Security measurement of a medical communication scheme based on chaos and DNA coding
Lei Chen, Chengqing Li, Chao Li

TL;DR
This paper critically analyzes a chaos and DNA coding-based medical image encryption scheme, revealing its vulnerabilities through a chosen-plaintext attack and questioning its claimed security features.
Contribution
It introduces an efficient chosen-plaintext attack on the MPPS scheme and evaluates its security flaws, challenging prior claims of robustness.
Findings
The attack discloses the scheme's equivalent secret-key with minimal plaintext-ciphertext pairs.
The scheme's claimed resistance to certain attacks is invalidated.
The analysis promotes better application of DNA encoding in multimedia privacy protection.
Abstract
To encrypt sensitive information existing in a color DICOM images, a medical privacy protection scheme (called as MPPS) based on chaos and DNA coding was proposed by using two coupled chaotic systems to produce cryptographic primitives. Relying on some empirical analyses and experimental results, the designers of MPPS claimed that it can withstand a chosen-plaintext attack and some other classic attacking models. However, this statement is groundless. In this paper, we investigate the essential properties of MPPS and DNA coding, and we then propose an efficient chosen-plaintext attack to disclose its equivalent secret-key. The attack only needs pair of chosen plain-images and the corresponding cipher-images, where and ``3" are the size of the RGB color image and the number of color channels, respectively. In addition, the other…
| Rule number | ||||
|---|---|---|---|---|
| A | C | G | T | |
| A | G | C | T | |
| T | G | C | A | |
| T | C | G | A | |
| C | A | T | G | |
| C | T | A | G | |
| G | A | T | C | |
| G | T | A | C |
| A | G | C | T | |
|---|---|---|---|---|
| A | A | G | C | T |
| G | G | C | T | A |
| C | C | T | A | G |
| T | T | A | G | C |
| A | G | C | T | |
|---|---|---|---|---|
| A | A | T | C | G |
| G | G | A | T | C |
| C | C | G | A | T |
| T | T | C | G | A |
| Original sub-key | Corresponding equivalent sub-key | Description |
|---|---|---|
| Permutation index sequence | ||
|
or
|
DNA coding and decoding rules | |
| Binary sequence | ||
| Keystream of R plane | ||
| Keystream of G plane | ||
| Keystream of B plane |
| Equivalent sub-key class 333 represents different keystream in the equivalent classes, where . Because the value of depends on the original sub-key , only the more general relationships between them are given here. | Equivalent sub-key class | Equivalent sub-key class | Equivalent sub-key class |
|---|---|---|---|
| for R channel | for G channel | for B channel |
|---|---|---|
| Original sub-keys | The obtained equivalent sub-keys |
|---|---|
| Invalid key items | Equivalent keys type I | Equivalent keys type II | Weak keys type I | Weak keys type II |
|---|---|---|---|---|
| Effective keyspace size |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Security Measurement of a Medical Communication Scheme based on Chaos and DNA Coding
Lei Chen
Chengqing Li
Chao Li
School of Computer Science, Xiangtan University, Xiangtan 411105, Hunan, China
College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, Hunan, China
Abstract
To encrypt sensitive information existing in a color DICOM images, a medical privacy protection scheme (called as MPPS) based on chaos and DNA coding was proposed by using two coupled chaotic systems to produce cryptographic primitives. Relying on some empirical analyses and experimental results, the designers of MPPS claimed that it can withstand a chosen-plaintext attack and some other classic attacking models. However, this statement is groundless. In this paper, we investigate the essential properties of MPPS and DNA coding, and we then propose an efficient chosen-plaintext attack to disclose its equivalent secret-key. The attack only needs pair of chosen plain-images and the corresponding cipher-images, where and “3” are the size of the RGB color image and the number of color channels, respectively. In addition, the other claimed superiorities are questioned from the perspective of modern cryptography. Both theoretical and experimental results are presented to support the efficiency of the proposed attack and the other reported security faults. The proposed cryptanalysis results will promote the proper application of DNA encoding to protect multimedia privacy data, especially that in a DICOM image.
keywords:
cryptanalysis, chaotic cryptography, chosen-plaintext attack, DNA coding, DICOM image security, privacy protection.
