† Corresponding author. E-mail:

A novel image encryption method based on the random sequence generated from the generalized information domain and permutation–diffusion architecture is proposed. The random sequence is generated by reconstruction from the generalized information file and discrete trajectory extraction from the data stream. The trajectory address sequence is used to generate a P-box to shuffle the plain image while random sequences are treated as keystreams. A new factor called drift factor is employed to accelerate and enhance the performance of the random sequence generator. An initial value is introduced to make the encryption method an approximately one-time pad. Experimental results show that the random sequences pass the NIST statistical test with a high ratio and extensive analysis demonstrates that the new encryption scheme has superior security.

With the development of information technology and the Internet, digital images have been widely used in many areas. The security of images in some special areas, such as health systems, military systems, geographic information systems (GIS) or images of business and personal privacy has become an important issue. Image encryption is different from text encryption due to some inherent features, such as bulk data capacity, high correlation among pixels and high redundancy. Thus, most conventional ciphers, such as DES (data encryption standard), IDEA (international data encryption algorithm), AES (advanced encryption standard), etc. are not suitable for image encryption especially in real time encryption.

There is a wide range of algorithms used in image encryption such as cellular automaton (CA),^{[1–3]} DNA computing,^{[4–6]} and chaotic systems. Chaotic systems have several significant features favorable to secure communications, such as ergodicity, sensitivity to initial conditions, control parameters and random-like behavior, which can be connected with some conventional cryptographic properties of good ciphers, such as confusion and diffusion. After Matthews proposed the chaotic encryption algorithm in 1989,^{[7]} increasingly research of image encryption technology is based on chaotic systems.

Many chaos-based cryptography schemes have shortcomings. One is the short cycle length resulting from the finite precision of computers which makes various attacks possible.^{[8,9]} To extend the cycle length of chaotic systems, some chaotic stream ciphers utilized dual chaotic systems or hyper chaotic systems.^{[10–13]} Another problem is that the key stream generated by the chaotic map is completely dependent on the secret key and remains unchanged to any plain image, which is insecure against chosen plain text attack.^{[14]} In Ref. [14], a new block encryption scheme was proposed by combining circular bit shift and XOR operations based on iterating a chaotic map. Li *et al.*^{[15]} showed that there are some security defects in such a scheme (proposed in Ref. [14]) and most elements in the underlying chaotic pseudorandom bit sequence can be obtained by a differential known plain text attack using only two known plain texts. To solve this problem, some approaches that try to make the encryption process or the key stream related to the plain image were proposed. In Ref. [16], a chosen plain text attack of Ref. [14] was presented because of the plain text-independent key stream, and an improvement was suggested by using a ciphertext feedback mechanism. Xu *et al.*^{[17]} analyzed and improved the above algorithms by using Chen chaotic system instead of a logistic map for better random number sequence and setting the parameter of the Chen map using the last one byte of encrypted plain text after every iteration. Wang *et al.*^{[18]} proposed an algorithm using a logistic map in which the shuffling and diffusion are performed simultaneously and the chaotic maps' states are altered according to the encrypted pixel. Zhang *et al.*^{[19]} employed a plain text feedback in permutation using the max and sum of the pixel value of the plain image and a plaintext/ciphertext feedback in diffusion. The permutation process behaves in a “one-time pad” manner and the diffusion process is sensitive to changes of plain image. Chen *et al.*^{[20]} presented an image encryption scheme with a dynamic state variables selection mechanism. The state variables generated from chaotic systems are distributed to each pixel dynamically and pixel-relatively in both permutation and diffusion procedures. Dong^{[21]} proposed a color image encryption scheme using one-time keys based on coupled chaotic systems. It employed secure hash algorithm 3 (SHA-3) combined with the initial keys to generate the new keys which would change in each encryption process.

The permutation–diffusion structure^{[22]} is the most common and effective encryption architecture and has become the basis of many chaotic image encryption schemes since Fridrich developed a chaos-based image encryption scheme of this structure in 1998,^{[23]} which was first cryptanalyzed in Ref. [24] using a chosen-ciphertext attack. It is composed of two steps: pixel permutation and diffusion. In the permutation process, the positions of image pixels are changed. In the diffusion process, the pixel values are modified sequentially so that a tiny change for one pixel can spread out to almost all pixels in the whole image. Zhang *et al*.^{[25]} used a skew tent map to generate random sequences then sort the sequence to get index sequence as a P-box with the same size of the plain image which totally shuffled the plain image. Zhang *et al*.^{[26]} sorted random chaotic sequences to get the index sequence as small permutations and then constructed large permutation from the small permutations and totally shuffled the plain image. General permutation-only image encryption algorithms have been quantitatively cryptanalyzed^{[27]} and one round permutation–diffusion is not secure enough especially against chosen plain text attack.^{[28]} Therefore, many image encryption algorithms employ the permutation–diffusion process by two rounds or more.

