Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks

Recently, an image scrambling encryption algorithm of pixel bit based on chaos map was proposed. Considering the algorithm as a typical binary image scrambling/permutation algorithm exerting on plaintext of size $M\times (8N)$, this paper proposes a …

Authors: Chengqing Li, Kwok-Tung Lo

Chengqing Li$^{*,a,b}$, Kwok-Tung Lo$^{b}$

$^a$ College of Information Engineering, Xiangtan University, Xiangtan 411105, Hunan, China
$^b$ Department of Electronic and Information Engineering, The Hong Kong Polytechnic University, Hong Kong
$^*$ Corresponding author. Email address: chengqingg@gmail.com (Chengqing Li)

Preprint submitted to Signal Processing June 29, 2021

Abstract

Recently, an image scrambling encryption algorithm of pixel bit based on chaos map was proposed. Considering the algorithm as a typical binary image scrambling/permutation algorithm exerting on plaintext of size $M\times (8N)$, this paper proposes a novel optimal method to break it with some known/chosen-plaintexts. The spatial complexity and computational complexity of the attack are only $O(32\cdot MN)$ and $O(16\cdot n_0\cdot MN)$ respectively, where $n_0$ is the number of known/chosen-plaintexts used. The method can be easily extended to break any permutation-only encryption scheme exerting on plaintext of size $M\times N$ and with $L$ different levels of values. The corresponding spatial complexity and computational complexity are only $O(MN)$ and $O(\lceil\log_L(MN)\rceil\cdot MN)$ respectively. In addition, some specific remarks on the performance of the image scrambling encryption algorithm are presented.

Key words: cryptanalysis, known-plaintext attack, chosen-plaintext attack, encryption, image

1. Introduction

With rapid development of digital information technology, image data is transmitted over all kinds of wired/wireless channels more and more frequently. Consequently, security of image data becomes more and more important. However, the traditional text encryption schemes fail to protect image data efficiently due to the big differences between image data and text, e.g. strong redundancy existing in uncompressed image data and its bulky size. In addition, image encryption schemes have some special requirements such as fast handling speed and easy concatenation of different components of the whole image processing system. Therefore, designing encryption schemes protecting image data specially becomes an urgent task. Due to the subtle similarities between cryptography and chaos, a great number of image encryption schemes based on chaos or other nonlinear theories have been proposed in the past decade [1–7]. Unfortunately, most of them have been found to be insecure to different extents from the viewpoint of modern cryptography [8–16]. For more discussion on chaos-based image encryption schemes, please refer to [17, 18].

In [19], an image permutation algorithm was proposed by scrambling/permuting binary bit of every pixel with pseudo-random number sequence generated by chaotic logistic map. Essentially, it is a permutation-only algorithm exerting on a binary image of size $M\times (8N)$. The present paper focuses on security analysis of the algorithm and reports the following results: 1) an optimal method is proposed to break the image permutation algorithm under study with some known/chosen plaintexts; 2) the method is extended to break any permutation-only encryption scheme exerting on elements of any different levels of values; 3) some remarks on the performance of the image permutation algorithm under study are given.

The rest of this paper is organized as follows. Section 2 briefly introduces the image permutation algorithm under study. Section 3 proposes the optimal known/chosen-plaintext attack based on a binary tree to break the algorithm and points out some remarks on the performance on it.
Extension of the optimal attack to break any permutation-only multimedia encryption schemes is discussed in Sec. 4. The last section concludes the paper.

2. The image permutation algorithm under study

The plaintext encrypted by the image permutation algorithm under study is a gray-scale image of size $M\times N$ (height × width), which can be denoted by an $M\times N$ matrix in domain $\mathbb{Z}_{256}$, $I=[I(i,j)]_{i=0,j=0}^{M-1,N-1}$. The image $I$ is further represented as an $M\times (8N)$ binary matrix $B=[B(i,l)]_{i=0,l=0}^{M-1,8N-1}$, where $I(i,j)=\sum_{k=0}^{7}B(i,l)\cdot 2^k$, $l=8\cdot j+k$. The corresponding cipher-image is $I'=[I'(i,j)]_{i=0,j=0}^{M-1,N-1}$, $I'(i,j)=\sum_{k=0}^{7}B'(i,l)\cdot 2^k$, $l=8\cdot j+k$. Then, the image permutation algorithm can be described as follows [footnote 1].

• The secret key: three positive integers $m$, $n$, and $T$, and the initial condition $x_0\in(0,1)$ and control parameter $\mu\in(3.569945672, 4)$ of the following chaotic Logistic map:

$$f(x)=\mu\cdot x\cdot(1-x). \qquad (1)$$

• The initialization procedure: 1) run the map Eq. (1) from $x_0$ to generate a chaotic sequence, $\{x_k\}_{k=1}^{\max\{(m+M),\,(n+8MN)\}}$; 2) generate a vector $T_M$ of length $M$, where $S_M(T_M(i))$ is the $(i+1)$-th largest element of $S_M=\{x_{m+k}\}_{k=1}^{M}$, $0\le i\le (M-1)$; 3) generate a matrix $T_N$ of size $M\times(8N)$, where, $\forall\, i\in\{0,\cdots,M-1\}$, $S_N(T_N(i,j))$ is the $(j+1)$-th largest element of $S_N=\{x_{n+(8N)i+k}\}_{k=1}^{8N}$, $0\le j\le N-1$.

• The encryption procedure:

  – Step 1 – vertical permutation: generate an intermediate matrix $B^*=[B^*(i,l)]_{i=0,l=0}^{M-1,8N-1}$, where

  $$B^*(i,:)=B(T_M(i),:); \qquad (2)$$

  – Step 2 – horizontal permutation: generate an intermediate matrix $B'=[B'(i,l)]_{i=0,l=0}^{M-1,8N-1}$, where

  $$B'(i,l)=B^*(i,T_N(i,l)); \qquad (3)$$

  – Step 3 – repetition: reset the value of $x_0$ to the current state of Eq. (1), and repeat the above operations from the initialization procedure for $(T-1)$ times.

• The decryption procedure is similar to the encryption one except the following simple modifications: 1) the different rounds of encryption are exerted in a reverse order; 2) the order of Step 1 and Step 2 in each round is reversed; 3) the left parts and right parts of Eq. (2) and Eq. (3) are exchanged, respectively.

[Footnote 1] To make the presentation more concise and complete, some notations in the original paper are modified, and some details about the algorithm are also supplied or corrected.

3. Cryptanalysis

3.1. Known-plaintext attack

The known-plaintext attack is an attack model for cryptanalysis where the attacker has some samples of both the plaintext and the corresponding ciphertext and makes use of them to reveal secret information, such as secret keys and/or its equivalent ones.

Apparently, the combination of multiple rounds of the operations in the encryption procedure can be represented by an $M\times(8N)$ permutation matrix $W=[w(i,l)]_{i=0,l=0}^{M,8N}$, where $w(i,l)=(i',l')$ denotes the secret position of the plain bit $B(i,j)$ in $B'$. That is, the permutation matrix $W$ defines a bijective map on set $\mathbb{M}\times\mathbb{N}^+$, where $\mathbb{M}=\{0,\cdots,M-1\}$ and $\mathbb{N}^+=\{0,\cdots,8N-1\}$. Once the attacker recovers the permutation matrix $W$ and then obtains its inverse $W^{-1}$, he can use it as an equivalent key to decrypt any cipher-image encrypted with the same secret key. Since the secret permutation does not change the values of the permuted elements, a general algorithm was proposed in [20] for obtaining the permutation matrix by comparing the values of the elements of some plaintexts and the corresponding ciphertexts. Based on the same mechanism, a novel optimal method is proposed here to break the image permutation algorithm under study.
Actually, the proposed method is the construction process of a binary tree, where every node includes five components in order: a pointer holding address of the left child node, $PT_L$; two sets containing some entry positions of plain-image and cipher-image, respectively; cardinality of one of the two sets; a pointer holding address of the right child node, $PT_R$. Denote the two sets in the root node with $\mathbf{B}$ and $\mathbf{B}'$, respectively, where $\mathbf{B}=\mathbf{B}'=\mathbb{M}\times\mathbb{N}^+$. Obviously, cardinality of $\mathbf{B}$, $|\mathbf{B}|=8MN$. Then, the binary tree can be constructed as follows.

• $\forall\,(i,l)\in\mathbf{B}$, do the following operations:

$$\begin{cases}\text{add } (i,l) \text{ into } \mathbf{B}_1 & \text{if } B(i,l)=1;\\ \text{add } (i,l) \text{ into } \mathbf{B}_0 & \text{if } B(i,l)=0.\end{cases} \qquad (4)$$

• $\forall\,(i,l)\in\mathbf{B}'$, do the following operations:

$$\begin{cases}\text{add } (i,l) \text{ into } \mathbf{B}'_1 & \text{if } B'(i,l)=1;\\ \text{add } (i,l) \text{ into } \mathbf{B}'_0 & \text{if } B'(i,l)=0.\end{cases}$$

• Delete the elements in the two sets of root node and set the fourth item of the node as zero.

Since the secret permutation does not change the values of the permuted elements, the cardinalities of the two sets in the two child nodes are always the same. Hence, only the cardinality of one set is needed to record. The basic structure of the binary tree is shown in Fig. 1.

With more pairs of known-images and the corresponding cipher-images, the binary tree will be updated and expanded iteratively with the following steps.

• Search for all nodes whose third item is greater than one, namely, both the corresponding two sets have more than one element;
• Expand each found node with the similar operations shown above.

[Figure 1: Basic structure of the binary tree. The root node $(PT_L, \mathbf{B}, \mathbf{B}', |\mathbf{B}|, PT_R)$ points to two child nodes, $(PT_L, \mathbf{B}_1, \mathbf{B}'_1, |\mathbf{B}_1|, PT_R)$ and $(PT_L, \mathbf{B}_0, \mathbf{B}'_0, |\mathbf{B}_0|, PT_R)$.]

After the construction of the binary tree is completed, we now investigate how to obtain the estimated version of the permutation matrix $W$ from the tree. To facilitate the following discussion, let $\mathbf{B}_i$, $\mathbf{B}'_i$ and $|\mathbf{B}_i|$ denote the middle three items of a leaf node, respectively. Apparently, $w(i,l)$ can be uniquely determined if and only if $|\mathbf{B}_i|=1$. Otherwise, one has to guess one from $|\mathbf{B}_i|!$ possible cases. For the whole permutation matrix, there are $\prod_{i=1}^{P}(|\mathbf{B}_i|!)$ possible cases, where $P$ is the number of leaf nodes in the binary tree. For simplicity, we derive the permutation matrix by mapping the elements in $\mathbf{B}_i$ and $\mathbf{B}'_i$ one by one in order.

Next, we investigate how many known-images are sufficient to achieve an acceptable breaking performance. Roughly speaking, $\prod_{i=1}^{P}(|\mathbf{B}_i|!)$ rapidly decreases when the number of known-images, $n_0$, is increased. A smaller value of $\prod_{i=1}^{P}(|\mathbf{B}_i|!)$ means a more accurate estimation of the permutation matrix. To simplify the analyses, we assume that each element in $B$ distributes uniformly over $\{0,1\}$, and any two elements are independent of each other. Then, the elements of $\mathbf{B}_i$ can be divided into the following two types:

• the sole right position, which occurs definitely;
• other fake positions, each of which occurs in $\mathbf{B}_i$ with a probability of $1/2^{n_0}$, since one condition in Eq. (4) is satisfied consecutively for $n_0$ times.

Let $n_8$ denote the number of error bits in a recovered pixel; it can be calculated that

$$Prob(n_8=i)=\binom{8}{i}\cdot(1-p_b)^{i}\cdot(p_b)^{8-i},$$

where $p_b=\frac{1}{1+(8MN-1)/2^{n_0}}$, $i=0\sim 8$. Generally speaking, when every bit is determined correctly with a probability larger than a half, namely $p_b>0.5$, the decryption will be acceptable. Solving the inequality, one has

$$n_0>\lceil\log_2(8MN-1)\rceil. \qquad (5)$$

To verify the performance of the above known-plaintext attack, a number of experiments have been performed on a number of randomly selected natural images of size $256\times 256$. In this case, Eq. (5) becomes $n_0>\lceil\log_2(2^{19}-1)\rceil=19$. With a randomly selected secret key $(x_0,\mu,m,n,T)=(0.2009, 3.98, 20, 51, 4)$, a plain-image “Peppers” and its encrypted version are shown in Figs. 2a) and b), respectively. Let $W_{20}$ and $W_{25}$ denote the estimated version of the permutation matrix $W$ obtained from 20 and 25 known plain-images, respectively. The decrypted version of Fig. 2b) with $W_{20}$ and $W_{25}$ is shown in Figs. 2c) and d) respectively. It is found that most visual information contained in the original plain-image has been recovered in Fig. 2c), although only $23509/65536\approx 35.8\%$ of plain pixels are correct in value. This is attributed to the following two main reasons:

• human eyes have a powerful capability for excluding image noises and recognizing significant information;
• due to strong redundancy in natural images, two pixel values are close to each other with a probability larger than the average one, hence many incorrectly recovered pixels are close to their true values with a probability larger than the average one also.

Distribution of difference between the recovered plain-image, shown in Fig. 2c), and the corresponding original plain-image is shown in Fig. 3a). The similar data on the recovered plain-image shown in Fig. 2d) is also illustrated in Fig. 3b) for comparison. With some noise reduction schemes, the recovered plain-images can be enhanced further. The results of two images shown in Figs. 2c) and d) with a $3\times 3$ median filter are shown in Figs. 4a) and b), respectively.

[Figure 2: The image “Peppers” recovered by known-plaintext attack: a) “Peppers”; b) the encrypted “Peppers”; c) recovered “Peppers” via $W_{20}$; d) recovered “Peppers” via $W_{25}$.]

Figure 5 shows the percentage of correctly-recovered elements, including plain-bit, plain-pixel and the elements of permutation matrix, with respect to the number of known plain-images. One can see that the breaking performance is good when $n_0\ge 20$. It can also be observed that the slopes of the three lines shown in Fig. 5 are very flat when $n_0\ge 25$. This is due to the negative impact incurred by the strong redundancy in natural images such as the MSBs of neighboring pixels are the same with a high probability. This point has been proved quantitatively in [20]. Now, one can see that the non-uniform distribution of most natural images has two opposite influences on the final breaking. The experiments have shown that the above analysis result obtained under the assumption of uniform distribution also holds for the case of ordinary natural images.

[Figure 3: Distribution of non-zero difference between two recovered plain-images and the original plain-image: a) the one shown in Fig. 2c); b) the one shown in Fig. 2d), where x-axis denotes specific difference and y-axis denotes the corresponding counts.]

[Figure 4: The enhanced results of applying a $3\times 3$ median filter to the two recovered plain-images: a) the image shown in Fig. 2c); b) the image shown in Fig. 2b).]

Obviously, the spatial complexity and the computational complexity of the proposed known-plaintext attack are only $O(32\cdot MN)$ and $O(16\cdot n_0\cdot MN)$, respectively.

3.2. Chosen-plaintext attack

The chosen-plaintext attack is an attack model for cryptanalysis which assumes that the attacker has the capability to arbitrarily choose some plaintexts to be encrypted and observe the corresponding ciphertexts. The goal of the attack is to optimize the attack performance considering the special properties of the encryption scheme when the plaintexts are with a specific structure.
[Figure 5: The percentage of correctly-recovered elements with respect to the number of known plain-images. x-axis: $n_0$; y-axis: $P_c$; curves: Pixel, Bit, Permutation matrix.]

As for the image permutation algorithm under study, at least $n_c=\lceil\log_2(8MN)\rceil=3+\lceil\log_2(MN)\rceil$ chosen plain-images are needed to make the cardinality of the set in every leaf node of the binary tree for breaking equal to one, namely, every element of the permutation matrix can be recovered exactly. First, construct an $M\times(8N)$ matrix in domain $\mathbb{Z}_{2^{n_c}}$, $B^+=[B^+(i,l)]_{i=0,l=0}^{M-1,8N-1}$, whose elements are different from each other. Then, the chosen plain-images $\{I_t\}_{i=0}^{n_c-1}$ can be chosen/constructed as follows:

$$I_t(i,j)=\sum_{k=0}^{7}B^+_t(i,l)\cdot 2^k,$$

where $\sum_{t=0}^{n_c-1}B^+_t(i,l)\cdot 2^t=B^+(i,l)$ and $l=8\cdot j+k$.

3.3. Some remarks on the performance on the image permutation algorithm under study

• Weak randomness of vectors $T_M$ and $T_N$
Obviously, randomness of vectors $T_M$ and $T_N$ depends on randomness of the sequences generated by iterating Logistic map. Note that convincing argument for good randomness of a sequence is not the so-called complex theories based but whether it can pass a series of objective tests [21]. As shown in [22, Sec. 3.1], Logistic maps cannot serve as a good random number generator. This point can also be guessed by observing distribution of the trajectory of Logistic map, which is mainly determined by the control parameter [23]. For illustration, distribution of two trajectories of Logistic map with the same initial condition and control parameter used in [19, Sec. 2] is shown in Fig. 6.

• Fail to encrypt images of fixed value zero or 255
For both the two images, all elements of the corresponding intermediate matrix $B^*$ are the same, which makes all the encryption procedures do nothing.
• Insensitivity with respect to changes of plaintext
Sensitivity with respect to changes of plaintext is very important for any image encryption scheme since an image and its watermarked version may be encrypted at the same time. In cryptography, the most ideal state about the sensitivity is that the change of any single bit of plaintext will make every bit of the corresponding ciphertext change with a probability of one half. Unfortunately, the image permutation algorithm under study does not consider this property at all.

[Figure 6: Distribution of two trajectories of the map Eq. (1) with control parameter $\mu=3.5786$: a) $x_0=0.3333$; b) $x_0=0.5656$. Axes: $x$ and $p$.]

• Equivalent sub-key
Since $f(x)=f(1-x)$, $x_0$ and $(1-x_0)$ are equivalent sub-keys for decryption.

• Unchanged histogram on plain-bit
Although the histogram on plain-byte is changed by the image permutation algorithm under study, the one on plain-bit keeps unchanged, which makes the cipher-image still reveal some information of the plain-image.

• Low efficiency
The generation method of permutation matrixes $T_M$ and $T_N$ makes the computational complexity of the image permutation algorithm under study $O(M\cdot(8N)^2)$, which is even much larger than that of DES.

4. Known/chosen-plaintext attack on any permutation-only multimedia encryption schemes

As shown in [20], no matter what the permuted elements of multimedia data are, all permutation-only multimedia encryption schemes on a plaintext of size $M\times N$ can be represented as

$$I^*(w(i,j))=I(i,j),$$

where the permutation matrix $W=[w(i,j)=(i',j')\in\mathbb{M}\times\mathbb{N}]_{M\times N}$, $\mathbb{M}=\{0,\cdots,M-1\}$ and $\mathbb{N}=\{0,\cdots,N-1\}$. Then it was analyzed that permutation-only multimedia encryption can be broken with only $O(\lceil\log_L(MN)\rceil)$ known/chosen plaintexts, where $L$ is the number of different elements in the plaintext. The breaking method proposed in [20, Sec. 3.1] includes the following three key steps:

• Step 1: obtain a set containing all possible secret positions for each entry of the plaintext by comparing every pair of plaintext and the corresponding ciphertext;
• Step 2: solve the intersection of the different sets corresponding to each entry of plaintext;
• Step 3: get an estimated version of the permutation matrix by choosing a secret position of an entry plaintext from the final set corresponding to it.

The operations in Step 2 make the computational complexity of the above attack become $O(n_0\cdot MN^2)$. It is found that the complex intersection operations can be avoided by extending the idea proposed in Sec. 3.1, namely constructing a multi-branch tree, where every node includes $2L+3$ components: $2L$ pointers holding addresses of $2L$ possible child nodes; two sets containing some entry positions in plain-image and cipher-image, respectively; and cardinality of one of the two sets. Let $\mathbf{B}$, $\mathbf{B}'$, and $|\mathbf{B}|$ denote the last three items in the root node. Initially, set $\mathbf{B}=\mathbf{B}'=\mathbb{M}\times\mathbb{N}$, and $|\mathbf{B}|=MN$. Then, the multi-branch tree can be constructed as follows.

• $\forall\,(i,j)\in\mathbf{B}$, add $(i,j)$ to the first set of the child nodes to which the $I(i,j)$-th item of the current node points;
• $\forall\,(i,j)\in\mathbf{B}'$, add $(i,j)$ to the second set of the child nodes to which the $I'(i,j)$-th item of the current node points.
• Delete the elements of the sets in the root node and set the last item of the node as zero.
With more pairs of known/chosen plain-images and the corresponding cipher-images, the multi-branch tree can be updated and expanded iteratively with the following steps:

• Search for all nodes whose last item is greater than one;
• Expand and update each found node with the similar operations shown above.

Once construction of the multi-branch tree is completed, the permutation matrix $W$ can be estimated by simply mapping the elements in the two sets of every leaf node in order.

Finally, combining the performance analysis of the known/chosen-plaintext attack presented in [20], we can conclude that any permutation-only multimedia encryption schemes exerting on plaintext of size $M\times N$ can be efficiently broken with $O(\lceil\log_L(MN)\rceil)$ known/chosen-plaintexts, and spatial complexity and computational complexity of the attack are $O(MN)$ and $O(n_0\cdot MN)$, respectively. Substituting $n_0$ with $\lceil\log_L(MN)\rceil$, the complexity becomes $O(\lceil\log_L(MN)\rceil\cdot MN)$, which is much lower than $O(\lceil\log_L(MN)\rceil\cdot MN^2)$, the whole attack complexity estimated in [20].

5. Conclusion

In this paper, the security of an image permutation encryption algorithm is analyzed. An optimal method, in terms of spatial complexity and computational complexity, is proposed to break the binary image permutation algorithm. Furthermore, the method can be extended to break any permutation-only multimedia encryption schemes with an optimal performance also. In addition, some specific remarks on the performance of the image scrambling encryption algorithm under study are provided. Again, this cryptanalysis paper proves that the security of a good image encryption scheme should rely on a combination of traditional cryptography and special properties of image data, like the schemes proposed in [24, 25].
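The tree construction of Secs. 3.1 and 4 and the chosen plain-images of Sec. 3.2, as an added example that is not code from the paper: the leaves are kept as a flat list of (plain positions, cipher positions) pairs and split by element value, which works for two or more value levels. Assumptions: a small 4 × 16 bit matrix stands in for an image, the key is the one quoted in the experiment, "current state" in Step 3 is read as the last iterate, and all function names are hypothetical.

```python
import math
import random

def encrypt(B, key):
    """Sec. 2 cipher on an M x 8N bit matrix B; key = (x0, mu, m, n, T)."""
    x0, mu, m, n, T = key
    M, W8 = len(B), len(B[0])
    for _ in range(T):
        xs, x = [], x0
        for _ in range(max(m + M, n + M * W8)):
            x = mu * x * (1 - x)                      # Eq. (1)
            xs.append(x)                              # xs[k-1] holds x_k
        TM = sorted(range(M), key=lambda i: -xs[m + i])
        Bs = [B[TM[i]] for i in range(M)]             # Eq. (2): row permutation
        B = []
        for i in range(M):
            seg = xs[n + W8 * i:n + W8 * (i + 1)]
            TN = sorted(range(W8), key=lambda l: -seg[l])
            B.append([Bs[i][TN[l]] for l in range(W8)])   # Eq. (3)
        x0 = x    # assumption: "current state" means the last iterate
    return B

def refine(leaves, plain, cipher):
    """Expand every leaf holding more than one position, by element value."""
    out = []
    for P, C in leaves:
        if len(P) == 1:
            out.append((P, C))
            continue
        kids = {}
        for i, l in P:
            kids.setdefault(plain[i][l], ([], []))[0].append((i, l))
        for i, l in C:
            kids.setdefault(cipher[i][l], ([], []))[1].append((i, l))
        out.extend(kids.values())
    return out

def ambiguity_bits(leaves):
    """log2 of prod(|B_i|!), the number of permutations still consistent."""
    return sum(math.log2(math.factorial(len(P))) for P, _ in leaves)

def attack(images, oracle, M, W8):
    """Refine once per plaintext/ciphertext pair, then map leaves in order."""
    pos = [(i, l) for i in range(M) for l in range(W8)]
    leaves, trace = [(pos, list(pos))], []
    for img in images:
        leaves = refine(leaves, img, oracle(img))
        trace.append(ambiguity_bits(leaves))
    W = {p: c for P, C in leaves for p, c in zip(P, C)}
    return W, leaves, trace

def chosen_images(M, W8):
    """Bit-plane t of a matrix B+ whose entries are the distinct labels i*W8+l."""
    n_c = (M * W8 - 1).bit_length()       # ceil(log2(8MN))
    return [[[((i * W8 + l) >> t) & 1 for l in range(W8)]
             for i in range(M)] for t in range(n_c)]

def decrypt_with(W, cipher):
    """Use the estimated W as an equivalent key: plain[p] = cipher[W[p]]."""
    M, W8 = len(cipher), len(cipher[0])
    return [[cipher[W[i, l][0]][W[i, l][1]] for l in range(W8)]
            for i in range(M)]

def demo():
    M, W8 = 4, 16                          # constructed toy size (N = 2)
    key = (0.2009, 3.98, 20, 51, 4)        # key quoted in the experiment
    oracle = lambda B: encrypt(B, key)
    rng = random.Random(1)
    rand_img = lambda: [[rng.randint(0, 1) for _ in range(W8)] for _ in range(M)]
    secret = rand_img()
    chosen = chosen_images(M, W8)
    W, leaves, _ = attack(chosen, oracle, M, W8)
    exact = decrypt_with(W, oracle(secret)) == secret
    _, _, trace = attack([rand_img() for _ in range(10)], oracle, M, W8)
    return len(chosen), max(len(P) for P, _ in leaves), exact, trace

if __name__ == "__main__":
    print(demo())
```

The fourth value returned by `demo()` is the remaining ambiguity in bits after each random known plain-image, which can only shrink as pairs are added.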
Acknowledgement

The work of Chengqing Li was partially supported by The Hong Kong Polytechnic University’s Postdoctoral Fellowships Scheme under grant no. G-YX2L.

References

[1] K.-L. Chung, L.-C. Chang, Large encrypting binary images with higher security, Pattern Recognition Letters 19 (5-6) (1998) 461–468.
[2] H.-C. Chen, J.-C. Yen, A new cryptography system and its VLSI realization, Journal of Systems Architecture 49 (7–9) (2003) 355–367.
[3] G. Chen, Y. Mao, C. K. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761.
[4] N. J. Flores-Carmona, M. Carpio-Valadez, Encryption and decryption of images with chaotic map lattices, Chaos 16 (3) (2006) art. no. 033118.
[5] A. P. Kurian, S. Puthusserypady, Self-synchronizing chaotic stream ciphers, Signal Processing 88 (10) (2008) 2442–2452.
[6] X. Tong, M. Cui, Image encryption scheme based on 3d baker with dynamical compound chaotic sequence cipher generator, Signal Processing 89 (4) (2009) 480–491.
[7] X. Liao, S. Lai, Q. Zhou, A novel image encryption algorithm based on self-adaptive wave transmission, Signal Processing 90 (9) (2010) 2714–2722.
[8] C.-C. Chang, T.-X. Yu, Cryptanalysis of an encryption scheme for binary images, Pattern Recognition Letters 23 (14) (2002) 1847–1852.
[9] C. Li, S. Li, D.-C. Lou, On the security of the Yen-Guo’s domino signal encryption algorithm (DSEA), Journal of Systems and Software 79 (2) (2006) 253–258.
[10] K. Wang, W. Pei, L. Zou, A. Song, Z. He, On the security of 3D cat map based symmetric image encryption scheme, Physics Letters A 343 (6) (2005) 432–439.
[11] D. Arroyo, R. Rhouma, G. Alvarez, S. Li, V. Fernandez, On the security of a new image encryption scheme based on chaotic map lattices, Chaos 18 (3) (2008) art. no. 033112.
[12] C. Li, G. Chen, On the security of a class of image encryption schemes, in: Proceedings of 2008 IEEE Int. Symposium on Circuits and Systems, 2008, pp. 3290–3293.
[13] S. Li, C. Li, G. Chen, K.-T. Lo, Cryptanalysis of the RCES/RSES image encryption scheme, Journal of Systems and Software 81 (7) (2008) 1130–1143.
[14] R. Rhouma, S. Belghith, Cryptanalysis of a spatiotemporal chaotic image/video cryptosystem, Physics Letters A 372 (36) (2008) 5790–5794.
[15] C. Li, S. Li, M. Asim, J. Nunez, G. Alvarez, G. Chen, On the security defects of an image encryption scheme, Image and Vision Computing 27 (9) (2009) 1371–1381.
[16] G. Alvarez, S. Li, Cryptanalyzing a nonlinear chaotic algorithm (NCA) for image encryption, Communications in Nonlinear Science and Numerical Simulation 14 (11) (2009) 3743–3749.
[17] G. Álvarez, S. Li, Some basic cryptographic requirements for chaos-based cryptosystems, International Journal of Bifurcation and Chaos 16 (8) (2006) 2129–2151.
[18] S. Li, G. Chen, X. Zheng, Chaos-based encryption for digital images and videos, in: B. Furht, D. Kirovski (Eds.), Multimedia Security Handbook, CRC Press, 2004, Ch. 4, pp. 133–167.
[19] G. Ye, Image scrambling encryption algorithm of pixel bit based on chaos map, Pattern Recognition Letters 31 (5) (2010) 347–354.
[20] S. Li, C. Li, G. Chen, N. G. Bourbakis, K.-T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Processing: Image Communication 23 (3) (2008) 212–223.
[21] A. Rukhin, et al., A statistical test suite for random and pseudorandom number generators for cryptographic applications, NIST Special Publication 800-22, available online at http://csrc.nist.gov/rng/rng2.html (2001).
[22] C. Li, S. Li, G. Álvarez, G. Chen, K.-T. Lo, Cryptanalysis of two chaotic encryption schemes based on circular bit shift and xor operations, Physics Letters A 369 (1-2) (2007) 23–30.
[23] K. Wang, W. Pei, X. Hou, Y. Shen, Z. He, Symbolic dynamics approach to parameter estimation without initial value, Physics Letters A 374 (1) (2009) 44–49.
[24] H. Cheng, X. Li, Partial encryption of compressed images and videos, IEEE Transactions on Signal Processing 48 (8) (2000) 2439–2451.
[25] C.-C. Chang, M.-S. Hwang, T.-S. Chen, A new encryption algorithm for image cryptosystems, Journal of Systems and Software 58 (2) (2001) 83–91.
