1 Introduction

The rapid development of digital image transmission over wireless communication media has increased the concern of data security, leading to the demand for image cipher. There exist several techniques for securing data, including steganography, watermarking, and data encryption [2, 25]. The steganography technique conceals the message data; hence it requires more communication bandwidth over a computer network, whereas the cryptography technique transforms the message data, needing approximately the same bandwidth as message data. Thus, encryption is the preferable and mature technology used in applications involving message transmission over a network [19]. In encryption, the message is scrambled using a secret key. The encryption’s strength depends on the secret key’s randomness strength. Different techniques such as linear congruential, additive congruentional, linear feedback shift register, multiple recursive generators and chaos based generators are used to generate the random sequences using the seed as the initial condition of the dynamical system that constitutes the secret key [18, 24, 37].

There exist different methods such as linear feedback shift register (LFSR), linear congruential generator (LCG), Multiple Recursive Generators (MRGs) for generating Pseudo-random Numbers (PRN). The disadvantages of these methods are the limited periodicity of the random number sequence, which can be mitigated using a suitable chaotic system.

Chaotic systems have intrinsic properties such as sensitivity to initial conditions, ergodicity, random-like dynamics behaviors, and unpredictability that are desired characteristics for designing secure ciphers. Hence, chaos-based encryption methods have emerged besides traditional ciphers such as Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Data Encryption Standard (DES), and RSA to enhance data security. However, complex chaotic systems are required to make ciphers more secure. Broadly, there are two types of dynamical chaotic systems: continuous-time and discrete-time. The latter is suitable for data encryption as it is feasible to implement on digital hardware. Among the basic discrete-time systems, 2D logistic map, 2D standard map, 2D Henon map, and the 3D Baker map are used in cryptography [26, 34, 38, 39]. During the last decade, the performance of such systems has been improved to increase their complexity, leading to more randomness for secure data encryption. A combination of the piece-wise-linear chaotic map and linear Diophantine Equation (LDE) enhances the cipher’s security and was used for image encryption [14]. Although the ciphered image was obtained after only one round, it has the drawback that the encryption process is independent of the plain-image characteristics. The authors mitigated the drawbacks by proposing another one-round encryption scheme in which large permutation and diffusion keys were generated by sorting the solutions of the LDE [13]. Multiple chaotic maps were used to derive the control parameters and initial values to increase the security level of the cipher [31]. It enhances the key-space; however, the short-length encryption key makes the cipher vulnerable against brute force attacks. Other ciphers based on the combination of chaotic systems were also proposed to increase the key-space and are still under investigation [22, 29, 30, 33, 36].

In all the above chaos-based ciphers, chaotic maps need to be quantized during the hardware implementation of the algorithm. Such a quantization reduces the randomness of the chaotic orbits; hence the security level of the cipher [41]. In order to overcome such a drawback, it is necessary to either evaluate the complexity of the chaotic system under limited precision conditions or to increase the computational precision. Most of the work reported in the literature implements chaotic systems with 32-bit floating-point arithmetic, which is hardware costly and requires high-end processors for execution [5, 15]. Hence, it is necessary to design quantized chaotic systems with a large period of limit-cycles to implement chaos-based ciphers on a low-end processor [12].

Arnold’s cat map (ACM) preserves the mixing property even after quantization among the different chaotic maps. It has the advantage of (i) being easily defined both in the continuous phase space and the discrete phase space (quantized version) and (ii) a computationally simple 2D system that can be easily extended into a multi-dimensional system. It has been used in data encryption in the confusion step. Apart from the ACM, the combination of the Henon and Arnold cat maps was used in designing an image cipher [11]. Although the algorithm performed well, it has nevertheless been observed that the periodicity of restoring the original image is too short, leading to security issues. More recently, an encryption scheme based on continuous phase space of a generalized Arnold cat map was reported [20]. In [43], the 2D ACM was combined with an affine cipher to enhance the security level of the cipher. In all of these algorithms, the ACM is used in its continuous phase space version, and the precision of the generated obits is chosen as large as possible (32-bit, for example) to avoid short limit-cycles due to the quantization process. The quantized ACM (QACM) has been widely studied in the literature, and the relationship between its period and the number of encoding bits has been determined [6, 7, 27].

The period of the QACM is an important parameter that can induce security issues when using it in cryptography. It is known that the period of the QACM does not exceed 3m, \(m\in \mathbb {N}_{>1}\) being the modulo value. This limitation justifies the use of continuous phase space ACM (m = 1) compared to QACM in many cryptographic applications. As a solution, some researchers investigated the impact of the dimensionality and the control parameters on the period of the system. The investigation showed that the period does not significantly increase with the increase in dimension [16], where the conventional 2D Arnold’s cat map was altered to a 3D map by introducing six control parameters. The obtained map allows for improvement, but the period distribution and its impact on the system dynamics are not evaluated. Due to the finite computer precision, chaotic sequences are transformed into periodic ones. Further, the output of the 3D map was perturbed to mitigate such degradation of chaotic sequences without investigating the impact of the perturbation on randomness.

The present paper proposes a multiplierless 2048-bit key secure cipher based on the quantized piece-wise linear cat map (PWLCM) obtained by perturbing the conventional QACM [11]. We aim to directly generate randomly distributed integers with the desired precision using the PWLCM. The proposed algorithm combines chaos, modular arithmetic, and lattice-based cryptography [3, 8, 35]. The latter allows to easily extend the external key length without duplication. Such a property is required as lattice-based ciphers are assumed to resist future attacks in the era of post-quantum computing [3, 17, 28, 35]. For the algorithm to be implemented even with low-end processors, we consider only 4-bit precision random numbers generated from a 4D PWLCM for performing the confusion and diffusion operations. We investigate the period of the generated random integers and their randomness to prove the high-security level of our cipher. In the proposed scheme, pixel positions and values are modified in a single operation within blocks of size 16 × 16 pixels with a 2D PWLCM before confusing the whole image. It helps to enhance the speed performance. During the confusion-diffusion operation, each 16 × 16 sub-image is modified using a different subkey corresponding to a combination of κ-length vectors (κ-dimensional lattice), \(\kappa \in \mathbb {N}_{\geq 1}\) [28].

