On the Security of Image Encryption Schemes Based on Multiple Parameters Transforms

ON THE SECURITY OF IMAGE ENCRYPTION SCHEMES BASED ON MULTIPLE PARAMETERS TRANSFORMS

Esam Elsheh and Amr Youssef

Concordia Institute for Information Systems Engineering Concordia University, Montreal, Quebec, Canada {e elsh, [email protected]}

ABSTRACT Unnikrishnan et al. [2] also proposed optical image encryption with FRFT. Recent developments of generalized forms of signal process- With the increasing applications of FRFT, researchers ing transforms with a large number of independent param- have put numerous efforts on the development of its eters, such as the Multiple Parameter Fractional Fourier theory. Consequently, a variety of different forms of Transform and the Discrete Fractional Cosine Transform, FRFTs were defined, which enriched the applications of have encouraged many researchers to propose image encryp- these transforms. Zhu et al. [4] constructed a Multiple tion algorithms based on a single or multiple applications Fractional Fourier Transform (MFRFT) as a linear com- of these transforms. In order to claim a high level of secu- bination of the conventional FRFT. Afterward, Liu et rity of these parameterized transforms-based schemes, their al. [5] proposed the Random Fractional Fourier Transform authors usually use the argument that the encrypted image (RFRFT) by randomizing the transform kernel function is visually indistinguishable from random noise. of the conventional FRFT. Later, Tao et al. [6] proposed In this paper, we show that these algorithms represent the Multiple-Parameter Fractional Fourier Transform typical textbook examples of insecure ciphers; all the build- (MPFRFT) by using the fractionalized method from ing blocks of these schemes are linear, and hence, breaking Shih [3]. Following ideas from the FRFT, a series of trans- these scheme, using a known plaintext attack, is equivalent forms, such as Fractional Cosine Transform (FCT) [7], to solving a set of linear equations. We also invalidate the Fractional Hadamard Transform (FRHaT) [8], and Frac- argument of relying on the visual quality of the encrypted tional Random Transform (FRT) [9], have been proposed. image ciphertext by presenting an example for a trivially insecure system that produces ciphertext images with the A common feature of these generalized transforms is same property. An agrement against the claimed efficiency that they have a relatively larger number of independent of these schemes is also provided. parameters as compared to their corresponding original forms. Reconstructing the original signal from the trans- 1. INTRODUCTION formed domain requires the application of the inverse transform with the exact set of parameters corresponding Mathematical transforms, such as the Fourier, Cosine, and to the ones that were applied to the original signal. Any Wavelet Transforms, have long been powerful tools for sig- simple modification in these parameters would lead to nal representation, analysis and processing. The discrete the reconstruction of a completely distorted version of forms of these transforms have been widely applied to many the signal. These observations have encouraged many applications including image processing. researchers to propose image encryption algorithms based Motivated by the wide available spectrum of possible ap- on a single or multiple steps of these transforms, where plications, these transforms have been generalized. For ex- the parameters of these transforms are used as encryption ample, the Fractional Fourier Transform (FRFT) [1] has keys. A quick review of the relevant signal processing been proposed as a generalizing for the Fourier transform. literature would reveal a surprisingly very large number of The Fourier transform can be interpreted as a transform of image encryption schemes based on these transforms. For a time domain signal into a frequency domain signal. Sim- example, [10], [11] and [12] propose similar systems based ilarly, the interpretation of the inverse Fourier transform is on the Discrete Fractional Fourier Transform (DFRFT). as a transform of a frequency domain signal into a time do- To increase the number of the transform parameters, main signal. The FRFT, on the other hand, transforms a the authors in [13] introduced the Discrete Multiple signal, either in the time domain or frequency domain, into Parameter Fractional Fourier Transform (DMPFRFT) and the domain between time and frequency; it is a rotation in then proposed an image encryption algorithm based on it. the time-frequency domain. The FRFT can be thought of Nu et al. [14] proposed an image encryption system based as the Fourier transform to the nth power, where it trans- on the Mixed Discrete Fourier Transformation (MxDFT) forms a function to an intermediate domain between time in which the constructed transform matrix is represented and frequency. Its applications range from filter design and as a linear combination of more than one DFRFT. To signal analysis to phase retrieval and pattern recognition. add more randomness to encrypted images whose energy

