A Difference-Equation-Based Robust Image Encryption Scheme with Chaotic Permutations and Logic Gates

Abstract

Image encryption has become an indispensable tool for achieving highly secure image-based communications. Numerous encryption approaches have appeared and demonstrated varying degrees of robustness to adversarial attacks. In this paper, an efficient and robust image encryption algorithm is established based on randomized difference equations, random permutations and randomized logic circuits. Specifically, hyperchaotic and chaotic systems are used to generate pseudo-random sequences. These sequences are thus used to define random first-order difference equations, chaotic permutations and logic circuits. Image encryption based on these three randomized modules shows high computational efficiency as well as strong robustness against statistical, differential, and chosen-plaintext attacks. The proposed scheme leads to almost zero correlation in the encrypted images, entropy values of more than 7.99 for the test images, and a key space size of \(2^{572}\). Furthermore, differential analysis shows that the number of pixel change rate (NPCR) and the unified average change intensity (UACI) for the proposed technique are on average 99.61 and 33.35%, respectively.

1 Introduction

Image encryption is an essential operation for visual information hiding and secure image communication with a wide range of applications in digital communication [8], imaging [14], and cloud computing [29]. Based on information redundancy and plain-image pixel correlation, numerous encryption algorithms have been developed where the image pixels are essentially scrambled and encoded into cipher-image pixels using secret keys [22]. The strength of any encryption algorithm depends on how far it can satisfy two key properties: confusion and diffusion. On the one hand, a high-confusion encryption algorithm little or no correlation between a cipher-image and its corresponding plain-image. On the other hand, for a high-diffusion algorithm, any change in the secret key or the plain-image information is effectively propagated to the cipher-image. The encryption algorithms can be generally categorized into symmetric and asymmetric algorithms [7, 34]. A symmetric encryption algorithm uses a single secret key for image encryption and decryption, while an asymmetric algorithm uses a public key for encrypting a plain-image, and a different private key for decrypting the corresponding cipher-image.

Many image encryption techniques have been developed over the past few decades in order to ensure better encryption strength, efficiency, and robustness. Indeed, different mathematical and statistical tools have been exploited in order to achieve these goals through introducing higher degrees of randomness in the encryption keys and operations. For example, Annaby et al. [1] proposed highly secure image encryption algorithms by extending the construction of the discrete fractional Fourier transform (DFrFT) and introducing two generalized discrete transforms of both unitary and non-unitary types. Artiles et al. [6] employed a randomized variant of the Rijndael S-box to construct randomized-block image ciphers. Moreover, chaos and chaotic systems have been extensively explored to strengthen the encryption confusion and diffusion properties. For instance, Hua et al. [18] introduced a cosine-transform-based chaotic system through which image pixels are scrambled with random-order substitution, and are then diffused with chaotic maps of complex dynamical behavior. Other encryption algorithms explored novel chaotic maps [33, 39], compressive sensing [41], orthogonal transforms [10, 35] and logic circuits [4].

Many image encryption algorithms in literature are based on shuffling image pixels using permutations and/or XOR operations. However, using these operations only in encryption has been shown as insecure against chosen-plaintext attacks [5, 21, 23, 42]. In [5], Arroyo et al. designed a chosen-plaintext attack to break an encryption algorithm based on pixel shuffling and gray-level masking. In particular, for \(M\times N\) images, one plain-image is chosen to remove the masking part, and then the procedure in [23] is followed to recover the shuffling map using \(\lceil \log _{256} MN \rceil \) images. When the encryption scheme is based on permutation only, [21] proved that via choosing \(\lceil \log _{L} MN \rceil \) plain-images of size MN and L different intensities, the chosen-plaintext attack completely determines the correct plaintext elements. Moreover, Huang et al. [19] demonstrated a cryptanalysis algorithm for encryption algorithms based on Latin cubes.

In this work, we establish a new image encryption scheme based on randomized first-order difference equations, chaotic permutations, and randomized logic circuits. It should be pointed out that the use of difference equations can be viewed as a diffusion process among pixels, rather than diffusion among blocks as in [13, 17, 25, 36, 38]. However, this diffusion process merely uses difference equations with constant coefficients. In our approach, we use a randomized difference equation, where the coefficients are not only variable keys, but are also generated using pseudorandom chaotic sequences. We implement hyperchaotic sequences to scramble pixel values, and hence construct chaotic gates. The robustness of the use of the first-order difference equations is rigorously discussed. In particular, we demonstrate that the choice of the initial conditions plays a major role in strengthening the immunity of the encryption algorithm. In summary, the main contributions of this paper are as follows:

• A novel efficient and robust image encryption scheme is presented.

• For the first time, randomized difference equations are proposed for image encryption.

• The proposed algorithm utilizes both chaotic permutations and chaotic logic gates, whose parameters generated via hyper-chaotic maps.

• The robustness of the proposed difference-equation encryption scheme is demonstrated through a rigorous proof.

• Various statistical measures are used to evaluate the performance outcomes of the proposed scheme and compare them with those of other state-of-the-art methods.

The paper is designed as follows. The mathematical tools used in the proposed image encryption technique are introduced in Sect. 2. In Sect. 3, the details of the encryption and decryption algorithms are introduced, in addition to the specification of the employed encryption keys. Section 4 presents the simulation and statistical analysis results for the proposed encryption algorithm. Conclusions of this work are given in Sect. 5.

2 Encryption Tools

This section introduces the basic tools required to build up a robust and efficient encryption technique. These tools are basically chaotic (or hyper-chaotic) difference equations, reversible logic gates, and random logic circuits.

