Improved Cryptanalysis and Enhancements of an Image Encryption Scheme Using Combined 1D Chaotic Maps

This paper presents an improved cryptanalysis of a chaos-based image encryption scheme, which integrated permutation, diffusion, and linear transformation process. It was found that the equivalent key streams and all the unknown parameters of the cryptosystem can be recovered by our chosen-plaintext attack algorithm. Both a theoretical analysis and an experimental validation are given in detail. Based on the analysis of the defects in the original cryptosystem, an improved color image encryption scheme was further developed. By using an image content–related approach in generating diffusion arrays and the process of interweaving diffusion and confusion, the security of the cryptosystem was enhanced. The experimental results and security analysis demonstrate the security superiority of the improved cryptosystem.


Introduction
The transmission of a digital image from the public network is becoming more and more frequent nowadays. Consequently, it is urgent to guarantee the security and privacy of image transmission, especially for military images and some sensitive content images. As an essential technical means, image encryption approaches are particularly important in image communications. However, traditional cryptography cannot quickly encrypt images with large amounts of data. As traditional cryptography relies on the complexity of computation, it is not easy to generate a large number of keys quickly. In this application background, chaotic encryption is a good complement to traditional cryptography, especially in image encryption. As chaotic signals have some excellent characteristics required by cryptography, chaotic systems have become a fine tool for information encryption [1], especially for image encryption applications. Due to this, chaotic systems have been widely used in designing image encryption algorithms. Entropy is an important measure of the chaotic characteristics of dynamical systems. Entropy, chaos and information theory are closely related [2][3][4].

The New Chaotic System
The chaotic system adopted in Pak's encryption scheme is a newly discovered chaotic map by using the chaotic sine map, which is expressed as  (1) where, u is the control parameter of the system and {x(n), n = 0, 1, 2, …} is the output chaotic sequence with the initial value x(0) = x0. x   is the largest integer that is smaller than or equal to x.

The Confusion Process
In the confusion process, a permutation operation is performed on the pixel level with a position transformation. The operational process consists of the following steps: Step 1: By using specified parameter values x0, u and k, iterate the new chaotic system (N0 + L) times and select the rear L elements to make a sub chaotic sequence X = [x(1), x (2), … , x(L)]. Where N0 is an integer used as a security key.

The New Chaotic System
The chaotic system adopted in Pak's encryption scheme is a newly discovered chaotic map by using the chaotic sine map, which is expressed as where, u is the control parameter of the system and {x(n), n = 0, 1, 2, . . . } is the output chaotic sequence with the initial value x(0) = x 0 . x is the largest integer that is smaller than or equal to x. System (1) is called a Sine-Sine system (SSS) [60], which is chaotic when u ∈ (0, 10] and k ∈ [8,20]. Parameters k, u and x 0 were used as secret keys.

The Confusion Process
In the confusion process, a permutation operation is performed on the pixel level with a position transformation. The operational process consists of the following steps: Step 1: By using specified parameter values x 0 , u and k, iterate the new chaotic system (N 0 + L) times and select the rear L elements to make a sub chaotic sequence X = [x(1), x(2), . . . , x(L)]. Where N 0 is an integer used as a security key.

Diffusion Process
In the diffusion process, pixel value encryption is performed based on a diffusion array D . The operational process consists of the following two steps: The operational process consists of the following steps: Step 1: Generate the diffusion array D = [d (1), d (2), . . . , d (L)] from the chaotic sequence X as: Step 2: Get the temporary ciphered image pixel array C = [c(1), c(2), . . . , c(L)] from the diffusion vector D and the permuted image array P according to the following diffusion equation: where ⊕ denotes the binary XOR operator. c(i − 1) is the previous cipher pixel, and seed is a preset constant.

Linear Transformation
Get the final cipher image pixel array C = [c (1), c (2), . . . , c (L)] from the temporary cipher image pixel array C and a security number lp as where lp is used as a security key. In order to see the result of the linear transformation at a glance, we used a graph to express the linear transformation process, which is shown in Figure 2. There are two key points in this linear transformation process, which deserve our special attention. One, the first pixel in the array C was moved to the (L − lp + 1) position in the array C , that is c (L − lp + 1) = c(1). Second, the original two adjacent pixels c(lp) and c(lp + 1) were moved to the end and start of the array C , that is, c (L) = c(lp), c (1) = c(lp + 1). If lp = 0 or lp = L, then c (i) = c(i). Hence, a reasonable range of lp is 0 < lp < L.
Entropy 2018, 20, x 4 of 23 Step 3: Get the permuted image pixel sequence Pꞌ = [p ꞌ (1), p ꞌ (2), …, p ꞌ (L)] by using the permutation position array X ꞌ and the plain image pixel sequence P. The transformation relation is (2)