Zhang *et al*.^{[29]} proposed a random number generator based on discrete trajectory transform in generalized information domain (RGDG) which has superior randomness. RGDG has a time-related initial value so that it can generate different random sequences every time. In this paper, our main contribution includes: 1) We introduce a new factor called drift factor (DF) and develop an improved algorithm of RGDG called RGDG-DF, which has an increased speed. 2) RGDG has an initial value IV = {*t*,*r*,*u*} where *t* is system time, *r* is a system random number and *u* is user’s personalized input. In RGDG-DF, IV = {ST, SI, UI}, where ST is system time, SI is system identifier that is unique, such as hard disk number of the machine and UI is user input. 3) IV is employed in RGDG-DF in a feedback mechanism. In every encryption process, IV is different so that random sequences generated by RGDG-DF are different by time and space. The image encryption scheme is an approximately “one-time pad”. 4) We propose an image encryption scheme based on RGDG-DF. The trajectory address sequence generated by RGDG-DF is used to create a P-box with the same size of plain image. A new permutation method is proposed to shuffle the positions of pixels totally using the P-box. The random sequences of RGDG-DF are used as keystreams in the diffusion steps. 5) This algorithm has a generalized key which only needs to be settled in the first time at both communication sides. No secret key needs to be exchanged during the encryption process. Experimental results show that the random sequences pass the NIST statistical test^{[30]} with a high ratio and the new encryption scheme has feasibility and superiority.

The rest of the paper is organized as follows. In Section 2, we describe the generalized information domain, RGDG, and the proposed RGDG-DF. In Section 3, we describe the scheme of image encryption and decryption. The experimental results and security analysis are given in Section 4. Finally, Section 5 concludes the paper.

Generalized information domain (GID) is the space of all kinds of digital information stored in digital equipment or transferred over the Internet that can be expressed by binary code. With the development of the information technology and the Internet, GID is so large that it can be seen as an infinite space to some extent. In this paper, we denote the generalized information file as GIF which refers to the file in GID. Because of the diversity of users in cultural background, career, interests, habits and so on, the user’s choice of GIF from GID can be seen as random behavior and an entropy source that is easy to get without any other facility. Zhang *et al.*^{[29]} proposed a random number generator based on discrete trajectory transform in the generalized information domain (RGDG). In RGDG, they first reconstruct the GIF and user input using shift operation with restriction condition to get the data stream which has good statistical properties and appropriate length denoted by background (BG). Then, a discrete trajectory extraction (DTE) method is proposed to extract the random number from BG. A system random source called initial value IV = {*t*,*r*,*u*} where *t* is system time, *r* is a system random number, and *u* is the user’s personalized input that is introduced. IV is used to calculate the extraction position and the extracted data is used in updating the IV in a feedback mechanism. Experimental results showed that RGDG had superior randomness and passed the NIST statistical test with a high ratio. However, we found that RGDG spends most of the time on calculating extraction positions. To speed up RGDG and preserve its good property at the same time, we propose an accelerated scheme based on drift factor (DF) in this paper, called RGDG-DF. DF is 32-bit vector used in the process of calculating extraction positions in Section 2.3.

According to Ref. [29], GIFs usually have bad statistics properties such as low information entropy, high correlation coefficient, etc. To generate random number sequences, we also reconstruct GIF first to get a sequence with an appropriate length and good statistics properties which is called BG.

The reconstruction process includes *n* rounds. We note GIF as RB_{0} (reconstruction block) and the result of the *i*th round of reconstruction as

*S*,

*L*) = ({

*s*,

_{i}*l*}) (

_{i}*i*= 1,2,…,

*n*), where

*s*means the starting position of round

_{i}*i*and

*l*means the length of sequence of round

_{i}*i*. The reconstruction process is given below in detail

*s*+

_{i}*j*)/

*l*

_{i−1}⌋ bits.