2.1 Chaotic Systems

For the purpose of information security, there is an essential need for pseudo-random number generators that yield pseudo-random number sequences. These sequences are employed as encryption keys in image encryption algorithms. Many chaotic systems have been proposed in the literature to generate chaotic number sequences.

In [12], Dong et al. proposed a new family of Hamiltonian conservative chaotic systems. In particular, a 5D conservative hyper-chaotic system (CCS) was introduced with two non-hyperbolic equilibrium points, nonzero initial values, and coexisting quasi-periodic and hyper-chaotic orbits. This 5D system is defined by the following equations:

$$\begin{aligned} {\left\{ \begin{array}{ll} &{}\dot{x} = ay+cv, \\ &{}\dot{y} = -ax+bxw, \\ &{}\dot{z} = dw, \\ &{}\dot{w} = -bxy-dz, \\ &{}\dot{v} = -cx. \end{array}\right. } \end{aligned}$$

(1)

Fixing the parameters a, b, c, d of the system in (1), and the initial values in some dimensions and varying the other dimensions causes the dynamic flow to evolve and switch among hyper-chaos, chaos, and quasi-periodic motions. The effects of the initial values of (x, y, z, w, v) on the system dynamics have been analyzed in [12]. As previously mentioned, coexisting orbits have been founded, for special values or ranges of some dimensions. The dynamic properties of the system in [12] were verified by several criteria, namely dynamical evolution maps, equilibrium points, and the Lyapunov dimension. Additionally, the pseudo-randomness of his chaotic system has been validated through NIST[27]. The implementation details of a chaotic system similar to that in (1) are mentioned in [12]. In our work, , we employ the system in (1) with a hyper-chaotic orbit by choosing the following parameter settings \(a=30,b=30,c=10,\text { and } d=30\), as well as the initial values \(x=-0.1,y=2.45,z=-0.1,w=1.85,\text { and }v=-0.1\).

Since the proposed encryption system requires six chaotic sequences, we generate a sixth randomized sequence using a logistic map with a bifurcation parameter \(\mu \) and an initial point \(x_0\)

$$\begin{aligned} q_{j+1}=\mu q_j (1-q_j),\quad 0<\mu <4, q_0\in (0,1), \end{aligned}$$

(2)

where we do not consider \(0<\mu \le \mu _0 \approx 3.569946\cdots \) because when \(\mu \in (0,\mu _0]\), then for any initial value \(q_0 \in (0,1)\), the orbit \(O(q_0)=\{q_n\}_{n=0}^{\infty }\) asymptotically falls onto \(2^k\) points of [0, 1] for some \(k\in \mathbb {N}\) [2, 3, 11]. Nevertheless, as we select the bifurcation parameter \(\mu \in (\mu _0, 4]\), one has to avoid the stability gaps, like the interval \(3.825< \mu < 3.86\), where for the initial values in (0, 1), the orbits are attracting cycles of period 3, see [3, 11]. In our experimental setup, we take \(\mu =3.9\) and the initial value \(q_0=0.5\) to generate a chaotic sequence.

2.2 Randomized Difference Equations

Consider the first-order equation:

$$\begin{aligned} \alpha _k y_k + \beta _k y_{k-1} + \gamma _k = 0, \quad k=0,\cdots , N-1, \end{aligned}$$

(3)

\(\alpha _k\ne 0\), together with the initial condition

$$\begin{aligned} y_{-1}=\eta . \end{aligned}$$

(4)

Here \(\alpha _k, \beta _k, \gamma _k, \eta \) are randomly generated numbers (generally complex numbers). However, we select them to be real numbers.

The coefficients \(\alpha _k, \beta _k, \gamma _k\) and the initial condition value \(\eta \) are randomly selected via the systems described in the previous section. They will be used as keys of the encryption process.

By slightly modifying the technique of [24], a general solution of the Cauchy problem (3) and (4) can be written as:

$$\begin{aligned} y_k=u_k+h_k, \end{aligned}$$

(5)

where \(u_k\) is the solution of the homogeneous problem, \(\gamma _k\equiv 0\), i.e.,

$$\begin{aligned} u_k = (-1)^{k+1} \eta \prod _{l=0}^{k} \frac{\beta _l}{\alpha _l}, \end{aligned}$$

(6)

and \(h_k\) is any particular solution of (3) and (4). Again by a slightly different analysis of [24], we obtain

$$\begin{aligned} h_k= u_k \sum _{m=0}^{k} \frac{\gamma _m}{\beta _m u_{m-1}},\quad k=0,\cdots , N-1. \end{aligned}$$

(7)

Consequently

$$\begin{aligned} y_k= \left\{ \begin{array}{ll} \eta , &{} k=-1, \\ u_k [1+ \displaystyle \sum _{m=0}^{k} \frac{\gamma _m}{\beta _m u_{m-1}}], &{} k>0, \\ \end{array} \right. \end{aligned}$$

(8)

where \(k=0,\cdots ,N-1\). A detailed analysis of using (8) in encryption is established in Sect. 3.

2.3 Chaotic Circuits

We mean here by chaotic circuits, any logical gate or circuit with controlling bits determined via chaotic systems, such that the controlled-NOT gate in Fig. 1. This gate takes two input bits x and y, and outputs the bits x and \(z=x\oplus y\). The x bit in this gate acts as a controlling bit, where if \(x=0\), then the output bit \(z=y\), and when \(x=1\), that implies that \(z=\lnot y\). For image encryption, the controlling-bit gate can be applied by generating the x bits by a chaotic system, to ensure the randomness of the bit stream, and specifying the y bits as the plaintext image bits. Then, the ciphertext image is obtained by applying the controlled-NOT gate, such as the ciphertext image bits are the output bits of XOR gate \(z=x\oplus y\), in case the input bits of the XOR gate are x and y, as is previously specified.

