On the Cryptanalysis of a Latin Cubes-Based Image Cryptosystem

Abstract

Based on orthogonal Latin cubes, an image cryptosystem with confusion–diffusion–confusion cipher architecture has been proposed recently (Inf. Sci. 2019, 478, 1–14). However, we find that there are four fatal vulnerabilities in this image cryptosystem, which leave open doors for cryptanalysis. In this paper, we propose a reference-validation inference algorithm and design screening-based rules to efficiently break the image cryptosystem. Compared with an existing cryptanalysis algorithm, the proposed method requires fewer pairs of chosen plain-cipher images, and behaves stably since different keys, positions of chosen bits and contents of plain images will not affect the cryptanalysis performance. Experimental results show that our cryptanalysis algorithm only requires $\sqrt[3]{8\times H\times W}+3$pairs of chosen plain-cipher images, where $H\times W$ represents the image’s resolution. Comparative studies demonstrate effectiveness and superiority of the proposed cryptanalysis algorithm.

1. Introduction

One image is worth more than ten thousand words. How to protect image contents from illegal accesses has become a crucial security issue for the practical applications such as virtual meeting, video surveillance or telemedicine, especially when we have entered the era of big data. Cryptography is a cornerstone in the field of information security. Conventional data encryption techniques, e.g., DES (data encryption standard), AES (advanced encryption standard) and IDEA (international data encryption algorithm), are inappropriate for image encryption applications because there are high redundancies and strong correlation among adjacent pixels [1,2]. Permutation-and-diffusion cipher architecture, which alternately shuffles pixel positions and changes pixel values, has the capability to reduce the redundancy and the correlation, thereby playing a central role in many image encryption algorithms [3,4,5,6].

Naturally, an image can be encoded as a three-dimensional (3D) bit matrix, in which bits are the smallest elements representing digital information. Some methods [7,8,9,10,11,12,13,14] have extended the permutation-and-diffusion cipher architecture to 3D version, in which the bit-level permutation not only shuffles the bit positions but also changes the pixel values at the same time. Zhu et al. [7] employed Arnold cat map for bit-level permutation and Logistic map for diffusion. Zhang et al. [8] invented a collision-free random bidirectional visiting mechanism by coupling Chen chaotic system with Arnold cat map, and developed a new hybrid 3D permutation rule. In the image cryptosystem [9], multiple chaotic maps were used to control the bit-level row/column-wise permutation. Cai et al. [10] proposed a plaintext-related random-access mechanism that scrambles the 3D bit matrix based on a mixture of three chaotic maps. Gan et al. [11] obtained a random mapping sequence from Chen chaotic system, and designed a tailor-made multilevel quantizer for generating diffusion matrices. Pak et al. [12] improved the original Logistic map and Sine map by introducing a differential amplification operation, and then built a linear–nonlinear–linear conversion structure geared towards a bit-level image cryptosystem. Xu and Tian [13] constructed a confusion-diffusion-confusion cipher architecture, and grouped three orthogonal Latin cubes together to form a 3D random permutation table. Shahna and Mohamed [14] performed the image permutation at the pixel and bit levels, which combines a key-governed scan pattern with a cyclic shift operation.

Cryptanalysis, which is the opposite of cryptography, focuses on exploring and exposing vulnerabilities in a cryptosystem. Indeed, some of the above works [7,8,9,10,11,12,13] have been found to be insecure. Zhang and Wang [15] developed a differential attack that can effectively bypass Zhu’s Arnold cat map [7]. Then, they put forward an improved proposal, in which flipping operations are embedded into the permutation phase, and the connection between plain pixels and keys is established by swapping the order of the permutation and diffusion phases. Later, Wang and Zhao [16] found that Zhang’s improved proposal [15] is still insecure. A reverse differential attack can exactly counteract the order exchange between the permutation and diffusion phases so as to equivalently reconstruct the random mapping sequence. Wu et al. [17] pointed out that the hybrid 3D permutation of Zhang’s image cryptosystem [8] fails to move the bit at the origin, and the diffusion phase merely depends on a weak CBC (cipher block chaining) mode. To break Zhang’s image cryptosystem [8], Li et al. [18] first separated the permutation and diffusion phases by designing a special plain image, and then revealed functionally equivalent keys by using the chosen-plaintext attack. In the same way, Li et al. [19] broke Pak’s work [12] by comparing the differences between several pairs of chosen plain-cipher images. After analyzing the image cryptosystem [9], Liu et al. [20] reported that the correlation information among adjacent plain pixels cannot be erased by the row/column-wise permutation, thereby leaving an open door for the known-plaintext attack. Wen and Yu [21] ascertained that, in the image cryptosystem [9], keys are not associated with the plain images. Exploiting this security flaw, they launched a cracking attack in a divide-and-conquer manner. Recently, Zhang and Yu [22] demonstrated that the process of generating the orthogonal Latin cubes in [13] is independent of the plain images. This allows an adversary to expose the random mapping sequence by using the chosen-plaintext attack.

In this paper, we reinvestigate the security loopholes of Xu’s image cryptosystem [13]. Inspired by the chosen-plaintext attack, we propose an efficient reference-validation inference algorithm and design a screening-based rule to break Xu’s image cryptosystem [13]. Compared with Zhang’s work [22], our cryptanalysis algorithm requires fewer pairs of chosen plain-cipher images, and behaves stably since different keys, positions of chosen bits and contents of plain images will not affect the cryptanalysis performance. Experimental results demonstrate the effectiveness and the superiority of the proposed cryptanalysis algorithm.

The rest of this paper is organized as follows. Section 2 gives a brief introduction to Xu’s image cryptosystem [13], which is the attack target in this study. In Section 3, we first summarize the existing vulnerabilities of [13], and then describe the proposed cryptanalysis algorithm in detail. In Section 4, we conduct extensive experiments and exhibit corresponding results. Last section concludes this paper.

2. Review of Target Image Cryptosystem

In this section, we briefly introduce the TIC (target image cryptosystem) [13]. Overall, it consists of three encryption phases based on Latin cubes, namely pre-permutation, diffusion, and post-permutation.

For better readability, we use bold uppercase symbols (e.g., P) and bold lowercase symbols (e.g., p) to represent cubes and sequences, respectively. Let P(x, y, z) denote the element of P at the coordinate (x, y, z). Let p(n) denote the nth element of p. Non-bold italic font (e.g., n and N) denotes scalars, and Greek letters (e.g., μ) stand for the keys of an image cryptosystem. Bold calligraphic capital letters (e.g.,$\mathcal{N}$) is used to represent sets. Let ℤ represent the ring of integers.

Consider an 8-bit plain image with H × W resolution, where the total number of bits is 8 × H × W. Let N denote the side length of a bit-cube, whose value equals$\sqrt[3]{8\times H\times W}$. For simplicity, Xu and Tian [13] assume that the image size H and W are appropriate values to ensure that the side length N is an integer. Reshape the plain image into the plain bit-cube, denoted by P.

In the TIC [13], Logistic map is adopted to generate a chaotic sequence, denoted by r = [r(0), r(1), …, r(N − 1)]. The definition of the Logistic map can be expressed as

r(n + 1) = μ·r(n) (1 − r(n)),

(1)

where n = 0, 1, …, N − 1, and κ = r(−1) is the initial condition. In Equation (1), μ is the system parameter. When its value lies in the interval (3.573815, 4], the system exhibits chaotic properties, including ergodicity and high sensitivity to the initial conditions [13]. Figure 1 shows diagrams of bifurcation, Lyapunov exponent, and information entropy of the Logistic map. More details can be found in [23].

The chaotic sequence r is first sorted in ascending order, and then the sorted result is used to form a random mapping sequence, denoted by s = [s(0), s(1), …, s(N − 1)]. Specifically, s represents the random mapping relations between r and its sorted counterpart. Clearly, s(n) is an integer lying in the interval [0, N − 1]. By using the random mapping sequence s, three orthogonal Latin cubes, denoted by L₁, L₂ and L₃, are generated as follows

$$\{\begin{array}{l}{L}_1(x, y, z)={\alpha }^2\times s\left(x\right)+\alpha \times s\left(y\right)+s\left(z\right),\\ L_2(x, y, z)={\beta }^2\times s\left(x\right)+\beta \times s\left(y\right)+s\left(z\right), \\ L_3(x, y, z)={\gamma }^2\times s\left(x\right)+\gamma \times s\left(y\right)+s\left(z\right),\end{array}$$

(2)

where L₁(x, y, z), L₂(x, y, z) and L₃(x, y, z) are the elements of L₁, L₂ and L₃ at the coordinate (x, y, z), respectively. In Equation (2), the addition operator “+” and the multiplication operator “×” are both defined on the ring$\mathbb{Z}/N\mathbb{Z}.$Note that, in the TIC [13], N is fixed to 128 so that the addition and multiplication operators are originally defined on the finite field GF(2⁷). However, it is too strict to consider a constant side length. In a practical image cryptosystem, N may not be a power of a prime number. Therefore, in this paper, we define the two operators on the ring $\mathbb{Z}/N\mathbb{Z}$rather than on a finite field.

