1 Introduction

Chaos based ciphers mostly include permutation and diffusion operations [16, 22, 25, 36]. The permutation operation allows to shuffle the plaintext characters while the diffusion process changes the character values. For the generation of permutation and diffusion keys that are necessary for these two operations, a random number generator is required. Mostly, random numbers are derived from chaotic systems due to their ergodicity and sensitivity to initial conditions [16, 30]. These chaotic systems usually involve real-number arithmetic, while data to be encrypted usually are integer encoded characters (image pixels, text characters…). Moreover, in some special cases, the target hardware implementing the chaotic system is precision limited [7, 20]. Although there is no need for converting real-numbers into integers in some chaos based ciphers to generated permutation keys [15, 16], the generation of the diffusion keys inevitably imposes the chaotic numbers to fit the phase space and the precision of the plaintext. For ASCII symbols for example, the values used for the diffusion operation need to be 8-bit encoded for the ciphertext to remain an ASCII symbol. In the case of a gray-level image, the diffusion values should be 8-bit encoded for the encrypted image to preserve its initial format.

The orbits generated from a chaotic system using finite precision are no longer chaotic, but limit cycles with a finite period length [2, 4, 5, 13, 14, 20, 27, 34]. Thus, the randomness of the discrete chaotic sequence is altered by the limited computational precision [12, 19, 20, 28], which seriously affects the security level of the cipher. Some investigations have been made to evaluate the impact of the data precision on the randomness of some well-known chaotic systems [32]. Indeed, using finite computational precision transforms chaotic sequences into periodic orbits with short period lengths, which does not meet requirements of cryptography. It is well known that longer periods and flat period distribution allow to overcome the limited range in the number representation of digital systems, which is very important in constructing high quality PRNGs [39]. Therefore, most of the algorithms proposed in the literature have been implemented under more than 8-bit precision condition. Wafaa et al. in [37] presented a fixed-point hardware realization of the logistic map experiencing a trade-off between computational efficiency and accuracy. They showed that the minimum bus size for the pseudo-random number generator (PRNG) to pass all the NIST tests is 45. Nagaraj et al. in [32] proposed a PRNG in which the average period length is increased by switching between robust chaotic maps. There are several works in the literature that have been carried out in order to increase the period of digital chaotic systems realized under limited precision conditions. Chunlei et al. recently investigated the effects of limited computational precision on discrete chaotic sequences [14]. They proposed a new PRNG that exhibits random sequences with period lengths longer than those of the logistic and tent maps under the same precision, but they didn’t give an estimate of this period. As it is the case for many digital PRNG, the period of the exhibited orbits is usually much smaller than the number of non-trivial points of the system.

Arnold’s cat map (ACM) is known to be chaotic, area-preserving, ergodic and mixing, and invertible [9, 23, 28]. It has a unique hyperbolic fixed point and the linear transformation defining it is hyperbolic. Its quantized version also forms short limit cycles whose lengths do not exceed 3m, m being the modulo value. In the case of n-bit precision (m = 2n) which is convenient for digital applications, the period of the quantized Arnold cat map (QACM) is only equal to 3 ⋅ 2n− 2, n ≥ 2, which is effectively smaller than 3m. Therefore, for the security level of ciphers including the QACM to be enhanced, its period needs to be increased [3, 13, 39]. The other properties of this interesting map can be found in the literature [3, 9, 13, 23, 28]. The ACM is used in cryptography, in digital tattoo applications, in watermarking and for random number generation to cite a few [9, 10, 29]. The QACM is particularly used for image scrambling due to its periodic nature [8]. In such a case, it is combined with another chaotic map to increase the security level of the cipher [6, 31, 31], which involves floating-point arithmethics. The QACM has been also used for the implementation of public key ciphers [24], but the latter are not secure when dealing with QACM with weak periods [26]. When the QACM is not combined with another chaotic map, to overcome the security issue caused by its weak period, most ciphers are based on its continuous phase space version that corresponds to m = 1 and which also involves floating-point arithmetics [18, 41]. As floating-point arithmetics is hardware resource costly, another alternative is to increase the dimensionality of the QACM, as high dimensional maps provide more complicated dynamics than lower ones for some appropriate parameter setting. In addition, highly complex dynamics enhance the confusion and diffusion properties in cryptographic applications [38]. In [39], Ta et al. proposed an approach to extend the dimension of the basic 2-dimensional (2D) QACM by using the fast pseudo-Hadamard transform. The resulted Cat-Hadamard map presents a period that is not so large for enhancing diffusion and confusion properties in cryptographic applications.

In this paper, we propose an 8-bit precision cipher that can be implemented with low-end microprocessors running 8-bit integer arithmetics. The cipher includes exclusively a quantized pseudo-random number generator (QPRNG) based on a 16-dimensional (16D) QACM that exhibits a large period. In order to considerably increase both the period and the complexity of the proposed QPRNG, we suggest to switch between different 2D QACM by defining coupling methods that allow to easily extend the dimension of the system as the number of switches increases. As the period of the set of switches is the least common multiple (LCM) of the periods of the individual switches, the switching instants are chosen as distinct prime numbers for the period of the switches set to be the product of all the individual periods. For the QPRNG to include both initial conditions and control parameters, we suggest to control an 8D time switching based QACM by another 8D time switching based QACM with amplitude-controlled switching instants. Thus, the first 8D QACM is time-controlled using prime numbers, while the second one is space-controlled. We verify that the period and the complexity of the proposed PRNG is strongly related to the number of 2D QACM and switches under interplay. Considering the large period and the complexity of the resulting QPRNG, the proposed 8-bit precision cipher involves exclusively integer arithmetics, and combines the confusion and diffusion operations in a single loop.