††journal: Elsevier
\geometry
left=1.8cm,right=1.8cm,top=2.5cm,bottom=2.5cm
1 Introduction
DNA (Deoxyribonucleic acid) computing is an emerging new generation of computing technology that uses biochemical reaction techniques to perform calculation in biological DNA molecules as information carriers rather than the standard artificial hardware [2]. DNA computing has some potential advantages over conventional alternatives, such as huge storage space, massive parallelism, and ultra-low power consumption [25]. Consequently, it has received attention from many researchers in multiple fields, such as mathematics, biology, and computer science [6, 12]. Some researchers have adopted the concept of DNA computing into cryptography, and adopted its computing rules as part of an encryption algorithm. These algorithms are known as DNA cryptography [18]. In 2004, Gehani et al. proposed the first DNA-based cryptosystem in [13], which combines a one-time-pad and the diffusion operation based on exclusive OR operation. A number of DNA-based encryption schemes have since been published in the literature and in patents. Most of these schemes have adopted nonlinear dynamics for better encryption effect, including 2-D Logistic-adjusted-Sine map [38], Hénon-Sine map [37] and discrete memristor [30].
Cryptography and cryptanalysis are two equivalent parts of cryptology. As shown in the development history of the Data Encryption Standard (DES), they can promote development of the two parts. Some encryption schemes based on DNA encoding were found to be insecure to different extents from the viewpoint of modern cryptology [39, 14, 33, 3, 17, 35, 36]. For example, Xie et al. evaluated the security performance of an image encryption algorithm based on DNA sequence operation and a hyper-chaotic system. They disclosed its equivalent secret key with no more than chosen plain-images, where is the size of the plain-image [39]. In 2014, Hermassi et al. cryptanalyzed an image encryption algorithm based on DNA addition, and recovered its keystream (i.e., the equivalent secret-key) with some pairs of chosen plain-images and the corresponding cipher-images [14]. From a survey of the literature it can be seen that most efforts have focused on using chosen-plaintext attacks as powerful attacking tools [33, 3, 17], while a few works have proposed specific attack algorithms under the conditions of known-plaintext attacks [35] and chosen-ciphertext attacks [36]. Using the properties of DNA coding during encryption process, some cryptanalysis works have presented near-optimal attacking methods [5, 41, 7]. Specifically, DNA addition is modelled as equivalent version in terms of a binary addition in [5]; a series of DNA manipulations can be viewed as S-box components in [7]; and different DNA coding and decoding rules have the same encryption effect in [41].
The fast development of transmission and sensing technologies supports the progress of remote diagnosis (telediagnosis) and remote surgery (telesurgery)[9]. However, concerns about the security and privacy of the medical images transmitted via public channels are becoming increasingly serious[10]. Due to the bulky size of medical image data and the special storage format, the modern text encryption standards are not efficient to protect them [1, 42]. The directly optimized image protection strategy is to reduce the size of encryption object by automatically detecting the region of interest (ROI) and leaving the region of non-interest (RONI) in plain-form. As the equivalent counterpart of cryptography, the object of cryptanalysis is to obtain as much information on the secret-key and/or the plaintext as possible under a given attacking scenario [29, 11, 43, 8, 40]. Among them, reference [11] first eliminated the diffusion effect by using a differential attacking approach and then revealed the equivalent secret-key of the permutation process; while reference [43] obtained the keystream and permutation matrix by an efficient chosen-plaintext attacking method.
The degree of randomness of the pseudo-random number sequences (PRNSs) generated by iterating a chaotic map in a digital device may be weaker than that of the counterpart obtained in an infinite domain [26, 27, 23, 30]. As comprehensively reviewed in [19], various methods have been proposed to counteract the dynamics degradation of digitized chaotic maps, as follows: selecting state and control parameters; increasing the arithmetic precision; perturbing the control parameters; perturbing states; switching among multiple chaotic maps; cascading multiple chaotic maps together [15, 16]; and constructing much more complex systems [34]. For a critical review of chaotic cryptology, we refer the reader to [4, 28, 24].
A medical privacy protection scheme (MPPS) based on DNA encoding and chaotic maps was proposed in [32]. The images stored as DICOM (Digital Imaging and Communications in Medicine) standard are encrypted with DNA encoding and PRNSs generated by iterating two coupled chaotic systems (CCSs). Based on some experimental results and empirical analysis, the designers of MPPS claimed that the encryption scheme is secure against chosen-plaintext attacks. However, rigorous modern cryptanalysis reveals that this statement is groundless. This paper focuses on security evaluation of MPPS. Some properties on its essential structure are reported and proved to be rigorous, which is then used to support an efficient chosen-plaintext attack. A divide-and-conquer strategy is adopted to obtain the secret key of MPPS and/or its equivalent. The metrics on validating security performance of MPPS are critically checked with some convincing arguments.