The three control parameters, namely α, β, and γ, in Equation (2), must be different nonzero numbers within the ring$\mathbb{Z}/N\mathbb{Z}$. This is a necessary and sufficient condition for the three Latin cubes to be mutually orthogonal. The orthogonality property means that each triple (L₁(x, y, z), L₂(x, y, z), L₃(x, y, z)) appears only once after traversing all possible ones, where x, y, and z take values from [0, N − 1]. The orthogonality property ensures that all the mapping relations between (x, y, z) and (L₁(x, y, z), L₂(x, y, z), L₃(x, y, z)) are one-to-one correspondences without collision, so that the orthogonal Latin cubes can be directly used for permuting a bit-cube. It is worth clarifying here that the initial condition κ, the system parameter μ, and the three control parameters α, β, γ collectively serve as keys in the TIC [13].

The first pre-permutation phase shuffles the bit positions of P based on the three orthogonal Latin cubes. Formally, the pre-permutation phase can be expressed as

U(x, y, z) = P(L₁(x, y, z), L₂(x, y, z), L₃(x, y, z)),

(3)

where$\mathbf{U}=\left[U\right(x, y, z)|x, y, z=0, 1, \cdots , N-1]$represents the permuted version of P.

The diffusion phase, which is executed after the pre-permutation phase, aims to flip a part of bits in U under the control of a random bit sequence. In the TIC [13], the random bit sequence is extracted from L₁ through binarization

$$B\left(x, y, z\right)=\{\begin{array}{ll}0,& \mathrm{if} L_1(x, y, z) \ge N/2,\\ 1,& \mathrm{otherwise}. \end{array}$$

(4)

In Equation (4), $N/2$ is the threshold. The binarized bit-cube is denoted by$\mathbf{B}=\left[B\right(x, y, z)|x, y, z=0, 1, \cdots , N-1]$. Reshape U and B into two one-dimensional (1D) bit sequences according to the same scanning order. Here, the 3D-to-1D coordinate transformation can be explicitly formulated as

n = x × N²+ y × N + z.

(5)

The two resulting 1D bit sequences are denoted by u = [u(0), ⋯, u(n), ⋯, u(N − 1)] and b = [b(0), ⋯, b(n), ⋯, b(N − 1)], respectively. The diffusion phase is described as

v(n) = u(n) ⨁ v(n − 1) ⨁ b(n),

(6)

where v = [v(0), ⋯, v(n), ⋯, v(N − 1)] is the diffused bit sequence, and v(−1) is initialized to 0. In Equation (6), the sign “⨁” represents bit-wise exclusive or (XOR) operator.

In the last post-permutation phase, a CPV (cipher-parity value), denoted by t, is first defined by

t = v(0) ⨁ v(1) ⨁⋯⨁ v(N − 1).

(7)

Then, reshape the 1D diffused bit sequence v into a diffused bit-cube V. Here, the 1D-to-3D coordinate transformation for each bit position can be explicitly expressed as

$$\{\begin{array}{l}x=⎣n/N^2⎦,\\ y=⎣n/N⎦\%N,\\ z=n\%N, \end{array}$$

(8)

where the floor sign “$⎣·⎦$” rounds down to the nearest integer of the number enclosed within the sign, while “%” represents a remainder operator. The three Latin cubes are reused in the following form to permute the diffused bit-cube V

$$\{\begin{array}{ll}C(x, y, z)=V\left(L_2\right(x, y, z), L_3(x, y, z), L_1(x, y, z\left)\right), & \mathrm{if} t=0,\\ C(x, y, z)=V\left(L_3\right(x, y, z), L_1(x, y, z), L_2(x, y, z\left)\right), & \mathrm{otherwise}.\end{array}$$

(9)

In Equation (9),$\mathbf{C}=\left[C\right(x, y, z)|x, y, z=0, 1,\dots , N-1]$represents the resulting bit-cube of the post-permutation phase. Finally, reshape C into an 8-bit cipher image with H × W resolution.

Decryption is composed of the inverse encryption operations, which are organized in a reverse order.

3. Cryptanalysis

In this section, we first summarize the existing vulnerabilities of the TIC [13] from four aspects. Then, inspired by the chosen-plaintext attack, we propose an efficient reference-validation inference algorithm to break the random mapping sequence, and design screening-based rules to determine the keys of the orthogonal Latin cubes. In total, our cryptanalysis algorithm requires only$\sqrt[3]{8\times H\times W}+3$pairs of chosen plain-cipher images to break the TIC [13], where H and W represent the image’s height and width, respectively.

3.1. Vulnerability Analysis

Although Xu and Tian [13] conducted various security tests, there still exist four fatal vulnerabilities in their image cryptosystem. First, the process of generating the chaotic sequence r is independent of the plain image, so that an attacker can arbitrarily fabricate desired plain images without influencing r. Second, the diffusion phase, as shown in Equation (6), fundamentally inherits from the traditional CBC mode. This means that modifying one bit in the plain image may only affect a small part of the diffused bits. In such circumstance, an attacker can mine useful information, for example the number of unchanged bits, to infer the random mapping sequence s. Third, the initial value of the diffusion phase is set to v(−1) = 0 without introducing any cryptography mechanism. This flaw somewhat eases the cryptanalysis task. Fourth, the post-permutation phase, as shown in Equation (9), fails to conceal the statistical information of V. This enables an attacker to bypass the post-permutation phase and to calculate the equivalent CPV directly from the cipher images.

Kerckhoffs’s principle, which lies at the core of cryptanalysis, sets forth that the security of a cryptosystem relies only on the keys, rather than on the details of the encryption/decryption algorithm. In other words, the encryption/decryption details, e.g., the coordinate transformations between 1D and 3D as shown in Equations (5) and (8), are all open knowledge. In summary, the task of breaking the TIC [13] is equivalent to reconstructing the key-based information, including the random mapping sequence s (which is controlled by the keys κ and μ), and the three orthogonal Latin cubes L₁, L₂, and L₃ (which are controlled by the keys α, β, and γ).

Hereafter, we act as an attacker and use the existing vulnerabilities to break the TIC [13]. In Section 3.2, we ascertain what controls the CPV and propose a reference-validation inference algorithm to reconstruct s. In Section 3.3, we turn to design screening-based rules to determine the keys α, β, and γ.

3.2. Reference-Validation Inference Algorithm

3.2.1. Simplify the Pre-Permutation Phase

As discussed in [22], some special coordinates in the plain bit-cube P can be used to simplify the pre-permutation phase. When substituting s(x) = s(y) = 0 into Equation (2), we have L₁(x, y, z) = L₂(x, y, z) = L₃(x, y, z) = s(z). Then, the pre-permutation phase, as shown in Equations (2) and (3), can be rewritten as

U(x, y, z) = P(s(z), s(z), s(z)),

(10)

in which s(z) must be an integer lying in the interval [0, N − 1]. Here, we introduce a new notation s⁻¹(·) to represent the inverse of s(·), and further formulate Equation (10), giving

U(s⁻¹(0), s⁻¹(0), s⁻¹(n)) = P(n, n, n),

(11)

where the coordinate (n, n, n) is located at the diagonal of P. In other words, as long as we visit the diagonal bits of P, the original pre-permutation phase can be simplified to Equation (11). This paves the way for inferring the mapping relations between s⁻¹(n) and n. As doing so, reconstructing s is trivial since s⁻¹(·) belongs to a bijective mapping.