Diffusion Process
In the diffusion process, pixel value encryption is performed based on a diffusion array D ʹ . The operational process consists of the following two steps: Step 1: Generate the diffusion array Dꞌ = [dꞌ(1), dꞌ (2), …, dꞌ(L)] from the chaotic sequence X as: Step 2: Get the temporary ciphered image pixel array C = [c(1), c(2), …, c(L)] from the diffusion vector D ꞌ and the permuted image array Pꞌ according to the following diffusion equation: where  denotes the binary XOR operator. c(i − 1) is the previous cipher pixel, and seed is a preset constant.

Linear Transformation
Get the final cipher image pixel array C ʹ = [c ꞌ (1), c ꞌ (2), …, c ꞌ (L)] from the temporary cipher image pixel array C and a security number lp as where lp is used as a security key. In order to see the result of the linear transformation at a glance, we used a graph to express the linear transformation process, which is shown in Figure 2. There are two key points in this linear transformation process, which deserve our special attention. One, the first pixel in the array C was moved to the (L − lp + 1) position in the array Cʹ, that is c ꞌ (L − lp + 1) = c (1). Second, the original two adjacent pixels c(lp) and c(lp + 1) were moved to the end and start of the array Cʹ, that is, c ꞌ (L) = c(lp), c ꞌ (1) = c(lp + 1). If lp = 0 or lp = L, then c ꞌ (i) = c(i). Hence, a reasonable range of lp is 0 < lp < L. The final cipher image was obtained by converting the 1D pixel vector Cꞌ into a 2D color image consisting of R, G and B components with the size of M × N. The secret keys used in Pak's algorithm consists of five parameters {x0, u, k, N0, lp}.
The decryption process is the inverse operation of the encryption process and it was omitted here. According to Kerchoff's principle, when analyzing an encryption algorithm, an assumption is made that the cryptanalyst knows exactly the design and working of the cryptosystem. Namely, the only thing the attacker does not know is the secret key. The definition of a chosen-plaintext attack can be described as follows: Attackers have the chance to use the encryption machine temporarily, hence they can select a special plaintext to encrypt and get its corresponding ciphertext without knowing the secret keys. The final cipher image was obtained by converting the 1D pixel vector C into a 2D color image consisting of R, G and B components with the size of M × N. The secret keys used in Pak's algorithm consists of five parameters {x 0 , u, k, N 0 , lp}.
The decryption process is the inverse operation of the encryption process and it was omitted here. According to Kerchoff's principle, when analyzing an encryption algorithm, an assumption is made that the cryptanalyst knows exactly the design and working of the cryptosystem. Namely, the only thing the attacker does not know is the secret key. The definition of a chosen-plaintext attack can be described as follows: Attackers have the chance to use the encryption machine temporarily, hence they can select a special plaintext to encrypt and get its corresponding ciphertext without knowing the secret keys.
In Pak's algorithm, the permutation position array X and the diffusion array D are determined by parameters {x 0 , u, k, N 0 } and have nothing to do with the plain image. Namely, X and D are static and do not change with different images to be encrypted. The secret key, lp, and the unknown parameter seed also have nothing to do with the plain image. Therefore, attackers can choose some special plaintext images to encrypt by using Pak's encryption machine when they temporarily obtain the opportunity to use Pak's encryption machine and obtain the corresponding ciphertext image to use these known plaintext-ciphertext image pairs to crack the equivalent key sequences X , D , parameters lp and seed. By using these equivalent key sequences X and D , parameters lp and seed, any image encrypted by Pak's encryption machine can be decrypted without knowing the original keys of Pak's encryption machine. This is the basic principle of the chosen-plaintext attack model. According to this attack model, it is obvious that Pak's scheme cannot resist a chosen-plaintext attack.