The rest of the paper is organized as follows: Section 2 is devoted to the generation of random integers, Section 3 presents the new cipher, Section 4 is devoted to the performance analysis of the proposed cipher, while Section 5 summarizes the paper.

2 Generation of random integers

Our purpose is to design a PRNG exhibiting as much as possible complex dynamics for multimedia encryption. In practice, chaotic systems are complex as their dynamics is nearby brownian. The particularity of the system we are going to propose is that it generates integers, instead of real numbers as it is the case for many chaotic systems.

2.1 System modeling

We consider the basic model of the QACM, which is known to be chaotic and reversible. It is also known to be periodic, according to its finite state space, and that its period depends on the initial conditions [3, 11]. The basic 2D QACM is modeled by

$$ \left\{\begin{array}{ll} x_{1}(t+1)=x_{1}(t)+x_{2}(t) \\ x_{2}(t+1)=x_{1}(t+1)+x_{2}(t) \end{array}\mod m, \right. $$
(1)

where \(m\in \mathbb {N}_{>1}\), \(x_{i}\in \mathbb {N}\), i = 1,2, and \(t\in \mathbb {N}\). While taking m = 2p, \(p\in \mathbb {N}\), the minimal period of the corresponding QACM is

$$ {\Pi}(p)=3\times2^{p-2}, p>2, $$
(2)

with π(1) = π(2) = 3, while its upper bound is 3m [3, 9, 13]. For relatively small values of m, such a short period needs to be increased to improve the performance of QACM based ciphers [17]. Working in this direction, we propose to couple four two-dimensional (2D) QACM to obtain an 8D QACM. The proposed 8D QACM is supposed to provide a large key space for data encryption .

We assume that variables x1 and x2 in (1) describe respectively the momentum and the position of a particle. For extending this assumption to the 8D system, let us assume that xi, 1 ≤ i ≤ 4, are the momenta of four particles and xi, 5 ≤ i ≤ 8 the corresponding positions. Then the behavior of the first particle (or first QACM) is described by (x1,x5), the second one by (x2,x6), the third particle by (x3,x7) and the fourth one by (x4,x8). The state of the system is described by x = (x1,x2,x3,x4,x5,x6,x7,x8)T, where (⋅)T is the transpose of (⋅). In order to increase the basic period of the 8D QACM, one can switch between different configurations, i.e., systems with different initial conditions. Such a switching process can be seen as shock occurrences between particles. We assume that there are two shock occurrences that can suddenly change the behavior of each variable xi (four shocks per particle) and that these shocks periodically occur in time. Therefore, there are 16 shock occurrences or shock instants di that influence the behavior of the whole system. The corresponding shock instants vector is noted as d = (d1,d2,⋯ ,d16)T. We can also consider more than four shocks per particle without modifying the dimension of the phase space of the system: the dimension of the shock space is independently chosen of that of the system state space. Now considering a linear coupling between particles for describing interactions and including shocks between particles, we define the following general coupling term:

$$ \begin{array}{@{}rcl@{}} {x_{i}}(t + 1) &=& {x_{i}}(t) + a_{i}\cdot{x_{j}}(t + {\tau_{j}})+ a_{i+8}(1 - a_{i})\cdot{x_{k}}(t + \tau_{k}) \\ && + (1-a_{i}-a_{i+8}+a_{i}a_{i+8})\cdot x_{l}(t+\tau_{l})\mod{2^{p}} \end{array} $$
(3)

where 1 ≤ ijkl ≤ 8, ai = δ (t mod di), τj = 0 (resp. τk = 0, τl = 0) if i < j, (resp. i < k,i < l), and τj = 1 (resp. τk = 1, τl = 1) if i > j (resp. i > k, i > l). δ(t) is the Dirac function and the coefficients ai(t) are defined such that

$$ a_{i}(t)=\left\{\begin{array}{ll} 1, & \quad\text{if }0\equiv t\mod d_{i}; \\ 0, & \quad\text{otherwise.} \end{array}.\right. $$
(4)

