Security Analysis of the Image Encryption Algorithm Based on a Two-Dimensional Infinite Collapse Map

Abstract

This paper analyzes the security of the image encryption algorithm based on a two-dimensional (2D) infinite collapse map. The encryption algorithm adopts a permutation–diffusion structure and can perform two or more rounds to achieve a higher level of security. By cryptanalysis, it is found that the original diffusion process can be split into a permutation–diffusion structure, which comes after the original permutation, so these two permutations can be merged into one. Then, some theorems about round-down operation are summarized, and the encryption and decryption equations in the diffusion process are deduced and simplified accordingly. Since the chaotic sequences used in encryption algorithm are independent of the plaintext and ciphertext, there are equivalent keys. The original encryption algorithm with single-round, two-round, and multi-round of permutation–diffusion processes is cracked, and the data complexity of the cryptanalysis attacks is analyzed. Numerical simulation is carried out by MATLAB, and the experimental results and theoretical analysis show the effectiveness of the cryptanalysis attacks. Finally, some suggestions for improvement are given to overcome the shortcomings of the original encryption algorithm.

1. Introduction

Advances in information and network technology have facilitated the rapid development of the Internet in providing the technical foundation, and the Internet is deeply integrated into all aspects of human life. Accompanying this is a variety of data forms and massive amounts of data generated every day. Since these data are closely linked with user information, their protection is particularly important. Digital image data are an important carrier of information, and has occupied a large part in the process of network transmission. Encrypting images is an important means to ensure image security.

Image data have the characteristics of strong correlation between pixels, high data redundancy, and large amount of data. The traditional text encryption algorithms such as DES and AES are not suitable for image encryption. In recent years, image encryption based on chaotic systems [1,2,3,4,5,6,7], cellular automata [8,9,10,11,12], DNA encoding [13,14,15], bit plane decomposition [16,17,18,19,20,21], and elliptic curve [22,23,24,25,26] is the mainstream of cryptography. Due to the significant properties of unpredictability, ergodicity and initial state sensitivity, the chaotic system becomes a good choice for encryption [27]. However, the chaotic sequence is transformed to a bit sequence to encrypt the plaintext in most chaotic image encryptions. The security of the encryption is thus determined by the properties of the bit sequence. Moreover, the essential reason for the chaotic cryptosystem easily existing equivalent keys is that the encryption process is independent of plaintext and/or ciphertext. In addition, elliptic curve cryptography is capable of providing high security than to other cryptosystems with the same key size because it is more complicated and requires a deeper mathematical understanding; it is more susceptible to errors which diminishes its security.

Since Matthews proposed a generalized logistic map and used it to generate pseudo-random numbers for data encryption [28], a large number of scholars have poured into using chaotic systems to design and implement novel image encryption schemes. In 1998, Fridrich [29] first proposed a chaotic image encryption scheme with multi-round of permutation–diffusion processes, which gradually became the main operation in chaotic image encryption algorithms. In 2015, Simin Yu reviewed the current situation and existing problems of the theory and application of chaotic cryptography, the literature [30] focused on the progress of high-dimensional chaotic cryptography and its application in multimedia secure communication and hardware implementation technology. In 2018, Özkaynak reported various chaotic image encryption algorithms proposed in the past 20 years. The chaotic systems, diffusion operations, and analysis methods commonly used in chaotic image encryption algorithms are classified and summarized in detail [31]. Overall, the chaotic encryption algorithm with a multi-round of permutation–diffusion processes offers cryptographic properties better than those with a single-round of permutation–diffusion processes, and it can resist against the chosen-plaintext attacks.

Cryptography and cryptanalysis are the unity of opposites, and they promote each other and develop together. Through cryptanalysis, the defects of cryptographic algorithm can be pointed out and the suggestions for improvement are given. Cryptanalysis is based on the Kerchhoff’s principle; a cryptographic system should be secure even if everything about the system, except the key, is public knowledge. The attacker can get the plaintext or even the encryption key through the obtained plaintext/ciphertext pair. In cryptology, the basic models are named after the generally defined attacks such as ciphertext-only attack, known-plaintext attack, chosen-plaintext attack, and chosen-ciphertext attack. Many analysis methods can be classified into the above four methods. In recent years, linear attack and differential attack [32] have been proposed one after another, which have a great impact on cryptanalysis. Many new analysis methods are variants of these two methods [33].

At present, there are some analytical articles on a multi-round image encryption algorithm. In 2010, Solak et al. proposed a chosen-ciphertext attack on the Fridrich’s scheme for the first time [34]. Some bases for further optimizing attack on the Fridrich’s scheme and its variants are provided in [35]. In 2015, Chen et al. analyzed an encryption algorithm with a multi-round of permutation–diffusion structure [36], and proposed a differential cryptanalysis method for two-round and multi-round [37]. However, due to the special permutation operation adopted by the original encryption algorithm, the analysis for multi-round is not universal; in 2016, they proposed a method of chosen-ciphertext attack, and verified the adaptability of this attack method by analyzing several common diffusion equations [38]. In 2021, a multi-round chaotic image encryption algorithm was analyzed in [39]. The original encryption algorithm adopts multiple permutations and one diffusion, and repeats them multiple rounds. Multiple consecutive permutations are equivalent to one permutation. Since the diffusion operation only uses XOR without ciphertext feedback, the diffusion part can be separated from the permutation part. Therefore, it can be cracked by simplifying it into one round of permutation–diffusion. In the same year, Chen et al. mathematically summarized and expressed a class of chaotic image cryptosystems based on a multi-round of permutation–diffusion structure [37,38], and proposed a chosen-ciphertext attack method for this kind of encryption algorithm [40,41]. It is noted that the cryptanalysis algorithms in the existing literature are mainly aimed at the single-round encryption and some multi-round encryptions, which also can be directly equivalent to single-round encryption after simplification.

In this paper, a security analysis of the image encryption algorithm based on a 2D infinite collapse map proposed in [42] is carried out. According to the analysis, the encryption algorithm has one permutation operation in the diffusion process. Therefore, its structure is actually a permutation–permutation–diffusion structure, and two permutation operations can be equivalent to one permutation operation. In addition, this paper deduces the rules of round-down operation, and then gives the correct diffusion decryption equation. Since the chaotic sequences used in the encryption algorithm are independent of the plaintext and ciphertext, there are equivalent keys. This paper analyzes and discusses the single-round, two-round and multi-round situations, provides the attack complexity, and gives the corresponding improvement suggestions to overcome the shortcomings of the original encryption algorithm. The main advantage of this paper is that a detailed security analysis of a more complex multi-round encryption algorithm is carried out, and the main difference between this multi-round encryption and the previous multi-round encryption methods is that the multi-round encryption cannot be directly equivalent to a single-round of encryption. Therefore, the cryptanalysis methods in the existing literature cannot be directly used to crack this multi-round encryption algorithm.

The remainder of this article is organized as follows: Some definitions and related theorems are provided in Section 2. Section 3 presents the detail of the original encryption algorithm, and gives the correct decryption equation. An analysis of the encryption algorithm is demonstrated in detail in Section 4. Section 5 mainly introduces the numerical simulation experiments carried out by MATLAB. The experimental results verify the correctness of the cryptanalysis, and at the same time, the complexity of the deciphering algorithms is given, and corresponding improvement measures are proposed to overcome the shortcomings of the original encryption algorithm. The last section concludes the article.

2. Some Definitions and Related Theorems

In order to better analyze the original encryption algorithm, it is first necessary to simplify the original algorithm. According to the formula used in the original algorithm, some preliminaries are given to aid the subsequent theoretical analysis. The definitions and properties of round-down operation $\lfloor ·\rfloor$, the operation $\{·\}$ for finding the fractional part of a real number, and the modulus operator are introduced, and three theorems about these operations are deduced in this section.

Definition 1

([43]). The largest integer of a real number a is recorded as $\lfloor a\rfloor$, which is the largest integer less than or equal to a, that is, $\lfloor a\rfloor$ is the integer satisfying $\lfloor a\rfloor \le a<\lfloor a\rfloor +1$.

Definition 2

([43]). The fractional part of the real number a is recorded as $\left\{a\right\}$, which is the difference between a and $\lfloor a\rfloor$, that is, $\left\{a\right\}=a-\lfloor a\rfloor$.

Property 1.

$a=\lfloor a\rfloor +\left\{a\right\},0\le \left\{a\right\}<1$.

Property 2.

$\lfloor n+a\rfloor =n+\lfloor a\rfloor ,\{n+a\}=\left\{a\right\},n\in \mathbb{Z}$.

Theorem 1.

For any real numbers a and b, there are

$$\lfloor a+b\rfloor =\left\{\begin{array}{cc}\lfloor a\rfloor +\lfloor b\rfloor \hfill & 0\le \left\{a\right\}+\left\{b\right\}<1,\hfill \\ \lfloor a\rfloor +\lfloor b\rfloor +1\hfill & 1\le \left\{a\right\}+\left\{b\right\}<2.\hfill \end{array}\right.$$

Proof. 

$$\begin{array}{ccc}\lfloor a+b\rfloor \hfill & =\lfloor (\lfloor a\rfloor +\{a\left\}\right)+(\lfloor b\rfloor +\{b\left\}\right)\rfloor \hfill & \left(\mathrm{Property\; 1}\right)\hfill \\ \hfill & =\lfloor \lfloor a\rfloor +\lfloor b\rfloor +\left(\right\{a\}+\{b\left\}\right)\rfloor \hfill & \\ \hfill & =\lfloor a\rfloor +\lfloor b\rfloor +\lfloor \left\{a\right\}+\left\{b\right\}\rfloor .\hfill & (\lfloor a\rfloor +\lfloor b\rfloor \in \mathbb{Z},\mathrm{Property\; 2}).\hfill \end{array}$$

• From Property 1, we know $0\le \left\{a\right\}<1,0\le \left\{b\right\}<1$, so $0\le \left\{a\right\}+\left\{b\right\}<2$.
• When $0\le \left\{a\right\}+\left\{b\right\}<1$, $\lfloor \left\{a\right\}+\left\{b\right\}\rfloor =0$, then $\lfloor a+b\rfloor =\lfloor a\rfloor +\lfloor b\rfloor$.
• When $1\le \left\{a\right\}+\left\{b\right\}<2$, $\lfloor \left\{a\right\}+\left\{b\right\}\rfloor =1$, then $\lfloor a+b\rfloor =\lfloor a\rfloor +\lfloor b\rfloor +1$.

