. In Chapter 5, our attention
turns to the effectiveness of the diffusion process, which is another
important component in image cryptosystems. The goal is to
investigate a light-weight replacement for this process, which
commonly requires real-valued computation and subsequent integer
quantization. The problems will be elaborated with two practical
examples of existing schemes based on the 1D logistic map. With
suitable use of table lookup techniques, a new diffusion approach
will be proposed. The corresponding image encryption scheme together
with security considerations will be provided.
Finally, we conclude our work in this thesis and give some remarks on
future research in Chapter 6.
Chapter 2
Fundamentals of Cryptography
In this chapter, the basic
principles of cryptography will be introduced as a foundation for
the remaining chapters of this thesis. In Section 2.1, the
background of cryptography and some terminologies will be covered.
The issues of private-key cryptography will be presented in Section
2.2, while the introduction of public-key cryptography will be
provided in Section 2.3. A summary will finally be given in Section
2.4.
2.1 Background
Confidential communication has long been a common practice in social
life. However, when information is communicated electronically, it is
exposed in the public domain and interception becomes unavoidable.
Cryptography is a scientific approach to meeting the demand for
security. The term cryptosystem, also called cipher, is often used in
cryptography; intuitively, it refers to an encryption system. The
central idea of encryption is to transform a message so that its
original information can only be reconstructed by a designated
recipient. By definition, a message in its original form is known as
plaintext P and the information concealed in an unintelligible form
is known as ciphertext C. The encryption process consists of an
algorithm and a key. It is generally described as C = E(P, ke), where
ke is the encryption key and E( ) is the encryption algorithm. The
ciphertext C can therefore be transmitted over public channels
without exposing the information it represents. Similarly, the
corresponding decryption process is the reverse of encryption: it
uses the ciphertext C and the decryption key kd to reconstruct the
original plaintext, P = D(C, kd), where D( ) = E^{-1}( ). The
principle of the encryption process is depicted in Figure 2.1. As an
illustration, the Caesar cipher is chosen, which is the simplest and
most classical cipher, attributed to Julius Caesar [12].
Figure 2.1 The encryption process performed by Caesar cipher:
plaintext P (e.g. CITYU) is encrypted with encryption key ke=3 into
ciphertext C (e.g. FLWBX), sent over the public channel, and
decrypted with decryption key kd=3 back into plaintext P (e.g.
CITYU).
In this example, the encryption algorithm shifts each plain letter
forward by ke letter positions, while the decryption algorithm is
similar but shifts in the reverse direction by kd letter positions.
The keys ke and kd in this example are predefined as 3. For instance,
the letter A is replaced by D, the letter B is replaced by E and
consequently CITYU is replaced by FLWBX. In this way, a confidential
communication between the sender and the receiver can be realized.
Obviously, it is possible to complicate the encryption algorithm by
incorporating additional operations such as replacing each letter by
another letter or by multiple letters. Such an approach is known as
substitution, and examples of early substitution ciphers include the
Affine cipher, Vigenere cipher and Playfair cipher [13]. Indeed, the
substitution-based approach is still employed in many modern complex
cryptosystems to be presented in Section 2.2. According to
Kerckhoffs' principle of secure cryptosystems [14], the security
should depend on the secrecy of the key, not the secrecy of the
encryption/decryption algorithm that was used. In other words, it is
assumed that the algorithm is publicly known, yet decryption of a
message is infeasible on the basis of the ciphertext together with
knowledge of the algorithm. Shannon pointed out two fundamental
operations required for cipher design, namely confusion and diffusion
[15]. The former refers to a transformation which obscures the
statistical dependence between the plaintext and the ciphertext, so
that attempts at key discovery are frustrated. This can be achieved
by using complex substitution algorithms. The latter means
dissipating the statistical structure of the plaintext by spreading
it out over the ciphertext. That is, every ciphertext block is
affected by many (ideally all) plaintext blocks. With respect to the
relationship between the cryptographic keys ke and kd, two important
classes of cryptography are derived: private-key cryptography and
public-key cryptography. For a private-key cryptosystem, ke and kd
are either the same or one can easily be deduced from the other,
whereas a pair of separate keys is required in a public-key
cryptosystem, i.e. ke ≠ kd. Typically, it is also impractical to seek
a relationship between the keys without the knowledge of some
additional information. In today's information security, both
branches of cryptosystems are of significant importance and neither
can substitute for the other. A more detailed discussion of these two
kinds of cryptosystem will be given in the following sections.
2.2 Private-key Cryptography
In brief, the principle of
private-key cryptography, as shown in Figure 2.2, is based on the
fact that the sender and receiver agree on a common secret key k
before they can communicate securely. Similar to the generic
encryption model described in Figure 2.1, the ciphertext C is
unintelligible without the aid of the secret key k. Such an
unintelligible piece of information can finally be transformed back
into the original plaintext P by the receiver possessing the same
key. However, it should be stressed that a secure channel between
the parties for key agreement is critical but inconvenient to
provide in practice. This is referred to as the key distribution
problem. As a remedy, a key distribution center (KDC) together with
some associated protocols is suggested for the secret key
establishment.
[Figure 2.2 labels: Sender, plaintext P, Encryption, ciphertext C over the public channel, Decryption, recovered plaintext P, Receiver; secret key k shared over a secure channel.]
Figure 2.2 Private-key cryptography scenario.
2.2.1 The Encryption Process
Information is represented by a
sequence of bits for storage and manipulation. In private-key
cryptography, the structure of ciphers can generally be divided
into two types, namely, block cipher and stream cipher.
i. Block cipher
In the course of block encryption, a
fixed-length block of bits is operated on at a time. Each block is
encrypted into another block of the same size. The block
size determines the security and complexity of the cipher. For a
simple block cipher, each plaintext block is usually processed
independently with the same key. In addition, a short last block of
plaintext needs to be padded with zero bits. This
way of operating the cipher is called Electronic Code Book (ECB) mode
[16]. In ECB mode, repeated plaintext blocks are transformed into the
same ciphertext blocks. ECB mode is therefore particularly
insecure for highly structured plaintext. To overcome this
problem, three other modes of operation, namely, Cipher Block
Chaining (CBC), Cipher Feedback (CFB) and Output Feedback (OFB) are
defined. In CBC mode, each plaintext block being encrypted will
perform Exclusive-OR (XOR) operation with its previous ciphertext
block. This overcomes the problem of ECB mode by the fact that the
same plaintext blocks turn out with different ciphertext blocks. On
the other hand, the plaintext blocks are linked together in the
encryption operation. Under this circumstance, a single bit change
in one plaintext block will propagate to the corresponding
ciphertext block and all subsequent ciphertext blocks. Because of
its added security, CBC is the most commonly used block cipher
mode. The same effect can also be achieved by the CFB mode. With
CFB mode, a shift register is required in such a way that its
content, together with a certain number, say j, of bits of the
previous ciphertext, serves as the encryption input. The output of
the encryption function appears to be pseudorandom and is then XORed
with j bits of plaintext. The difference between OFB mode and CFB mode
is that the shift register in OFB is fed with the
previous output of the encryption function instead of the ciphertext.
The length of j in CFB and OFB modes can be any value up to the
block size. Compared with CBC mode, it is possible to encrypt data
in units smaller than the block size of the ciphers in CFB and OFB
modes.
ii. Stream cipher
In contrast to block ciphers, which operate on
large plaintext blocks, stream ciphers operate on smaller units of
data at a time. Typically, a random bit stream is required to serve
as a keystream. It is then XORed with the plaintext stream to
accomplish the encryption process. The keystream can generally
be produced by two types of generators, namely, synchronous and
self-synchronous. In the former, the keystream generated is
independent of the plaintext stream. A bit lost in transmitting the
ciphertext stream will cause a problem in decryption. When this
happens, the keystream must be resynchronized for correct
decryption. Compared with its synchronous counterpart, the basic
difference of a self-synchronous stream cipher is that the keystream
is computed from knowledge of the previous n ciphertext bits. If a
bit is lost in transmission, such a keystream will
resynchronize itself after a sufficient number of correct
ciphertext bits has been received. This can be easily realized by the
use of a linear
feedback shift register (LFSR) [12]. Owing to its simplicity, the
encryption speed of stream ciphers is faster than that of block
ciphers. They are more applicable for telecommunications and
real-time data transmission such as video streaming.
2.2.2 Typical Private-key Cryptosystems
All of the notably known
private-key cryptosystems exhibit the cryptographic properties
desired in a block cipher. Some of them have become the
cryptographic standards in the past few decades. In this
sub-section, three typical cryptosystems will briefly be
covered.
i. Data Encryption Standard
Data Encryption Standard (DES) [1]
was developed by IBM researchers and was adopted by the
National Institute of Standards and Technology (NIST) in 1977. As a
private-key block cipher, DES operates on 64-bit blocks of
plaintext, while the block encryption is governed by a 56-bit key.
Aiming at achieving the confusion and diffusion properties, DES
adopts a Feistel cipher-like implementation which iteratively
performs 16 rounds of substitution and permutation transformations
called S-boxes and P-boxes, respectively. In this case, a key
schedule is specified to generate the 16 sub-keys, one used in each
round. However, people have recognized that the key space of DES is
insufficient to
resist brute-force attacks using today's powerful
computers. Other than brute-force attacks, differential
cryptanalysis [17] and linear cryptanalysis [18] were also
carried out successfully in the early 1990s by investigating some
specific plaintext-ciphertext pairs of DES.
ii. International Data Encryption Algorithm
In 1990, Lai and
Massey proposed the International Data Encryption Algorithm (IDEA)
cryptosystem, which is designed to be stronger against differential
cryptanalysis than DES [2]. The security relies on employing a
128-bit secret key and interleaving groups of operations such as
modular addition and multiplication. It is adopted as a message
encryption algorithm in a hybrid encryption package called Pretty
Good Privacy (PGP). However, the patent practice and
commercialization of IDEA greatly limit its deployment in the
community.
iii. Advanced Encryption Standard
Since security deficits
were found in DES, the need for a stronger alternative was
officially declared by NIST. After a call for proposals, a Belgian
cipher, Rijndael [19], was eventually adopted in 2001 as the Advanced
Encryption Standard (AES), the successor of DES. It is also
an iterated block cipher with a scalable key length which can be
128, 192 or 256 bits. In the core of the AES algorithm, there is no
Feistel cipher-like structure. Instead, the entire block of input
data can be processed in parallel and intertwined with operations
such as substitutions, row shifting, column mixing and round key
additions. In this regard, the new AES with an expanded key length
has many potential advantages over other block ciphers by offering
a more secure and faster implementation. Many recent security
applications have been migrated to meet this new standard.
2.2.3 Brief Review on Some Existing Image Encryption Schemes
In
general, the confidentiality of multimedia data such as digital
images and video can be safeguarded by means of private-key
cryptography. The techniques mentioned in the previous sub-section
are considered general-purpose encryption methods. Besides, some
encryption techniques particularly dedicated to images form
the basis for video encryption. As an extension of the related
topics, a few advanced private-key image encryption techniques will
be covered in the following.
i. Selective Bitplane Encryption
To achieve fast encryption,
image encryption schemes are often designed not to encrypt the
entire image, but only a portion of it. In this way, the
amount of computation is reduced, and this approach is regarded as
selective image encryption [20]. Gray level images are usually
composed of eight bitplanes. The higher-order bitplanes contain the
majority of the visually significant and strongly correlated data of
the plain image, whereas the remaining ones contribute more subtle
details of the image. Based on this observation, a selective
bitplane encryption scheme is proposed [21]. AES is selected as the
encryption function in this scheme. Undoubtedly, the underlying
security is subject to the portions of bitplane to be encrypted.
From the experiments, it is not suggested to encrypt merely the
most significant bitplane, which can be reconstructed from the
unencrypted residual bitplanes. However, there seems to be no
convincing method to determine the portions of the bitplanes to
encrypt.
ii. SCAN-based Image Encryption
A formal language (SCAN) is
intended to describe and generate a multitude of two-dimensional (2D)
spatial accessing orders from a short set of simple ones [22]. It was
first employed for image encryption in [23]. The plain image is
initially serialized into a one-dimensional data stream which is then
described by the SCAN language. Several scanning orders are
expressed as the corresponding SCAN
letters. Different SCAN strings (combinations of SCAN letters)
form different kinds of secret images. The SCAN string serves as
an encryption key bound to a given 2D image array. The encryption
procedure is to rearrange the image into a final sequential
representation. Each assembled secret image in process of SCAN
string is combined by the insertion of additive noises at
particular image points. Since no one except the intended user can
obtain the correct SCAN combinations, the original image is
therefore considered confidential.
iii. Embedding Image Compression into Encryption
The
abovementioned schemes are devoted to uncompressed image data.
For compressed images, some special measures are required before
strictly combining encryption and compression directly. In [24], a
framework is proposed for fast encryption by entropy encoders such
as the Huffman coder. In entropy coding, the statistical model is used
to decode the compressed bit stream. It is therefore suggested that
multiple statistical models are used alternately in a certain secret
order to encode the input symbol stream. Through security analyses,
the proposed scheme is proved to apply effectively to both
multiple Huffman coding tables of the Huffman coder and multiple state
indices of the QM coder. However, it should be noted that the original
image can be correctly reconstructed only if its input is identical
to the output of the encoder. There is also a concern about the codec
dependence of this kind of scheme [25]. Nevertheless, the potential
for integrating encryption with multimedia compression at a low
computational cost is promising.
iv. Chaotic Image Encryption
Recently, a widely studied approach
to image encryption is based on chaos theory, which is well
established and simple but has complicated dynamics. In [26], a
symmetric encryption scheme based on two-dimensional chaotic maps
is proposed. A two or higher dimensional discretized chaotic map is
adopted for pixel permutation together with another one-dimensional
(1-D) map for diffusion. The advantages of such
chaos-based approaches are mainly a relatively
large block size and a high encryption rate. More detailed
investigations on chaotic image encryption schemes will be
discussed in the following chapters.
2.3 Public-key Cryptography
Apparently, key establishment
protocol and KDC server can be utilized to deal with the key
distribution problem caused by private-key cryptography. However,
due to the requirement of online presence of KDC, the server
becomes a single point of failure once it goes down in the network.
The approach of centralization is probably not a complete solution
to key distribution problem. The true solution was not available
until the proposal of public-key cryptography introduced by Diffie
and Hellman in 1976 [27]. In the following, the idea of public-key
cryptography will be explained.
2.3.1 Principle of Public-key Encryption
Unlike private-key
cryptography, secret keys are not shared via a secure channel.
Instead, each party has a pair of keys, called private key and
public key. Typically, the public key for encryption is announced
openly, while the private key for decryption is kept strictly
secret. More importantly, it is computationally infeasible to
derive the private key from the corresponding public key. Thus, all
communications involve public key only, but not private key. The
communication model of public-key cryptography is illustrated in
Figure 2.3. Initially, each concerned party is associated with a
key pair in the form of , denoted by for the sender and for the
receiver. The public keys of both parties are assumed to be
publicly accessible to all parties throughout their
communication.
[Figure 2.3 labels: Sender, plaintext P, Encryption with the receiver's public key Krecv, ciphertext C over the public channel, Decryption with the receiver's private key krecv, recovered plaintext P, Receiver.]
Figure 2.3 Public-key cryptography scenario.
To establish a confidential communication as shown in Figure
2.3, the sender first encrypts the plaintext P using the receiver's
public key and obtains the ciphertext C = E(P, Krecv), where E( ) is
the encryption function. When C is available at the receiver side,
it is decrypted by the receiver using its private key and
transformed back into the original plaintext P = D(C, krecv), where
D( ) is the decryption function. For eavesdroppers who sniffed the
key Krecv and the encrypted message C, it is still insufficient to
determine the original message as long as no one, except the
receiver, has the knowledge of krecv. The ciphertext C can be
transmitted publicly without exposing the information it
represents. Since krecv is never disclosed over
public channels, a public-key cryptosystem is said to be free from
the key distribution problem. In addition, it also provides some
significant cryptographic functions for data origin authentication
in digital signatures, non-repudiation services and session key
distribution services in an efficient way. Mathematically, the
arrangement of a key pair can be described as a one-way trapdoor
function. Such a function is easy to compute in one
direction, but its reverse is infeasible without the presence of
some additional information. Very often, the encryption function
controlled by the public key acts as a one-way function, while the
private key forms a decryption trapdoor. In other words, the
security of a public-key cryptosystem is entirely related to its
underlying mathematical problem of computing a private key from the
matched public key. The more complex the mathematical problem, the
more secure the cryptosystem. Although no function has been proved
to be an absolute one-way trapdoor function,
some known mathematical problems are considered to be
computationally hard in the scope of current computing means.
Examples are the Integer Factorization Problem (IFP) and the
Elliptic Curve Discrete Logarithm Problem (ECDLP). The mathematical
basis of public-key cryptosystems will be explored in the next
sub-section.
2.3.2 Typical Public-key Cryptosystems
i. RSA
RSA [28] was developed by three MIT researchers, Rivest,
Shamir and Adleman, shortly after the discovery of public-key
cryptography. It relies on discrete logarithm and factorization of
large prime numbers. To get the scheme started, a pair of keys is
initiated by choosing large prime numbers p and q,
say of 100 digits, and then multiplying them together to get the
product n, i.e. n = pq. The sender determines numbers e and d such
that
$$ed = 1 \pmod{(p-1)(q-1)}, \tag{2.1}$$
where e is relatively prime to $(p-1)(q-1)$ and d is the
multiplicative inverse of e modulo $(p-1)(q-1)$. In this way, the
public key, denoted by e, n, is publicly issued, while the private
key, denoted by d, p, q, is kept secret. In RSA, the plaintext is
encrypted block by block. It is divided into k-bit blocks where
$2^k < n$. The encryption and decryption are formulated by Eqs. (2.2)
and (2.3), respectively:
$$C = P^e \pmod{n}, \tag{2.2}$$
$$P = C^d = (P^e)^d = P^{k(p-1)(q-1)+1} = P \pmod{n}, \text{ by Euler's Theorem}, \tag{2.3}$$
where P is the plaintext block, C is the ciphertext block and k is an
integer. The integer factorization problem assumed here is that,
given only n, it is not computationally feasible to find
$(p-1)(q-1)$ without knowledge of p and q. Over
decades, the factorization problem has been challenged by many
trial attacks
such as Number Field Sieve (NFS). As of today, 512-bit RSA keys,
which were formerly considered adequate for use, are now
questionable.
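The key set-up and block-wise encryption of Eqs. (2.1) to (2.3), worked through as an added example that is not part of the thesis. The primes, exponent, message and all function names are constructed for illustration; the last function shows why a small modulus gives no protection once n can be factored.

```python
# Added example: textbook RSA with toy parameters, following Eqs. (2.1)-(2.3).
# Not secure: the modulus is tiny and no padding scheme is applied.
from math import gcd, isqrt


def make_keys(p, q, e):
    """Return ((e, n), (d, p, q)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # Eq. (2.1): e*d = 1 (mod (p-1)(q-1))
    return (e, n), (d, p, q)


def block_bits(n):
    """Largest k with 2**k < n, so every k-bit block P satisfies P < n."""
    return (n - 1).bit_length() - 1


def to_blocks(data, k):
    """Split a byte string into k-bit integers, most significant block first."""
    value = int.from_bytes(data, "big")
    count = -(-len(data) * 8 // k)  # ceil(total_bits / k)
    mask = (1 << k) - 1
    return [(value >> (k * i)) & mask for i in reversed(range(count))]


def from_blocks(blocks, k, length):
    """Inverse of to_blocks; length is the original byte count."""
    value = 0
    for block in blocks:
        value = (value << k) | block
    return value.to_bytes(length, "big")


def encrypt(data, public):
    e, n = public
    return [pow(P, e, n) for P in to_blocks(data, block_bits(n))]  # Eq. (2.2)


def decrypt(blocks, private, length):
    d, p, q = private
    n = p * q
    plain = [pow(C, d, n) for C in blocks]  # Eq. (2.3)
    return from_blocks(plain, block_bits(n), length)


def recover_d_by_factoring(e, n):
    """Trial division on n: feasible only because this n is tiny."""
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)  # constructed toy values
    message = b"chaos"                       # constructed sample plaintext
    cipher = encrypt(message, public)
    print("public key:", public, "private key:", private)
    print("ciphertext blocks:", cipher)
    print("recovered:", decrypt(cipher, private, len(message)))
    print("d recovered from n alone:",
          recover_d_by_factoring(*public) == private[0])
```

Without padding, equal plaintext blocks always encrypt to equal ciphertext blocks, so this form is for following the equations only.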
ii. Elliptic curve cryptosystem
Elliptic curve cryptosystem
(ECC) is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP)
in which the entities are points on certain parts of an elliptic
curve. The use of elliptic curves for public-key cryptographic
schemes was suggested by Koblitz [29] and Miller [30] independently
in 1985. The underlying mathematical problem concerns two points P
and Q on the curve such that Q = kP, where k is a scalar. With the
knowledge of k and P, it is easy (at least not hard) to
obtain the scalar multiple kP. Interestingly, the
inverse problem of finding k given P and kP is intractable. In such a
system, P and kP can be made public whereas k is the decryption
trapdoor which must be kept secret. Theoretically, ECC is the best
alternative to the RSA system since it possesses a higher security
with a shorter key length. In its applications, ECC devices require
less memory storage and power than others. It is particularly suited
to deployment on constrained platforms, such as wireless
devices, PDAs and smart cards.
2.4 Summary
In this chapter, the goals and common terminologies
of cryptography are explained with the aid of the well-known Caesar
cipher. Following the ideas of Kerckhoffs and Shannon, some
important issues of cipher design are outlined. Moreover, by
defining the use of cipher keys, two cryptographic schemes, namely
private-key cryptosystems and public-key cryptosystems, and their
encryption techniques are discussed. As aforementioned, public-key
cryptography overcomes the key distribution problem found in
private-key cryptography. However, public-key cryptosystems are
derived from complex mathematical systems and are thus more
computationally intensive than their private-key
counterparts. In general, private-key cryptosystems are mainly
utilized for data confidentiality services. Other than
traditional schemes such as DES, IDEA and AES, some specific
private-key variants are also proposed as enhancements to the
traditional ones [20]. In particular, attempts to integrate chaotic
dynamics and cryptosystems have been made [6, 7 & 26]. An
investigation of this new research direction and its application
to multimedia security will be discussed in the following
chapters.
Chapter 3
Chaotic Cryptography
Chaos in nature is multidisciplinary, which
broadly covers physics, mathematics, communications, engineering
and so on. The first notion of applying chaos to encryption
appeared in Shannon's famous paper on cryptography in 1949 [15]. As
the principle of contemporary cryptographic design, he pointed out
that: "In a good mixing transformation functions are complicated,
involving all variables in a sensitive way. A small variation of
any one (variable) changes (all the outputs) considerably." This
refers to the concept of confusion and diffusion, which can be
connected to the fundamental properties of chaotic systems such as
ergodicity and sensitivity to initial conditions. Recall that
traditional cryptographic schemes mainly rely on complicated
algebraic operations. Interestingly, chaotic systems exhibit
attractive complex dynamics but exist in a relatively simple form.
In this sense, it is feasible to employ chaos theory in
cryptography. Over the past decades,
the field of chaos-based cryptography has become more and more
popular in the research literature. In this chapter, an overview of
chaotic cryptography will be presented. Section 3.1 will illustrate
the concept of chaos theory by some widely studied chaotic maps. In
Section 3.2, the fundamental properties of chaotic systems will be
described as a background for the following sections. The
similarities and differences between chaotic systems and
cryptosystems will then be investigated in Section 3.3. In
particular, the issue of chaotic image encryption will be discussed
in Section 3.4, while a summary will be given in Section 3.5.
3.1 Introduction to Chaotic Maps
In a scientific context, one
general description of chaos is an unpredictable and random-like
long-term evolution that results from deterministic nonlinear
systems. The simplest class of chaotic dynamic systems is
one-dimensional chaotic map which is a difference equation of the
form x n +1 = f ( x n , ) , n = 0, 1, 2, 3, (3.1)
where the state variable x and the system parameter are scalars,
i.e., x, R, and f is a mapping function defined in the real domain
R R. As for an introductory purpose from here on, only one- and
two-dimensional chaotic maps are briefly discussed.
3.1.1 One-dimensional Chaotic Maps
From Eq. (3.1), it can be seen that one-dimensional (1D) chaotic
maps are those in which the value of $x_{n+1}$ is
determined only by $x_n$. More specifically, this is known as a
recurrence relation. In chaotic dynamics, iteration is involved,
which means evaluating the map f over and over. The first example
considered is the tent map, which is described as follows [31]:
$$x_{n+1} = a\left(1 - 2\left|x_n - \tfrac{1}{2}\right|\right) = \begin{cases} 2a x_n & \text{if } 0 \le x_n \le \tfrac{1}{2}; \\ 2a(1 - x_n) & \text{if } \tfrac{1}{2} < x_n \le 1, \end{cases} \tag{3.2}$$
where a >
and $x_n \in [0,1]$. In addition, the tent map is a piecewise-linear
map
while the trajectory of the map is shown in Figure 3.1. In the
figure, the map parameter is chosen as $a = \tfrac{3}{4}$
that is confined to the interval [0, 1].
Figure 3.1 A plot of the tent map with parameter $a = \tfrac{3}{4}$.
Another example is the logistic map, which was originally
proposed to describe a population growth model [32]. The map is
quadratic and thus nonlinear, with the following expression:
$$x_{n+1} = b x_n (1 - x_n), \tag{3.3}$$
where b is the control parameter governing the chaotic behavior.
To ensure $x_n$ stays in the range [0, 1], parameter b has to be in the
range [0, 4]. Figure 3.2 shows the trajectory of the map with b =
3.999. Both the tent and the logistic maps exhibit a maximum at
$x_n = \tfrac{1}{2}$. In the next section, the logistic map is explicitly chosen as
a typical study case of chaotic behavior.
Figure 3.2 A plot of the logistic map with parameter b = 3.999.
3.1.2 Two-dimensional Chaotic Maps
The simplest possible case of a multi-dimensional map is a
two-dimensional (2D) map. Some well-studied examples to be covered
in this subsection include the baker map, the cat map and the
standard map. They also possess the superior properties found in
chaos, but are often described geometrically. More importantly, the
nature of 2D maps is more favourable for chaotic image encryption
than the 1D counterparts studied in the last sub-section.
i. Baker map
The baker map is a one-to-one map of the unit
interval [0, 1] into itself and is given by [33]:
$$x_{n+1} = 2x_n \pmod 1, \qquad y_{n+1} = \begin{cases} \tfrac{1}{2} y_n & \text{if } 0 \le x_n < \tfrac{1}{2}, \\ \tfrac{1}{2}(y_n + 1) & \text{if } \tfrac{1}{2} \le x_n \le 1, \end{cases} \tag{3.4}$$
where $(x_n, y_n) \in [0,1]$ and x mod 1 refers to the fractional
part of a real number x. One characteristic of the map
resembles the stretch-and-fold
mechanism shown in Figure 3.3. An interval is elongated to twice
its length horizontally, then split in half and piled up. In this
way, the map is considered topologically mixing.
Figure 3.3 An illustration of baker map in the unit square (a)
before action; (b) being stretched and (c) being folded.
ii. Cat map
Another much-studied example is the Arnold cat map, or
simply cat map, named after the Russian mathematician Vladimir Arnold,
who discovered it using an image of a cat [34]. It is described by:
$$\begin{bmatrix} x_{n+1} \\ y_{n+1} \end{bmatrix} = \begin{bmatrix} 1 & 1 \\ 1 & 2 \end{bmatrix} \begin{bmatrix} x_n \\ y_n \end{bmatrix} \bmod 1. \tag{3.5}$$
Of particular interest in the study of 2D invertible maps is
the property of area preservation. This property is also found in the
cat map, as the determinant of its transform matrix is equal to 1.
Similar to the baker map, Figure 3.4 explains the stretch-and-fold
mechanism behind the cat map in a geometrical way.
Figure 3.4 An illustration of cat map in the unit square.
iii. Standard map
The standard map is a perturbed twist map
which results from periodic impulsive kicking of the rotor written
in the form [31, 35]: n +1 = ( n + J n ) mod 2 , J n +1 = J n + k
sin n +1 mod 2 ,
(3.6)
where ( J n , n ) [0,2 ] and k (> 0) is kicking strength.
Note that the maps mentioned above belong to the category of a
coupled map. In geometry, the two equations of the map are
dependent on each other in how they act on the coordinates of a
point. In [36], it has also been proved that the map preserves area
in ( J , ) -space by calculating the Jacobian of the map as
follows: n det n +1 J n +1 n n +1 J n 1 1 = 1. = det k cos J n +1 J
n 1 + k cos n +1 n +1
(3.7)
The above mathematical proof implies that the map in Eq. (3.6)
is also a bijection onto itself in the unit space. The application of
the three invertible chaotic maps will be extensively described in
Section 3.4.
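What the determinant-1 property of the cat map in Eq. (3.5) buys when the map is used to shuffle pixels, shown as an added example that is not code from the thesis. Restricting the map to an N x N integer grid is an assumption made here (the section defines it on the unit square), and the sample image and function names are constructed.

```python
# Added example: Eq. (3.5) discretised on an N x N pixel grid (an assumption;
# the section above defines the map on the unit square only).


def cat_step(x, y, n):
    """Forward map with matrix [[1, 1], [1, 2]], taken mod n."""
    return (x + y) % n, (x + 2 * y) % n


def cat_step_inv(x, y, n):
    """Inverse map: the determinant is 1, so the inverse matrix
    [[2, -1], [-1, 1]] also has integer entries."""
    return (2 * x - y) % n, (y - x) % n


def permute(img, rounds=1):
    """Move every pixel of a square image along the cat map."""
    n = len(img)
    for _ in range(rounds):
        out = [[0] * n for _ in range(n)]
        for x in range(n):
            for y in range(n):
                u, v = cat_step(x, y, n)
                out[u][v] = img[x][y]
        img = out
    return img


def unpermute(img, rounds=1):
    """Undo permute() by sending every pixel back through the inverse map."""
    n = len(img)
    for _ in range(rounds):
        out = [[0] * n for _ in range(n)]
        for u in range(n):
            for v in range(n):
                x, y = cat_step_inv(u, v, n)
                out[x][y] = img[u][v]
        img = out
    return img


def is_bijection(n):
    """True if no two grid points are mapped to the same point."""
    images = {cat_step(x, y, n) for x in range(n) for y in range(n)}
    return len(images) == n * n


def period(n):
    """Smallest r > 0 such that r rounds return every pixel to its place."""
    a, b, c, d = 1, 1, 1, 2  # current power of the matrix, mod n
    r = 1
    while (a % n, b % n, c % n, d % n) != (1 % n, 0, 0, 1 % n):
        a, b, c, d = (a + b) % n, (a + 2 * b) % n, (c + d) % n, (c + 2 * d) % n
        r += 1
    return r


def sample_image(n=8):
    """Constructed n x n grey-level test image."""
    return [[(37 * x + 11 * y) % 256 for y in range(n)] for x in range(n)]


if __name__ == "__main__":
    img = sample_image(8)
    scrambled = permute(img, 3)
    print("bijection on 8x8 grid:", is_bijection(8))
    print("inverse restores image:", unpermute(scrambled, 3) == img)
    print("period for N = 8:", period(8))
    # Pixel values are only moved, never changed, and (0, 0) never moves.
    flat = lambda m: sorted(v for row in m for v in row)
    print("histogram unchanged:", flat(scrambled) == flat(img))
    print("origin fixed:", cat_step(0, 0, 8) == (0, 0))
```

The finite period and the unchanged histogram are the practical limits of a permutation-only stage: too many rounds bring the plain image back, and grey-level statistics survive the shuffle.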
3.2 The Important Properties of Chaotic Maps
This section
looks more closely at some important properties of
chaotic maps. They include sensitive dependence on initial
conditions, sensitive dependence on system parameters and mixing in
phase space. To facilitate the discussion, the logistic map is used
as an example to illustrate these properties.
3.2.1 Sensitive Dependence on Initial Conditions
High sensitivity to initial conditions is commonly
considered the hallmark of chaos. To illustrate the point, the two
cobweb diagrams in Figure 3.5 show the
effect of perturbing the initial value of the logistic map, with x0 =
0.7 and x0 = 0.700001 under the same parameter b = 3.999999. In the
figure, the trajectories after 100 iterations are computed. As
observed, even a tiny perturbation ($< 10^{-6}$) in the initial value
x0 leads to a tremendous difference in trajectory and output
in the long term.
Figure 3.5 Cobweb diagram of logistic map with (a) x0=0.7, (b)
x0=0.700001.
3.2.2 Sensitive Dependence on System Parameters
In chaotic domain, the sensitive dependence is not limited to
its initial values, but also in system parameters. Figure 3.6 plots
two trajectories of a logistic map which are specified with b =
3.999999 and b = 3.999998.
Figure 3.6 Variation in trajectories of the logistic map due to
minor differences in system parameter b = 3.999999 and b =
3.999998.
Since the studied maps are configured with parameters that differ
by an arbitrarily small amount, it is naturally expected that their
trajectories should somehow pass through the phase space in a
similar way. In the figure, the trajectories appear similar
only in the first few iterations, but then diverge
exponentially over iterations.
3.2.3 Ergodicity
The ergodic property of a chaotic system is often linked with the
concept of mixing. Roughly speaking, this means that any trajectory
of the map will not be restricted to a small region of phase
space, whatever point x in the space it starts from.
In this regard, the distributions of a number of
logistic trajectories iterated $10^4$ times with random
initial values and random system parameters (b > 3) were
investigated. Apart from the transient effect in the first few
iterations, it is found that all the distributions spread evenly in
the phase space and are quite close to each other. Figure 3.7
depicts the typical distribution of a trajectory of the logistic
map.
Figure 3.7 A typical distribution of trajectory of the logistic
map after $10^4$ iterations.
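The three properties of Sections 3.2.1 to 3.2.3, measured numerically on the logistic map of Eq. (3.3) with the values quoted above; this is an added example, not code from the thesis. The 0.1 divergence threshold, the ten-bin histogram and the byte extraction in keystream() are assumptions chosen for illustration.

```python
# Added example: numerical check of Sections 3.2.1-3.2.3 on Eq. (3.3).


def logistic_orbit(x0, b, n):
    """Return [x_0, x_1, ..., x_n] for x_{k+1} = b * x_k * (1 - x_k)."""
    xs = [x0]
    for _ in range(n):
        xs.append(b * xs[-1] * (1.0 - xs[-1]))
    return xs


def first_divergence(orbit_a, orbit_b, threshold=0.1):
    """Index of the first iteration where two orbits differ by > threshold."""
    for i, (u, v) in enumerate(zip(orbit_a, orbit_b)):
        if abs(u - v) > threshold:
            return i
    return None


def occupancy(orbit, bins=10):
    """Histogram of orbit values over equal-width bins of [0, 1]."""
    counts = [0] * bins
    for x in orbit:
        counts[min(int(x * bins), bins - 1)] += 1
    return counts


def keystream(x0, b, length, skip=100):
    """Assumed byte extraction: floor(256 * x) after a transient of skip."""
    xs = logistic_orbit(x0, b, skip + length)[-length:]
    return bytes(min(int(x * 256), 255) for x in xs)


def matching_fraction(s, t):
    """Fraction of positions at which two byte strings agree."""
    return sum(a == b for a, b in zip(s, t)) / min(len(s), len(t))


if __name__ == "__main__":
    base = logistic_orbit(0.7, 3.999999, 100)
    # 3.2.1: initial values 0.7 and 0.700001, same parameter
    near_x0 = logistic_orbit(0.700001, 3.999999, 100)
    print("x0 perturbed: diverges at n =", first_divergence(base, near_x0))
    # 3.2.2: parameters 3.999999 and 3.999998, same initial value
    near_b = logistic_orbit(0.7, 3.999998, 100)
    print("b perturbed:  diverges at n =", first_divergence(base, near_b))
    # 3.2.3: where a long orbit spends its time, transient dropped
    print("occupancy:", occupancy(logistic_orbit(0.7, 3.999999, 10**4)[100:]))
    # Keys that differ by 1e-6 give keystreams that agree almost nowhere
    k1 = keystream(0.7, 3.999999, 1000)
    k2 = keystream(0.700001, 3.999999, 1000)
    print("keystream agreement:", matching_fraction(k1, k2))
```

The results depend on double-precision arithmetic, so the exact divergence index can differ between platforms even though the qualitative behaviour does not.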
3.3 Relationship between Cryptosystems and Chaotic Systems
In the
literature, it has been found that there exists a close
relationship between traditional cryptosystems and chaotic systems
(maps) in many aspects [26, 36 & 37]. It is suggested that
chaotic systems have many superior dynamical properties which
correspond analogously to those required in cryptosystems.
According to the investigation made in [37], the common
relationships which promote chaos theory into practical
cryptographic design are summarized in Table 3.1. In particular,
the notion of confusion in traditional cryptosystems causes
plaintext to be transformed into random ciphertext such that there
should be no repeated
pattern in the ciphertext. By the same token, the trajectories
of chaotic systems pass through all points of the phase space,
generally with uniform distribution. In other words, it is very
difficult to predict the final position of one point from its
initial position. This is indeed the concept of ergodicity, which can
be associated with confusion in cryptosystems.

Chaotic systems                                          Traditional cryptosystems
Ergodicity                                               Confusion
Sensitivity to initial condition and system parameters   Diffusion
Parameters                                               Encryption key
Iterations                                               Cipher rounds

Table 3.1 A comparison of some features characterized by chaotic
systems and traditional cryptosystems.
To develop a good cryptosystem, another essential design
principle is the property of diffusion. With it, a totally
different ciphertext results no matter which bit of the key or
plaintext is changed. This implies that the system is sensitive to
the plaintext and its encryption key. On the other hand, recall that
chaotic systems depend strongly on initial conditions and
parameters. A small variation in any of the system parameters or
the initial point causes the trajectory to diverge significantly. In
this regard, chaotic systems and cryptosystems can naturally
benefit from each other. For security,
cryptosystems confuse and diffuse plaintext over a number of cipher
rounds. Similarly, for chaotic systems, the initial region is
ultimately scattered over the entire phase space via iterations. It
is therefore expected that chaos theory can be exploited in the
field of cryptography by taking the system parameters and initial
condition as secret keys while considering the iterations of the
chaotic map equivalent to rounds of the encryption function.
An elaborative example for the concept of chaos-based
cryptography was given in [38]. For illustrative purpose, 1D
chaotic map is assumed while the secret key is introduced to the
initial condition as follows. Suppose be a 1D chaotic map to be
employed in such a way that:
: [0,1] [0,1] ,
(3.8)
while P (0,1) be a plaintext to encrypt, and the ciphertext C is
the output of the encryption. Given the secret key k and a natural
number n for iterations of the map, we obtain: C = n ( P) = ( (L (
P ))) , (3.9)
where C are some selected pre-image of P under the map n . Then
for encryption, k is incorporated to be an initial condition of the
map which is formulated by
C = C + k (mod 1). (3.10)
Decryption is the reverse of encryption procedure described as:
P = n (C k ). (3.11)
It is clear that the aforementioned example is too simple and
does not fully utilize the chaotic properties to resist strong
cryptanalysis. However, it provides some insight, to a certain
extent, into cryptographic design that incorporates chaos theory.
For example, even the property of sensitivity to initial conditions
can considerably complicate the nature of encryption. It should
also be stressed that chaos is defined over real numbers, unlike
traditional cryptosystems, which are defined over the integer set
[37, 39]. Some studies on the phase space problem and possible
supplementary measures, such as defining approximate transformation
functions, have been carried out [40]. Nevertheless, comparing the
nature of these two systems, traditional cryptographic algorithms
usually involve a series of complicated substitutions and
permutations, whereas chaotic systems rely only on simple
equations. Over the past few decades, chaotic cryptography has
received much attention for the reasons discussed [6, 7 & 41].
3.4 Chaotic Encryption Schemes for Digital Images
In the preceding section, the integration of chaos-based
techniques into data encryption has been briefly introduced. In
practice, for large-scale data encryption (or more precisely,
multimedia encryption), it seems rather difficult and slow to
obtain a real data permutation and diffusion by conventional means
such as DES, IDEA and AES [42]. An example is a digital image,
which is characterized by bulk data capacity and strong correlation
among pixels. In this sense, a direct extension from document
encryption to digital images may not be efficient without special
modifications. Worse still, it poses the problem depicted in
Figure 3.8 if conventional block ciphers are applied unwisely.
Because of the high redundancy in the areas with the same or
similar colour in Figure 3.8(a), identical repeated patterns
appear, as shown in Figure 3.8(b), when a block cipher is used in
the ECB mode. The source code of the block cipher proposed in [43]
is implemented here.
Figure 3.8 (a) Plain image containing many areas with identical
or similar gray levels, and (b) its corresponding encrypted image
by Advanced Encryption Standard (AES) with both key size and block
size 128-bit long running in the ECB mode.
It is clear that image encryption has its own requirements in
contrast to text encryption. Alternatively, the well-established
chaos theory and the simplicity of discretized chaotic maps make
chaos-based techniques even more suitable for image encryption than
many traditional encryption schemes. The plain image can be swiftly
shuffled and diffused by the application of chaotic maps, which are
usually derived from simple equations. Thus, it can provide a
relatively fast and secure means for real-time data transmission
over high speed networks.
3.4.1 Review of Some Existing Chaotic Image Encryption Schemes
To deal with the challenges of image protection, increasing
attention has turned to chaotic approaches. For the general chaotic
cryptographic design, an illustrative example is given in Section
3.3. For the purpose of better image encryption, the chaotic map
is indeed more than simply a functional block in the cipher.
Alternatively, the map is commonly suggested to be a pseudorandom
bit generator as a part of the secret encryption operations [44],
or to scramble the entire image pseudorandomly [45 - 47], or both
[9 - 11, 26 & 48 - 50]. The former encrypts the pixels with chaotic
key streams to achieve security similar to that of classical stream
ciphers. The latter, however, focuses on the effective permutation
of pixel positions rather than their values, usually shuffling the
whole image in a single step.
In particular, an inspiring concept of permutation realized by a
discrete version of 2D chaotic maps was pointed out in a paper by
Pichler and Scharinger in 1994 [47]. Since then, dedicated chaotic
image encryption schemes have emerged in the literature. A few
years later, in 1998, Fridrich [26] extended the work of Pichler
and Scharinger by suggesting a more generalized approach adapting
an invertible 2D chaotic map on a torus or on a square to create a
symmetric block encryption scheme. In her design, an example based
on the 2D baker map was given to illustrate the steps of cipher
construction. The steps include choosing a chaotic map,
generalizing it by the introduction of some parameters,
discretizing the map and extending the discretized map to three
dimensions composed with a simple diffusion mechanism. The details
of the steps will be described in the next subsection. On the other
hand, Scharinger further proposed an encryption scheme based on the
chaotic Kolmogorov flow [48]. The basic idea is to take the whole
image as a single block and then permute it through a chaotic
system based on the Kolmogorov flow. In addition, a substitution
based on a pseudorandom number generator formed by shift registers
is performed, which renders the statistical information of the
encrypted image. Generally speaking, the two combination schemes
under study can provide a more structural framework and, more
importantly, perform faster than classical schemes such as DES
[26].
In 1999, a permutation-only image cipher called Hierarchical
Chaotic Image Encryption (HCIE) was proposed by Yen and his
research group [45]. As the name implies, HCIE undergoes certain
levels of encryption: (1) permuting image blocks, and (2) permuting
pixels in each image block in four different directions. These can
be accomplished by a pseudorandom permutation matrix controlled by
the binary sequence of the chaotic logistic map. The scheme is easy
to implement and thus achieves fast operation. In 2000, another
chaotic image encryption scheme called Chaotic Key-based Algorithm
(CKBA) was proposed by the same group [44]. The scheme first
generates a binary sequence based on the logistic map. According to
the binary sequence generated, image pixels are rearranged and
pseudorandomly XORed or XNORed with a sub-key in the predefined
set. Unfortunately, the two schemes were later criticized in [51]
and [52], respectively, where it was shown that neither the
permutation-only approach nor the chaotic binary stream encryption
is secure.
More recently, some other chaos-based image encryption schemes
have been proposed. Guan et al. employed the 2D chaotic cat map
[49] while Lian et al. employed the 2D standard map [9] for their
cryptographic implementation. A detailed analysis of Lian et al.'s
scheme will be provided in the next chapters. In general, the
schemes mentioned here mainly follow Fridrich's framework, adapting
2D permutation together with a simple diffusion process. In 2004,
some of the most commonly used 2D chaotic maps were also spatially
extended to higher-dimensional versions such as the 3D cat map
[10], 3D baker map [11] and 3D standard map [50]. Since a higher
degree of chaotic properties is expected, the maps achieve better
permutation of image pixels and thus fewer cipher rounds are
required. A distinct step in such a modification is to pile up the
2D plain image into a 3D cube, which does consume a certain amount
of computational time. Meanwhile, a chaotic diffusion process,
namely an XOR plus modulo operation, is performed in [10, 11]. This
diffusion process will be explained explicitly in Chapter 5.
3.4.2 Architecture of Generic Chaos-based Image Cryptosystems
For image encryption, 2D or higher-dimensional chaotic maps are
naturally employed because the image can be considered as a 2D
array of pixels [53]. In the previous sub-section, some related
examples [9 - 11, 26 & 48 - 50] have been shown, all of which
operate under Fridrich's framework. The properties of the framework
provide a more stable speed performance with a higher degree of
security. This greatly influences the design of chaos-based
cryptosystems hereafter. For a comprehensive study, the procedures
of Fridrich's generalization [26] are summarized as follows.
Assume that the size of the plain image is N × N, while the number
of gray levels is L. The recommended construction includes the
following four steps.
i. Choosing the chaotic map and generalizing it by introduction
of parameters
This step intends to define a high-dimensional chaotic map to
perform pixel permutation. It is suggested that a 2D map f which is
a chaotic bijection of the unit square I × I, where I = [0,1),
should be chosen. Such a bijective requirement is known as the
measure-preserving property of chaotic maps so that one-to-one
mapping is guaranteed in the processes of encryption and
decryption. It seems that a rich variety of chaotic maps are
suitable for cryptographic purposes. In practice, only simple ones
are preferred for a fast encryption process. Apart from simplicity,
the parameterization of the chaotic map chosen should also be
considered. A set of parameters can be introduced into the map to
constitute a portion of the secret key. The 2D chaotic maps
previously described in Section 3.1.2 are examples to be chosen.
ii. Discretizing the chaotic map
Since images are composed of a finite lattice of pixels, the
domain of the map f is changed from the unit square I × I to the
discretized form $N_0^{N-1} \times N_0^{N-1}$, where
$N_0^{N-1} = [0, N-1]$. In doing so, the discretized map F maps
each image pixel to another bijectively. As emphasized in [26], the
discretization in this step must fulfill the asymptotic property
formulated by:
\[ \lim_{N \to \infty} \max_{0 \le i, j < N} \left| f(i/N, j/N) - F(i, j) \right| = 0, \tag{3.12} \]
where f is the continuous map chosen and F is its discretized
form. This means that the discretized map gets closer to its
continuous counterpart as the number of pixels tends to infinity.
It can then preserve the basic properties of the continuous map.
The discretizations of the 2D chaotic baker map [47], cat map and
standard map [26] are presented in Eqs. (3.13) - (3.15),
respectively.
\[
\begin{aligned}
x_{k+1} &= \frac{N}{n_i}\,(x_k - N_i) + y_k \bmod \frac{N}{n_i}, \\
y_{k+1} &= \frac{n_i}{N}\left(y_k - y_k \bmod \frac{N}{n_i}\right) + N_i,
\end{aligned}
\tag{3.13}
\]
with $n_0 + n_1 + \cdots + n_t = N$, $N_i = n_0 + n_1 + \cdots + n_i$ with $N_0 = 0$, $x_k \in [N_i, N_i + n_{i+1})$ and $y_k \in [0, N)$.
\[
\begin{bmatrix} x_{k+1} \\ y_{k+1} \end{bmatrix}
=
\begin{bmatrix} 1 & a \\ b & ab + 1 \end{bmatrix}
\begin{bmatrix} x_k \\ y_k \end{bmatrix} \bmod N,
\tag{3.14}
\]
\[
\begin{aligned}
x_{k+1} &= (x_k + y_k) \bmod N, \\
y_{k+1} &= \left(y_k + t \sin\frac{2\pi x_{k+1}}{N}\right) \bmod N,
\end{aligned}
\tag{3.15}
\]
where $(x_k, y_k)$ and $(x_{k+1}, y_{k+1})$ are the current and
next chaotic states in each of the maps, and the other symbols are
the corresponding system parameters. Figures 3.9 - 3.11 illustrate
the results of applying the three discretized chaotic maps in Eqs.
(3.13) - (3.15) to the test image Lena once and nine times.
Figure 3.9 (a) A test image of Lena; the resultant images (b) and
(c) after applying the discretized baker map once and nine times,
respectively, with N = (8, 8, 32, 64, 32, 32, 32, 32, 64, 64, 32,
64, 32, 8, 8).
Figure 3.10 The results of test image Lena (a) and (b) after
applying the discretized cat map once and nine times, respectively,
with a = 5 and b = 9.
Figure 3.11 The results of test image Lena (a) and (b) after
applying the discretized standard map once and nine times,
respectively, with k = 1750.
iii. Composing a diffusion mechanism
So far, an apparently unrecognizable image can be obtained by
shuffling the positions of the image pixels. However, the histogram
of the resultant image remains the same as that of the plain image.
The permutation-based cipher is still vulnerable to statistical and
chosen-plaintext-type attacks. It is therefore necessary to
introduce a diffusion mechanism after the permutation stage. The
idea is to spread the influence of every single pixel over the
entire image. In general, the gray levels of the pixels can be
altered sequentially by the pseudorandom output of a 1D chaotic
map.
iv. Evaluating the overall performance (security and complexity)
The security level is a fundamental issue for all kinds of
ciphers. A strong cipher is one that is capable of resisting any
kind of cryptanalytic attack, including brute-force attack,
statistical attack, known-plaintext attack and chosen-plaintext
attack. Therefore, a cipher of high key and plaintext sensitivity
together with a large key space is preferable. On the other hand,
complexity evaluation is important to image encryption as well,
since it always indicates the feasibility of encryption schemes.
Special attention should be given to computational speed and to
the size and quality of the encrypted images.
[Block diagram: the plain image P1 passes through n rounds, each
consisting of a 2D permutation followed by pixel value diffusion.
Round i uses the keys Kpi and Ksi, and its output becomes the input
of the next round (P2 = C1, P3 = C2, ..., Pn = Cn-1); the final
output Cn is the encrypted image.]
Figure 3.12 A generic architecture of image encryption systems
based on 2D chaotic permutations.
In accordance with the above cipher construction, the basis of
generic image encryption is modeled and presented in Figure 3.12.
Similar to traditional block ciphers, the studied architecture is
composed of two processes: chaotic confusion and pixel diffusion.
The former is also called permutation, which shuffles a whole plain
image with a 2D chaotic map, and the latter modifies the value
(gray level) of each pixel one by one. In the confusion process,
the parameters of the chaotic map can be regarded as the confusion
key Kp; in the diffusion process, parameters such as the initial
values and control parameters of the diffusion function can be
regarded as the diffusion key Ks. For security enhancement reasons,
the confusion and diffusion processes are often repeated n times.
3.4.3 Other Issues in Chaos-based Image Cryptosystems
i. Ineffective confusion problems in corner pixels
As seen from the mathematical form of the 2D maps in Eqs. (3.13) -
(3.15), some pixels at the corners of the image merely map to their
original positions. In the case of the baker map, the affected
pixels are at (0, 0) and (N-1, N-1), while the problem at the
origin (0, 0) is also found in both the cat map and the standard
map. The information leakage is insignificant, but undesirable in
cryptographic design. As rectified by [9, 54], the permutation can
be improved by changing the scan order of the process. This means
scanning a random pixel (rx, ry) other than the origin first in the
course of the permutation process.
ii. Parameter space analysis of common 2D chaotic maps
It is clear that the parameter space of the chaotic map determines
the degree of cipher security to a certain extent. As investigated
in [54], the parameter spaces of three common maps are listed in
Table 3.2. For an image of size N × N, the investigation suggested
that the parameter space of the cat map is the smallest, while the
standard map has the largest parameter space ((N^2)!). Their spaces
are enlarged proportionally if a distinct value of Kp is used for
each of the n different iterations.

2D chaotic map | Parameter space (use the same key   | Parameter space (use the different key
               | for n different iterations)         | for n different iterations)
Baker map      | 2^(N-1)                             | 2^(n(N-1))
Cat map        | N^2                                 | N^(2n)
Standard map   | (N^2)!                              | [(N^2)!]^n

Table 3.2 Comparison of the parameter space of baker map, cat
map and standard map after discretization.
iii. Key generation for iterative ciphers
As pointed out in [54], distinct sub-keys for the confusion and
diffusion processes are essential to the security enhancement of
cryptosystems. To this end, a key generator should be provided for
the purpose of sub-key generation and distribution. In [9], Lian et
al. proposed a scalable key scheming which is based on a chain of
1D chaotic maps, as outlined in Figure 3.13. To obtain n subkeys,
the secret key of the cryptosystem can be divided into n groups Xi
and Ki, where i = [1, m] representing the ith of m cipher rounds.
Xi serves as the initial condition of the map, while Ki serves as
the system parameter of the map with respect to Xi. In this scheme,
any tiny change in the secret key will influence the consequent
sub-keys substantially. As a result, the key sensitivity
requirement of cryptosystems is satisfied.
[Block diagram: n chains of 1D maps. Chain i starts from Xi, every
1D map in the chain takes Ki as its parameter, and the last two
outputs of the chain are labelled Xim-1 and Xim.]
Figure 3.13 An illustration of key generation and distribution
proposed in [9].
iv. Typical preprocessing in integer and real domains
In many 1D chaotic maps and some other chaotic systems, chaos is
observed in the real number field. In computer programming, one is
required to deal with decimal fractions and integers when a
real-valued chaotic system is incorporated into the process of
pixel value modification. There are many methods to approximate
decimal fractions to binary integers or vice versa. For example, a
typical approximation function de2bi() suggested for C++
programming can be found in [49]:
B = de2bi(mod((Abs(Xi) - Floor(Abs(Xi))) × 10^14, 256)), (3.16)
where Xi is a decimal fraction obtained by the chaotic system,
Abs() is the absolute function, and Floor() rounds down to the
nearest integer less than or equal to the given value. The function
assumes that a 256 gray scale image and the double data type
(15-digit precision) are used. Conversely, the conversion from
binary integer to decimal fractions can be realized as follows:
D = bi2de(v) = v / max(v), (3.17)
where max(v) is the amplitude of input v. When a real-valued
chaotic map such as the logistic map is used, one should expect
some overhead from preprocessing decimal and integer values in the
whole encryption scheme. In this case, the tradeoff between
functional simplicity and complexity in the change of domains
differs between particular cipher designs and should be thoroughly
balanced in the implementation.
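The round structure of Figure 3.12 can be exercised end to end with the discretized cat map of Eq. (3.14) as the confusion stage and a logistic-map keystream quantized in the manner of Eq. (3.16) as the diffusion key stream; the same code shows the unchanged histogram noted in step iii and the fixed origin noted in item i of Section 3.4.3. This is an added example, not code from the thesis or from the cited papers. The XOR-plus-modulo feedback formula, the logistic parameter r = 3.99, the warm-up length, the constructed test image and all function names are assumptions.

```python
import math

def cat_map(img, a, b, inverse=False):
    """Eq. (3.14): pixel (x, y) moves to (x + a*y, b*x + (a*b + 1)*y) mod N."""
    n = len(img)
    out = [[0] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            u, v = (x + a * y) % n, (b * x + (a * b + 1) * y) % n
            if inverse:
                out[x][y] = img[u][v]   # pull each pixel back from where it went
            else:
                out[u][v] = img[x][y]
    return out

def keystream(x0, r, count, warmup=200):
    """Logistic map x -> r*x*(1-x), quantized to bytes in the manner of Eq. (3.16)."""
    x, out = x0, []
    for i in range(warmup + count):
        x = r * x * (1.0 - x)
        if i >= warmup:                 # discard the transient (assumed warm-up)
            frac = abs(x) - math.floor(abs(x))
            out.append(int(frac * 1e14) % 256)
    return out

def diffuse(pixels, ks, c_prev=0):
    """Assumed XOR-plus-modulo diffusion with cipher feedback (formula not from the page)."""
    out = []
    for p, k in zip(pixels, ks):
        c_prev = k ^ ((p + k) % 256) ^ c_prev
        out.append(c_prev)
    return out

def undiffuse(cipher, ks, c_prev=0):
    """Inverse of diffuse(): recover each pixel from two consecutive cipher values."""
    out = []
    for c, k in zip(cipher, ks):
        out.append(((k ^ c ^ c_prev) - k) % 256)
        c_prev = c
    return out

def flatten(img):
    return [p for row in img for p in row]

def reshape(flat, n):
    return [flat[i * n:(i + 1) * n] for i in range(n)]

def encrypt(img, key):
    a, b, x0, r, rounds = key           # Kp = (a, b), Ks = (x0, r)
    n = len(img)
    ks = keystream(x0, r, n * n)
    for _ in range(rounds):
        img = cat_map(img, a, b)                        # confusion
        img = reshape(diffuse(flatten(img), ks), n)     # diffusion
    return img

def decrypt(img, key):
    a, b, x0, r, rounds = key
    n = len(img)
    ks = keystream(x0, r, n * n)
    for _ in range(rounds):
        img = reshape(undiffuse(flatten(img), ks), n)
        img = cat_map(img, a, b, inverse=True)
    return img

def differing_fraction(img1, img2):
    f1, f2 = flatten(img1), flatten(img2)
    return sum(p != q for p, q in zip(f1, f2)) / len(f1)

# Constructed 16x16 "image"; a = 5, b = 9 as in Figure 3.10, the rest is made up.
N = 16
PLAIN = [[(7 * x + 13 * y + 101) % 256 for y in range(N)] for x in range(N)]
KEY = (5, 9, 0.3141592653, 3.99, 2)

if __name__ == "__main__":
    shuffled = cat_map(PLAIN, 5, 9)
    print("histogram unchanged by permutation:",
          sorted(flatten(shuffled)) == sorted(flatten(PLAIN)))
    print("origin stays put:", shuffled[0][0] == PLAIN[0][0])
    cipher = encrypt(PLAIN, KEY)
    print("round trip ok:", decrypt(cipher, KEY) == PLAIN)
    near_key = (5, 9, 0.3141592653 + 1e-10, 3.99, 2)
    print("pixels changed by a 1e-10 key change:",
          differing_fraction(cipher, encrypt(PLAIN, near_key)))
```

The keystream depends on IEEE-754 double arithmetic, so both ends must compute the logistic map identically for decryption to succeed.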
3.4.4 Cryptanalysis of Chaos-based Image Cryptosystems
Chaotic cryptosystems, like any other cryptosystems, should have
a strong ability to frustrate all kinds of cryptanalytic efforts.
From the cryptographic point of view, resistance against attacks is
a good measure for evaluating the performance of a cryptosystem. A
typical classification of the attacks is based on the extra
information required by the cryptanalyst in different scenarios.
They are listed as follows:
Ciphertext only attack - the cryptanalyst only has a number of
ciphertexts;
Known plaintext attack - the cryptanalyst has some matched
plaintext and ciphertext pairs;
Chosen plaintext attack - the cryptanalyst can choose any
plaintext at will and obtain the corresponding ciphertext. This
added facility can help in breaking a cipher;
Chosen ciphertext attack - the cryptanalyst can choose some
ciphertexts and obtain the corresponding plaintexts.
In the four kinds of typical attacks, the cryptanalyst intends to
determine the key that was used. It is expected that the ciphertext
only attack is the most difficult, while the chosen plaintext
attack is the easiest for the cryptanalyst, due to the auxiliary
information he or she obtains.
The abovementioned attacks are generally applicable to all types
of cryptosystems. In particular, some specific attacks are based on
the structural characteristics of multimedia data such as image and
video [55]. For image encryption, statistical and differential
attacks are the two most well-known and important security issues.
The former is a variant of the ciphertext-only attack. In this
case, the cryptanalyst tries to learn or recognize some pattern
when the plain image is not available. The pattern or similar
information may be exposed by the histograms of some encrypted
images or by correlations between certain pairs of adjacent image
pixels. In the latter case, the cryptanalyst tries to choose two
images which differ in one pixel, and then compares the encryption
results. By repeating the procedure with other pixels, part of or
the whole pixel position mapping in the permutation stage can be
reconstructed. A more detailed discussion will be given in Chapters
4 and 5.
For a comprehensive study, some particular cryptanalyses of the
chaotic image encryption schemes in Section 3.4.1 are outlined,
which are worth paying attention to in future designs. For a
permutation-only image cipher such as [45], it has been pointed out
in [51] that when such a cipher encrypts images in the spatial
domain, a pixel at the position (i, j) will be secretly relocated
to another fixed position (i', j') while its pixel value is kept
unchanged. No matter how complicated the permutation is, by
comparing a number of known plain images and the corresponding
encrypted images, it is possible for the cryptanalyst to
reconstruct the secret permutations of all pixels. The approach is
definitely incapable of providing a sufficiently high degree of
security to withstand known/chosen plaintext attacks. In [52], Yen
et al.'s CKBA encryption scheme is found to have some serious
security loopholes. First, since sub-keys are used to encrypt more
than one block of plaintext, the key set together with the binary
sequence can possibly be reconstructed from only one pair of known
or chosen plain image and encrypted image. Therefore, it cannot
resist the chosen and known plaintext attacks. In addition, its
security against brute force attack [12] is also overestimated by
the authors, due to the fact that the total key length is not fully
utilized in the actual encryption. From this point of view, the
secret key should never be reused in any case.
In particular, the combination of permutation and diffusion
schemes has been reported to have some fundamental weaknesses. Wang
et al. criticized the 3D cat map based image encryption scheme
[10]. Although the scheme resists statistical and differential
attacks, it is still likely to be breakable with a chosen plaintext
attack. According to [56], firstly, the chaotic 3D permutation is
meaningless if a homogeneous plain image with identical pixel
values is encrypted. In this case, the security of the scheme
relies merely on a simple diffusion process. Moreover, if a pixel
value in the plain image is 0, then the underlying diffusion
operation is also useless. As a result, a key recovery attack is
proposed which recovers the initial condition of the logistic maps
according to the gray code. Apparently, the encryption of a
homogeneous plain image is an arbitrarily insufficient issue.
However, in [10], this leads to the problem that the scheme is
eventually broken by the chosen plaintext attack discussed.
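The known-plaintext weakness of permutation-only ciphers pointed out in [51] and described above can be checked on a small constructed case: each known plain/encrypted pair narrows down where every pixel position was moved, until the whole mapping is fixed. This is an added example, not code from the thesis or from [51]. The seeded random permutation standing in for the secret chaotic permutation, the 32 × 32 size, the random known images and all function names are assumptions.

```python
import random
from collections import defaultdict

def permute(pixels, perm):
    """Permutation-only cipher: the pixel at position i moves to perm[i]; values are untouched."""
    out = [0] * len(pixels)
    for i, p in enumerate(pixels):
        out[perm[i]] = p
    return out

def candidate_targets(pairs):
    """For every plain position, list the cipher positions consistent with all known pairs."""
    size = len(pairs[0][0])
    # The "signature" of a position is the tuple of values it holds across the known images.
    by_signature = defaultdict(list)
    for j in range(size):
        by_signature[tuple(cipher[j] for _, cipher in pairs)].append(j)
    return [by_signature[tuple(plain[i] for plain, _ in pairs)] for i in range(size)]

def ambiguous(candidates):
    """Number of plain positions whose destination is not yet pinned down."""
    return sum(len(c) != 1 for c in candidates)

def invert_with(candidates, cipher):
    """Undo the permutation using the first candidate of each position."""
    return [cipher[c[0]] for c in candidates]

# Constructed setup: a secret permutation and six known plain/encrypted image pairs.
SIZE = 32 * 32
_rng = random.Random(2007)
SECRET_PERM = list(range(SIZE))
_rng.shuffle(SECRET_PERM)
KNOWN = []
for _ in range(6):
    _plain = [_rng.randrange(256) for _ in range(SIZE)]
    KNOWN.append((_plain, permute(_plain, SECRET_PERM)))
UNSEEN = [_rng.randrange(256) for _ in range(SIZE)]     # an image not among the known pairs
UNSEEN_CIPHER = permute(UNSEEN, SECRET_PERM)

def ambiguity_by_pairs():
    """Ambiguous positions remaining after 1, 2, ..., 6 known pairs."""
    return [ambiguous(candidate_targets(KNOWN[:m])) for m in range(1, len(KNOWN) + 1)]

if __name__ == "__main__":
    print("ambiguous positions per number of known pairs:", ambiguity_by_pairs())
    cands = candidate_targets(KNOWN)
    print("unseen image recovered without the key:",
          invert_with(cands, UNSEEN_CIPHER) == UNSEEN)
    print("histogram preserved by the cipher:",
          sorted(UNSEEN_CIPHER) == sorted(UNSEEN))
```

Real images with large flat regions share pixel values across many positions, so more known pairs are needed than for the random images used here.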
3.5 Summary
In this chapter, the concept of chaos was shown through examples
of chaotic maps and an introduction to their dynamical properties.
An investigation of chaotic maps and cryptosystems reveals that
they share some common properties. Since then, many researchers
have pursued their efforts in chaotic cryptography. As mentioned in
the last chapter, traditional cryptographic schemes are mainly
based on discrete mathematics composed with many complicated
algebraic operations, while chaotic cryptographic schemes rely on
the complex dynamics of nonlinear maps which are deterministic but
simple. Indeed, the nice and distinct properties of chaos, such as
ergodicity and sensitive dependence on initial conditions and
system parameters, favour the application of chaos theory in both
document and multimedia data encryption. In this thesis, chaotic
encryption schemes for digital images are of particular interest.
The typical architecture and some important issues of chaotic image
cryptosystems, including the cryptanalysis techniques, are
intensively studied as a background for the algorithm developments
in the following chapters.
Chapter 4
Chaotic Confusion Process for Image Encryption
As discussed in the preceding chapter, the architecture of many
chaos-based image encryption schemes mainly consists of an image
pixel permutation stage and a pixel value diffusion stage.
Generally speaking, the confusion effect is contributed by the
permutation-only stage, while the diffusion effect is found only in
the pixel value diffusion stage. However, for some encryption
schemes, the required number of permutation-diffusion rounds is
unnecessarily large to achieve a certain level of security. The
efficiency of the encryption process is thus downgraded. In this
chapter, an overview of an image encryption scheme using the 2D
chaotic standard map will be given in Section 4.1. It is considered
as a reference scheme. Some observations on this reference scheme
will be described in Section 4.2. Based on the observations, a
modified approach of the permutation stage will be proposed