In general, the primary contributions of this paper are summarized as follows:
The mathematical properties of DNA coding are studied; 2. 2)
A divide-and-conquer attack is proposed to crack the three channels of the cipher-image produced by MPPS (namely Red, Green, and Blue channels of the color image); 3. 3)
Both theoretical and simulation results demonstrate that there are a large number of equivalent keys of MPPS; 4. 4)
The security performance of MPPS is comprehensively evaluated from eight aspects.
The rest of this paper is organized as follows. Section 2 presents the operations of the medical privacy protection scheme under study. A detailed description of cryptanalysis on MPPS is presented in Sec. 3, together with some experimental results. Finally, the last section concludes the paper with final remarks.
2 A precise and concise description of MPPS
As specified in [32, Sec. III], MPPS can protect the sensitive information in a DICOM image with two different modes: partial and full encryption. If partial encryption is adopted, then only the significant areas of the DICOM image are encrypted to considerably reduce the size of the encryption object for diagnosis. Except the difference on selected operating portions of a plain-image, MPPS works exactly the same in the two modes. Without loss of generality, the encryption object of MPPS can be simplified as a RGB colour image of size for either mode, which are represented with three two-dimensional (2D) 8-bit integer matrices: , and . Accordingly, is the cipher-image, where , and . Each 2-D image data can also be written as a one-dimensional (1D) array by scanning it in the raster order (from left to right, and top to bottom); for example, 111Because the 2-D and 1-D presentation forms can be mutually converted, they are not distinguished strictly in the paper..
The architecture of MPPS designed in [32] is illustrated in Fig. 1. The basic parts of MPPS are described as follows222To make the description of MPPS more concise and complete, some details of its process given in [32] are modified under the precondition that its security performance is uninfluenced.:
- •
The secret key includes six sets of initial values and control parameters . The sub-keys , , and are the initial values and control parameters of the Coupled Logistic-Sine (CLS) map
[TABLE]
where
[TABLE]
is the Logistic map studied in [19]. The other two sub-keys, and , are sets of the initial values and control parameters of a Coupled Logistic-Tent (CLT) map
[TABLE]
where and .
- •
Initialization:
Generating an index sequence: iterate CLS map (1) times from the initial condition with control parameter to avoid the transient effect generated in the initial iterations. Iterate it more times to obtain a state sequence , where . Sort in an ascending order to produce an index sequence satisfying that is the -th largest element of sequence . 2. 2)
Determining DNA coding rules: iterate CLT map (3) with control parameter from initial condition times to avoid the transient effect. Iterate it six more times to obtain a sequence and quantize it to six random numbers via
[TABLE]
where returns the nearest integer that is less than or equal to . 3. 3)
Constructing a pseudo-random number generator: starting from the initial condition , iterate CLT map (3) times with control parameter . Iterate map (3) more times to obtain a state sequence and quantize it to a binary sequence via
[TABLE] 4. 4)
Generating three keystreams , , : similar to Step 1, set three sub-keys , , and as the control parameter and initial state of CLS map (1), generate three sequences , and , respectively. As above, the first states are eliminated to generate , where . Then, every element of these sequences is quantified via function
[TABLE]
- •
Encryption procedure:
- a)
Permutation: three matrices , , and are “placed” vertically to obtain a larger image . Then, produce a scrambled intermediate image from by the index sequence :
[TABLE]
where
[TABLE] 2. b)
DNA Encoding: first, assign for . Using transform function
[TABLE]
satisfying to change every pixel of , , and into four neighboring elements of 2-bit integer matrices of size , , , and , respectively. For example, the pixel ”228” can be represented as , thus the 2-bit integer is . Then, convert , and into DNA symbol matrices with the encoding rules in the -th, -th, and -th row of Table 1, respectively. Let , and denote the corresponding conversion results. 3. c)
DNA Complement: for Red channel, obtain matrix via
[TABLE]
where
[TABLE]
For Green and Blue channels, they remain unchanged, i.e., , . 4. d)
DNA Diffusion: According to the DNA addition operation rules defined in Table 2, calculate
[TABLE]
for . 5. e)
DNA Decoding: first, assign for . Then, change DNA symbol matrices , , and into 2-bit integer matrices with the conversion rule in the -th, -th, and -th rows of Table 1, respectively. Accordingly, intermediate matrices , , and are produced. Finally, transform , , and into , , and , respectively. In these transforms, every four consecutive 2-bit integer elements are merged into one 8-bit integer with the inverse function of Eq. (9). 6. f)
Pixel Diffusion: considering every 2-D matrix as a 1-D sequence by scanning it in the raster order, produce matrices by calculating
[TABLE]
, denotes the bitwise exclusive OR operation, , , and .
