**1. Introduction**

Nowadays, with the rapid development of optical fiber broadband access networks, 5G and other communication technologies, the security of multimedia data, especially digital images, is of particular interest in communication networks [1]. Encryption is an effective means of achieving security enhancements [2]. However, traditional text encryption algorithms such as AES, DES, and IDEA are not suitable for digital images because such images feature strong correlation between adjacent pixels. To deal with the problem, various methodologies have been introduced to design different image ciphers. Among them, chaos-based image encryption is the most popular one, because chaos has the characteristics of sensitivity to initial values, dense periodic points, and long-term unpredictability of orbits [3–5]. In the past two decades, chaotic image encryption technology has been widely discussed and has become a research hotspot [6]. To improve the security performance of chaotic image encryption technology, various chaotic systems with resistance to dynamic degradation have been studied, including quantum chaotic maps [7], fractional-order chaos [8], non-degenerated hyperchaos [9], economic chaotic maps [10], and cascaded chaotic systems [11]. However, chaotic cryptography still lacks authoritative metrics, especially in terms of security. Accordingly, many reported chaotic encryption algorithms have been broken [12–15]. As shown in Table 1, some previous chaos-based ciphers are vulnerable to various attack methods, including chosen-ciphertext attack [16], chosen-/known-plaintext attack [12], differential cryptanalysis [17], and even cipher-only attack [18]. Therefore, research on security is extremely important and has received much attention [19–33].

**Citation:** Wen, H.; Zhang, C.; Huang, L.; Ke, J.; Xiong, D. Security Analysis of a Color Image Encryption Algorithm Using a Fractional-Order Chaos. *Entropy* **2021**, *23*, 258. https://doi.org/10.3390/e23020258

Academic Editor: Amelia Carolina Sparavigna

Received: 1 February 2021 Accepted: 13 February 2021 Published: 23 February 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

**Table 1.** Some chaos-based ciphers broken by various attack methods.


As described in Ref. [39], fractional-order chaotic systems have higher complexity and more optional key parameters and can be used as a competitive encryption scheme. Correspondingly, image encryption algorithms based on fractional-order chaotic systems have attracted the attention of researchers in recent years [35,40–42]. In 2013, Wang et al. [40] introduced fractional-order chaos into image encryption for the first time, and gave some experiments to verify its performance. Since then, many image encryption schemes based on fractional-order chaotic systems have been proposed [35,41,42]. For example, in 2017, Zhang et al. [41] proposed a color image encryption scheme combining a fractional-order hyperchaotic system with DNA encoding. Yet, cryptanalysts have reported that some fractional-order chaotic image encryption algorithms have fatal security issues. Specifically, Norouzi et al. [36] pointed out that the image cipher proposed in [35], which uses an improper fractional-order chaotic system, was insecure. As far as we know, there are still few research studies concerning cryptanalysis of ciphers based on fractional-order chaotic systems. Moreover, considering that each cryptosystem has its intrinsic characteristics, it is necessary and urgent to perform cryptanalysis on these existing ciphers.

In 2015, a color image encryption algorithm based on a fractional-order hyperchaotic system was proposed [42]. In the color image encryption algorithm using a fractional-order hyperchaotic system (CIEA-FOHS), RGB-inter permutation, RGB-intra permutation and pixel diffusion are successively performed, using the pseudo-random sequences generated by the fractional-order hyperchaotic system, to get cipher images from plain images. Meanwhile, pixel correlation, histogram and other experimental analyses are given to verify its security performance. However, from the perspective of cryptanalysis, we found some security defects as follows:


Based on the three points, CIEA-FOHS cannot resist a chosen-plaintext attack method with the divide-and-conquer strategy. More specifically, under the scenario of chosen-plaintext attack, first an equivalent diffusion key is obtained, then an equivalent permutation key is obtained, and finally the original images can be restored from the encrypted images with the equivalent keys.

#### **2. The Encryption Algorithm under Study**

In this section, the fractional-order hyperchaotic system used in Reference [42] is presented, and then the specific steps of CIEA-FOHS are introduced.

#### *2.1. Fractional-Order Hyperchaotic System*

The fractional-order hyperchaotic system used in CIEA-FOHS is derived from Ref. [39], given as

$$\begin{cases} D_t^\alpha x(t) = -z - w \\ D_t^\alpha y(t) = 2y + z \\ D_t^\alpha z(t) = 14x - 14y \\ D_t^\alpha w(t) = 100(x - g(w)) \end{cases} \tag{1}$$

where *x*, *y*, *z*, *w* are the four state variables, *g*(*w*) = *w* − (|*w* − 0.4| − |*w* − 0.8| − |*w* + 0.4| − |*w* + 0.8|), $D_t^\alpha$ is the fractional derivative under the definition of Caputo and *α* is the derivative order. The attractor of the fractional-order hyperchaotic system is shown in Figure 1.

**Figure 1.** Attractor phase diagrams of the fractional-order hyperchaotic system with different variables: (**a**) (*x*, *y*, *z*); (**b**) (*x*, *y*, *w*); (**c**) (*x*, *z*, *w*); (**d**) (*y*, *z*, *w*).

#### *2.2. Description of CIEA-FOHS*

As shown in Figure 2, CIEA-FOHS consists of three main parts: inter-permutation, intra-permutation and pixel diffusion. Note that a two-dimensional image is transformed into a one-dimensional sequence in raster scan order. Specifically, a color plain image *I* of size *H* × *W* × 3 is converted into three sequences of length *H* × *W*, expressed as *IR*, *IG*, and *IB*, which correspond to the three RGB channels of the image. The main contents are briefly introduced as follows:

**Figure 2.** The block diagram of CIEA-FOHS.

• The Secret Key:

The secret keys of CIEA-FOHS include ($t_f$, *α*, *h*, $x_0$, $y_0$, $z_0$, $w_0$), where $t_f$ is the fractional derivative defined by Caputo definition, *α* is the dimension, *h* is the step size for discretization, and ($x_0$, $y_0$, $z_0$, $w_0$) are the four initial values of the fractional-order hyperchaotic system defined in Equation (1), respectively. In CIEA-FOHS, these keys are used to generate some chaos-based pseudo-random sequences for encryption [42].

• Initialization:

In Equation (1), by selecting the secret key as the initial values and parameters and iterating *L* times, one gets four chaos-based pseudo-random sequences $\{x_i\}_{i=1}^{L}$, $\{y_i\}_{i=1}^{L}$, $\{z_i\}_{i=1}^{L}$ and $\{w_i\}_{i=1}^{L}$, where *L* = *H* × *W* represents the number of pixels in a single image channel.

• Stage 1. RGB-inter permutation:

The RGB-inter permutation refers to the process of pixel replacement between channels. This stage is implemented by two control vectors $\{selE_i\}_{i=1}^{L}$ and $\{selLen_i\}_{i=1}^{L}$, which are given as

$$\begin{cases} selE_i = (|x_i| \times 10^{14}) \bmod 6 \\ selLen_i = (|z_i| \times 10^{14}) \bmod 3 \end{cases} \tag{2}$$

where *i* = 1 ∼ *L*. More specifically, $\{selE_i\}_{i=1}^{L}$ is used to switch channels, as shown in Table 2, and $\{selLen_i\}_{i=1}^{L}$ is used to control the position and length of the permutation pixels, given as


$$\begin{cases} length = (sum(ER(pos : pos + length - 1)) \bmod 64), & \text{if } selLen_i = 0 \\ length = (sum(EG(pos : pos + length - 1)) \bmod 64), & \text{if } selLen_i = 1 \\ length = (sum(EB(pos : pos + length - 1)) \bmod 64), & \text{if } selLen_i = 2 \end{cases} \tag{3}$$

where *pos* is the starting position, *length* is the length of the permutation pixels, and *sum* is the cumulative function.

**Table 2.** The status of RGB-inter permutation under six rules.

• Stage 2. RGB-intra permutation:

Sort $\{y_i\}_{i=1}^{L}$, $\{z_i\}_{i=1}^{L}$, and $\{w_i\}_{i=1}^{L}$ to get three index sequences $\{IY_i\}_{i=1}^{L}$, $\{IZ_i\}_{i=1}^{L}$, and $\{IW_i\}_{i=1}^{L}$ respectively, whose values range over [1, *L*]. Use $\{IY_i\}_{i=1}^{L}$, $\{IZ_i\}_{i=1}^{L}$, and $\{IW_i\}_{i=1}^{L}$ to permute *ER*, *EG* and *EB* respectively, given as $ER_i = ER(IY_i)$, $EG_i = EG(IZ_i)$ and $EB_i = EB(IW_i)$.

• Stage 3. Pixel diffusion: Perform pixel diffusion on *ER*, *EG* and *EB*, and then get the three channels of the cipher image *C*. Specifically, the three channels *CR*, *CG* and *CB* are defined as

$$\begin{cases} CR_i = SX_i \oplus \left( (ER_i + SX_i) \bmod 256 \right) \oplus CR_{i-1} \\ CG_i = SY_i \oplus \left( (EG_i + SY_i) \bmod 256 \right) \oplus CG_{i-1} \\ CB_i = SZ_i \oplus \left( (EB_i + SZ_i) \bmod 256 \right) \oplus CB_{i-1} \end{cases} \tag{4}$$

where *i* = 1 ∼ *L*, ⊕ is the bitwise XOR operation, mod represents the modulo operation, and $CR_0 = SX_L$, $CG_0 = SY_L$, and $CB_0 = SZ_L$. Here, three diffusion sequences *SX*, *SY* and *SZ* are generated by $SX_i = round(x_i) \times 10^{14}$, $SY_i = round(y_i) \times 10^{14}$ and $SZ_i = round(z_i) \times 10^{14}$ respectively, where *round* is a rounding operation on real numbers.

Decryption is the inverse of encryption and is not described in detail here.

#### **3. Security Analysis of CIEA-FOHS**

#### *3.1. Preliminary Analysis of CIEA-FOHS*

Referring to the basic assumptions of cryptanalysis, everything about the cryptosystem is public and only the secret key is unknown for attackers [13]. Chosen-plaintext attack is a common and powerful method of cryptanalysis. It assumes that attackers can arbitrarily choose the plaintext that is conducive to deciphering and obtain the corresponding ciphertext [12]. Under the scenario of chosen-plaintext attack, attackers can construct special plain images, such as all black and all white, and obtain the corresponding cipher images to analyze the target cipher.

From the perspective of cryptanalysis, two-stage permutations of CIEA-FOHS can be treated as a global pixel permutation because they only change the pixels' position without their values. The difference is that the number of pixels performing the permutation is 3*HW* instead of *HW*. Then, the algorithm structure of CIEA-FOHS is actually a classic single-round permutation-diffusion. Moreover, the generation process of all chaos-based pseudo-random sequences is independent of the plain image, which means that these sequences can be regarded as an equivalent key. The reason is that, in the case of a given secret key, these sequences are fixed for encrypting different plain images with the same size. Then, CIEA-FOHS can be equivalently simplified as Figure 3, where *PM* is an equivalent permutation key and three diffusion sequences *SX*, *SY* and *SZ* serve as an equivalent diffusion key.

**Figure 3.** The block diagram of an equivalent simplified CIEA-FOHS.

Based on the above, under the scenario of chosen-plaintext attack and the strategy of divide and conquer, one can get the equivalent keys and then recover the original plain images. Specifically, first choose some plain images with the same pixel values to cancel the permutation and get the corresponding cipher images to obtain the diffusion key; then obtain the permutation key by the method of Reference [12]; finally, recover the images with the equivalent keys.

#### *3.2. Analysis on the Diffusion Part*

In this section, based on chosen-plaintext attack, it is assumed that plain images whose pixels all have the same value are selected, and the corresponding cipher images are obtained.

• *Step 1.* Choose the all-zero plain image $I^{(0)}$ and get the corresponding cipher image $C^{(0)}$ to determine $SX_L$, $SY_L$, $SZ_L$.

The reason for choosing the all-zero image is that the permutation has no effect in this case, and the diffusion can be eliminated to the greatest extent. Then, Equation (4) becomes

$$\begin{cases} CR_i^{(0)} = CR_{i-1}^{(0)} \\ CG_i^{(0)} = CG_{i-1}^{(0)} \\ CB_i^{(0)} = CB_{i-1}^{(0)} \end{cases} \tag{5}$$

When *i* = 1, one has $CR_1^{(0)} = CR_0$. Since $CR_0 = SX_L$, one has $SX_L = CR_i^{(0)}$. Similarly, one further gets $SY_L = CG_i^{(0)}$ and $SZ_L = CB_i^{(0)}$.

• *Step 2.* Choose two special plain images and get the corresponding cipher images to determine $SX_i$, $SY_i$, $SZ_i$ for *i* = 1 ∼ *L* − 1.

Referring to [43,44], the two chosen plaintexts are pure-color images with pixel values of 85 and 170, represented as $I^{(85)}$ and $I^{(170)}$, respectively, because for the combined operation of modular addition and bitwise XOR, choosing these two plain images minimizes the number of solutions for *SX*, *SY*, *SZ*. Under the plain image $I^{(85)}$ and its corresponding cipher image $C^{(85)}$, one gets

$$\begin{cases} CR_i^{(85)} = SX_i \oplus \left( (85 + SX_i) \bmod 256 \right) \oplus CR_{i-1}^{(85)} \\ CG_i^{(85)} = SY_i \oplus \left( (85 + SY_i) \bmod 256 \right) \oplus CG_{i-1}^{(85)} \\ CB_i^{(85)} = SZ_i \oplus \left( (85 + SZ_i) \bmod 256 \right) \oplus CB_{i-1}^{(85)} \end{cases} \tag{6}$$

Similarly, given the plain image $I^{(170)}$ and its corresponding cipher image $C^{(170)}$, one has

$$\begin{cases} CR_i^{(170)} = SX_i \oplus \left( (170 + SX_i) \bmod 256 \right) \oplus CR_{i-1}^{(170)} \\ CG_i^{(170)} = SY_i \oplus \left( (170 + SY_i) \bmod 256 \right) \oplus CG_{i-1}^{(170)} \\ CB_i^{(170)} = SZ_i \oplus \left( (170 + SZ_i) \bmod 256 \right) \oplus CB_{i-1}^{(170)} \end{cases} \tag{7}$$

By performing bitwise XOR on Equations (6) and (7), one further gets

$$\begin{cases} (85 \dot{+} SX_i) \oplus (170 \dot{+} SX_i) = CR_i^{(85)} \oplus CR_{i-1}^{(85)} \oplus CR_i^{(170)} \oplus CR_{i-1}^{(170)} \\ (85 \dot{+} SY_i) \oplus (170 \dot{+} SY_i) = CG_i^{(85)} \oplus CG_{i-1}^{(85)} \oplus CG_i^{(170)} \oplus CG_{i-1}^{(170)} \\ (85 \dot{+} SZ_i) \oplus (170 \dot{+} SZ_i) = CB_i^{(85)} \oplus CB_{i-1}^{(85)} \oplus CB_i^{(170)} \oplus CB_{i-1}^{(170)} \end{cases} \tag{8}$$

where $\dot{+}$ is defined as $a \dot{+} b \triangleq \operatorname{mod}(a + b, 256)$. It is worth pointing out that the reason why 85 and 170 are chosen as the attack images is that their binary representations are 01010101 and 10101010, respectively. In this case, the number of possible solutions of $SX_i$, $SY_i$, $SZ_i$ is the smallest, which is two. More precisely, the difference between the two solutions is 128. Then, based on Equation (8), we propose Algorithm 1 to determine $SX_i$, $SY_i$, $SZ_i$, where *i* = 1 ∼ *L* − 1.

• *Step 3.* Eliminate the diffusion part by *SX*, *SY*, *SZ*. Corresponding to Equation (4), the decryption process of diffusion is given as

$$\begin{cases} ER_i = (SX_i \oplus CR_i \oplus CR_{i-1} - SX_i) \bmod 256 \\ EG_i = (SY_i \oplus CG_i \oplus CG_{i-1} - SY_i) \bmod 256 \\ EB_i = (SZ_i \oplus CB_i \oplus CB_{i-1} - SZ_i) \bmod 256 \end{cases} \tag{9}$$

Thus, *ER*, *EG*, *EB* can be restored from *CR*, *CG*, *CB* with *SX*, *SY*, *SZ*, respectively.


```
Input: SX_L, SY_L, SZ_L, two chosen plain images I^(85) and I^(170), and their
       corresponding cipher images C^(85) and C^(170).
Output: SX_i, SY_i, SZ_i for i = 1 ∼ L − 1

i ← 1;
for x ← 0 to 255 do
    if (85 ∔ x) ⊕ (170 ∔ x) = CR^(85)_1 ⊕ CR^(170)_1 then
        SX_1 ← x;
    end
    if (85 ∔ x) ⊕ (170 ∔ x) = CG^(85)_1 ⊕ CG^(170)_1 then
        SY_1 ← x;
    end
    if (85 ∔ x) ⊕ (170 ∔ x) = CB^(85)_1 ⊕ CB^(170)_1 then
        SZ_1 ← x;
    end
end
for i ← 2 to L − 1 do
    for x ← 0 to 255 do
        if (85 ∔ x) ⊕ (170 ∔ x) = CR^(85)_i ⊕ CR^(85)_{i−1} ⊕ CR^(170)_i ⊕ CR^(170)_{i−1} then
            SX_i ← x;
        end
        if (85 ∔ x) ⊕ (170 ∔ x) = CG^(85)_i ⊕ CG^(85)_{i−1} ⊕ CG^(170)_i ⊕ CG^(170)_{i−1} then
            SY_i ← x;
        end
        if (85 ∔ x) ⊕ (170 ∔ x) = CB^(85)_i ⊕ CB^(85)_{i−1} ⊕ CB^(170)_i ⊕ CB^(170)_{i−1} then
            SZ_i ← x;
        end
    end
end
return SX_i, SY_i, SZ_i for i = 1 ∼ L − 1
```
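
Steps 1 to 3 and Algorithm 1 as an added Python example (not the paper's code): `ToyCipher` is a constructed stand-in for the simplified model of Figure 3, with key streams drawn from `random.Random` instead of the chaotic system, which is an assumption that only relies on the streams being independent of the plaintext. The solver tests each candidate against Equations (6) and (7) separately rather than against their XOR in Equation (8), because the combined relation alone can admit extra candidates (x = 1, 127, 129 and 255 all give 253), while the two separate relations always leave exactly the pair x and x + 128.

```python
import random


def diffuse(e, s):
    """Equation (4) for one channel, with C_0 = S_L."""
    out, prev = [], s[-1]
    for e_i, s_i in zip(e, s):
        prev = s_i ^ ((e_i + s_i) % 256) ^ prev
        out.append(prev)
    return out


def undiffuse(c, s, c0):
    """Equation (9): E_i = ((S_i ^ C_i ^ C_{i-1}) - S_i) mod 256."""
    out, prev = [], c0
    for c_i, s_i in zip(c, s):
        out.append(((s_i ^ c_i ^ prev) - s_i) % 256)
        prev = c_i
    return out


class ToyCipher:
    """Constructed stand-in for Figure 3: one secret permutation over all 3L
    pixels, then per-channel diffusion. Keys are drawn from random.Random,
    not from the fractional-order system (assumption of this example)."""

    def __init__(self, length, seed):
        rng = random.Random(seed)
        self.length = length
        self.perm = list(range(3 * length))
        rng.shuffle(self.perm)
        self.keys = [[rng.randrange(256) for _ in range(length)] for _ in range(3)]

    def permute(self, channels):
        flat = [p for ch in channels for p in ch]
        mixed = [flat[j] for j in self.perm]
        n = self.length
        return [mixed[k * n:(k + 1) * n] for k in range(3)]

    def encrypt(self, channels):
        return [diffuse(e, s) for e, s in zip(self.permute(channels), self.keys)]


def eq8_candidates(rhs):
    """All x satisfying the combined relation of Equation (8) for one byte."""
    return [x for x in range(256) if ((85 + x) % 256) ^ ((170 + x) % 256) == rhs]


def solve_byte(d85, d170):
    """All x with x ^ ((85 + x) mod 256) == d85 and x ^ ((170 + x) mod 256) == d170,
    i.e. Equations (6) and (7) checked separately: always the pair {x, x + 128}."""
    return [x for x in range(256)
            if x ^ ((85 + x) % 256) == d85 and x ^ ((170 + x) % 256) == d170]


def recover_channel_key(c0, c85, c170):
    """Steps 1 and 2 for one channel; returns (S_L, equivalent key stream)."""
    s_last = c0[0]                      # all-zero image: C_i = C_0 = S_L
    key, p85, p170 = [], s_last, s_last
    for a, b in zip(c85, c170):
        key.append(min(solve_byte(a ^ p85, b ^ p170)))  # either candidate works
        p85, p170 = a, b
    return s_last, key


def recover_diffusion_keys(encrypt, length):
    """Chosen-plaintext queries with the constant images 0, 85 and 170."""
    def const(v):
        return [[v] * length for _ in range(3)]
    c0, c85, c170 = encrypt(const(0)), encrypt(const(85)), encrypt(const(170))
    return [recover_channel_key(c0[k], c85[k], c170[k]) for k in range(3)]


def strip_diffusion(cipher_image, recovered):
    """Step 3: undo diffusion, leaving the permuted image (ER, EG, EB)."""
    return [undiffuse(c, key, s_last)
            for c, (s_last, key) in zip(cipher_image, recovered)]


def demo(length=16, seed=2021):
    cipher = ToyCipher(length, seed)
    recovered = recover_diffusion_keys(cipher.encrypt, length)
    rng = random.Random(7)              # constructed target image
    target = [[rng.randrange(256) for _ in range(length)] for _ in range(3)]
    stripped = strip_diffusion(cipher.encrypt(target), recovered)
    return cipher, recovered, target, stripped


if __name__ == "__main__":
    cipher, recovered, target, stripped = demo()
    print("diffusion removed:", stripped == cipher.permute(target))
    print("Eq. (8) candidates for 253:", eq8_candidates(253))
```
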
#### *3.3. Analysis on the Permutation Part*

Once the diffusion part is broken, CIEA-FOHS degenerates into a permutation-only cipher. Based on existing research, it cannot resist a chosen-plaintext attack. The basic idea of attacking a permutation-only cipher is to construct a special plain image with unequal element values, and get the corresponding permuted image. Taking an image of size 2 × 2 × 3 as an example, the process of solving *PM* is described below. First, a chosen plain image and the corresponding permuted image are given as

$$I\mathbf{R} = \begin{bmatrix} 0 & 1 \\ 2 & 3 \end{bmatrix}; I\mathbf{G} = \begin{bmatrix} 4 & 5 \\ 6 & 7 \end{bmatrix}; I\mathbf{B} = \begin{bmatrix} 8 & 9 \\ 10 & 11 \end{bmatrix}$$

$$
\mathbf{ER} = \left[\begin{array}{cc} 5 & 8 \\ 3 & 11 \end{array}\right]; \mathbf{EG} = \left[\begin{array}{cc} 1 & 10 \\ 2 & 9 \end{array}\right]; \mathbf{EB} = \left[\begin{array}{cc} 6 & 4 \\ 0 & 7 \end{array}\right]
$$

For ease of explanation, a matrix of size *H* × 3*W* is obtained by connecting three channels of size *H* × *W* in a row connection manner. Then, the permutation process can be described by

$$
\begin{bmatrix} 0 & 1 & 4 & 5 & 8 & 9 \\ 2 & 3 & 6 & 7 & 10 & 11 \end{bmatrix} \xrightarrow{PM} \begin{bmatrix} 5 & 8 & 1 & 10 & 6 & 4 \\ 3 & 11 & 2 & 9 & 0 & 7 \end{bmatrix}
$$

where *PM* is the permutation matrix of size *H* × 3*W*. Finally, *PM* is determined as

$$\mathbf{PM} = \begin{bmatrix} (2,5) & (1,3) & (1,6) & (1,1) & (1,2) & (2,4) \\ (2,3) & (2,1) & (1,5) & (2,6) & (1,4) & (2,2) \end{bmatrix} \tag{10}$$

Obviously, one can recover (*IR*, *IG*, *IB*) from (*ER*, *EG*, *EB*) with *PM*. However, the situation may be more complicated for large size images. For an 8-bit image, the pixel value range is [0, 255]. Thus, when 3*HW* > 256, *PM* cannot be determined by only one chosen plain image and its corresponding cipher image. Fortunately, this problem has been solved in our latest research [12,13]. The basic idea is to combine multiple chosen plain images in a weighted manner to form a matrix with different elements, and the number of chosen plain images required for attacking permutation is $\lceil \log_{256}(3HW) \rceil$, where $\lceil \cdot \rceil$ is the rounding up operation.
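
One way to realize the weighted combination of chosen images described above, as an added Python example that is not the paper's code: the base-256 digit layout of the chosen images and all function names are assumptions of this example, and the oracle is a constructed permutation-only cipher (diffusion already removed). `paper_example_pm` rebuilds Equation (10) from the 2 × 2 × 3 pair given above.

```python
import random


def images_needed(n_pixels):
    """ceil(log_256(n_pixels)), computed with integers to avoid float error."""
    count, span = 0, 1
    while span < n_pixels:
        span *= 256
        count += 1
    return count


def chosen_images(n_pixels):
    """Image d carries the d-th base-256 digit of every pixel's own index, so
    the digits at one position, weighted by 256**d, form a unique label."""
    return [[(j >> (8 * d)) & 0xFF for j in range(n_pixels)]
            for d in range(images_needed(n_pixels))]


def destinations(plain_labels, permuted_labels):
    """dest[j] = position in the permuted image where plain pixel j landed."""
    where = {label: t for t, label in enumerate(permuted_labels)}
    if len(where) != len(permuted_labels):
        raise ValueError("labels are not distinct; more chosen images needed")
    return [where[label] for label in plain_labels]


def recover_permutation(permute, n_pixels):
    """permute(flat_image) -> flat permuted image (diffusion already removed)."""
    outputs = [permute(img) for img in chosen_images(n_pixels)]
    # Recombine the permuted digit images into one label per output position.
    labels = [sum(out[t] << (8 * d) for d, out in enumerate(outputs))
              for t in range(n_pixels)]
    return destinations(range(n_pixels), labels)


def unpermute(permuted, dest):
    """Put every pixel back: plain[j] is found at permuted[dest[j]]."""
    return [permuted[t] for t in dest]


def paper_example_pm():
    """The 2 x 2 x 3 example above, channels joined into an H x 3W matrix."""
    plain = [0, 1, 4, 5, 8, 9, 2, 3, 6, 7, 10, 11]
    permuted = [5, 8, 1, 10, 6, 4, 3, 11, 2, 9, 0, 7]
    width = 6
    cells = [(t // width + 1, t % width + 1)      # 1-based (row, column)
             for t in destinations(plain, permuted)]
    return [cells[:width], cells[width:]]


def demo(height=100, width=100, seed=42):
    n = 3 * height * width
    rng = random.Random(seed)
    secret = list(range(n))                       # constructed secret permutation
    rng.shuffle(secret)

    def permute(flat):
        return [flat[j] for j in secret]

    dest = recover_permutation(permute, n)
    target = [rng.randrange(256) for _ in range(n)]   # constructed target image
    return target, unpermute(permute(target), dest), images_needed(n)


if __name__ == "__main__":
    target, recovered, count = demo()
    print("recovered:", recovered == target, "chosen images:", count)
    print("PM:", paper_example_pm())
```
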

Based on the above, the steps for attacking permutation are briefly summarized as follows:


#### *3.4. The Proposed Chosen-Plaintext Attack Method*

Following the above-mentioned discussion, CIEA-FOHS cannot resist the attack method proposed in this paper. The flowchart of the attack method is shown in Figure 4, and the specific steps based on chosen-plaintext attack are as follows: first, get an equivalent diffusion key (*SX*, *SY*, *SZ*) by the method in Section 3.2; second, obtain the permutation matrix *PM* by the method in Section 3.3; finally, recover the original images with the equivalent keys.

**Figure 4.** The overall flowchart of attacking CIEA-FOHS.

Moreover, the complexity required for the attack method is discussed here. In terms of data complexity, for color images of size *H* × *W* × 3, the number of chosen plain images required to decipher diffusion and permutation is 3 and $\lceil \log_{256}(3HW) \rceil$, respectively. Hence, the total data complexity required is $O(3 + \lceil \log_{256}(3HW) \rceil)$.

#### **4. Experimental Verifications and Discussions**

To verify our security analysis, the algorithm steps of CIEA-FOHS strictly follow Ref. [42]. Due to the complexity of fractional-order chaos, some parameters may not be completely consistent, but this does not affect the effectiveness of the security analysis. We conduct simulation verification on the proposed image cryptosystem based on a PC (personal computer) with MATLAB r2018b. The PC runs Windows 10 64-bit OS (operating system) with an Intel(R) Core(TM) i5-8265U CPU @ 1.60 GHz and 8 GB memory. We select some typical images listed in Table 3 for experiments. Among them, the image "Lenna" of size 256 × 256 × 3 given in Ref. [42] is also included. In Equation (1), we set the experimental secret key parameters to *h* = 0.001, *α* = 104, $t_f$ = 100, $x_0$ = 1.002, $y_0$ = 0.949, $z_0$ = 0.997 and $w_0$ = 1.103.

• *Case 1.* Breaking CIEA-FOHS with an image of size 2 × 2 × 3: In order to better illustrate the attack process, we first adopt an extremely simple image with a size of 2 × 2 × 3. A pair of the given target plain and cipher images *I* and *C* is shown in Figure 5a,c respectively, and their histograms are shown in Figure 5b,d respectively. Accordingly, the numerical matrices of *I* and *C* are:

**Figure 5.** A pair of plain and cipher images of size 2 × 2 × 3: (**a**) plain image *I*; (**b**) histogram of *I*; (**c**) cipher image *C*; (**d**) histogram of *C*.

$$I\mathbf{R} = \begin{bmatrix} 11 & 22 \\ 33 & 44 \end{bmatrix}; I\mathbf{G} = \begin{bmatrix} 55 & 66 \\ 77 & 88 \end{bmatrix}; I\mathbf{B} = \begin{bmatrix} 99 & 100 \\ 111 & 122 \end{bmatrix}$$

$$\mathbf{C}\mathbf{R} = \begin{bmatrix} 70 & 165 \\ 103 & 145 \end{bmatrix}; \mathbf{C}\mathbf{G} = \begin{bmatrix} 231 & 154 \\ 118 & 28 \end{bmatrix}; \mathbf{C}\mathbf{B} = \begin{bmatrix} 181 & 24 \\ 171 & 165 \end{bmatrix}$$

Firstly, following Step 1 in Section 3.2, choose the all-zero plain image $I^{(0)}$ shown in Figure 6a and temporarily use the encryption machine of CIEA-FOHS, and then get the corresponding cipher image $C^{(0)}$, as shown in Figure 6c. The all-zero plain image $I^{(0)}$ and the corresponding cipher image $C^{(0)}$ and their histograms are shown in Figure 6b,d, respectively. Similarly, the numerical matrices of $I^{(0)}$ and $C^{(0)}$ are:

**Figure 6.** The all-zero chosen plain image $I^{(0)}$ and its corresponding cipher image $C^{(0)}$ of size 2 × 2 × 3: (**a**) $I^{(0)}$; (**b**) histogram of $I^{(0)}$; (**c**) $C^{(0)}$; (**d**) histogram of $C^{(0)}$.

$$I\mathbf{R}^{(0)} = \begin{bmatrix} 0 & 0\\ 0 & 0 \end{bmatrix}; I\mathbf{G}^{(0)} = \begin{bmatrix} 0 & 0\\ 0 & 0 \end{bmatrix}; I\mathbf{B}^{(0)} = \begin{bmatrix} 0 & 0\\ 0 & 0 \end{bmatrix}$$

$$\mathbf{C}\mathbf{R}^{(0)} = \begin{bmatrix} 77 & 77\\ 77 & 77 \end{bmatrix}; \mathbf{C}\mathbf{G}^{(0)} = \begin{bmatrix} 174 & 174\\ 174 & 174 \end{bmatrix}; \mathbf{C}\mathbf{B}^{(0)} = \begin{bmatrix} 109 & 109\\ 109 & 109 \end{bmatrix}$$

Then, one has $SX_L = 77$, $SY_L = 174$ and $SZ_L = 109$ because $SX_L = CR_0$, $SY_L = CG_0$ and $SZ_L = CB_0$, where *L* = 2 × 2 = 4.

Secondly, based on Step 2 in Section 3.2, choose the two plain images $I^{(85)}$ and $I^{(170)}$, and get the corresponding cipher images, $C^{(85)}$ and $C^{(170)}$, which are shown in Figure 7a–d, respectively. The values of their three RGB channels are:

$$\begin{aligned} \mathbf{I} \mathbf{R}^{(85)} &= \begin{bmatrix} 85 & 85 \\ 85 & 85 \end{bmatrix}; \mathbf{IG}^{(85)} = \begin{bmatrix} 85 & 85 \\ 85 & 85 \end{bmatrix}; \mathbf{I} \mathbf{B}^{(85)} = \begin{bmatrix} 85 & 85 \\ 85 & 85 \end{bmatrix} \\ \mathbf{C} \mathbf{R}^{(85)} &= \begin{bmatrix} 176 & 186 \\ 77 & 85 \end{bmatrix}; \mathbf{C} \mathbf{G}^{(85)} = \begin{bmatrix} 5 & 181 \\ 110 & 24 \end{bmatrix}; \mathbf{C} \mathbf{B}^{(85)} = \begin{bmatrix} 184 & 94 \\ 229 & 241 \end{bmatrix} \\ \mathbf{I} \mathbf{R}^{(170)} &= \begin{bmatrix} 170 & 170 \\ 170 & 170 \end{bmatrix}; \mathbf{IG}^{(170)} = \begin{bmatrix} 170 & 170 \\ 170 & 170 \end{bmatrix}; \mathbf{I} \mathbf{B}^{(170)} = \begin{bmatrix} 170 & 170 \\ 170 & 170 \end{bmatrix} \\ \mathbf{C} \mathbf{R}^{(170)} &= \begin{bmatrix} 231 & 235 \\ 177 & 81 \end{bmatrix}; \mathbf{C} \mathbf{G}^{(170)} = \begin{bmatrix} 120 & 24 \\ 174 & 238 \end{bmatrix}; \mathbf{C} \mathbf{B}^{(170)} = \begin{bmatrix} 199 & 123 \\ 45 & 1 \end{bmatrix} \end{aligned}$$

**Figure 7.** The two chosen plain images $I^{(85)}$, $I^{(170)}$ and their corresponding cipher images $C^{(85)}$, $C^{(170)}$ of size 2 × 2 × 3: (**a**) $I^{(85)}$; (**b**) $C^{(85)}$; (**c**) $I^{(170)}$; (**d**) $C^{(170)}$.

Then, combining Algorithm 1, we determine *SX*, *SY*, *SZ* as

$$\mathbf{S} \mathbf{X} = \begin{bmatrix} 84 & 86 & 89 & 77 \end{bmatrix}; \mathbf{S} \mathbf{Y} = \begin{bmatrix} 63 & 31 & 71 & 46 \end{bmatrix}; \mathbf{S} \mathbf{Z} = \begin{bmatrix} 64 & 36 & 119 & 109 \end{bmatrix}$$

or

$$\mathbf{SX} = \begin{bmatrix} 212 & 214 & 217 & 205 \end{bmatrix}; \mathbf{SY} = \begin{bmatrix} 191 & 159 & 199 & 174 \end{bmatrix}; \mathbf{SZ} = \begin{bmatrix} 192 & 164 & 247 & 237 \end{bmatrix}$$

Thirdly, by Step 3 in Section 3.2, the corresponding permuted image shown in Figure 8c can be restored from the targeted cipher image in Figure 8a with *SX*, *SY*, *SZ*. Fourthly, following Step 1 in Section 3.3, construct some special attack images to obtain the permutation matrix *PM*. For images of size 2 × 2 × 3, the process of solving *PM* is exactly the same as in Section 3.3. Then, we determine the *PM* as Equation (10). Fifth, by Step 2 in Section 3.3, recover (*IR*, *IG*, *IB*) from (*ER*, *EG*, *EB*) with *PM*. Thus, the original plain image shown in Figure 8e can be recovered.

**Figure 8.** A target cipher image, the permuted image, the original plain image and their histograms of size 2 × 2 × 3: (**a**) a target cipher image; (**b**) histogram of (**a**); (**c**) its permuted image; (**d**) histogram of (**c**); (**e**) its plain image; (**f**) histogram of (**e**).

• *Case 2.* Breaking CIEA-FOHS with "Lenna" of size 256 × 256 × 3: Firstly, following Step 1 in Section 3.2, choose the all-zero plain image $I^{(0)}$ shown in Figure 9a and temporarily use the encryption machine of CIEA-FOHS, and then get the corresponding cipher image $C^{(0)}$, as shown in Figure 9b, and the corresponding three channel images and their histograms of $C^{(0)}$ are shown in Figure 9c,d, respectively. Specifically, one has $SX_L = 238$, $SY_L = 168$ and $SZ_L = 91$ owing to $SX_L = CR_0$, $SY_L = CG_0$ and $SZ_L = CB_0$.

**Figure 9.** The all-zero chosen plain image $I^{(0)}$ and its corresponding cipher image $C^{(0)}$ of size 256 × 256 × 3: (**a**) $I^{(0)}$; (**b**) histogram of $I^{(0)}$; (**c**) $C^{(0)}$; (**d**) histogram of $C^{(0)}$.

Secondly, based on Step 2 in Section 3.2, choose the two plain images, $I^{(85)}$ and $I^{(170)}$, and get the corresponding cipher images, $C^{(85)}$ and $C^{(170)}$, which are shown in Figure 10a–d, respectively.

**Figure 10.** The two chosen plain images $I^{(85)}$, $I^{(170)}$ and their corresponding cipher images $C^{(85)}$, $C^{(170)}$ of size 256 × 256 × 3: (**a**) $I^{(85)}$; (**b**) histogram of $I^{(85)}$; (**c**) $C^{(85)}$; (**d**) histogram of $C^{(85)}$; (**e**) $I^{(170)}$; (**f**) histogram of $I^{(170)}$; (**g**) $C^{(170)}$; (**h**) histogram of $C^{(170)}$.

Furthermore, one determines $SX_i$, $SY_i$, $SZ_i$ for *i* = 1 ∼ *L* − 1 by Algorithm 1. Thirdly, by the method in Section 3.3, choose the three plain images (shown in Figure 11a–f) and get the corresponding cipher images (shown in Figure 11g–l), and then use Algorithm 1 again to obtain their corresponding permuted images (shown in Figure 11m–r). Then, we can get *PM*.


**Figure 11.** Three chosen plain images, the corresponding cipher and permuted images for attacking permutation: (**a**) 1# plain image; (**b**) The histogram of (**a**); (**c**) 2# plain image; (**d**) The histogram of (**c**); (**e**) 3# plain image; (**f**) The histogram of (**e**); (**g**) 1# cipher image; (**h**) The histogram of (**g**); (**i**) 2# cipher image; (**j**) The histogram of (**i**); (**k**) 3# cipher image; (**l**) The histogram of (**k**); (**m**) 1# permuted image; (**n**) The histogram of (**m**); (**o**) 2# permuted image; (**p**) The histogram of (**o**); (**q**) 3# permuted image; (**r**) The histogram of (**q**).

Finally, we recover the original image from the cipher image of "Lenna" shown in Figure 12a. First, the permuted image shown in Figure 12c is obtained from the cipher image with (*SX*, *SY*, *SZ*). Then, the plain image is restored by *PM*, which is shown in Figure 12e.

**Figure 12.** The cipher image, the permuted image, the original plain image of "Lenna" and their histograms of size 256 × 256 × 3: (**a**) the cipher image; (**b**) histogram of (**a**); (**c**) its permuted image; (**d**) histogram of (**c**); (**e**) its plain image; (**f**) histogram of (**e**).

Without loss of generality, we do the experiments based on other images with different sizes. The experimental results are shown in Table 3 and Figure 13. They both verify the effectiveness of our attack method. Besides, it can be seen from Table 3 that the proposed attack is efficient. Taking the image "Lenna" of size 256 × 256 × 3 as an example, when the encryption time is 0.6391 s, the time needed for the corresponding attack is just 129.4039 s. Even if the image size increases, the time required for the attack is still within an acceptable range. Thus, it verifies that our method is computationally feasible.

Moreover, we verified the data complexity required for the attack. As discussed in Section 3.4, the total data complexity required for breaking CIEA-FOHS is $O(3 + \lceil \log_{256}(3HW) \rceil)$. In our experiment with chosen-plaintext attack, the number of attack images required for sizes 2 × 2 × 3 and 100 × 100 × 3 are 4 and 5, respectively. And for sizes 300 × 200 × 3, 256 × 256 × 3 and 512 × 512 × 3, the number of attack images required are all 6. Therefore, the experimental verification is consistent with the theoretical calculation.


**Table 3.** The time required for breaking CIEA-FOHS by our proposed attack method (unit: second).

**Figure 13.** Attacking results with three images of size 100 × 100 × 3, 300 × 200 × 3 and 512 × 512 × 3 respectively: (**a**) cipher image of size 100 × 100 × 3; (**b**) plain image of (**a**); (**c**) cipher image of size 300 × 200 × 3; (**d**) plain image of (**c**); (**e**) cipher image of size 512 × 512 × 3; (**f**) plain image of (**e**).

#### **5. Suggestions for Improvement**

On the basis of the above, CIEA-FOHS is insecure against a chosen-plaintext attack method because of its inherent security defects. To enhance the security, some suggestions for improvement are listed below:

• Suggestion 1. Ensuring the substantial security contribution of the fractional-order chaos to the corresponding cipher. The attractor phase diagram of the fractional-order hyperchaotic system is shown in Figure 1, which shows the extremely complex dynamics. Undoubtedly, fractional-order chaos is one of the preferred sources of entropy for encryption. However, due to negligence in the algorithm design, CIEA-FOHS has serious security defects and can be attacked.

• Suggestion 2. Security analysis should be implemented from the perspective of cryptography, not limited to numerical statistical verification. As Ref. [45] points out, many encryption algorithms have excellent statistical analysis results, but they are still insecure. In fact, good statistical analysis results are only a necessary and not a sufficient condition for security. Some security flaws are difficult to reflect with numerical statistical results, but they can be clearly revealed by theoretical security analysis. For example, the existence of an equivalent key makes CIEA-FOHS vulnerable to cryptographic attacks. Given the implementation of detailed cryptographic security analysis, these flaws can be avoided, thereby improving security.