978-1-4244-9991-5/11/$26.00 ©2011 IEEE 97 concentrates around the corners or borders, the Random wherea ¯ = [a0, a1, ··· , aN−1]. Discrete Fractional Fourier Transform (RDFRFT) was The RDFRFT [15] with 1 × N parameter vectora ¯ is proposed in [15]. The eigenvectors of the kernel matrix obtained by using the random DFT-commuting matrix H of the RDFRFT are random DFT eigenvectors that are and the DMPFRFT, as follows computed from eigenvectors of a random DFT-commuting matrix. Several discrete Fourier-related transforms have NX−1 a¯ ak T been parameterized in order to design image encryption FH = λk rkrk . (5) algorithms. For example, Zhou et al. [16] present an k=0 image encryption system using the Discrete Parametric where rk are the orthonormal random DFT eigenvectors Cosine Transform (DPCT) and Tao et al. [17] present computed from H, λk is the DFT eigenvalue corresponding another system based on the Multiple-Parameter Discrete to rk and Fractional Hadamard Transform (MPDFrHaT).  −j2π ak (e ) if λk = 1  −jπ/2 a The rest of the paper is organized as follows. In the next (e ) k if λ = −j λak = k (6) section, we briefly review the details of three representative k −jπ ak (e ) if λk = −1 samples of these image encryption schemes which are based  (e−j3π/2)ak if λ = j. on RDFRFT [15], Multi Orders Fractional Fourier Trans- k forms [18] and Reciprocal-Orthogonal Parametric (ROP) The reader is referred to [15] for the steps of obtaining Transform [19], respectively. In Section 3, we present our matrix H. main observations about these schemes: all these schemes Finally, the 2-D RDFRFT image encryption with secret are linear and hence they can be trivially broken using a key parameters (¯a1, H1,a ¯2, H2) of an N × M image P is known plaintext attack. We also show that relying on the defined by visual quality of the encrypted image does not provide any rigorous proof of security for the underlying system and we a¯ a¯ Q = F 1 · P · F 2 (7) discuss the claimed efficiency of these schemes. Finally, our H1 H2 conclusion is presented in Section 4. where Q is the encrypted image and Fa¯1 , Fa¯2 are the H1 H2 N × N and M × M RDFRFT matrices, respectively. 2. EXAMPLES OF IMAGE ENCRYPTION ALGORITHMS BASED ON MULTIPLE 2.2. Image Encryption Based on the Multi-Orders PARAMETERS TRANSFORMS Fractional Fourier Transform [18]

In this section, we briefly summarize three representative The N × N of the p-th order DFRFT is defined as examples of the image encryption algorithms that are based N N N N on parameterized discrete transforms. Fp = Λp,u · W · Λp,t (8) N N N×N where the matrices Fp , W ∈ C and the diagonal N N N×N 2.1. Image Encryption Based on RDFRFT [15] matrices Λp,u, Λp,t ∈ C are defined as

