#### Abstract

In this paper, the security analysis of a color image encryption algorithm based on Hopfield chaotic neural network is given. The original chaotic image encryption algorithm includes permutation encryption and diffusion encryption. The result of cryptanalysis shows that the chaotic sequences generated by this algorithm are independent of plaintext image, and there exist equivalent permutation key and equivalent diffusion key. Therefore, according to chosen-plaintext attack, the equivalent diffusion key and the equivalent permutation key can be obtained by choosing two special plaintext images and the corresponding ciphertext images, respectively, and the plaintext image is further recovered from the ciphertext image. Theoretical analysis and numerical simulation experiment results verify the effectiveness of the analytical method. Finally, some improved suggestions for the original encryption algorithm are proposed to promote the security.

#### 1. Introduction

With the rapid development of network technology, the security and privacy protection problems of multimedia information have become a hot subject. In order to promote the security of information transmission, scholars have proposed a large amount of image encryption algorithms based on different mechanisms and theories, such as chaotic map [1–13], neural network [14], DNA [15–18], and so on. The security performance of the image encryption algorithms mainly depends on statistical test indicators, such as key space, histogram, key sensitivity analysis, information entropy, differential attack, and so on. However, statistical test indicator is an essential condition and not a sufficient condition for measuring security presented in [19]; moreover, some of them are proven to be insecure due to their inherent pitfalls [20–30]. Therefore, it is necessary to perform cryptanalysis in order to improve the security of the image encryption algorithms.

In recent years, many image encryption algorithms have been cryptanalyzed by the researchers. For example, in [20], the cryptanalysis of an image encryption cryptosystem based on binary bit planes extraction and multiple chaotic maps (IEC-BPMC) proposed in [1] is given; it is pointed out that IEC-BPMC is insecure against chosen-plaintext attack. In [21], the security analysis of an image chaotic encryption algorithm based on Latin cubes and bit cubes presented in [2] is proposed; it is reported that the generation of Latin cubes is independent of plain image, while in the diffusion stage, when any one bit in the plain image changes, the corresponding number of bits in the cipher image follows the change with obvious regularity. According to chosen-plaintext attack, only a maximum of plaintext images are needed to crack the ciphertext images of size resolution. In [22], according to chosen-ciphertext attack, the security analysis for a self-synchronization and closed-loop feedback-based chaotic stream cipher proposed in [3] is given; it has shown that, under the condition that only one unknown key needs to be deciphered while the remaining keys are all known, most secret keys can be deciphered accurately. In addition, the attack complexity of the proposed method is lower than that of the exhaustive attack. In [23], the security performance for an 8D self-synchronous and feedback-based chaotic stream cipher with low 8 bits of state variables for encryption proposed in [4] is analysed, according to known-plaintext attack and divide-and-conquer attack, 49 secret keys can be obtained, and an improved chaotic stream cipher is proposed for improving the ability to resist divide-and-conquer attack and chosen-ciphertext attack. According to chosen-plaintext attack, in [24], the security analysis of an image encryption algorithm based on 3D bit matrix permutation presented in [5] is given and proposes some improved suggestions in order to enhance security performance. The cryptanalysis of the image encryption algorithm proposed in [7] is presented in [25]; it is reported that the equivalent secret keys can be obtained by utilizing chosen-plaintext attack and further recover the original plaintext image from the ciphertext image. In [26], the security analysis of an image encryption algorithm based on improved hyperchaotic sequence presented in [8] is given; it is shown that only 1-pair known plaintext-ciphertext image can crack the original encryption algorithm by using known-plaintext attack. In [27], the cryptanalysis of an image encryption algorithm with one round diffusion structure proposed in [9] is reported to find that the original encryption algorithm has equivalent secret keys, so that it can be deciphered by known-plaintext and chosen-plaintext attack. In [28], it is pointed out that permutation-only encryption structure presented in [10] is insecure against known-plaintext attack and chosen-plaintext attack, respectively; for given image of size , the original encryption algorithm is cracked by only using plaintext-ciphertext images. The image encryption algorithm based on DNA encoding and spatiotemporal chaos is proposed in [15]; nevertheless, it is broken in [29] by using chosen-plaintext attack and chosen-ciphertext attack with lower computation complexity and data complexity, respectively. In [30], the security analysis of an image encryption algorithm based on 2D Henon-Sine map and DNA proposed in [17] is given; it is found that cipher image can be cracked by utilizing chosen-plaintext attack without known keys, and its attack complexity is .