- •
Decryption procedure: the decryption procedure is the inverse version of the above encryption procedure. The DNA subtraction rules are defined in Table 3.
3 Cryptanalysis of MPPS
To objectively evaluate the security performance of MPPS, its essential properties are first investigated. This is then used to underpin an efficient chosen-plaintext attack on it. Finally, the eight security performance metrics of MPPS are re-evaluated one by one.
3.1 Some essential properties of MPPS
To aid the subsequent theoretical analysis, some of the properties of MPPS and the DNA coding are analyzed.
First, a property of the differences between the ciphertexts generated by MPPS is introduced. The difference between two cipher-images and is defined as , where , , . Accordingly, the difference between intermediate images and is defined as , where , , .
Property 1
The differences , and are unrelated with the secret keys (and their equivalents); that is, (), (), and ().
Proof 1
By observing Eq. (13), one can get
[TABLE]
and then the property is proved.
Remark 1
Referring to Property 1 and its proof, one can decrypt the difference of cipher-images to obtain the difference of intermediate images even without any information on the secret or an equivalent key.
Let represent the DNA encoding defined in Table 1, where denotes a rule number; that is, . Accordingly, let denote decoding transformation, represents DNA complement transformation given in Eq. (11), where and denote a rule number.
To investigate the intrinsic properties of computing of DNA coding, two composite functions and are defined.
Property 2
If , then one has
[TABLE]
where and .
Proof 2
Given that , there is a DNA complement between and ; that is,
[TABLE]
By substituting the above result into Eq. (11), one can get
[TABLE]
By decoding and to obtain (or ) and , (or ), one has
[TABLE]
Hence, .
Property 3
Composite functions and are both bidirectional maps that are defined in domain . They only have eight and 16 different maps, respectively.
Proof 3
First, , and are all bidirectional maps that are defined in domain , so and are also fixed bidirectional maps. Considering the constraint of Eq. (16), one can enumerate that the possible numbers of and are and , respectively.
Property 4
Given a map , there are different versions of satisfying
[TABLE]
for any , where is a fixed value and , and , .
Proof 4
Referring to Eq. (16), one can get
[TABLE]
where , , and . Then, one has
[TABLE]
Given that and are two different maps, , namely .
Property 5
Given a map , there are different versions of map satisfying
[TABLE]
for any , where is a fixed value and , and , .
Proof 5
Referring to Eq. (16), there are two possible cases:
- •
when , ;
- •
when , .
Similar to the proof of Property 4, either case can be proven.
3.2 Cryptoanalyzing MPPS with a chosen-plaintext attack
Under the scenario of the chosen-plaintext attack, an attacker can disclose the equivalent secret key of MPPS with some chosen plaintexts. From encryption procedure a) in Sec. 2, one can see that the same permutation operation controlled by can be performed if is available; namely, is the equivalent counterpart of . In addition, , , , , and have the corresponding equivalent sub-keys, which are presented in Table 4.
To aid the subsequent analysis, a set of special plain-images is defined: , , , where and . Assume that the corresponding cipher-image set is . The plain-images are specially chosen to assure their permuted versions remain unchanged, namely , , . Thus, an attacker only needs to focus on the intermediate states from the permutated images to the cipher-images. Recalling the description of MPPS, the DNA coding and diffusion operations after the permutation process are executed in the Red, Green, and Blue channels, separately. To disclose the sub-key corresponding to each channel, a divide-and-conquer (DAC) strategy is adopted in the further cryptanalysis.