Recall that the N × N DFT matrix is deﬁned as N −j 2π (m−1)(n−1) [W ]m,n = e N ,

1 pπ 2 2 N j 2 cot( 2 )(n−1) ·∆t 1 −j(2π/N)mn [Λp,t]n,n = e , [F]m,n = √ e , 0 ≤ m, n ≤ N − 1. (1) N and N j 1 cot( pπ )(n−1)2·∆u2 [Λ ] = e 2 2 p The Eigen decomposition of the DFT matrix F is given p,u n,n by where p ∈ (0, 2), ∆t is the sampling intervals in the time domain, and ∆up = 2π sin(pπ/2)/(N∆t) is the p-th order NX−1 T of Fractional Fourier domain (FRFD). Correspondingly, the F = λkekek (2) p-th order of the inverse DFRFT for an N-length sequence, k=0 which is equivalent to the p-th order DFRFT, can be ex- N where e0, e1, ··· , eN−1 form an orthonormal eigenvector pressed as the Hermite transposition of Fp , i.e., basis of the DFT. The DFRFT Fa with one parameter a is deﬁned as N N H N N H N F−p = (Fp ) = Λ−p,t · (W ) · Λ−p,u (9) NX−1 The encryption is carried as follows: The A × B origi- a a T F = λkekek . (3) nal image P is divided into M × N sub-images, Pa,b, a = k=0 1, 2, ··· ,M and b = 1, 2, ··· ,N, with a size of A/M ×B/N, A generalization of DFRFT, called the Discrete Multi- which are given by ple Parameters Fractional Fourier Transform (DMPFRFT) [13], is deﬁned with the corresponding matrix [Pa,b]m,n = [P](a−1)A/M+m,(b−1)B/N+n (10) If the column vectors of P are M-fold interpolated NX−1 a,b a¯ ak T and further pa,b,a-th order inverse discrete fractional Fourier F = λ eke . (4) k k transformed, then we can obtain the encrypted sub-images k=0

978-1-4244-9991-5/11/$26.00 ©2011 IEEE 98 Qa,b, based on the FRFD analysis of the interpolation [20, element-by-element multiplication of each of these minus- 21], as indexed rows by the parametric vector V we obtain the normalized ROP matrix of order four     Dpa,b,1,0 1 1 1 1  Dp ,1   1 −a1 a1 −1   a,b,1  TV = . Q =  .  Xa,b[Ep ,0 Ep ,1 ··· Ep ,N−1] 4   a,b  .  a,b,2 a,b,2 a,b,2 1 a1 −a1 −1 . 1 −1 −1 1 Dpa,b,1,M−1 Vi (11) Let us denote by TN the ROP transform matrix of order (A/M)×(B/N) N constructed using the parametric vector V , which has where the matrix Xa,b ∈ C is the two dimen- i N/2 − 1 independent parameters. Then, we consider four sional inverse DFRFT of Pa,b, which is given by diﬀerent parametric vectors V1, V2, V3, and V4 to con- V V V A/M B/N T struct the ROP transform matrices T 1 , T 2 , T 3 , and Xa,b = F−p · Pa,b · (F−p ) N N N a,b,1 a,b,2 V4 TN , respectively. (A/M)×(A/M) The diagonal matrices Dpa,b,1,l ∈ C , l = The output of the ﬁrst round is obtained as 0, 1, ··· ,M − 1 and E ∈ C(B/N)×(B/N), k = pa,b,2,k 1 0, 1, ··· ,N − 1 are expressed as C = TV2 (P ¯ [ejα(n,m)])TV1 (13) 4 N N

p π whereas the encrypted image Q of the original image P of −j 1 cot( a,b,l )·[2(n−1)l(A/M)+l2(A/M)2]∆t2 [D ] = e 2 2 pa,b,1,l n,n size N × N is obtained as

1 V4 jβ(n,m) V3 Q = 2 TN (C ¯ [e ])TN (14) p π N −j 1 cot( a,b,2 )·[2(n−1)k(B/N)+k2(B/N)2]∆t2 [E ] = e 2 2 where ¯ denotes the element-by-element multiplication pa,b,2,k n,n operation of matrices, [ejα(n,m)] and [ejβ(n,m)] are two Then, we obtain the encrypted image Q by summation N × N random phase matrices, α(n, m) and β(n, m), 1 ≤ of Qa,b n, m ≤ N, are white, uniformly distributed in [0, 2π] and independent of each other. The (2N − 4) independent pa- XM XN V1 V2 V3 rameters (V1, V2, V3, V4) of the matrices TN , TN , TN , Q = Qa,b (12) V4 and TN and the random phase matrices are used as the a=1 b=1 encryption secret keys. 2.3. Image Encryption based on the ROP Trans- form [19] 3. MAIN OBSERVATIONS