The Related Cryptanalysis Work
In Wang's cryptanalysis scheme, the authors constructed an equivalent cryptosystem for Pak's cryptosystem. In the equivalent cryptosystem, they constructed the new permutation position array X" and diffusion array D" of the equivalent encryption scheme by transforming the original permutation position array X and diffusion array D with the secret parameter lp respectively. The relationships of the key streams between the equivalent cryptosystem and Pak's cryptosystem are as follows Wang's equivalent encryption scheme contains only two processes: permutation and diffusion, which can be described by Equations (8) and (9) respectively.
(1) Extract the diffusion array D". Select a special plain-image P consisting of all 0 elements such that p"(i) = 0 and obtain the corresponding cipher-image C". According to Equation (9), the diffusion array D" is extracted as (2) Extract the permutation position array X". Select L special plain images with the 1D pixel arrays respectively denoted as P 1 , P 2 , . . . , P L and the jth element in the pixel array P j is 1; all other elements are 0. Get the corresponding encrypted image arrays C 1 , C 2 , . . . , C L . By using one plain image P j and the corresponding C j , only one element x"(i) in X" can be obtained. All elements of {x"(1), x"(1), . . . , x"(L)} can be obtained when L pairs of (P j , C j ) are used.
(3) Recover the original plain image. By using the new permutation position array X" and the new diffusion array D", recover the original plain image P from the target cipher image C.
We find that Wang's cryptanalysis algorithm has the following issues: (1) The authors assume that the attacker knows the parameter seed and used it as a known parameter in the equivalent encryption system. In fact, the seed parameter is a constant set in Pak's cryptosystem. Although the attacker can use Pak's encryption machine temporarily, the seed parameter is unknown to the attacker.
(2) Although the authors claim that the cipher image C" obtained from their equivalent cryptosystem is the same as the cipher image C obtained by the original Pak's cryptosystem, no strict proof is given. In fact, the cipher image pixel array C" is not equivalent to C due to the unknown parameter lp, which is not broken out by the authors. The proof procedure is as follows.
In fact, there are some defects in Wang's cryptanalysis algorithm because the authors completely ignore the role of the parameter lp and do not break out lp. However, when the parameter lp is not known, one cannot know where the seed should be used to calculate c"(i).
(3) The most serious problem in Wang's cryptanalysis scheme is that the number of chosen plain images is too high to reach M × N × 3 in extracting the permutation position array X". The use of one chosen plain image at a time can only break one element value of X", which is very inefficient, so Wang's cryptanalysis scheme is unrealistic.
In Chen's cryptanalysis scheme, unfortunately, the parameter seed is also not deciphered and used as a known parameter. Thus, reducing the difficulty of the cryptanalysis. In addition, Chen did not give the specific process of deciphering the permutation position array X .

The Improved Cryptanalysis Scheme
In order to provide a more comprehensive and efficient cryptanalysis method on Pak's encryption algorithm, we propose an improved chosen-plaintext attack algorithm to Pak's scheme. Suppose the target color cipher image to be decrypted has the size of L = M × N × 3. Firstly, we cracked the secret parameter lp and the diffusion array [d (2), d (3), . . . , d (L)] except for d (1) by using two selected plain images and their corresponding cipher images. Secondly, we cracked the unknown parameter seed and d (1) by using one or more than one selected plain images. Thirdly, we cracked the permutation position array X by using (M × N × 3)/255 selected plain images and their corresponding cipher images, where x is the smallest integer that is greater than or equal to x. Wang's cryptanalysis algorithm needs M × N × 3 selected plain images to decipher the permutation position array X , while our cryptanalysis algorithm only needs (M × N × 3)/255 selected plain images to decipher the permutation position array X . Hence, the efficiency of our improved chosen-plaintext attack algorithm is about 255 times that of Wang's algorithm.

Recover the Secret Key lp and the Diffusion Array
According to Equations (4) and (5), d (i) can be calculated as where x . −y = mod(x -y + 256, 256). Obviously, if the seed in Equation (16) is replaced by c (L − lp), then the relationship between d (i) and c (j) can be expressed in Figure 3.

Recover the Secret Key lp and the Diffusion Array
According to Equations (4) and (5), () d' i can be calculated as where xy = mod(x -y + 256, 256). Obviously, if the seed in Equation (16) is replaced by cꞌ(L − lp), then the relationship between dꞌ(i) and cꞌ(j) can be expressed in Figure 3.
Equation (17) brings us great convenience for computing d(i) because it does not contain the unknown parameters lp and seed. Obviously, the equivalent relationship of the elements between Dꞌ Equation (17) It is worth noting that, except for d (1) or d(Llp + 1), the rest of the values d(i) (i = Llp + 1) obtained by Equation (17) are all right values. Namely, when calculating d(L -lp + 1), if we do not use the parameter seed and use the c (L − lp) value instead of seed, then the result of d(Llp + 1) may be wrong.
Considering the values of d(i) or d (i) are determined by parameters {x 0 , u, k, N 0 } and have nothing to do with the content of the image, if we choose two different plain images and get the corresponding cipher images, by using the two pairs of plaintext-ciphertext to calculate d 1 (i) and d 2 (i), then one can find the only position of ii that the value of d 1 (ii) and d 2 (ii) will not be identical but values of d 1 (i) and d 2 (i) at other locations i (i = ii) are definitely the same. Once the location ii is sought out, the value of lp can be determined, which is lp = L + 1 − ii.
Step 3: Compare da(i) and db(i) one by one for i = 1, 2, . . . , L. If it exists at position I = ii and meets the relationship da(ii) = db(ii), then L -lp + 1 = ii, so lp is determined as lp = L + 1 − ii, and go to Step 4. Otherwise, repeat Step 2 to Step 3 until lp is determined.
Step 4: After the value of lp is ascertained, we can recover the diffusion array D' of Pak's cryptosystem by using Equation (18). Where only the value of d (1) is incorrect.