□

Theorem 2.

For any real numbers a and b, there are

$$\lfloor a-b\rfloor =\left\{\begin{array}{cc}\lfloor a\rfloor -\lfloor b\rfloor \hfill & 0\le \left\{a\right\}-\left\{b\right\}<1,\hfill \\ \lfloor a\rfloor -\lfloor b\rfloor -1\hfill & -1<\left\{a\right\}-\left\{b\right\}<0.\hfill \end{array}\right.$$

Proof. 

$$\begin{array}{ccc}\lfloor a-b\rfloor \hfill & =\lfloor (\lfloor a\rfloor +\{a\left\}\right)-(\lfloor b\rfloor +\{b\left\}\right)\rfloor \hfill & \left(\mathrm{Property\; 1}\right)\hfill \\ \hfill & =\lfloor \lfloor a\rfloor -\lfloor b\rfloor +\left(\right\{a\}-\{b\left\}\right)\rfloor \hfill & \\ \hfill & =\lfloor a\rfloor -\lfloor b\rfloor +\lfloor \left\{a\right\}-\left\{b\right\}\rfloor .\hfill & (\lfloor a\rfloor -\lfloor b\rfloor \in \mathbb{Z},\mathrm{Property\; 2})\hfill \end{array}$$

• From Property 1, we know $0\le \left\{a\right\}<1,0\le \left\{b\right\}<1$, so $-1<\left\{a\right\}-\left\{b\right\}<1$.
• When $0\le \left\{a\right\}-\left\{b\right\}<1$, $\lfloor \left\{a\right\}-\left\{b\right\}\rfloor =0$, then $\lfloor a-b\rfloor =\lfloor a\rfloor -\lfloor b\rfloor$.
• When $-1<\left\{a\right\}+\left\{b\right\}<0$, $\lfloor \left\{a\right\}-\left\{b\right\}\rfloor =-1$, then $\lfloor a-b\rfloor =\lfloor a\rfloor -\lfloor b\rfloor -1$.

□

Definition 3

([44]). The modular operation returns the remainder after a real number is divided by a positive integer, and often abbreviated as $\mathrm{mod}$:

Property 3.

$$\left(a\mathrm{mod}256\right)\mathrm{mod}256=a\mathrm{mod}256,a\in R.$$

Property 4.

$$(a+b)\mathrm{mod}256=\left(\right(a\mathrm{mod}256)+(b\mathrm{mod}256\left)\right)\mathrm{mod}256,a,b\in R.$$

Theorem 3.

$$\lfloor a\mathrm{mod}256\rfloor =\lfloor a\rfloor \mathrm{mod}256,a\in R.$$

Proof. 

Assuming $b=a\mathrm{mod}256$, the corresponding inverse operation is $a=256\times k+b$, where $a,b\in R$, $k\in \mathbb{Z}$ and $0\le b<256$, so $\lfloor a\mathrm{mod}256\rfloor =\lfloor b\rfloor$ and

$$\begin{array}{ccc}\hfill \lfloor a\rfloor \mathrm{mod}256& =\lfloor 256\times k+b\rfloor \mathrm{mod}256\hfill & \\ \hfill & =(256\times k+\lfloor b\rfloor )\mathrm{mod}256\hfill & \hfill & (256\times k\in \mathbb{Z},Property 2)\hfill \\ \hfill & =\lfloor b\rfloor .\hfill & \hfill & (0\le \lfloor b\rfloor <256,\mathrm{Definition\; 3})\hfill \end{array}$$

$\lfloor a\mathrm{mod}256\rfloor =\lfloor b\rfloor =\lfloor a\rfloor \mathrm{mod}256$ is proved. □

3. Description of the Original Encryption Algorithm

In this section, the chaotic map used in [42] is first introduced, and then the original encryption algorithm is described in detail.

3.1. Two-Dimensional Infinite Collapse Map (2D-ICM)

The chaotic system 2D-ICM used in the original encryption algorithm is a two-dimensional infinite collapse map obtained by integrating two one-dimensional infinite collapse maps with different parameters [42], and its iterative equation is

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{x}_{n+1}=sin\left(\frac{a}{y_n}\right)·sin\left(\frac{b}{x_n}\right),\hfill \\ y_{n+1}=sin\left(\frac{a}{x_n}\right)·sin\left(\frac{b}{y_n}\right),\hfill \end{array}\right.\end{array}$$

(1)

where the control parameters a and b are real numbers, $a\ne 0$, $b\ne 0$, and the initial states are recorded as $x_0,y_0$.

3.2. 2D-ICM Based Image Encryption Algorithm (ICMIE)

According to [42], it proposed a new image encryption algorithm based on 2D-ICM and named it ICMIE. The original algorithm ICMIE is described as follows:

(1)

Key parameters

There are seven key parameters in the original algorithm. The key K is expressed as $a_0,b_0,x,y,T,C_1,C_2$, and the first five parameters $a_0,b_0,x,y,T$ are 40-bit binary representation. Assuming that the 40-bit binary is ${\left(s_1{s}_2\cdots s_{40}\right)}_2$, the IEEE754 format

$$\begin{array}{c}\hfill d=\frac{{\sum }_{i=1}^{40}{s}_i{2}^{40-i}}{2^{40}}\end{array}$$

(2)

is adopted to convert $a_0,b_0,x,y,T$ into decimal numbers in $\left[0,1\right)$, then $C_1$ and $C_2$ are positive integers represented by 20-bit binary, and they are converted into decimal numbers directly. Substitute the converted decimal $a_0,b_0,x,y,T,C_1,C_2$ into the following equation:

$$\begin{array}{c}\hfill \left\{\begin{array}{c}a=\left(a_0+T\times C_1\right)\mathrm{mod}5+16,\hfill \\ b=\left(b_0+T\times C_2\right)\mathrm{mod}5+16,\hfill \\ x_0=\left(x+T\times C_1\right)\mathrm{mod}2-1,\hfill \\ y_0=\left(y+T\times C_2\right)\mathrm{mod}2-1.\hfill \end{array}\right.\end{array}$$

(3)

The initial conditions $a,b,x_0,y_0$ of 2D-ICM can be obtained.

(2)

Encryption process

The original algorithm divides the encryption process into permutation and diffusion, and then performs two or more rounds of permutation and diffusion as a whole. In fact, the diffusion process of the original algorithm also includes a permutation operation. In order to distinguish, the first permutation operation is named permutation 1 and the second permutation operation is named permutation 2. The grayscale image P of $M\times N$ is encrypted, and the ciphertext image C of the same size is finally generated. The overall encryption process is shown in Figure 1.

The specific encryption steps are described as follows:

(1) Permutation

First, two chaotic matrices X and Y of $M\times N$ are generated by 2D-ICM. The matrix S is combined into a single matrix $S=X\ast Y$ by multiplying the corresponding elements of X and Y. The index matrix I is composed of the position of each element in the original matrix S after sorting S in ascending order. Then, the pixel positions of the plaintext image P are rearranged by using the index matrix I to obtain the permutation 1 image F.

(2) Diffusion

First, the index matrix $\chi$ is composed of the corresponding positions of all elements of the chaotic matrix X in its ascending order. Then, the pixel positions of the permutation 1 image F are arranged again by the index matrix $\chi$ to obtain a new permutation 2 image A. Finally, the pixel values of the diffusion image D are obtained by the following method:

$$d_i=\left\{\begin{array}{cc}⌊\left(a_i+a_{M\times N}+\left|y_i\right|\times \left(2^{31}-1\right)\right)\mathrm{mod}256⌋\hfill & \mathrm{if}i=1,\hfill \\ ⌊\left(a_i+d_{i-1}+\left|y_i\right|\times \left(2^{31}-1\right)\right)\mathrm{mod}256⌋\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \end{array}\right.$$

(4)

where $i=1,2,\dots ,M\times N$, then $d_i,a_i$ and $y_i$ are the pixel values of the i-th element of the diffusion image D, the permutation 2 image A and the chaotic matrix Y according to the raster scan order, respectively.

(3) Repeat steps (1) and (2) to achieve multi-round encryption.