The key contributions of the current work are as follows:

  1. 1.

    A novel integer arithmetic multiplierless 2048-bit key image cipher combining chaos, modular arithmetic and lattice-based cryptography is proposed that uses a combination of 4-bit and 8-bit modular addition and subtraction operations only;

  2. 2.

    An extensible key management technique combining modular arithmetic and lattices is presented;

  3. 3.

    A 4-bit 2D and 4D PWLCM is proposed to generate large period pseudorandom sequences;

  4. 4.

    A performance analysis for different attacks is presented.

The rest of the paper is organized as follows: Section 2 presents a brief recalling of ACM and the definition of the PWLCM; Section 3 presents the proposed cipher; Section 4 presents the security analysis of the proposed encryption scheme, and conclusions are given in Section 5.

2 The 4D piece-wise linear cat map (PWLCM)

2.1 Brief recall on 2D PWLCM

Arnold’s cat map is basically a 2D chaotic map of repeated folding and stretching in a limited area. It has been popularly used in multimedia chaotic encryption [5]. The 2D ACM is modeled as [23]:

$$ \left\{ \begin{array}{ll} x(t+1)=x(t)+\alpha y(t) \\ y(t+1)=\beta x(t+1)+y(t) \end{array} \text{ mod } m, \right. $$
(1)

which can be rewritten using matrix representation as

$$ \mathbf{x}(t+1)=A\mathbf{x}(t)\text{ mod } m $$
(2)

where

$$ A=\left( \begin{array}{cc} 1 & \quad \alpha \\ \beta & \quad \alpha\cdot\beta+1 \end{array}\right), $$

\((\alpha ,\beta )\in \mathbb {N}_{\geq 1}^{2}\), and x = (x,y)T; (⋅)T is the transpose of (⋅). The above map is a discrete time system and is continuous in the phase space for (x,y) ∈ [0,1)2 and m = 1. The QACM is obtained for (x,y) ∈ [0,m)2 with \(m\in \mathbb {N}_{>1}\). The QACM is periodic and its period depends on m and the parity of both α and β. It is shown that for α = β = 1 and m = 2n, the period πn behaves like [4, 10]

$$ {\Pi}_{n}=2\cdot {\Pi}_{n-1}, n>2 $$
(3)

with π1 = π2 = 3 for the minimal period.

The period of the QACM can be computed using (3) and it is too short. As an example, for an 8-bit encoded phase space values, the period is π8 = 192. In order to increase the period of QACM, we proposed the PWLCM by introducing a nonlinear perturbation term to the conventional QACM, as shown below [9]:

$$ \mathbf{x}(t+1)=A\mathbf{x}(t)+\mathbf{x}_{c}(t) \text{ mod } m, $$
(4)

where the perturbation xc(t) is defined as

$$ \mathbf{x}_{c}(t) = \left( \begin{array}{c} \sum\limits_{i = 1}^{M} \Big(a_{i} + y(t)\Big) \text{ mod } {c_{i}} \\ \sum\limits_{j = 1}^{N} \Big(b_{j} +x(t + 1)\Big) \text{ mod } {d_{j}} \end{array} \right) $$
(5)

with \((i,j)\in \mathbb {N}\). In (4), ci and dj are two natural numbers such that 0 ≤ ci < m + ai and 0 ≤ dj < m + bj, 0 ≤ ai,bj < m if (ci,dj) = (0,0); 0 ≤ ai < ci if ci≠ 0 and, 0 ≤ bj < dj if dj≠ 0. The parameters ai, bj, ci and dj are defined as perturbation parameters that can also be used as control parameters, while a = (ai), b = (bj), c = (ci) and d = (dj) are control vectors. We showed in [9] that the system in (5) can be put in the form

$$ \mathbf{x}(t+1)=B\mathbf{x}(t)+C(t) \quad\text{ mod } m $$
(6)

where

$$ B=\left( \begin{array}{cc} 1 & \quad \alpha^{\prime} \\ \beta^{\prime} & \quad \alpha^{\prime}\beta^{\prime}+1 \end{array} \right), $$
(7)

with \(\alpha ^{\prime }=M+\alpha \), \(\beta ^{\prime }=N+\beta \) and C(t) = (C1(t),C2(t))T such that

$$ C(t)=\left( \begin{array}{c} \sum\limits_{i=1}^{M} \Bigg(a_{i}-\varepsilon_{i}c_{i}\cdot u\Big(a_{i}+y(t)-c_{i}\Big)\Bigg) \\ \beta^{\prime}C_{1}(t)+\sum\limits_{j=1}^{N} \Bigg(b_{j}-\varepsilon_{j}d_{j}\cdot u\Big(b_{j}+x(t+1)-d_{j}\Big)\Bigg) \end{array} \right), $$
(8)

where \(\varepsilon _{i}=\left \lfloor \frac {a_{i}+y(t)}{c_{i}}\right \rfloor \) and \(\varepsilon _{j}=\left \lfloor \frac {b_{j}+x(t+1)}{d_{j}}\right \rfloor \). u(t) is the Heaviside function defined as

$$ u(t)=\left\{ \begin{array}{ll} 0, & \quad\text{if }t< 0; \\ 1, & \quad\text{otherwise.} \end{array}\right. $$
(9)

We verified that the PWLCM is a conservative system that exhibit large periods [9]. In order to use it both for image scrambling and diffusion, we suggest its 4D modelling.