In Eq. (*C* = {*c _{k}*} (

*k*= 0,1,…,255) is introduced, where

*c*records the frequency of code

_{k}*k*during the extraction process of each round and

*c*

_{min}= min{

*c*} (

_{k}*k*= 0,1, …,15). At the beginning of each round,

*C*will be reset to zero. The restriction condition

^{i}to be balanced. The restriction factor

*q*

_{1}is used to control the degree of the balance level. If

*q*

_{1}gets smaller, the restriction condition becomes more critical and the frequency distribution of the code sequence is more balanced. It is proved in Ref. [29], if

*l*> 255 ×

_{i}*q*

_{1}, each code of RB

^{i}exits and the frequency difference of any two codes is no more than

*q*

_{1}. After

*n*rounds of reconstruction, we obtain a sequence RB

^{n}and note it as BG = {

*b*}, where

_{i}*b*∈ {0,1, …,255} (

_{i}*i*= 0,1,2, …,

*l*− 1).

_{n}BG cannot be used as random sequence directly because it has some regular pattern, not random. Therefore, an extraction method is used to generate random number sequences. The process of generating random number sequences SK and trajectory sequence PK from BG can be presented as (SK,PK) = *f* (BG,IV,*D*), where *f* is the extraction function. In each extraction operation, four bits of data are extracted from BG and added into the final random sequence based on some restriction condition. We introduced another counter vector denoted by *c _{k}* records the frequency of code

*k*during the extraction process,

*C*′ is initialized as zero and

The extraction process is given as follows.

*x*_{0},*x*_{1}, …,*x _{m}*). The size of

*x*(

_{i}*i*= 0,1, …,

*m*) is 32 bits.

*a*=

_{i}*x*mod

_{i}*d*,

_{i}*D*= (

*d*

_{0},

*d*

_{1}, …,

*d*), and

_{m}*d*∈ ℤ

_{i}^{+}(

*i*= 0,1, …,

*m*).

*ω* to initialize DF using formula

*M*. If *M* cannot satisfy the restriction condition (i): *M* satisfying condition (i).

*M* four times. Then go to Step 9 until we obtain sequence of requested length.

*x*_{0},*x*_{1}, …,*x _{m}*) is seen as a 32 ×

*m*-bit-long sequence. Left shift four bit of AI and add four bits data

*M*from Step 6 into the rightmost four bit of AI then get the new AI. Then go to Step 3.

Repeat Steps 3–9 until we get sequence SK of requested length. Another sequence SK′ can be generated similarly. In addition, we record the ta sequence denoted by PK which will be used in the permutation part of the image encryption process.

In RGDG, analysis results show that the computation of Eq. (*M* is used to update DF in a feedback mechanism which makes the extraction process more complex. Figure

RGDG-DF has key *K* = {GIF, (*S*,*L*),*D*}, parameters *q*_{1} and *q*_{2}. The suggested value ranges of parameters are summarized as below.

The encryption algorithm is based on the permutation–diffusion architecture. The random sequence PK is used to generate a P-box then shuffle the plain image while SK′ and SK are used to diffuse the shuffled image. Some papers^{[16,28]} have shown that one round permutation–diffusion is not secure enough especially against chosen plain text attack. Therefore, we add a pre-diffusion to confuse the plain image. Moreover, a new shuffle method is proposed in the permutation process. When encrypting any two images the IVs are different in time and space because ST is different in time and SI is different in space. In practical situations, different IVs usually result in different keystreams. Thus, this encryption algorithm is an approximately one-time pad.

Without loss of generality, we assume the plain image is a 256 gray-scale image of size *M* × *N* which can be seen as a one-dimensional vector *P* = (*p*_{1},*p*_{2}, …, *p*_{M×N}), where *p _{i}* denotes the gray level of the image pixel in the row floor (

*i*/

*N*) column mod (

*i*,

*N*). The algorithm can be described as below.

*c*_{0} and three random sequences PK, SK′, and SK as described in Section 2.

_{1},pk_{2},…,pk_{M×N}) and obtain

*c*is the gray level of the cipher image pixel.

_{i}The decryption process is similar to the encryption process and is the inverse of the encryption process.

*c*_{0} and three random sequences PK, SK′, and SK as described in Section 2.

*T* using the same method as Step 2 in the encryption process.

*T* and obtain the middle cipher image

*P* = (*p*_{1},*p*_{2}},…,*p*_{M×N}) from

In our scheme, we propose a new shuffle method shown in Eq. (*T* and does not need to calculate the inverse permutation sequence. This makes the decryption process more efficient.