(3)

Decryption process

Usually, the decryption process is the inverse of the image encryption process. Using the correct key to generate the chaotic matrices X and Y, the decryption process of ICMIE will alternately perform the inverse diffusion and inverse permutation in two rounds or multiple rounds, and then obtain the recovered image. The decryption equation in the diffusion process is incorrect. When $i\in \left[2,M\times N\right]$, according to the encryption Equation (4),

$$\begin{array}{ccc}\hfill d_i& =⌊\left(a_i+d_{i-1}+\left|y_i\right|\times \left(2^{31}-1\right)\right)\mathrm{mod}256⌋,\hfill & \\ \hfill d_i& =⌊\left(a_i+d_{i-1}+\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋\mathrm{mod}256,\hfill & \hfill (\mathrm{Theorem\; 3})\\ \hfill d_i+256\times k_i& =⌊\left(a_i+d_{i-1}+\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋,\hfill & \hfill (\mathrm{Definition\; 3})\\ \hfill d_i+256\times k_i& =a_i+d_{i-1}+⌊\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋,\hfill & \hfill (\mathrm{Property\; 2})\\ \hfill a_i& =d_i+256\times k_i-d_{i-1}-⌊\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋,\hfill & \\ \hfill a_i\mathrm{mod}256& =\left(d_i+256\times k_i-d_{i-1}-⌊\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋)\mathrm{mod}256\right.,\hfill & \\ \hfill a_i& =\left(\left(d_i-d_{i-1}-⌊\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋\right)\mathrm{mod}256\right)\mathrm{mod}256,\hfill & \hfill (\mathrm{Property\; 4})\\ \hfill a_i& =\left(d_i-d_{i-1}-⌊\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋\right)\mathrm{mod}256,\hfill & \hfill (\mathrm{Property\; 3})\\ \hfill a_i& =⌊d_i-d_{i-1}-\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)+1⌋\mathrm{mod}256,\hfill & \hfill (\mathrm{Theorem\; 2})\end{array}$$

where $k_i\in \mathbb{Z}(i=2,3,\cdots ,M\times N)$. Similarly, $a_i$ can be obtained when $i=1$, and the correct decryption equation is finally derived as

$$a_i=\left\{\begin{array}{cc}⌊\left(d_i-d_{i-1}-\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)+1\right)\mathrm{mod}256⌋\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \\ ⌊\left(d_i-a_{M\times N}-\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)+1\right)\mathrm{mod}256⌋\hfill & \mathrm{if}i=1.\hfill \end{array}\right.$$

(5)

Then, the pixel positions of the ciphertext image will be processed by inverse permutation. The original image is completely recovered.

4. Cryptanalysis

The generation process of the chaotic sequences and the encryption process of the original algorithm are independent of the plaintext and the ciphertext, so there are equivalent keys. Firstly, the core structure of the original encryption algorithm (i.e., the permutation–permutation–diffusion structure) is generalized, then the diffusion equation is isolated, and the two permutation processes are merged into one permutation. Next, the original encryption algorithm is analyzed in terms of single-round, two-round, and multi-round.

The original encryption algorithm can be summarized as a multi-round of permutation–diffusion processes as shown in Figure 2.

In Figure 2, $KP$ and $KD$ represent the permutation equivalent key and the diffusion equivalent key, respectively. P represents plaintext image and C represents ciphertext image. n represents the total number of rounds of encryption, and

$$P^{\left(t\right)}=\left\{\begin{array}{cc}P\hfill & t=1,\hfill \\ D^{(t-1)}\hfill & t\in [2,n],\hfill \end{array}\right.$$

where $P^{\left(t\right)}$, $A^{\left(t\right)}$, and $D^{\left(t\right)}$ represent the plaintext image, the permutation image, and diffusion image encrypted in the t-th round, respectively. Taking the feedback apart, it can be shown in Figure 3.

In Figure 3, $P^{\left(t\right)}=D^{(t-1)}$, that is, the diffusion image encrypted in the previous round is the plaintext image encrypted in the subsequent round. For plaintext image P and ciphertext image C, there are $P^{\left(1\right)}=P$ and $C=D^{\left(n\right)}$.

For the convenience of the following discussion, some definitions are given here. $P_i^{\left(t\right)},A_i^{\left(t\right)},D_i^{\left(t\right)}$ respectively represent the i-th plaintext image, permutation image, and diffusion image in the t-th round. The size of the images discussed in this paper are all $M\times N$.

4.1. Simplification of ICMIE

Since the two permutations are independent of plaintext, they can be equivalent to one permutation operation. The equivalent key $KP$ of the two permutation operations from plaintext image P to permutation image A can be obtained directly in one step. The diffusion equivalent key $KD$ can be obtained from the permutation image A to the diffusion image D.

The original diffusion encryption Equation (4) is deduced and the following equation is obtained. When $i\in \left[2,M\times N\right]$, according to Theorem 1, there is

$$\begin{array}{cc}\hfill d_i& =⌊\left(a_i+d_{i-1}+\left|y_i\right|\times \left(2^{31}-1\right)\right)\mathrm{mod}256⌋\hfill \\ \hfill & =⌊a_i+d_{i-1}+\left|y_i\right|\times \left(2^{31}-1\right)⌋\mathrm{mod}256\hfill & \hfill (\mathrm{Theorem\; 3})\\ \hfill & =\left(a_i+d_{i-1}+⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\right)\mathrm{mod}256\hfill & \hfill (\mathrm{Property\; 2})\\ \hfill & =\left(a_i+d_{i-1}+⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\mathrm{mod}256\right)\mathrm{mod}256\hfill & \hfill (\mathrm{Property\; 4})\\ \hfill & =\left(a_i+d_{i-1}+{\widehat{y}}_i\right)\mathrm{mod}256,\hfill \end{array}$$

(6)

where ${\widehat{y}}_i=\left(⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\right)\mathrm{mod}256$.

Likewise, when $i=1$,

$$d_1=\left(a_1+a_{M\times N}+{\widehat{y}}_1\right)\mathrm{mod}256,$$

(7)

where ${\widehat{y}}_1=\left(⌊\left|y_1\right|\times \left(2^{31}-1\right)⌋\right)\mathrm{mod}256$.

In order to facilitate the analysis, ∔ is defined to represent the modular addition that is, the two elements are added and then modulo 256. Correspondingly, $\dot{-}$ represents the modular subtraction, that is, the two elements are subtracted and then modulo 256. From Equations (6) and (7),

$$\begin{array}{c}\hfill d_i=\left\{\begin{array}{cc}{a}_i\dotplus a_{M\times N}\dotplus {\widehat{y}}_i\hfill & \mathrm{if}i=1,\hfill \\ a_i\dotplus d_{i-1}\dotplus {\widehat{y}}_i\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \end{array}\right.\end{array}$$

(8)

where ${\widehat{y}}_i=\left(⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\right)\mathrm{mod}256$.

4.2. Security Analysis of Encryption in Single-Round

First, let $P_0$ be an all-zero image, then the pixel value will not be changed after permutation. Therefore, the element values of the permutation image $A_0$ are all 0. The image $D_0$ is obtained according to the encryption algorithm. According to Equation (8), one has

$$\begin{array}{c}\hfill d_i=\left\{\begin{array}{cc}{\widehat{y}}_i\hfill & \mathrm{if}i=1,\hfill \\ d_{i-1}\dotplus {\widehat{y}}_i\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \end{array}\right.\end{array}$$

(9)

and

$$\begin{array}{c}\hfill {\widehat{y}}_i=\left\{\begin{array}{cc}{d}_i\hfill & \mathrm{if}i=1,\hfill \\ d_i-d_{i-1}+256k_i\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \end{array}\right.\end{array}$$

(10)

where $k_i\in \mathbb{Z}(i=2,3,\cdots ,M\times N)$.

Because ${\widehat{y}}_i$ and $d_i$ perform modulo 256 operation,

${\widehat{y}}_i\in \left\{0,1,2,\cdots ,255\right\}$,$d_i-d_{i-1}\in \left\{-255,-254,\cdots ,254,255\right\}\left(i=2,3,\cdots ,M\times N\right)$, so

$$\begin{array}{c}\hfill {\widehat{y}}_i=\left\{\begin{array}{cc}{d}_i\hfill & \mathrm{if}i=1,\hfill \\ d_i-d_{i-1}+256\hfill & \mathrm{if}i\in \left[2,M\times N\right]\mathrm{and}\left(d_i-d_{i-1}\right)<0,\hfill \\ d_i-d_{i-1}\hfill & \mathrm{if}i\in \left[2,M\times N\right]\mathrm{and}\left(d_i-d_{i-1}\right)\ge 0.\hfill \end{array}\right.\end{array}$$

(11)

In other words, substitute the pixel value of $D_0$ to obtain ${\widehat{y}}_i$ by Equation (11), then make $k{d}_i={\widehat{y}}_i\left(i=1,2,\cdots ,M\times N\right)$ to get the equivalent key $KD=k{d}_{1}k{d}_2\cdots k{d}_{M\times N}$. Next, according to Theorem 3, the diffusion decryption from Equation (5), one can further obtain

$$\begin{array}{cc}\hfill a_i& =\left\{\begin{array}{cc}⌊d_i\dot{-}{d}_{i-1}\dot{-}\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)\dotplus 1⌋\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \\ ⌊d_i\dot{-}{a}_{M\times N}\dot{-}\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)\dotplus 1⌋\hfill & \mathrm{if}i=1.\hfill \end{array}\right.\hfill \\ \hfill & =\left\{\begin{array}{cc}⌊\left(d_i\dot{-}{d}_{i-1}\dotplus 1\right)\dot{-}\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \\ ⌊\left(d_i\dot{-}{a}_{M\times N}\dotplus 1\right)\dot{-}\left(\left|y_i\right|\times \left(2^{31}-1\right)\right)⌋\hfill & \mathrm{if}i=1.\hfill \end{array}\right.\hfill \end{array}$$

(12)