We should note that the controlling-NOT gate is used in this article; however, any reversible gate can be applied, not only with 1 controlling bit, but also with 2 controlling bits like Fredkin gate. Some analysis about the security of applying the reversible gates, rather than the irreversible gates, in image encryption, is mentioned in [2].

Fig. 1

Controlled-NOT gate

Fig. 2

Illustration of the application of (9) onto the input signal \(\xi \) to output r using the keys \(\varvec{\alpha }, \varvec{\beta }, \varvec{\gamma }\), \(\eta _{-1}\)

Fig. 3

Illustration of the three steps in the encryption algorithm

3 Proposed Cryptosystem

3.1 Using Difference Equations

In this subsection, we discuss the use of the first-order difference Eqs. (3) and (4) as well as its solution (8) as an encryption tool. In addition, we will discuss its robustness against chosen plaintext attacks.

Assume that we have an array \((\xi _1, \xi _2, \cdots , \xi _{N-1})\in \mathbb {R}^N\), and we want to encrypt it via a first-order difference equation. We assume that \(\varvec{\alpha }=(\alpha _k), \varvec{\beta }=(\beta _k), \varvec{\gamma }=(\gamma _k)\) and \(\eta \) are randomly chosen, \(\alpha _k \ne 0\). We encrypt \((\xi _1, \xi _2, \cdots , \xi _{N-1})\) via

$$\begin{aligned} \xi _k \mapsto r_k, \quad k=0,\dots , N-1, \end{aligned}$$

where

$$\begin{aligned} r_k = \mathcal {T}(\xi _k) = \alpha _k \xi _k + \beta _k \xi _{k-1} + \gamma _k , \quad \xi _{-1}=\eta . \end{aligned}$$

(9)

An illustration of the above equation is shown in Fig. 2. The decryption step is carried out through (8) to recover \(\xi _k\) back from the cipher \(r_k\) to obtain

$$\begin{aligned} \xi _k= \left\{ \begin{array}{ll} \eta , &{} k=-1, \\ (-1)^{k+1} \eta \prod _{l=0}^{k} \frac{\beta _l}{\alpha _l} [1+ \sum _{m=0}^{k} \frac{\gamma _m-r_m}{\beta _m u_{m-1}}], &{} k>0, \\ \end{array} \right. \end{aligned}$$

(10)

where \(k=0,\cdots ,N-1\) and \(\{u_m\}_{m=-1}^{N-1}\) is given in (6).

The robustness of the encryption-decryption system (9, 10) against chosen-plaintext attacks depends on the random initial value \(\eta \) as well as the initial values \(\beta _0\) and \(\gamma _0\). The other values can be recovered via chosen plaintext attacks. In fact, knowing the effect of the cipher (9, 10) on four chosen-plaintexts suffices to recover the values of \(\alpha _k, \beta _k, \gamma _k\) except for \(\beta _0\) and \(\gamma _0\). Let \(\xi _k^{(1)}\), \(\xi _k^{(2)}\), \(\xi _k^{(3)}\) and \(\xi _k^{(4)}\) be the arrays

$$\begin{aligned}&\xi _k^{(1)}\equiv 0, k=0,\cdots ,N-1, \end{aligned}$$

(11)

$$\begin{aligned}&\xi _k^{(2)}\equiv 1, k=0,\cdots ,N-1, \end{aligned}$$

(12)

$$\begin{aligned}&\xi _k^{(3)}= \left\{ \begin{array}{ll} 0, &{} k=2m, 0\le m \le \lfloor N/2-1/2\rfloor , \\ 1, &{} k=2m+1, 0\le m \le \lfloor N/2-1\rfloor ,\\ \end{array} \right. \end{aligned}$$

(13)

where \(k=0,\cdots ,N-1\),

$$\begin{aligned} \xi _k^{(4)}= \left\{ \begin{array}{ll} 1, &{} k=2m, 0\le m \le \lfloor N/2-1/2\rfloor , \\ 0, &{} k=2m+1, 0\le m \le \lfloor N/2-1\rfloor ,\\ \end{array} \right. \end{aligned}$$

(14)

where \(k=0,\cdots ,N-1\). Then, the parameters \(\gamma _k, \beta _k, \alpha _k\) are recoverable according to the following proposition.

Proposition 1

Assume that \(r_k^{(j)}=\mathcal {T}(\xi _{k}^{(j)}), j=1,2,3,4\) are known, and \(k=1,\cdots ,N-1\). Then,

$$\begin{aligned} \gamma _k= & {} r_k^{(1)}, \end{aligned}$$

(15)

$$\begin{aligned} \beta _k= & {} \left\{ \begin{array}{ll} r_k^{(3)}-\gamma _k, &{} k=2m, 1\le m \le \lfloor N/2-1/2\rfloor ,\\ r_k^{(4)}-\gamma _k, &{} k=2m+1, 0\le m \le \lfloor N/2-1\rfloor , \end{array} \right. \end{aligned}$$

(16)

and for \(k=0,\cdots ,N-1\),

$$\begin{aligned} \alpha _k = \left\{ \begin{array}{ll} r_0^{(2)}-r_0^{(1)}, &{} k=0, \\ r_k^{(4)}-\gamma _k, &{} k=2m, 1\le m \le \lfloor N/2-1/2\rfloor ,\\ r_k^{(3)}-\gamma _k, &{} k=2m+1, 0\le m \le \lfloor N/2-1\rfloor . \end{array} \right. \end{aligned}$$

(17)

Proof

See Appendix 1. \(\square \)