Recover d (1) and the Unknown Parameter Seed
According to the first formula in Equation (16), (d (1), seed) meets the following relationship Using the special chosen plain image PA = [0, 0, . . . , 0] and PB= [1, 1, . . . , 1], we have got a pair of ciphertext data (ca (L -lp + 1), cb (L -lp + 1)) in the previous section. Therefore, d (1) and seed needs to satisfy the following equation: Consider such a fact that seed ∈ {0, 1, 2, . . . , 255} and d (1) ∈ {0, 1, 2, . . . , 255}, so the solution of Equation (20) can be easily obtained by the computer exhaustive algorithm. However, the solution [d (1), seed] of Equation (20) is not unique because the equations in Equation (20) are not two linear equations. Suppose an equation for d and seed has the following form: Regarding the solutions of Equation (21) Where, x represents the binary inverse value of x.
Suppose Equation (20)  In addition, we can obtain another equation as: mod(d (1) + q, 256) ⊕ seed = c (L -lp + 1). Under the constraint of the other equation, we can remove those superfluous solutions that do not satisfy all equations until the remaining solutions are only 2 groups. In this way, the unknown parameter seed and the secret key d (1) of the original encryption system can be deciphered. The concrete algorithm for recovering d (1) and seed is described as follows: Step 1: Let m groups of solutions of Equation (20)  Step 2: Check the value of m. If m ≤ 2, then go to Step 9. If m > 2, then go to Step 3.
Step 4: For i = 1, 2, . . . , m, each groups of solutions [r(i), s(i)] is assumed to be used to encrypt the plaintext pixel value q and calculate the corresponding ciphertext values as cc(i) = mod(q + r(i), 256)⊕s(i).
Step 5: For i = 1, 2, . . . , m, Check whether the value of each element in the array [cc(1), cc (2), . . . , cc(m)] is exactly the same. If cc(i) is exactly the same, then repeat Step 3 to Step 5. If cc(i) is not exactly the same, then go to Step 6.
Step 8: Modify the value of m, that is, m = size(R), and return to Step 2. Step

Recover the Permutation Position Array X
After the RGB image matrix is converted into a 1D gray image pixel sequence P = [p(1), p(2), . . . , p(L)], array P has L pixels and L = M × N × 3. Each value of p(i) is an integer in the range of [0, 255]. If L ≤ 255, then only one chosen-plain image P = [1, 2, . . . , L] is necessary to recover the permutation position array X , so that each pixel in the chosen plain image has different values in {1, 2, . . . , L}. If L > 255, then n chosen plain images are required to recover the permutation position array X , where n = L/255 > 1. In this case, we select a series of special color plain images (P 1 , P 2 , . . . , P n ) and P j = [p j (1), p j (2), . . . , p j (L)]. We divide P j into n groups and each group contains 255 pixels except for the last one and the last group contains q pixels (q ≤ 255). For the j-th chosen-plain image pixel array P j , we assign each element of the j-th group a distinct value between 1 to 255 and the others are assigned the value of 0. The patterns of elements in each chosen plain image pixel array P j are shown in Figure 4.  We then obtain the corresponding series of cipher images ( 1 '

Recover the Original Plain Image
In Sections 3.1 to 3.3, we obtained the secret keys {lp, Xꞌ, Dꞌ} and the unknown parameter seed, which are unrelated to the plain image or ciphertext image. Therefore, we can decrypt any other ciphertext image CI by using the parameter set {seed, lp, Xꞌ, Dꞌ}. The decryption process to recover the plain image PI from the target ciphertext image CI is exactly the same as the decryption process of Pak's scheme, which can be described as follows: Step Step 3: Recover the permuted image pixel array Pꞌ = [pꞌ(1), pꞌ(2), …, pꞌ(L)] by performing the inverse diffusion process of Equation (4).
Step 4: Do inverse permutation on Pꞌ to obtain P by using the inverse permutation process of Equation (2).
Step 5: Convert the 1D array P into a 3D matrix with a size of M × N × 3 and the original color We then obtain the corresponding series of cipher images (C 1 , C 2 , . . . , C n ) by using Pak's encryption machine. Where, C j = [c j (1), c j (2), . . . , c j (L)]. Then, we can decrypt C j to obtain P j = [p j (1), p j (2), . . . , p j (L)], where p j (i) can be obtained by using Equation (16).
Finally, because of the relationship p j (i) = p j (x (i)) (i ∈ [1, L]), X can be determined by comparing P j and P j . Namely, if p j (i) = p j (k), then x (i) = k.