Because $d_i\dot{-}{d}_{i-1}\dotplus 1,d_i\dot{-}{a}_{M\times N}\dotplus 1\in \mathbb{Z}$, it means $\left\{d_i\dot{-}{d}_{i-1}\dotplus 1\right\}=0$ and $\left\{d_i\dot{-}{a}_{M\times N}\dotplus 1\right\}=0$, then $\left\{d_i\dot{-}{d}_{i-1}\dotplus 1\right\}\dot{-}\left\{\left|y_i\right|\times \left(2^{31}-1\right)\right\}<0$ and $\left\{d_i\dot{-}{a}_{M\times N}\dotplus 1\right\}\dot{-}\left\{\left|y_i\right|\times \left(2^{31}-1\right)\right\}<0$. According to Theorem 2 and Property 2,

$$\begin{array}{cc}\hfill a_i& =\left\{\begin{array}{cc}⌊d_i\dot{-}{d}_{i-1}\dotplus 1⌋\dot{-}⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\dot{-}1\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \\ ⌊d_i\dot{-}{a}_{M\times N}\dotplus 1⌋\dot{-}⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\dot{-}1\hfill & \mathrm{if}i=1,\hfill \end{array}\right.\hfill \\ \hfill & =\left\{\begin{array}{cc}{d}_i\dot{-}{d}_{i-1}\dotplus 1\dot{-}⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\dot{-}1\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \\ d_i\dot{-}{a}_{M\times N}\dotplus 1\dot{-}⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\dot{-}1\hfill & \mathrm{if}i=1,\hfill \end{array}\right.\hfill \\ \hfill & =\left\{\begin{array}{cc}{d}_i\dot{-}{d}_{i-1}\dot{-}{\widehat{y}}_i\hfill & \mathrm{if}i\in \left[2,M\times N\right],\hfill \\ d_i\dot{-}{a}_{M\times N}\dot{-}{\widehat{y}}_i\hfill & \mathrm{if}i=1,\hfill \end{array}\right.\hfill \end{array}$$

(13)

where ${\widehat{y}}_i=\left(⌊\left|y_i\right|\times \left(2^{31}-1\right)⌋\right)\mathrm{mod}256$.

The permutation image A corresponding to the ciphertext image C can be cracked by substituting the equivalent key $KD$ (i.e., ${\widehat{y}}_i=k{d}_i\left(i=1,2,\cdots ,M\times N\right)$) obtained from all-zero plaintext and $d_i\left(i=1,2,\cdots ,M\times N\right)$ according to Equation (13). Because the specific ciphertext C is known, then the diffusion image $D=C$, so $d_i\left(i=1,2,\cdots ,M\times N\right)$ is known.

Since the two permutations are independent of the plaintext, they can be equivalent to one permutation, and the permutation operation only changes the coordinate position of the pixel without changing the pixel value, so that only the coordinate position of the pixel in the permutation image A is changed. Therefore, the equivalent permutation key $KP$ can be solved by comparing the pixel pairs of the plaintext images and the permutation images. Next, the optimal chosen-plaintext attack is used [45], and the steps are as follows:

Step 1: Construct a data matrix U with the same size as the image P, $u_j$ is the value of the j-th element of the matrix U obtained in raster scan order. The nonnegative integers $0,1,\cdots ,M\times N-1$ are successively written into the data matrix U according to the raster scan order by $u_j=j-1\left(j=1,2,3,\dots ,M\times N\right)$.

Step 2: Calculate the number of selected plaintexts $l=⌈{log}_{256}\left(M\times N\right)⌉$, where $⌈·⌉$ is the round-up operation. In addition, create l plaintext images $P_1,P_2,\cdots ,P_l$.

Step 3: Use U to write the value into $P_1,P_2,\cdots ,P_l$. The writing rule of the j-th element $p_{i,j}$ obtained from the i-th plaintext image in raster scan order is

$$p_{i,j}=⌊\left(u_j/{256}^{i-1}\right)\%256⌋,$$

(14)

where $i=1,2,3,\dots ,l$ and $j=1,2,3,\dots ,M\times N$.

After constructing the plaintext through the above steps, l plaintext images $P_1,P_2,\cdots ,P_l$ are successively input into the encryptor to obtain the corresponding ciphertext images $C_1,C_2,\cdots ,C_l$, respectively. Then, according to the obtained equivalent diffusion key $KD$, inverse diffusion is carried out to obtain $A_1,A_2,\cdots ,A_l$, respectively, and these images are combined into a data matrix V. The consolidation rule is

$$V=\sum _{i=1}^l\left(A_i\times {256}^{i-1}\right),$$

(15)

where $i=1,2,3,\dots ,l$. By comparing the position difference between the data matrix U and the data matrix V with the same pixel value, the equivalent permutation key $KP$ used in permutation can be obtained.

4.3. Cryptanalysis of Two-Round Encryption

Two-round encryption is analyzed here by the combination of the differential attack and the chosen-plaintext attack.

Firstly, the encryption algorithm is deduced by differential analysis. According to Equation (8),

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}{d}_1\hfill & =a_{M\times N}\dotplus a_1\dotplus {\widehat{y}}_1,\hfill \\ d_2\hfill & =a_{M\times N}\dotplus a_1\dotplus a_2\dotplus {\widehat{y}}_1\dotplus {\widehat{y}}_2,\hfill \\ \hfill & ⋮\hfill \\ d_j\hfill & =a_{M\times N}\dotplus a_1\dotplus a_2\dotplus \dots \dotplus a_j\dotplus {\widehat{y}}_1\dotplus {\widehat{y}}_2\dotplus \dots \dotplus {\widehat{y}}_j,\hfill \\ \hfill & ⋮\hfill \\ d_{M\times N}\hfill & =a_{M\times N}\dotplus a_1\dotplus a_2\dotplus \dots \dotplus a_{M\times N}\dotplus {\widehat{y}}_1\dotplus {\widehat{y}}_2\dotplus \dots \dotplus {\widehat{y}}_{M\times N}.\hfill \end{array}\right.\end{array}$$

(16)

Now use $a_{i,j}^{\left(t\right)},d_{i,j}^{\left(t\right)}$($t=1,2,3,\dots ,n$, $i=0,1,2,\cdots$ and $j=1,2,3,\dots ,M\times N$) to represent the j-th element of the i-th permutation image and diffusion image in the raster scan order in the t-th round of encryption, respectively. Then, the j-th element in raster scan order in two different diffusion images $D_k^{\left(t\right)}$ and $D_l^{\left(t\right)}$ encrypted in the t-th round can be expressed as

$$d_{k,j}^{\left(t\right)}=a_{k,M\times N}^{\left(t\right)}\dotplus a_{k,1}^{\left(t\right)}\dotplus a_{k,2}^{\left(t\right)}\dotplus \dots \dotplus a_{k,j}^{\left(t\right)}\dotplus {\widehat{y}}_1\dotplus {\widehat{y}}_2\dotplus \dots \dotplus {\widehat{y}}_j$$

(17)

and

$$d_{l,j}^{\left(t\right)}=a_{l,M\times N}^{\left(t\right)}\dotplus a_{l,1}^{\left(t\right)}\dotplus a_{l,2}^{\left(t\right)}\dotplus \dots \dotplus a_{l,j}^{\left(t\right)}\dotplus {\widehat{y}}_1\dotplus {\widehat{y}}_2\dotplus \dots \dotplus {\widehat{y}}_j$$

(18)

Let $\Delta D_{k-l}^{\left(t\right)}=D_k^{\left(t\right)}\dot{-}{D}_l^{\left(t\right)}$, the difference $\Delta d_{k-l,j}^{\left(t\right)}=d_{k,j}^{\left(t\right)}\dot{-}{d}_{l,j}^{\left(t\right)}$ of the j-th element of the t-th round of diffusion images $D_k^{\left(t\right)}$ and $D_l^{\left(t\right)}$ in the raster scan order can be obtained, which is

$$\Delta d_{k-l,j}^{\left(t\right)}=\left(a_{k,M\times N}^{\left(t\right)}\dotplus a_{k,1}^{\left(t\right)}\dotplus a_{k,2}^{\left(t\right)}\dotplus \dots \dotplus a_{k,j}^{\left(t\right)}\right)\dot{-}\left(a_{l,M\times N}^{\left(t\right)}\dotplus a_{l,1}^{\left(t\right)}\dotplus a_{l,2}^{\left(t\right)}\dotplus \dots \dotplus a_{l,j}^{\left(t\right)}\right).$$

(19)

Let

$$\left\{\begin{array}{cc}\Delta a_{k-l,M\times N}^{\left(t\right)}\hfill & =a_{k,M\times N}^{\left(t\right)}\dot{-}{a}_{l,M\times N}^{\left(t\right)},\hfill \\ \Delta a_{k-l,1}^{\left(t\right)}\hfill & =a_{k,1}^{\left(t\right)}\dot{-}{a}_{l,1}^{\left(t\right)},\hfill \\ & ⋮\hfill \\ \Delta a_{k-l,j-1}^{\left(t\right)}\hfill & =a_{k,j-1}^{\left(t\right)}\dot{-}{a}_{l,j-1}^{\left(t\right)},\hfill \\ \Delta a_{k-l,j}^{\left(t\right)}\hfill & =a_{k,j}^{\left(t\right)}\dot{-}{a}_{l,j}^{\left(t\right)},\hfill \end{array}\right.$$

and there is

$$\Delta d_{k-l,j}^{\left(t\right)}=\Delta a_{k-l,M\times N}^{\left(t\right)}\dotplus \Delta a_{k-l,1}^{\left(t\right)}\dotplus \Delta a_{k-l,2}^{\left(t\right)}\dotplus \dots \dotplus \Delta a_{k-l,j}^{\left(t\right)}.$$