To this end, the first step is to choose the plain images, which can simplify the pre-permutation phase according to Equation (11). We create N plain bit-cubes by modifying the diagonal bits of P in turn. This procedure is described as follows

$$P_n^{\prime }(x, y, z)=\{\begin{array}{ll}1-P(x, y, z) & \mathrm{if} x=y=z=n, \\ P(x, y, z)& \mathrm{otherwise}, \end{array}$$

(12)

where n = 0, 1, ⋯, N − 1. The notation${ \mathbf{P}}_n^{\prime }={[P}_n^{\prime }(x, y, z)|x, y, z = 0, 1, \cdots , N-1]$represents the nth created plain bit-cube. Clearly, the only one different bit between P and${ \mathsf{P}}_n^{\prime }$is located at the coordinate (n, n, n). As discussed above, modifying bit values in P will not influence the chaotic behaviors of the Logistic map so that all these plain bit-cubes, namely P and${ \mathsf{P}}_n^{\prime }$, share the same s. This provides us with the opportunity to break the random mapping sequence s by the chosen-plaintext attack. For the convenience of presentation, we shall attach a prime superscript on the letter to signify the intermediate encryption result of${ \mathsf{P}}_n^{\prime }$. For example, the symbols${ \mathsf{U}}_n^{\prime }$,${ \mathsf{V}}_n^{\prime }$,${ \mathsf{C}}_n^{\prime }$correspond to the pre-permutated, the diffused and the post-permutated version of${ \mathsf{P}}_n^{\prime }$, respectively.

Feeding${ \mathsf{P}}_n^{\prime }$into the TIC [13], we can obtain the post-permutated bit-cube${ \mathsf{C}}_n^{\prime }$. The new CPV, denoted by$t_n^{\prime }$, can be directly computed from${\mathsf{C}}_n^{\prime }$even without knowing${\mathsf{V}}_n^{\prime }$because the post-permutation phase does not affect any bit values. According to whether$t_n^{\prime }=t$or$t_n^{\prime }\ne t$, the N pairs of chosen plain-cipher images can be divided into CPV-preserving and CPV-changing groups. The two kinds of groups will be tackled through different strategies, as will be presented below.

3.2.2. CPV-Preserving Group

When${ t}_n^{\prime }=t$, the bit-cubes C and${ \mathsf{C}}_n^{\prime }$have undergone the same post-permutation phase, as shown in Equation (9), so that we can directly apply the bit-wise XOR operator to them. Calculate a differential bit-cube${\mathsf{D}}_n=\mathsf{C} ⨁{ \mathsf{C}}_n^{\prime }$, and count the total number of 1s in${\mathsf{D}}_n$. Let$d_n$be the counting result. Since the diffusion phase, as shown in Equation (6), belongs to the weak CBC mode, a modified bit in${\mathsf{u}}_n^{\prime }$will affect the diffused sequence${\mathsf{v}}_n^{\prime }$starting from the landmark position and propagating the influence of the modification along the way forward to the end, as illustrated in Figure 2. Here, the landmark position, denoted by${lp}_n$, plays a dual role. On one hand, it corresponds to the flipped bit in$u_n^{\prime }$and to the modified bit in${ \mathsf{P}}_n^{\prime }$at the coordinate (n, n, n), as indicated by the dotted arrow in Figure 2. Hence, the landmark position${lp}_n$can be represented by

$${lp}_n={ s}^{-1}\left(0\right)\times N^2+s^{-1}\left(0\right)\times N+s^{-1}\left(n\right).$$

(13)

Equation (13) is a 3D-to-1D coordinate transformation, which instantiates Equation (5) by using (s⁻¹(0), s⁻¹(0), s⁻¹(n)) for (x, y, z). On the other hand, the landmark position can reflect the number of flipped bits in${ \mathsf{v}}_n^{\prime }$, denoted by$h_n$, taking the following form:

$${lp}_n=N^3-h_n,$$

(14)

where${ N}^3$is the total number of bits. As illustrated in Figure 2, when${ t}_n^{\prime }=t$holds, the number of flipped bits$h_n$can be exposed by counting the number of 1s in ${\mathsf{D}}_n$, namely that the equation$h_n=d_n$holds. Substitute for${lp}_n$in Equation (13) using Equation (14) and apply the 1D-to-3D coordinate transformation, giving

$$\{\begin{array}{l}{s}^{-1}\left(0\right)=⎣{(N}^3-h_0)/N^2⎦=⎣{(N}^3-h_0)/N⎦\%N,\\ s^{-1}{\left(n\right)=(N}^3-h_n)\%N. \end{array}$$

(15)

Equation (15) establishes the relationship between s⁻¹(n) and$h_n$. Based on this relationship, we can readily determine the mapping relations s⁻¹(·) due to the one-to-one correspondence between$h_n$and n.

3.2.3. What Controls the CPV

It is worth ascertaining what controls the CPV and how many pairs of chosen plain-cipher images in the CPV-preserving and CPV-changing groups, respectively. The following three propositions comprehensively assert that the last term in Equation (13), namely s⁻¹(n), controls the CPV.

Proposition 1. 

If the number of flipped bits, namely$h_n$, is even, then$t_n^{\prime }=t$. Otherwise$t_n^{\prime }\ne t$.

Proof. 

Clearly, the flipped bits in${\mathsf{v}}_n^{\prime }$, as marked by red ink in Figure 2, are the sources of changing the CPV. Hence, in this proof, we only focus on the flipped part that consists of$h_n$bits. Suppose that$h_n=h_n^{(1\to 0)}+h_n^{(0\to 1)}$, where${ h}_n^{(1\to 0)}$(and${ h}_n^{(0\to 1)}$) denotes the number of 1s (and 0s) being flipped to 0 (and 1) caused by the one bit modification at the landmark position.

If$h_n$is even, we will encounter one of the following two cases: (1) both$h_n^{(1\to 0)}$and$h_n^{(0\to 1)}$are even; (2) both$h_n^{(1\to 0)}$and$h_n^{(0\to 1)}$are odd. In both cases,$h_n^{(1\to 0)}$and$h_n^{(0\to 1)}$share the same parity so that flipping$h_n$ bits will not change the CPV.

On the contrary, if$h_n$is odd, the two cases become: (1)$h_n^{(1\to 0)}$is odd while$h_n^{(0\to 1)}$is even; (2)$h_n^{(1\to 0)}$is even while$h_n^{(0\to 1)}$is odd. In both cases,$h_n^{(1\to 0)}$and$h_n^{(0\to 1)}$possess the opposite parity. This means that the number of 1s in the to-be-flipped part of v will be changed from an odd integer to an even integer for case (1), and from an even integer to an odd integer for case (2). Consequently, if$h_n$is odd,$t_n^{\prime }$is necessarily opposite to t. □

Proposition 2. 

If the landmark position${lp}_n$is even, then$t_n^{\prime }=t$. Otherwise${ t}_n^{\prime }\ne t$.

Proof. 

Equation (14) establishes the relationship between$h_n$and${lp}_n$, in which$N^3=W\times H\times 8$is even because it is a multiple of 8. Due to this evenness, Equation (14) forces$h_n$and${lp}_n$to share the same parity. Consequently, the landmark position${lp}_n$, just like$h_n$, controls the CPV. □

Proposition 3. 

Ifs⁻¹(n) is even, then$t_n^{\prime }=t$. Otherwise${ t}_n^{\prime }\ne t$.

Proof. 

Since$N^3=W\times H\times 8$,$N=2·{(W\times H)}^{1/3}$and$N^2=4·{(W\times H)}^{2/3}$are multiples of even integers, they must be even. Similarly, the first and second terms on the right-hand side of Equation (13) must be even as well because they take N and N² as multipliers. The remaining two terms, namely${lp}_n$and s⁻¹(n), are therefore forced to share the same parity. Consequently, s⁻¹(n) exactly plays the same role as${lp}_n$and$h_n$in controlling the CPV. □

Since s⁻¹(·) must be an integer lying in the interval [0, N − 1], half CPVs$t_n^{\prime }$will remain unchanged when s⁻¹(n) is even, while the remaining half ones are opposite to t when s⁻¹(n) is odd. When$t_n^{\prime }=t$, we determine$h_n$by counting the number of 1s in${ \mathsf{D}}_n$, and then calculate s⁻¹(n) by using Equation (15). When$t_n^{\prime }\ne t$, V and${\mathsf{V}}_n^{\prime }$will be permuted by different ways, as shown in Equation (9), so that it is meaningless to calculate the bit-wise XOR of C and${ \mathsf{C}}_n^{\prime }$. To alleviate this problem, we propose a reference-validation inference algorithm that requires only two additional pairs of chosen plain-cipher images to determine the mapping relations between s⁻¹(n) and n for the CPV-changing group. See details in the next three subsections.

For future convenience, we define two index sets${\mathcal{N}}^{=}$and${\mathcal{N}}^{\ne }$with the same cardinality$N/2$. The former consists precisely of the indices n for which$t_n^{\prime }=t$ is true. Members of the latter are the indices n for which$t_n^{\prime }\ne t$is true. Properties of the CPV-preserving and CPV-changing groups are summarized in

Table 1. Properties of the CPV (cipher-parity value)-preserving and CPV-changing groups.