There are many coupling possibilities and we set the following

$$ \begin{array}{@{}rcl@{}} \left\{\begin{array}{l} {x_{1}}(t{+}1) {=}{x_{1}}(t) {+} a_{1}{x_{5}}(t){+}(1-a_{1})a_{9}{x_{8}}(t){+}(1-a_{1}-a_{9}{+}a_{1}a_{9})x_{7}(t)\\ {x_{2}}(t{+}1) {=}{x_{2}}(t) {+} a_{2}{x_{6}}(t){+}(1-a_{2})a_{10}{x_{7}}(t){+}(1-a_{2}-a_{10}{+}a_{2}a_{10})x_{5}(t)\\ {x_{3}}(t{+}1) {=}{x_{3}}(t) {+} a_{3}{x_{7}}(t){+}(1-a_{3})a_{11}{x_{6}}(t){+}(1-a_{3}-a_{11}{+}a_{3}a_{11})x_{8}(t)\\ {x_{4}}(t{+}1) {=}{x_{4}}(t) {+} a_{4}{x_{8}}(t){+}(1-a_{4})a_{12}{x_{5}}(t){+}(1-a_{4}-a_{12}{+}a_{4}a_{12})x_{6}(t)\\ {x_{5}}(t{+}1) {=}{x_{5}}(t) {+} a_{5}{x_{1}}(t{+}1){+}(1-a_{5})a_{13}{x_{3}}(t{+}1){+}(1-a_{5}-a_{13}{+}a_{5}a_{13})x_{2}(t{+}1)\\ {x_{6}}(t{+}1) {=}{x_{6}}(t) {+} a_{6}{x_{4}}(t{+}1){+}(1-a_{6})a_{14}{x_{2}}(t{+}1){+}(1-a_{6}-a_{14}{+}a_{6}a_{14})x_{3}(t{+}1)\\ {x_{7}}(t{+}1) {=}{x_{7}}(t) {+} a_{7}{x_{2}}(t{+}1){+}(1-a_{7})a_{15}{x_{1}}(t{+}1){+}(1-a_{7}-a_{15}{+}a_{7}a_{15})x_{4}(t{+}1)\\ {x_{8}}(t{+}1) {=}{x_{8}}(t) {+} a_{8}{x_{3}}(t{+}1){+}(1-a_{8})a_{16}{x_{4}}(t{+}1)+(1-a_{8}-a_{16}+a_{8}a_{16})x_{1}(t+1) \end{array}\mod2^{p},\right. \end{array} $$
(5)

which can be put into matrix form as

$$ \mathbf{x}(t+1)=A(t)\mathbf{x}(t)\mod 2^{p}, $$
(6)

where the matrix A(t) is defined as

$$ A(t)=\left( \begin{array}{cccccccc} 1 & 0 & 0 & 0 & m_{15} & 0 & m_{17} & m_{18} \\ 0 & 1 & 0 & 0 & m_{25} & m_{26} & m_{27} & 0 \\ 0 & 0 & 1 & 0 & 0 & m_{36} & m_{37} & m_{38} \\ 0 & 0 & 0 & 1 & m_{45} & m_{46} & 0 & m_{48} \\ m_{51} & m_{52} & m_{53} & 0 & m_{55} & m_{56} & m_{57} & m_{58} \\ 0 & m_{62} & m_{63} & m_{64} & m_{65} & m_{66} & m_{67} & m_{68} \\ m_{71} & m_{72} & 0 & m_{74} & m_{75} & m_{76} & m_{77} & m_{78} \\ m_{81} & 0 & m_{83} & m_{84} & m_{85} & m_{86} & m_{87} & m_{88} \end{array} \right), $$
(7)

with m15 = a1; m17 = 1 − a1a9 + a1a9; m18 = (1 − a1)a9;

m25 = 1 − a2a10 + a2a10; m26 = a2; m27 = (1 − a2)a10;

m36 = (1 − a3)a11; m37 = a3; m38 = 1 − a3a11 + a3a11;

m45 = (1 − a4)a12; m46 = 1 − a4a12 + a4a12; m48 = a4;

m51 = a5; m52 = 1 − a5a13 + a5a13; m53 = (1 − a5)a13;

m55 = 1 + a5a1 + (1 − a5a13 + a5a13)(1 − a2a10 + a2a10);

m56 = (1 − a5a13 + a5a13)a2 + (1 − a5)a13(1 − a3)a11;

m57 = (1 − a5a13 + a5a13)(1 − a2)a10 + a5(1 − a1a9 + a1a9) + (1 − a5)a13a3;

m58 = a5(1 − a1)a9 + (1 − a5)a13(1 − a3a11 + a3a11);

m62 = (1 − a6)a14; m63 = 1 − a6a14 + a6a14; m64 = a6;

m65 = a6(1 − a4)a12 + (1 − a6)a14(1 − a2a10 + a2a10)

m66 = 1 + a6(1 −a4a12 + a4a12) + (1 −a6)a14a2 + (1 −a6a14 + a6a14)(1 −a3)a11;

m67 = (1 − a6)a14(1 − a2)a10 + (1 − a6a14 + a6a14)a3;

m68 = a6a4 + (1 − a6a14 + a6a14)(1 − a3a11 + a3a11);

m71 = (1 − a7)a15; m72 = a7; m74 = 1 − a7a15 + a7a15;

m75 = a7(1 −a2a10 + a2a10) + (1 −a7)a15a1 + (1 −a7a15 + a7a15)(1 −a4)a12;

m76 = a7a2 + (1 − a7a15 + a7a15)(1 − a4a12 + a4a12);

m77 = 1 + a7(1 − a2)a10 + a15(1 − a7)(1 − a1a9 + a1a9);

m78 = (1 − a7a15 + a7a15)a4 + (1 − a7)a15(1 − a1)a9;

m81 = 1 − a8a16 + a8a16; m83 = a8; m84 = (1 − a8)a16;

m85 = (1 − a8)a16(1 − a4)a12 + (1 − a8a16 + a8a16)a1

m86 = a8(1 − a3)a11 + (1 − a8)a16(1 − a4a12 + a4a12);

m87 = a8a3 + (1 − a8a16 + a8a16)(1 − a1a9 + a1a9);

m88 = 1 + a8(1 −a3a11 + a3a11) + (1 −a8)a16a4 + (1 −a8a16 + a8a16)(1 −a1)a9.

