In this subsection, the example of ASAD in Ref. [27] is described. The sketch of the encryption scheme is shown in Fig. 1, and the encryption steps are described as follows.

Fig. 1.

	Figure Option ViewDownloadNew Window
	Fig. 1. Sketch of original scheme.

Step 1 The chaotic map used in Ref. [27] is a logistic map, which is defined as

Step 2 The size of the plain image is M × N. The MN pseudo random numbers {d_i} (i = 0,1,2, …, MN − 1) are obtained by Eq. (1) and the numbers ranging from 0 to 2 are obtained by the operations of discrete format and module, the {d_i} denotes the distribution map.

Step 3 Construct three S-boxes, i.e., AES S-box, Gray S-box, and Hussain’s S-box. The distribution map {d_i} is used to map the pixels into one of the three S-boxes. Then the pixels in the plain image are substituted by the selected S-box, while the candidate elements in the S-boxes are decided by the pixels in the plain image. So the substituted image is obtained.

Step 4 Divide the substituted image into nonoverlapping blocks of Z × Z elements, then the size of Z × Z pseudo random numbers S are generated through the logistic map. The first block in the cipher image is obtained by Eq. (2) where ⊕ is the bit-wise XOR operation and B₁ is the first block in the substituted image.

Step 5 Each K-th (K ≥ 2) block in the substituted image is XORed with the (K − 1)-th block in the cipher image. The process of encryption is described as follows:

The potential defects of the above encryption scheme based on ASAD are summed up as follows.

1) Unsafe diffusion process The diffusion process is easily cracked by the cipher-only attack, so the substituted image without the first block is obtained. The attack method is shown below.

2) Ineffective diffusion process While one pixel is changed in the plain image, there are few changed pixels in the cipher image. So the encryption scheme cannot resist the chosen-plaintext attack.

3) Separated processes of substitution and diffusion While the diffusion process is unsafe and unrelated to the substitution, the attackers can crack the diffusion process and obtain the equivalent key streams first, then the process of substitution is useless and the whole encryption scheme is cracked.

The encryption scheme in Ref. [27] was attacked in Ref. [31] and described as follows. Firstly, the substituted image without the first block was obtained by the cipher-only attack shown in Eq. (4). Then the distribution map {d_i} (i = Z, Z + 1, …, MN − 1) without the first block and mappings of the three S-boxes used in the substitution were obtained. So far, the substitution process was clear and the plain image without the first block was obtained. Finally, the distribution map {d_i} (i = 0, 1, …, Z − 1) in the first block was obtained to restore the chaotic block S used in the diffusion, so the process of diffusion was clear and the plain image was recovered totally.

The novel attack method simplifies the process of cryptanalysis compared with the attack method in Ref. [31], while it does not need to know the whole distribution map {d_i} and the three S-boxes used in the substitution process. As shown in Eq. (2), the first block in the cipher image is obtained by the bit-wise XOR operation. The two processes of substituting the pixels by S-boxes and the bit-wise XOR operation based on chaotic block S can be equivalent to one mapping operation, so neither the first block in the substituted image nor S needs to be known. The novel attack method establishes the whole coding table T to reveal the correspondence between the pixels in the cipher image and plain image intuitively, so the pixels in the cipher image can easily find their corresponding plain pixels based on the coding table T. The total steps are described as follows.

Step 1 Obtain the size of block Z. Construct two images with the same pixels without the first pixel, then encrypt the two images to obtain the corresponding cipher images. According to the original encryption scheme for the first block shown in Eq. (2) and Section 2, there will be some different pixels between two cipher images, and the distance between the first and the second different pixels in the first row is the size of block.

Step 2 The 256 different images with all the same pixel values that range from 0 to 255 are transformed into the vector and encrypted, while the vector size is 1 × L, and the size of plain image is M × N, L = M × N. By using the ciphertext-only attack based on Eq. (4), the corresponding substituted image without the first block is obtained. As mentioned above, the first block in the substituted image does not need to be known. Then obtain the vector of the middle image, while the first block is to the same as the first block in the cipher image. The 256 middle images are combined and denoted as C′, while C′_i(j) is satisfied for i ∈ [0,255], j ∈ [0,L − 1].