	CPV	${\mathit{h}}_{\mathit{n}}$	${\mathit{l}\mathit{p}}_{\mathit{n}}$	s−1(n)	Size
CPV-preserving group	$t_n^{\prime }=t$	even	even	even	$\left|{\mathcal{N}}^{=}\right|=N/2$
CPV-changing group	$t_n^{\prime }\ne t$	odd	odd	odd	$\left|{\mathcal{N}}^{\ne }\right|=N/2$

for ease of comparison.

3.2.4. Pair of Reference Plain-Cipher Images

When$t_n^{\prime }\ne t$,${\mathsf{D}}_n=\mathsf{C} ⨁{ \mathsf{C}}_n^{\prime }$where$n\in {\mathcal{N}}^{\ne }$, is no longer informative because the number of 1s in${\mathsf{D}}_n$does not reflect the number of flipped bits in${\mathsf{C}}_n^{\prime }$. We shall resort to another means to measure$h_n$. The reference-validation inference algorithm fulfills this need through the following three steps

• [step-1]: using a pair of reference plain-cipher images to detect leftmost and rightmost landmark positions for the CPV-changing group (discussed in this subsection);
• [step-2]: using a pair of validation plain-cipher images to determine the index $n\in {\mathcal{N}}^{\ne }$, whose${lp}_n$corresponds to the leftmost landmark position (discussed in Section 3.2.5);
• [step-3]: using the leftmost landmark position to measure$h_n$, where n$\in {\mathcal{N}}^{\ne }$ (discussed in Section 3.2.6).

To achieve step-1, we create the reference plain bit-cube by simultaneously modifying three diagonal bits of P

$$P^{\mathrm{ref}}(x, y, z)=\{\begin{array}{ll}1-P(x, y, z) & {\mathrm{if} x=y=z=n}^{\mathrm{left}}, \\ 1-P(x, y, z) & {\mathrm{if} x=y=z=n}^{\mathrm{mid}}, \\ 1-P(x, y, z) & {\mathrm{if} x=y=z=n}^{\mathrm{right}}, \\ P(x, y, z)& \mathrm{otherwise}, \end{array}$$

(16)

where${\mathsf{P}}^{\mathrm{ref}}=\left[P^{\mathrm{ref}}(x, y, z)|x, y, z=0, 1, \cdots , N-1\right]$denotes the reference plain bit-cube. Hereafter, a letter with the “ref” superscript, such as${\mathsf{V}}^{\mathrm{ref}}$or${\mathsf{C}}^{\mathrm{ref}}$, signifies the intermediate encryption result of${\mathsf{P}}^{\mathrm{ref}}$. Most importantly, the three indices, namely$n^{\mathrm{left}}$,$n^{\mathrm{mid}}$and$n^{\mathrm{right}}$, are constrained to satisfy the following two requirements

(i)

$n^{\mathrm{left}}$and$n^{\mathrm{right}}$are selected from${\mathcal{N}}^{\ne }$while$n^{\mathrm{mid}}$comes from${\mathcal{N}}^{=}$;

(ii)

the corresponding three landmark positions satisfy the inequality${lp}_{n^{\mathrm{left}}}<{lp}_{n^{\mathrm{mid}}}<{lp}_{n^{\mathrm{right}}}$.

The requirement (i) implies that${\mathsf{P}}^{\mathrm{ref}}$provides a bridge between the CPV-preserving and CPV-changing groups. The requirement (ii) ensures that the new CPV, denoted by$t^{\mathrm{ref}}$, equals t. The reason for this is presented below. Since${lp}_{n^{\mathrm{left}}}<{lp}_{n^{\mathrm{mid}}}<{lp}_{n^{\mathrm{right}}}$, one bit modification will affect${\mathsf{v}}^{\mathrm{ref}}$starting from${lp}_{n^{\mathrm{left}}}$and ending at${lp}_{n^{\mathrm{mid}}}$. The flipped bits appear once again starting from${lp}_{n^{\mathrm{right}}}$until the end of the last bit of${\mathsf{v}}^{\mathrm{ref}}$. As illustrated in Figure 3, the flipped bits (red ink) are separated into two parts in${ \mathsf{v}}^{\mathrm{ref}}$. The number of flipped bits in${\mathsf{v}}^{\mathrm{ref}}$, denoted by$h^{\mathrm{ref}}$, can be represented by

$$h^{\mathrm{ref}}={(N}^3-{lp}_{n^{\mathrm{left}}})-{(N}^3-{lp}_{n^{\mathrm{mid}}})+{(N}^3-{lp}_{n^{\mathrm{right}}})=N^3-{lp}_{n^{\mathrm{left}}}+{lp}_{n^{\mathrm{mid}}}-{lp}_{n^{\mathrm{right}}},$$

(17)

where$N^3$is an even integer. Moreover, both${lp}_{n^{\mathrm{left}}}$and${lp}_{n^{\mathrm{right}}}$are odd because the indices $n^{\mathrm{left}}$and $n^{\mathrm{right}}$belong to${\mathcal{N}}^{\ne }$. Conversely, the landmark position${lp}_{n^{\mathrm{mid}}}$is even since$n^{\mathrm{mid}}\in {\mathcal{N}}^{=}$. As shown in (17), the expression for$h^{\mathrm{ref}}$contains two even items and two odd items, so that$h^{\mathrm{ref}}$must be even. Thus, the evenness of$h^{\mathrm{ref}}$ensures that$t^{\mathrm{ref}}=t$according to Proposition 1.

To meet the two requirements, we design the following procedures for selecting the three indices. First, define a new differential bit-cube${\mathsf{D}}_{m,n}^{\prime }={\mathsf{C}}_m^{\prime } ⨁{ \mathsf{C}}_n^{\prime }$, where both m and n come from${\mathcal{N}}^{\ne }$, and we have$t_m^{\prime }=t_n^{\prime } \ne t$. The number of 1s in${ \mathsf{D}}_{m,n}^{\prime }$, denoted by$d_{m,n}^{\prime }$, is informative in providing the distance between${lp}_m$and${lp}_n$, giving

$$d_{m,n}^{\prime }=\left|{lp}_m-{lp}_n\right|.$$

(18)

Traverse all possible combinations {m, n} and calculate$d_{m,n}^{\prime }$. Search the combination that gives the maximum value in (18). That is

$$m^{\ne }{,n}^{\ne }=\underset{m,n}{\mathrm{argmax}} d_{m,n}^{\prime }, \mathrm{for} m\in {\mathcal{N}}^{\ne } \mathrm{and} n\in {\mathcal{N}}^{\ne },$$

(19)

where we stipulate that$m^{\ne }<n^{\ne }$. Next, traverse all indices$n\in {\mathcal{N}}^{=}$and select the one whose landmark position is the median. That is

$$n^{=}=\underset{n}{\mathrm{argmed}} d_n, \mathrm{for} n\in {\mathcal{N}}^{=}.$$

(20)

It is worth mentioning that the traversal operations used above are computationally feasible for${\mathcal{N}}^{=}$and${\mathcal{N}}^{\ne }$. This is because the cardinality of${\mathcal{N}}^{=}$(and${\mathcal{N}}^{\ne }$) equals$N/2$, which is a negligible number compared with the size of key space.

Clearly,$n^{\mathrm{mid}}$is set to$n^{=}$. However, there exist two candidate settings, which, in this paper, are called null and alternative hypotheses, respectively. The null hypothesis is that$n^{\mathrm{left}}=m^{\ne }$and$n^{\mathrm{right}}=n^{\ne }$. The alternative hypothesis is that$n^{\mathrm{left}}=n^{\ne }$and$n^{\mathrm{right}}=m^{\ne }$. Which of these two hypotheses is true will be determined by using the pair of validation plain-cipher images, as will be discussed later. At this moment, we break the tie by taking the null hypothesis as a provisional setting.