The matrix of the system at iteration t is equal to the product of the first t matrices of occurring shocks. As each coefficient ak, 1 ≤ k ≤ 16, can either be 0 or 1, the maximum number of distinct matrices is NA = 216. The distribution of the matrices is periodic and its period TA is equal to the least common multiple (LCM) of {dk}k= 1,2,…,16. While setting dk as distinct prime numbers, TA takes its maximum value, that is

$$ T_{A}=\prod\limits_{k=1}^{16}d_{k}. $$
(8)

The behavior of the whole system is thus the modulation of the behaviors of the individual 2D QACM. Therefore, the period Tx of the system is then

$$ T_{\mathbf{x}}={\Pi}(p)T_{A}, $$
(9)

This period depends on the choice of dk once p has been fixed. We choose d = (5,7,11,13,17,19,23,29,211,223,227,229,233,239,241,251)T, which corresponds to the minimal period Tx = 8.8844 × 1027 ⋅π(p). Such a period is sufficiently large, as compared to the basic period of the QACMs. The particular case p = 0, hence m = 1, corresponds to the ACM that exhibits chaotic behaviors in a continuous phase space.

Although the QACM period π(p) is multiplied by the TA factor in the proposed system, the orbit length still depends on the initial conditions, and it could be too small for some initial condition values. For the system to be used as a pseudo-random number generator, it is better to get full length orbits. Such a requirement is satisfied by considering an external force temporarily acting on the system as

$$ \mathbf{x}(t+1) = A(t)\mathbf{x}(t)+\mathbf{u}_{x}(t)\mod 2^{p}, $$
(10)

where

$$ \mathbf{u}_{x}(t)=(a_{1}(t), 0, 0, 0, 0, 0, 0, 0)^{T} $$
(11)

for example. By this approach, the system does no longer present a steady state within the interval [0,2p − 1], and the number of non-trivial points that an orbit may contain is Np = 28p. For p = 2 and x(0) = (0,0,0,0,2,0,0,2)T for example, the orbit lengths are respectively 252 for the unforced system and 65536 for the forced one, which clearly corresponds to Np = 216. Forcing the system thus considerably increases the orbit length, hence acts as a pseudo-random number generator. Figure 1 shows the corresponding first return maps of the system state x = 27px8 + 26px7 + 25px6 + 24px5 + 23px4 + 22px3 + 2px2 + x1. One can observe that the unforced system presents a fractal aspect while the forced one is behaving like brownian motion.

Fig. 1
figure 1

(Color online) Normalized first return map of the (a) unforced and (b) forced system, p = 2, x(0) = (0,0,0,0,2,0,0,2)T

Full size image

2.2 Key space extension: inclusion of control parameters

The period of the system typically depends on the number of particles and the choice of the shock instants. The shock instants, while chosen as prime numbers, need to be all distinct, otherwise the period factor does no longer follow the rule in (8). Indeed, a redundant shock instant appears only once in the computation of TA as it corresponds to the LCM of {dk}, which contributes to reduce the predicted period. In order to extend the key space, we modify the architecture of the system by considering amplitude-dependent shock instants, that could be used as control parameters for the generation of random numbers. Therefore, we adopt a piece-wise coupling principle interacting two distinct systems, the controlling system with time-dependent shock instants and the controlled one with phase space-related shock instants. Indeed, particular phase space values of the controlling system are used as shock instants for another system of the same type (controlled system). We agree that the second system is amplitude-controlled by the first one, which itself is time-controlled (due to time-dependent shock instants).

Similarly to the time-controlled system, we define {sk}k= 1,2,…,16 the set of control parameters or shock amplitudes. The dynamics of the amplitude-controlled system thus depends on the values of control parameters sk. The general coupling term of such a system can thus be written as

$$ \begin{array}{@{}rcl@{}} {y_{i}}(t + 1) &=& {y_{i}}(t) + b_{i}\cdot{y_{j}}(t + {\tau_{j}})+ b_{i+8}(1 - b_{i})\cdot{y_{k}}(t + \tau_{k}) \\ && + (1-b_{i}-b_{i+8}+b_{i}b_{i+8})\cdot y_{l}(t+\tau_{l})\mod{2^{q}}, \end{array} $$
(12)

where ijkl, τj = 0 (resp. τk = 0, τl = 0) if i < j, (resp. i < k, i < l), and τj = 1 (resp. τk = 1, τl = 1) if i > j (resp. i > k, i > l). The coefficients bi are defined as

$$ b_{i}(t)=\left\{\begin{array}{ll} 1, & \quad\text{if }x_{i}< s_{i}; \\ 0, & \quad\text{otherwise,} \end{array}.\right. $$
(13)

and

$$ b_{i+8}(t)=\left\{\begin{array}{ll} 1, & \quad\text{if }x_{i}< s_{i+8}; \\ 0, & \quad\text{otherwise,} \end{array}.\right. $$
(14)

with 1 ≤ i ≤ 8, \(q\in \mathbb {N}_{\geq 1}\) and si < si+ 8.