In 2019, a color image encryption algorithm based on Hopfield chaotic neural network (CIEA-HCNN) is given in [14]. CIEA-HCNN adopts permutation encryption-diffusion encryption structure; in the permutation encryption phase, firstly, the parameters of Arnold cat map are generated by chaotic sequence and then Arnold cat map is used to scramble the pixel positions of plaintext image. In the diffusion encryption stage, diffusion matrix is generated by utilizing Hopfield chaotic neural network, and then bitwise XOR operation is performed by using diffusion matrix on the scrambled image to obtain the ciphertext image. Some statistical test results are proposed in CIEA-HCNN, and it is claimed that the encryption algorithm has a higher security performance against various attacks. However, CIEA-HCNN has the following inherent defects from the view of cryptanalysis:(1)The chaotic sequences generated by key-streams are independent of plaintext image; for given secret key parameters and the size of the plaintext image, the chaotic sequences remain unchanged regardless of the plaintext image.(2)The diffusion encryption structure is too simple, there is no ciphertext feedback mechanism, and there exists equivalent diffusion key. According to chosen-plaintext attack, the equivalent diffusion key is broken by choosing one special plaintext image and its corresponding ciphertext image without known keys.(3)The permutation encryption structure is a permutation-only encryption process. After deciphering the diffusion encryption structure, the original encryption algorithm becomes a permutation-only encryption structure; in [28], it is pointed out that permutation-only is insecure and cannot resist chosen-plaintext attack and known-plaintext attack. Moreover, parameters of Arnold cat map generated by chaotic sequence depend solely on the secret keys, and the position is always mapped into itself in Arnold cat map.

According to the above shortcomings, one obtains that CIEA-HCNN is insecure, and it is vulnerable to chosen-plaintext attack or known-plaintext attack. An attacker can successfully crack the original encryption algorithm by using the equivalent diffusion key and the equivalent permutation key without knowing the secret keys.

The rest of the paper is organized as follows. Section 2 briefly introduces CIEA-HCNN under study. Section 3 analyses the security performance of CIEA-HCNN by using chosen-plaintext attack. Section 4 gives the numerical simulation experiments and the suggestions for improvement. Section 5 concludes the paper.

#### 2. Chaotic Encryption Algorithm under Study

In this section, Hopfield chaotic neural network and Staged composite chaotic map proposed in [14] are first given, and then CIEA-HCNN is introduced in detail.

##### 2.1. Hopfield Chaotic Neural Network

In 1982, American physicist Hopfield first proposed Hopfield chaotic neural network given in [31]. It is a fully connected neural network, mainly used providing model of simulation human memory. Simultaneously, Hopfield chaotic neural network is also a feedback neural network, and the output signal of each neuron in the network is usually fed back to itself by using other neurons. The iterative equation of Hopfield chaotic neural network is given bywhere state variable , , , denotes a hyperbolic tangent function, and represents a weight matrix.

##### 2.2. Staged Composite Chaotic Map

Staged composite chaotic map is a novel phased chaotic map which combines Logistic map with Tent map, given bywhere control parameter , state variable , . The system is chaotic defined by equation (4) when .

##### 2.3. Description of CIEA-HCNN

In [14], CIEA-HCNN consists of secret keys selection, chaotic sequences generation, permutation encryption, and diffusion encryption, as shown in Figure 1, where are secret key parameters, are chaotic sequences generated by Staged composite chaotic map, and are parameters of Arnold cat map, is a permutation matrix, are sequences generated by Hopfield chaotic neural network, is a diffusion matrix, is a color plaintext image, is a temporary permutation encryption image of , is a permutation encryption image of , is a diffusion encryption image of , and is a ciphertext image corresponding to the plaintext image ; the detailed encryption principles of CIEA-HCNN are presented as follows:

*Step 1: Permutation Encryption*. First, F transform of the chaotic sequence ; one obtains control parameters and of Arnold cat map, given by where is the width of the plaintext image , mod represents a modular operation, and floor rounds a real number to the nearest integer. In Figure 1, scramble R, G, B channels of by utilizing Arnold cat map, respectively, and get the corresponding temporary permutation encryption image denoted by ; the iterative equation of Arnold cat map is defined as where and represent the before and after coordinate of permutation encryption through using Arnold cat map; moreover, the default number of Arnold cat map iterations is set as 1 [14]. According to Figure 1 and equation (6), one gets Finally, scan R, G, B three channels of in a raster order from left to right and up to down; one obtains the permutation encryption image with the size of , given by

*Step 2: Diffusion Encryption*. First, set the chaotic sequences , , and as the initial values of Hopfield chaotic neural network, substitute them into equations (1)-(2), iterate times, and get three sequences defined by . Let be equal to , such that Then, is quantified to obtain the diffusion matrix given by where round denotes a round-off function and abs is an absolute value function. In Figure 1, perform bitwise XOR operation on the permutation encryption image by utilizing diffusion matrix , and then get the temporary ciphertext image defined as where notation denotes a bitwise XOR operation. Finally, convert the temporary ciphertext image into the ciphertext image .(4)Decrypt image by using chaotic decryption algorithm. Decryption is the inverse process of encryption. First, convert the ciphertext image into the temporary ciphertext image , then perform bitwise XOR operation by using and the diffusion matrix , and get the permutation encryption image . Second, transform into the temporary permutation encryption image . Finally, implement anti-scramble encryption for by means of Arnold cat map, and further recover the plaintext image from the encrypted image .

#### 3. Cryptanalysis

##### 3.1. Preliminary Analysis of CIEA-HCNN

According to Kerckhoff’s assumptions [32], one gets that the cryptosystem is open and its security depends solely on the secret keys rather than the cryptosystem itself; that is, the attacker knows everything about the cryptosystem except for the secret keys. If the cryptosystem cannot resist various attacks, it is insecure. There are generally four common attack types for cryptanalysis given in Table 1 from the hardest to the easiest types. In Table 1, ciphertext-only attack is the hardest type, and chosen-ciphertext attack is the easiest type. The adversary reveals secret keys or the equivalent keys to break the cryptosystem by using the four common attack types listed in Table 1.

According to Figure 1, one obtains that CIEA-HCNN adopts permutation encryption-diffusion encryption structure. First, the diffusion encryption structure of CIEA-HCNN is too simple, and the diffusion matrix is independent of plaintext image or ciphertext image. Therefore, one gets that CIEA-HCNN has the equivalent diffusion key. According to chosen-plaintext attack, the equivalent diffusion key can be broken by just selecting one pure plaintext image and the corresponding ciphertext image.

After cracking the equivalent diffusion key, CIEA-HCNN is simplified to a permutation-only encryption algorithm. In [28], it is pointed out that permutation-only encryption algorithm is insecure. For given secret key parameters and the size of the plaintext image, the generated chaotic sequences remain unchanged which are unrelated to the plaintext image and the corresponding ciphertext image; therefore, the values of and in Arnold cat map are fixed, and further the permutation matrix also remains unchanged. Indeed, the permutation matrix is the equivalent permutation key of CIEA-HCNN. An attacker can break the permutation-only encryption algorithm by using the permutation matrix . In addition, the position is always mapped into itself in Arnold cat map.

According to the above analysis, one gets that the security performance of CIEA-HCNN depends only on the diffusion matrix and the permutation matrix ; indeed, it means that the equivalent diffusion key and the equivalent permutation key exist in CIEA-HCNN. The adversary can reveal the equivalent keys by using chosen-plaintext attack and further successfully break the original encryption algorithm. Therefore, the problem of cracking secret key parameters in the original encryption algorithm can be solved by chosen-plaintext attack and transforming it into solving the equivalent diffusion key and the equivalent permutation key. Moreover, according to Figure 1, one obtains the simplified block diagram of CIEA-HCNN, as shown in Figure 2. In Figure 2, denotes the equivalent permutation key, and represents the equivalent diffusion key.

