Abstract: A encryption algorithm named redundant transfer based on high-capacity reversible data hiding in encrypted images scheme was proposed by Qin et al, which effectively improved the ability to resist existing known-plaintext and cipher-only attacks. Based on the analysis of the redundant transfer image encryption characteristics, a known-plaintext attack method is proposed based on the non-zero-bit number (NZBN). Firstly, the NZBN feature of the image block is defined, and the analysis points out the constant invariance of the NZBN feature of image block before and after the redundant transfer image encryption. And then, the block scrambling key and the bit-plane scrambling key of each image block are estimated in turn by using the invariance of the NZBN feature. Next, the block scrambling key estimation method under the condition of multiple pairs of plain-ciphertext images is given to further improve the estimation accuracy of the block scrambling key. Finally, the key estimation accuracy and time complexity of the proposed method are discussed under different block sizes. Experimental results demonstrate that the key estimation accuracy and time complexity of the algorithm depend on the block size. When the block size is not less than 4×4 pixels, the correct rate of block scrambling key obtained from a pair of plain-ciphertext images exceeds 89%. Even if the block size is reduced to 2×2 pixels, two pairs of plain-ciphertext images may cause information leakage.