With these preparations, we detect the leftmost and rightmost landmark positions as follows. First, the equality$t^{\mathrm{ref}}=t$enables us to define a reference differential bit cube${\mathsf{D}}^{\mathrm{ref}}$by applying the bit-wise XOR operator to C and${\mathsf{C}}^{\mathrm{ref}}$, namely${\mathsf{D}}^{\mathrm{ref}}=\mathsf{C} ⨁{ \mathsf{C}}^{\mathrm{ref}}$. The number of 1s in${\mathsf{D}}^{\mathrm{ref}}$, denoted by$d^{\mathrm{ref}}$, equals$h^{\mathrm{ref}}$. That is

$$d^{\mathrm{ref}}=h^{\mathrm{ref}}=N^3-{lp}_{n^{\mathrm{left}}}+{lp}_{n^{\mathrm{mid}}}-{lp}_{n^{\mathrm{right}}}$$

(21)

in which the middle landmark position${lp}_{n^{\mathrm{mid}}}$is known, whose value has been calculated in the last subsection. Further reformulate Equation (21) as follows

$${lp}_{n^{\mathrm{right}}}+{lp}_{n^{\mathrm{left}}}=N^3+{lp}_{n^{\mathrm{mid}}}-d^{\mathrm{ref}},$$

(22)

where all unknowns are gathered on the left-hand side while the terms on the right-hand side are all accessible. Then, the distance between${lp}_{n^{\mathrm{right}}}$and${lp}_{n^{\mathrm{left}}}$can be calculated according to Equation (18), giving

$${lp}_{n^{\mathrm{right}}}-{lp}_{n^{\mathrm{left}}}=d_{n^{\mathrm{left}}{,n}^{\mathrm{right}}}^{\prime },$$

(23)

where the absolute value sign has been removed because${lp}_{n^{\mathrm{right}}}$must be greater than${lp}_{n^{\mathrm{left}}}$. Combining Equations (22) and (23), we can obtain the solutions for${lp}_{n^{\mathrm{left}}}$and${lp}_{n^{\mathrm{right}}}$.

3.2.5. Pair of Validation Plain-Cipher Images

In this subsection, we conduct the hypothesis testing to determine the true values of$n^{\mathrm{left}}$and $n^{\mathrm{right}}$from the two candidates$m^{\ne }$and$n^{\ne }$. The null hypothesis is that$n^{\mathrm{left}}=m^{\ne }$and$n^{\mathrm{right}}=n^{\ne }$, which has been considered as a provisional setting. The alternative hypothesis is that$n^{\mathrm{left}}=n^{\ne }$and$n^{\mathrm{right}}=m^{\ne }$. To this end, we create the validation plain bit-cube, denoted by${\mathsf{P}}^{\mathrm{val}}$, by simultaneously modifying three bits at the diagonal of P

$$P^{\mathrm{val}}(x,y,z)=\{\begin{array}{ll}1-P(x,y,z)& \mathrm{if}x=y=z={\tilde{n}}^{\mathrm{left} }\\ 1-P(x,y,z)& \mathrm{if}x=y=z={\tilde{n}}^{\mathrm{mid} }\\ 1-P(x,y,z)& \mathrm{if}x=y=z={\tilde{n}}^{\mathrm{right} }\\ P(x,y,z)& \mathrm{otherwise}\end{array}$$

(24)

where$P^{\mathrm{val}}(x, y, z)$is the element of${\mathsf{P}}^{\mathrm{val}}$at the coordinate (x, y, z). Accordingly, a letter with the “val” superscript, such as${\mathsf{V}}^{\mathrm{val}}$or${\mathsf{C}}^{\mathrm{val}}$, signifies the intermediate encryption result of${\mathsf{P}}^{\mathrm{val}}$. The indices ${\tilde{n}}^{\mathrm{left}}$ and ${\tilde{n}}^{\mathrm{mid}}$ are set as before, namely that ${\tilde{n}}^{\mathrm{left}}=m^{\ne }$ and ${\tilde{n}}^{\mathrm{mid}}=n^{=}$. However, ${\tilde{n}}^{\mathrm{right}}$ is set as follows

$${\tilde{n}}^{\mathrm{right}}={\tilde{n}}^{\ne }=\underset{n}{\mathrm{argmax}} d_{m^{\ne },n}^{\prime }, \mathrm{for}n\in {\mathcal{N}}^{\ne }\backslash \left\{m^{\ne },n^{\ne }\right\}.$$

(25)

Recall that Equation (19) seeks the two indices$m^{\ne }$and$n^{\ne }$that maximize$d_{m,n}^{\prime }$. Here, Equation (25) leaves$m^{\ne }$unchanged and seeks a new index${\tilde{n}}^{\ne }$so that the distance between${lp}_{m^{\ne }}$and${lp}_{m^{\ne }}$reaches the second largest value.

Since the new indices ${\tilde{n}}^{\mathrm{left}}$, ${\tilde{n}}^{\mathrm{mid}}$ and ${\tilde{n}}^{\mathrm{right}}$ still satisfy the requirements (i) and (ii),${\mathsf{C}}^{\mathrm{val}}$and${\mathsf{C}}^{\mathrm{ref}}$are constrained to share the same CPV. We have$t^{\mathrm{val}}=t^{\mathrm{ref}}=t$. This allows us to define a differential bit cube${\mathsf{D}}^{\mathrm{val}}=\mathsf{C} ⨁{ \mathsf{C}}^{\mathrm{val}}$. Let$d^{\mathrm{val}}$denote the number of 1s in${ \mathsf{D}}^{\mathrm{val}}$. As done before, we can get the solutions for $l{p}_{{\tilde{n}}^{\mathrm{left}}}$ and $l{p}_{{\tilde{n}}^{\mathrm{right}}}$, where$d^{\mathrm{val}}$instead of$d^{\mathrm{ref}}$is used in Equation (22). As illustrated in Figure 4, if $l{p}_{{\tilde{n}}^{\mathrm{left}}}=l{p}_{n^{\mathrm{left}}}$ and $l{p}_{{\tilde{n}}^{\mathrm{right}}}\ne l{p}_{n^{\mathrm{right}}}$, accept the null hypothesis. Otherwise, accept the alternative hypothesis.

3.2.6. CPV-Changing Group

From the CPV-changing group, the leftmost landmark position${lp}_{n^{\mathrm{left}}}$plays a key role in determining the mapping relations between s⁻¹(n) and n. Specifically, we state that the index$n^{\mathrm{left}}$satisfies the following equation

$$n^{\mathrm{left}}=\underset{n}{\mathrm{argmin}} {lp}_n, \mathrm{for} n\in {\mathcal{N}}^{\ne }.$$

(26)

Equipped with this property, we can remove the absolute value sign in Equation (18), and represent the unknown landmark positions through

$${lp}_n={lp}_{n^{\mathrm{left}}}+d_{n^{\mathrm{left}},n}^{\prime },$$

(27)

where$d_{n^{\mathrm{left}},n}^{\prime }$representing the number of 1s in${\mathsf{D}}_{n^{\mathrm{left}},n}^{\prime }$, has been calculated in Equation (19). Traverse each member n$\in {\mathcal{N}}^{\ne }$, look up$d_{n^{\mathrm{left}},n}^{\prime }$in turn, and use Equation (27) to get${lp}_n$. Doing so exposes all landmark positions for the parity-changing group. Further, exploit Equations (14) and (15) to determine the mapping relations between s⁻¹(n) and n, where$n\in {\mathcal{N}}^{\ne }$. So far, all s⁻¹(n), where n = 0, 1, …, N − 1, has been obtained, enabling us to reconstruct the random mapping sequence s even without knowing the keys κ and μ.

3.3. Screening-Based Rules

The pre-permutation phase is based on the three orthogonal Latin cubes, as shown in Equation (2), which belong essentially to quadratic equations over the ring$\mathbb{Z}/N\mathbb{Z}$. The keys, namely α, β, and γ, can be regarded as unknown variables from the perspective of cryptanalysis. Under the condition that s has been reconstructed, the three shared factors, namely s(x), s(y), and s(z), can be exposed by the chosen-plaintext attack. In other words, s(x), s(y), and s(z) are viewed as known variables of the quadratic equations in this subsection. However, there may exist multiple groups of the shared factors due to the uncertainty of the CPV. We design screening-based rules to eliminate the uncertainty, paving the way for breaking α, β, and γ.

To this end, we need to create two plain bit-cubes${\mathsf{P}}_0^{″}$and${ \mathsf{P}}_1^{″}$by modifying the bits at the coordinates (L₁(x₀, y₀, z₀), L₂(x₀, y₀, z₀), L₃(x₀, y₀, z₀)) and (L₁(x₁, y₁, z₁), L₂(x₁, y₁, z₁), L₃(x₁, y₁, z₁)), respectively. The coordinates are substituted into the left-hand side of Equation (2). To effectively solve the quadratic equations, we choose the coordinates obeying the following three conditions [24]. First, L₁(x₀, y₀, z₀) = L₂(x₀, y₀, z₀) ≠ L₃(x₀, y₀, z₀) and L₁(x₁, y₁, z₁) ≠ L₂(x₁, y₁, z₁) = L₃(x₁, y₁, z₁). Second, L₂(x₀, y₀, z₀) = L₂(x₁, y₁, z₁). Third, all these values are integers taken from the interval [0, N − 1].

