Security analysis of a chaotic encryption algorithm related to the sum of plaintext pixel value

Existing security analyses of chaotic image encryption mainly target algorithms whose secret keys are independent of the plaintext, while few cryptanalyses of plaintext-related schemes have been released. This paper analyzes the security of a chaotic encryption algorithm related to the sum of plaintext pixel value (SPPV). It is found that for all plaintexts with the same SPPV, the chaotic sequences used for encryption are identical. Accordingly, there exists a series of equivalent keys corresponding to the different SPPVs, and a codebook attack method to crack this type of encryption algorithm is proposed. Since the SPPV is predictable, limited in number and reconfigurable, the chosen-plaintext attack is adopted to analyze plaintexts with all possible SPPVs, and the corresponding equivalent keys are calculated, respectively. These equivalent keys corresponding to the SPPV finally form a complete codebook for cracking the original encryption scheme. The research result shows that any encryption algorithm related to SPPV can be cracked by the codebook attack method proposed in this paper. Therefore, the method proposed in this paper has certain universal applicability. Theoretical analysis and experimental results prove the feasibility of this method.


Introduction
Digital images, characterized by convenient storage, processing and transmission and by rich information content, have become an important medium for transmitting information in the era of big data, which draws more and more public attention to information security. Image encryption is an important means to achieve message security. However, it is difficult to encrypt digital images due to their large amount of information, high redundancy, strong correlation between pixels, and other characteristics. So far, there is no standardized image encryption algorithm. Since Fridrich proposed the image encryption algorithm based on chaos [1], there has been an upsurge in academia to apply chaos theory to the field of image encryption [2][3][4][5][6][7][8][9][10], in which chaos also shows huge potential application value [2]. Chen and Mao et al. standardized the image encryption structure based on chaos [3,4], as shown in Fig. 1, where the encryption process consists of two core links: permutation and diffusion. Permutation rearranges the pixels in the image while their values remain unchanged. In recent years, bit-level permutation has also appeared [11][12][13][14], which enriches the types of permutation. Bit-level permutation converts each pixel value into 8-bit binary form and transforms the positions of the binary bits, so that the pixel value is changed at the same time. Diffusion changes the pixel values through certain operation rules and covers up the original image information [15][16][17]. Through these two procedures, the connection between plaintext and key is fully confused, so that the ciphertext resembles random noise and cannot express any meaningful information [18].
One development direction of chaos-based image encryption concerns the structure, which ranges from permutation-only [19] to permutation-permutation-diffusion, permutation-diffusion-permutation, diffusion-permutation-diffusion, multi-round permutation-diffusion [20][21][22][23], etc. Among these structures, the permutation-only framework has been proved to be insecure [24,25], and the others are safe under certain conditions [26,27]. Another direction focuses on the chaos itself, improving the randomness and the sensitivity to the initial value so as to heighten the security of the algorithm, such as designing more complicated chaos, combining multiple chaotic maps, associating the chaotic initial value or control parameters with the plaintext, etc. [1,8,9,23].
Simin Yu and Qianxue Wang have contributed equally to this work.
Since the key of a plaintext-independent chaotic image encryption algorithm is fixed, the same chaotic sequence is used to encrypt different plaintext images, so equivalent keys actually exist. These types of algorithms are generally unable to resist attacks such as chosen-plaintext attack (CPA), chosen-ciphertext attack (CCA), and known-plaintext attack (KPA). To eliminate the vulnerability of equivalent keys in plaintext-independent encryption, algorithms associated with the plaintext have been proposed in the past 10 years [28][29][30][31][32][33][34][35], which marks the maturity of the application of chaos theory in the field of image encryption. A plaintext-related chaotic image encryption algorithm associates the key or encryption process with some characteristic values of the plaintext image, such as SPPV, average pixel value, or Hash value of the plaintext image. In this way, the key or encryption process of different plaintext images is unique. Its reliability is higher than that of plaintext-independent encryption, which invalidates the common attacks. However, not all plaintext-related algorithms meet the requirement of one-time-one-password. Some algorithms still have equivalent keys and cannot resist CPA. In 2015, Murillo-Escobar et al. proposed a chaotic image encryption algorithm related to plaintext [31], where the chaotic sequence generated by the logistic map is applied to encrypt a plaintext. The initial value and control parameters of the map depend on the characteristics of the plaintext, so that the encryption of different plaintexts produces different sequences. The encryption algorithm passed various measures, and the authors claimed its security. However, in 2018, Fan et al. analyzed the scheme and found that it was weakly related to the plaintext and unable to resist CPA and KPA [36]. In 2018, Li et al. proposed a hyperchaos-based plaintext-related image encryption algorithm [32]. The confusion is linked to the sum of pixel intensity, and the diffusion is connected to 9 pixel values of the intermediate image after permutation. Both the key and the encryption process of the algorithm are related to the plaintext, so its security is significantly higher than that of plaintext-independent encryption. In 2019, Liu and Zhang et al. found that there were two security vulnerabilities in the encryption algorithm. First, the 9 pixels of the intermediate image do not actually participate in the diffusion. Second, the permutation is associated with the sum of pixel values, which is predictable. Accordingly, the algorithm has an equivalent key [37]. Ye and Pan et al. designed a new structure of encryption algorithm in 2018 [33]. It used a permutation-rewriting-diffusion composition, which could further enhance the relationship between permutation and diffusion. The permutation is related to the square sum of plaintext pixel strength, so the scheme belongs to plaintext-related chaotic image encryption. However, in 2022, Chen and Liu conducted a security assessment of the algorithm [38] and revealed two vulnerabilities. On the one hand, rewriting and diffusion can be merged into one equivalent diffusion, which has nothing to do with the plaintext. On the other hand, for different plaintexts with the same square sum of pixel strength, the permutation is identical, so equivalent keys exist. As a result, the plaintext-related encryption scheme proposed in [33] cannot resist CPA. The published articles on the security analysis of plaintext-related chaotic image encryption schemes all target the unique loophole of the original algorithm and adopt personalized attack schemes, that is, one analysis for one case. Consequently, these analysis methods are not universally applicable.
Recently, literature [39] proposed a plaintext-related image encryption algorithm, which exploits two classic chaotic maps, Ikeda and Logistic. The key consists of four quantities: two initial values of the Ikeda map, one initial value of the Logistic map, and the SPPV. The sequences generated by the Ikeda and Logistic maps are used for diffusion and confusion, respectively. This algorithm performs two-stage pixel-level diffusion whose sequence is generated by the Ikeda map. First, the plaintext is divided into two vertical halves. Each sub-image is diffused individually and then merged. Second, the merged image is divided into two horizontal halves. After the same procedure, a diffused image ($EI_D$) is formed eventually. During the encryption, each pixel of the plaintext image is diffused twice. In addition, the two-stage diffusion is independent of the plaintext. The permutation is performed at the bit level. To begin with, each decimal pixel value of $EI_D$ is converted into 8-bit binary representation, which is then shifted circularly to the right according to the sequence generated by the Logistic map. The sequence used for confusion produced by the Logistic map is related to the SPPV. Specifically, the SPPV is added to the initial value of the Logistic map as a new one to generate a sequence. The algorithm passed many tests, such as key space, key sensitivity, histogram analysis, correlation analysis, differential attack analysis, information entropy analysis, etc. The author claimed that the algorithm was safe and could resist various methods of attack. However, this paper conducts a security analysis of the algorithm from the perspective of modern cryptography and reveals that it has the following two defects. First, the diffusion is independent of the plaintext, so an equivalent diffusion key exists. Second, although the permutation is related to the SPPV, the sequence generated by the Logistic map is the same for all plaintexts with the same SPPV, so there is a series of equivalent permutation keys corresponding to the different SPPVs.
Fig. 1 Skeleton of a chaotic image encryption
According to the principles of cryptanalysis, information such as image size and pixel level is public. Therefore, the SPPV is predictable, limited in number and reconfigurable. In view of the above loopholes, this paper adopts the codebook attack based on CPA to crack the original algorithm. The rest of this paper is organized as follows. Section 2 describes the original algorithm. Section 3 analyzes the security of the original encryption algorithm. Section 4 presents the results of numerical simulation experiments. Section 5 gives some related discussions, followed by the conclusion of the full text in Sect. 6.

Overview of the original encryption algorithm
The image encryption algorithm proposed in [39] includes three stages: key parameter selection, diffusion, and permutation. The algorithm flowchart is shown in Fig. 2. On the premise of not changing the original algorithm, the description of some details is different from that of [39]. For more information, please refer to [39].

Ikeda map
The Ikeda map utilized in [39] was proposed by Ikeda in 1979. Its mathematical expression is as follows:
$$x_{n+1} = 1 + (x_n \cos t_n - y_n \sin t_n), \qquad y_{n+1} = (x_n \sin t_n - y_n \cos t_n) \tag{1}$$
where represents the control parameter. 2D Ikeda map exhibits chaotic behavior when ≥ 0.6 and = 0.9 are chosen. $x_n$ and $y_n$ indicate the nth iteration, which will be used in the diffusion process of the original scheme. The initial values $x_0$ and $y_0$ constitute the keys of the algorithm. $t_n$ represents the intermediate quantity, not used in the encryption.

Logistic map
In the encryption algorithm proposed in [39], the chaotic sequence used for the permutation is generated by the Logistic map, which is described mathematically as follows: where represents the control parameter. When > 3.569945 , the Logistic map generates a chaotic sequence. $x_n$ represents the nth iteration, which will be applied for permutation. The initial value $x_0$ and the SPPV constitute the keys.

Encryption procedure
According to [39], the encryption process of the original algorithm is described as follows.

Key parameters
There are four key parameters in the original algorithm, which are the two initial values $x_0$ and $y_0$ of the Ikeda map, the initial value $x_0$ of the Logistic map and the SPPV.

Diffusion process
Suppose the size of the plaintext image is $H \times W$, and the image after two-stage diffusion is $EI_D$. The specific diffusion is as follows.
(a) Divide the plaintext image vertically into two sub-images $I_1$ and $I_2$, whose sizes are both $H \times W/2$.
(b) Obtain two chaotic sequences of equal length from Eq. (1), and use the algorithm in [40] to process the sequences, so that the values in the sequences are unique and within the interval; then, the size of the two sequences is deformed to be the same as the size of the sub-images $I_1$ and $I_2$. The processed sequences are, respectively, x and y, both of which are of size $H \times W/2$.
(c) Sort the sequence y column-wise to get the index matrix sort_indices_y, and sort the other sequence x according to sort_indices_y. Then, perform a bitwise XOR operation on it and the sub-image $I_1$, sub-image $I_1$ becomes $I_1$

Permutation process
(a) Calculate the SPPV and divide it by a certain power of 10 to make its value less than 1. Then, add the value to the initial value $x_0$ of the Logistic map and take the added result as the new one $x'_0$. Therefore, the generated sequence $x_n$ is related to the plaintext and the sequence length is $H \times W$.
(b) Carry out relevant numerical processing on the sequence $x_n$, so that the processed sequence $x'_n$ is an integer among [0, 7], and its length remains unchanged.
(c) Convert each pixel value in $EI_D$ into an 8-bit binary representation.
(d) The 8-bit binary formation of each pixel is cyclically shifted to the right according to the sequence $x'_n$, and then, all shifted binary bits are transformed to decimal numbers to obtain the final ciphertext. The permutation process is shown in Fig. 3.

Decryption procedure
Since the permutation is related to the SPPV, this additional information is required for decryption. The specific decryption process will not be explained in this article. Please refer to [39] for more details.

Security analysis of the original encryption scheme
The original encryption algorithm adopts a three-level encryption structure of diffusion-diffusion-permutation. Each pixel of the plaintext is diffused twice. The diffusion is realized by XORing the plaintext pixel with the diffusion sequence. Besides, neither stage of the diffusion has anything to do with the plaintext. The two-stage diffusion is equivalent to a one-stage diffusion on the basis of Proposition 1. Therefore, the original encryption structure is equivalent to the classic two-level encryption structure of diffusion-permutation, and the one-stage diffusion is still irrelevant to the plaintext. Consequently, an equivalent diffusion key exists. The permutation of the original encryption algorithm is carried out at the bit level. The decimal value of each pixel also changes when bit-level permutation is performed. In addition, the permutation sequence is associated with the SPPV, which makes the permutation more complicated. However, from the perspective of modern cryptography, there are still flaws in the confusion process. Although the permutation is related to the SPPV, the permutation sequences generated by the Logistic map are the same for all different plaintext images with equal SPPV, so the original algorithm has a series of equivalent permutation keys corresponding to the SPPV and can be cracked by CPA. An analytical method called codebook attack based on CPA is proposed in this section.
Fig. 3 Permutation process of the original encryption algorithm [39]

Proposition 1 The bitwise XOR operation satisfies the associative law, that is
According to Proposition 1, the two-stage diffusion of the original encryption algorithm can be equivalent to one-stage diffusion. As shown in Fig. 4, the output after two-stage diffusion is where X represents the equivalent diffusion key. The equivalent one-stage diffusion is shown in Fig. 5.
In summary, the flow of the original scheme is equivalent to that shown in Fig. 6.

Crack equivalent diffusion key
The diffusion sequence generated by the Ikeda map is independent of the plaintext. Therefore, the equivalent one-stage diffusion is still irrelevant to the plaintext, so an equivalent diffusion key exists. The diffusion key is composed of the two initial values $x_0$ and $y_0$ of the Ikeda map. From the perspective of modern cryptanalysis, knowing the diffusion sequence X has the same effect as knowing the original keys $x_0$ and $y_0$. Therefore, cracking the diffusion process of the original encryption algorithm can be summarized as follows. The problem of cracking the original diffusion keys $x_0$ and $y_0$ is transformed into that of cracking the equivalent diffusion key X, which is feasible mathematically.
In this section, the differential method is used to break the equivalent diffusion key X. Select two special plaintext images with the same SPPV to ensure that their permutations are the same. First, the equivalent permutation key corresponding to the equal SPPV is obtained. Second, the equivalent diffusion key X is acquired. The specific steps are as follows. Use the encryption machine to encrypt the two plaintexts $M_1$ and $M_2$, and ciphertexts $C_1$ and $C_2$ are obtained, respectively. The mathematical analysis is as follows. Equivalent diffusion → convert to 8-bit binary form → shift to the right circularly (bit-level permutation) → convert to decimal numbers.
The whole encryption process of plaintext $M_1$ is analyzed, and its equivalent diffusion process is as follows: where circshift(•, PM(i)) means that the 8-bit binary is cyclically shifted to the right, which belongs to the bit-level permutation process.
Convert to decimal numbers. Eqs. (5)-(8) are synthesized to obtain the following formula: By analyzing the whole encryption process of plaintext $M_2$ in the same way, we also achieve the following formula: the difference between Eqs. (9) and (10) is acquired as follows: The above equation can be further arranged as follows: Therefore, the equivalent permutation key PM corresponding to $M_1$ and $M_2$ is gained below
3. Crack the equivalent diffusion key. Since $M_1$ and $C_1$, $M_2$ and $C_2$ are known, the equivalent diffusion key X can be obtained by substituting Eq. (13) into Eq. (9) or Eq. (10). 8), PM(i))). 8), PM(i))).

Reveal a series of equivalent permutation keys corresponding to the SPPV
The original encryption algorithm proposed in [39] adopts bit-level permutation whose sequence is generated by the Logistic map. The key of the permutation is composed of the original initial value $x_0$ of the Logistic map and the SPPV. However, different plaintexts with the same SPPV share the identical permutation process. Therefore, the relationship between plaintext and permutation is not bijective, which gives rise to a series of equivalent permutation keys $P^{(SPPV)}$ corresponding to the SPPV. From the perspective of modern cryptanalysis, knowing the permutation sequence has the same effect as knowing the original keys $x_0$ and SPPV. Therefore, cracking the permutation process of the original encryption algorithm can be summarized as follows.
The problem of cracking the original permutation key $x_0$ and the SPPV is transformed into that of cracking a series of equivalent permutation keys $P^{(SPPV)}$ corresponding to the SPPV, which is feasible mathematically because the SPPV is predictable and finite in number. The equivalent diffusion key X has been cracked in Sect. 3.2, leaving only the bit-level permutation process unknown. Therefore, Fig. 6 can be further simplified to Fig. 7, where only bit-level permutation is connected between the plaintext and the ciphertext. This section selects a series of special plaintexts for encryption and analyzes the relationship between each pair of plaintext and ciphertext, which reveals the equivalent permutations corresponding to the SPPV. These special plaintexts include all possible SPPVs. For a grayscale plaintext image of size $H \times W$ and pixel level L, $SPPV \in [0, HW \times (L - 1)]$ and $SPPV \in \mathbb{Z}$. Therefore, only $HW \times (L - 1) + 1$ special plaintexts need to be selected to crack all the equivalent permutation keys. In other words, the original permutation has $HW \times (L - 1) + 1$ equivalent keys corresponding to the SPPV, which form the codebook. In this paper, the image of grayscale level L = 256 is taken as an example to illustrate the specific decoding steps.

Fig. 7 The framework for obtaining all equivalent permutation keys (diagram labels: plaintext, all pixel sum, add, secret key, Logistic map, known encrypted image after diffusion, bit-level permutation, ciphertext)
1. Select all-0 plaintext $M_0$ for encryption. The corresponding ciphertext is $C_0$. As shown in Fig. 7, the plaintext encryption process is analyzed as follows: where $P^{(0)}$ represents the equivalent permutation key when the SPPV is 0, and other symbols have the same meanings as above. According to Eq. (14), we can further obtain One can further obtain formula as below In the equation, compare() represents a function that compares the positional relationship of two 8-bit binary. The other symbols are the same as the above. The function of compare() is as follows.
2. Select the plaintext $M_1$ whose first pixel value is 1 and the rest are 0 for encryption. The corresponding ciphertext is $C_1$. The selected plaintext $M_1$ denotes the permutation when the SPPV is 1. Crack the equivalent permutation key $P^{(1)}$ corresponding to SPPV being 1 based on step 3.3.
3. Select the plaintext $M_2$ whose first pixel value is 2 and the rest are 0 for encryption. The corresponding ciphertext is $C_2$. The selected plaintext $M_2$ denotes the permutation when the SPPV is 2. Crack the equivalent permutation key $P^{(2)}$ corresponding to SPPV being 2 based on step 3.3.
4. Similar to the previous steps, gradually increase the first pixel value until it reaches the maximum value of 255; then the second pixel value continues to increase from 0 to 255, then the third pixel value continues to increase from 0 to 255, and so on, until the intensity level of the last pixel reaches 255. Then all the equivalent permutation keys corresponding to the SPPV have been deciphered, namely $P^{(SPPV)}$ $(SPPV = 0, 1, \cdots, HW \times 255)$, which is the codebook for the equivalent permutation.

Break the original encryption algorithm
So far, the equivalent diffusion key and all possible equivalent permutation keys of the original encryption algorithm have been cracked. This section studies how to use these equivalent keys to crack the original algorithm. In other words, an attacker could recover any ciphertext image back to the corresponding plaintext image according to these equivalent keys without knowing the original key. According to the equivalent flowchart of the original encryption algorithm shown in Fig. 6, this section starts from the equivalent permutation key $P^{(0)}$ of ciphertext image C, and all possible equivalent permutation keys $P^{(SPPV)}$ $(SPPV = 0, 1, 2, \cdots, HW \times 255)$ are traversed one by one so as to recover the corresponding plaintext M. Then, the SPPV of each recovered image is calculated. If the SPPV does not correspond to the equivalent permutation key used, the traversal continues until a recovered plaintext image $M_{SPPV}$ is found whose SPPV is consistent with the equivalent permutation key $P^{(SPPV)}$ used, which means that the image $M_{SPPV}$ is the true plaintext corresponding to the ciphertext image C. Consequently, the ciphertext image has been cracked successfully. The specific steps are as follows.
1. Decrypt the ciphertext image C according to the equivalent permutation key $P^{(0)}$ and the equivalent diffusion key X. Set the restored image as $M_0$. The analysis process is as follows. Each pixel of the ciphertext C is transferred into 8-bit binary expressed by $C_2$ Perform the bit-level reversed permutation of $C_2$ to get $D_2$ as below After converting $D_2$ to a decimal number, the image $M_0$ is obtained by reverse diffusion as follows: In Eqs.
sponding ciphertext C, and the cracking is successful. If the sum is unequal to 0, go to step 3.
3. Decrypt the ciphertext image C according to the equivalent permutation key $P^{(1)}$ and the equivalent diffusion key X. Set the restored image as $M_1$. The analysis process is as shown in Eqs. (17)-(19), where the sum of all pixel values of image $M_1$ is calculated. If the sum equals 1, it indicates that image $M_1$ corresponds to ciphertext C. If the sum is unequal to 1, then the equivalent permutation key $P^{(SPPV)}$ $(SPPV = 2, 3, \cdots, SPPV)$ and equivalent diffusion key X will continue to be selected for traversal until the restored image $M_{SPPV}$ corresponds to the equivalent permutation key $P^{(SPPV)}$ used. That is to say, the sum of all pixel values of $M_{SPPV}$ equals SPPV. Then, the image $M_{SPPV}$ is the authentic plaintext of the ciphertext C.
According to the above analysis, the algorithm to break the original encryption scheme is as follows.

Algorithm 2 Break the original encryption algorithm
Require: ciphertext image C. A series of equivalent permutation keys $P^{(SPPV)}$ $(SPPV = 0, 1, \cdots, SPPV)$. Equivalent diffusion keys X.
6: if sum(sum(M)) = SPPV then Break
7: end if
8: $M_{SPPV}$ ← M
9: end for
10: return $M_{SPPV}$

Optimized algorithm for deciphering the original encryption scheme
The cracking algorithm proposed in Sect. 3.4 traverses all candidate SPPVs, a clumsy approach that searches the whole solution space blindly and mechanically until the correct one is identified. For a plaintext image with a size of $H \times W$ and a pixel level of L, there are $HW \times (L - 1) + 1$ possible SPPVs, but for any particular plaintext image, the SPPV is unique. The true solution has to be sought out from $HW \times (L - 1) + 1$ candidates, for which the calculation amount is significant and the average efficiency of the algorithm is only $O(2/HW(L - 1))$. Evidently, the computation soars and the efficiency decreases further as the size and pixel level increase. To overcome these shortcomings, it is necessary to optimize Algorithm 2. The optimization starts from the characteristics of bit-level permutation and makes full use of them to compress the solution space. Some features of bit-level permutation are introduced below. First, for any 8-bit binary, only the 1 bits determine the pixel intensity, while the 0 bits contribute nothing. Second, a cyclic shift only changes the weight of each 1. It can neither increase nor decrease the number of 1s, nor change the relative positions among them. Third, any 8-bit binary can represent at most 8 decimal numbers when it is shifted circularly, since there are only 8 bits to move. The image with pixel level L = 256 is taken as an instance to analyze the optimization based on the above three characteristics. Any 8-bit binary under circular shift can only represent 8 decimal values, the gap between the minimum and maximum of which is narrower than [0, 255]. Hence, for an image subjected to bit-level permutation, the difference between the gross value of the minimum figures (MinGV) and that of the maximum ones (MaxGV) of all pixels is much smaller than $[0, HW \times 255]$.
For the convenience of analysis, we define the difference between MinGV and MaxGV as the effective solution space (ESS) without loss of generality. From the discussion above, it can be concluded that the ESS of the equivalent bit-level permutation is far smaller than $[0, HW \times 255]$. The solution space can be effectively compressed by introducing the ESS, which greatly reduces the computation and raises the efficiency of Algorithm 2. The specific steps of the optimization are given below.  According to the above analysis, the optimized algorithm for cracking the original encryption scheme is shown as Algorithm 3.

Algorithm 3 Optimized Algorithm for Deciphering the Original Encryption Scheme
Require: ciphertext image C. A series of equivalent permutation keys $P^{(SPPV)}$ $(SPPV = 0, 1, \cdots, SPPV)$. Equivalent diffusion keys X.

Numerical simulation experiment
To verify the effectiveness of the algorithms proposed in this paper to crack the equivalent diffusion key, reveal a series of equivalent permutation keys corresponding to the SPPV and optimize the deciphering scheme, a grayscale image with a size of 256 × 256 and pixel level of L = 256 is selected for the numerical simulation experiment. The experimental hardware platform is a laptop computer equipped with an Intel(R) Core(TM) i7-700 processor, the main frequency is 3.60 GHz, the memory is 16 GB RAM, the operating system is Windows 10, and the simulation software used is Matlab2019a.

Simulation experiment of cracking equivalent diffusion key
This section performs the numerical simulation experiment on cracking the equivalent diffusion key proposed in Sect. 3.2. Two special plaintext images $M_1$ and $M_2$ are selected, and the original encryption algorithm and key are adopted for encryption so as to obtain the corresponding ciphertext images $C_1$ and $C_2$. The equivalent diffusion key X of the original encryption algorithm is revealed by analyzing the differential image of the plaintext-ciphertext pairs. The values in the upper half pixels of the plaintext image $M_1$ are all 1 and the values in the lower half are all 0. The values in the upper half pixels of the plaintext image $M_2$ are all 0 and the values in the lower half are all 1. Obviously, the SPPVs of the two plaintext images are equal, so their permutation processes in encryption are identical, on the basis of which the equivalent diffusion key X can be obtained. The specific experimental steps are as follows.
1. The plaintext image $M_1$ is encrypted to obtain the ciphertext image $C_1$, as shown in Fig. 8.
2. The plaintext image $M_2$ is encrypted to obtain the ciphertext image $C_2$, as shown in Fig. 8.
3. Analyze the corresponding pixel values of differential plaintext image ΔM and differential ciphertext image ΔC, as shown in Fig. 8. Convert each pixel value of ΔM and ΔC into 8-bit binary representation. Then, solve the equivalent permutation key PM corresponding to plaintext $M_1$ and $M_2$ according to Algorithm 1.
4. Substitute the cracked equivalent permutation key PM into Eq. (9) to crack the equivalent diffusion key X.
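The differential step of Sect. 3.2 with the two chosen plaintexts of this experiment, as an added Python example that is not code from the paper or from [39]. It models only the equivalent cipher (one XOR diffusion, then a per-pixel right rotation keyed by the SPPV); the 4 × 4 size, the seeded PRNG standing in for the Ikeda-derived sequence, r = 3.99, the mod-1 wrap, the floor(8x) quantisation and the names make_oracle, recover_pm_and_x and try_entry are assumptions.

```python
import random

H, W = 4, 4                        # toy image size (constructed); H*W must be even
N = H * W
SCALE = 10 ** len(str(N * 255))    # power of 10 that brings any SPPV below 1


def ror8(v, k):
    """Rotate an 8-bit value right by k bits."""
    k %= 8
    return ((v >> k) | (v << (8 - k))) & 0xFF


def rol8(v, k):
    """Rotate an 8-bit value left by k bits (inverse of ror8)."""
    return ror8(v, -k)


def make_oracle(x0=0.3141, r=3.99, seed=2024):
    """Model of the equivalent cipher: C = ror8(M xor X, shift(SPPV)).

    Assumptions: X comes from a seeded PRNG standing in for the two-stage
    Ikeda diffusion; r, the mod-1 wrap and the floor(8x) quantisation are
    illustrative choices, not taken from [39].
    """
    rng = random.Random(seed)
    X = [rng.randrange(256) for _ in range(N)]   # plaintext-independent

    def shifts(sppv):
        x = (x0 + sppv / SCALE) % 1.0            # SPPV perturbs the Logistic seed
        seq = []
        for _ in range(N):
            x = r * x * (1.0 - x)
            seq.append(int(x * 8))               # integer in [0, 7]
        return seq

    def encrypt(m):
        return [ror8(p ^ x, k) for p, x, k in zip(m, X, shifts(sum(m)))]

    # The second return value is the secret material, used only to verify
    # the recovered values; the analysis itself never reads it.
    return encrypt, {"X": X, "shifts": shifts}


def recover_pm_and_x(encrypt):
    """Sect. 3.2: two chosen plaintexts with equal SPPV and M1 xor M2 = 1."""
    half = N // 2
    m1 = [1] * half + [0] * half       # upper half 1, lower half 0
    m2 = [0] * half + [1] * half       # upper half 0, lower half 1
    c1, c2 = encrypt(m1), encrypt(m2)
    pm = []
    for a, b in zip(c1, c2):
        delta = a ^ b                  # X cancels: delta == ror8(1, shift)
        bit = delta.bit_length() - 1   # position of the single set bit
        pm.append((8 - bit) % 8)
    x = [rol8(c, k) ^ m for c, k, m in zip(c1, pm, m1)]
    return sum(m1), pm, x


def try_entry(c, sppv, pm, x):
    """Sect. 3.4 check: undo permutation and diffusion, and accept the
    result only if its pixel sum matches the SPPV the entry belongs to."""
    cand = [rol8(ci, k) ^ xi for ci, k, xi in zip(c, pm, x)]
    return cand if sum(cand) == sppv else None


if __name__ == "__main__":
    encrypt, _secret = make_oracle()
    sppv, pm, x = recover_pm_and_x(encrypt)
    victim = [2, 0, 0, 1, 0, 3, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0]  # constructed, SPPV 8
    other = [9] + [0] * (N - 1)                                # constructed, SPPV 9
    print("entry for SPPV", sppv, "shifts:", pm)
    print("same SPPV :", try_entry(encrypt(victim), sppv, pm, x))
    print("other SPPV:", try_entry(encrypt(other), sppv, pm, x))
```

Any image whose pixel sum equals that of the two probes decrypts with the recovered pair (PM, X); an image with another SPPV needs its own codebook entry, which is what Sect. 3.3 enumerates.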

Simulation experiment of optimization algorithm to crack the original encryption scheme
In this section, Algorithm 3 is simulated to verify its effectiveness. Algorithm 3, which is based on Algorithm 2, is the optimized algorithm for deciphering the original encryption scheme. Its effectiveness adequately proves the validity of Algorithm 2. In this experiment, three plaintext images Lena, Boy, and Cameraman are selected for verification. At first, the three plaintext images are encrypted into ciphertext images, which are taken as the analysis objects. Algorithm 3 is used to crack the three ciphertext images, respectively. The recovered plaintext images are exactly the same as the real plaintext images Lena, Boy, and Cameraman, as shown in Fig. 10. Therefore, the cracking is successful and Algorithm 3 is effective, as is Algorithm 2.

A simple example analysis
To vividly explain the whole process of cracking the original encryption algorithm, an image with a size of 3 × 3 and a grayscale level of L = 256 is taken as an example to illus-  Table 2, among which only one is correct.

Attack complexity
Attack complexity includes time complexity and data complexity. Time complexity has a lot to do with the computer hardware configuration. The time required to crack the same algorithm is different for computers with different configurations. Therefore, it is meaningless to measure the pros and cons of the cracking algorithm by discussing the time complexity. The analysis here focuses on data complexity, which refers to the amount of data needed to crack the original encryption algorithm. The algorithm for cracking the equivalent diffusion key proposed in this paper only needs two plaintext images. Since the permutation is related to the SPPV, the number of images needed for cracking is determined by the number of SPPVs. For the image with a size of $H \times W$ and grayscale level of L used in this experiment, $HW \times (L - 1)$ images are taken to crack all of the equivalent permutation keys, which a modern computer is capable of handling. If a brute force attack is used to break all the equivalent permutation keys, the computation is as much as $8^{H \times W}$, which is obviously beyond the capability of modern computers. Therefore, compared with the brute force attack method, the data complexity of the attack method proposed in this paper is not high.
SPPV Yes [42] SPPV Yes [43] SPPV and Maximum pixel value partially feasible c [44] SPPV Yes

Discussion
In this section, some improvement measures based on the original algorithm are suggested to resist the codebook attack proposed in this paper, followed by a discussion of the general application of the codebook attack.

The improved scheme
The success of the codebook attack proposed in this paper mainly depends on two significant vulnerabilities in [39] (refer to Sects. 3.2 and 3.3). First, diffusion is independent of plaintext; all encrypted images use the same sequence. Second, different images with the same SPPV share the identical bit-permutation. In fact, encryption related to a statistical value of the plaintext image, such as SPPV, average pixel value, and so on, is very weak. According to Kerckhoffs's principle, all these values are public except the key. Consequently, the equivalent codebook of the original encryption algorithm can be obtained by launching a chosen-plaintext attack (CPA). Judging from the analysis above, several targeted measures are put forward to enhance the security of the original algorithm:
(I) A plaintext-related diffusion mechanism is suggested for the encryption implementation. Because the original diffusion has nothing to do with plaintext, the attacker deciphers it easily. Introducing plaintext-correlated mechanisms in diffusion could evidently increase the difficulty of deciphering.
(II) Make permutation associated with quantities of the plaintext other than SPPV. Once the size and grayscale level of an image are determined, the SPPV is predictable. Thus, the equivalent codebook could be computed completely, which allows an attacker to crack the ciphertext image. Therefore, it is necessary to adopt other correlation quantities, such as a hash value, some special pixels in the plaintext, and so on.
(III) Due to the bad chaotic behaviors of the Logistic map, other nonlinear systems with better random performance are recommended.
The above strategies help to improve the security of the original encryption scheme and avoid the codebook attack.

Extension and application to general cryptanalysis
In this section, a more general framework of the codebook attack in cryptanalysis is summarized, based on which a class of image ciphers is deciphered. In particular, for those ciphers associated with plaintext image statistics that are available to the analyst [32, 41, 42, 43, 44], the codebook attack is almost always feasible. The general procedure of the codebook attack mainly includes two parts, described below.
1. Compute the codebook. The key used for generating the sequence varies with SPPV. The true SPPV is not available to the cryptographer, while all possible ones are predictable. Consequently, every equivalent key P(SPPV) corresponding to an SPPV could be calculated to establish a codebook (SPPV, P(SPPV)) for the encryption algorithm. For an image with large size and high grayscale level, it can be foreseen that this workload is significant without any knowledge of SPPV. However, modern high-performance computers are fully capable of it.
2. Break the cipher by comparing it with the codebook. Calculate the SPPV of the deciphered image, and if it matches the equivalent key P(SPPV) used for the attack, then the true plaintext image is found. In the worst-case scenario, candidates need to be tried one by one until the true one is found. Fortunately, due to other vulnerabilities of the original algorithm, the search process can mostly rely on an optimization scheme, which effectively compresses the solution set space (refer to Sect. 3.5).
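The SPPV weakness, measure (II) of the improved scheme, and the bound behind step 1 can be checked with the following added example. It is not code from the paper or from the scheme in [39]: it uses a simplified stand-in bit permutation, and the key, the two 3 × 3 images, the seed mapping and the logistic-map parameters are all constructed assumptions.

```python
import hashlib
import hmac

H, W, LEVELS = 3, 3, 256                      # toy size of the paper's 3 x 3 example
MAX_SPPV = H * W * (LEVELS - 1)               # pixel sums range over 0 .. MAX_SPPV
KEY = b"constructed-demo-key"                 # constructed secret, not from the paper
IMG_A = [10, 20, 30, 40, 50, 60, 70, 80, 90]  # constructed plaintext, SPPV 450
IMG_B = [11, 19, 30, 40, 50, 60, 70, 80, 90]  # two pixels differ, SPPV still 450

def unit_float(data):
    """Map bytes to a float strictly inside (0, 1)."""
    return (int.from_bytes(data[:6], "big") + 1) / (2**48 + 2)

def logistic_permutation(x0, n=8 * H * W, r=3.99, burn_in=200):
    """Rank the n bit positions by a logistic-map orbit (stand-in generator)."""
    x, orbit = x0, []
    for step in range(burn_in + n):
        x = r * x * (1.0 - x)
        if step >= burn_in:
            orbit.append(x)
    return tuple(sorted(range(n), key=orbit.__getitem__))

def perm_from_sppv(key, sppv):
    """Weak: the plaintext reaches the seed only through its pixel sum."""
    base = unit_float(hashlib.sha256(key).digest())
    return logistic_permutation((base + (sppv + 1) / (MAX_SPPV + 2)) % 1.0)

def perm_from_digest(key, pixels):
    """Measure (II): the seed depends on a keyed hash of every pixel."""
    tag = hmac.new(key, bytes(pixels), hashlib.sha256).digest()
    return logistic_permutation(unit_float(tag))

def sppv_table(key):
    """Every permutation the weak derivation can ever produce, keyed by SPPV."""
    return {s: perm_from_sppv(key, s) for s in range(MAX_SPPV + 1)}

def audit(key=KEY):
    """Compare both derivations on two distinct images with equal SPPV."""
    table = sppv_table(key)
    return {
        "table_entries": len(table),
        "weak_collides": perm_from_sppv(key, sum(IMG_A)) == perm_from_sppv(key, sum(IMG_B)),
        "hashed_collides": perm_from_digest(key, IMG_A) == perm_from_digest(key, IMG_B),
        "hashed_in_table": perm_from_digest(key, IMG_B) in table.values(),
    }

if __name__ == "__main__":
    print(audit())
```

The weak derivation is exhausted by a table with one entry per possible pixel sum, whereas the keyed-hash derivation gives the two images different permutations that the table does not contain.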
It is worth noting that the idea of the codebook attack can be extended to other cryptosystems, such as text encryption, biometric systems, telemedicine, and so on [45]. As long as the associated quantity is predictable and limited, this method can be applied for deciphering. For the sake of clarity, the related quantities of five encryption schemes and the analysis results are listed in Table 3.

Conclusion
This paper measures the security of a plaintext-related encryption scheme. The analysis results show that the diffusion-diffusion-permutation structure is equivalent to a typical diffusion-permutation structure. There exists an equivalent diffusion key because diffusion is independent of plaintext. The permutation is related to SPPV. However, security analysis finds that the permutation is identical for different plaintexts with the same SPPV, which is not bijective. Consequently, there still exists a series of equivalent permutation keys corresponding to the SPPV. In this paper, the differential method is used to analyze two distinct plaintexts sharing the same SPPV in order to crack the equivalent diffusion key of the original algorithm. Then, various plaintext images with all candidate SPPVs are selected for encryption to break the equivalent permutation key corresponding to each SPPV. Finally, the codebook of equivalent permutation keys for the original encryption scheme is established. The original encryption algorithm is eventually cracked with the equivalent diffusion key and the codebook. Both theoretical analysis and experimental results demonstrate that the codebook attack method proposed in this paper is effective in cracking the original encryption scheme. Evidently, for encryption schemes whose associated quantities are unpredictable or infinite, the codebook cannot be established and the codebook attack is invalid. However, as long as the associated quantity of the plaintext is publicly available according to Kerckhoffs's principle, the equivalent codebook of the original encryption algorithm can be calculated. Thus, codebook attacks are feasible for cracking this type of cryptosystem. Undoubtedly, all the encryption schemes related to SPPV can be cracked by the codebook attack proposed in this paper. Consequently, the codebook attack method has a certain universality, and it is beneficial for improving the robustness and security of newly designed encryption schemes in the future.
Funding This work was supported by the National Natural Science Foundation of China (No. 62271157), and the Natural Science Foundation of Guangdong Province (No. 2022A1515010005).
Data availability All data generated or analyzed during this study are included in this published article.