For the system to exhibit full range orbits, we also consider a forcing term uy. The corresponding amplitude-controlled system can thus be put into the following form

$$ \mathbf{y}(t+1)=B(t)\mathbf{y}(t)+\mathbf{u}_{y}(t)\mod 2^{q}. $$
(15)

The elements of the matrix B(t) are similar to those of matrix A(t), except that the coefficients ai are replaced by bi. The main advantage of this approach is that the two systems can be run in parallel, which can easily allow to speed up the generation of random numbers. Moreover, the precision of the two systems are completely independent, which also means that the amplitude-controlled system can be seen as a converter of the time-controlled system. Indeed, in the case the phase space of the time-controlled system is continuous, that of the amplitude-controlled one can be seen as its digitized version: it acts like an analogue-to-digital converter. In the case p > 1 and q > 1, the complete system is a 16-dimensional time varying QACM, and can be written as

$$ \mathbf{z}(t+1)=\left( \begin{array}{cc} A(t) & 0 \\ 0 & B(t) \end{array}\right) \mathbf{z}(t)+\mathbf{u}(t)\mod 2^{r}, $$
(16)

where r = (p,q)T, p being the precision of the controlling system and q that of the controlled system. This system thus contains 48 key parameters, namely 16 initial conditions and 16 control parameters, 8 forcing parameters for the forcing system, and 8 other forcing parameters for the controlled system. Such a key length is large enough for designing secure ciphers. As the controlling system is periodic, the controlled system also is periodic, knowing that it is quantized.

2.3 Evaluation of the randomness of the system

The NIST-800-22 test suite is useful for evaluating statistical properties and conclude on the randomness of our system. Such an evaluation is required for the system to be used as PRNG for data encryption. Therefore, we applied the NIST test to our time varying QACM for various initial conditions, control parameters and precisions r. For simplification purposes, we set \(s_{i}=\left \lfloor \frac {2^{p}}{3}\right \rfloor \) and \(s_{i+8}=2\left \lfloor \frac {2^{p}}{3}\right \rfloor \), 1 ≤ i ≤ 8, ux, uy as in (11).

Table 1 shows the results obtained with 21 different initial conditions (x = 0 to x = 20, y = x), where

$$ x=\sum\limits_{k=1}^{8}2^{8(k-1)}x_{k}, $$
(17)

and

$$ y=\sum\limits_{k=1}^{8}2^{8(k-1)}y_{k}. $$
(18)
Table 1 P-values [35] of the NIST-800-22 suite test in terms of the number of encoding bits p = 8
Full size table

The sequence length is set as N = 106 for each initial condition. The results are presented for p = 8 and various values of q. It then appears that the controlling system passes all the statistical tests. Five tests (Block Frequency Test, Runs Test, the Non-overlapping Template Test, Approximate Entropy Test, and the Serial Test-1) were not successful for the controlled system in the case q = 1, while it successfully passes all the statistical tests for q > 1.

We recall that in our case, a given test is successful as the corresponding P-value is greater than 0.01. The other tests that are not successful fail for some initial values, but not for all. Such results were observed only for q = 1. For the rest of the paper, we are going to consider both systems (controlling and controlled) in the proposed cipher, with p = q = 8.

3 Proposed encryption algorithm

The algorithm we are proposing includes the QACM above presented as PRNG. It combines the confusion and diffusion steps in a single loop. Both permutation and diffusion keys are image dependent, which contribute to reinforce the security level of the cipher. We implemented it for color images for a more general use. The Algorithmic steps of the proposed cipher are given below in Algorithm 1.

figure a

3.1 Generating permutation and diffusion keys

The permutation and diffusion keys are directly derived from the QACM using the external key. In this paper, we used a 256-bit key S, hence a set of 32 ASCII symbols S = S1S2S32 to derive initial conditions and control parameters. The corresponding decimal values are set as K = (K1, K2,…K32). There are sixteen initial conditions to be derived from the external key. For the time-controlled sub-system, these initial conditions are determined as

$$ x_{i}(0) = \sum\limits_{k=i}^{i+24}k\cdot K_{k}\mod 2^{p}, $$
(19)

while those of the amplitude-controlled sub-system are determined as

$$ y_{i}(0)=\sum\limits_{k=4(i-1)+1}^{4i}k\cdot K_{k}\mod 2^{q}, $$
(20)

where 1 ≤ i ≤ 8. Kk is the decimal value of the k-th ASCII symbol Sk of the external key. Similarly to the initial conditions, the control parameters also are set from the external key. For this purpose, we first sort into ascending order values K17 to K32 and obtain a sorted vector Q of sixteen values ranged from 0 to 255. Thereafter, the control parameters are set as

$$ \left\{\begin{array}{ll} s_{j}=6+\left\lfloor\frac{\mathbf{Q}(j)}{3}\right\rfloor, & \quad\text{if }1\leq j\leq8; \\ s_{j}=6+2\left\lfloor\frac{\mathbf{Q}(j)}{3}\right\rfloor, & \quad\text{if }9\leq j\leq16. \end{array}\right. $$
(21)

The above initial conditions and control parameters are then included in the QACM to generate the permutation and diffusion keys. For this purpose, we remove the first t = 100 iterates for transient die out and consider the following N ones to form N-length random sequences. Sequence X = (x1(t + 1),x1(t + 2),…,x1(t + N))T is sorted into ascending order and the corresponding time index sequence is considered as our initial permutation key Ix. Similarly, sequence Y = (y1(t + 1),y1(t + 2),…,y1(t + N))T is used as the initial diffusion key. The generation of the permutation and diffusion keys includes steps 2 to 4 of our algorithm, and combines only integer operations. The confusion and diffusion processes are respectively realized by applying the permutation key to the plaintext sequence U as

$$ \mathbf{U}_{s}=\mathbf{U}(\mathbf{I}_{\mathbf{x}}), $$
(22)

and XOR-ing the diffusion key with the shuffled sequence Us as

$$ \mathbf{U}_{c}=\mathbf{U}_{s}\oplus\mathbf{D}_{y}. $$
(23)

Uc is a one-round encrypted sub-image and ⊕ is the bitwise XOR operation. Once a sub-image has been confused and diffused, the permutation and diffusion keys need to be updated before encrypting the following sub-image.