Step 3 Construct the coding table T whose size is 256 × L. Set i = 0 and repeatedly iterate Eq. (5) for j = 0, 1, …, L − 1. Then set i = i + 1 and repeat the above operations until i reaches 255. So the whole coding table T is obtained after the cycle.

Step 4 Recover the plain image. Assume that a cipher image C needs to be recovered. Firstly, the size of block Z is obtained by Step1. Then the middle image C′ is obtained by the ciphertext-only attack based on the block size Z. The vector of the plain image is P in a size of 1 × L, for j = 0, 1, …, L − 1, the P is obtained based on coding table T by the following equation:

Transform the vector P into the size M × N, and the plain image will be obtained.

The computational complexity of the novel attack method of obtaining the coding table T is 257 times that of the encryption and cipher-only attack, so the time spent is acceptable.

The result of the crack experiment is shown in Fig. 2 based on the different images, like Lena, Peppers, and Baboon. There is no difference between the original images and recovered images, so the novel attack method is effective.

Fig. 2.

	Figure Option ViewDownloadNew Window
	Fig. 2. (color online) (a) Original, (b) encrypted, and (c) recovered Lena; (d) original, (e) encrypted, and (f) recovered Peppers; (g) original, (h) encrypted, and (i) recovered Baboon.

To show the security and efficiency of the proposed algorithm, we use eight gray images each with a size of 512 × 512 as the original ones, i.e., the ‘Lena’, ‘Peppers’, ‘Baboon’, ‘Boat’, ‘Bridge’, ‘Lake’, ‘White’, and ‘Black’ images.

Figure 4 shows the original plain-images. The corresponding encrypted and decrypted images are displayed in Figs. 5 and 6, respectively. As can be seen, the cipher-images are completely disordered and unrecognizable. The decrypted images are identical to the corresponding original ones. After the test, no difference is shown between the plain images and the decrypted images. Therefore, our proposed algorithm has a good encryption effect.

Fig. 4.

	Figure Option ViewDownloadNew Window
	Fig. 4. Original images: (a) Lena plain-image; (b) Peppers plain-image; (c) Baboon plain-image; (d) Boat plain-image; (e) Bridge plain-image; (f) Lake plain-image; (g) White plain-image; (h) Black plain-image.

Fig. 5.

	Figure Option ViewDownloadNew Window
	Fig. 5. Cipher-images: (a) Lena cipher-image; (b) Peppers cipher-image; (c) Baboon cipher-image; (d) Boat cipher-image; (e) Bridge cipher-image; (f) Lake cipher-image; (g) White cipher-image; (h) Black cipher-image.

Fig. 6.

	Figure Option ViewDownloadNew Window
	Fig. 6. The decrypted images: (a) Decrypted image of Lena; (b) Decrypted image of Peppers; (c) Decrypted image of Baboon; (d) Decrypted image of Bridge; (e) Decrypted image of Boat; (f) Decrypted image of Lake; (g) Decrypted image of White; (h) Decrypted image of Black.

An effective image encryption scheme should have a large key space so that the brute-force attack is useless. In the proposed encryption scheme, the secret keys include two initial values x₁ and x₂ and parameter μ to generate the double S-boxes, two parameters cxor, csum used in forward encryption. Then the values used in backward encryption are different, named x₃, x₄, μ′, cxor′, and csum′, so the minimum number of secret keys is eleven when the secret key pos is added. Suppose that the calculation precision of the computer is set to be 10⁻¹⁴, so the total key space is at least 10⁹⁶, and it is large enough to resist all types of brute-force attack.

A good encryption scheme should make the histogram of an encrypted image as flat as possible. The histograms of the Lena and the cipher image are shown in Fig. 7, and it is clear that the histogram of the cipher image is uniformly distributed.

Fig. 7.