Recover the Original Plain Image
In Section 3.1 to 3.3, we obtained the secret keys {lp, X , D } and the unknown parameter seed, which are unrelated to the plain image or ciphertext image. Therefore, we can decrypt any other ciphertext image CI by using the parameter set {seed, lp, X , D }. The decryption process to recover the plain image PI from the target ciphertext image CI is exactly the same as the decryption process of Pak's scheme, which can be described as follows: Step Step 3: Recover the permuted image pixel array P = [p (1), p (2), . . . , p (L)] by performing the inverse diffusion process of Equation (4).
Step 4: Do inverse permutation on P to obtain P by using the inverse permutation process of Equation (2).
Step 5: Convert the 1D array P into a 3D matrix with a size of M × N × 3 and the original color plain image PI is recovered.

Examples of the Improved Cryptanalysis Scheme
Suppose the right values of original secret keys in Pak's cryptosystem are as follows: x 0 = 0.456, u = 5.4321, k = 14, N 0 = 1000, lp = 5, and seed = 250. Example 1. In this example, the plain image P is the color peppers with a size of 256 × 256 × 3. The plain image and its cipher image encrypted by using Pak's encryption machine are shown in Figure 5a,b respectively. The deciphered image by using our chosen-plaintext attack is shown in Figure 5c, which is exactly the same as the original plain image in Figure 5a. Through the image peppers as an example, our attack attains demonstration. Example 1. In this example, the plain image P is the color peppers with a size of 256 × 256 × 3. The plain image and its cipher image encrypted by using Pak's encryption machine are shown in Figures  5a,b respectively. The deciphered image by using our chosen-plaintext attack is shown in Figure 5c, which is exactly the same as the original plain image in Figure 5a. Through the image peppers as an example, our attack attains demonstration.
Through the two examples, our attack attains demonstration. Therefore, Pak's encryption scheme cannot resist the chosen-plaintext attacks and the security of the algorithm is not high enough.

The Improved Cryptosystem
In Pak's encryption scheme, the diffusion array D and the permutation position array X are used separately in the diffusion and permutation stage. Accordingly, the diffusion array D and the permutation position array X are easily deciphered separately by the attackers. This is a weakness of Pak's encryption scheme. In Wang's improved encryption scheme, a parameter E determined by the plaintext image is introduced. In order to obtain the value of the E parameter, it is necessary to calculate the average value of all the pixels of the image, which obviously increases the time overhead of the algorithm. In addition, the linear transformation operation of Wang's algorithm is changed to the binary shift operation to each pixel, which makes encryption speed very slow.
Our improved algorithm retains the advantages of the speed of the original algorithm and overcomes its shortcomings. It includes two rounds of synchronous operations of diffusion and confusion. Two diffusion arrays D and D are generated by using the chaotic sequence X and the previously encrypted pixel value. D and D are used to encrypt the image pixels respectively in the two rounds of synchronous operation.

Encryption Process
Step 1: Input the secret parameters {x 0 , u, k, N 0 , C 0 } and the color image PI with the size of M × N × 3, and PI is reshaped to a one-dimensional grayscale image array P = [p(1), p(2), . . . , p(L)], where L = M × N × 3.
Step 6: Transform the 1D vector C into a 3D matrix with a size of M × N × 3, then the ciphered color image CI is obtained.

Decryption Process
To decrypt the cipher image CI with the secret keys {x 0 , u, k, N 0 , C 0 }, the following decryption operations can be executed.
Step 1: Transform the 3D matrix CI into a gray scale image pixel sequence C.

Tests and Analysis for the Improved Cryptosystem
To examine the performance of the improved cryptosystem, we carried out a simulation experiment. The secret keys were set as (x 0 = 0.4563, u = 5.4321, k = 14, N 0 = 1000, C 0 = 98). The encryption and decryption algorithms were run on the platform Matlab R2016b in a computer with 3.3 GHz CPU, 4 GB memory and a 64 bit Microsoft Windows 7 operating system. The plain image used in the experiments was the color image lena. Figure 6 shows the original plain image and its cipher image encrypted by the improved scheme. The results reveal that the improved scheme has reliable encryption and decryption effect.