##### 3.2. Cracking CIEA-HCNN by Using Chosen-Plaintext Attack

The basic method of cracking the permutation encryption and the diffusion encryption structure shown in Figure 2 is that, according to chosen-plaintext attack, one adopts divide-and-conquer strategy to separate the permutation encryption from the diffusion encryption through choosing the plaintext that would be useful for breaking, on this basis, and further deciphering the equivalent permutation key and the equivalent diffusion key , respectively. The detailed procedures of cracking the equivalent permutation key and the equivalent diffusion key are presented as follows.

###### 3.2.1. Deciphering the Equivalent Diffusion Key

According to chosen-plaintext attack, choose a full zero image denoted by , and get the corresponding ciphertext image defined as . Next, using the obtained and as known conditions, one further gets the corresponding equivalent diffusion key .

The specific approaches for cracking the equivalent diffusion key are given as follows. Step 1. Choose a full zero plaintext image as , according to chosen-plaintext attack, and get its corresponding ciphertext image as . From Figure 1, one obtains the temporary ciphertext image corresponding to . Step 2. According to equation (11) and Figure 2, one has Since all pixels of are zero, after performing the permutation encryption operation for , holds. *Step 3*. From equations (11)-(12) with , one obtains the equivalent diffusion key defined as

###### 3.2.2. Deciphering the Equivalent Permutation Key

After breaking the equivalent diffusion key , the original permutation encryption-diffusion encryption structure is simplified to permutation-only encryption structure. Besides, since the original image chaotic encryption algorithm adopts the same permutation matrix to the three channels of the plaintext image, the work of deciphering the equivalent permutation key sets the R channel of the plaintext image as an example as follows. First, choose a plaintext image defined as , and suppose the pixels of coordinates and in R channel are and , respectively. Moreover, , and , others are full zero, and let all pixels of G channel and B channel be full zero. One obtains the corresponding ciphertext image described by . Then using the obtained and as known conditions, one further gets the corresponding equivalent permutation key . Note that the equivalent permutation key is not affected by the number of Arnold cat map iterations.

The specific steps for cracking the equivalent permutation key are presented as follows. *Step 1*. According to chosen-plaintext attack, choose one plaintext image as , and get its ciphertext image defined as . Then, the temporary ciphertext image as is obtained by using the ciphertext image . *Step 2*. Substitute and with equation (11); the permutation encryption image denoted as is described by *Step 3*. Convert the permutation encryption image of size into the temporary permutation encryption image of size , and then compare with one by one; one gets

According to equations (6)-(7), one obtains

From equations (16)-(17), one sees that , , , and are given, and only the equivalent permutation key is unknown; therefore, one can solve the equation by combining equations (16)-(17), defined as

According to equation (18), one obtains the equivalent permutation key by adopting one special plaintext image and the corresponding ciphertext image.

For the sake of understanding the above analysis, take the plaintext image of size as an example, given by

After performing the permutation-only encryption on , one gets the temporary permutation encryption image denoted by , such that

According to equations (19)-(20), one has

Then substituting equation (21) into equation (18), according to , one obtains and further gets the equivalent permutation key , defined as

###### 3.2.3. Recover the Plaintext Image by Using the Equivalent Diffusion Key and the Equivalent Permutation Key

First, convert the ciphertext image into the temporary ciphertext image . According to equation (11) and the equivalent diffusion key , the permutation encryption image denoted by can be obtained from the temporary ciphertext image . Second, convert the permutation encryption image into the temporary permutation encryption image denoted by . Finally, recover the plaintext image defined by from the ciphertext image by utilizing the equivalent permutation key .

According to the above security analysis, the process of cracking CIEA-HCNN by adopting chosen-plaintext attack is described in Algorithm 1.

#### 4. The Numerical Simulation Experiments for Breaking CIEA-HCNN

In the numerical simulation experiments, color images Lena, Baboon, and Pepper are taken as three examples, where the size of the image is . The secret keys are set as , , , , , , , and . The numerical simulation experiments are operated under MATLAB R2017a running on desktop computer with Intel (R) Core (TM) i7-7700 CPU 3.6 GHz, 16 G memory RAM, and 1 TB hard drive; the operation system is Microsoft Windows 7.