	Figure Option ViewDownloadNew Window
	Fig. 7. (color online) Histograms of plain and encrypted Lena.

The variances of histograms are used to evaluate the uniformity of ciphered images. The lower value of variances indicates the higher uniformity of ciphered images. Then two variances of ciphered images, which are encrypted by different secret keys on the same plaintext image are also calculated, and the two values of variances being closer to each other indicates the higher uniformity of ciphered images when the secret keys are varying.^[33] The variance of histogram is presented as follows:

In simulating experiments, two variances of histograms of two ciphered images by Eq. (10) from the same plain image with different secret keys are calculated. Only one parameter of secret keys is changed in such different secret keys.

The eight plain images shown in Fig. 4 are tested. In Table 1 the variances of histograms of ciphered images are listed. The parameters of x₃, x₄, μ′, cxor′, and csum′ used in the backward encryption are mirrored with the parameters used in the forward encryption, so the parameters of x₁, x₂, μ, cxor, and csum are tested. In Table 1, the variances in the first column are obtained by the secret key x₁, the variances in the next column are obtained by only changing one parameter of x₂, μ, cxor, and csum respectively compared with the secret key x₁.

Table 1.

Table 1.

Table 1. Comparison among variances of histograms of all secret keys in the proposed algorithm. . Cipher image x1 x2 μ cxor csum Lena 1128.0469 816.6719 943.8203 959.3984 943.7422 Peppers 1079.4219 1019.3578 1097.8828 932.8203 999.5781 Baboon 954.2891 980.3705 1045.2578 1055.5938 874.5078 Boat 1148.5469 1005.4844 1000.1094 1072.0312 952.5547 Bridge 1067.4971 980.5649 1149.4971 1031.9717 931.1649 Lake 1064.4971 1164.8594 1094.4688 962.1797 910.2597 White 1087.7031 1048.1953 1153.4375 1149.9531 996.7188 Black 1020.2813 1061.1953 876.4844 990.1016 913.0469 Average 1068.7340 1009.5874 1045.1198 1019.2562 940.1966

Table 1. Comparison among variances of histograms of all secret keys in the proposed algorithm. .

The variance values are about 5000, which indicates that the average fluctuation of the number of pixels in each gray value is about 70 pixels. However, the variance value is 625571.4908 for the histogram of the plain image Lena. It is obvious that the proposed algorithm is effective.

To measure the uniformity of each parameter in secret keys, we calculate the percentage of variance differences between the x₁ and the secret key that only one parameter is changed compared with x₁. Each parameter such as x₂, μ, cxor, and csum for three plain images is calculated and listed in Table 2. As Table 2 shows, the key cxor leads to the closest uniformity, and the key x₂ leads to more fluctuation than other keys.

Table 2.

Table 2.

Table 2. Comparison among percentages of variances difference of histograms of secret keys in the proposed algorithm. . Cipher image x1/% x2/% μ/% cxor/% csum/% Lena 13.32 17.97 5.19 3.63 5.20 Peppers 7.54 1.56 9.38 7.06 0.41 Baboon 3.49 0.64 5.93 6.98 11.37 Boat 1.23 12.82 13.43 5.82 19.09 Bridge 6.74 1.94 14.95 3.20 6.88 Lake 8.52 18.79 11.62 1.88 7.17 White 14.53 18.72 4.32 13.42 4.26 Black 16.69 19.90 3.02 14.15 5.90 Average 9.01 11.54 8.48 7.01 7.54

Table 2. Comparison among percentages of variances difference of histograms of secret keys in the proposed algorithm. .

To measure the histogram difference against plain images, the variance values among three images are changed obviously in Table 2. The difference in variance value indicates that the histogram depends on the plain image in the proposed algorithm. The simulation results indicate that any statistical attacks on the proposed scheme are useless.