Resistance to Chosen-Plaintext Attacks
In our improved scheme, the diffusion matrices Dꞌ and D are related to the temporary and final ciphertext image, which is evident from Equations (25)- (28). It means that images with different contents are encrypted with different diffusion matrices. Furthermore, by using two rounds of diffusion processes, the change of the pixel value at any position in the image will affect all cipher pixel values. Even if the opponent cracked the key streams Dꞌ and D with some specially selected plain images, the key streams Dꞌ and D cannot be used to decrypt the target cipher image because the key streams of the target cipher image are different from the cracked key streams. Moreover, it is difficult to decipher the key streams Dꞌ and D directly by using chosen-plaintext attacks. Therefore, the improved scheme can well resist the chosen-plaintext attacks.

Key Space Analyses
In order to resist a brute-force attack, a cryptographic system must have enough large key space. In our improved cryptosystem, the secret keys include: x0, u, k, N0, C0, so its key space is 2 128 , which is the same as those in Reference [60]. Under the current computing power, the key space is large enough to resist a brute-force attack. The size of the key space depends not only on the number of keys but also on the number of possible values for each key. The problem of numerical chaotic systems is that the finite precision of the machines (e.g., computers) leads to performance degradation [63][64][65][66], such as the key space is reduced, some weak keys appear, and the randomness of the sequence is reduced. In order to identify and avoid weak keys, we need to calculate the Lyaponuv exponents of chaotic systems or plot the phase space trajectories of the system.

Histogram Analysis
An image histogram displays the distribution of the values of its pixels and provides some statistical information about the image. The histograms of each component of the color lena image and its cipher image are shown in Figure 7. The experimental results in Figure 7 show objectively the statistical distribution of plaintext and ciphertext pixels. The histogram of the cipher image shows that the pixel distribution in the cipher image is very uniform, which means that our improved algorithm has excellent performance in resisting statistical attacks.
The variance of a histogram can quantitatively describe the distribution of pixel values, which is calculated by [54]

Resistance to Chosen-Plaintext Attacks
In our improved scheme, the diffusion matrices D and D are related to the temporary and final ciphertext image, which is evident from Equations (25)- (28). It means that images with different contents are encrypted with different diffusion matrices. Furthermore, by using two rounds of diffusion processes, the change of the pixel value at any position in the image will affect all cipher pixel values. Even if the opponent cracked the key streams D and D with some specially selected plain images, the key streams D and D cannot be used to decrypt the target cipher image because the key streams of the target cipher image are different from the cracked key streams. Moreover, it is difficult to decipher the key streams D and D directly by using chosen-plaintext attacks. Therefore, the improved scheme can well resist the chosen-plaintext attacks.

Key Space Analyses
In order to resist a brute-force attack, a cryptographic system must have enough large key space. In our improved cryptosystem, the secret keys include: x 0 , u, k, N 0 , C 0 , so its key space is 2 128 , which is the same as those in Reference [60]. Under the current computing power, the key space is large enough to resist a brute-force attack. The size of the key space depends not only on the number of keys but also on the number of possible values for each key. The problem of numerical chaotic systems is that the finite precision of the machines (e.g., computers) leads to performance degradation [63][64][65][66], such as the key space is reduced, some weak keys appear, and the randomness of the sequence is reduced. In order to identify and avoid weak keys, we need to calculate the Lyaponuv exponents of chaotic systems or plot the phase space trajectories of the system.

Histogram Analysis
An image histogram displays the distribution of the values of its pixels and provides some statistical information about the image. The histograms of each component of the color lena image and its cipher image are shown in Figure 7. The experimental results in Figure 7 show objectively the statistical distribution of plaintext and ciphertext pixels. The histogram of the cipher image shows that the pixel distribution in the cipher image is very uniform, which means that our improved algorithm has excellent performance in resisting statistical attacks.
The variance of a histogram can quantitatively describe the distribution of pixel values, which is calculated by [54] var(Z) = 1 n 2 where Z is a vector and Z = {z 1 , z 2 , . . . , z 256 }, z i and z j are the numbers of pixels with gray values equal to i and j respectively. The lower value of variance indicates the higher uniformity of ciphered images. In the experimental tests, the variances of the histograms of the lena plain image (size of 256 × 256 × 3) and its cipher image were calculated by using Equation (33). The results obtained using two different algorithms are listed in Table 1. From Table 1, one can see that the average variance of the cipher image lena obtained with the proposed improved algorithm is 241.4141, which is much less than that of Wang's algorithm [61]. Thus, our improved algorithm has better performance in resisting statistical attacks.