We choose 10 groups of different keys and parameters as shown in Tables ^{[30]} a statistical package consisting of 15 tests for random and pseudo-random number generators for cryptographic applications. The results are shown in Table

From Tables

Key space size is the total number of different keys which can be used in the encryption. A good encryption algorithm should be sensitive to the secret keys, and the key space should be large enough to make brute-force attack impossible.

In our algorithm, GIF together with parameters (*S*,*L*), *D* denoted by *K* = {GIF, (*S*,*L*),*D*} can be seen as generalized key compared with traditional symmetric cryptography. This generalized key is different from the traditional key of a modern cryptography system such as DES, AES in three ways: (i) the length or size of *K* is not fixed, (ii) the key space is infinite, (iii) *K* can be stored in the facility of both sides of the communication and does not need to be transferred in a long time. GIF can be any digital file from the GID so its space is infinite theoretically. As mentioned before, we suggest that the size of GIF should range from 0.5 KB to 10 MB. Suppose the size of GIF is 1KB, then the space of GIF is 2^{1024×8} = 2^{8192}. (*S*,*L*) = {(*s _{i}*,

*l*)}, (

_{i}*i*= 1,2,…,

*n*), where

*s*and

_{i}*l*are 32-bits integer and

_{i}*n*∈ [3,7]. Suppose

*n*= 3, then the space of (

*S*,

*L*) is 2

^{32×2×3}= 2

^{192}.

*D*= (

*d*

_{0},

*d*

_{1},…,

*d*), (

_{m}*i*= 0,1, …,

*m*), where

*d*is 32-bits long. If

_{i}*m*= 4, then the space of

*D*is 2

^{32×5}= 2

^{160}. Thus, the key space of our algorithm is at least 2

^{8192+192+160}= 2

^{8544}which is so huge that it can prevent brute-force attack.

For experimental analysis, IV remains unchanged in Subsection 4.3–4.5 and the corresponding AI is given in Table *K*_{0} = {GIF_{0}, (*S*_{0},*L*_{0}),*D*_{0}} and parameters used in Subsections 4.3–4.5 are also shown in Table

Image histogram is a very important feature in image analysis. Figures

Correlation between pixels is an important intrinsic feature of an image. To resist statistical analysis, a good encryption algorithm should remove the high correlation of the plain image. We select all the pairs of two-adjacent pixels in vertical, horizontal, and diagonal directions from the plain image and the cipher image, and calculate the coefficient by

*x*and

*y*are gray-scale values of two adjacent pixels in the image and

*N*is the total number of pixels.

We test the correlation coefficients of adjacent pixels in the plain image “Lenna” and its cipher image and the result is listed in Table

The information entropy is an important feature of the randomness and the information entropy *H*(*s*) of a message source *s* can be calculated as

*p*(

*s*) denotes the probability of symbol

_{i}*s*. For a true random 256 gray-scale image, the entropy should be 8. The entropy of cipher images of three plain images “Lenna”, “Baboon”, and “Pepper” is shown in Table

_{i}^{[18,19,25]}are shown in Table

In order to measure the different ranges between two images, we use NPCR (number of pixels change range) and UACI (unified average changing intensity),

*c*

_{1}and

*c*

_{2}are two images with the same size

*W*×

*H*. If

*c*

_{1}(

*i*,

*j*) =

*c*

_{2}(

*i*,

*j*),

*D*(

*i*,

*j*) = 1; otherwise

*D*(

*i*,

*j*) = 0.

Key sensitivity is an essential feature for any good cryptosystem which guarantees the security of the cryptosystem against the brute-force attack to some extent. In the proposed algorithm, the generalized key *K* = {GIF, (*S*,*L*),*D*} is composed of several parts so we run several tests for each part of the key *K* separately. We randomly change one bit of GIF 1000 times to get 1000 slightly different GIFs and keep (*S*,*L*), *D* unchanged. We encrypt image “Lenna” using *K*_{0} and these 1000 keys and calculate the average NPCR and UACI of the cipher images using Eqs. (*s*_{1},*l*_{1}) and the only changed bit may not belong to the effective GIF. However, the effective GIF is large enough to resist the brute force attack. The average results of the 971 groups are shown in Table *S*_{0},*L*_{0}) by adding or minusing 1 separately and get a series keys. We encrypt image “Lenna” using *K*_{0} and these keys and calculate the average NPCR and UACI of the cipher images. The average results are shown in Table *x*_{0},*x*_{1}, …,*x _{m}*) is the hash transformation result of IV. For simplification, we test the sensitivity of AI instead of IV. We choose AI