(20)

It can be seen from the previous analysis that $P^{\left(t\right)}=D^{(t-1)}$, so there is $\Delta P_{k-l}^{\left(t\right)}=\Delta D_{k-l}^{(t-1)}$ and $\Delta A_{k-l}^{\left(t\right)}=f_{KP}\left(\Delta P_{k-l}^{\left(t\right)}\right)=f_{KP}\left(\Delta D_{k-l}^{(t-1)}\right)$, where $f_{KP}\left(·\right)$ is the permutation operation on the matrix. Now, let $a_{i,j}^{\left(t\right)}=f_{k{p}_h}\left(p_{i,h}^{\left(t\right)}\right)$, where $j=1,2,\dots ,M\times N,h=1,2,\dots ,M\times N$, and then, $j=k{p}_h$ and $h=k{p}_j^{-1}$ are permutation pairs. $a_{i,j}^{\left(t\right)}=f_{k{p}_h}\left(p_{i,h}^{\left(t\right)}\right)$ indicates that the $j=k{p}_h$-th element $a_{i,j}^{\left(t\right)}$ of the i-th permutation image $A_i^{\left(t\right)}$ encrypted in the t-th round according to the raster scan order is replaced by the $h=k{p}_j^{-1}$-th element $p_{i,h}^{\left(t\right)}$ of the i-th plaintext image $P_i^{\left(t\right)}$ encrypted in the t-th round according to the raster scan order. Thus, the difference of the j-th element between the permutation image $A_k^{\left(t\right)}$ and $A_l^{\left(t\right)}$ encrypted in the t-th round is

$$\begin{array}{cc}\hfill \Delta a_{k-l,j}^{\left(t\right)}& =a_{k,j}^{\left(t\right)}\dot{-}{a}_{l,j}^{\left(t\right)}\hfill \\ \hfill & =f_{k{p}_h}\left(p_{k,h}^{\left(t\right)}\right)\dot{-}{f}_{k{p}_h}\left(p_{l,h}^{\left(t\right)}\right)\hfill \\ \hfill & =f_{k{p}_h}\left(p_{k,h}^{\left(t\right)}\dot{-}{p}_{l,h}^{\left(t\right)}\right)\hfill \\ \hfill & =f_{k{p}_h}\left(\Delta p_{k-l,h}^{\left(t\right)}\right)\hfill \\ \hfill & =f_{k{p}_h}\left(\Delta d_{k-l,h}^{(t-1)}\right),\hfill \end{array}$$

(21)

where $\Delta p_{k-l,h}^{\left(t\right)}=p_{k,h}^{\left(t\right)}\dot{-}{p}_{l,h}^{\left(t\right)}$.

The flow chart for cracking the two-round encryption is shown in Figure 4. The following is a detailed introduction to the two-round encryption cracking algorithm. It should be pointed out that this method is only for the case of two-round encryption with the same permutation matrix.

Step 1: Construct an all-zero plaintext image as $P_0$ of $M\times N$ for cracking the ciphertext image C of $M\times N$, then construct a plaintext image set $\left\{P_1,P_2,\dots ,P_{M\times N}\right\}$, let the k-th element in $P_k\left(k\in \left\{1,2,\dots ,M\times N\right\}\right)$ according to the raster scan order be 1 and the rest be 0, and this means

$P_1=\left[\begin{array}{cccc}1& 0& \cdots & 0\\ 0& 0& \cdots & 0\\ ⋮& ⋮& & ⋮\\ 0& 0& \cdots & 0\end{array}\right]$, $P_2=\left[\begin{array}{cccc}0& 1& \cdots & 0\\ 0& 0& \cdots & 0\\ ⋮& ⋮& & ⋮\\ 0& 0& \cdots & 0\end{array}\right]$, ⋯, $P_{M\times N}=\left[\begin{array}{cccc}0& 0& \cdots & 0\\ 0& 0& \cdots & 0\\ ⋮& ⋮& & ⋮\\ 0& 0& \cdots & 1\end{array}\right].$

Step 2: According to Equation (20), the difference relationship between the diffusion images $D_k^{\left(2\right)}$ and $D_0^{\left(2\right)}$ from their $M\times N$-th to the first element encrypted in the second round is

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\Delta d_{k,M\times N}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N}^{\left(2\right)}\dotplus \Delta a_{k,1}^{\left(2\right)}\dotplus \Delta a_{k,2}^{\left(2\right)}\dotplus \dots \dotplus \Delta a_{k,M\times N-2}^{\left(2\right)}\dotplus \Delta a_{k,M\times N-1}^{\left(2\right)}\dotplus \Delta a_{k,M\times N}^{\left(2\right)},\hfill \\ \Delta d_{k,M\times N-1}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N}^{\left(2\right)}\dotplus \Delta a_{k,1}^{\left(2\right)}\dotplus \Delta a_{k,2}^{\left(2\right)}\dotplus \dots \dotplus \Delta a_{k,M\times N-2}^{\left(2\right)}\dotplus \Delta a_{k,M\times N-1}^{\left(2\right)},\hfill \\ \Delta d_{k,M\times N-2}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N}^{\left(2\right)}\dotplus \Delta a_{k,1}^{\left(2\right)}\dotplus \Delta a_{k,2}^{\left(2\right)}\dotplus \dots \dotplus \Delta a_{k,M\times N-2}^{\left(2\right)},\hfill \\ \hfill & ⋮\hfill \\ \Delta d_{k,2}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N}^{\left(2\right)}\dotplus \Delta a_{k,1}^{\left(2\right)}\dotplus \Delta a_{k,2}^{\left(2\right)},\hfill \\ \Delta d_{k,1}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N}^{\left(2\right)}\dotplus \Delta a_{k,1}^{\left(2\right)}.\hfill \end{array}\right.\end{array}$$

(22)

Modular subtraction of each element from its next adjacent element as

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\Delta d_{k,M\times N}^{\left(2\right)}\dot{-}\Delta d_{k,M\times N-1}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N}^{\left(2\right)},\hfill \\ \Delta d_{k,M\times N-1}^{\left(2\right)}\dot{-}\Delta d_{k,M\times N-2}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N-1}^{\left(2\right)},\hfill \\ \Delta d_{k,M\times N-2}^{\left(2\right)}\dot{-}\Delta d_{k,M\times N-3}^{\left(2\right)}\hfill & =\Delta a_{k,M\times N-2}^{\left(2\right)},\hfill \\ \hfill & ⋮\hfill \\ \Delta d_{k,2}^{\left(2\right)}\dot{-}\Delta d_{k,1}^{\left(2\right)}\hfill & =\Delta a_{k,2}^{\left(2\right)},\hfill \\ \Delta d_{k,1}^{\left(2\right)}\dotplus \Delta d_{k,M\times N-1}^{\left(2\right)}\dot{-}\Delta d_{k,M\times N}^{\left(2\right)}\hfill & =\Delta a_{k,1}^{\left(2\right)}.\hfill \end{array}\right.\end{array}$$

(23)

Input $P_0$ and the plaintext image set $P_1,P_2,\dots ,P_{M\times N}$ into the encryption algorithm in turn, and obtain the corresponding ciphertext image $C_0$ and $C_1,C_2,\dots ,C_{M\times N}$ after two-round encryption, where $D_0^{\left(2\right)}=C_0,D_1^{\left(2\right)}=C_1,\dots ,D_{M\times N}^{\left(2\right)}=C_{M\times N}$. Perform modular subtraction operation on each pixel value in $D_1^{\left(2\right)},D_2^{\left(2\right)},\dots ,D_{M\times N}^{\left(2\right)}$ from each pixel value in $D_0^{\left(2\right)}$ to obtain $\Delta D_1^{\left(2\right)},\Delta D_2^{\left(2\right)},\Delta D_3^{\left(2\right)},\dots ,\Delta D_{M\times N}^{\left(2\right)}$. According to Equation (23), $\Delta A_1^{\left(2\right)},\Delta A_2^{\left(2\right)},\Delta A_3^{\left(2\right)},\dots ,\Delta A_{M\times N}^{\left(2\right)}$ are obtained, then the sum of all elements of the above matrices can be calculated as ${\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{1,j}^{\left(2\right)},{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{2,j}^{\left(2\right)},\dots ,{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{M\times N,j}^{\left(2\right)}$.

Step 3: Because the permutation operation does not change the sum of the element values in the matrix, so ${\displaystyle \sum _{j=1}^{M\times N}}\Delta d_{1,j}^{\left(1\right)}={\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{1,j}^{\left(2\right)},{\displaystyle \sum _{j=1}^{M\times N}}\Delta d_{2,j}^{\left(1\right)}={\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{2,j}^{\left(2\right)},\dots ,{\displaystyle \sum _{j=1}^{M\times N}}\Delta d_{M\times N,j}^{\left(1\right)}={\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{M\times N,j}^{\left(2\right)}$.