Fig. 4

The effect of applying (9) on the Cameraman plaintext image in Fig. 4a 1 through 5 rounds, and then applying the permutation and XORing encryption steps

3.2 Encryption Algorithm

The proposed encryption technique of this paper consists of three different stages, implementing the tools briefed in Sect. 2. The first stage applies the difference equation approach among plaintext pixels, while the second and third steps apply chaotic permutation and chaotic logic gates or circuits, respectively. The cipher might be made more complicated by applying randomized orthogonal transforms, see, e.g., [2]. The algorithm is illustrated in Fig. 3 and can be summarized as follows:

• Step 1. In this stage, we apply the procedure (3, 4) column-wise on the plaintext image. Let P be the \(N-1\times N-1\) plaintext image, which may be written as:

  $$\begin{aligned} P=(P_0,P_1, \cdots , P_{N-1}), \end{aligned}$$

  (18)

  where \(P_j\) is the column \(P_j=(p_{0,j},p_{1,j},\cdots , p_{N-1,j})^{\top }\), \(A^{\top }\) is the transpose of a matrix A, \(p_{x,y}\) is the value of pixel at the xth row of the yth column. To make the encryption stage of applying (3, 4) as robust as possible, we may apply (3, 4) n times with the coefficients \(\varvec{\alpha }{(l)},\varvec{\beta }{(l)},\varvec{\gamma }{(l)},\eta (l), l=1,\cdots ,n\). These coefficient parameters are considered as encryption keys, and they are randomly chosen. The random choice of the parameters \(\alpha , \beta , \gamma , \eta \) applied on each column of the plaintext is different. For each round of application, these parameters can be fixed, or variant for each round. Thus, we apply (3, 4) on each column through

  $$\begin{aligned}&\mathcal {T}^{\tau }(P_j)=\mathcal {T}(\mathcal {T}^{\tau -1}(P_j)), \tau =2,\cdots ,n, \nonumber \\&\quad j=0,\cdots ,N-1, \end{aligned}$$

  (19)

  and

  $$\begin{aligned} \mathcal {T}^{1}(P_j)=\alpha _k p_{kj}+\beta _k p_{k-1,j}+\gamma _k, 0\le k\le N-1. \end{aligned}$$

  (20)

  According to the performance analysis demonstrated below, we found that \(n=6\) is a possible minimum of rounds to guarantee robustness. Let \(T_j=\mathcal {T}^n (P_j)\), \(j=0,\cdots ,N-1\), and T be the \(N-1\times N-1\) matrix, such that \(T = (T_1, \cdots , T_{N-1})\). In the following step, we apply permutation of the pixels of T.

• Step 2. The permutation step is performed by shifting each column, \(T_j\), of T, \(j=0, \cdots , N-1\), circularly, by \(y_j \in \{0,1,\cdots ,N-1\}\) units, via the translation operator R as:

  $$\begin{aligned} (R_{y_j} T_j)(i)=T_j(i-y_j)=\widetilde{T}_j, i=0,\cdots ,N-1, \end{aligned}$$

  (21)

  with period N. Let \(\widetilde{T}\) be the \(N-1\times N-1\) matrix in which the jth column is \(R_{y_j} T_j\), \(j=0,\cdots ,N-1\). Then, apply the above operator R on the rows of \(\widetilde{T}\), \(s_j\), \(j=0,\cdots , N-1\), to circularly shift each \(S_j\) by \(x_j\in \{0,1,\cdots ,N-1\}\) units, via

  $$\begin{aligned} (R_{x_j} S_j)(i)=S_j(i-x_j)=\widetilde{S}_j, i=0,\cdots ,N-1. \end{aligned}$$

  (22)

  Let \(\widetilde{S}\) be the \(N-1\times N-1\) in which the jth row is \(R_{x_j} S_j, j=0,\cdots ,N-1\). In the following step, the XOR gate is applied on the pixels of \(\widetilde{S}\).

• Step 3. The XOR gate is used to scramble each pixel \(\widetilde{s}_{i,j}\) with a random key \(e_{i,j}\in E\), such that E is an \(N-1\times N-1\) matrix, and produce \(c_{i,j}\) via

  $$\begin{aligned} c_{i,j} = \widetilde{s}_{i,j} \oplus e_{i,j}, 0\le i,j \le N-1. \end{aligned}$$

  (23)

  Thus, C is the ciphertext image corresponding to P.

The first step in the above encryption algorithm is applied five rounds on the \(256\times 256\) Cameraman plaintext image shown in Fig. 4a to produce Figs. 4b–f. As can be shown, after the first round of application, the details of the plaintext features still can be recognizable. However, as many rounds of applications are performed, the features diminish until it cannot be possible to extract related features from the plaintext. Steps 2 and 3 of the encryption algorithm representing the permutation and XORing are applied on Fig. 4f to enhance the encryption security and produce the ciphertext image shown in Fig. 4h. The random appearance of pixels can be shown after a few rounds of the difference equation on the plaintext image and after the permutation and XORing applications.

The choice of the number of rounds of the first encryption step is arbitrary. In order to investigate a suitable number of rounds after which there is almost no correlation between the plaintext image, we applied (9) a test set of 10 plaintext images of size \(256\times 256\) for rounds 1 through 10. After each round, we calculate the average correlation coefficient value between the resulting images and the plaintext images. Figure 5 shows how much the correlation after each round of application. As can be seen, the correlation coefficient value decreases as the number of rounds increases. We have found that when the number of rounds is 6, the correlation value becomes negative and tremendously small, and it continues to be negative and smaller for further applications. Therefore, repeating the first encryption step for 6 rounds is an adequate number before applying the permutation and XORing in steps 2 and 3. The average mean square error after each round of application of the difference equation only to the plaintext images can be shown in Fig. 6. After the first round of application, a small error is found; however, the error increases as the number of rounds increases, until it converges to some error value after the fifth or sixth round.