3.2 Updating permutation and diffusion keys

From a sub-image to another one are used different permutation and diffusion keys. However, all of them are related and the process to move from the previous key to the new one is called updating. For the updating of the permutation key, eight random integers are generated; in the previous sequence \(\mathbf {X}^{\prime }\), the first eight values are discarded, then the sequence is eight steps left shifted while the eight newly generated integers are placed at the end of the sequence. Indeed, let \(\mathbf {X}^{\prime } = (X^{\prime }(1), X^{\prime }(2), \ldots , X^{\prime }(N))^{T}\) be the previous sequence, then the updated sequence is \(\mathbf {X} = \left (X^{\prime }(9), X^{\prime }(10), \ldots , X^{\prime }(N), x_{1}(1), x_{2}(1), \ldots , x_{8}(1)\right )^{T}\), where xi(1), 1 ≤ i ≤ 8 are the newly generated integers. Note that only one iteration of the PRNG is necessary for generating the 8 integers. The updated sequence X is thereafter sorted into ascending order and the corresponding time index sequence is considered as the updated permutation key.

For the generation of the eight new random integers, updated initial conditions also are required. These initial conditions are image dependent. We set the first fifteen updated initial conditions as

$$ \left\{\begin{array}{ll} x_{i}(0)=\mathbf{K} (1+(\mathbf{U}_{c}(i)\mod 32)), & \quad\text{if }1\leq i\leq 8; \\ y_{i-8}(0)=\mathbf{K} (1+(\mathbf{U}_{c}(i)\mod 32)), & \quad\text{if }9\leq i\leq 15. \end{array}\right. $$
(24)

The last initial condition completely depends on the image and is set as

$$ y_{8}(0)=\sum\limits_{j=1}^{N}\mathbf{U}_{c}(j)\mod 2^{q}. $$
(25)

According to this updating process, the initial conditions change with the sub-image.

The diffusion key also needs to be updated for the cipher to be secure. Thus, we consider the previous diffusion key \({\mathbf {D}}_{y}^{\prime }\) and set \(\mathbf {Y}^{\prime } = {\mathbf {D}}_{y}^{\prime }\); then update eight values in \(\mathbf {Y}^{\prime }\) as it was the case for \(\mathbf {X}^{\prime }\). The updated sequence is then \(\mathbf {Y} = (Y^{\prime }(9), Y^{\prime }(10), \ldots , Y^{\prime }(N), y_{1}(1), y_{2}(1), \ldots , y_{8}(1))^{T}\), and the updated diffusion key is obtained as

$$ \mathbf{D}_{y}={\mathbf{D}}_{y}^{\prime}+\mathbf{Y}(\mathbf{I}_{x})\mod 256, $$
(26)

where Ix is the updated permutation key.

4 Results and security analysis

The performance of the algorithm is evaluated with RGB test images of size 512 × 512 and 256 gray levels to show the color image encryption ability of the algorithm. We also consider as sub-image length N = 2n, n ∈{4,5,6,7,8,9,10}. The encryption scheme should resist all kinds of known attacks: known-plaintext, ciphertext-only, statistical, differential and brute-force attacks. We present in this section some security analysis results for the proposed cipher, including: key-space analysis, statistical analysis, differential analysis, number of pixel change rate (NPCR) and unified average changing intensity (UACI) for one pixel difference in the plain-text image. The 256-bit external encryption key used for our simulation is set as S = azertyuiopqsdfgjazertyuiopqsdfg0.

4.1 Statistical analysis

The statistical analysis concerns the histogram, the correlation of adjacent pixels and the information entropy of the ciphered image. The statistical analysis of several 256 gray-scale color images having different contents were evaluated and we present here the results obtained for the image of Lena (Fig. 7(a)). We evaluate the statistical parameters for different values of N. We first evaluate the entropy of image encryption using our algorithm. The entropy is determined as

$$ H=-\sum\limits_{i=0}^{255}p(v_{i})\log_{2}(p(v_{i})), $$
(27)

where 0 ≤ vi ≤ 255 are pixel values and p(vi) the probability of vi. Figure 2 shows the behavior of the entropy H in terms of N and the number of rounds R. It is observed from this figure that the entropy does not depend on N and R. The entropy values of the ciphered image remain satisfactory for all the simulated block lengths as H > 7.9992,∀N ≥ 16. For N = 16 for example, the entropy of the red component of the image passes from \(H_{Red}^{p}=7.253\) for the plain-image to HRed = 7.9993 for the ciphered image with R = 1,2 or 3.

Fig. 2
figure 2

(Color online) Entropy values H in terms of the number of rounds R and the block length N. From left to right are presented, respectively, the entropy values of the Red, Green and Blue colors. R = 1 corresponds to the solid line, R = 2 the dashed line and R = 3 the dash-dotted line

Full size image

Similarly, the correlation of horizontally, vertically and diagonally adjacent pixels is evaluated. For this purpose, we used Pearson’s correlation coefficient defined as

$$ \rho_{A,B}=\frac{E((A-\mu_{A})(B-\mu_{B}))}{\sigma_{A}\cdot\sigma_{B}}, $$
(28)

where E(⋅) is the expectation value; μ and σ are mean value and standard deviation, respectively; A and B are images to be compared.