2.2 The proposed 4D PWLCM

The above 2D PWLCM can be easily extended to a 4D PWLCM by coupling two 2D PWLCM x = (x,y)T and z = (q,r)T such that:

$$ \left\{ \begin{array}{l} {x}(t + 1) = {x}(t) + \alpha {y}(t)+F_{1}(y,t)\\ {y}(t + 1) = {y}(t) + \beta {x}(t+1)+F_{2}(x,t)\\ {q}(t + 1) = {q}(t) + \gamma {y}(t+1)+F_{3}(y,t)\\ {r}(t + 1) = {r}(t) + \zeta {q}(t+1)+F_{4}(q,t) \end{array} \right. \quad\text{ mod } m, $$
(10)

where \((\alpha , \beta , \gamma , \zeta )\in \mathbb {N}^{4}\). F1(y,t), F2(y,t), F3(y,t) and F4(y,t) are the coupling nonlinear terms, defined as

$$ \left\{ \begin{array}{l} F_{1}(y,t) = \sum\limits_{i = 1}^{M} \Big({a_{i}} + y(t)\Big) \text{ mod } {c_{i}} \\ F_{2}(x,t) = \sum\limits_{j = 1}^{N} \Big({b_{j}} +x(t + 1)\Big) \text{ mod } {d_{j}} \\ F_{3}(y,t) = \sum\limits_{k = 1}^{P} \Big({e_{k}} +y(t + 1)\Big) \text{ mod } {g_{k}} \\ F_{4}(q,t) = \sum\limits_{l = 1}^{W} \Big({f_{l}} +q(t + 1)\Big) \text{ mod } {h_{l}} \end{array} \right. $$
(11)

The 4D PWLCM defined in (10) is invertible and the corresponding inverse system is

$$ \left\{ \begin{array}{l} {r}(t) = {z}(t+1) - \zeta {q}(t+1)-F_{4}(q,t)\\ {q}(t) = {q}(t+1) - \gamma {y}(t+1)-F_{3}(y,t)\\ {y}(t) = {y}(t+1) - \beta {x}(t+1)-F_{2}(x,t)\\ {x}(t) = {x}(t+1) - \alpha {y}(t)-F_{1}(y,t) \end{array} \right. \text{ mod } m. $$
(12)

2.3 Stability analysis

In order to investigate the stability of the 4D PWLCM, we evaluated its Jacobian matrix. By using the same expansion as in (5)–(9), the system can be rewritten as in (6) with

$$ B = \begin{pmatrix} 1 & \quad \alpha^{\prime} & \quad 0 & \quad 0\\ \beta^{\prime} & \quad 1+\alpha^{\prime}\beta^{\prime} & \quad 0 & \quad 0 \\ \beta^{\prime}\gamma^{\prime} & \quad \gamma^{\prime}(1+\alpha^{\prime}\beta^{\prime}) & \quad 1 & \quad 0 \\ \beta^{\prime}\gamma^{\prime}\zeta^{\prime} &\quad \gamma^{\prime}\zeta^{\prime}(1+\alpha^{\prime}\beta^{\prime}) & \quad \zeta^{\prime} & \quad 1 \end{pmatrix}, $$
(13)

and C(t) = (C1(t),C2(t),C3(t),C4(t))T such that

$$ C(t)=\left( \begin{array}{c} \sum\limits_{i=1}^{M} \Bigg(a_{i}-\varepsilon_{i}c_{i}\cdot u\Big(a_{i}+y(t)-c_{i}\Big)\Bigg) \\ \beta^{\prime}C_{1}(t)+\sum\limits_{j=1}^{N} \Bigg(b_{j}-\varepsilon_{j}d_{j}\cdot u\Big(b_{j}+x(t+1)-d_{j}\Big)\Bigg) \\ \gamma^{\prime}C_{2}(t)+\sum\limits_{k=1}^{P} \Bigg(e_{k}-\varepsilon_{k}g_{k}\cdot u\Big(e_{k}+y(t+1)-g_{k}\Big)\Bigg) \\ \zeta^{\prime}C_{3}(t)+\sum\limits_{l=1}^{W} \Bigg(f_{l}-\varepsilon_{l}h_{l}\cdot u\Big(f_{l}+q(t+1)-h_{l}\Big)\Bigg) \end{array}\right), $$
(14)

From the above equations, we deduce the Jacobian matrix as

$$ J = \begin{pmatrix} 1 & \quad J_{1,2}(t) & \quad 0 & \quad 0\\ J_{2,1}(t) & \quad J_{2,2}(t) & \quad 0 & \quad 0 \\ J_{3,1}(t) & \quad J_{3,2}(t) & \quad 1 & \quad 0 \\ J_{4,1}(t) & \quad J_{4,2}(t) & \quad J_{4,3}(t) & \quad 1 \end{pmatrix}, $$
(15)

where

$$ \left\{ \begin{array}{l} J_{1,1}(t) = \alpha^{\prime} - {\sum}_{i=1}^{M}(c_{i} \delta(y{(t)} + a_{i} - c_{i}))\\ J_{2,1}(t) = \beta^{\prime} - {\sum}_{j=1}^{N}(d_{j} \delta(x{(t+1)} + b_{j} - d_{j}))\\ J_{2,2}(t) =1+ J_{2,1}(t) J_{1,2}(t)\\ J_{3,1}(t) = J_{2,1}(t)(\gamma^{\prime} - {\sum}_{k=1}^{P}(g_{k} \delta(y{(t+1)} + e_{k} - g_{k})))\\ J_{3,2}(t) =J_{2,2}(t)(\gamma^{\prime} - {\sum}_{k=1}^{P}(g_{k} \delta(y{(t+1)} + e_{k} - g_{k})))\\ J_{4,1}(t) = J_{3,1}(t) J_{4,3}(t)\\ J_{4,2}(t) = J_{3,2}(t) J_{4,3}(t)\\ J_{4,3}(t) = \zeta^{\prime} - {\sum}_{l=1}^{W}(h_{l} \delta(q{(t+1)} + f_{l} - h_{l})) \end{array} \right., $$