3.2.1 Cracking encryption operations in the Red channel
By observing the change rule of the data in the red channel during the whole encryption process, one can reveal the equivalent sub-keys , , , and . Choose two special images , from image set satisfying , and ; that is, images and ; or and . Obviously, there are possible image pairs satisfying the constraint. As discussed earlier, the permutated versions are and . Now, only the Red channel of the permuted images—that is, and —is left. To describe the subsequent encryption process, take and its -th pixel of value as an example. Using Eq. (9), pixel is encoded with four DNA codes:
[TABLE]
where . Then, the earlier four DNA codes are complemented via Eq. (10) and Eq. (11), namely
[TABLE]
where , , , and . Referring to the DNA diffusion in Eq. (12), one can see that the Red channel remains unchanged. Thus, the four DNA codes in Eq. (22) can be decoded as
[TABLE]
Similarly, by substituting the -th pixel of value in the image into Eqs. (21), (22), and (23), one can get
[TABLE]
Given that and , one has
[TABLE]
from Property 2 and Eq. (16), where . This deduction is a forward analysis of two images and . A backward analysis on them can then be considered by calculating the difference on the red channel of the corresponding cipher-images: . Referring to Property 1 and Remark 1, one can reversibly recover from . Consequently, every 2-bit integer in is accessible to the attacker, and binary sequence can be recovered via Eq. (25).
The next task is to obtain , , and . Because the number of possible combination of and is only , they can be exhaustively searched and verified with the method illustrated in Algorithm 1. In the process of verifying the candidate keys, only four pairs of special plain-image and the corresponding cipher-images are needed: , and , which correspond to four different plain pixels , , , and , respectively. This is attributed to the fact that functions and only have four different inputs; that is, . Based on such analysis, it could also be four other plain-image, for example, and their pixel values correspond to , , and respectively. In addition, from Eq. (13), one can decrypt the red channel of cipher-image , , to obtain the intermediate image by
[TABLE]
In general, the main idea of Algorithm 1 is that if and are both guessed correctly. Then, candidate sequences obtained from multiple pairs of plain-images and the corresponding cipher-images are consistent.
Multiple groups of candidate sub-keys , are outputted by running Algorithm 1. It is further found that any original sub-key , has 16 sets of possible results via a number of experiments (for more detail see Table 5).
The underlying reasons can be divided into the following two cases:
- •
Different DNA encoding and decoding rules may have the same DNA mapping and encryption effect. Referring to Property 3, although there are 64 combinations of and , and have only 8 and 16 different cases, respectively. Consequently, different parameter pairs and still generate the same transformation effect for the DNA mapping. Furthermore, if the corresponding keystream has the same value, then the corresponding encryption results are the same. Such cases can be found in Table 5, such as and .
- •
Different DNA mappings may have the same encryption effect. From Properties 4 and 5, there are two different DNA mappings that generate the same encryption effect. So does . Assuming that one CEK-R (the Red channel) is , there is another one , where . Such cases can also be found in Table 5; that is, and .
Note that because the three color channels are not completely independent (See Eq. (12)), the 16 CEK-Rs that are obtained here are not the final attacking result.
3.2.2 Cracking encryption operations in the Green channel and the Blue channel
This subsection discusses how to attack the encryption operations in the Green channel and the Blue channel, which are also used to confirm the attacking results for the Red channel further.
First, from Eq. (13), one has
[TABLE]
where , . This suggests that one can decrypt the data in the two channels of cipher-image and into the intermediate images , and , respectively. As for the attacking in the Green channel, a similar search method as Algorithm 1 is performed with the same four plain-images and the corresponding cipher-images. However, one point is different: the case in the Green channel is not completely independent. As shown in Eqs. (9), (10), (11), and (12), this is related to DNA encoding (sub-key ) and DNA complement (key ) of the red channel. So, it needs to exhaustively search times for the Green channel. Finally, one can obtain some candidate equivalent sub-keys for the Green channel (CEK-Gs), .
As for the blue channel, the attacking method is also very similar. The size of search space here is . The output is some candidate equivalent sub-keys for the blue channel (CEK-Bs) .
Among these three output results, CEK-Rs, CEK-Gs, and CEK-Bs, or appear twice, but CEK-Rs and CEK-Gs are not exactly the same, and so do CEK-Gs and CEK-Bs. If an element appears in the two candidate sets at the same time, then it is an optional key and reserved; otherwise, it is a wrong key and removed. An illustrating example can be found in Sec. 3.3.
3.2.3 Revealing the permutation sub-key
Up to now, the equivalent sub-keys shown in Table 4 are all known except for the permutation index . So, one can recover the permuted image from a cipher-image . Additionally, the corresponding plain-image is accessible for the attacker under the scenario of a chosen-plaintext attack. In this process, MPPS is degenerated to a position permutation-only encryption scheme, whose security performance has been studied in depth in [22, 21]. Using the sub-optimal attacking method based on multi-branch tree proposed in [22], it only needs to select special plain-images to attack the position permutation part of MPPS, where function returns the smallest possible integer value which is greater than or equal to the argument . In all, the whole equivalent secret key of MPPS can be successfully recovered with only chosen plain-images and the corresponding cipher-images.