_{0}= (

*x*

_{0},

*x*

_{1}, …,

*x*) and

_{m}*K*

_{0}to encrypt plain image “Lenna” and then encrypt the same image with the same

*K*

_{0}and other slightly different AIs. The NPCR and UACI between the cipher images are given in Table

In order to resist differential attack, a tiny change in the plain image should cause a substantial change in the cipher image. Given a 256 gray-scale plain image *P* of size 256×256 and get a *P*′ which only has a single pixel difference in a random position (*i*, *j*), where *i*, *j* = 0,1, …,255,

Encrypting *P* and *P*′ obtains the cipher images *C* and *C*′, then we calculate NPCR and UACI using Eqs. (

We have used Microsoft Visual Studio 2010 to run RGDG,^{[29]} RGDG-DF, encryption and decryption programs in a personal computer with an Intel Core i3 CPU 2.53 GHz, 2 GB memory and 250 GB hard-disk capacity, and the operation system is Microsoft Windows 7. The average speed of RGDG-DF is 8.29 M/s and the average speed of RGDG is 5.78 M/s. The average time of encryption/decryption on 256 gray-scale images of size 512 × 512 is 150 ms. Considering the speed of the Internet transmission, our algorithm can well satisfy the practical situation.

Compared with that in Ref. [29], we add a random value SI in the initial value IV. It can be deduced that when encrypting any two images, IVs must be different. ST is system time generated by computer system so when encrypting images at different times the STs are different. SI is system unique identifier such as hard disk number, mainboard number, etc. When encrypting the two images at the same time then they must be at different machines so that SIs are different. It is easy to notice that Eq. (*A* = (*a*_{0},*a*_{1}, …,*a _{m}*). Therefore, in a practical situation, different IVs usually result in different random streams. Thus, every encryption uses different keystreams and this encryption method is an approximately one-time pad. Therefore, the attacks proposed in Refs. [15], [16], and [28] become ineffective to this new scheme. The proposed scheme can easily resist the known plain text and the chosen plain text attacks.

Key management includes key storage, key backup/recovery, and key period. In our scheme, the key *K* = {GIF, (*S*,*L*),*D*} can be seen as a generalized key compared with traditional symmetric cryptography. The process of the communication in practical usage is shown in Fig. *K* only needs to be settled by both sides of the communication in the first time and can be stored at the machine of both sides. No secret key needs to be exchanged during the encryption process. IV and the cipher image are sent to the receiver on a public channel. Therefore, our scheme can tremendously reduce the risk of key leakage. For example, the sender and receiver choose the newest installation package of iTunes as GIF. The key {(*S*,*L*),*D*} is exchanged on a safety channel. GIF can pretend to be an ordinary file in the computer and does not need to be stored securely. In addition, the backup GIF can be found on the Internet anytime which is very convenient. The period of ST is 2^{32}/(60 × 60 × 24 × 365) = 136 year (when the time unit is seconds). When a longer period is needed, a larger ST such as 64 bits could be applied, so in a quite long time, both the sender and receiver do not need to change the key for safety which saves sources from key distribution and exchange.

In this paper, we propose a novel image encryption method based on random sequence generated from generalized information domain and permutation–diffusion architecture is proposed. This algorithm takes user’s random choice of the GIF as the entropy source and generates a random sequence by reconstruction from GIF and discrete trajectory extraction from the data stream. A new drift factor is introduced to accelerate and enhance the random generator. The trajectory address sequence is used to generate a P-box and then shuffle the plain image conpletely using a new permutation method and the random sequence is used as the keystream. A unique IV composed of ST, SI, and UI is introduced to make the encryption method an approximately one-time pad. Thus, the proposed scheme shows good resistance to the known plain text and the chosen plain text attacks. Experimental results show that the random sequences can pass the NIST statistical test with a high ratio. The key space is large enough to resist brute-force attacks. Statistical analysis shows that the cipher image of the scheme has high information entropy and low correlation coefficients so that it can resist statistical attack. The scheme has high key sensitivity and plain text sensitivity to anti differential attack. Moreover, the scheme has a high encryption speed. This algorithm has great advantages in practical use especially in some special areas which require high security such as military systems.

**Reference**