Figure 3 shows the behavior of the correlation coefficients of horizontally adjacent pixels as a function of N for various values of R. This figure also shows that the correlation coefficients of adjacent pixels do not depend on N and R. The correlation coefficients of adjacent pixels in the plain-image are, respectively, ρRed = 0.9798, ρGreen = 0.9691 and ρBlue = 0.9327, while the corresponding values for one round ciphered image are ρRed = − 0.0045, ρGreen = 0.0008 and ρBlue = − 0.0004 with N = 16; and ρRed = 0.0002, ρGreen = 0.0030 and ρBlue = 0.0019 with N = 1024. Similar results were obtained with vertically and diagonally adjacent pixels. This result proves that the proposed cipher satisfies the zero co-correlation property that is necessary to resist statistical attacks even for N = 16 only.

Fig. 3
figure 3

(Color online) Correlation coefficient ρ of horizontally adjacent pixels in terms of the number of rounds R and the block length N. From left to right are presented, respectively, the ρ values of the Red, Green and Blue colors. R = 1 corresponds to the solid line, R = 2 the dashed line and R = 3 the dash-dotted line

Full size image

Figure 4 shows the histograms of one round ciphered image of Lena with N = 16. It appears that the histogram of each component of the ciphered image is fairly uniform and significantly different from that of the corresponding plain-image component. According to this result, deducing the secret key from the cipher-text during the known/chosen plaintext attacks is a hard task.

Fig. 4
figure 4

(Color online) Histograms of the image of Lena. In the first line, from left to right, are shown the original histograms of the red, green and blue components, respectively; while the second line is showing the histograms of the corresponding ciphered image components

Full size image

4.2 Differential attack

The sensitivity of the cipher to small changes in the plain-image (single pixel change) is required for the cipher to resist differential attacks. The metrics commonly used to evaluate the robustness against the differential attacks are the NPCR and UACI. The NPCR between two ciphered images A and B of size m × n is defined by:

$$ NPCR_{A,B}=\frac{{\sum}_{i=1}^{m} {\sum}_{j=1}^{n}D(i,j)}{m\times n}\times100 $$
(29)

where

$$ D(i,j)=\left\{\begin{array}{ll} 1, & \quad\text{if }A(i,j)\neq B(i,j); \\ 0, & \quad\text{otherwise.} \end{array}\right. $$
(30)

Similarly, the UACI is defined as:

$$ UACI_{A,B}=\frac{100}{255}\frac{{\sum}_{i=1}^{m}{\sum}_{j=1}^{n}|A(i,j)-B(i,j)|}{m\times n} $$
(31)

The result in Fig. 5 shows that the cipher is sensitive to one pixel change for R > 1. Indeed, the cipher is secure as NPCR > 99.5810 and 33.3445 ≤ UACI ≤ 33.5826 (α = 0.01 significance level) for gray images of size 512 × 512 [21]. In the case R = 1, the maximal values of NPCR and UACI were obtained for N = 16. We found NPCRRed = 97.8458, NPCRGreen = 97.8394 and NPCRBlue = 97.8325; and UACIRed = 32.8434, UACIGreen = 32.8836 and UACIBlue = 32.8228, thus attesting that the cipher is not secure for R = 1. All these values are far less than the target values that are necessary for the cipher to be secure. When R > 1, the cipher becomes much more secure as observed in Fig. 5. The number of rounds that are necessary for the cipher to be secure increases with N. We observed that the minimal number of rounds required is \(R_{\min \limits }=2\) for N = 24 and that the system is secure with \(R_{\min \limits }=3\) for all the values of N chosen on simulation. The dependency of the security level on N and R is justified by the fact that during the first round, the impact of the single changed pixel value does not affect the overall image; starting from the second round, the influence of the pixel change propagates in the other sub-images, depending on N, which contributes to enhance the NPCR and UACI. The values obtained for R = 3 and N = 24 are respectively NPCRRed = 99.6010, NPCRGreen = 99.6086 and NPCRBlue = 99.6174; and UACIRed = 33.4559, UACIGreen = 33.4164 and UACIBlue = 33.4373. This ability of the cipher to encrypt small block sizes with high security level is advantageous when implementing it with low-end processors under limited memory space constraints.

Fig. 5
figure 5

(Color online) NPCR and UACI of one pixel change ciphered image of Lena in terms of N. In the first line, from left to right, are shown the NPCR of the red, green and blue components, respectively, for R = 1 (solid line), R = 2 (dashed line) and R = 3 (dash-dotted line). The corresponding UACI values are shown in the second line

Full size image

We also evaluated the impact of the step size δ (used to perform a right circular shift) on the security level. Figure 6 shows the behavior of the NPCR and UACI of the red component of the image of Lena in terms of δ. We set N = 128 and R = 3 for this experiment. It appears that the NPCR approaches its reference value as δN.

Fig. 6
figure 6

(Color online) Impact of δ on the sensitivity of the cipher with respect to the plain-image. From top to bottom are shown, respectively, the behaviors the NPCR and UACI of one pixel change ciphered red component of the image Lena, with R = 3 and N = 128

Full size image

4.3 Key space analysis

4.3.1 The key space

We designed the cipher with a 256-bit key corresponding to 32 ASCII symbols, as such a key length is known to be sufficiently large for resisting all presently known kinds of brute-force attacks. The key space is the number of effective combinations of 32 symbols that can be built from the set of ASCII symbols, i.e 2256 while using the whole set of ASCII symbols. This key space can easily be extended to 2384 (48 ASCII symbols) by also considering the forcing terms ux and uy as parameters of the 16D QACM. The key space can also be extended by increasing the dimension of the PRNG.