and \(\alpha ^{\prime } = \alpha + M\), \(\beta ^{\prime } = \beta + N\), \(\gamma ^{\prime } = \gamma +P\), \(\zeta ^{\prime } = \zeta +W\). The 4D PWLCM thus defined is conservative as \(\det (J)=1\), which implies that the sum of the four corresponding Lyapunov exponents is equal to 0. While computing the eigenvalues of J, we found Λ1 = Λ2 = 1, the other eigenvalues are

$$ \begin{array}{@{}rcl@{}} {\Lambda}_{3}(t) &=& 1+\frac{1}{2} \Bigg(\alpha^{\prime} - {\sum}_{i=1}^{M} c_{i}\delta \Big(y(t)-{\tau_{y}^{i}}\Big)\Bigg) \Bigg(\beta^{\prime} - {\sum}_{j=1}^{N} d_{j} \delta \Big(x(t+1) - {\tau_{x}^{j}}\Big)\Bigg) \\ && \left( 1+ \sqrt{1+\frac{4}{\Bigg(\alpha^{\prime} - {\sum}_{i=1}^{M} c_{i} \delta \Big(y(t) - {\tau_{y}^{i}}\Big)\Bigg) \Bigg(\beta^{\prime} - {\sum}_{j=1}^{N} d_{j} \delta \Big(x(t+1) - {\tau_{x}^{j}}\Big)\Bigg)}}\right)\\ \end{array} $$
(16)

and

$$ \begin{array}{@{}rcl@{}} {\Lambda}_{4}(t) &=& 1 + \frac{1}{2} \Bigg(\alpha^{\prime} - {\sum}_{i=1}^{M} c_{i} \delta \Big(y(t) - {\tau_{y}^{i}}\Big)\Bigg) \Bigg(\beta^{\prime} - {\sum}_{j=1}^{N} d_{j} \delta \Big(x(t+1) - {\tau_{x}^{j}}\Big)\Bigg) \\ && \left( 1- \sqrt{1 + \frac{4}{\Bigg(\alpha^{\prime} - {\sum}_{i=1}^{M} c_{i} \delta \Big(y(t) - {\tau_{y}^{i}}\Big)\Bigg) \Bigg(\beta^{\prime} - {\sum}_{j=1}^{N} d_{j} \delta \Big(x(t+1) - {\tau_{x}^{j}}\Big)\Bigg)}}\right)\\ \end{array} $$
(17)

The Lyapunov exponents corresponding to Λ1,2 are equal to zero. The sum of the Lyapunov exponents being zero implies that Λ3 > 1 (corresponding to a positive Lyapunov exponent) and 0 < Λ4 < 1 (corresponding to a positive Lyapunov exponent). The steady state of the system depends on the perturbing parameter and remains difficult to formally determine. Figure 1 presents the behavior of the largest Lyapunov exponent for arbitrary parameter setting and various initial conditions (x0,y0,q0,r0). We fixed q0 = r0 = 1 and set z0 = 2nx0 + y0, where 0 ≤ x,y ≤ 2n − 1, \(a_{r}={\sum }_{i=1}^{^{N}}2^{n(i-1)}a_{N}\), and n = 4 is the number of bits or precision. Figure 1(a) shows the Lyapunov exponent as a function of initial conditions z0, where control vectors are set as a = e = (1,1,0,0), b = f = (0,2,0,0), c = g = (0,3,1,1), d = h = (3,5,1,1). Figure 1(b) depicts the Lyapunov exponent in terms of the control vector a represented as parameter ar, with N = 3 where x0 = y0 = 2, b = (0,2,1), c = (15,15,15), d = (3,5,1), e = (1,1,0), f = (0,2,0), g = (0,3,1), and h = (3,5,1). These plots show that the largest Lyapunov exponent remains positive for the chosen initial conditions and control parameters.

Fig. 1
figure 1

Lyapunov exponent of the 4D PWLCM: (a) behavior of the Lyapunov exponent λ(z0) with respect to the initial condition z0 = 2nx0 + y0, for n = 4 and given control vectors; (b) behavior of the four Lyapunov exponents λ1,2,3,4(ar) with respect to the control vector a, for n = 4 and given initial condition and control vectors b, c, d, e, f, g, and h

Full size image

2.4 Period and randomness evaluation of the PWLCM

Similar to the QACM, the proposed 4D PWLCM is chaotic while used in a continuous phase space (m = 1). As we are interested in using it in a finite state phase space (m = 4 and m = 8), it is no longer chaotic but preserves the mixing properties of the corresponding chaotic systems. For it to be efficient for security applications, its period should be very large. In this subsection, we estimate the period πn of the proposed 4D PWLCM for different values of the precision n and some arbitrary values of the perturbation parameters. The periods of PWLCM are compared with the QACM and tabulated in Tables 1 and 2. From the Table 1, we can observe that for any value of n, the period of the proposed PWLCM is significantly higher than that of the corresponding QACM.

Table 1 Comparison of the 2D QACM and 2D PWLCM periods
Full size table
Table 2 Comparison of the 4D QACM and 4D PWLCM periods
Full size table

Table 2 shows the comparison of the 4D PWLCM and 4D QACM. It confirms that the periods of the proposed map are significantly higher than those of the QACM for any arbitrary parameter values, α = β = γ = ζ = 1, M = N = 1:

In order to testify the mixing property of the 4D PWLCM, we propose to shuffle a 213 × 213 periodic image obtained by repeating sequences of 8-bit encoded unsigned integers. The image was shuffled with x and y coordinates of the 4D PWLCM. We set as initial conditions, q0 = 1, r0 = 2; \(x_{0},y_{0}\in \left [ 0,2^{13}-1\right ]^{2}\) and controls parameters a1 = 1,b1 = 2,e1 = 0,f1 = 1,c1 = 3,d1 = 3,g1 = 3 and h1 = 3; the corresponding period is 148740480. The NIST800-22 statistical test was performed after 30 iterations of image scrambling with the PWLCM and the QACM. The data set was divided into 100 sets of 1000000 bits and the results obtained are summarized in Table 3. The comparison of the two results confirms that the 4D PWLCM is suitable for the image scrambling as it passes all the tests.

