Run Run Shaw Library Copyright Warning Use of this thesis/dissertation/project is for the purpose of private study or scholarly research only. Users must comply with the Copyright Ordinance. Anyone who consults this thesis/dissertation/project is understood to recognise that its copyright rests with its author and that no part of it may be reproduced without the author’s prior written consent.


CITY UNIVERSITY OF HONG KONG

A Study on Efficient Chaotic Image Encryption Schemes

Submitted to Department of Electronic Engineering in Partial Fulfillment of the Requirements for the Degree of Master of Philosophy

by

Kwok Sin Hung

September 2007


Abstract

With the advancement of mobile communication technologies, the use of audio-visual information in addition to textual information has become more prevalent than in the past. Cryptographic approaches are therefore necessary for secure multimedia content storage and distribution over open networks such as the Internet. A traditional way to resist statistical and differential cryptanalyses is to employ permutation and diffusion alternately. Recently, research on image encryption using chaos theory has emerged. Some chaotic image encryption schemes use a multi-dimensional chaotic map for pixel permutation in the spatial domain while taking another one-dimensional (1D) chaotic map for keystream generation in the diffusion function. Various image encryption schemes under this architecture have been proposed in the literature.

There are still two realization constraints of the above architecture which hinder the system performance. First, the confusion and diffusion effects are solely contributed by the permutation and the diffusion stage, respectively. Consequently, more overall rounds than necessary are required to achieve a certain level of security. Second, in the diffusion stage in particular, a real-valued chaotic sequence is commonly treated as a pseudo-random keystream. However, a considerable amount of computation is spent on real-valued computation and the subsequent integer quantization.

In this thesis, the typical structure of chaos-based image encryption schemes has been studied. The concept of introducing a certain diffusion effect in the confusion stage by simple sequential Add-and-then-shift operations is proposed. The purpose is to mix the pixel values over the entire image to achieve an effect similar to diffusion. The explicit diffusion function then contributes the second level of diffusion, which leads to fewer overall rounds and hence a faster encryption.

Moreover, a more efficient diffusion function using simple table lookup techniques as a light-weight replacement for real-valued chaotic maps is also suggested. Instead of floating point computation, the diffusion process is accomplished by mutual lookup of a static two-dimensional (2D) permutation table and a dynamic 2D diffusion table. Both the position and the value of each permuted image pixel are used to locate a secret mask. Eventually, each permuted pixel value is added to the random mask drawn from the table. Simulation results show that at a similar performance level, the proposed cryptosystem requires around one-third the encryption time of an existing cryptosystem. An effective acceleration of the encryption speed is therefore achieved, which makes the scheme more applicable to real-time image encryption.


Acknowledgements

First and foremost, I would like to express my deepest gratitude to my supervisor, Dr. K.W. Wong, for his patient guidance and support during my research. Dr. Wong's kind encouragement and insightful advice have helped me to overcome many challenges and guided me to complete this thesis. In addition, I sincerely appreciate the fruitful collaborations with my colleagues, Mr C.W. Lee and Mr K.P. Man, in various research projects. They have made my study life more enjoyable. I would especially like to thank City University of Hong Kong for providing financial support and an ideal environment for my research. Finally, I am very grateful to my family for their great love, support and understanding at all times, especially during the most difficult periods of my research and thesis writing.


Contents

List of Figures
List of Tables
List of Symbols
List of Abbreviations

Chapter 1 Introduction
    1.1 Motivation and Objective
    1.2 Outline of the Thesis

Chapter 2 Fundamentals of Cryptography
    2.1 Background
    2.2 Private-key Cryptography
        2.2.1 The Encryption Process
        2.2.2 Typical Private-key Cryptosystems
        2.2.3 Brief Review on Some Existing Image Encryption Schemes
    2.3 Public-key Cryptography
        2.3.1 Principle of Public-key Encryption
        2.3.2 Typical Public-key Cryptosystems
    2.4 Summary

Chapter 3 Chaotic Cryptography
    3.1 Introduction to Chaotic Maps
        3.1.1 One-dimensional Chaotic Maps
        3.1.2 Two-dimensional Chaotic Maps
    3.2 The Important Properties of Chaotic Maps
        3.2.1 Sensitive Dependence on Initial Conditions
        3.2.2 Sensitive Dependence on System Parameters
        3.2.3 Ergodicity
    3.3 Relationship between Cryptosystems and Chaotic Systems
    3.4 Chaotic Encryption Schemes for Digital Images
        3.4.1 Review of Some Existing Chaotic Image Encryption Schemes
        3.4.2 Architecture of Generic Chaos-based Image Cryptosystems
        3.4.3 Other Issues in Chaos-based Image Cryptosystems
        3.4.4 Cryptanalysis of Chaos-based Image Cryptosystems
    3.5 Summary

Chapter 4 Chaotic Confusion Process for Image Encryption
    4.1 Overview of an Image Encryption Scheme Using 2D Standard Map
    4.2 Some Observations
    4.3 Modified Confusion Process with Pixel Value Mixing
        4.3.1 Investigation of Some Possible Operations on Pixel Value
        4.3.2 Encryption Procedure
        4.3.3 Decryption Procedure
        4.3.4 Hardware Implementation
    4.4 Security Analysis
        4.4.1 Histogram
        4.4.2 Key Space
        4.4.3 Differential Analysis with Time Performance
        4.4.4 Correlation Analysis of Two Adjacent Pixels
    4.5 Summary

Chapter 5 Efficient Image Diffusion Using Table Operations
    5.1 Diffusion Algorithms Based on 1D Logistic Map
        5.1.1 Diffusion Techniques Based on XOR plus mod Operations
        5.1.2 Diffusion Techniques Based on XOR with Substitutions
    5.2 Practical Problems of the Algorithms
    5.3 The Proposed Cryptosystem
        5.3.1 Diffusion Based on Table Lookup and Entries Swapping
        5.3.2 The Overall Encryption Procedure
        5.3.3 Hardware Implementation
    5.4 Experimental Results and Analysis
        5.4.1 Diffusion Key Analysis
        5.4.2 Correlation Analysis of Two Adjacent Pixels
        5.4.3 NPCR & UACI Analyses
    5.5 Summary

Chapter 6 Conclusion and Further Developments
    6.1 Conclusion
    6.2 Further Developments
        6.2.1 Joint Compression-encryption Approach to Reduce Cipher Image Size
        6.2.2 Extension to Chaos-based Video Encryption
        6.2.3 Incorporation of Public-key with Private-key Schemes

References
List of Publications


List of Figures

Figure 2.1 The encryption process performed by Caesar cipher.
Figure 2.2 Private-key cryptography scenario.
Figure 2.3 Public-key cryptography scenario.
Figure 3.1 A plot of the tent map with parameter a = 3/4.
Figure 3.2 A plot of the logistic map with parameter b = 3.999.
Figure 3.3 An illustration of baker map in the unit square (a) before action; (b) being stretched and (c) being folded.
Figure 3.4 An illustration of cat map in the unit square.
Figure 3.5 Cobweb diagram of logistic map with (a) x0=0.7, (b) x0=0.700001.
Figure 3.6 Variation in trajectories of the logistic map due to minor differences in system parameter b = 3.999999 and b = 3.999998.
Figure 3.7 A typical distribution of trajectory of the logistic map after 104 iterations.
Figure 3.8 (a) plain image containing many areas with identical or similar gray levels, and (b) its corresponding encrypted image by Advanced Encryption Standard (AES) with both key size and block size 128-bit long running in the ECB mode.
Figure 3.9 (a) A test image of Lena; the resultant images (b) and (c) after applying the discretized baker map once and nine times, respectively, with N = (8, 8, 32, 64, 32, 32, 32, 32, 64, 64, 32, 64, 32, 8, 8).
Figure 3.10 The results of test image Lena (a) and (b) after applying the discretized cat map once and nine times, respectively, with a = 5 and b = 9.
Figure 3.11 The results of test image Lena (a) and (b) after applying the discretized standard map once and nine times, respectively, with k = 1750.
Figure 3.12 A generic architecture of image encryption systems based on 2D chaotic permutations.
Figure 3.13 An illustration of key generation and distribution proposed in [9].
Figure 4.1 The chaotic image cryptosystem proposed by Lian et al. in [9].
Figure 4.2 Plaintext sensitivity test: (a) original image, (b) and (c) cipher images (m=n=2) whose corresponding plain images have one pixel difference only; (d) difference between cipher images (b) and (c) in gray scale (upper) and binary colour (lower), (e) and (f) cipher images (m=n=4) with the same corresponding plain images as (b) and (c), respectively; (g) difference between cipher images (e) and (f) in gray level.
Figure 4.3 Architecture of the proposed chaotic image cryptosystem.
Figure 4.4 An illustration of Add-and-then-shift operation on pixels in permutation.
Figure 4.5 The proposed hardware configuration.
Figure 4.6 Main modules of the proposed hardware implementation: (a) Standard Map Computation Unit; (b) Add-and-then-shift Unit and (c) Logistic Map Computation Unit.
Figure 4.7 (a) Plain Lena image; (b) Histogram of the plain image; (c) Intermediate cipher image using Lian et al.'s confusion; (d) Histogram of the intermediate cipher image shown in (c); (e) Intermediate cipher image using the proposed confusion; (f) Histogram of the intermediate cipher image given in (e).
Figure 4.8 (a) Plain Cameraman image; (b) and (c) cipher images whose corresponding plain images have one pixel difference only; (d) difference between cipher images shown in (b) and (c).
Figure 4.9 Performance of the proposed and Lian et al.'s cryptosystems in terms of (a) number of pixels change rate (NPCR); and (b) unified average changing intensity (UACI) at different overall rounds (m) with 4 permutation rounds in each confusion stage (n = 4).
Figure 4.10 Correlation analyses of two horizontally adjacent pixels in (a) the plain Peppers image; (b) the cipher image obtained using the proposed scheme.
Figure 5.1 A plot of pixel value and mask value using the diffusion method employed in [9].
Figure 5.2 Diffusion performance on plain-image: (a) 256 × 256 Cameraman image; (b) and (c) diffused image by 1 round of Algorithm 5.1.1 and 5.1.2, respectively; (d) and (e) diffused image by 9 rounds of Algorithm 5.1.1 and 5.1.2, respectively; (f) and (g) Histograms of results in (d) and (e), respectively.
Figure 5.3 Diffusion performance on plain-image: (a) 512 × 512 Elaine image; (b) and (c) diffused image by 1 round of Algorithm 5.1.1 and 5.1.2, respectively; (d) and (e) diffused image by 9 rounds of Algorithm 5.1.1 and 5.1.2, respectively; (f) and (g) Histograms of results in (d) and (e), respectively.
Figure 5.4 An illustration of encoding method for Pi-1 and Ci-1.
Figure 5.5 A block diagram of table lookup based on information of pixel position permutation.
Figure 5.6 Graphical representation of swapping entries (s,t) and (x4,y4).
Figure 5.7 An illustration of the dynamic update of the 2D lookup table.
Figure 5.8 Flowchart of the proposed diffusion algorithm.
Figure 5.9 Architecture of the proposed chaos-based image cryptosystem.
Figure 5.10 The proposed hardware configuration.
Figure 5.11 Main modules of the proposed hardware implementation: (a) Standard Map Computation Unit and (b) 2D Table Operation Unit.
Figure 5.12 Performance of diffusion function collaborated with different 2D chaotic maps (a) - (c) permutated image using baker map, cat map and standard map, respectively; (d) - (f) completely encrypted images of images (a) - (c) after diffusion process, respectively; (g) - (i) histograms of images (d) - (f).
Figure 5.13 Key sensitivity test 1: (a) plain-image; (b) encrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 90); (c) encrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 91); (d) difference image.
Figure 5.14 Key sensitivity test 2: (a) plain-image; (b) encrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 90); (c) decrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 90); (d) decrypted image (Kx = 123, Ky = 34, Kr = 56, Ktrow = 78, Ktcol = 91).
Figure 5.15 Correlations of two horizontally adjacent pixels in (a) the plain Lena image; (b) the encrypted image by the proposed scheme (m=2, n=1).


List of Tables

Table 3.1 A comparison of some features characterized by chaotic systems and traditional cryptosystems.
Table 3.2 Comparison of the parameter space of baker map, cat map and standard map after discretization.
Table 4.1 Percentage of pixel change on different test images with overall rounds m=n=2 and m=n=4.
Table 4.2 Time required to perform Algorithms 4.3.1 (a) - (f).
Table 4.3 Test on permuting Lena image with Algorithms 4.3.1 (a) - (f) (MN: Mean; SD: Standard Deviation; MDN: Median).
Table 4.4 Test on permuting homogenous black square with Algorithms 4.3.1 (a) - (f) (MN: Mean; SD: Standard Deviation; MDN: Median).
Table 4.5 Test on permuting homogenous white square with Algorithms 4.3.1 (a) - (f) (MN: Mean; SD: Standard Deviation; MDN: Median).
Table 4.6 Probability of no shift on some test images.
Table 4.7 Execution time and performance indices NPCR and UACI of the proposed and Lian et al.'s schemes, for some selected values of m and n.
Table 4.8 Correlation coefficients of adjacent pixels of different images.
Table 5.1 Time required for different diffusion algorithms to process an image of size 512 × 512.
Table 5.2 Content of the proposed 2D Diffusion table: (a) initial state (b) updated after processing the entire image.
Table 5.3 The configuration and results of key sensitivity test.
Table 5.4 Correlation coefficients of adjacent pixels in two images.
Table 5.5 Encryption time and performance indices NPCR and UACI of the proposed, Chen et al.'s and Lian et al.'s scheme, for some selected values of m and n.


List of Symbols

> left shift right shift exclusive-or scalar multiplication modulus operator closed interval between a and b N-tuple of n members list of elements ai with i being the index selected pre-image of a plain image P value of ith pixel in a cipher image C inverse of function E number of pixels N in one row ranged from 0 to N-1 value of ith pixel in a plain image P Real number domain value of the 1D chaotic map iteration at the nth cycle random scan couple 1D vector with elements s and t absolute value of number x upper bound of the logistic map lower bound of the logistic map

mod [a, b] (a1 , a 2 ,L , a n ) {ai}C

Ci E-1

N 0N 1

Pi R

n(rx, ry) s t |x| Xmax Xmin


List of Abbreviations

AES     Advanced Encryption Scheme
CBC     Cipher Block Chaining Mode
CFB     Cipher Feedback Mode
CKBA    Chaotic Key-based Algorithm
DCT     Discrete Cosine Transform
DES     Data Encryption Scheme
ECB     Electronic Code Book Mode
ECC     Elliptic Curve Cryptography
ECDH    Elliptic Curve Diffie-Hellman Protocol
ECDLP   Elliptic Curve Discrete Logarithm Problem
HCIE    Hierarchical Chaotic Image Encryption
IDEA    International Data Encryption Algorithm
IFP     Integer Factorization Problem
KDC     Key Distribution Center
LFSR    Linear Feedback Shift Register
MDN     Median
MN      Mean
NIST    National Institute of Standards and Technology
NPCR    Number of Pixels Change Rate
OFB     Output Feedback
PGP     Pretty Good Privacy
RSA     Rivest-Shamir-Adleman
SD      Standard Deviation
UACI    Unified Average Changing Intensity
XNOR    Bitwise Exclusive-NOR
XOR     Bitwise Exclusive-OR


Chapter 1

Introduction

1.1 Motivation and Objective

In recent years, audio-visual information sharing has become more prevalent with the rapid development of the Internet. Real-time multimedia applications have also been made possible by the advancement of mobile communication technologies. However, in open networks, sensitive information such as military and medical images is at risk of unauthorized interception. The development of robust cryptographic schemes is thus essential to the provision of multimedia security. For textual information, this need can be met by the direct application of many well-established encryption schemes such as Data Encryption Scheme (DES) [1], International Data Encryption Algorithm (IDEA) [2] and Advanced Encryption Scheme (AES) [3]. However, the case of multimedia information in real-time communication is different and is hard to handle with traditional schemes. This is because the intrinsic properties of audio-visual information, such as bulk data capacity, strong pixel correlation and high redundancy, lower the encryption performance.

Since traditional encryption schemes do not fit modern multimedia requirements, much research has been devoted to investigating better solutions for image and video encryption. In particular, the application of chaos theory to multimedia encryption is one of the important research directions. The field of chaotic cryptography has undergone tremendous growth over the past few decades. The primary motivation for employing chaotic systems is their simplicity in form and complexity in dynamics. According to the classification of chaotic systems, the security applications of chaos can be divided into analog chaotic secure communications utilizing continuous dynamical systems [4, 5] and digital chaotic cryptosystems utilizing discrete dynamical systems [6 - 8]. With today's computer technology, realizing chaos in the digital domain is the more vital of the two for security applications running on finite precision machines.

In response to the aforementioned challenges in protecting multimedia content, the objective of this research work is specifically oriented towards analyzing chaos-based image encryption schemes. Many existing schemes in this category are found to achieve merely moderate or even low security. Only a few of them [9 - 11] promise to achieve sufficient security, but without maintaining a satisfactory speed performance. Our work is to modify and optimize some existing chaotic image encryption schemes so as to raise their efficiency to the level required for real-time operation. In this regard, two efficiency enhancements are proposed for the main components of typical chaos-based image cryptosystems: the chaotic confusion and pixel diffusion processes. The superior results of the numerical and security analyses justify the feasibility of the proposed schemes in a real-time communication environment.


1.2 Outline of the Thesis

Chapter 2 covers the fundamentals and terminology of cryptography, including the issues of private-key cryptography and public-key cryptography. Note that the chaotic image encryption schemes under study fall into the category of private-key cryptosystems. In order to give a clear background for the remaining chapters, the types of ciphers and modes of operation in private-key cryptosystems will be explicitly highlighted. In addition, some modern cryptographic standards such as DES, AES and RSA will be discussed.

Chapter 3 gives an overview of chaotic cryptography. The illustration of chaos theory will start with some widely studied one-dimensional (1D) and two-dimensional (2D) chaotic maps. Given the background on chaotic properties, the similarities and differences between chaotic maps and cryptosystems will then be analyzed. Based on these relationships, a more detailed description of existing chaotic image encryption schemes will be given, together with design considerations and a list of particular cryptanalyses.

Chapter 4 presents a modified approach to the confusion process in typical chaotic image cryptosystems through a special review of an image encryption scheme using the 2D chaotic standard map. The principle of this approach, including the encryption and decryption procedures, will be explained in detail. The security evaluation of the proposed scheme will be provided after the design principle.

In Chapter 5, our attention turns to the effectiveness of the diffusion process, which is another important component in image cryptosystems. The goal is to investigate a light-weight replacement for this process, which commonly requires real-valued computation and subsequent integer quantization. The problems will be elaborated through two practical examples of existing schemes based on the 1D logistic map. With suitable use of table lookup techniques, a new diffusion approach will be proposed. The corresponding image encryption scheme, together with security considerations, will be provided.

Finally, we conclude our work in this thesis and give some remarks on future research in Chapter 6.


Chapter 2

Fundamentals of Cryptography

In this chapter, the basic principles of cryptography will be introduced as a foundation for the remaining chapters of this thesis. In Section 2.1, the background of cryptography and some terminologies will be covered. The issues of private-key cryptography will be presented in Section 2.2, while the introduction of public-key cryptography will be provided in Section 2.3. A summary will finally be given in Section 2.4.

2.1 Background

Confidential communication has long been a common practice in social life. However, as information can be communicated electronically, it is exposed in the public domain and is unavoidably subject to interception. Cryptography is a scientific approach to meeting the demand for security. The term cryptosystem, also called cipher, is often used in cryptography; it refers to an encryption system. The central idea of encryption is to transform the message so that its original information can only be reconstructed by a designated recipient. By definition, a message in its original form is known as plaintext P, and the information concealed in an unintelligible form is known as ciphertext C. The encryption process consists of an algorithm and a key. It is generally described as C = E(P, ke), where ke is the encryption key and E( ) is the encryption algorithm. The ciphertext C can therefore be transmitted over public channels without exposing the information it represents. Similarly, the corresponding decryption process is the reverse of encryption: it takes the ciphertext C and the decryption key kd and reconstructs the original plaintext, P = D(C, kd), where D( ) = E^-1( ). The principle of the encryption process is depicted in Figure 2.1. As an illustration, the Caesar cipher is chosen, which is the simplest and most classical cipher, attributed to Julius Caesar [12].

[Figure 2.1: block diagram. Plaintext P (e.g. CITYU) is encrypted with encryption key ke=3 into ciphertext C (e.g. FLWBX), sent over a public channel, and decrypted with decryption key kd=3 back into plaintext P (e.g. CITYU).]

Figure 2.1 The encryption process performed by Caesar cipher.

In this example, the encryption algorithm shifts each plain letter forward by ke letter positions, while the decryption algorithm is similar but shifts in the reverse direction by kd letter positions. The keys ke and kd in this example are predefined as 3. For instance, the letter A is replaced by D, the letter B is replaced by E, and consequently CITYU would be replaced by FLWBX. In this way, a confidential communication between the sender and the receiver can be realized. Obviously, it is possible to complicate the encryption algorithm by incorporating some additional operations, such as replacing each letter by another letter or by multiple letters. Such an approach is known as a substitution, and examples of early substitution ciphers include the Affine cipher, the Vigenere cipher and the Playfair cipher [13]. Indeed, the substitution-based approach is still employed in many modern complex cryptosystems, to be presented in Section 2.2.

According to Kerckhoffs' principle of secure cryptosystems [14], the security should depend on the secrecy of the key, not on the secrecy of the encryption/decryption algorithm that was used. In other words, it is assumed that the algorithm is publicly known, yet decryption of a message is infeasible given only the ciphertext and knowledge of the algorithm. Shannon pointed out two fundamental operations required for cipher design, namely confusion and diffusion [15]. The former refers to a transformation which obscures the statistical dependence between the plaintext and the ciphertext, so that attempts at key discovery are frustrated. This can be achieved by using complex substitution algorithms. The latter means dissipating the statistical structure of the plaintext by spreading it out over the ciphertext. That is, every ciphertext block is affected by many (ideally all) plaintext blocks.

With respect to the relationship between the cryptographic keys ke and kd, two important classes of cryptography are derived: private-key cryptography and public-key cryptography. For a private-key cryptosystem, ke and kd are either the same or one can easily be deduced from the other, whereas a pair of separate keys is required in a public-key cryptosystem, i.e. ke ≠ kd. Typically, it is also impractical to seek a relationship between the keys without the knowledge of some additional information. In today's information security, both branches of cryptosystems are of significant importance and neither can substitute for the other. A more detailed discussion of these two kinds of cryptosystems will be given in the following sections.

2.2 Private-key Cryptography

In brief, the principle of private-key cryptography, as shown in Figure 2.2, is that the sender and receiver agree on a common secret key k before they can communicate securely. Similar to the generic encryption model described in Figure 2.1, the ciphertext C is unintelligible without the aid of the secret key k. Such an unintelligible piece of information can finally be transformed back into the original plaintext P by the receiver possessing the same key. However, it should be stressed that a secure channel between the parties for key agreement is critical but practically inconvenient to arrange. This is referred to as the key distribution problem. As a remedy, a key distribution center (KDC) together with some associated protocols is suggested for secret key establishment.

Figure 2.2 Private-key cryptography scenario. (Diagram labels: Sender, Encryption, plaintext P, ciphertext C, public channel, Decryption, Receiver, recovered plaintext P, secret key k, secure channel.)

2.2.1 The Encryption Process

Information is represented by a sequence of bits for storage and manipulation. In private-key cryptography, the structure of ciphers can generally be divided into two types, namely, block cipher and stream cipher.

i. Block cipher

In the course of block encryption, a fixed-length block of bits is operated on at a time. Each block is encrypted into another block of the same size. The block size determines the security and complexity of the cipher. For a simple block cipher, each plaintext block is usually processed independently with the same key. In addition, a short last block of plaintext needs to be padded with zero bits. This way of operating the cipher is called Electronic Code Book (ECB) mode [16]. In ECB mode, repeated plaintext blocks are transformed into the same corresponding ciphertext blocks. The ECB mode is particularly insecure for highly structured plaintext. To overcome this problem, three other modes of operation, namely, Cipher Block Chaining (CBC), Cipher Feedback (CFB) and Output Feedback (OFB) are defined. In CBC mode, each plaintext block is combined with the previous ciphertext block by an Exclusive-OR (XOR) operation before being encrypted. This overcomes the problem of ECB mode because the same plaintext blocks turn into different ciphertext blocks. On the other hand, the plaintext blocks are linked together in the encryption operation. Under this circumstance, a single bit change in one plaintext block will propagate to the corresponding ciphertext block and all subsequent ciphertext blocks. Because of its added security, CBC is the most commonly used block cipher mode. The same effect can also be achieved by the CFB mode. With CFB mode, a shift register is required whose content, together with a certain number, say j, of bits of the previous ciphertext, serves as the encryption input. The output of the encryption function appears to be pseudorandom and is then XORed with j bits of plaintext. The difference between OFB mode and CFB mode is that the content of the shift register in OFB is updated with the previous output of the encryption function instead of the ciphertext. The length of j in CFB and OFB modes can be any value up to the block size. Compared with CBC mode, it is possible to encrypt data in units smaller than the block size of the cipher in CFB and OFB modes.

ii. Stream cipher

In contrast to block ciphers, which operate on large plaintext blocks, stream ciphers operate on smaller units of data at a time. Typically, a random bit stream is required to serve as a keystream. It is then XORed with the plaintext stream to accomplish the encryption process. The keystream can generally be produced by two types of generators, namely, synchronous and self-synchronous. In the former, the keystream generated is independent of the plaintext stream. A bit lost in transmitting the ciphertext stream will cause a problem in decryption. When this happens, the keystream must be resynchronized for correct decryption. Compared with its synchronous counterpart, the basic difference of a self-synchronous stream cipher is that the keystream is computed from knowledge of the previous n ciphertext bits. When a bit is lost in transmission, such a keystream will resynchronize itself after a sufficient number of correct ciphertext bits have been obtained. This can be easily realized by the use of a linear feedback shift register (LFSR) [12]. Owing to their simplicity, the encryption speed of stream ciphers is faster than that of block ciphers. They are more applicable for telecommunications and real-time data transmission such as video streaming.
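The ECB and CBC behaviour described under block ciphers above, as an added example that is not code from the thesis. The 4-round Feistel cipher built from SHA-256 is only a stand-in for a real 128-bit block cipher, and the key, IV and 64x64 test image are constructed for this illustration.

```python
import hashlib

BLOCK = 16  # bytes, i.e. a 128-bit block

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Round function of the stand-in Feistel cipher (an assumption, not a standard cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(rounds):
        left, right = right, xor_bytes(left, round_fn(right, key, r))
    return left + right

def decrypt_block(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(rounds)):
        left, right = xor_bytes(right, round_fn(left, key, r)), left
    return left + right

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def zero_pad(data: bytes) -> bytes:
    # Pad a short last block with zero bits, as the text describes.
    return data + bytes(-len(data) % BLOCK)

def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    # Every block is encrypted independently with the same key.
    return b"".join(encrypt_block(b, key) for b in split_blocks(zero_pad(data)))

def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block first.
    out, prev = [], iv
    for b in split_blocks(zero_pad(data)):
        prev = encrypt_block(xor_bytes(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split_blocks(data):
        out.append(xor_bytes(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def flat_image(size: int = 64, background: int = 200, square: int = 30) -> bytes:
    # Constructed gray-level image: bright background with a dark 32x32 square.
    rows = []
    for y in range(size):
        row = bytearray([background] * size)
        if 16 <= y < 48:
            row[16:48] = bytes([square] * 32)
        rows.append(bytes(row))
    return b"".join(rows)

def changed_blocks(a: bytes, b: bytes) -> list:
    # Indices of the ciphertext blocks that differ between two encryptions.
    pairs = zip(split_blocks(a), split_blocks(b))
    return [i for i, (x, y) in enumerate(pairs) if x != y]

KEY = b"constructed key!"   # constructed 16-byte key
IV = bytes(range(BLOCK))    # fixed so the run is reproducible; real CBC needs an unpredictable IV
IMAGE = flat_image()        # 4096 bytes = 256 blocks

# Repeated plaintext blocks: ECB keeps the repetition, CBC hides it.
ECB_DISTINCT = len(set(split_blocks(ecb_encrypt(IMAGE, KEY))))
CBC_DISTINCT = len(set(split_blocks(cbc_encrypt(IMAGE, KEY, IV))))

# Flip one bit in plaintext block 100 and see which ciphertext blocks change.
_flipped = bytearray(IMAGE)
_flipped[100 * BLOCK] ^= 1
FLIPPED = bytes(_flipped)
ECB_CHANGED = changed_blocks(ecb_encrypt(IMAGE, KEY), ecb_encrypt(FLIPPED, KEY))
CBC_CHANGED = changed_blocks(cbc_encrypt(IMAGE, KEY, IV), cbc_encrypt(FLIPPED, KEY, IV))

if __name__ == "__main__":
    print("distinct ciphertext blocks  ECB:", ECB_DISTINCT, " CBC:", CBC_DISTINCT)
    print("blocks changed by one bit   ECB:", len(ECB_CHANGED), " CBC:", len(CBC_CHANGED))
```

The two distinct ECB ciphertext blocks correspond to the two gray levels of the image, so the outline of the square stays visible in the ECB output.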

2.2.2 Typical Private-key Cryptosystems

All of the notably known private-key cryptosystems exhibit the cryptographic properties desired in a block cipher. Some of them have become the cryptographic standards in the past few decades. In this sub-section, three typical cryptosystems will briefly be covered.

i. Data Encryption Standard

Data Encryption Standard (DES) [1] was developed by IBM researchers and was adopted by the National Institute of Standards and Technology (NIST) in 1977. As a private-key block cipher, DES operates on 64-bit blocks of plaintext, while the block encryption is governed by a 56-bit key. Aiming at achieving the confusion and diffusion properties, DES follows a Feistel cipher-like implementation which iteratively performs 16 rounds of permutation and substitution transformations called S-boxes and P-boxes, respectively. In this case, a key schedule is specified to generate the 16 sub-keys used in the rounds. However, people have recognized that the key space of DES is insufficient to resist brute-force attacks using today's powerful computers. Other than brute-force attacks, differential cryptanalysis [17] and linear cryptanalysis [18] were also carried out successfully by investigating some specific plaintext-ciphertext pairs of DES in the early 1990s.

ii. International Data Encryption Algorithm

In 1990, Lai and Massey proposed the International Data Encryption Algorithm (IDEA) cryptosystem, which is designed to be stronger against differential cryptanalysis than DES [2]. The security relies on employing a 128-bit secret key and interleaving groups of operations such as modular addition and multiplication. It is adopted as a message encryption algorithm in a hybrid encryption package called Pretty Good Privacy (PGP). However, the patent practice and commercialization of IDEA greatly limit its deployment in the community.

iii. Advanced Encryption Standard

Since security deficits were found in DES, the need for a stronger alternative was officially declared by NIST. After calls for proposals, a Belgian cipher, Rijndael [19], was eventually adopted as the Advanced Encryption Standard (AES), a successor of DES, in 2001. It is also an iterated block cipher with a scalable key length which can be 128, 192 or 256 bits. In the core of the AES algorithm, there is no Feistel cipher-like structure. However, the entire block of input data can be processed in parallel and intertwined with operations such as substitutions, row shifting, column mixing and round key additions. In this regard, the new AES with an expanded key length has many potential advantages over other block ciphers by offering a more secure and faster implementation. Many recent security applications have been migrated to meet this new standard.

2.2.3 Brief Review on Some Existing Image Encryption Schemes

In general, the confidentiality of multimedia data such as digital images and video can be safeguarded by means of private-key cryptography. The techniques mentioned in the previous sub-section are considered general-purpose encryption methods. Besides, some encryption techniques particularly dedicated to images indeed form the basis for video encryption. As an extension of the related topics, a few advanced private-key image encryption techniques will be covered in the following.

i. Selective Bitplane Encryption

To achieve fast encryption, image encryption schemes are often designed to encrypt only a portion of an image rather than the entire image. In this way, the amount of computation is reduced and this approach is regarded as selective image encryption [20]. Gray level images are usually composed of eight bitplanes. The higher-order bitplanes contain the majority of the visually significant and strongly correlated data of the plain image, whereas the remaining ones contribute more subtle details of the image. Based on this observation, a selective bitplane encryption scheme is proposed [21]. AES is selected as the encryption function in this scheme. Undoubtedly, the underlying security is subject to the portions of the bitplanes to be encrypted. From the experiments, it is not suggested to encrypt merely the most significant bitplane, which can be reconstructed from the unencrypted residual bitplanes. However, there seems to be no convincing method to determine the portions of the bitplanes to be encrypted.

ii. SCAN-based Image Encryption

A formal language (SCAN) is intended to describe and generate multiple two-dimensional (2D) spatial accessing orders from a short set of simple ones [22]. It was first employed for image encryption in [23]. The plain image is initially serialized into a one-dimensional data stream which is then described by the SCAN language. Several scanning orders are expressed as the corresponding SCAN letters. Different SCAN strings (combinations of SCAN letters) form different kinds of secret images. The SCAN string serves as an encryption key bound to a given 2D image array. The encryption procedure is to rearrange the image into a final sequential representation. Each secret image assembled in the processing of the SCAN string is combined with additive noise inserted at particular image points. Since no one except the intended user can obtain the correct SCAN combinations, the original image is therefore considered confidential.

iii. Embedding Image Compression into Encryption

The abovementioned schemes are devoted to uncompressed image data. For compressed images, some special measures are required before directly combining encryption and compression. In [24], a framework is proposed for fast encryption by entropy encoders such as the Huffman coder. In entropy coding, the statistical model is used to decode the compressed bit stream. It is therefore suggested that multiple statistical models be used alternately in a certain secret order to encode the input symbol stream. Through security analyses, the proposed scheme is proved to be effectively applicable to both multiple Huffman coding tables of the Huffman coder and multiple state indices of the QM coder. However, it should be noted that the original image can be correctly reconstructed only if its input is identical to the output of the encoder. There is also a concern about the codec dependence of this kind of scheme [25]. Nevertheless, the potential for integrating encryption with multimedia compression at low computational cost is promising.

iv. Chaotic Image Encryption

Recently, a widely studied approach to image encryption is based on chaos theory, which is well established and simple but exhibits complicated dynamics. In [26], a symmetric encryption scheme based on two-dimensional chaotic maps is proposed. A two or higher dimensional discretized chaotic map is adopted for pixel permutation together with another one-dimensional (1-D) map for diffusion. The main advantages of such chaos-based approaches are a relatively large block size and a high encryption rate. More detailed investigations of chaotic image encryption schemes will be discussed in the following chapters.

2.3 Public-key Cryptography

Apparently, a key establishment protocol and a KDC server can be utilized to deal with the key distribution problem caused by private-key cryptography. However, because the KDC must be present online, the server becomes a single point of failure once it goes down in the network. The centralized approach is probably not a complete solution to the key distribution problem. The true solution was not available until the proposal of public-key cryptography introduced by Diffie and Hellman in 1976 [27]. In the following, the idea of public-key cryptography will be explained.

2.3.1 Principle of Public-key Encryption

Unlike private-key cryptography, secret keys are not shared via a secure channel. Instead, each party has a pair of keys, called private key and public key. Typically, the public key for encryption is announced openly, while the private key for decryption is kept strictly secret. More importantly, it is computationally infeasible to derive the private key from the corresponding public key. Thus, all communications involve public key only, but not private key. The communication model of public-key cryptography is illustrated in Figure 2.3. Initially, each concerned party is associated with a key pair in the form of , denoted by for the sender and for the receiver. The public keys of both parties are assumed to be publicly accessible to all parties throughout their communication.

Figure 2.3 Public-key cryptography scenario. (Diagram labels: Sender, Encryption, plaintext P, receiver's public key Krecv, ciphertext C, public channel, Decryption, Receiver, receiver's private key krecv, recovered plaintext P.)

To establish a confidential communication as shown in Figure 2.3, the sender first encrypts the plaintext P using the receiver's public key and obtains the ciphertext C = E(P, Krecv), where E( ) is the encryption function. When C is available at the receiver side, it is decrypted by the receiver using its private key and transformed back into the original plaintext P = D(C, krecv), where D( ) is the decryption function. For eavesdroppers who have sniffed the key Krecv and the encrypted message C, this is still insufficient to determine the original message as long as no one, except the receiver, has knowledge of krecv. The ciphertext C can be transmitted publicly without exposing the information it represents. Since krecv is never disclosed over public channels, a public-key cryptosystem is said to be free from the key distribution problem. In addition, it also provides some significant cryptographic functions for data origin authentication in digital signatures, non-repudiation services and session key distribution services in an efficient way. Mathematically, the arrangement of a key pair can be described as a one way trapdoor function. Such a function is easy to compute in one direction, but its reverse is infeasible without some additional information. Very often, the encryption function controlled by the public key acts as a one way function, while the private key forms a decryption trapdoor. In other words, the security of public-key cryptosystems is entirely related to the underlying mathematical problem of computing a private key from the matched public key. The more complex the mathematical problem, the more secure the cryptosystem. Although no function has been proved to be an absolute one way trapdoor function, some known mathematical problems are considered to be computationally hard within the scope of current computing means. Examples are the Integer Factorization Problem (IFP) and the Elliptic Curve Discrete Logarithm Problem (ECDLP). The mathematical basis of public-key cryptosystems will be explored in the next sub-section.

2.3.2 Typical Public-key Cryptosystems

i. RSA

RSA [28] was developed by three MIT researchers, Rivest, Shamir and Adleman, shortly after the discovery of public-key cryptography. It relies on discrete logarithm and factorization of large prime numbers. To get the scheme started, a pair of keys is initiated with the steps of choosing large prime numbers p and q, say of 100 digits, and then multiplying them together to get the product n, i.e. n = pq. The sender determines numbers e and d such that

$$ed = 1 \pmod{(p-1)(q-1)}, \tag{2.1}$$

where e is relatively prime to $(p-1)(q-1)$ and d is the multiplicative inverse of e modulo $(p-1)(q-1)$. In this way, the public key denoted by e, n is publicly issued, while the private key denoted by d, p, q is kept secret. In RSA, the plaintext is encrypted block by block. It is divided into k-bit blocks where $2^k < n$. The encryption and decryption are formulated by Eqs. (2.2) and (2.3), respectively

$$C = P^e \pmod{n}, \tag{2.2}$$

$$P = C^d = (P^e)^d = P^{k(p-1)(q-1)+1} = P \pmod{n}, \quad \text{by Euler's Theorem} \tag{2.3}$$

where P is the plaintext block, C is the ciphertext block and k is an integer. The integer factorization problem here is the assumption that, given only n, it is not computationally feasible to find $(p-1)(q-1)$ without knowledge of p and q. Over decades, the factorization problem has been challenged by many trial attacks such as the Number Field Sieve (NFS). As of today, 512-bit RSA keys, which were formerly considered adequate for use, are now questionable.

ii. Elliptic curve cryptosystem

The elliptic curve cryptosystem (ECC) is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP), in which the entities are points on certain parts of an elliptic curve. The use of elliptic curves for public-key cryptographic schemes was suggested by Koblitz [29] and Miller [30] independently in 1985. The underlying mathematical problem concerns two points P and Q on the curve such that Q = kP where k is a scalar. With the knowledge of k and P, it is easy (at least not hard) to obtain the scalar multiplication kP. Interestingly, the inverse, finding k given P and kP, is intractable. In such a system, P and kP can be made public whereas k is the decryption trapdoor which must be kept secret. Theoretically, ECC is the best alternative to the RSA system since it possesses a higher security with a shorter key length. In application, ECC devices require less memory storage and power than others. It is particularly suited to deployment on constrained platforms, such as wireless devices, PDAs and smart cards.

2.4 Summary

In this chapter, the goals and common terminologies of cryptography are explained with the aid of the well-known Caesar cipher. Following the ideas of Kerckhoffs and Shannon, some important issues of cipher design are outlined. Moreover, by defining the use of cipher keys, two cryptographic schemes, namely private-key cryptosystems and public-key cryptosystems, and their encryption techniques are discussed. As mentioned above, public-key cryptography overcomes the key distribution problem found in private-key cryptography. However, public-key cryptosystems are derived from complex mathematical systems and are thus more computationally intensive than their private-key counterparts. In general, private-key cryptosystems are mainly utilized for data confidentiality services. Other than traditional schemes such as DES, IDEA and AES, some specific private-key variants are also proposed as enhancements to the traditional ones [20]. In particular, attempts to integrate chaotic dynamics and cryptosystems have been made [6, 7 & 26]. An investigation of this new research direction and its application to multimedia security will be discussed in the following chapters.

Chapter 3

Chaotic Cryptography

Chaos in nature is multidisciplinary, broadly covering physics, mathematics, communications, engineering and so on. The first notion of applying chaos to encryption appeared in Shannon's famous paper on cryptography in 1949 [15]. As the principle of contemporary cryptographic design, he pointed out that: "In a good mixing transformation functions are complicated, involving all variables in a sensitive way. A small variation of any one (variable) changes (all the outputs) considerably." This refers to the concept of confusion and diffusion, which can be connected to the fundamental properties of chaotic systems such as ergodicity and sensitivity to initial conditions. Recall that traditional cryptographic schemes mainly rely on complicated algebraic operations. Interestingly, chaotic systems exhibit attractive complex dynamics but exist in a relatively simple form. In this sense, it is feasible to employ chaos theory in cryptography. Over the past decades, the field of chaos-based cryptography has become more and more popular in the research literature. In this chapter, an overview of chaotic cryptography will be presented. Section 3.1 will illustrate the concept of chaos theory by some widely studied chaotic maps. In Section 3.2, the fundamental properties of chaotic systems will be described as a background for the following sections. The similarities and differences between chaotic systems and cryptosystems will then be investigated in Section 3.3. In particular, the issue of chaotic image encryption will be discussed in Section 3.4, while a summary will be given in Section 3.5.

3.1 Introduction to Chaotic Maps

In a scientific context, one general description of chaos is an unpredictable and random-like long-term evolution that results from deterministic nonlinear systems. The simplest class of chaotic dynamic systems is one-dimensional chaotic map which is a difference equation of the form x n +1 = f ( x n , ) , n = 0, 1, 2, 3, (3.1)

where the state variable x and the system parameter are scalars, i.e., x, R, and f is a mapping function defined in the real domain R R. As for an introductory purpose from here on, only one- and two-dimensional chaotic maps are briefly discussed.

3.1.1 One-dimensional Chaotic Maps

From Eq. (3.1), it can be seen that one-dimensional (1D) chaotic maps are those in which the value of $x_{n+1}$ is determined only by $x_n$. More specifically, this is known as a recurrence relation. In chaotic dynamics, iteration is involved, which means evaluating the map f over and over. The first example considered is the tent map, which is described as follows [31]:

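$$x_{n+1} = a\left(1 - 2\left|x_n - \tfrac{1}{2}\right|\right) = \begin{cases} 2a x_n & \text{if } 0 \le x_n \le \tfrac{1}{2}; \\ 2a(1 - x_n) & \text{if } \tfrac{1}{2} < x_n \le 1. \end{cases} \tag{3.2}$$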

where a > and $x_n \in [0,1]$. In addition, the tent map is a piecewise-linear map that is confined to the interval [0, 1], while the trajectory of the map is shown in Figure 3.1. In the figure, the map parameter is chosen as $a = \tfrac{3}{4}$.

Figure 3.1 A plot of the tent map with parameter $a = \tfrac{3}{4}$.

Another example is the logistic map, which was originally proposed to describe a population growth model [32]. The map is quadratic and thus nonlinear with the following expression:

$$x_{n+1} = b x_n (1 - x_n), \tag{3.3}$$

where b is the control parameter governing the chaotic behavior. To ensure $x_n$ stays in the range [0, 1], parameter b has to be in the range [0, 4]. Figure 3.2 shows the trajectory of the map with b = 3.999. Both the tent and the logistic maps exhibit a maximum at $x_n = \tfrac{1}{2}$. In the next section, the logistic map is explicitly chosen as a typical study case of chaotic behavior.

Figure 3.2 A plot of the logistic map with parameter b = 3.999.

3.1.2 Two-dimensional Chaotic Maps

The simplest possible case of a multi-dimensional map is a two-dimensional (2D) map. Some well-studied examples to be covered in this sub-section include the baker map, the cat map and the standard map. They also possess the superior properties found in chaos, but are often described geometrically. More importantly, the nature of 2D maps is more favourable for chaotic image encryption than the 1D counterpart studied in the last sub-section.

i. Baker map

The baker map is a one-to-one map of the unit interval [0, 1] into itself and is given by [33]:

$$x_{n+1} = 2x_n \pmod 1, \qquad y_{n+1} = \begin{cases} \tfrac{1}{2} y_n & \text{if } 0 \le x_n < \tfrac{1}{2}, \\ \tfrac{1}{2}(y_n + 1) & \text{if } \tfrac{1}{2} \le x_n \le 1, \end{cases} \tag{3.4}$$

where $(x_n, y_n) \in [0,1]$ and x mod 1 refers to the fractional part of a real number x. One characteristic of the map resembles the stretch-and-fold mechanism shown in Figure 3.3. An interval is elongated horizontally to twice its length, then split in half and piled up. In this way, the map is considered topologically mixing.

Figure 3.3 An illustration of baker map in the unit square (a) before action; (b) being stretched and (c) being folded.

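ii. Cat map

Another well-studied example is the Arnold cat map, or simply cat map, named after the Russian mathematician Vladimir Arnold, who discovered it using an image of a cat [34]. It is described by:

$$\begin{bmatrix} x_{n+1} \\ y_{n+1} \end{bmatrix} = \begin{bmatrix} 1 & 1 \\ 1 & 2 \end{bmatrix} \begin{bmatrix} x_n \\ y_n \end{bmatrix} \bmod 1. \tag{3.5}$$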

A property of particular interest in the study of 2D invertible maps is area preservation. This property is also found in the cat map, as the determinant of its transform matrix is equal to 1. Similar to the baker map, Figure 3.4 explains the stretch-and-fold mechanism behind the cat map in a geometrical way.

Figure 3.4 An illustration of cat map in the unit square.

iii. Standard map The standard map is a perturbed twist map which results from periodic impulsive kicking of the rotor written in the form [31, 35]: n +1 = ( n + J n ) mod 2 , J n +1 = J n + k sin n +1 mod 2 ,

(3.6)

where ( J n , n ) [0,2 ] and k (> 0) is kicking strength. Note that the maps mentioned above belong to the category of a coupled map. In geometry, the two equations of the map are dependent on each other in how they act on the coordinates of a point. In [36], it has also been proved that the map preserves area in ( J , ) -space by calculating the Jacobian of the map as follows: n det n +1 J n +1 n n +1 J n 1 1 = 1. = det k cos J n +1 J n 1 + k cos n +1 n +1

(3.7)

The above mathematical proof implies that the map in Eq. (3.6) is also a bijection onto itself in the unit space. The application of the three invertible chaotic maps will be described extensively in Section 3.4.

3.2 The Important Properties of Chaotic Maps

This section looks more closely at some important properties that characterize chaotic maps. They include sensitive dependence on initial conditions, sensitive dependence on system parameters and mixing in phase space. To facilitate the discussion, the logistic map is used as an example to illustrate the following properties.

3.2.1 Sensitive Dependence on Initial Conditions

High sensitivity to initial conditions is commonly considered the hallmark of chaos. To illustrate the point, two cobweb diagrams, shown in Figure 3.5, depict the effect of perturbing the initial value of the logistic map, with x0 = 0.7 and x0 = 0.700001 under the same parameter b = 3.999999. In the figure, the trajectories after 100 iterations are computed. As observed, even a tiny perturbation ($< 10^{-6}$) in the initial value x0 turns out to produce a tremendous difference in the trajectory and output in the long term.

Figure 3.5 Cobweb diagram of logistic map with (a) x0 = 0.7, (b) x0 = 0.700001.

3.2.2 Sensitive Dependence on System Parameters

In chaotic domain, the sensitive dependence is not limited to its initial values, but also in system parameters. Figure 3.6 plots two trajectories of a logistic map which are specified with b = 3.999999 and b = 3.999998.

Figure 3.6 Variation in trajectories of the logistic map due to minor differences in system parameter b = 3.999999 and b = 3.999998.

Since the studied maps are configured with parameters that differ by an arbitrarily small amount, it might naturally be expected that their trajectories should pass through the phase space in a similar way. In the figure, the trajectories are similar only in the first few iterations and then diverge exponentially over the iterations.

3.2.3 Ergodicity

The ergodic property of a chaotic system is often linked with the concept of mixing. Roughly speaking, this means that any trajectory of the map will not be restricted to a small region of the phase space, whatever point x in the space it starts from. In this regard, the distributions of a number of logistic trajectories, iterated $10^4$ times with random initial values and random system parameters (b > 3), were investigated. Apart from the transient effect in the first few iterations, it is found that all the distributions spread evenly in the phase space and are quite close to each other. Figure 3.7 depicts the typical distribution of a trajectory of the logistic map.

Figure 3.7 A typical distribution of trajectory of the logistic map after $10^4$ iterations.
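The three properties of Sections 3.2.1 to 3.2.3 can be checked numerically with the values quoted above. This is an added example, not code from the thesis; the starting point x0 = 0.7 for the parameter test, the divergence threshold of 0.1, the ten histogram bins and the 100-iterate transient are assumptions made here.

```python
def logistic_orbit(x0, b, n):
    """Return [x_0, x_1, ..., x_n] for x_{k+1} = b * x_k * (1 - x_k), Eq. (3.3)."""
    orbit = [x0]
    for _ in range(n):
        x = orbit[-1]
        orbit.append(b * x * (1.0 - x))
    return orbit

def first_divergence(orbit_a, orbit_b, threshold=0.1):
    """Index of the first iterate at which two orbits differ by more than
    `threshold` (assumed value), or None if they never do."""
    for i, (u, v) in enumerate(zip(orbit_a, orbit_b)):
        if abs(u - v) > threshold:
            return i
    return None

def occupancy(orbit, bins=10, skip=100):
    """Histogram of an orbit over equal-width bins of [0, 1], after dropping
    the first `skip` iterates as the transient."""
    counts = [0] * bins
    for x in orbit[skip:]:
        counts[min(int(x * bins), bins - 1)] += 1
    return counts

N = 100  # iterations, as in Figure 3.5

# 3.2.1: same parameter, initial values 0.7 and 0.700001
base = logistic_orbit(0.7, 3.999999, N)
perturbed_x0 = logistic_orbit(0.700001, 3.999999, N)

# 3.2.2: parameters 3.999999 and 3.999998; x0 = 0.7 is assumed here
perturbed_b = logistic_orbit(0.7, 3.999998, N)

DIVERGE_X0 = first_divergence(base, perturbed_x0)
DIVERGE_B = first_divergence(base, perturbed_b)

# Largest gap over the first five iterations: the orbits still look alike.
EARLY_GAP_X0 = max(abs(u - v) for u, v in zip(base[:6], perturbed_x0[:6]))

# 3.2.3: where does one orbit of 10^4 iterations spend its time?
# Every bin is visited. For b this close to 4 the bins nearest 0 and 1
# collect the most points, which matters once values are quantized.
COUNTS = occupancy(logistic_orbit(0.7, 3.999999, 10_000))

if __name__ == "__main__":
    print("orbits more than 0.1 apart from iteration:", DIVERGE_X0, "(x0),", DIVERGE_B, "(b)")
    print("largest gap in first 5 iterations:", EARLY_GAP_X0)
    print("bin counts over [0, 1]:", COUNTS)
```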

3.3 Relationship between Cryptosystems and Chaotic Systems

In the literature, it has been found that there exists a close relationship between traditional cryptosystems and chaotic systems (maps) in many aspects [26, 36 & 37]. It is suggested that chaotic systems possess many superior dynamical properties which correspond analogously to those required in cryptosystems. According to the investigation made in [37], the common relationships which promote chaos theory into practical cryptographic design are summarized in Table 3.1. In particular, the notion of confusion in traditional cryptosystems causes plaintext to be transformed into random ciphertext such that there should be no repeated pattern in the ciphertext. By the same token, the trajectories of chaotic systems pass through all points of the phase space, generally with uniform distribution. In other words, it is very difficult to predict the final position of one point from its initial position. It is indeed the concept of ergodicity which can be associated with confusion in cryptosystems.

| Chaotic systems | Traditional cryptosystems |
| --- | --- |
| Ergodicity | Confusion |
| Sensitivity to initial condition and system parameters | Diffusion |
| Parameters | Encryption key |
| Iterations | Cipher rounds |

Table 3.1 A comparison of some features characterized by chaotic systems and traditional cryptosystems.

To develop a good cryptosystem, another essential design principle is the property of diffusion. With it, a totally different ciphertext results no matter which single bit of the key or plaintext is changed. This implies that the system is sensitive to the plaintext and its encryption key. On the other hand, recall that chaotic systems depend highly on initial conditions and parameters. A small variation in any of the system parameters or the initial point leads to a significantly diverged trajectory. In this regard, chaotic systems and cryptosystems can naturally benefit from each other. For security, cryptosystems confuse and diffuse the plaintext over a number of cipher rounds. Similarly, for chaotic systems, the initial region is ultimately scattered over the entire phase space via iterations. It is therefore expected that chaos theory can be exploited in the field of cryptography by taking the system parameters and initial condition as secret keys while considering the iterations of the chaotic map equivalent to rounds of the encryption function.

An elaborative example for the concept of chaos-based cryptography was given in [38]. For illustrative purpose, 1D chaotic map is assumed while the secret key is introduced to the initial condition as follows. Suppose be a 1D chaotic map to be employed in such a way that:

: [0,1] [0,1] ,

(3.8)

while P (0,1) be a plaintext to encrypt, and the ciphertext C is the output of the encryption. Given the secret key k and a natural number n for iterations of the map, we obtain: C = n ( P) = ( (L ( P ))) , (3.9)

where C are some selected pre-image of P under the map n . Then for encryption, k is incorporated to be an initial condition of the map which is formulated by

C = C + k (mod 1).Decryption is the reverse of encryption procedure described as: P = n (C k ).

(3.10)

(3.11)

It is clear that the aforementioned example is too simple and does not fully utilize the chaotic properties to resist strong cryptanalysis. However, it provides some insight, to a certain extent, into cryptographic design incorporating chaos theory. For example, even the property of sensitivity to initial conditions can considerably complicate the nature of encryption. It should also be stressed that chaos is defined over real numbers, unlike traditional cryptosystems that are defined over the integer set [37, 39]. Some studies on the phase space problem and possible supplementary measures such as defining approximate transformation functions have been carried out [40]. Nevertheless, comparing the nature of these two systems, traditional cryptographic algorithms usually involve series of complicated substitutions and permutations, whereas those used in chaos rely only on simple equations. Over the past few decades, chaotic cryptography has received much attention for the reasons discussed [6, 7 & 41].

3.4 Chaotic Encryption Schemes for Digital Images

In the preceding section, the integration of chaos-based techniques into data encryption was briefly introduced. In practice, for large-scale data encryption (or more precisely, multimedia encryption), it is rather difficult and slow to obtain real data permutation and diffusion by conventional means such as DES, IDEA and AES [42]. An example is a digital image, characterized by bulk data capacity and strong correlation among pixels. In this sense, a direct extension from document encryption to digital images may not be efficient without special modifications. Worse still, it poses the problem depicted in Figure 3.8 if conventional block ciphers are applied unwisely. Because of the high redundancy in areas with the same or similar colour in Figure 3.8(a), identical repeated patterns appear, as shown in Figure 3.8(b), when a block cipher is used in the ECB mode. The source code of the block cipher proposed in [43] is implemented here.

Figure 3.8 (a) plain image containing many areas with identical or similar gray levels, and (b) its corresponding encrypted image by Advanced Encryption Standard (AES) with both key size and block size 128-bit long running in the ECB mode.


It is clear that image encryption has its own requirements in contrast to textual encryption. The well-established chaos theory and the simplicity of discretized chaotic maps make chaos-based techniques even more suitable for image encryption than many traditional encryption schemes. The plain image can be swiftly shuffled and diffused by applying chaotic maps, which are usually derived from simple equations. Thus, they can provide a relatively fast and secure means for real-time data transmission over high-speed networks.

3.4.1 Review of Some Existing Chaotic Image Encryption Schemes

To deal with the challenges of image protection, increasing attention has been turned to chaotic approaches. An illustrative example of the general chaotic cryptographic design is given in Section 3.3. For better image encryption, the chaotic map is more than simply a functional block in the cipher. Instead, the map is commonly suggested as a pseudorandom bit generator forming part of the secret encryption operations [44], or as a means to scramble the entire image pseudorandomly [45–47], or both [9–11, 26 & 48–50]. The former encrypts the pixels with chaotic key streams to achieve security similar to that of classical stream ciphers. The latter, however, focuses on the effective permutation of pixel positions rather than their values, usually shuffling the whole image in a single step.

In particular, an inspiring concept of permutation realized by discrete versions of 2D chaotic maps was pointed out in a paper by Pichler and Scharinger in 1994 [47]. Since then, dedicated chaotic image encryption schemes have emerged in the literature. A few years later, in 1998, Fridrich [26] extended the work of Pichler and Scharinger by suggesting a more generalized approach adapting an invertible 2D chaotic map on a torus or on a square to create a symmetric block encryption scheme. In her design, an example based on the 2D baker map was given to illustrate the steps of cipher construction. The steps include choosing a chaotic map, generalizing it by introducing some parameters, discretizing the map, and extending the discretized map to three dimensions, composed with a simple diffusion mechanism. The details of the steps will be described in the next subsection.

On the other hand, Scharinger further proposed an encryption scheme based on chaotic Kolmogorov flow [48]. The basic idea is to take the whole image as a single block and then permute it through a chaotic system based on the Kolmogorov flow. In addition, a substitution based on a pseudorandom number generator formed by shift registers is performed, which renders the statistical information of the encrypted image. Generally speaking, the two combination schemes under study can provide a more structural framework and, more importantly, perform faster than classical schemes such as DES [26].

In 1999, a permutation-only image cipher called Hierarchical Chaotic Image Encryption (HCIE) was proposed by Yen and his research group [45]. As the name implies, HCIE applies encryption at several levels: (1) permuting image blocks, and (2) permuting pixels in each image block in four different directions. These are accomplished by a pseudorandom permutation matrix controlled by the binary sequence of the chaotic logistic map. The scheme is easy to implement and thus achieves fast operation. In 2000, another chaotic image encryption scheme called Chaotic Key-based Algorithm (CKBA) was proposed by the same group [44]. The scheme first generates a binary sequence based on the logistic map. According to the binary sequence generated, image pixels are rearranged and pseudorandomly XORed or XNORed with a sub-key from a predefined set. Unfortunately, the two schemes were later criticized in [51] and [52], respectively, which showed that neither the use of permutation in this fashion nor chaotic binary stream encryption is secure.

More recently, some other chaos-based image encryption schemes have been proposed. Guan et al. employed the 2D chaotic cat map [49] while Lian et al. employed the 2D standard map [9] for their cryptographic implementations. A detailed analysis of Lian et al.'s scheme will be provided in the next chapters. In general, these schemes mainly follow Fridrich's framework, adapting 2D permutation together with a simple diffusion process. In 2004, some of the most used 2D chaotic maps were also spatially extended to higher-dimensional versions such as the 3D cat map [10], 3D baker map [11] and 3D standard map [50].


Since a higher degree of chaotic properties is expected, the maps achieve better permutation of image pixels and thus fewer cipher rounds are required. A distinct step in such a modification is to pile up the 2D plain image into a 3D cube, which does consume a certain amount of computational time. Meanwhile, a chaotic diffusion process, namely XOR plus modulo operation, is performed in [10, 11]. This diffusion process will be explained explicitly in Chapter 5.

3.4.2 Architecture of Generic Chaos-based Image Cryptosystems

For image encryption, 2D or higher-dimensional chaotic maps are naturally employed because the image can be considered as a 2D array of pixels [53]. In the previous sub-section, some related examples [9–11, 26 & 48–50] were shown, all of which operate under Fridrich's framework. The properties of the framework provide a more stable speed performance with a higher degree of security. This has greatly influenced the design of chaos-based cryptosystems since. For a comprehensive study, the procedures of Fridrich's generalization [26] are summarized as follows. Assume that the size of the plain image is N × N and that the number of gray levels is L. The recommended construction includes the following four steps.

i. Choosing the chaotic map and generalizing it by introduction of parameters

This step defines a high-dimensional chaotic map to perform pixel permutation. It is suggested that a 2D map f which is a chaotic bijection of the unit square I × I, where I = [0,1), should be chosen. Such a bijective requirement is known as the measure-preserving property of chaotic maps, so that one-to-one mapping is guaranteed in the processes of encryption and decryption. It seems that a rich variety of chaotic maps satisfy cryptographic purposes. In practice, only simple ones are preferred, for a fast encryption process. Apart from simplicity, the parameterization of the chosen chaotic map should also be considered. A set of parameters can be introduced into the map to constitute a portion of the secret key. The 2D chaotic maps previously described in Section 3.1.2 are examples that can be chosen.

ii. Discretizing the chaotic map

Since images are composed of a finite lattice of pixels, the domain of the map f is changed from the unit square I × I to the discretized form $N_0^{N-1} \times N_0^{N-1}$, where $N_0^{N-1} = [0, N-1]$. In doing so, the discretized map F maps each image pixel to another bijectively. As emphasized in [26], the discretization in this step must fulfill the asymptotic property formulated by:

$$\lim_{N \to \infty} \max_{0 \le i, j < N} \left| f(i/N, j/N) - F(i, j) \right| = 0, \tag{3.12}$$

where f is the continuous map chosen and F is the discretized form. This means that the discretized map gets closer to its continuous counterpart as the number of pixels tends to infinity. It can then preserve the basic properties of the continuous map. The discretizations of the 2D chaotic baker map [47], cat map and standard map [26] are presented in Eqs. (3.13)–(3.15), respectively.

$$
\begin{aligned}
x_{k+1} &= \frac{N}{n_i}\,(x_k - N_i) + y_k \bmod \frac{N}{n_i}, \\
y_{k+1} &= \frac{n_i}{N}\left(y_k - y_k \bmod \frac{N}{n_i}\right) + N_i,
\end{aligned}
\qquad \text{with} \quad
\begin{cases}
n_0 + n_1 + \cdots + n_t = N, \\
N_i = n_0 + n_1 + \cdots + n_i, \quad N_0 = 0, \\
x_k = [N_i,\ N_i + n_{i+1}), \\
y_k = [0, N).
\end{cases}
\tag{3.13}
$$

$$
\begin{bmatrix} x_{k+1} \\ y_{k+1} \end{bmatrix}
=
\begin{bmatrix} 1 & a \\ b & ab + 1 \end{bmatrix}
\begin{bmatrix} x_k \\ y_k \end{bmatrix} \bmod N,
\tag{3.14}
$$

$$
\begin{aligned}
x_{k+1} &= (x_k + y_k) \bmod N, \\
y_{k+1} &= \left( y_k + t \sin \frac{2\pi x_{k+1}}{N} \right) \bmod N,
\end{aligned}
\tag{3.15}
$$

where $(x_k, y_k)$ and $(x_{k+1}, y_{k+1})$ are the current and next chaotic states in each of the maps, and the other symbols are the corresponding system parameters. Figures 3.9–3.11 illustrate the results of applying the three discretized chaotic maps in Eqs. (3.13)–(3.15) to the test image Lena once and nine times.

Figure 3.9 (a) A test image of Lena; the resultant images (b) and (c) after applying the discretized baker map once and nine times, respectively, with N = (8, 8, 32, 64, 32, 32, 32, 32, 64, 64, 32, 64, 32, 8, 8).

Figure 3.10 The results of test image Lena (a) and (b) after applying the discretized cat map once and nine times, respectively, with a = 5 and b = 9.

Figure 3.11 The results of test image Lena (a) and (b) after applying the discretized standard map once and nine times, respectively, with k = 1750.

iii. Composing a diffusion mechanism

So far, an apparently unrecognizable image can be achieved by shuffling the positions of image pixels. However, the histogram of the resultant image remains the same as that of the plain image. The permutation-based cipher is still vulnerable to statistical and chosen-plaintext-type attacks. It is necessary to introduce a diffusion mechanism after the permutation stage. The idea is to spread the influence of every single pixel over the entire image. In general, the gray levels of pixels can be altered sequentially by the pseudorandom output of a 1D chaotic map.

iv. Evaluating the overall performance (security and complexity)

The security level is a fundamental issue for all kinds of ciphers. A strong cipher is one that is capable of resisting any kind of cryptanalytic attack, including brute-force attack, statistical attack, known-plaintext attack and chosen-plaintext attack. Therefore, a cipher with high key and plaintext sensitivity together with a large key space is preferable. On the other hand, complexity evaluation is important to image encryption as well, since it indicates the feasibility of encryption schemes. Special attention should be given to computational speed and to the size and quality of the encrypted images.
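One round of the architecture these four steps build, as an added example that is not code from the thesis or from [26]: the cat map of Eq. (3.14), x' = (x + a·y) mod N, y' = (b·x + (ab+1)·y) mod N, followed by a diffusion pass. The chained diffusion rule, the keystream parameters x0 and mu, and the 16 × 16 image are assumptions made for illustration; the byte quantization follows Eq. (3.16).

```python
import math
from collections import Counter

def cat_map(x, y, a, b, n):
    """One step of the discretized cat map, Eq. (3.14)."""
    return (x + a * y) % n, (b * x + (a * b + 1) * y) % n

def permute(img, a, b, inverse=False):
    """Send pixel (x, y) to cat_map(x, y); inverse=True undoes the move."""
    n = len(img)
    out = [[0] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            nx, ny = cat_map(x, y, a, b, n)
            if inverse:
                out[x][y] = img[nx][ny]
            else:
                out[nx][ny] = img[x][y]
    return out

def keystream(x0, mu, count):
    """Logistic-map states quantized to bytes as in Eq. (3.16)."""
    x, ks = x0, []
    for _ in range(count):
        x = mu * x * (1.0 - x)
        frac = abs(x) - math.floor(abs(x))
        ks.append(int(frac * 1e14) % 256)
    return ks

def diffuse(img, x0, mu, seed=0):
    """Assumed rule: c_i = ((p_i + k_i) mod 256) XOR c_(i-1), row-major scan."""
    n = len(img)
    prev, out = seed, []
    flat = [p for row in img for p in row]
    for p, k in zip(flat, keystream(x0, mu, n * n)):
        prev = ((p + k) % 256) ^ prev
        out.append(prev)
    return [out[r * n:(r + 1) * n] for r in range(n)]

def undiffuse(img, x0, mu, seed=0):
    """Invert diffuse(): p_i = ((c_i XOR c_(i-1)) - k_i) mod 256."""
    n = len(img)
    prev, out = seed, []
    flat = [c for row in img for c in row]
    for c, k in zip(flat, keystream(x0, mu, n * n)):
        out.append(((c ^ prev) - k) % 256)
        prev = c
    return [out[r * n:(r + 1) * n] for r in range(n)]

def encrypt_round(img, key):
    a, b, x0, mu = key  # (a, b) play the role of Kp, (x0, mu) of Ks
    return diffuse(permute(img, a, b), x0, mu)

def decrypt_round(img, key):
    a, b, x0, mu = key
    return permute(undiffuse(img, x0, mu), a, b, inverse=True)

def histogram(img):
    return Counter(p for row in img for p in row)

def changed_pixels(img1, img2):
    return sum(p != q for r1, r2 in zip(img1, img2) for p, q in zip(r1, r2))

# Constructed 16 x 16 image with two flat gray regions (not from the thesis).
N = 16
PLAIN = [[40 if x < N // 2 else 200 for _ in range(N)] for x in range(N)]
KEY = (5, 9, 0.3456, 3.99)  # a, b from Figure 3.10; x0 and mu are assumed

if __name__ == "__main__":
    tweaked = [row[:] for row in PLAIN]
    tweaked[3][7] ^= 1  # flip one bit of one pixel
    print("histogram kept by permutation:",
          histogram(permute(PLAIN, 5, 9)) == histogram(PLAIN))
    print("pixels changed, permutation only:",
          changed_pixels(permute(PLAIN, 5, 9), permute(tweaked, 5, 9)))
    print("pixels changed, one full round:",
          changed_pixels(encrypt_round(PLAIN, KEY), encrypt_round(tweaked, KEY)))
```

Permutation alone keeps the histogram and turns a one-pixel change into exactly one changed pixel, and the origin stays at (0, 0). A single diffusion pass spreads the change only to pixels later in the scan order, which is why the rounds are repeated.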


[Figure 3.12: block diagram. The plain image P1 passes through n rounds, each consisting of a 2D permutation (key Kp1, Kp2, …, Kpn) followed by pixel value diffusion (key Ks1, Ks2, …, Ksn); the output of each round is the input of the next (P2 = C1, P3 = C2, …, Pn = Cn-1), and Cn is the encrypted image.]

Figure 3.12 A generic architecture of image encryption systems based on 2D chaotic permutations.

In accordance with the above cipher construction, the basis of generic image encryption is modeled and presented in Figure 3.12. Similar to traditional block ciphers, the studied architecture is composed of two processes: chaotic confusion and pixel diffusion. The former, also called permutation, shuffles the whole plain image with a 2D chaotic map, and the latter modifies the value (gray level) of each pixel one by one. In the confusion process, the parameters of the chaotic map can be regarded as the confusion key Kp; in the diffusion process, parameters such as the initial values and control parameters of the diffusion function can be regarded as the diffusion key Ks. To enhance security, the confusion and diffusion processes are often repeated n times.

3.4.3 Other Issues in Chaos-based Image Cryptosystems

i. Ineffective confusion problems in corner pixel

As seen from the mathematical form of the 2D maps in Eqs. (3.13)–(3.15), some pixels at the corners of the image merely map to their original positions. In the case of the baker map, the affected pixels are at (0, 0) and (N-1, N-1), while the problem at the origin (0, 0) is also found in both the cat map and the standard map. The information leakage is insignificant, but undesirable in cryptographic design. As rectified by [9, 54], the permutation can be improved by changing the scan order of the process. This means scanning a random pixel (rx, ry) other than the origin first in the course of the permutation process.

ii. Parameter space analysis of common 2D chaotic maps

It is clear that the parameter space of the chaotic map determines the degree of cipher security to a certain extent. As investigated in [54], the parameter spaces of three common maps are listed in Table 3.2. For an image of size N × N, the investigation suggested that the parameter space of the cat map is the smallest, while the standard map has the largest parameter space ($(N^2)!$). Their spaces are enlarged proportionally if a distinct value of Kp is used for each of the n iterations.

| 2D chaotic map | Parameter space (same key for n different iterations) | Parameter space (different key for n different iterations) |
|---|---|---|
| Baker map | $2^{N-1}$ | $2^{n(N-1)}$ |
| Cat map | $N^2$ | $N^{2n}$ |
| Standard map | $(N^2)!$ | $[(N^2)!]^n$ |

Table 3.2 Comparison of the parameter space of baker map, cat map and standard map after discretization.

iii. Key generation for iterative ciphers

As pointed out in [54], distinct sub-keys for the confusion and diffusion processes are essential to enhancing the security of cryptosystems. To this end, a key generator should be provided for sub-key generation and distribution. In [9], Lian et al. proposed a scalable key scheming which is based on a chain of 1D chaotic maps as outlined in Figure 3.13. To obtain n subkeys, the secret key of the cryptosystem can be divided into n groups Xi and Ki, where i = [1, m] representing the ith of m cipher rounds. Xi serves as the initial condition of the map, while Ki serves as the system parameter of the map with respect to Xi. In this scheme, any tiny change in the secret key influences the subsequent sub-keys substantially. As a result, the key sensitivity requirement of cryptosystems is satisfied.


[Figure 3.13: block diagram. Each key group (X1, K1), (X2, K2), …, (Xn, Kn) feeds its own chain of 1D maps with parameter Ki, producing the outputs Xi^(m-1) and Xi^m along the chain.]

Figure 3.13 An illustration of key generation and distribution proposed in [9].

iv. Typical preprocessing in integer and real domains

In many 1D chaotic maps and other chaotic systems, chaotic behaviour is observed in the real number field. In computer programming, one has to deal with both decimal fractions and integers when a real-valued chaotic system is incorporated into the process of pixel value modification. There are many methods to approximate decimal fractions by binary integers or vice versa. For example, a typical approximation function de2bi() suggested for C++ programming can be found in [49]:

$$B = \mathrm{de2bi}\big(\mathrm{mod}\big((\mathrm{Abs}(X_i) - \mathrm{Floor}(\mathrm{Abs}(X_i))) \times 10^{14},\ 256\big)\big) \tag{3.16}$$

where $X_i$ is a decimal fraction obtained from the chaotic system, Abs() is the absolute value function, and Floor() returns the nearest integer less than or equal to its argument. The function assumes that a 256 gray scale image and the double data type (15-digit precision) are used. Conversely, the conversion from binary integers to decimal fractions can be realized as follows:

$$D = \mathrm{bi2de}(v) = v / \max(v), \tag{3.17}$$

where max(v) is the amplitude of input v. When a real-valued chaotic map such as the logistic map is used, one should expect some overhead from preprocessing decimal and integer values throughout the encryption scheme. In this case, the tradeoff between functional simplicity and complexity in the change of domains differs between particular cipher designs and should be thoroughly balanced in the implementation.

3.4.4 Cryptanalysis of Chaos-based Image Cryptosystems

Chaotic cryptosystems, like any other cryptosystems, should have a strong ability to frustrate all kinds of cryptanalytic efforts. From the cryptographic point of view, resistance against attacks is a good measure for evaluating the performance of a cryptosystem. A typical classification of the attacks is based on the different scenarios, according to the extra information required by a cryptanalyst. They are listed as follows:

- Ciphertext only attack - the cryptanalyst only has a number of ciphertexts;
- Known plaintext attack - the cryptanalyst has some matched plaintext and ciphertext pairs;
- Chosen plaintext attack - the cryptanalyst can choose any plaintext at will and obtain the corresponding ciphertext. This added facility can help in breaking a cipher.
- Chosen ciphertext attack - the cryptanalyst can choose some ciphertexts and obtain the corresponding plaintexts.

In all four kinds of typical attacks, the cryptanalyst intends to determine the key that was used. It is expected that the ciphertext only attack is the most difficult, while the chosen plaintext attack is the easiest for the cryptanalyst, due to the auxiliary information he or she obtains.

The abovementioned attacks are generally applicable to all types of cryptosystems. In particular, some specific attacks are based on the structural characteristics of multimedia data such as image and video [55]. For image encryption, statistical and differential attacks are the two most well-known and important security issues. The former is a variant of the ciphertext-only attack. In this case, the cryptanalyst tries to learn or recognize some pattern when the plain image is not available. The pattern or similar information may be exposed by the histograms of some encrypted images or by correlations between certain pairs of adjacent image pixels. In the latter case, the cryptanalyst chooses two images which differ in one pixel, and then compares the encryption results. By repeating the procedure with other pixels, part of or the whole pixel position mapping in the permutation stage can be reconstructed. A more detailed discussion will be covered in Chapters 4 and 5.

For a comprehensive study, some particular cryptanalyses of the chaotic image encryption schemes in Section 3.4.1 are outlined here, as they are worth attention in future designs. For a permutation-only image cipher such as [45], it has been pointed out in [51] that when such a cipher encrypts images in the spatial domain, a pixel at the position (i, j) is secretly relocated to another fixed position (i′, j′) while its pixel value is kept unchanged. No matter how complicated the permutation is, by comparing a number of known plain images and the corresponding encrypted images, it is possible for the cryptanalyst to reconstruct the secret permutations of all pixels. The approach is definitely incapable of providing a sufficiently high degree of security against known/chosen plaintext attacks.

In [52], Yen et al.'s CKBA encryption scheme is found to have some serious security loopholes. First, since sub-keys are used to encrypt more than one block of plaintext, the key set together with the binary sequence can possibly be reconstructed from only one pair of known or chosen plain image and encrypted image. Therefore, it cannot resist chosen and known plaintext attacks. In addition, its security against brute force attack [12] is also overestimated by the authors because the total key length is not fully utilized in the actual encryption. From this point of view, the secret key should never be reused in any case.
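The permutation-only weakness reported in [51] can be checked with chosen plain images, shown here as an added example that is not code from the thesis or the cited papers. The shuffled index list stands in for any key-dependent pixel permutation, and the 32 × 32 image size and all function names are assumptions.

```python
import random

N = 32  # constructed 32 x 32 image with 8-bit gray levels

def make_secret_permutation(seed):
    """Stand-in for any key-dependent position shuffle (e.g. a 2D chaotic map)."""
    perm = list(range(N * N))
    random.Random(seed).shuffle(perm)
    return perm

def permutation_only_encrypt(flat_img, perm):
    """Pixel at index i moves to index perm[i]; pixel values are untouched."""
    out = [0] * len(flat_img)
    for i, p in enumerate(flat_img):
        out[perm[i]] = p
    return out

def recover_permutation(encrypt_oracle):
    """Rebuild the position mapping from chosen plain images.

    Every position index is written in base 256 across the chosen images, so
    ceil(log256(N*N)) images are enough to label each position uniquely.
    """
    size = N * N
    digits = 1
    while 256 ** digits < size:
        digits += 1
    labels = [0] * size  # labels[j] = original index of the pixel now at j
    for d in range(digits):
        chosen = [(i >> (8 * d)) & 0xFF for i in range(size)]
        for j, v in enumerate(encrypt_oracle(chosen)):
            labels[j] |= v << (8 * d)
    recovered = [0] * size
    for j, i in enumerate(labels):
        recovered[i] = j
    return recovered, digits

def decrypt_with(perm, cipher):
    """Undo the shuffle using a (recovered) position mapping."""
    return [cipher[perm[i]] for i in range(len(cipher))]

if __name__ == "__main__":
    secret = make_secret_permutation(2007)  # the key never leaves this closure
    oracle = lambda img: permutation_only_encrypt(img, secret)
    recovered, used = recover_permutation(oracle)
    print("chosen images needed:", used)
    print("mapping fully recovered:", recovered == secret)
```

However the shuffle is generated, the number of chosen images depends only on the image size and the gray-level count, so key size gives no protection to a permutation-only design; a value-changing diffusion stage is what breaks the labelling.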
In particular, the combination of permutation and diffusion schemes has been reported to have some fundamental weaknesses. Wang et al. criticized the 3D cat map based image encryption scheme [10]. Although the scheme resists statistical and differential attacks, it is still likely breakable with a chosen plaintext attack. According to [56], firstly, chaotic 3D permutation is meaningless if a homogeneous plain image with identical pixel values is encrypted. In this case, the security of the scheme relies merely on a simple diffusion process. Moreover, if a pixel value in the plain image is 0, then the underlying diffusion operation is also useless. As a result, a key recovery attack is proposed that recovers the initial condition of the logistic maps according to the gray code. Apparently, the encryption of a homogeneous plain image is an arbitrary and insignificant case. However, for [10], it leads to the scheme eventually being broken by the chosen plaintext attack discussed.

3.5 Summary

In this chapter, the concept of chaos was shown through examples of chaotic maps and an introduction to their dynamical properties. An investigation of chaotic maps and cryptosystems reveals that they share some common properties. Since then, many researchers have pursued chaotic cryptography. As mentioned in the last chapter, traditional cryptographic schemes are mainly based on discrete mathematics composed of many complicated algebraic operations, while chaotic cryptographic schemes rely on the complex dynamics of nonlinear maps, which are deterministic but simple. Indeed, the nice and distinct properties of chaos, such as ergodicity and sensitive dependence on initial conditions and system parameters, favour the application of chaos theory in both document and multimedia data encryption. In this thesis, chaotic encryption schemes for digital images are of particular interest. The typical architecture and some important issues of chaotic image cryptosystems, including cryptanalysis techniques, are studied intensively as a background to the algorithm developments in the following chapters.


Chapter 4

Chaotic Confusion Process for Image Encryption

As discussed in the preceding chapter, the architecture of many chaos-based image encryption schemes mainly consists of an image pixel permutation stage and a pixel value diffusion stage. Generally speaking, the confusion effect is contributed by the permutation-only stage, while the diffusion effect is found only in the pixel value diffusion stage. However, for some encryption schemes, the number of permutation-diffusion rounds required to achieve a certain level of security is unnecessarily large. The efficiency of the encryption process is thus downgraded. In this chapter, an overview of an image encryption scheme using the 2D chaotic standard map will be given in Section 4.1. It is considered as a reference scheme. Some observations on this reference scheme will be described in Section 4.2. Based on the observations, a modified approach of the permutation stage will be proposed