Feed${ \mathsf{P}}_m^{″}$into the TIC [13]. Obtain${\mathsf{C}}_m^{″}$and$t_m^{″}$, where$m=0, 1$. The number of the flipped bits in${ C}_m^{″}$, denoted by$h_m^{″}$, is the key information to expose s(x_m), s(y_m) and s(z_m). Instantiate Equation (8) by using$h_m^{″}$, giving

$$\{\begin{array}{l}{s}^{-1}\left(x_m\right)=⎣h_m^{″}/N^2⎦, \\ s^{-1}\left(y_m\right)=⎣h_m^{″}/N⎦\%N, \\ s^{-1}\left(z_m\right)=h_m^{″}\%N, \end{array}$$

(28)

all of which can be readily converted into s(x_m), s(y_m) and s(z_m) by using the knowledge of s.

However, it is not trivial to obtain$h_m^{″}$. We shall first check whether$t_m^{″}$equals t or not. If$t_m^{″}=t$, calculate a differential bit-cube${\mathsf{D}}_m^{″}=\mathsf{C} ⨁{ \mathsf{C}}_m^{″}$, and then count the number of 1s in${ \mathsf{D}}_m^{″}$, denoted by$d_m^{″}$. Similar to the CPV-preserving group, we have$h_m^{″}=d_m^{″}$. If$t_m^{″}\ne t$, we select an index n from${\mathcal{N}}^{\ne }$and have$t_m^{″}=t_n^{\prime }\ne t$. In this case,${\mathsf{D}}_m^{″}$should be defined as${\mathsf{D}}_m^{″}={\mathsf{C}}_n^{\prime } ⨁{ \mathsf{C}}_m^{″}$, and$d_m^{″}$represents the distance between${lp}_m$and${lp}_n$. Similar to Equation (18), we have

$$d_m^{″}=\left|{lp}_m-{lp}_n\right|,$$

(29)

where the absolute value sign is necessary. The reason for this is presented as follows. In this subsection, the coordinates no longer lie on the diagonal of P, meaning that the pre-permutation phase cannot be simplified. As a result, the statement that${lp}_{n^{\mathrm{left}}}$(${lp}_{n^{\mathrm{right}}}$) is located at the leftmost (rightmost) side is no longer true. For an arbitrarily selected$n\in {\mathcal{N}}^{\ne }$, its landmark position${lp}_n$may be located at the left or right side of${lp}_m$.

According to Equation (14),${lp}_m$and${lp}_n$can be expressed as$N^3-h_m^{″}$and$N^3-h_n$, respectively. Based on this expression, we can rewrite Equation (29) in the form

$$h_m^{″}=h_n\pm d_m^{″},$$

(30)

where both$h_n$and$d_m^{″}$are accessible. Equation (30) means that, when$t_m^{″}\ne t$, the calculation of$h_m^{″}$ involves uncertainty, resulting in two possible values. Accordingly, by using Equation (28) and the knowledge of s, we may obtain two groups of the shared factors, denoted by {s⁺(x_m), s⁺(y_m), s⁺(z_m)} and {s⁻(x_m), s⁻(y_m), s⁻(z_m)}, respectively. Here, the superscripts are intended to signify which of the two operators “+” and “−” is used during the calculation of$h_m^{″}$. Since it is difficult to forecast the CPV at the stage of creating${\mathsf{P}}_0^{″}$and${\mathsf{P}}_1^{″}$, we would have to consider following three cases, and design screening-based rules separately to determine the real solutions of α, β, and γ.

The first case, indicated by “case 1” in Figure 5, occurs when$t_0^{″}=t$and$t_1^{″}=t$. In this case, we obtain that$h_0^{″}=d_0^{″}$and$h_1^{″}=d_1^{″}$without uncertainty, meaning that the shared factors {s(x₀), s(y₀), s(z₀)} and {s(x₁), s(y₁), s(z₁)} are both authentic. Therefore, the quadratic equations can be written as

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0)=L_2(x_0, y_0, z_0)={\chi }_0^2{\times s\left(x_0\right)+\chi }_0\times s\left(y_0\right)+s\left(z_0\right)\\ L_2(x_1, y_1, z_1)=L_3(x_1, y_1, z_1)={\chi }_1^2{\times s\left(x_1\right)+\chi }_1\times s\left(y_1\right)+s\left(z_1\right)\end{array}$$

(31)

where${\chi }_0$and${\chi }_1$are used here to represent the unknown variables in Equation (2). Solve Equation (31) over the ring$\mathbb{Z}/N\mathbb{Z}$ and obtain${\chi }_0=\left\{{\chi }_0{\left(0\right), \chi }_0\left(1\right)\right\}$and${\chi }_1=\left\{{\chi }_1{\left(0\right), \chi }_1\left(1\right)\right\}$, each of which must contain two real solutions due to the authenticity of the shared factors [24]. For this case, the screening-based rule is to assign$\beta ={\chi }_0\cap {\chi }_1$,$\alpha ={\chi }_0\backslash \left\{\beta \right\}$, and$\gamma ={\chi }_1\backslash \left\{\beta \right\}$, which directly breaks the keys.

The second case, indicated by “case 2” in Figure 5, occurs when$t_0^{″}=t$but$t_1^{″}\ne t$(or equivalently$t_0^{″}\ne t$but$t_1^{″}=t$). In this case, {s(x₀), s(y₀), s(z₀)} is still authentic but we will obtain {s⁺(x₁), s⁺(y₁), s⁺(z₁)} and {s⁻(x₁), s⁻(y₁), s⁻(z₁)} due to the uncertainty of$h_1^{″}$. Hence, the quadratic equations take two possible forms

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0) = L_2(x_0, y_0, z_0) = {\chi }_0^2{ \times s\left(x_0\right) + \chi }_0\times s\left(y_0\right) + s\left(z_0\right)\\ L_2\left(x_1,y_1,z_1\right)=L_3\left(x_1,y_1,z_1\right)={\left({\chi }_1^{+}\right)}^2\times s^{+}\left(x_1\right)+{\chi }_1^{+}\times s^{+}\left(y_1\right)+s^{+}\left(z_1\right)\end{array}$$

(32)

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0) = L_2(x_0, y_0, z_0)={\chi }_0^2{ \times s\left(x_0\right) + \chi }_0\times s\left(y_0\right) + s\left(z_0\right)\\ L_2\left(x_1, y_1, z_1\right)=L_3\left(x_1, y_1, z_1\right)={\left({\chi }_1^{-}\right)}^2\times s^{-}\left(x_1\right)+{\chi }_1^{-}\times s^{-}\left(y_1\right)+s^{-}\left(z_1\right)\end{array}$$

(33)

Solving (32) yields${\chi }_0$and${\chi }_1^{+}$. Accordingly,${\chi }_0$and${\chi }_1^{-}$are the solutions of Equation (33). Due to its authenticity,${\chi }_0$can be used to screen out the real solution${\chi }_1$from${\chi }_1^{+}$and${\chi }_1^{-}$. Specifically, the screening-based rule is that, if${\chi }_0\cap {\chi }_1^{+}=\varnothing$, then${\chi }_1={\chi }_1^{-}$, otherwise${\chi }_1={\chi }_1^{+}$. In this way, the uncertainty can be eliminated, allowing us to smoothly break the keys as described before.