4.3.2 Sensitivity of the key

A high key sensitivity allows to prevent adaptive chosen-plaintext attacks and linear cryptanalysis. In order to evaluate the sensitivity of our cipher to the external key, we considered two slightly different keys S1 = azertyuiopqsdfghazertyuiopqsdfg0 and S2 = azertyuiopqsdfghazertyuiopqsdfg1 to encrypt the same image. Table 2 summarizes the sensitivity of the key of the proposed cipher, for various test images. Values of NPCR and UACI confirm the high sensitivity of the proposed scheme to one bit change in the external key.

Table 2 Detailed statistical properties of images encrypted with two slightly different keys
Full size table

In Fig. 7 is presented an example of ciphering/deciphering. The ciphered image is successfully deciphered when using the same key for both the encryption and decryption processes, whilst the decryption fails for a different key.

Fig. 7
figure 7

(Color online) Sensitivity of the key to one-bit change: (a) Original image, (b) ciphered image with S1 = azertyuiopqsdfgjazertyuiopqsdfg0, (c) successfully deciphered image with S1 and (d) unsuccessfully deciphered image with S2 = azertyuiopqsdfgjazertyuiopqsdfg1, N = 32, R = 2

Full size image

4.4 Speed performance analysis

The running speed of the algorithm is evaluated using Matlab 14b. The algorithm was not optimized and its performances were measured on a computer with Windows 10 operating system, Intel(R) Core(TM) i5-8250U CPU @ 1.60 GHz, and 8GB RAM. The average running time, for R = 3 and N = 1024, is about 146 ms for 512 × 512 gray-scale images. The corresponding average security parameters evaluated with 512 × 512 gray-scale images of Lena, Baboon, Airplane, and Peppers are, respectively, NPCR = 99.6023, UACI = 33.4690 ρh = − 0.0003, ρv = − 0.0009 and ρd = − 0.0007, thus attesting that the algorithm is secure for the chosen parameter setting. ρh, ρv and ρd are, respectively, the horizontal, vertical and diagonal correlation coefficients. Table 3 shows the average running time and security parameters for 3 ≤ R ≤ 8 and N = 1024.

Table 3 Average running speed and corresponding security parameters for 3 ≤ R ≤ 8, N = 1024 and S1 as encryption key
Full size table

4.5 Comparison with existing ciphers

Table 4 shows comparison results with existing algorithms. We used the color image of Lena for the comparison of the average NPCR, UACI and correlation coefficients. It appears that the proposed cipher and Ref. [16] are those presenting both a large NPCR and a UACI close to the ideal value. In the proposed cipher, all the permutation and diffusion keys used are N-length sequences, thus easy to implement, which is not the case for the cipher in Ref. [16]. The circular shift of the image is also performed by sequentially shifting N-length blocks, which allows all the shifting, permutation and diffusion operations to be combined in a single loop. This architecture also allows to reduce the memory space that is necessary for encrypting the entire image.

Table 4 Comparison of the proposed cipher with existing chaos based image ciphers
Full size table

Table 5 compares the running speed of the proposed algorithm with other chaos based ciphers. We used the gray-scale images of cameraman (256 × 256) and Lena (512 × 512) for this experiment. It appears that the running speed of the proposed algorithm can allow real-time data encryption.

Table 5 Comparison of encryption time of different algorithms
Full size table

From the overall comparison, it appears that the proposed cipher is faster compared to those in Ref. [1] and Ref. [40]. The one in Ref. [16] is 2.5 times faster than the proposed one, but it requires floating point arithmetics, which is more constraining than using 8-bit integer arithmetics. The proposed algorithm offers the advantage to combine only 8-bit integer operations, which is much better for its implementation with low-end microprocessors, without loss of security properties.

5 Conclusion

We presented in this paper an 8-bit precision cipher involving exclusively integer arithmetics and that can be implemented with low-end microprocessors. Our cipher includes a PRNG that was obtained by coupling an 8D time varying with an 8D amplitude varying QACM to achieve a 16D system. Eight dimensional QACM themselves were obtained by considering a linear coupling between 2D QACM with shock occurrences to model interactions. Such a coupling method allowed us to considerably increase both the period and the complexity of the resulting system, thus achieving a minimal period Tx > 1027, which is sufficiently large to predict the behavior of the QPRNG. Although it is a 16D system, the proposed PRNG runs fast as it combines only 8-bit integer operations. Its randomness was evaluated using the NIST suite tests. We particularly set the precision of the PRNG to 8 bits for the generated sequences of integers to be directly used for image encryption, without need of data conversion. We therefore evaluated the performance of the proposed cipher under 8-bit precision condition and verified that it runs fast and presents a high security level as compared to existing 32-bit precision chaos based ciphers. However, we need to consider a 16D QACM to achieve periods greater than 1027. Our intent in prospect is to reduce the dimensionality of the system while increasing its period. Such a reduction of the dimensionality will allow to gain computation time while reducing the hardware requirements. We also intend to develop a new confusion approach that does not imply the data sorting and which is much faster than the sorting process.