According to Equation (20), one can obtain

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\Delta d_{k,1}^{\left(1\right)}\hfill & =\Delta a_{k,M\times N}^{\left(1\right)}\dotplus \Delta a_{k,1}^{\left(1\right)},\hfill \\ \Delta d_{k,2}^{\left(1\right)}\hfill & =\Delta a_{k,M\times N}^{\left(1\right)}\dotplus \Delta a_{k,1}^{\left(1\right)}\dotplus \Delta a_{k,2}^{\left(1\right)},\hfill \\ \hfill & ⋮\hfill \\ \Delta d_{k,j}^{\left(1\right)}\hfill & =\Delta a_{k,M\times N}^{\left(1\right)}\dotplus \Delta a_{k,1}^{\left(1\right)}\dotplus \Delta a_{k,2}^{\left(1\right)}\dotplus \dots \dotplus \Delta a_{k,j}^{\left(1\right)},\hfill \\ \hfill & ⋮\hfill \\ \Delta d_{k,M\times N}^{\left(1\right)}\hfill & =\Delta a_{k,M\times N}^{\left(1\right)}\dotplus \Delta a_{k,1}^{\left(1\right)}\dotplus \Delta a_{k,2}^{\left(1\right)}\dotplus \dots \dotplus \Delta a_{k,M\times N-2}^{\left(1\right)}\dotplus \Delta a_{k,M\times N-1}^{\left(1\right)}\dotplus \Delta a_{k,M\times N}^{\left(1\right)}.\hfill \end{array}\right.\end{array}$$

(24)

From Equation (21), it can be seen that $\Delta a_{k,j}^{\left(1\right)}=f_{k{p}_h}\left(\Delta p_{k,h}^{\left(1\right)}\right)=f_{k{p}_h}\left(\Delta p_{k,h}\right)$ because $\Delta p_{k,h}=p_{k,h}\dot{-}{p}_{0,h}=p_{k,h}$. From the properties of the plaintext image $P_0$ and the constructed plaintext image set $\left\{P_1,P_2,\dots ,P_{M\times N}\right\}$, one has

$$\begin{array}{c}\hfill \Delta p_{k,h}=\left\{\begin{array}{cc}1\hfill & \mathrm{if}h=k,\hfill \\ 0\hfill & \mathrm{if}h\ne k,\hfill \end{array}\right.\end{array}$$

(25)

where $k=1,2,\dots ,M\times N$.

Because h and $k{p}_h$ are a permutation pair, when $h=k$, k and $k{p}_k$ are a permutation pair. That is, if $p_{k,k}$ is permuted by $a_{k,k{p}_k}^{\left(1\right)}$, $a_{k,k{p}_k}^{\left(1\right)}=p_{k,k}=1$, then there is

$$\Delta a_{k,j}^{\left(1\right)}=\left\{\begin{array}{cc}1\hfill & j=k{p}_k,\hfill \\ 0\hfill & j\ne k{p}_k,\hfill \end{array}\right.$$

where $k{p}_k=1,2,\dots ,M\times N$, which is substituted into Equation (24), one can obtain

$$\begin{array}{c}\hfill k{p}_k=\left\{\begin{array}{cc}1\hfill & \mathrm{if}{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{k,j}^{\left(2\right)}=M\times N,\hfill \\ M\times N\hfill & \mathrm{if}{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{k,j}^{\left(2\right)}=M\times N+1,\hfill \\ M\times N+1-{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{k,j}^{\left(2\right)}\hfill & \mathrm{if}{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{k,j}^{\left(2\right)}\ne M\times N\mathrm{and}{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{k,j}^{\left(2\right)}\ne M\times N+1.\hfill \end{array}\right.\end{array}$$

(26)

According to ${\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{1,j}^{\left(2\right)},{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{2,j}^{\left(2\right)},\dots ,{\displaystyle \sum _{j=1}^{M\times N}}\Delta a_{M\times N,j}^{\left(2\right)}$ obtained in the previous step, the equivalent permutation key $KP$ used for position permutation can be obtained from the above equation.

Step 4: If the image to be cracked is C, $C_0$ is the ciphertext image corresponding to the all-zero plaintext. Let $\Delta C=C\dot{-}{C}_0$, then $\Delta D^{\left(2\right)}=\Delta C$. According to Equation (23), the adjacent two elements are modular subtracted to obtain $\Delta A^{\left(2\right)}$, and the equivalent permutation key $KP$ is used to obtain $\Delta D^{\left(1\right)}$. Similarly, $\Delta A^{\left(1\right)}$ and $\Delta P=\Delta P^{\left(1\right)}$ can be obtained. Because $P_0$ is all-zero plaintext, so the deciphered plaintext is $P=P\dot{-}{P}_0=\Delta P$.

4.4. Security Analysis of Multi-Round Encryption

The chosen-ciphertext attack method was proposed in [38], which can crack the diffusion operation with ciphertext feedback and different permutation matrices in each round. The applicability of this method was summarized and demonstrated in detail in [40,41]. However, the above literature mainly gave this method for the case without feedback, and then extended it to the case with feedback directly. Through the detailed derivation of the encryption process, the steps of the attack method to crack the case with ciphertext feedback are given in this section. It is not only helpful for understanding the attack method, but also has a good inspiration for guiding the improvement of the algorithm. It should be pointed out that, if there is no special description for multi-round analysis, the symbol definitions given above are still used.

Let $a_{i,j}^{\left(t\right)}=f_j\left(p_{i,k{p}_j^{-1}}^{\left(t\right)}\right),j=1,2,\dots ,M\times N$; this means that $a_{i,j}^{\left(t\right)}$ is the j-th element of the i-th permutation image in raster scan order in the t-th round of encryption is permutated from $p_{i,k{p}_j^{-1}}^{\left(t\right)}$ which is the $k{p}_j^{-1}$-th element of the i-th plaintext image $P_i^{\left(t\right)}$ in raster scan order in the t-th round of encryption; j and $k{p}_j^{-1}$ are a permutation pair. The encryption process of the original encryption algorithm can be expressed as a general model as

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}{d}_{i,j}^{\left(t\right)}\hfill & =f_{M\times N}\left(p_{i,k{p}_{M\times N}^{-1}}^{\left(t\right)}\right)\dotplus {\displaystyle \underset{u=1}{\overset{j}{\dot{\sum }}}}{f}_u\left(p_{i,k{p}_u^{-1}}^{\left(t\right)}\right)\dotplus {\displaystyle \underset{u=1}{\overset{j}{\dot{\sum }}}}{\widehat{y}}_u^{\left(t\right)},\hfill \\ p_{i,j}^{\left(t\right)}\hfill & =d_{i,j}^{(t-1)},\hfill \end{array}\right.\end{array}$$

(27)

where $i=0,1,2,\cdots$, $j\in \left\{1,2,\dots ,M\times N\right\}$, $t=1,2,\dots ,n$, ∔ denotes modular addition operation, and ${\displaystyle \sum ^{.}}$ denotes summation operation of modular addition. As for $u\in \left\{M\times N,1,2,\dots ,j\right\}$, u and $k{p}_u^{-1}$ are a permutation pair.

According to Equation (27), one has

$$\begin{array}{cc}\hfill & p_{k,j}^{\left(t\right)}\dot{-}{p}_{l,j}^{\left(t\right)}=\Delta p_{k-l,j}^{\left(t\right)}=\Delta d_{k-l,j}^{(t-1)}\hfill \\ \hfill & =f_{M\times N}\left(\Delta p_{k-l,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{j}{\dot{\sum }}}{f}_u\left(\Delta p_{k-l,k{p}_u^{-1}}^{(t-1)}\right).\hfill \end{array}$$

(28)

According to Equations (21) and (28), $\Delta a_{k-l,r}^{\left(t\right)}=a_{k,r}^{\left(t\right)}\dot{-}{a}_{l,r}^{\left(t\right)}$ is the difference between the r-th element of the permutation images $A_k^{\left(t\right)}$ and $A_l^{\left(t\right)}$ in t-th round of encryption. That is,

$$\begin{array}{cc}\hfill \Delta a_{k-l,r}^{\left(t\right)}& =f_r\left(\Delta p_{k-l,k{p}_r^{-1}}^{\left(t\right)}\right)\hfill \\ \hfill & =f_r\left(f_{M\times N}\left(\Delta p_{k-l,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_r^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k-l,k{p}_u^{-1}}^{(t-1)}\right)\right),\hfill \end{array}$$

(29)

where $k=1,2,\cdots$, $l=0,1,2,\cdots$, $r=1,2,\dots ,M\times N$, $t=1,2,\dots ,n$. By the way, r and $k{p}_r^{-1}$ are a permutation pair. As for $u\in \left\{M\times N,1,2,\dots ,k{p}_r^{-1}\right\}$, u and $k{p}_u^{-1}$ are a permutation pair.