. Correlation of Two Adjacent Pixels
Adjacent pixels in images usually have a strong correlation. A good encryption algorithm should break the correlation of adjacent pixels in an image. In order to directly describe the correlation of adjacent pixels in an image, based on 5000 randomly selected pairs of pixels (in horizontal, vertical and diagonal directions), the correlation distribution graphs of the lena plain image and its corresponding cipher image are drawn in Figures 8 and 9. It can be seen that the adjacent pixels in three directions in the plain image have a strong correlation, while those in the cipher image have almost no correlation and it is a random pattern. The results mean that our improved scheme has greatly eliminated the correlation of adjacent pixels. In the experimental tests, the variances of the histograms of the lena plain image (size of 256 × 256 × 3) and its cipher image were calculated by using Equation (33). The results obtained using two different algorithms are listed in Table 1. From Table 1, one can see that the average variance of the cipher image lena obtained with the proposed improved algorithm is 241.4141, which is much less than that of Wang's algorithm [61]. Thus, our improved algorithm has better performance in resisting statistical attacks.

Correlation of Two Adjacent Pixels
Adjacent pixels in images usually have a strong correlation. A good encryption algorithm should break the correlation of adjacent pixels in an image. In order to directly describe the correlation of adjacent pixels in an image, based on 5000 randomly selected pairs of pixels (in horizontal, vertical and diagonal directions), the correlation distribution graphs of the lena plain image and its corresponding cipher image are drawn in Figures 8 and 9. It can be seen that the adjacent pixels in three directions in the plain image have a strong correlation, while those in the cipher image have almost no correlation and it is a random pattern. The results mean that our improved scheme has greatly eliminated the correlation of adjacent pixels. In order to quantitatively depict the correlation of adjacent pixels of an image, we introduce correlation coefficient index XY r , which is calculated as follows:  Table 2. From Table 2

Sensitivity Analysis
In order to resist differential attacks, the algorithm must be sensitive to the secret keys and plain images. To measure the sensitivity of an algorithm to tiny changes in key or plain image, we cite two metrics. One is the number of pixel changing rate (NPCR), another is the unified averaged changed intensity (UACI). The definitions of NPCR and UACI are 11  In order to quantitatively depict the correlation of adjacent pixels of an image, we introduce correlation coefficient index r XY , which is calculated as follows: where X and Y are gray-scale values of two adjacent pixels in the images. For the color lena image, the correlation coefficients of adjacent pixels in R component of plaintext image and R component of ciphertext image were calculated respectively. The results are listed in Table 2. From Table 2, we can see that the correlation coefficients of adjacent pixels in R component of plaintext image are close to 1 while those of the cipher image are close to 0. The experimental results also show that our improved algorithm has smaller absolute values of correlation coefficient than Wang's algorithm in the vertical and diagonal directions and Pak's algorithm in all three directions.

Sensitivity Analysis
In order to resist differential attacks, the algorithm must be sensitive to the secret keys and plain images. To measure the sensitivity of an algorithm to tiny changes in key or plain image, we cite two metrics. One is the number of pixel changing rate (NPCR), another is the unified averaged changed intensity (UACI). The definitions of NPCR and UACI are where m, n represent the pixel rows and columns of an image, respectively. Here, C 1 = [ c 1 (i, j)] and C 2 = [c 2 (i, j)] express two encrypted images corresponding to two security keys or two plain images, and δ(i, j) is computed by The desired value of NPCR is 1 and the desired value of UACI is 0.3346 [54].
To measure the sensitivity of our improved algorithm for the plain image, the color lena image (size 256 × 256 × 3) is chosen as the plain image one, and the plain image two is obtained by changing only one pixel of the plain image one. Then, two encrypted images are obtained by executing the improved encryption algorithm with the same secret keys, respectively. NPCR and UACI values are computed with two cipher images, and the results are listed in Table 3. The results indicate that our improved encryption algorithm is very sensitive to the plain image. To measure the sensitivity of the improved algorithm to the secret keys, two different keys with a tiny difference are used to encrypt the same plain image lena and the two cipher images, C 1 and C 2 , are obtained. The tiny change (10 −14 ) is introduced to one of the secret keys (x 0 , u) while keeping all the others unchanged. Similarly, k is changed to k + 1, N 0 is changed to N 0 + 1, C 0 is changed to C 0 + 1, while keeping all the others unchanged. The NPCR and UACI of the cipher images C 1 and C 2 are given in Tables 4 and 5. The experimental results indicate that our improved algorithm is very sensitive to any slight change in each secret key.