Table 3 NIST 800-22 test results
Full size table

3 Proposed encryption algorithm

The proposed encryption algorithm has two stages, namely diffusion-confusion and confusion only. In the pixel diffusion-confusion stage, the pixel value of each sub-block is diffused and confused using the 4D PWLCM, whereas in the subsequent block confusion stage, each diffusion-confusion sub-block is split into sub-images that are confused using the 2D PWLCM.

The proposed scheme generates the initial values and the control parameter values of 4D PWLCM from the external key, whereas the control parameters of the 2D PWLCM is derived from the external key along with the diffusion-confusion image. Thus, it is image-dependent. The detailed procedure for generating these parameters is described in Section 3.1.

The algorithmic steps of the proposed cipher are mentioned below:

figure a

The block diagram of the proposed image cipher is shown in Fig. 2. The minimum number of rounds for the algorithm to be secure is R = 2. Indeed, once the image-dependent step is applied in the first round, we need to go for a second round for the image-dependent shuffling to take effect in the diffusion process, thus increasing the algorithm’s sensitivity to the plain-image.

Fig. 2
figure 2

Synoptic of the proposed cipher

Full size image

3.1 External key management

The external key is defined by using NK ASCII characters, {Ck},0 ≤ kNK − 1, to derive κ-length (\(\kappa =2\lfloor \frac {N_{K}}{8}\rfloor \)) control vectors a, b, c, d, e, f, g, h whose coordinates are 4-bit encoded unsigned integers. As ASCII characters are 8-bit encoded, each character is divided into two blocks of 4 bits that are used as coordinates of each control vector. Therefore, \(\theta =\frac {\kappa }{2}\) ASCII characters are required to determine the coordinates of each control vector. In the case of 256-bit key for example, 𝜃 = 4 and characters C0 to C3 are used to determine coordinates of the control vector a, C4 to C7 are used for b, C8 to C11 for c, C12 to C15 for d, C16 to C19 for e, C20 to C23 for f, C24 to C27 for g and C28 to C31 are used for h. In the case of a 2048-bit key, 𝜃 = 64 ASCII characters are required to determine each control vector. Therefore, a for example is defined as:

$$ \left\{ \begin{array}{l} \mathbf{a}(2\xi-1) = \left\lfloor\frac{C_{\xi-1}}{16}\right\rfloor \\ \mathbf{a}(2\xi) = C_{\xi-1} \quad \text{ mod } 16 \end{array} \right. $$
(18)

where 1 ≤ ξ𝜃. The other vectors b, e and f are defined using the same principle, from the corresponding ASCII symbols. Similarly, c is defined as:

$$ \left\{\begin{array}{l} \mathbf{c}(2\xi-1) = \mathbf{a}(2\xi-1)+\left\lfloor\frac{C_{\xi+\kappa-1}}{16}\right\rfloor \\ \mathbf{c}(2\xi) = \mathbf{a}(2\xi)+\Big(C_{\xi+\kappa-1} \quad \text{ mod } 16\Big) \end{array} \right. $$
(19)

where 1 ≤ ξ𝜃. The coordinates of the other control vectors d, g and h can be defined using the same approach. Thus, control vectors can be considered as belonging to an κ-D lattice.

3.2 Pixel decomposition

In step 5, individual pixel, i of sub-image Sj, \(j\in \mathbb {N}\) are decomposed into two 4-bit encoded integers qi and ri. For an 8-bit encoded pixel Pi, qi and ri are obtained as

$$ q_{i}=\left\lfloor\frac{P_{i}}{16}\right\rfloor. $$

and

$$ r_{i}=P_{i} \quad \text{ mod }16 $$

3.3 Pixel confusion-diffusion process

In step 6, the confusion and diffusion operations are combined in a single operation (confusion-diffusion). Indeed, the coordinates xi and yi, as well as the intensity coordinates qi and ri of the pixel Pi are used as initial conditions of the 4D PWLCM to output new coordinates \(x_{i^{\prime }}\), \(y_{i^{\prime }}\), \(q_{i^{\prime }}\) and \(r_{i^{\prime }}\) using (20). As Sj is a vector, there is a relationship between xi,yi and i such that

$$ x_{i}=i \quad\text{ mod }16, $$

and

$$ y_{i}=\left\lfloor\frac{i}{16}\right\rfloor. $$

For each sub-image Sj, only a single coordinate a(k), b(k), c(k), d(k), e(k), f(k), g(k), and h(k), k > 0, is used as control parameter to 4D PWLCM as given below:

$$ \left\{ \begin{array}{l} {x}(t + 1) = {x}(t) + \alpha{y}(t)+\left( \mathbf{a}(k)+y(t)\right) \quad \text{ mod } \mathbf{c}(k)\\ {y}(t + 1) = {y}(t) + \beta{x}(t+1)+\left( \mathbf{b}(k)+x(t+1)\right) \quad \text{ mod } \mathbf{d}(k)\\ {q}(t + 1) = {q}(t) + \gamma{y}(t+1)+\left( \mathbf{e}(k)+y(t+1)\right) \quad \text{ mod } \mathbf{g}(k)\\ {r}(t + 1) = {r}(t) + \zeta{q}(t+1)+\left( \mathbf{f}(k)+q(t+1)\right) \quad \text{ mod } \mathbf{h}(k) \end{array} \right. \quad \text{ mod } 16, $$
(20)

where k = 1 + j mod κ. The new position of the diffused pixel \(i^{\prime }\) is obtained after three iterations of the PWLCM as

$$ i^{\prime}=16\cdot y_{i^{\prime}}+x_{i^{\prime}} $$
(21)

The corresponding intensity value is obtained as

$$ P_{i^{\prime}}=16\cdot q_{i^{\prime}}+r_{i^{\prime}}. $$
(22)