According to Equation (20), the difference from first to $M\times N$-th element between diffusion image $D_k^{\left(t\right)}$ and $D_0^{\left(t\right)}$ (that is $l=0$) in the t-th round of encryption is:

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}\Delta d_{k,1}^{\left(t\right)}\hfill & =\Delta a_{k,M\times N}^{\left(t\right)}\dotplus \Delta a_{k,1}^{\left(t\right)},\hfill \\ \Delta d_{k,2}^{\left(t\right)}\hfill & =\Delta a_{k,M\times N}^{\left(t\right)}\dotplus \Delta a_{k,1}^{\left(t\right)}\dotplus \Delta a_{k,2}^{\left(t\right)},\hfill \\ \hfill & ⋮\hfill \\ \Delta d_{k,M\times N}^{\left(t\right)}\hfill & =\Delta a_{k,M\times N}^{\left(t\right)}\dotplus {\displaystyle \underset{v=1}{\overset{M\times N}{\dot{\sum }}}}\Delta a_{k,v}^{\left(t\right)}.\hfill \end{array}\right.\end{array}$$

(30)

From Equation (28)–(30), one can further obtain

$$\begin{array}{cc}\hfill \Delta d_{k,1}^{\left(t\right)}=& f_{M\times N}\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_{M\times N}^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \\ \hfill & \dotplus f_1\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_1^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \\ \hfill \Delta d_{k,2}^{\left(t\right)}=& f_{M\times N}\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_{M\times N}^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \\ \hfill & \dotplus f_1\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_1^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \\ \hfill & \dotplus f_2\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_2^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \\ \hfill & ⋮\hfill \\ \hfill \Delta d_{k,M\times N}^{\left(t\right)}=& f_{M\times N}\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_{M\times N}^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \\ \hfill & \dotplus \underset{v=1}{\overset{M\times N}{\dot{\sum }}}{f}_v\left(f_{M\times N}\left(\Delta p_{k,k{p}_{M\times N}^{-1}}^{(t-1)}\right)\dotplus \underset{u=1}{\overset{k{p}_v^{-1}}{\dot{\sum }}}{f}_u\left(\Delta p_{k,k{p}_u^{-1}}^{(t-1)}\right)\right)\hfill \end{array}$$

Since the modular addition and permutation can be processed out of order and ended up with the same result, after $t=n$ rounds of encryption, the pixel difference result $\Delta d_{k,j}^{\left(n\right)}(j=1,2,\dots ,M\times N)$ of diffusion images $D_k^{\left(n\right)}$, and $D_0^{\left(n\right)}$ can be expressed as the linear combination of the difference pixel point $\Delta p_{k,j}^{(n-1)}(j=1,2,\dots ,M\times N)$ of $n-1$-round plaintext $P_k^{(n-1)}$ and $P_0^{(n-1)}$ modulo 256. $\Delta d_{k,j}^{\left(n\right)},j=1,2,\dots ,M\times N$ can be recursively expressed as the linear combination of $\Delta p_{k,j}^{\left(1\right)}=\Delta p_{k,j},j=1,2,\dots ,M\times N$ modulo 256, which is

$$\begin{array}{c}\hfill \left[\begin{array}{c}\Delta d_{k,1}^{\left(n\right)}\\ \Delta d_{k,2}^{\left(n\right)}\\ ⋮\\ \Delta d_{k,M\times N}^{\left(n\right)}\end{array}\right]=\left(\left[\begin{array}{cccc}{b}_{11}& b_{11}& \cdots & b_{1M\times N}\\ b_{21}& b_{22}& \cdots & b_{2M\times N}\\ ⋮& ⋮& \cdots & ⋮\\ b_{M\times N,1}& b_{M\times N,2}& \cdots & b_{M\times N,M\times N}\end{array}\right]\times \left[\begin{array}{c}\Delta p_{k,1}\\ \Delta p_{k,2}\\ ⋮\\ \Delta p_{k,M\times N}\end{array}\right]\right)\mathrm{Mod}256,\end{array}$$

(31)

where Mod represents the modulo of each component of the vector.

For an encryption system, any plaintext image must have only one corresponding ciphertext image. At the same time, any ciphertext image can only be decrypted to one plaintext image; otherwise, the encryption algorithm will not be established. In addition, the number of pixels in the plaintext image and the ciphertext image is constant, so the coefficient matrix is a square matrix, and its rank must be $M\times N$. Furthermore, for the n-round encryption algorithm, the coefficient matrix is represented by the symbol

$$\begin{array}{c}\hfill B=\left[\begin{array}{cccc}{b}_{11}& b_{11}& \cdots & b_{1M\times N}\\ b_{21}& b_{22}& \cdots & b_{2M\times N}\\ ⋮& ⋮& \cdots & ⋮\\ b_{M\times N,1}& b_{M\times N,2}& \cdots & b_{M\times N,M\times N}\end{array}\right].\end{array}$$

(32)

$\Delta {\alpha }_k={\left[\Delta d_{k,1}^{\left(n\right)},\Delta d_{k,2}^{\left(n\right)},\cdots ,\Delta d_{k,M\times N}^{\left(n\right)}\right]}^T$ represents the one-dimensional vector converted from the difference matrix between the ciphertext images $D_k^{\left(n\right)}$ and $D_0^{\left(n\right)}$ in the n-th round of encryption according to the raster scan order. In addition, $\Delta {\beta }_k={\left[\Delta p_{k,1},\Delta p_{k,2},\cdots ,\Delta p_{k,M\times N}\right]}^T$ represents the one-dimensional vector converted from the difference matrix between the plaintext $P_k^{\left(1\right)}$ corresponding to the ciphertext image $D_k^{\left(n\right)}$ and the plaintext $P_0^{\left(1\right)}$ corresponding to the ciphertext image $D_0^{\left(n\right)}$, in the n-th round of encryption, according to the raster scan order. Then, the above equation can be expressed as

$$\Delta {\alpha }_k=\left(B\times \Delta {\beta }_k\right)\mathrm{Mod}256.$$

(33)

Consider a set of standard orthogonal bases $e_1,e_2,\dots ,e_{M\times N}$, where $e_1={\left[1,0,\dots ,0\right]}^T$, $e_2={\left[0,1,0,\dots ,0\right]}^T,\dots ,e_{M\times N}={\left[0,\dots ,0,1\right]}^T$. Then, any one-dimensional vector $\Delta \alpha ={\left[c_1,c_2,\dots ,c_{M\times N}\right]}^T$ can be expressed as

$$\Delta \alpha =\left(c_1\times e_1+c_2\times e_2+\dots +c_{M\times N}\times e_{M\times N}\right)\mathrm{Mod}256.$$

(34)

According to Equation (33), $e_1,e_2,\dots ,e_{M\times N}$ corresponds to $\Delta {\beta }_1,\Delta {\beta }_2,\dots ,\Delta {\beta }_{M\times N}$, so

$$\begin{array}{c}\hfill \left\{\begin{array}{cc}{e}_1\hfill & =\left(B\times \Delta {\beta }_1\right)\mathrm{Mod}256,\hfill \\ e_2\hfill & =\left(B\times \Delta {\beta }_2\right)\mathrm{Mod}256,\hfill \\ \hfill & ⋮\hfill \\ e_{M\times N}\hfill & =\left(B\times \Delta {\beta }_{M\times N}\right)\mathrm{Mod}256,\hfill \end{array}\right.\end{array}$$

(35)

which is substituted into Equation (34) to obtain

$$\begin{array}{cc}\hfill \Delta \alpha =& (c_1\times \left(B\times \Delta {\beta }_1\right)\mathrm{Mod}256+c_2\times \left(B\times \Delta {\beta }_2\right)\mathrm{Mod}256+\hfill \\ \hfill & \dots +c_{M\times N}\times \left(B\times \Delta {\beta }_{M\times N}\right)\mathrm{Mod}256)\mathrm{Mod}256\hfill \\ \hfill =& \left(c_1\times B\times \Delta {\beta }_1+c_2\times B\times \Delta {\beta }_2+\dots +c_{M\times N}\times B\times \Delta {\beta }_{M\times N}\right)\mathrm{Mod}256\hfill \\ \hfill =& \left(B\times \left(c_1\times \Delta {\beta }_1+c_2\times \Delta {\beta }_2+\dots +c_{M\times N}\times \Delta {\beta }_{M\times N}\right)\right)\mathrm{Mod}256.\hfill \end{array}$$

(36)

According to Equation (33), $\Delta \beta$ corresponding to $\Delta \alpha$ is

$$\Delta \beta =\left(c_1\times \Delta {\beta }_1+c_2\times \Delta {\beta }_2+\dots +c_{M\times N}\times \Delta {\beta }_{M\times N}\right)\mathrm{Mod}256.$$

(37)

The flow chart for cracking the multi-round encryption is shown in Figure 5.

The details of our cracking process consist of four steps, as given below.

Step 1: Record a ciphertext image of $M\times N$ to be cracked as

$$C=\left[\begin{array}{cccc}{c}_1& c_2& \cdots & c_N\\ c_{N+1}& c_{N+2}& \cdots & c_{2\times N}\\ ⋮& ⋮& \cdots & ⋮\\ c_{\left(M-1\right)\times N+1}& b_{\left(M-1\right)\times N+2}& \cdots & b_{M\times N}\end{array}\right].$$

Firstly, an all-zero ciphertext image of $M\times N$ is denoted by $C_0$, then a ciphertext image set $\left\{C_1,C_2,\dots ,C_{M\times N}\right\}$ is constructed, so that the k-th element in $C_k$ according to the raster scan order is set to 1, and the rest is 0 where $k\in \left\{1,2,\dots ,M\times N\right\}$, as $C_1=\left[\begin{array}{cccc}1& 0& \cdots & 0\\ 0& 0& \cdots & 0\\ ⋮& ⋮& & ⋮\\ 0& 0& \cdots & 0\end{array}\right]$, $C_2=\left[\begin{array}{cccc}0& 1& \cdots & 0\\ 0& 0& \cdots & 0\\ ⋮& ⋮& & ⋮\\ 0& 0& \cdots & 0\end{array}\right]$, ⋯, $C_{M\times N}=\left[\begin{array}{cccc}0& 0& \cdots & 0\\ 0& 0& \cdots & 0\\ ⋮& ⋮& & ⋮\\ 0& 0& \cdots & 1\end{array}\right].$

Perform modular subtraction operations of $C_0$ from $C,C_1,C_2,\dots ,C_{M\times N}$, respectively. Because $C_0$ is an all-zero ciphertext, the one-dimensional vector converted from $\Delta D^{\left(n\right)}=C,\Delta D_1^{\left(n\right)}=C_1,\Delta D_2^{\left(n\right)}=C_2,\dots ,\Delta D_{M\times N}^{\left(n\right)}=C_{M\times N}$ according to the raster scan order is actually the aforementioned $\Delta \alpha ,e_1,e_2,\dots ,e_{M\times N}$.