Any integer n can be represented by r binary digits bi, An introduction to diﬀerent types of cryptanalytic attacks rP−1 can be found in [24]. A more rigorous mathematical treat- bi 0 ≤ i ≤ r − 1. If (−1)i=0 = −1, then n is called a ment can be found in [25]. The attack described here is minus integer. The rows of any N × N matrix are indexed a known plaintext attack, i.e., we assume that the crypt- by integer numbers 0, 1, ··· ,N − 1. A row indexed by a analyst can observe some of the plaintext images and its minus integer is called a minus-indexed row. corresponding encrypted ciphertext. One should note that, The Reciprocal-Orthogonal Parametric (ROP) N × N because of the large size of the key required to encrypt matrix is constructed using a parametric row vector V of an image using these multiple parameter transforms, the length N and Hadamard matrix H of order N. assumption that the same encryption key will be used to encrypt several images is realistic; otherwise, the user is Throughout the rest of this section, we use a toy example better oﬀ using the theoretically secure one-time pad algo- with N = 4 to illustrate the basic principles of this scheme. rithm [25]. The construction of the ROP transform matrix proceeds as follows. 3.1. Known plaintext attack Form a parametric row vector V = [1 a1 a1 1], with the Despite the apparent complexity of some of the above gen- parameter a1 is nonzero scalar and arbitrarily chosen from the complex plane. eralized transforms, a common feature in all of them is that Construct the Hadamard matrix of order 4 there is an equivalent matrix description for each one of them.   1 1 1 1 In order to avoid unnecessary mathematical notation,  1 −1 1 −1  consider the toy example of the RDFRFT image encryption H = 4  1 1 −1 −1  system presented in the previous section with N = 2. 1 −1 −1 1 · ¸ · ¸ a a b b Let Fα¯1 = 11 12 ,Fα¯2 = 11 12 , which has four rows that can be indexed from the top to the H1 a a H2 b b · 21 ¸ 22 · 21 ¸ 22 bottom by 0, 1, 2, 3. In this case, the minus-indexed rows p p q q P = 11 12 and Q = 11 12 . are those that are indexed by 1 and 2. By performing an p21 p22 q21 q22

978-1-4244-9991-5/11/$26.00 ©2011 IEEE 99 Then we have in Fig. 1, this trivially insecure 11-bit LFSR shows bet-       ter key avalanche properties when compared to some pub- q a b a b a b a b p 11 11 11 11 21 12 11 12 21 11 lished schemes. It should be noted that the existence of such  q12   a11b12 a11b22 a12b12 a12b22   p12  = . a high correlation between images decrypted with slightly  q   a b a b a b a b   p  13 21 11 21 21 22 11 22 21 13 incorrect keys and the original images may also facilitate q a b a b a b a b p 44 21 12 21 22 22 12 22 22 44 ciphertext only attacks using heuristic search techniques. By noting that the decomposition of linear systems is linear. Similar relation follow for the two other systems presented in Section 2. Also, adding an arbitrary large number of rounds would not add any nonlinearity to these schemes. Consider an N × M image P. Let INM×1 and ONM×1 denote the column-vectors obtained by concatenating the elements of the input plaintext matrix, P, and the output ciphertext matrix, Q, respectively. Then, for all the above encryption systems, we have Original Barbara Decrypted with incorrect key O = K × I