3.4 Image-dependent confusion

In order to enhance the security level of the cipher and prevent chosen-plaintext attacks, an additional image-dependent confusion step is performed using the 2D PWLCM, described as

$$ \left\{ \begin{array}{l} {x}(t+1) = \Biggl({x}(t) +\alpha{y}(t)+\sum\limits_{k = 1}^{16} {\Big({\mathbf{a}_{\mathbf{1}}(k)} + y(t)\Big)\text{ mod } {\mathbf{c}_{\mathbf{1}}(k)}}\Biggr) \text{ mod } m_{1}\\ {y}(t+1) = \Biggl({y}(t)+\beta{x}(t+1) +\sum\limits_{k = 1}^{16} {\Big({\mathbf{b}_{\mathbf{1}}(k)} + x(t+1)\Big)\text{ mod } {\mathbf{d}_{\mathbf{1}}(k)}}\Biggr) \text{ mod } m_{2} \end{array} \right. $$
(23)

where a1, b1, c1 and d1 are 16-length control vectors whose coordinates are 4-bit encoded values derived from the image of step 8 and the external key as:

$$ \left\{ \begin{array}{l} \mathbf{a}_{\mathbf{1}}(1:\kappa) = {\Gamma} \quad \text{ mod } \mathbf{c} \\ \mathbf{a}_{\mathbf{1}}(\kappa+1:2\kappa) = {\Gamma} \quad \text{ mod } \mathbf{d} \\ \mathbf{b}_{\mathbf{1}}(1:\kappa) = {\Gamma} \quad \text{ mod } \mathbf{g} \\ \mathbf{b}_{\mathbf{1}}(\kappa+1:2\kappa) = {\Gamma} \quad \text{ mod } \mathbf{h} \\ \mathbf{c}_{\mathbf{1}}(1:\kappa) = \mathbf{a}_{\mathbf{1}}(1:\kappa) + {\Gamma} \quad \text{ mod } \mathbf{a} \\ \mathbf{c}_{\mathbf{1}}(\kappa+1:2\kappa) =\mathbf{a}_{\mathbf{1}}(\kappa+1:2\kappa) + {\Gamma} \quad \text{ mod } \mathbf{b} \\ \mathbf{d}_{\mathbf{1}}(1:\kappa) =\mathbf{b}_{\mathbf{1}}(1:\kappa) + {\Gamma} \quad \text{ mod } \mathbf{e} \\ \mathbf{d}_{\mathbf{1}}(\kappa+1:2\kappa) =\mathbf{b}_{\mathbf{1}}(\kappa+1:2\kappa)+ {\Gamma} \quad \text{ mod } \mathbf{f} \end{array} \right. $$
(24)

where

$$ {\Gamma}=\sum\limits_{i=1}^{N_{L}}\sum\limits_{j=1}^{N_{C}}{I_{c}(i,j)}. $$
(25)

Ic is the intermediate ciphered image obtained in step 8. m1 and m2 are defined such that

$$ \left\{ \begin{array}{l} m_{1} = \frac{N_{L}}{T_{1}} \\ m_{2} = \frac{N_{C}}{T_{2}} \end{array} \right. $$
(26)

with \((T_{1},T_{2})\in \mathbb {N}_{\geq 1}^2\). T1 × T2 is the size of sub-images to be shuffled, m1 × m2 is the number of sub-images and NL × NC is the size of the image.

4 Results and security analysis

The performance of the proposed encryption algorithm is analyzed by encrypting standard images like “Lena”, “Baboon”, “Airplane”, “Peppers”, of size 512 × 512 and 256 gray levels. Figure 3 respectively represents the plain-text “Lena” image, its encrypted image, and the decrypted image with the same key. All simulations are performed using MATLAB 2018b on a CPU with an Intel(R) Core (TM) i5-8250u CPU @ 1.60 GHz and 8 GB RAM with the Windows 10 operating system. In the current simulation, a 256-bit external encryption key is set as K1 = azertyuiopqsdfgjazertyuiopqsdfg0. We also set α = β = γ = ζ = 1 to make the algorithm multiplierless.

Fig. 3
figure 3

Example of ciphered image of Lena using the proposed encryption algorithm: (a) plain-text image; (b) ciphered image and (c) decrypted image

Full size image

4.1 Evaluation metrics

This subsection presents the definition of evaluation metrics used to measure the proposed cipher’s strength.

4.1.1 Entropy measure

The Shannon entropy of the ciphered image is the primary indicator to confirm that the cipher is secure against permutation of pixels. It measures the disorder or randomness of pixels. For an 8-bit encoded image, it is determined as

$$ H=-\sum\limits_{i=0}^{255}p(v_{i})\log_{2}(p(v_{i})), $$
(27)

where 0 ≤ vi ≤ 255 are pixel values and p(vi) the probability of vi. It is to be noted that for an 8-bit encoded image, the maximum value of the entropy is H = 8.

4.1.2 Correlation coefficient

The correlation coefficient is used to measure the similarity between two images A and B, and is defined as

$$ \rho_{A,B} = \frac{E\Big((A- \overline{A})(B- \overline{B})\Big)}{\sigma_{A} \cdot \sigma_{B}}, $$
(28)

where E(⋅) is the expectation value; A and B are images between which the correlation coefficient needs to be evaluated. \({\overline {A}}\) and \({\overline {B}}\) represent the mean value of images A and B respectively. Similarly, σA and σB represent the standard deviation of image A and B respectively. In general, for any plain-text image there exists high correlation between adjacent pixels, whereas in the ciphered image it should be close to 0.