Information Entropy Analysis
Image information entropy is an important way to measure the randomness of the pixel distribution. Let I be an image and its information entropy can be calculated as: where P(I i ) denotes the occurrence probability of gray level i, I i = i, and i = 0, 1, 2, . . . , 2 n . Here, 2 n is the number of grayscale levels of an image. If P(I i ) = 1/2 n , then the image is completely random.
For an image with 256 gray-scales, n = 8 and the image has 2 8 grayscale levels, so the ideal value of information entropy is 8. For an encrypted image, the closer the entropy is to 8, the closer the image is to a randomly distributed image. We experimentally tested the information entropy of the color lena ciphertext images obtained by three kinds of encryption algorithms. The results of the information entropy corresponding to the R, G and B channels are listed in Table 6. From Table 6, one can see that all the entropy values are significantly closer to 8, so the randomness is satisfactory. Among these three algorithms, our improved algorithm has the largest average entropy value. Hence, our improved encryption scheme is more capable of resisting information entropy-based attacks.

Cropping and Noise Attack
To test the performance of our improved scheme in resisting data loss and noise attacks. The encrypted lena image (Figure 10a) was attacked by a data cut with a size of 64 × 64 ( Figure 10b) and a 3% "salt & pepper" noise attack (Figure 10c), respectively. Then, these cipher images were decrypted respectively and the results of the decryption are given in Figure 10d-f. The results indicate that our improved scheme can resist cutting and noise pollution attacks. image with 256 gray-scales, n = 8 and the image has 2 8 grayscale levels, so the ideal value of information entropy is 8. For an encrypted image, the closer the entropy is to 8, the closer the image is to a randomly distributed image. We experimentally tested the information entropy of the color lena ciphertext images obtained by three kinds of encryption algorithms. The results of the information entropy corresponding to the R, G and B channels are listed in Table 6. From Table 6, one can see that all the entropy values are significantly closer to 8, so the randomness is satisfactory. Among these three algorithms, our improved algorithm has the largest average entropy value. Hence, our improved encryption scheme is more capable of resisting information entropy-based attacks. To test the performance of our improved scheme in resisting data loss and noise attacks. The encrypted lena image (Figure 10a) was attacked by a data cut with a size of 64 × 64 ( Figure 10b) and a 3% "salt & pepper" noise attack (Figure 10c), respectively. Then, these cipher images were decrypted respectively and the results of the decryption are given in Figure 10d-f. The results indicate that our improved scheme can resist cutting and noise pollution attacks.

Analysis of Speed
A practical encryption algorithm should be efficient in terms of encryption speed. To test the encryption speed of the improved scheme, three RGB color images with different size have been used for the encryption. The simulation experiments were run on a desktop PC with Intel(R) Core i5-4590 3.30 GHz CPU, 4 GB RAM and 500 GB hard disk. The operating system was 64 bits Microsoft

Analysis of Speed
A practical encryption algorithm should be efficient in terms of encryption speed. To test the encryption speed of the improved scheme, three RGB color images with different size have been used for the encryption. The simulation experiments were run on a desktop PC with Intel(R) Core i5-4590 3.30 GHz CPU, 4 GB RAM and 500 GB hard disk. The operating system was 64 bits Microsoft Windows 7 and the computational platform was Matlab R2016b. The average encryption/decryption time taken by Pak's algorithm, Wang's algorithm and our improved algorithm for processing the images with different size are shown in Table 7. The results show that our algorithm has the fastest speed. This is because our encryption algorithm has abandoned binary XOR operations.

Conclusions
In this paper, an improved cryptanalysis on a color image cryptosystem is presented. It has been shown that the equivalent secret key and all the unknown parameters of the cryptosystem can be recovered by our chosen-plaintext attack algorithm. Furthermore, based on the analysis of defects in the original cryptosystem, an improved color image encryption scheme is proposed. The contributions of this paper include two aspects: First, a more complete and efficient method to comprehensively crack Pak's encryption scheme is proposed, which further enriches the research of cryptanalysis. The validity and correctness of the cryptanalysis algorithm were verified by theoretical analysis and experimental results. Second, a new color image encryption algorithm with a higher security and a higher encryption efficiency is proposed. In the new encryption scheme, the generation of diffusion arrays depends on the content of the image itself and the permutation position array. In the process of diffusion, two effects of ciphertext feedback and pixel scrambling are also implemented simultaneously. Using these methods, the security of the cryptosystem is enhanced. Experimental results and security analysis demonstrate that the improved cryptosystem can achieve a satisfactory security level after two rounds of diffusion encryption.
Looking to the future in image encryption field, some new research directions are worth considering, such as efficient image encryption technology in the resource-constrained mobile social network [67] or sensor network communication environment [68]. Another interesting form of encryption is searchable encryption [69], which is a very promising direction in the field of cloud computing.