Fig. 5

Average correlation coefficient values between the plaintext and ciphertext images over a test set of 10 plaintext images of size \(256\times 256\), when only (9) is applied 1 through 10 times

Fig. 6

Average mean square error values between the plaintext and ciphertext images over a test set of 10 plaintext images of size \(256\times 256\), when only (9) is applied 1 through 10 times

3.3 Decryption Algorithm

The decryption algorithm steps are the converse of the implemented encryption steps. The first step is applying the inverse of the implemented logical gate in the encryption algorithm to undo the scrambling effect by the logical gate. The second step is to permute the columns and rows of the output matrix by the inverse of the permutation map utilized in the encryption algorithm. The last step is applying (10) to reverse the effect of the mapping (\( \xi _k \mapsto r_k \)) and output the plaintext. The details of implementing each step are as follows.

• Step 1 Let C be the \(N-1\times N-1\) ciphertext image. In this stage, we reverse the XOR logical gate applied in Step 3 in the encryption algorithm. Since the inverse of XOR is itself, then \(\widetilde{S}\) can be retrieved via

  $$\begin{aligned} \widetilde{s}_{i,j}=c_{i,j} \oplus e_{i,j},\quad 0\le i,j \le N-1, \end{aligned}$$

  (24)

  where \(e_{i,j}\) is the (i, j) element in the key matrix E (23). In the following step, the permutation step is reversed by rearranging the pixels of \(\widetilde{S}\).

• Step 2 Since the permutation in the encryption step is applied by shifting the columns, and then the rows, then in this stage, the rows are shifted, first, and then the columns, in the opposite direction, by the same permutation map as used in the encryption algorithm. Construct the matrix \(\widetilde{T}\) of size \(N-1 \times N-1\), in which the jth row, \(S_j, 0\le j \le N-1\) circularly via

  $$\begin{aligned} S_j = \widetilde{S}(i+x_j), i=0,\cdots ,N-1. \end{aligned}$$

  (25)

  Then, the columns of \(\widetilde{T}\), denoted by \(\widetilde{T}_1, \widetilde{T}_2,\cdots , \widetilde{T}_{N-1}\), are circularly shifted, to yield \(T_1, T_2,\cdots , T_{N-1}\) via

  $$\begin{aligned} T_j = \widetilde{T}(i+y_j),\quad i=0, \cdots , N-1, \end{aligned}$$

  (26)

  where \(x_j, y_j\) are as chosen in (21)-(22). Let \(T=(T_1, T_2, \cdots , T_{N-1})\). In the following step, (10) is applied on each \(T_j, 1\le j\le N-1\), to yield the columns of \(P=(P_0,P_1,\cdots ,P_{N-1})\).

• Step 3 If (19) is applied n times such that \(\mathcal {T}^n (P_j) = T_j\), then \(P_j=\mathcal {T}^{-n}(T_j)\), where \(\mathcal {T}^{-1}\) is the converse of \(\mathcal {T}\). Since \(T_j=(t_{0,1},t_{0,2},\cdots ,t_{0,N-1})\), then from (10), \(\mathcal {T}^{-1}(T_j)\) can be obtained via

  $$\begin{aligned} \mathcal {T}^{-1}(t_{k,j})= \left\{ \begin{array}{ll} \eta , &{} k=-1, \\ (-1)^{k+1} \eta \prod _{l=0}^{k} \frac{\beta _l}{\alpha _l} [1+ \sum _{m=0}^{k} \frac{\gamma _m-t_{m,j}}{\beta _m u_{m-1}}], &{} k>0. \\ \end{array} \right. \end{aligned}$$

  (27)

3.4 Encryption Keys

The chaotic systems’ streams of (1, 2) are used to generate the parameters of the randomized difference equation, the permutation map, and the logic gate implemented in our encryption algorithm. Therefore, the parameters and initial values of these systems are the secret keys of the encryption system. The chaotic system in (1) requires 4 parameters a, b, c, d, and 5 initial values for x, y, z, w, v to generate pseudorandom sequences, while the system (2) requires one parameter \(\mu \) and one initial value \(q_{0}\). Therefore, the total number of keys in this system is 11. These parameters and initial values should be known by the sender and receiver for the purpose of encryption and decryption.

As we have mentioned, we will use the chaotic maps (1) and (2) to generate six random sequences for implementing the three mentioned stages of encryption. For this purpose, we need to preprocess the obtained chaotic sequences.

Let X, Y, Z, W, V be the chaotic sequences generated by the system variables x, y, z, w, v. As in [37], a preprocessing step is used to improve the statistical randomness properties, before employing the sequences X, Y, Z, W, V in the encryption procedure. The preprocessing equation applied on the X sequence, for instance, similar to the formula in [37], is

$$\begin{aligned} X[i]=10^n x[i]-\lfloor 10^n x[i] \rfloor +0.5, i\in \mathbb {N}, \end{aligned}$$

(28)

where X[i] is the ith element in the X chaotic sequence corresponding to the ith generated value of the system variable x, when x is discretized, and n is the shifted backward digits of the decimal part. Similarly, (28) is applied on the other sequences Y, Z, W, V. Additional information about the statistical randomness properties achieved after applying the preprocessing step, and illustrations of the preprocessed chaotic sequences are found in [37].