3.3 Attacking process and simulation results
To verify the performance of the proposed chosen-plaintext attack, a large number of experiments were performed with some random secret keys. To facilitate an illustration with the limited presentation size, the RGB colour images of size (i.e., ) are used. In the following simulation, the initial iterations of CLS map and CTS map are both set as , and the six original sub-keys of MPPS are as listed in the second column of Table 7. Accordingly, the equivalent sub-key corresponding to each original key is calculated by the initialization procedure of MPPS.
As shown in Fig. 2, two groups of special plain-images were constructed to obtain all of the equivalent keys of MPPS. The first group of four special plain-images and the corresponding cipher-images are given here:
[TABLE]
First, referring to Eqs. (26), (27), the above cipher-images can be partially decrypt without keys, that is,
[TABLE]
where , and . Then, calculate the difference . By using Eq. (25), one can determine the binary sequence
[TABLE]
By adopting Algorithm 1 with and the aforementioned four pairs of plain-images and the corresponding cipher-images, one can obtain a candidate for the equivalent sub-key set of . Similarly, the counterparts for the Green and Blue channels can be produced; namely, the candidates for the equivalent sub-key sets of and , where and . Let represent the different keystream , , . Table 6 shows the whole test results obtained by running the attack algorithms on the three channels separately, where the red number signals that appears in both columns. However, they need to be confirmed further by checking the consistency. For example, one can get as they do not appear in the first two columns. By excluding the results, one can obtain the correct equivalent sub-key set of MPPS, which is marked in red in Table 6. Meanwhile, another group of images are chosen to obtain the permutation index , which includes only one (i.e. ) plain-image chosen. For example, one can select the following special plain-image and obtain the corresponding cipher-image:
[TABLE]
An attacker can decrypt cipher-image step-by-step with a decryption key, which is selected from the correct sets in Table 6, such as , , and , . The concrete decryption process includes the following two steps:
- a)
By using the inverse of Eqs. (26), (27) with the decryption sub-keys , , , one can decrypt cipher-image into an image . 2. b)
By adopting DNA coding, subtraction (the inverse of Eq. (12)), complement (the inverse of Eqs. (10), (11), and DNA decoding with the decryption sub-keys , one can get a scrambled image , .
Finally, by comparing the position of every pixel in with that of the same gray value in , one can determine a permutation index In all, by selecting plain-images, one can first uniquely determine the equivalent sub-keys and , which agree with Table 7. In addition, there are eight possible values of in the table. If is one of them (fixed value), then there are eight possible values of . Similarly, there are eight possible values of when is a fixed value. Therefore, there are sets of equivalent secret keys in total and one of them exists in Table 7.
To further demonstrate the effectiveness of the proposed attack, a number of simulations on some RGB colour image of size are conducted with the same original key that was used in the previous example. Referring to the attack framework in Fig. 2, the equivalent sub-keys , , , and can be obtained according to four special plain-cipher image pairs , , and , which are described in Fig. 4 and Fig. 5. Then, selecting special images by the attack method mentioned in Sec. 3.2.3 to reveal the equivalent permutation key . After obtaining all of these sub-keys, one can recover any encrypted image. Figure 6 shows the process of decrypting two cipher-images, which indicates that the proposed attacks are effective.
3.4 Evaluation of other attack analyses
In [32, Sec. IV], the performance of MPPS was analyzed from eight aspects. Here, their credibilities are re-evaluated one by one as follows.
- •
Keyspace: the statement “it can be evident that the coupled chaotic map achieves amplified chaotic range in the entire region of [0, 4]” in [32] is questionable. The size of each sub-figure in [32, Fig. 1] is about 0.9 inch by 0.9 inch. Assume that the adopted dots per inch (dpi) is 200, then the number of the printed dots is only about 32,400. Observing [32, Fig. 1], one can see that the distribution is not uniform. Meanwhile, the effective keyspace of MPPS is far overestimated, due to the following four types of equivalent or weak keys in MPPS:
- –
Equivalent keys type I (coupled chaotic maps): since the symmetry of the initial values of CLS (Eq. (1)) or CLT (Eq. (3)); that is, or , where and . In this case, the effective keyspace of MPPS is reduced to (i.e., ) of the claimed size.