4.1.3 NPCR and UACI measures

The number of changing pixel rate (NPCR) and unified averaged changed intensity (UACI) of an image are the commonly used parameters to measure the change in encrypted pixels by modifying the value of a single-pixel in the original image. These metrics are commonly used to evaluate the strength of ciphers for differential attacks. For a 256-gray level image, the NPCR and UACI between two images are defined as

$$ NPCR_{A,B}=\frac{{\sum}_{i=1}^{N_{L}} {\sum}_{j=1}^{N_{C}}D(i,j)}{N_{L} \times N_{C}}\times 100 $$
(29)

where

$$ D(i,j)=\left\{ \begin{array}{ll} 1, & \text{ if } A(i,j)\neq B(i,j); \\ 0, & \text{ otherwise. } \end{array} \right. $$
(30)

and

$$ UACI_{A,B}=\frac{100}{255} \frac{{\sum}_{i=1}^{N_{L}}{\sum}_{j=1}^{N_{C}}|A(i,j)-B(i,j)|}{N_{L}\times N_{C}} $$
(31)

where \({\mathscr{F}}=255\) is the largest supported value of 256 gray level images. A high NPCR (NPCR > 99.5810) and UACI (33.3445 ≤ UACI ≤ 33.5826) [21] imply a high resistance of the cipher to differential attacks.

4.2 Key-space analysis

The key-space analysis is performed by evaluating the key-space and key sensitivity.

4.2.1 Key-space

Key-space is an ensemble of all possible combinations of keys that are used for encryption. A 256-bit key is known to be sufficiently large to prevent brute force attacks. One of the proposed cipher’s main advantages is its key-space’s extensibility. To simulate a post-quantum computing attack, we extended the key to 2048 bits. Indeed, most chaos-based ciphers exhibit a large key-space with keys that cannot easily be proven to be different. However, the sensitivity of the key is verified by changing its least significant bit (LSB). However, by our approach, the key-space can be extended as desired without sacrificing the independence of the keys. This approach consists of affecting to each sub-image j a sub-key (a(k), b(k), c(k), d(k), e(k), f(k), g(k), h(k)) corresponding to a map QACMk, with k = 1 + j mod κ. Each sub-image j is encrypted with a different map QACMk, such that any permutation in the set {QACMk}1≤kκ affects the behaviour of the cryptogram, thus giving the possibility to extend the key-space.

4.2.2 Sensitivity of the key

Key sensitivity measures the sensitivity of the encryption algorithm to a small change in the key value. A high sensitivity of the key is required to prevent adaptive chosen-plaintext attacks and linear cryptanalysis. To evaluate the sensitivity of our cipher to the external key, we have encrypted the same image with two slightly different keys K1 as mentioned above and K2 = azertyuiopqsdfghazertyuiopqsdfg1. The key K2 has only one-bit change from key K1. The plain-text image is encrypted with keys K1 and K2; UACI, NPCR, and correlation coefficients between the two encrypted images are tabulated in Table 4. The NPCR and UACI values are more than the reference values, and correlation coefficients close to zero suggest that the algorithm is highly sensitive to the key. In addition, the entropy of the image encrypted with key K1 and decrypted with key K2 is computed and tabulated in the same table. The entropy close to eight demonstrates that the decryption is unsuccessful; hence, the proposed algorithm is extremely sensitive to the key. We repeated the same experiment with a 2048-bit key. We set the 2048-bit as \(K^{\prime }1=K1K1K1K1K1K1K1K1\) and a one-bit different key \(K^{\prime }2\) as \(K^{\prime }2=K1K1K1K1K1K1K1K2\). The sensitivity of the key was evaluated under the same conditions as for the 256-bit key and the results are tabulated in Table 4. It demonstrates that the sensitivity of the key analysis is the same as in the case of the 256-bit key. Therefore, we can conclude that the proposed cipher presents an extensible key space than can be adapted depending on the desired security level.

Table 4 Detailed statistical properties of images encrypted with two slightly different keys K1 and K2 in the case of 256-bit, and \(K^{\prime }1\) and \(K^{\prime }2\) in the case of 2048-bit
Full size table

In Fig. 4, an example of ciphering/deciphering realized with two (R = 2) rounds is presented. The plain-image is encrypted with \(K^{\prime }1\). After that, the ciphered image is successfully decrypted with \(K^{\prime }1\). However, the decryption fails with \(K^{\prime }2\), which attests to the high sensitivity of the cipher to the encryption key.

Fig. 4
figure 4

Sensitivity of the key to one-bit change: (a) successfully decrypted (original) image with \(K^{\prime }1\), (b) unsuccessfully decrypted image with \(K^{\prime }2\), (c) histogram of the original image and (d) histogram of the unsuccessfully decrypted image

Full size image

Security of the proposed cipher, although we set T1 = T2 = 2. Figure 5 shows the behavior of the entropy values of the RED component of the image of Lena encrypted with K1 and those of the corresponding attempt for decryption using K2. The entropy is evaluated by varying T1 and T2 and plotted in terms of \(\mu _{1}=\log _{2}(T_{1})\) and \(\mu _{2}=\log _{2}(T_{2})\) in Fig. 5.

Fig. 5
figure 5

Behaviour in term of μ1 and μ2 of entropy values of the ciphered and decrypted components of the color image of Lena(R = 2): (a)-(c) cases of the respective RED, GREEN and BLUE components encrypted with K1; and (d)-(f) cases of attempt for decryption with K2 for RED, GREEN and BLUE components, respectively. Satisfactory entropy values after an attempt for decryption are observed for (μ1,μ2) < (4,4)

Full size image

From this figure, we observed that the sensitivity of the key depends on the choice of (T1,T2). We verified that the system is secure to one-bit change in the external key as (μ1,μ2) < (4,4). The upper limit μm = 4 of μ1 and μ2 corresponds to the binary logarithm of the block length of the confusion-diffusion step. We observe that the entropy decreases with an increase in T1 or T2, leading to a decrease in the key sensitivity. Further, in some cases, entropy values are close to those of the plain-image entropy (HR = 7.2531). It attests to the vulnerability of the proposed scheme for these values of μ1 and μ2. In the proposed method, such a sensitivity decrease is compensated by increasing the number of rounds of the algorithm.