Let Q be the chaotic sequence generated by (2). Then, we have the sequences X, Y, Z, W, V, Q to be used in encryption algorithm. The randomized encryption keys \(\varvec{\alpha }, \varvec{\beta }, \varvec{\gamma }, \eta \) to implement the difference equation step are taken from the sequences X, Y, Z, W, respectively. For the second permutation step in the encryption algorithm, the sequence V is used, while the sequence Q is used to determine the random key of the XOR gate in the third step of the encryption algorithm.

3.5 Encryption Methods

In Sect. 3.2, we have introduced an encryption algorithm which utilizes many methods such as randomized difference equation, chaotic permutations and logic gates (XOR). In this section, we discuss the function and contribution of each method in our encryption algorithm. As noted in the introduction of this paper, the use of permutation and XOR operations only is insecure against the chosen-plaintext attack. Then, we have applied the randomized difference equation whose parameters are chaotic in the encryption process to resist such attacks. We have theoretically proved that the randomized equation is robust as the initial conditions (\(\eta \)) as well as the initial values \(\beta _0\) and \(\gamma _0\) which are randomly chosen are unrecoverable while the other parameters of difference equation (\(\alpha , \beta , \gamma \)) can be recovered. After the application of the difference equation, we have used the chaotic permutations and logic gates to enhance the confusion and statistical properties of the cipher-text image. Since XOR is a balanced gate [4], then the effect of applying such a gate with chaotic inputs is a uniform distribution, as shown in Fig. 7, which is necessary to resist statistical attacks and enhance the statistical measures.

4 Simulation Results

4.1 Histogram Analysis

Histogram analysis is a primitive common measure of robustness against statistical attacks. When the histogram of a ciphered image is uniform, no statistical information can be recovered. Figure 7 shows the histograms of four plaintext test images, and also their corresponding ciphertext images. As can be shown, the histograms of the ciphertext images are all uniform despite the fact that the four plaintext image histograms have distinct patterns. This shows the robustness of the proposed technique against statistical attacks.

Fig. 7

Four plaintext images from the test set are shown in (a–d), with their histograms in 7e–7h. The corresponding ciphertext images are shown in (i–l), with their uniform histograms in (m–p)

Fig. 8

Correlation patterns for the gray-level values of 5000 pixel pairs randomly selected from the Lena test image: a Horizontally adjacent plaintext pixels, b vertically adjacent plaintext pixels, c diagonally adjacent plaintext pixels, d horizontally adjacent ciphertext pixels, e vertically adjacent ciphertext pixels, f diagonally adjacent ciphertext pixels

4.2 Brute-Force Attack

A brute-force attack searches for and attempts to identify the utilized secret cipher key among all possible keys in the key space. If the key space is large enough, the search becomes highly infeasible and the cipher turns out to be robust against the brute-force attack. The proposed cipher uses a large number of keys in association with the hyper-chaotic map and the logic gates. Specifically, the hyper-chaotic map is parameterized by four parameters a, b, c, d, as well as the initial values of the state variables x, y, z, w, v. Also, a logic gate has the parameter \(\mu \) and the initial value \(q_0\) (2). All of these parameters and initial values are considered to be the keys of the proposed cipher. If a 52-bit precision is used for key representation, then the key space shall be quite large with a size of \(=2^{52\times 11}=2^{572}\). Therefore, the key space can be huge enough to guarantee robustness against the brute-force attack. The key space may be further enlarged if we use different chaotic-sequence parameters in order to define a different encryption scheme (3 and 4) for each row (or column) of the plaintext image.

4.3 Correlation

The sample Pearson’s correlation coefficient, \(r_{xy}\), for \(\{(x_1,y_1),(x_2,y_2),\cdots ,(x_n,y_n)\}\), where \(x_i\) and \(y_i\) are sample points taken from X and Y variables, respectively, can be defined by

$$\begin{aligned} r_{xy} = \frac{n\sum x_i y_i - \sum x_i \sum y_i}{\sqrt{n \sum x^2_i - (\sum x_i)^2} \sqrt{n \sum y^2_i - (\sum y_i)^2}}, \end{aligned}$$

(29)

where \(r_{xy} \in [-1, 1]\). A value of \(r_{xy}=1\) indicates the strongest positive correlation between samples of X and Y, whereas \(r_{xy}=-1\) reflects the strongest negative correlation. In addition, a correlation value of 0 indicates that no correlation exists.

For correlation analysis, we examine how much adjacent pixels in a ciphertext image are correlated. Ciphers should ideally exhibit no correlation between ciphertext adjacent pixels, while the adjacent pixels in plaintext images generally have high correlation coefficients. We chose random samples of 5000 pairs of adjacent pixels in the horizontal, vertical and diagonal directions. Then, we estimated the correlation in each of these directions by computing \(r_{xy}\) according to (29). Figure 8 shows plots of the gray-level values of adjacent pixels for plaintext and ciphertext of the Lena image. While the plaintext image shows linear correlation in all directions, the ciphertext image shows completely random patterns with no clear correlation. These visual observations are supported by the correlation coefficient values, computed for 10 test images in Table 1. For each test image, the correlation coefficient is almost zero, indicating no correlation between the ciphertext pixels.

Moreover, Table 2 compares the average correlation coefficients obtained for standard test images after encryption by our method and five other state-of-the-art methods. Although each of these methods used a slightly different set of standard images, it is still valid to say that the results of the different methods are comparable with no significant differences in the correlation coefficients. On average, our method is slightly better than most of other methods for different correlation directions.