- –
Equivalent keys type II (DNA coding rules): given that there are three kinds of DNA encoding or decoding rules (corresponding sub-key ) in three color channels, the effective keyspace of is only and is not (), as was claimed in [32]. Considering DNA encoding properties (Property 2, Property 3), there are many equivalent keys in Table 6, and the effective keyspace of is further reduced to .
- –
Weak keys type I (coupled chaotic maps): The initial values or are the fixed points of CCS or CLT; that is, , and . Then, one can conclude that there are about weak keys (i.e., ineffective keys) in this case.
- –
Weak keys type II (DNA coding rules): When the DNA encoding and decoding rules are the same (i.e., ), the DNA transformations have no any encryption effect, where and . Thus, MPPS has weak keys.
The influence of the invalid key items on real key space are summarized in Table 8, where the keyspace of MPPS is estimated to be approximately . As for the equivalent keys type II, the real key space of is , so the whole cryptosystem is . Considering the influence of the four factors in Table 8, the actual key space can be estimated as .
- •
Key sensitivity: As analyzed in [21, 20, 31], there are many equivalent secret keys due to the dynamics degradation of the chaotic system in a finite-precision computer. As shown in Fig. 7, 3, one can see that many initial states evolve into the same orbit after some iterations of the involved map. Similar to digitized Logistic map and Tent map analyzed in [24], the degradation patterns of CLS map and CLT map are similar (regardless of the implementation precision and quantization schemes). Due to the presentation limitation, the SMNs of the two analyzed coupled maps under four small precision are given in Fig. 8 and Fig. 9, respectively. Recalling Sec. 2, the initial states are discarded to avoid the so-called “transient effect”, which makes the key insensitivity problem become more severe.
- •
Statistical attack: Statistical tests, such as histogram, entropy and correlation coefficient analysis can only provide a necessary but not sufficient test for security evaluation. In other words, passing such tests cannot verify that the involved schemes are secure against various attacks [20, 31].
As shown in [31], several counterexamples are constructed to demonstrate that an obviously insecure encryption scheme can still perform well or can pass the aforementioned tests. In [20], a counterexample of image histogram analysis is given. These are enough to show that statistical tests cannot be used as the decisive criteria for evaluating the security performance of an encryption scheme.
- •
Differential attack: In [32], it is claimed that “the value of NPCR and UACI of the cipher images are nearer to the ideal value (NPCR ) (UACI )”, thus “this evidences the ability of suggested algorithm to tolerate differential attacks”. In fact, similar to the analysis of the statistical attack, this conclusion is highly questionable because NPCR and UACI evaluations are essentially statistical analysis. In fact, the diffusion rules (Eq. (13)) of MPPS are vulnerable to differential attack. According to Property 1, any difference between cipher-images is unrelated to the sub-keys , , and , which means that the effective key length is reduced by half.
- •
Chosen-plaintext attack: One specific relationship between plain-image and the corresponding cipher-image is almost unrelated with the capability of an encryption scheme against a chosen-plaintext attack. In [32, Sec. 4.5], the criteria to determine whether to resist a plaintext attack is invalid. As a counter-example, a permutation-only encryption scheme is obviously a very weak against the chosen-plaintext attack, whereas the criteria provided by [32, Sec. 4.5] leads to an opposite conclusion.
- •
Cropping Attack: If the encryption process is unrelated to the plain-image, then any encryption scheme is robust against cropping attack. Actually, the ability against cropping attacks is contradictory to the good sensitivity of ciphertext on the change of plaintext. In [32, Fig. 8], the difference between the two decrypted images is very close, which means the sensitivity of cipher-image on change of plain-image is weak. In other words, these experiments show that MPPS has security flaws rather than superiority.
- •
Performance comparison: As emphasized in [24], any encryption scheme should target a specific application scenario; otherwise, the balancing point among usability, security and efficiency is obscure. Meanwhile, in [32, Table 11], most of the performance comparisons use statistical analysis, which hardly supports the view that the proposed scheme is superior to the other similar chaos-based encryption schemes.
3.5 Other defects
- •
Practical consideration: In [32, Sec. III], it is stated that “selection of a region of interest and region of non-interest is solely left to the user under the recommended physician”. Besides, MPPS “requires the user’s feed that specifies the number of rounds of operation”. Consequently, it requires professional training for ordinary users.