The third case, indicated by “case 3” in Figure 5, occurs when$t_0^{″}\ne t$and$t_1^{″}\ne t$. In this case, both$h_0^{″}$and$h_1^{″}$have two possible values, each of which generates two groups of the shared factors. Hence, the quadratic equations take one of the following four forms

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0)=L_2(x_0, y_0, z_0)={\left({\chi }_0^{+}\right)}^2\times s^{+}\left(x_0\right)+{\chi }_0^{+}\times s^{+}\left(y_0\right)+s^{+}\left(z_0\right)\\ L_2\left(x_1, y_1, z_1\right)=L_3\left(x_1, y_1, z_1\right)={\left({\chi }_1^{+}\right)}^2\times s^{+}\left(x_1\right)+{\chi }_1^{+}\times s^{+}\left(y_1\right)+s^{+}\left(z_1\right)\end{array}$$

(34)

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0)=L_2(x_0, y_0, z_0)={\left({\chi }_0^{+}\right)}^2\times s^{+}\left(x_0\right)+{\chi }_0^{+}\times s^{+}\left(y_0\right)+s^{+}\left(z_0\right)\\ L_2\left(x_1, y_1, z_1\right)=L_3\left(x_1, y_1, z_1\right)={\left({\chi }_1^{-}\right)}^2\times s^{-}\left(x_1\right)+{\chi }_1^{-}\times s^{-}\left(y_1\right)+s^{-}\left(z_1\right)\end{array}$$

(35)

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0)=L_2(x_0, y_0, z_0)={\left({\chi }_0^{-}\right)}^2\times s^{-}\left(x_0\right)+{\chi }_0^{-}\times s^{-}\left(y_0\right)+s^{-}\left(z_0\right)\\ L_2\left(x_1, y_1, z_1\right)=L_3\left(x_1, y_1, z_1\right)={\left({\chi }_1^{+}\right)}^2\times s^{+}\left(x_1\right)+{\chi }_1^{+}\times s^{+}\left(y_1\right)+s^{+}\left(z_1\right)\end{array}$$

(36)

$$\{ \begin{array}{l}{L}_1(x_0, y_0, z_0)=L_2(x_0, y_0, z_0)={\left({\chi }_0^{-}\right)}^2\times s^{-}\left(x_0\right)+{\chi }_0^{-}\times s^{-}\left(y_0\right)+s^{-}\left(z_0\right)\\ L_2\left(x_1, y_1, z_1\right)=L_3\left(x_1, y_1, z_1\right)={\left({\chi }_1^{-}\right)}^2\times s^{-}\left(x_1\right)+{\chi }_1^{-}\times s^{-}\left(y_1\right)+s^{-}\left(z_1\right)\end{array}$$

(37)

from which we explicitly obtain four groups of solutions, denoted by {${\chi }_0^{+}$,${\chi }_1^{+}$}, {${\chi }_0^{+}$,${\chi }_1^{-}$}, {${\chi }_0^{-}$,${\chi }_1^{+}$}, and {${\chi }_0^{-}$,${\chi }_1^{-}$}, respectively. Inspect each group, the screening-based rule makes the following judgement. If the intersection of the two solutions is empty, then the corresponding group will be discarded, otherwise, it must be the authentic one {${\chi }_0$,${\chi }_1$}. For example, if only the second group has a non-empty intersection, namely that${\chi }_0^{+}\cap {\chi }_1^{-}\ne \varnothing$, then we set${\chi }_0={\chi }_0^{+}$and${\chi }_1={\chi }_1^{-}$. By doing so, the double uncertainties can be eliminated as well.

Figure 5 shows a toy example that illustrates the screening-based rules for the three cases. Assume that n = 5 is selected from${\mathcal{N}}^{\ne }$, and the pair of chosen plain-cipher bit-cubes, namely${\mathsf{P}}_5^{\prime }$and ${\mathsf{C}}_5^{\prime }$, plays a role when$t_m^{″}\ne t$. Note that, since the shared factors may be incorrect, there exists empty solution, such as${\chi }_1^{+}$as shown in this example. The empty solution can be discarded directly.

3.4. Performance Analysis

In total, the proposed cryptanalysis algorithm requires$2\times \sqrt[3]{H\times W}+3$pairs of chosen plain-cipher images to break the TIC [13]. Compared with Zhang’s work [22] that requires$2.5\times \sqrt[3]{H\times W}+6$ pairs, our method is more efficient especially when the image has a high resolution. This merit is particularly useful when the number of admissible accesses to a TIC is limited.

To reconstruct s, the proposed reference-validation inference algorithm requires$2\times \sqrt[3]{H\times W}+1$ pairs of chosen plain-cipher bit-cubes. First, we need to create$2\times \sqrt[3]{H\times W}-1$plain bit-cubes${\mathsf{P}}_n^{\prime }$using Equation (12), where$n=1, 2, \cdots , N-1$. In practice, the plain bit-cube${ \mathsf{P}}_0^{\prime }$is needless because$s^{-1}\left(0\right)$ can be immediately derived from Equation (15) regardless of the value of n. Second, to tackle the CPV-changing group, we create a reference plain bit-cube${ \mathsf{P}}^{\mathrm{ref}}$using Equation (16) and a validation counterpart${\mathsf{P}}^{\mathrm{val}}$using Equation (24).

To break the keys α, β, and γ, Zhang’s work [22] requires two, four or six pairs of chosen plain-cipher images, respectively, to deal with the three cases described in the last section. Note that when evaluating the performance of a cryptanalysis algorithm, we always consider the worst bound that need the most computational consumptions. From this perspective, we state that six pairs are needed in Zhang’s work [22]. By contrast, the designed screening-based rules can eliminate the uncertainty in$h_m^{″}$ by fully mining the exclusion and intersection relationships between the group-wise solutions. Therefore, in our work, only two pairs of chosen plain-cipher images are sufficient to break the keys α, β, and γ, whichever case we encounter in practice.

Furthermore, the number of necessary pairs of chosen plain-cipher images can be treated as a constant with respect to the keys, the positions of chosen bits or the contents of plain images. This merit allows an attacker to accurately estimate the computational consumptions before launching the attacks. The experimental results in Section 4.3 will corroborate the above claims.

4. Experimental Results

In this section, we conduct simulation experiments and comparative studies to demonstrate the effectiveness and the superiority of the proposed cryptanalysis algorithm. The first experiment aims to exhibit the cryptanalysis results for five standard grayscale images. The second experiment tests the cryptanalysis performance for a camera-based natural scene image, showing the prospects for practical applications. The third experiment is devoted to the comparative studies, which demonstrates that our cryptanalysis algorithm requires fewer pairs of chosen plain-cipher images than Zhang’s work [22]. Following the setting in [13], we specify that the default keys are$\kappa =0.12345678912341$,$\mu =3.99999$,$\alpha =1$,$\beta =2$, and$\gamma =3$, respectively. Unless explicitly stated, the TIC [13] is governed by the default keys. All experiments are implemented on a desktop computer with a 2.90 GHz Intel i7-10700 central processing unit, 16.00 GB memory. The programming environment for simulations is Matlab R2017a installed on the Window 10 operation system.

4.1. Results of the Cryptanalysis Algorithm

Figure 6 shows the results for the first experiment. The first and second columns display the plain images and the corresponding cipher images obtained from the TIC [13], respectively. Five plain images are “Lena”, “Baboon”, “Testpat”, “Wedge”, and “Black”, all of which have the size of 512 × 512 × 1 (grayscale) and the side length N being equal to$\sqrt[3]{512 \times 512 \times 8}=128$. In this experiment, we first perform the proposed cryptanalysis algorithm for reconstructing s and breaking the keys α, β, and γ. Then, for each cipher image, perform the decryption algorithm of [13] governed by the broken information. In the third column of Figure 6, we provide the intermediate results, in which the cipher images are partially decrypted to counteract the post-permutation and diffusion phases (with the exception of the pre-permutation phase). The rightmost column shows the completely decrypted images. We see that these completely decrypted images are exactly the same as the plain images in the first column without any visual loss. For “Black”, however, the partial decryption can entirely reveal the visual information because “Black” is immune to the pre-permutation phase. As expected, the third column of Figure 6e is an all zero-valued image, which is the same as the plain image. This provides us with a new perspective to verify the correctness of our cryptanalysis algorithm on the basis of the intermediate results.

In the upper panel of each image, we append some auxiliary information, intended to provide qualitative and quantitative indicators for monitoring the progress and validating the correctness of our cryptanalysis algorithm. The auxiliary information includes CSBPs (cross-sectional bit-planes), LBP (local binary pattern) histograms, and corresponding entropy values calculated from the LBP histograms.

For qualitative comparisons, we select the front CSBP P(0, :, :), the middle CSBP P($N/2-1$, :, :), and the back CSBP P($N-1$, :, :) out of a given bit-cube P, where the colon operator returns a regularly-spaced vector [0, 1, …, $N-1$]. Intuitively, the CSBP can reflect the bit correlation in a given bit-cube. Observing the CSBPs of the plain images, we see that there exist regular LBPs, especially for “Testpat” and “Wedge”. In contrast, the cipher images’ CSBPs consist of pseudorandom LBPs, meaning that the regularity has been eliminated by the TIC [13]. Most importantly, by comparative observations, we find that the same regular LBPs reappear for the completely decrypted images, thereby verifying that the proposed cryptanalysis algorithm is capable of breaking the TIC [13].