Table 1 Correlation coefficient results for images encrypted with the proposed method

Table 2 Average correlation coefficients for adjacent pixels in ciphertext images produced by our encryption method and other relevant methods

4.4 Structural Similarity

For image quality assessment, Wang et al. [40] introduced the index of structural similarity between an original image and a distorted image. This index is based on comparisons of local pixel intensity patterns, where the pixel intensities are normalized for luminance and contrast. The structural similarity between two images can be decomposed into three components (luminance, contrast and structure), which are respectively denoted by \(l(x,y), c(x,y), \text {and} s(x,y)\). Then, this similarity index can be mathematically defined as:

$$\begin{aligned} S(x,y)=f(l(x,y), c(x,y), s(x,y)). \end{aligned}$$

(30)

The definitions of each of the \(l(x,y), c(x,y), \text {and} s(x,y)\) components and the conditions that S(x, y) should satisfy can be found in [40]. For two image patches x and y, the structural similarity can be mathematically expressed as follows:

$$\begin{aligned} S(x,y)=\frac{(2\mu _x \mu _y+C_1)(2\sigma _{xy}+C_2)}{(\mu _x^2+\mu _y^2+C_1)(\sigma _x^2+\sigma _y^2+C_2)}, \end{aligned}$$

(31)

where \(\mu _x, \mu _y\) are the mean intensities of x and y, while \(\sigma _x\), and \(\sigma _y\) are the corresponding standard deviations. Also, \(\sigma _{xy}\) denotes the covariance of x and y, while \(C_1, C_2\) are constants. The similarity index as defined in (31) satisfies the conditions that \(S(x,y)\le 1\) and that \(S(x,y)=1\) iff \(x=y\) [40]. In our context, we use the index S to measure the similarity between an original plaintext image and the corresponding ciphertext image, where the former is assumed to be the reference image. Table 3 shows that the structural similarity values for 10 pairs of plaintext and ciphertext test images are \(\approx 0\). These results demonstrate a high encryption strength for the proposed encryption algorithm.

Table 3 Structural similarity values for 10 test images encrypted with the proposed algorithm

4.5 Entropy

Let \(\mathcal {O}\) denote a zero-memory source of statistically independent random events (source symbols) from the possible set of events \(\{a_1,a_2,\cdots ,a_J\}\). Each event \(a_j\) is generated with a probability \(P(a_j)\). The entropy H measures the information content averaged all sources [16], as expressed by the formula

$$\begin{aligned} H=-\displaystyle \sum _{j=1}^{J} P(a_j) \log _{2} P(a_j). \end{aligned}$$

(32)

In particular, if an image is an output of the source \(\mathcal {O}\), such that each event \(a_j\) represents one of the image intensities, the entropy of the image can be defined as:

$$\begin{aligned} \widetilde{H}=-\displaystyle \sum _{k=0}^{L-1} p_r(r_k) \log _{2} p_r(r_k), \end{aligned}$$

(33)

where \(r_k, p_r(r_k),\) and L are the \(k^(th)\) intensity value, the probability of occurrence of the \(k^(th)\) intensity value, and the highest intensity value, respectively.

In an image with random intensity values, the pixel intensities are supposed to be generated (emitted) with equal probabilities. Based on the definition of the image entropy in (33), \(0\le \widetilde{H}\le \log _{2} L\), and \(\widetilde{H}=8\) for a completely random 8-bit image. Table 4 lists the entropy values of the ciphertexts of our test images. The entropy values are near optimal (\(\approx 8\)), and this verifies the randomness and strength of our encryption algorithm.

Table 5 compares the entropy values obtained for standard test images after encryption by our method and four other methods. On average, our entropy results are the same or even slightly better than those of the compared methods. In fact, the average entropy obtained by our method matches the result returned by Hui et al. [20] and exceeds the results returned by the three other methods.

4.6 Differential Attacks

The number of changing pixel rate (NPCR) measures how much two images have different pixel intensities in corresponding locations. Also, the unified averaged changed intensity (UACI) measures the average absolute difference between two images. Let \(f_1\) and \( f_2\) be two \(M\times N\) images with intensities in the range \([0, L-1]\). Then, the NPCR and UACI measures are defined, respectively, as follows [32]:

$$\begin{aligned} \text {NPCR}(f_1,f_2)={\displaystyle \sum _{i,j}} \frac{\delta _{i,j}}{MN} \times 100\%, \end{aligned}$$

(34)

where \(\delta _{i,j}= \left\{ \begin{array}{ll} 0, &{} f_1(i,j)=f_2(i,j), \\ 1, &{} f_1(i,j)\ne f_2(i,j), \\ \end{array} \right. \)

$$\begin{aligned} \text {UACI}(f_1,f_2)={\displaystyle \sum _{i,j}} \frac{|f_1(i,j)-f_2(i,j)|}{(L-1)MN} \times 100\%. \end{aligned}$$

(35)

Differential cryptanalysis techniques (or differential attacks) investigate how small changes in the input plaintext image can affect the output ciphertext image. By tracing differences and discovering non-random patterns, an adversary can exploit the existing encryption properties to recover the encryption key. The NPCR and UACI measures are used to evaluate the strength of an encryption scheme against such differential attacks. In [32], different statistical hypothesis tests were carried out to estimate the critical NPCR and UACI values for different levels of significance. In each of these tests, the null hypothesis is that the ciphertext images are random, while the alternative hypothesis is that they are not. These tests used NPCR and UACI scores of two ciphertext images corresponding to two plaintext images that are identical except for one pixel intensity value. High NPCR and UACI values imply that the encryption technique is highly resistant to differential attacks. Based on the proposed technique, experimental NPCR and UACI values were calculated for the 10 test images and listed in Table 4. In fact, all of the NPCR and UACI values are quite close to the theoretical critical values of these measures. In Table 6, the average NPCR and UACI values of the test set are compared with the average values obtained for three relevant state-of-the-art methods. Again, the results of our method compare well the other methods.