- •
Efficiency: As analyzed in [20], conversion functions (4), (6) waste much computation on the discarded bits. To generate a sequence of length six , states are wasted. Moreover, it is questionable that DNA encoding and decoding can improve the efficiency of an encryption scheme. As shown in Fig. 1, the DNA coding region (namely DNA encoding, complement, diffusion, and decoding processes) of MPPS can implement large-scale parallel computing on all two bits of image pixels. However, various DNA computation processes can be regarded as a series of S-box operations that are defined in domain . As summarized in Property 3, the DNA encoding and decoding process in the Red plane can be seen as S-boxes, whose selection is determined by the encoding and decoding rules (key ()) and a binary random number (key ()); that is, when , ; otherwise, . In other words, DNA codec (bits-to-codes or codes-to-bits mapping) operations consume a large amount of time, as the authors claimed that “the time complexity in pixel transformation and DNA encoding and decoding are ” and “the time complexity for performing DNA addition is ”, but contribute nothing to the real security performance of MPPS.
4 Conclusion
This paper has re-analyzed the theoretical security and practical performance of a medical privacy protection scheme based on DNA encoding and chaotic maps. Some interesting properties of DNA encoding are found and the scheme was rigorously proven to be insecure against the chosen-plaintext attack. Detailed experimental results were provided to show more security defects, including the existence of a large number of weak secret keys, weak key sensitivity, low efficiency, and bad usability. The DNA-based encryption scheme that was analyzed is very important for promoting interdisciplinary research on application of DNA computing in cryptography, as follows: a) Build a precise mathematical model for DNA-related operations; b) Disclose the intrinsic relationship between DNA encoding and cryptographic primitives; c) Establish a general cryptoanalyzing framework of the DNA-based encryption algorithms. On the other hand, to resist the proposed attacks, some security enhancement mechanisms of such schemes are worthy of future research, such as adding nonlinear modules (e.g., S-box), or designing DNA encoding and decoding modules without key control.
Acknowledgement
This work was supported by the National Natural Science Foundation of China (no. 61772447), and the China Postdoctoral Science Foundation (no. 2019M660511).
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Acharya et al. [2001] Acharya, U. R., Acharya, D., Bhat, P. S., & Niranjan, U. (2001). Compact storage of medical images with patient information. IEEE Transactions on Information Technology in Biomedicine , 5 , 320–323. doi: 10.1109/4233.966107 . · doi ↗
- 2Adleman [1994] Adleman, L. M. (1994). Molecular computation of solutions to combinatorial problems. Science , (pp. 1021–1024).
- 3Akhavan et al. [2017] Akhavan, A., Samsudin, A., & Akhshani, A. (2017). Cryptanalysis of an image encryption algorithm based on DNA encoding. Optics and Laser Technology , 95 , 94–99. doi: 10.1016/j.optlastec.2017.04.022 . · doi ↗
- 4Alvarez & Li [2006] Alvarez, G., & Li, S. (2006). Some basic cryptographic requirements for chaos-based cryptosystems. International Journal of Bifurcation and Chaos , 16 , 2129–2151. doi: 10.1142/S 0218127406015970 . · doi ↗
- 5Belazi et al. [2014] Belazi, A., Hermassi, H., Rhouma, R., & Belghith, S. (2014). Algebraic analysis of a RGB image encryption algorithm based on RGB encoding and chaotic map. Nonlinear Dynamics , 76 , 1989–2004. doi: 10.1007/s 11071-014-1263-y . · doi ↗
- 6Braich et al. [2002] Braich, R. S., Chelyapov, N., Johnson, C., Rothemund, P. W., & Adleman, L. (2002). Solution of a 20-variable 3-sat problem on a DNA computer. Science , 296 , 499–502.
- 7Chen et al. [2020] Chen, J., Chen, L., & Zhou, Y. (2020). Cryptanalysis of a DNA-based image encryption scheme. Information Sciences , 520 , 130–141. doi: 10.1016/j.ins.2020.02.024 . · doi ↗
- 8Chen et al. [2018 a] Chen, J., Han, F., Qian, W., Yao, Y.-D., & Zhu, Z.-l. (2018 a). Cryptanalysis and improvement in an image encryption scheme using combination of the 1d chaotic map. Nonlinear Dynamics , 93 , 2399–2413. doi: 10.1007/s 11071-018-4332-9 . · doi ↗