The natural image has a high correlation with adjacent pixels, so the encryption scheme should effectively reduce the correlation in the encrypted image. In order to analyze the correlation with the adjacent pixels in the plain and cipher images, 2000 pairs of adjacent pixels are randomly chosen in the horizontal, vertical, and diagonal direction from the plain images and cipher images. The correlation distribution is shown in Fig. 8 and it is clear that the correlation among the adjacent pixels can be reduced greatly by the proposed encryption scheme.

Fig. 8.

	Figure Option ViewDownloadNew Window
	Fig. 8. (color online) Correlation analysis: (a) plain image and its (b) horizontal, (c) vertical, and (d) diagonal correlation; (e) encrypted image and its (f) horizontal, (g) vertical, and (h) diagonal correlation.

In order to calculate the correlation coefficient γ_xy of the adjacent pixels, we use the following formulas:

Table 3.

Table 3.

Table 3. Correlations between the plain images and the encrypted images. . Algorithm Horizontal Vertical Diagonal Plain image (Lena) 0.9719 0.9850 0.9639 Proposed algorithm 0.0014 0.0011 0.0023 Ref. [6] 0.0019 0.0038 −0.0019 Ref. [13] 0.0024 −0.0006 0.0012 Ref. [16] 0.0020 −0.0007 −0.0014

Table 3. Correlations between the plain images and the encrypted images. .

The information entropy is defined to express the degree of uncertainty or randomness in a given system. The information entropy H(m) of an image is calculated from

Table 4.

Table 4.

Table 4. Comparison of entropy between plain images and encrypted images. . Image Plain image Cipher image Ref. [6] Ref. [13] Ref. [16] Lena 7.4455 7.9992 7.9971 7.9972 7.9970 Peppers 7.5715 7.9993 7.9972 7.9971 7.9970 Baboon 7.3585 7.9992 7.9974 7.9973 7.9969 Boat 7.1914 7.9992 7.9971 7.9970 7.9971 Bridge 5.7056 7.9994 7.9970 7.9971 7.9971 Lake 7.4845 7.9995 7.9970 7.9972 7.9970 White 0 7.9997 7.9970 7.9972 7.9971 Black 0 7.9998 7.9972 7.9971 7.9970

Table 4. Comparison of entropy between plain images and encrypted images. .

To resist the differential attack, an effective encryption scheme should be sensitive to the change of plain image. The number-of-pixels changing rate (NPCR) and the unified average changing intensity (UACI) are used to evaluate the difference between two images. The NPCR and UACI are calculated by Eqs. (13), (14), and (15).

From Tables 5 and 6, it is clear that the NPCR and UACI of the cipher images are close to the average NPCR and UACI of random images, respectively, so the proposed encryption scheme can resist the differential attack effectively. Then the performance of the proposed algorithm is better than those from the algorithms in Refs. [6] and [13], while the maximum value of NRCR is close to that from the algorithm proposed in Ref. [16].

Table 5.

Table 5.

Table 5. NPCR and UACI for different images based on the proposed algorithm. . Image Average Maximum Minimum NPCR% UACI% NPCR% UACI% NPCR% UACI% Lena 99.6106 33.4823 99.6498 33.6182 99.5783 33.3452 Peppers 99.6102 33.4534 99.6483 33.5835 99.5637 33.3464 Baboon 99.6104 33.4458 99.6547 33.5762 99.5862 33.3373 Boat 99.6105 33.4696 99.6478 33.5897 99.5758 33.3458 Bridge 99.6016 33.4539 99.6519 33.5679 99.5628 33.3578 Lake 99.6082 33.4587 99.6547 33.5764 99.5823 33.3497 White 99.6084 33.4814 99.6439 33.5846 99.5858 33.3735 Black 99.6109 33.4613 99.6352 33.5673 99.5957 33.3837

Table 5. NPCR and UACI for different images based on the proposed algorithm. .

Table 6.

Table 6.

Table 6. Comparison between NPCR and UACI. . Algorithm NPCR/% UACI/% Proposed algorithm 99.61 33.48 Ref. [6] 99.59 33.25 Ref. [13] 99.58 27.35 Ref. [16] 99.65 33.48

Table 6. Comparison between NPCR and UACI. .