Table 4 NPCR, UACI and entropy results for ciphertext images obtained with the proposed algorithm

Table 5 Average entropy results obtained based on our encryption method and other relevant methods

Table 6 Average NPCR, UACI comparison results

4.7 Computational Efficiency

We estimate the computational complexity of the proposed cipher as follows. We count the main operations used in each encryption stage, and the total operation count is used to find the overall cipher complexity. The difference-equation-based encryption stage needs \(2N(M-1)\) multiplication operations, while the permutation stage takes \(N+M\) shift operations in order to shift M rows and N columns. The bitwise XOR logical operations on each pixel in an 8-bit \(M\times N\) image reaches 8MN operations. Thus, the proposed cipher has an overall time complexity of \(\approx 2N(M-1)+N+M+8MN=\mathcal {O}(MN)\).

5 Conclusions

This paper proposed constructing image ciphers using the first-order linear difference operators along with chaotic permutations and reversible logic gates. All encryption parameters were randomly generated based on chaotic systems. A rigorous mathematical proof is given to show the robustness of the proposed difference-equation scheme against chosen-plaintext attacks. Indeed, breaking the proposed cipher requires the solution of an inverse problem, which is extremely difficult to do with chosen-plaintext attacks. Also, the proposed cipher is shown to be highly effective in comparison with other state-of-the-art methods. Our method is also robust against statistical and differential attacks. Furthermore, our work may be extended in many directions, such as utilizing higher-order linear and nonlinear difference operators. We may also incorporate orthogonal transforms into the cipher, and these transforms may be of different generalized types (such as the randomized, multi-parameter or fractional transforms). Moreover, the proposed randomized encryption algorithm can be adapted and realized by digital circuits [15].

A Appendix

Proof of Proposition 1

Since \(r_k^{(j)}=\mathcal {T}(\xi _k^{(j)})=\alpha _k \xi _k^{(j)}+\beta _k \xi _{k-1}^{(j)}+\gamma _k \), for any j and \(0\le k\le N-1\), if \(j=1\) and \(k>0\), then \(\xi _{k}^{(1)}=\xi _{k-1}^{(1)}=0\), and in this case \(\gamma _k=r_k^{(1)}\) for \(1\le k \le N-1\). Let us now denote the even entries of \(\xi , \alpha , \text {and} \beta \) by \(\xi _{2k}, \alpha _{2k}, \text {and} \beta _{2k}\). Also, denote the odd entries of \(\xi , \alpha , \text {and} \beta \) by \(\xi _{2k+1}, \alpha _{2k+1}, \text {and} \beta _{2k+1}\) for \(k=0,\cdots ,N-1\). Consider \(j=3\) and \(k=1,3,\cdots ,N-1\) in the following equations:

$$\begin{aligned} r^{(3)}_k= & {} \alpha _k \xi _k^{(3)} + \beta _k \xi _{k-1}^{(3)} + \gamma _k, \end{aligned}$$

(36)

$$\begin{aligned} r^{(3)}_{k+1}= & {} \alpha _{k+1} \xi _{k+1}^{(3)} + \beta _{k+1} \xi _{k}^{(3)} + \gamma _{k+1} . \end{aligned}$$

(37)

The even entries of \(\xi \) in (36 and 37), \(\xi _{k-1}=\xi _{k+1}=0\), and the odd entries of \(\xi \), \(\xi _k=1\). Therefore, the odd entries of \(\alpha \), \(\alpha _k\), and the even entries of \(\beta \), \(\beta _{k+1}\) in (36 and 37) can be obtained as \(\alpha _k=r_k^{(3)}-\gamma _k\) and \(\beta _{k+1}=r_{k+1}^{(3)}-\gamma _{k+1}\). By a similar way, consider \(j=4\) and \(k=1,3,\cdots ,N-1\) in the following equations:

$$\begin{aligned} r^{(4)}_k= & {} \alpha _k \xi _k^{(4)} + \beta _k \xi _{k-1}^{(4)} + \gamma _k, \end{aligned}$$

(38)

$$\begin{aligned} r^{(4)}_{k+1}= & {} \alpha _{k+1} \xi _{k+1}^{(4)} + \beta _{k+1} \xi _{k}^{(4)} + \gamma _{k+1} . \end{aligned}$$

(39)

The even entries of \(\xi \) in (38 and 39), \(\xi _{k-1}=\xi _{k+1}=1\), and the odd entries of \(\xi \), \(\xi _k=0\). Therefore, the odd entries of \(\beta \), \(\beta _{k-1}\), and the even entries of \(\alpha \), \(\alpha _{k+1}\) in (38 and 39) can be obtained as \(\alpha _{k+1}=r_{k+1}^{(4)}-\gamma _{k+1}\) and \(\beta _{k}=r_{k}^{(4)}-\gamma _{k}\). Now, consider the case when \(k=0, j=1\) and when \(k=0, j=2\) in the following equations:

$$\begin{aligned} r^{(1)}_0= & {} \alpha _0 \xi _k^{(1)} + \beta _0 \xi _{-1}^{(1)} + \gamma _0, \end{aligned}$$

(40)

$$\begin{aligned} r^{(2)}_0= & {} \alpha _0 \xi _k^{(2)} + \beta _0 \xi _{-1}^{(2)} + \gamma _0, \end{aligned}$$

(41)

Since \(\xi _k^{(1)}=0\) in (40), then \(r^{(1)}_0 = \beta _0 \xi _{-1}^{(1)} + \gamma _0\), and since \(\xi _k^{(2)}=1\) in (41), then \( \alpha _0 = r^{(2)}_0 - ( \beta _0 \xi _{-1}^{(2)} + \gamma _0)=r^{(2)}_0 - r^{(1)}_0\). \(\square \)