4.3 Statistical analysis

The histogram, the correlation of adjacent pixels (ρh: correlation coefficient between horizontal adjacent pixels; ρv: correlation coefficient between vertical adjacent pixels; ρd: correlation coefficient between diagonal adjacent pixels) and the information entropy of the ciphered image are evaluated for several 256 gray-scale images. Figure 6 shows the results obtained for the color image of Lena (Fig. 4(a)) by varying number of rounds R between 1 and 10. Figure 6 suggests that the entropy is independent of the number of rounds R for R > 1, thereby attests that the minimum number of rounds required for the cipher to be secure is R = 2. Similarly, it also shows a satisfactory analysis result for the correlation of horizontally (ρh), vertically (ρv), and diagonally (ρd) adjacent pixels. Indeed, it can be concluded that the correlation coefficients of the three image components, i.e., RED, GREEN, and BLUE, are close to zero, independently of the number of rounds R. Thus, the proposed cipher satisfies the zero-correlation property necessary to resist statistical attacks.

Fig. 6
figure 6

Entropy values H and correlation coefficients ρ in terms of the number of rounds R. (a) Entropy values (H), (b)-(d) correlation coefficients of respectively horizontal (ρh), vertical (ρv) and diagonal (ρd) adjacent pixels for the RED, GREEN and BLUE components

Full size image

Figure 7 shows the histograms of two round ciphered images of Lena for the RED, GREEN, and BLUE components. It appears that the histogram of each encrypted component is fairly uniform and significantly different from that of the corresponding plain-image component. It demonstrates that deducing the secret key from the ciphertext during the known/chosen plaintext attacks is hard.

Fig. 7
figure 7

Histograms of the image of Lena: first line shows from left to right histograms of the (a) RED, (b) GREEN and (c) BLUE components of the original image, respectively; second line (d)-(f) shows histograms of the corresponding components of the ciphered image

Full size image

4.4 Differential attack

For the cipher to resist differential attacks, it must be sensitive to a small change (single-pixel change) in the plain-image. We evaluated the robustness of our cipher against the differential attacks by comparing the NPCR and UACI values of a two-round ciphered image of Lena to their reference values. We diagonally varied the position (x,y) of changed pixels as (k,k), with 1 ≤ k ≤ 512 by the step size of 2, and computed the corresponding NPCR and UACI for the RED, GREEN and BLUE components of the color image of Lena, and plotted in Fig. 8.

Fig. 8
figure 8

Dependence of NPCR and UACI on position ((k,k)) of the changed pixel: case of the color image of Lena. The change applies to each image component and the NPCR of the RED, GREEN and BLUE components are computed separately for each of the components

Full size image

A cipher is secure as NPCR > 99.5810 and 33.3445 ≤ UACI ≤ 33.5826 (ν = 0.01 significance level) for gray images of size 512 × 512 [21]. The result in Fig. 8 shows that our cipher is sensitive to one-pixel change for R > 1. From this figure, it appears that the proposed cipher can resist differential attacks as the NPCR and UACI remain in the good range independently of the coordinate of the pixel change. We also observed that the values of the NPCR and UACI depend on the input image. Indeed, for two different components, the NPCR values obtained from the same pixel change coordinate are different; the same observation is made for the UACI. Table 5 shows comparative values of the proposed cipher’s NPCR and UACI and other recent cipher (R = 3). This comparison also confirms the effectiveness of our algorithm.

Table 5 Comparison of NPCR and UACI values for color images
Full size table

4.5 Speed performance analysis

The execution speed of the proposed cipher is evaluated using Matlab 18b in the CPU as specified above. Table 6 compares the execution speed of the proposed algorithm with other chaos-based ciphers. We used the gray-scale images of cameraman (256 × 256) and Lena (512 × 512) for this experiment. The average execution time, for R = 2, is about 0.4478s for the 512 × 512 gray-scale images. Although this speed is comparable to that of Refs. [1] and [42], it remains low as compared to the one obtained in [13]. Such a low execution speed is justified by the multiple data conversion involved in the algorithm, which is not necessary for hardware implementation. For example, the decomposition of the pixel gray-level into two 4-bit encoded integers q(t) and r(t) implies a division and a modulo operation. In the hardware implementation, these operations correspond to the four most significant bits (MSB) as the quotient q(t) and the four least significant bits (LSB) as the remainder r(t), thereby is time-saving. Similarly, the inverse of this decomposition is time costly in Matlab and corresponds to the concatenation of the two 4-bit outputs q(t + 1) and r(t + 1) in the hardware implementation. Thus, the proposed algorithm is more suitable for low-cost hardware implementation than software implementation. The overall comparison shows that the cipher in Ref. [13] is running faster in the Matlab environment than in ours; however, it requires floating-point arithmetic that is hardware costly than the 4-bit integer arithmetic used in the proposed scheme. Our algorithm offers the advantage of combining only 4-bit and 8-bit integer arithmetic operations, precisely addition and subtraction. These basic operations make simpler its hardware implementation even with low-end microprocessors without losing its security properties. Moreover, the algorithm can easily be parallelized according to its architecture shown in Fig. 2.

Table 6 Comparison of encryption time of different algorithms
Full size table

5 Conclusion

This paper proposed an extendable integer image cipher based on the combined 4-bit and 8-bit PWLCM. The cipher does not require any multiplication operation. The PWLCM is obtained by perturbing the convectional QACM and presents an extended period. The key space extensibility is achieved using different lattice length (κ) of the PWLCM control vectors. The extended key space helps to avoid key duplication. We evaluated the sensitivity of the key under 256-bit and 2048-bit key conditions and verified the high sensitivity of the key for both cases. Such flexibility for the extensibility of the key-space makes the proposed cipher a good candidate to resist brute-force attacks even under the post-quantum computing situation. The main advantages of the proposed cipher are the low number of bits involved in its hardware implementation and the extensibility of its key-space. Moreover, only unsigned integer addition and subtraction operations are used, contrary to other chaos-based ciphers that involve floating-point arithmetics, including time-consuming operations like multiplications and divisions. The statistical, differential, and key-space analysis demonstrate the robustness of the proposed cipher against known attacks. We further expect to reduce the block size while maintaining a high-security level of the cipher, simplifying its implementation with low-end processors under the limited memory space constraints.