Input $C_0,C_1,C_2,\dots ,C_{M\times N}$ into the decryption machine to obtain a set of corresponding plaintext images, which are denoted as $P_0,P_1,\dots ,P_{M\times N}$.

Step 2: Perform modular subtraction operations of $P_0$ from $P_1,P_2,\dots ,P_{M\times N}$, respectively, and the result $\Delta P_1=P_1\dot{-}{P}_0,\Delta P_2=P_2\dot{-}{P}_0,\dots ,\Delta P_{M\times N}=P_{M\times N}\dot{-}{P}_0$ is converted into a one-dimensional vector according to the raster scan order, which is actually the aforementioned $\Delta {\beta }_1,\Delta {\beta }_2,\dots ,\Delta {\beta }_{M\times N}$.

Step 3: Therefore, Equation (37) can also be written as

$$\Delta P=c_1\times \Delta P_1\dotplus c_2\times \Delta P_2\dotplus \dots \dotplus c_{M\times N}\times \Delta P_{M\times N}.$$

(38)

Step 4: By $\Delta P=\Delta P^{\left(1\right)}=P\dot{-}{P}_0$, the plaintext is finally obtained as

$$P=\Delta P\dotplus P_0=\left(c_1\times \Delta P_1\dotplus c_2\times \Delta P_2\dotplus \dots \dotplus c_{M\times N}\times \Delta P_{M\times N}\right)\dotplus P_0.$$

(39)

5. Numerical Simulation Experiment

The experimental environment is Intel(R) Core(TM) i5-3230M processor, CPU frequency of 2.60 GHz, 8.00 GB memory, Windows 10 operating system, and MATLABR2021a. The grayscale images Lena, Cameraman, Tiffany, Pepper, Baboon and Sailboat with the size of $128\times 128$ are selected for single-round, two-round, and multi-round numerical simulation experiments. The key is selected as follows:

$$\begin{array}{c}\hfill a_0=\{1111010010,0110101101,1110001101,1111110000\},\\ \hfill b_0=\{0001111100,1011100111,0010010010,1011000000\},\\ \hfill x=\{1010101100,1101011011,1110001110,1000100000\},\\ \hfill y=\{1111111101,1110100111,1101011111,1111001010\},\\ \hfill T=\{1101000000,0001011010,0011001100,1000011011\},\\ \hfill C_1=\{1011111100,0010000101\},C_2=\{1100001010,1111000110\}.\end{array}$$

5.1. Experimental Results

This paper analyzes the original algorithm in the case of single-round, two-round, and multi-round of encryption. Because the first two analysis methods belong to the chosen-plaintext attack and the third one belongs to the chosen-ciphertext attack, the first two analysis methods are stronger in terms of assumptions made and data requirements; they are only applicable to themselves, but the cracking speed is faster. The multi-round analysis method mentioned in this paper is applicable to any number of encryption rounds and has universality.

This paper verifies the original encryption algorithm and the analysis results by writing MATLAB programs. According to the original encryption algorithm and the cracking algorithm, the encryption and the decryption programs and cracking programs in single-round, two-round, and multi-round are written, respectively. The related experimental results are shown in Figure 6, Figure 7, Figure 8, Figure 9, Figure 10, Figure 11 and Figure 12.

Figure 6 and Figure 7 respectively list the intermediate experimental results, cracking results and relevant metrics of $128\times 128$ Lena image and Cameraman image for single-round encryption. It can be seen that, after encryption, the histogram of ciphertext is uniform and cannot reflect plaintext information. The histogram of intermediate ciphertext obtained by cracking the equivalent diffusion key is the same as that of plaintext, indicating that the diffusion step is cracked. Then, through the obtained permutation equivalent key, the deciphered image is obtained. Compared with the original plaintext image, the deciphered image is exactly the same, which shows that the cracking algorithm is correct.

Figure 8 and Figure 9 respectively list the intermediate experimental results and cracking results of the Tiffany image and Pepper image of $128\times 128$ size for two-round of encryption. A set of specially constructed chosen-plaintext is input into the encryption algorithm to obtain a set of plaintext–ciphertext pairs, and according to these plaintext–ciphertext pairs, the permutation matrix is finally cracked. Then, through the differential processing and the obtained permutation matrix, the plaintext is finally cracked, and the comparison between the deciphered image and the plaintext image is exactly the same, which shows that the cracking algorithm is correct.

Figure 10 and Figure 11 list the intermediate experimental results and cracking results of $128\times 128$ size Baboon image and Sailboat image for multi-round encryption (without losing generation, the multi-round part is encrypted in three rounds). It can be seen that, by inputting a group of specially constructed chosen-ciphertext into the decryption algorithm, a group of ciphertext–plaintext pairs are obtained, and then the plaintext is finally cracked through differential processing. The comparison between the recovered image and the plaintext image shows that the cracking algorithm is correct.

Theoretically, for a ciphertext image of $M\times N$ size, using multi-round of a cracking algorithm to completely recover the ciphertext image requires the construction of $M\times N$ ciphertext images and an all-zero ciphertext, a total of $M\times N+1$ ciphertext–plaintext pairs. Because it is difficult to obtain the permission of decryption machine in reality, it is of practical significance to reduce the number of ciphertext–plaintext pairs. Figure 12 shows the effect of constructing different number of ciphertext–plaintext pairs on the finally recovered plaintext image.

It can be seen that the plaintext can be recovered better without some ciphertext–plaintext pairs. In reality, the appropriate number of ciphertext–plaintext pairs can be obtained by constructing an appropriate number of ciphertext, which can reduce the data complexity and improve the cracking efficiency while meeting the cracking requirements.

5.2. Attack Complexity

The attack complexity of cryptanalysis generally includes time complexity and data complexity. However, the time complexity is affected by the performance of the computer and the written cracking program, so it is uncertain. For cryptanalysis, the most important thing is the data complexity, that is, the number of plaintext or ciphertext required to crack an encryption algorithm. The following will discuss the data complexity of the cracking algorithm for the case of single-round, two-round, and multi-round in case of complete cracking.

In the case of single-round, for the grayscale image of $M\times N$, when the key is unknown, the plaintext-ciphertext pair required to decipher the equivalent diffusion key and the equivalent permutation key is $\left(1+⌈{log}_{256}\left(M\times N\right)⌉\right)$, so the data complexity is $O\left({log}_{}\left(M\times N\right)\right)$.

In the case of two-round, for the grayscale image of $M\times N$, when the key is unknown, the number of chosen-plaintexts required to decipher is $\left(1+M\times N\right)$, so the data complexity is $O\left(M\times N\right)$.

In the case of multi-round, for the grayscale image of $M\times N$, when the key is unknown, the number of chosen-ciphertexts required to decipher is $\left(1+M\times N\right)$, so the data complexity is $O\left(M\times N\right)$.

5.3. Improvement Plan

From the analysis of this article, it can be seen that the original encryption algorithm has the following vulnerabilities and deficiencies.

(1) The decryption equation of diffusion operation is incorrect. The original decryption result is slightly different from the original encrypted image.

(2) The original encryption algorithm attempts to increase the nonlinear factors by using index matrices and adding a round-down operation to the diffusion equation, for improving the security of the algorithm. However, the analysis found that the above processes can not provide higher security. Instead, an additional permutation is added, resulting in increasing the encryption time. Through the corresponding processing and transformation, the algorithm is still linear and can not resist against the chosen-ciphertext attack.

(3) Under the differential attack, the original diffusion key is completely useless.

In view of the above shortcomings, the following improvement suggestions are put forward.

Cancel the permutation 2 operation. Add new operations in the diffusion process, such as adding S-box, to improve the security of the algorithm. As a nonlinear device, S-box can be applied to the original algorithm to solve its problem. The design of the S-box needs to satisfy cryptographic properties such as nonlinearity, strict avalanche criterion, algebraic immunity, differential uniformity, and correlation immunity [25]. The improvement is given below by taking the S-box as an example.

The permutation operation of the original encryption algorithm is retained. Cancel the permutation operation in the diffusion process of the original encryption algorithm, and complete the diffusion operation according to the original diffusion equation. Take the first 256 bits of the matrix X (if it is less than 256 bits, use the chaotic system to iterate the insufficient bits), obtain a 256-bit index matrix according to the original algorithm, and then form a matrix of $16\times 16$ according to the raster scan method to obtain an S-box. Each pixel of the diffusion image is indexed into the S-box according to the first four bits and the last four bits, and the value of the original pixel is replaced with the corresponding value in the S-box. According to the above steps, the encryption algorithm is carried out for two or more rounds, and the decryption algorithm is the inverse operation of the encryption algorithm.

6. Conclusions

In this paper, the security analysis of the image encryption algorithm based on two-dimensional infinite collapse map is carried out, and the definitions and properties of the round-down operation, the fractional part operation of real numbers, and the modular operation are given. At the same time, by using these theorems, the error of the original diffusion equation is found out, and finally the original encryption algorithm is processed into a general permutation–diffusion structure, and the diffusion structure is processed into a modular addition of the ciphertext feedback and the element of diffusion matrix. On this basis, the single-round, two-round, and multi-round situations are analyzed and discussed respectively. It not only deepens the understanding of the original encryption process, but also helps to guide the improvement of the original encryption algorithm. The correctness of the analysis process is verified by experiments. Finally, the attack complexity is discussed, and suggestions for improvement are given to avoid the shortcomings of the original encryption algorithm.