where K is an NM × NM equivalent key matrix whose elements can be recovered using O(NM) known plaintext- ciphettext pairs. While the complexity of solving the above system of equations using Gaussian elimination is given by O((NM)3), other more advanced techniques can reduce this complexity to O((NM)2.37). It should be noted that this complexity is much less than the usually claimed security level of these systems. A folklore argument that is typically presented by the authors of image encryption schemes based on parameter- Original Lena Decrypted with incorrect key ized discrete transforms is that their proposed schemes are more secure than others because their underlying trans- Fig. 1. Examples of images decrypted with slightly incor- forms utilize a larger number of transform parameters which rect keys for the ROP-based algorithm [19]. increases the length of the corresponding secret keys. For example, the DMPFRFT-based scheme in [22] claim better security than DFRFT because it uses more parameters compared to the DFRFT. Contrary to the above folklore argument, when consid- ering this basic forms of known plaintext attacks, an encryption system based on a generalized transform with a huge number of parameters is equally as bad as any transform with very small number of parameters; both of them can be broken with the same complexity. Similarly, adding an arbitrary large number of transform rounds would not (a) (b) (c) increase the security of these schemes. Fig. 2. (a) Lena (b) Lena encrypted by an LFSR (c) Lena 3.2. Visual Quality of Encrypted Images decrypted with a slightly incorrect key (1 bit difference). In order to claim a high level of security of these parameterized transforms-based schemes, their authors usually use the argument that the encrypted images are visually in- 3.3. Inefficiency of the proposed Schemes distinguishable from random noise. While this is a neces- sary condition for any secure image encryption system, this Due to the large data size and real time constrains of mul- condition is so loose to the extent that it can be satisfied timedia data, some researchers argue that algorithms that by almost any system, even if it has a very poor security. standard encryption algorithms may not be suitable for Verifying the security of any image encryption scheme by multimedia data. In fact, this reason is usually used as the visual observation is worthless practice; seeing a total ran- main motivation for many parameterized transform based dom image as an encrypted image of the encryption scheme image encryption systems. However, since all the elements does not provide any assurance that the proposed algo- of the matrices corresponding to these parameterized trans- rithm is secure. As an illustration of this observation, Fig 2 forms are complex numbers, the encryption process require shows the encrypted image using 11-bit Linear Feedback floating point operations which are much slower than the Shift register-based stream cipher (ciphertext only attack typical operations required by modern symmetric key ci- against this LFSR cipher, using the berlekamp massey al- phers. Also, there is usually a large data expansion as- gorithm [25], requires only 22 bits.) In fact, as depicted sociated with the encryption process because, unlike the