In the encryption scheme, the cipher image should totally change when there is a slight change in the secret keys. To test the key sensitivity of the proposed encryption scheme, we randomly choose two groups of secret keys with only one-bit difference to encrypt the plain image, respectively. Then, the NPCR and the UACI of the encrypted image are calculated. This test is performed 1000 times for each plain image, and the average, maximum, and minimum values of NPCR and UACI are shown in Table 7. The results show that the proposed encryption scheme is highly sensitive to any small change (i.e., onebit) in the secret keys.

Table 7.

Table 7.

Table 7. Key sensitivities of the proposed scheme. . Image Average Maximum Minimum NPCR/% UACI/% NPCR/% UACI/% NPCR/% UACI/% Lena 99.6125 33.4682 99.6458 33.6035 99.5825 33.3836 Peppers 99.6069 33.4725 99.6482 33.5826 99.5826 33.3415 Baboon 99.6125 33.4528 99.6362 33.5672 99.5725 33.3273 Boat 99.6126 33.4628 99.6437 33.5725 99.5791 33.3415 Bridge 99.6056 33.4768 99.6418 33.5819 99.5849 33.3567 Lake 99.6058 33.4867 99.6458 33.5845 99.5871 33.3545 White 99.6036 33.4893 99.6417 33.5762 99.5726 33.3827 Black 99.6028 33.4527 99.6315 33.5636 99.5857 33.3747

Table 7. Key sensitivities of the proposed scheme. .

The encryption speed is an important factor for the encryption scheme to be widely used in the practical application. The proposed encryption scheme cannot be implemented in parallel forms, while the algorithms in Refs. [13] and [16] can be implemented in parallel to potentially enhance the computational efficiency. So the algorithms in Refs. [13] and [16] are replaced by other algorithms in the speed test. We run our encryption scheme 1000 times on 256 gray-scale images with the Lena image in a size of 256 × 256 and compare the average encryption efficiency with those of the algorithms proposed in Refs. [6] and [27] and Refs. [34]–[36]. The test results are listed in Table 8. It is clear that the proposed encryption scheme has higher efficiency.

Table 8.

Table 8.

Table 8. Comparison between encryption speeds cited from the literature and calculated by our proposed algorithm. . Algorithm Ours Ref. [34] Ref. [35] Ref. [6] Ref. [36] Ref. [27] Speed/(m/s) 0.6634 1.5473 14.7249 2.3428 84.5806 1827.4854

Table 8. Comparison between encryption speeds cited from the literature and calculated by our proposed algorithm. .

According to Kerchoff’s principle,^[37] the cryptosystem should be open and its security entirely depends on the secre key. In other words, the cryptanalyst can know everything about the cryptosystem without the secret key. A secure cryptosystem should resist all kinds of attacks; otherwise, the cryptosystem is insecure. Generally speaking, there are four classical types of attacks to break a cryptosystem, and their orders from the hardest types to the easiest types are listed as follows.

(I) Ciphertext attack: The opponent only possesses a series of ciphertexts.

(II) Known plaintext attack: The opponent only can possess a series of plaintext and corresponding ciphertexts.

(III) Chosen plaintext attack: The opponent can obtain the encryption machinery. Some plaintexts are chosen to encrypt and their corresponding ciphertexts can be obtained.

(IV) Chosen ciphertext attack: The opponent can obtain the decryption machinery. Some known ciphertexts are chosen to decrypt and their corresponding plaintexts can be obtained.

Obviously, the chosen plaintext attack is the most powerful attack. If a cryptosystem can resist this attack, it can resist other types of attacks.^[38] The proposed encryption scheme combines the processes of substitution and diffusion by double S-boxes and the pixels encrypted by double S-boxes in different steps can influence each other. Meanwhile, the forward encryption and backward encryption are used to improve the security of a cryptosystem, so the attackers cannot gradually crack the encryption scheme by one of the S-boxes or the processes of substitution and diffusion. So the proposed encryption scheme can resist the chosen plaintext or ciphertext attack.