##### 4.1. The Experiments for Breaking CIEA-HCNN by Using Chosen-Plaintext Attack

First, according to the analysis in Section 3.2.1, choose a full zero plaintext image of size denoted by and get the corresponding ciphertext image , as shown in Figures 3(a) and 3(b). Based on equation (12), and , one obtains the equivalent diffusion key given by

**(a)**

**(b)**

Second, according to Section 3.2.1, construct a color image of size defined by , let the pixels of the coordinates and be 1 and 2 in the R channel of the plaintext image , other pixels are set as 0, and all pixels of the G and B channels are defined as 0, as shown in Figure 4(a). According to chosen-plaintext attack, one can get the corresponding ciphertext image of denoted by , as shown in Figure 4(b). Recover the permutation encryption image represented by from the ciphertext image by using the equivalent diffusion key , and then convert the permutation encryption image into the temporary permutation encryption image , as shown in Figure 4(c). Based on equation (15), and comparing with , one gets

**(a)**

**(b)**

**(c)**

According to equations (16)-(18), one obtains the equivalent permutation key defined as

Finally, according to Section 3.2.3, the plaintext images of Lena, Baboon, and Pepper with the size of are recovered by using the equivalent diffusion key and the equivalent permutation key ; moreover, in order to verify that the recovered plaintext image is equal to the original plaintext image, performing the bitwise XOR operation on them, one gets a full zero image. The breaking results on CIEA-HCNN with RGB color Lena, Baboon, and Pepper are shown in Figure 5.

**(a)**

**(b)**

**(c)**

**(d)**

**(e)**

**(f)**

**(g)**

**(h)**

**(i)**

**(j)**

**(k)**

**(l)**

##### 4.2. Attack Complexity Analysis

The attack complexity consists of time complexity and data complexity. On the aspect of time complexity, according to chosen-plaintext attack, the cracking time of CIEA-HCNN is 11.164 seconds for the color image with the size of , and the encryption time is 5.813 seconds. Moreover, on the aspect of data complexity, given the same size of color image, the data complexity of breaking CIEA-HCNN is . Therefore, the experimental results verify that the attack method is both effective and efficient, meanwhile having lower attack complexity.

##### 4.3. Suggestions for Improvement

According to the security defects of CIEA-HCNN, the suggestions for improvement are given as follows:(1)In the permutation encryption structure, one can construct the combination of parameters of Arnold cat map and the characters of plaintext image such as all pixels sum and average and hash value of the plaintext information. One adopts multiple-round permutation encryption based on the encryption efficiency. Simultaneously, one suggests that using different permutation matrix performs the scrambling operation on the three R, G, B channels of the color image, respectively. Moreover, after the permutation encryption, exchange the pixel of coordinate to the other random pixel to improve the security of the original permutation encryption.(2)In the diffusion encryption structure, one could add some nonlinear diffusion encryption structure and ciphertext feedback mechanism to enhance the combination of plaintext, keys, and ciphertext and further promote the security of the original encryption algorithm.(3)One suggests that multiple-round encryption algorithm is proposed to improve the security based on the higher efficiency.

#### 5. Conclusions

In this paper, the security analysis of a color image encryption algorithm based on Hopfield chaotic neural network called CIEA-HCNN is given. CIEA-HCNN adopts permutation encryption-diffusion encryption structure; from the view of cryptanalysis, it has the equivalent keys due to the inherent defects. Therefore, one can obtain the equivalent permutation key and the equivalent diffusion key by utilizing the chosen-plaintext attack and further crack CIEA-HCNN. Theoretical analysis and numerical simulation experiment results verify the effectiveness of the deciphering method; as for the color image of size , the data complexity is . Finally, some suggestions are proposed to improve the security of chaotic encryption algorithm. The reported results may help the designers of chaotic cryptography realize the importance of the essential structure of a color image encryption algorithm based on Hopfield chaotic neural network.

#### Data Availability

The data and code used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported by the National Key Research and Development Program of China (No. 2016YFB0800401) and the National Natural Science Foundation of China (No. 61532020, 61671161).