978-1-4244-9991-5/11/$26.00 ©2011 IEEE 100 plaintext, the ciphertext belongs to the set of complex num- [11] Y. Zhang and F. Zhao, “The algorithm of fractional bers (which typically means an expansion by a 1 : 8 factor.) Fourier transform and application in digital image en- Thus, current standard algorithms such as AES [23] outper- cryption,” International Conference on Information En- form the above systems in terms of both encryption speed, gineering and Computer Science ICIECS, 2009. bandwidth, and storage requirements. [12] H. Yoshimura, and R. Iwai, “New encryption method of 2D image by use of the fractional Fourier trans- 4. CONCLUSIONS form,” International Conference on Signal Processing ICSP, 2008. Because of their inherent linearity, encryption algorithms [13] S.C. Pei and W.L. Hsue, “The multiple-parameter dis- based on generalized multiple parameters transforms are crete fractional Fourier transform,” IEEE Signal Process. not secure. Careful analysis of the performance of these al- Lette., vol. 13, no. 6, pp. 329-332, 2006. gorithms also reveal their inefficiency in terms of both bandwidth and throughput. For practical applications requiring [14] N. Du, S. Devineni and A.M. Grigoryan, “Mixed block ciphers, we recommend the use of the AES algorithm. Fourier transforms and image encryption,” IEEE Inter- Similarly, for applications requiring stream ciphers, we rec- national Conference on Systems, Man, and Cybernetics, ommend the use of one of the seven stream ciphers de- 2009. fined, by European ECRYPT stream cipher project, in the [15] S.C. Pei and W.L. Hsue, “Random discrete fractional the eSTREAM Portfolio. These algorithms have undergone Fourier transform,” IEEE Signal Process. Lette., vol. 16, extensive cryptanalytic reviews by the cryptographic com- no. 12, 2009. munity and are optimized to achieve an excellent tradeoff [16] Y. Zhou, K. Panetta and S. Agaian, “Image encryption between security and performance. using discrete parametric cosine transform,” Conference on Signals, Systems and Computers, Record of the Forty- 5. REFERENCES Third Asilomar 2009. [17] R. Tao , J. Lang and Y. Wang, “The multiple- [1] H.M. Ozaktas and D. Mendlovic, “Fractional Fourier parameter discrete fractional Hadamard transform,” transforms and their optical implementation,” Journal Journal of Optics Communications, vol. 282, no. 8, pp. of the Optical Society of America A: Optics and Image 1531-1535, 2009. Science, and Vision. vol. 10, no. 12, pp. 2522-2531, 1993. [18] R. Tao, X.Y. Meng and Y. Wang, “Image encryption [2] G. Unnikrishnan, J. Joseph, and K. Singh, “Optical en- with multi-orders fractional Fourier transforms,” IEEE cryption by double-random phase encoding in the frac- Transactions on Information Forensics and Security, vol. tional Fourier domain, ,” Opt. Lett., vol. 25, pp. 887-889, pp, no.99, pp. 1-, 2010. 2000. [19] S. Bouguezel, A.M. Omair and M.N.S. Swamy, “Im- [3] C.C. Shih, “Fractionalization of Fourier transform,” age encryption using the reciprocal-orthogonal paramet- Optics Communications. vol. 118, no. 5-6, pp. 495-498, ric transform,” IEEE International Symposium on Cir- 1995. cuits and Systems ISCAS, 2010. [4] B. Zhu, S. Liu and Q. Ran, “Optical image encryption [20] X.Y. Meng, R. Tao and Y. Wang, “The fractional based on multifractional Fourier transforms, ” Opt. Lett., Fourier domain analysis of decimation and interpola- vol. 25, pp. 1159-1161, 2000. tion,” Science in China, Ser.F, vol. 50, pp. 521-538, 2007. [5] Z. Liu and S. Liu, “Random fractional Fourier trans- [21] X.Y. Meng, R. Tao and Y. Wan, “Fractional Fourier form,” Opt. Lett., vol. 32, pp. 2088-2090, 2007. domain analysis of cyclic multirate signal processing,” Science in China, Ser E, vol. 51, pp. 803-819, 2008. [6] R. Tao, J. Lang and Y. Wang, “Optical image encryption based on the multiple-parameter fractional Fourier [22] Y. Xiao, H, Zhang, Q. Ran, J. Zhang and L. Tan, transform,” Opt. Lett., vol. 33, pp. 581-583, 2008. “Image encryption and two dimensional discrete M- parameter fractional Fourier transform,” International [7] S.C. Pei and M.H. Yeh, “The discrete fractional cosine Congress on Image and Signal Processing CISP, 2009. and sine transforms,” IEEE Transactions on Signal Pro- [23] National Institute of Standards and Technology, FIPS- cessing. vol. 49, no. 6, pp. 1198-1207, 2001. 197: Advanced Encryption Standard, November 2001. [8] R. Tao, J. Lang and Y. Wang,“ The multiple-parameter [24] B. Schneier, Applied Cryptography, 2nd ed. New discrete fractional Hadamard transform,” Optics Com- York:Wiley, 1996. munications, vol. 282, no. 8, pp. 1531-1535, 2009. [25] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, [9] Z.J. Liu, H.F. Zhao and S.T. Liu, “A discrete fractional Handbook of Applied Cryptographic Research. Boca Ra- random transform ,” Opt. Communications, vol. 255, pp. ton, FL: CRC 1996. 357-365, 2005. [10] J.M. Vilardy, J.E. Calderon, C.O. Torres and L. Mat- tos, “Digital images phase encryption using fractional Fourier transform,” Electronics, Robotics and Automo- tive Mechanics Conference CERMA, 2006.