In order to better characterize the regularity, we define a histogram that reflects the probability distribution of occurrence of eight LBPs in a CSBP. As shown in Figure 7, the horizontal axis of the histogram lists the eight LBPs, where three adjacent bits with different binary combinations are viewed as patterns. The vertical axis corresponds to the probability values. For clarity, we omit the captions of the axes when displaying the LBP histograms in the upper panel. Furthermore, to quantificationally measure the regularity, we calculate the entropy value from each LBP histogram. By comparison, we find that cipher images possess flatter LBP distributions and greater entropy values. This supports the statement that the LBPs for the cipher images have lower regularity. The LBP histograms in the fourth column of Figure 6 share the same shapes as those in the first column. Also, we obtain equal entropy values. These results demonstrate that the TIC [13] has been successfully broken by the proposed cryptanalysis algorithm.

Moreover, we conduct correlation analysis. The correlation coefficient can be viewed as a numerical indicator reflecting the consistency between the plain image and the completely decrypted image. In this experiment, we randomly select 10,000 pairs of adjacent pixels in horizontal, vertical, and diagonal directions from each image, and calculate the correlation coefficient$r_{pq}$as follows

$$r_{pq}=\frac{{{\displaystyle \sum }}_{l=1}^{{10}^4}{(p}_l-\mathbb{E}\left(\mathsf{p}\right))\times {(q}_l-\mathbb{E}\left(\mathsf{q}\right))}{\sqrt{{{\displaystyle \sum }}_{l=1}^{{10}^4}{{(p}_l-\mathbb{E}\left(\mathsf{p}\right))}^2}\sqrt{{{\displaystyle \sum }}_{l=1}^{{10}^4}{{(q}_l-\mathbb{E}\left(\mathsf{q}\right))}^2}},$$

(38)

where$p_l$and$q_l$consists of the lth pair of adjacent pixels, and$\mathbb{E}\left(\mathsf{p}\right)$stands for the expectation of$\mathsf{p}={\{p}_1, p_2,\cdots , p_{10000}\}$. The correlation coefficient$r_{pq}$lies in the interval$\left[-1, 1\right]$, and both 1 and −1 indicate the highest correlation while 0 no correlation. Particularly, we stipulate that$r_{pq}=\mathrm{NaN}$when$p_l=q_l=c$, where c is a constant, holds for all values of l.

Table 2. The numerical results for the correlation analysis.

IDs	Directions	Plain Image	Cipher Image	Decrypted Image
				Partially	Completely
Lena	horizontal	0.9740	−0.0004	−0.0057	0.9740
	vertical	0.9863	−0.0025	0.0069	0.9863
	diagonal	0.9612	−0.0041	−0.0030	0.9612
Baboon	horizontal	0.9334	0.0027	0.0182	0.9334
	vertical	0.9102	0.0145	−0.0116	0.9102
	diagonal	0.8635	0.0011	−0.0114	0.8635
Testpat	horizontal	0.7395	0.0060	−0.0152	0.7395
	vertical	0.7654	−0.0107	0.0127	0.7654
	diagonal	0.7320	0.0200	−0.0200	0.7320
Wedge	horizontal	0.9973	0.0003	−0.0144	0.9973
	vertical	0.9998	−0.0107	−0.0229	0.9998
	diagonal	0.9971	−0.0018	0.0051	0.9971
Black	horizontal	NaN	0.0030	NaN	NaN
	vertical	NaN	−0.0022	NaN	NaN
	diagonal	NaN	0.0039	NaN	NaN

lists the quantitative results. We find that the plain image and the completely decrypted image share the same correlation coefficients. For “Black”, the correlation coefficient of the partially decrypted image equals NaN because counteracting the post-permutation and diffusion phases is sufficient to recover the zero-valued pixels, giving$p_l=q_l =0$. These results also demonstrate the correctness of the proposed cryptanalysis algorithm.

4.2. Efficiency of the Cryptanalysis Algorithm

In this experiment, the goal is to demonstrate the effectiveness of our cryptanalysis algorithm under a real-life application scenario. To this end, we take a landscape photograph of our university campus as the plain image. It has three color channels with the spatial resolution of 1024 × 2048. Under different settings, the TIC [13] yields three cipher images, as shown in Figure 8b,d,f, respectively. In the first setting, the three channels of the plain image are separately encrypted with the same default keys. In the second setting, we introduce a tiny change into the default keys, and separately encrypt the three channels. In the third setting, the TIC [13] is governed by three different keys, and encrypts the three channels in turn. In our computing environment, the proposed cryptanalysis algorithm takes 86.43 s, 87.15 s and 267.58 s (about 89.19 s for each channel, on average), respectively, to complete the cryptanalysis task under the three settings. Figure 8c,e,g exhibit the cryptanalysis results, in which the decrypted images are the same as the plain image.

We summarize following two points from the above experimental results. First, the proposed cryptanalysis algorithm is of high efficiency for the camera-based natural scene image, showing the feasibility of deployment in some practical system. Second, the efficiency of the proposed cryptanalysis algorithm is relatively stable. The time-consuming data tell us that different keys have almost no effect on the efficiency.

4.3. Comparative Studies

Zhang’s work [22] also focuses on attacking the same TIC [13]. Compared with this work [22], the proposed cryptanalysis algorithm requires fewer pairs of chosen plain-cipher images. We conduct two comparative studies as follows.

In the first comparative study, we count how many pairs of chosen plain-cipher images are necessary to break the TIC [13]. Plain images are the same as those used in Figure 6. The experimental protocol consists of the following steps. Randomly set two coordinates (L₁(x_k, y_k, z_k), L₂(x_k, y_k, z_k), L₃(x_k, y_k, z_k)), where$k=0, 1$, according to the conditions mentioned in Section 3.3. Perform Zhang’s cryptanalysis algorithm [22] and the proposed one, respectively. Record the number of necessary pairs of chosen plain-cipher images. For each plain image, we repeat the above steps ten times, and finally calculate the average number of necessary pairs. Moreover, we consider the default keys and a new set of keys, intended to examine whether the performance of the cryptanalysis algorithms is sensitive to keys or not. The new keys are $\kappa =0.12345678912343$,$\mu =3.99998$,$\alpha =2$,$\beta =1$, and$\gamma =4$. Numerical results are listed in

Table 3. The numerical results for the first comparative study. The better results are highlighted by underlines.

IDs	Using Default Keys		Using New Keys
	Zhang’s Work [22]	Ours	Zhang’s Work [22]	Ours
Lena	164.0	131.0	164.0	131.0
Baboon	163.2	131.0	163.4	131.0
Testpat	163.6	131.0	163.6	131.0
Wedge	164.8	131.0	164.6	131.0
Black	163.6	131.0	164.0	131.0

.

For the plain images with the size of 512 × 512, the proposed cryptanalysis algorithm only requires 131 pairs of chosen plain-cipher images. By contrast, on average, 163.88 pairs are necessary for Zhang’s work [22]. Furthermore, as we see in Table 3, the numerical results in the columns titled by “Ours” are all the same. This demonstrates that different keys, positions of chosen bits and contents of plain images will not affect the performance of our cryptanalysis algorithm. Thus, only given the images’ resolutions, our cryptanalysis algorithm allows an attacker to pre-estimate the computational consumptions more accurately before launching the attacks.

In the second comparative study, we aim to verify that the proposed cryptanalysis algorithm performs much more efficient when dealing with larger images. The experimental protocol consists of the following steps. Resize the plain images to 1024 × 2048, 2048 × 3456, and 4096 × 4096, respectively, using bicubic interpolation. Accordingly, the enlarged plain bit-cubes have the side length$N=256$, 384, and 512, respectively. For each cipher image, perform Zhang’s cryptanalysis algorithm [22] and the proposed one, respectively. Record the number of necessary pairs of chosen plain-cipher images. For the five plain images in Figure 6, we calculate the average number of necessary pairs. For comparison, the numerical results are plotted in a bar chart, as shown in Figure 9. Regardless of the resolutions, the proposed cryptanalysis algorithm consistently outperforms Zhang’s work [22], and the superiority becomes more obvious for larger images.

5. Conclusions

In this paper, we investigate Xu’s image cryptosystem [13], and summarize security loopholes from four aspects. On this basis, we propose a reference-validation inference algorithm and design screening-based rules to efficiently break Xu’s image cryptosystem [13]. Compared with an existing work [22], our cryptanalysis algorithm requires fewer pairs of chosen plain-cipher images. Only $\sqrt[3]{8\times H\times W}+3$pairs, where$H \times W$represents the image’s resolution, are sufficient to complete the cryptanalysis task. Moreover, the performance of the proposed cryptanalysis algorithm is highly stable since different keys, positions of chosen bits and contents of the plain images will not influence the number of necessary pairs. This merit enables an attacker to well pre-estimate and allocate the computational consumptions before launching the attacks.