A Difference-Equation-Based Robust Image Encryption Scheme with Chaotic Permutations and Logic Gates

Image encryption has become an indispensable tool for achieving highly secure image-based communications. Numerous encryption approaches have appeared and demonstrated varying degrees of robustness to adversarial attacks. In this paper, an efficient and robust image encryption algorithm is established based on randomized difference equations, random permutations and randomized logic circuits. Specifically, hyperchaotic and chaotic systems are used to generate pseudo-random sequences. These sequences are thus used to define random first-order difference equations, chaotic permutations and logic circuits. Image encryption based on these three randomized modules shows high computational efficiency as well as strong robustness against statistical, differential, and chosen-plaintext attacks. The proposed scheme leads to almost zero correlation in the encrypted images, entropy values of more than 7.99 for the test images, and a key space size of 2572\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{572}$$\end{document}. Furthermore, differential analysis shows that the number of pixel change rate (NPCR) and the unified average change intensity (UACI) for the proposed technique are on average 99.61 and 33.35%, respectively.


Introduction
Image encryption is an essential operation for visual information hiding and secure image communication with a wide range of applications in digital communication [8], imaging [14], and cloud computing [29]. Based on information redundancy and plain-image pixel correlation, numerous encryption algorithms have been developed where the image pixels are essentially scrambled and encoded into cipherimage pixels using secret keys [22]. The strength of any encryption algorithm depends on how far it can satisfy two key properties: confusion and diffusion. On the one hand, a high-confusion encryption algorithm little or no correlation between a cipher-image and its corresponding plain-image. On the other hand, for a high-diffusion algorithm, any change in the secret key or the plain-image information is effectively propagated to the cipher-image. The encryption algorithms can be generally categorized into symmetric and asymmetric algorithms [7,34]. A symmetric encryption algorithm uses a single secret key for image encryption and decryption, while an asymmetric algorithm uses a public key for encrypting a plain-image, and a different private key for decrypting the corresponding cipher-image.
Many image encryption techniques have been developed over the past few decades in order to ensure better encryption strength, efficiency, and robustness. Indeed, different mathematical and statistical tools have been exploited in order to achieve these goals through introducing higher degrees of randomness in the encryption keys and operations. For example, Annaby et al. [1] proposed highly secure image encryption algorithms by extending the construction of the discrete fractional Fourier transform (DFrFT) and introducing two generalized discrete transforms of both unitary and non-unitary types. Artiles et al. [6] employed a randomized variant of the Rijndael S-box to construct randomizedblock image ciphers. Moreover, chaos and chaotic systems have been extensively explored to strengthen the encryption confusion and diffusion properties. For instance, Hua et al. [18] introduced a cosine-transform-based chaotic system through which image pixels are scrambled with randomorder substitution, and are then diffused with chaotic maps of complex dynamical behavior. Other encryption algorithms explored novel chaotic maps [33,39], compressive sensing [41], orthogonal transforms [10,35] and logic circuits [4].
Many image encryption algorithms in literature are based on shuffling image pixels using permutations and/or XOR operations. However, using these operations only in encryption has been shown as insecure against chosen-plaintext attacks [5,21,23,42]. In [5], Arroyo et al. designed a chosenplaintext attack to break an encryption algorithm based on pixel shuffling and gray-level masking. In particular, for M × N images, one plain-image is chosen to remove the masking part, and then the procedure in [23] is followed to recover the shuffling map using log 256 M N images. When the encryption scheme is based on permutation only, [21] proved that via choosing log L M N plain-images of size M N and L different intensities, the chosen-plaintext attack completely determines the correct plaintext elements. Moreover, Huang et al. [19] demonstrated a cryptanalysis algorithm for encryption algorithms based on Latin cubes.
In this work, we establish a new image encryption scheme based on randomized first-order difference equations, chaotic permutations, and randomized logic circuits. It should be pointed out that the use of difference equations can be viewed as a diffusion process among pixels, rather than diffusion among blocks as in [13,17,25,36,38]. However, this diffusion process merely uses difference equations with constant coefficients. In our approach, we use a randomized difference equation, where the coefficients are not only variable keys, but are also generated using pseudorandom chaotic sequences. We implement hyperchaotic sequences to scramble pixel values, and hence construct chaotic gates. The robustness of the use of the first-order difference equations is rigorously discussed. In particular, we demonstrate that the choice of the initial conditions plays a major role in strengthening the immunity of the encryption algorithm. In summary, the main contributions of this paper are as follows: -A novel efficient and robust image encryption scheme is presented. -For the first time, randomized difference equations are proposed for image encryption. -The proposed algorithm utilizes both chaotic permutations and chaotic logic gates, whose parameters generated via hyper-chaotic maps. -The robustness of the proposed difference-equation encryption scheme is demonstrated through a rigorous proof.
-Various statistical measures are used to evaluate the performance outcomes of the proposed scheme and compare them with those of other state-of-the-art methods.
The paper is designed as follows. The mathematical tools used in the proposed image encryption technique are introduced in Sect. 2. In Sect. 3, the details of the encryption and decryption algorithms are introduced, in addition to the specification of the employed encryption keys. Section 4 presents the simulation and statistical analysis results for the proposed encryption algorithm. Conclusions of this work are given in Sect. 5.

Encryption Tools
This section introduces the basic tools required to build up a robust and efficient encryption technique. These tools are basically chaotic (or hyper-chaotic) difference equations, reversible logic gates, and random logic circuits.

Chaotic Systems
For the purpose of information security, there is an essential need for pseudo-random number generators that yield pseudo-random number sequences. These sequences are employed as encryption keys in image encryption algorithms. Many chaotic systems have been proposed in the literature to generate chaotic number sequences.
In [12], Dong et al. proposed a new family of Hamiltonian conservative chaotic systems. In particular, a 5D conservative hyper-chaotic system (CCS) was introduced with two non-hyperbolic equilibrium points, nonzero initial values, and coexisting quasi-periodic and hyper-chaotic orbits. This 5D system is defined by the following equations: Fixing the parameters a, b, c, d of the system in (1), and the initial values in some dimensions and varying the other dimensions causes the dynamic flow to evolve and switch among hyper-chaos, chaos, and quasi-periodic motions. The effects of the initial values of (x, y, z, w, v) on the system dynamics have been analyzed in [12]. As previously mentioned, coexisting orbits have been founded, for special values or ranges of some dimensions. The dynamic properties of the system in [12] were verified by several criteria, namely dynamical evolution maps, equilibrium points, and the Lya-punov dimension. Additionally, the pseudo-randomness of his chaotic system has been validated through NIST [27]. The implementation details of a chaotic system similar to that in (1) are mentioned in [12]. In our work, , we employ the system in (1) with a hyper-chaotic orbit by choosing the following parameter settings a = 30, b = 30, c = 10, and d = 30, as well as the initial values x = −0.1, y = 2.45, z = −0.1, w = 1.85, and v = −0.1.

Randomized Difference Equations
Consider the first-order equation: α k = 0, together with the initial condition Here α k , β k , γ k , η are randomly generated numbers (generally complex numbers). However, we select them to be real numbers.
The coefficients α k , β k , γ k and the initial condition value η are randomly selected via the systems described in the previous section. They will be used as keys of the encryption process.
By slightly modifying the technique of [24], a general solution of the Cauchy problem (3) and (4) can be written as: where u k is the solution of the homogeneous problem, γ k ≡ 0, i.e., and h k is any particular solution of (3) and (4). Again by a slightly different analysis of [24], we obtain Consequently where k = 0, · · · , N − 1. A detailed analysis of using (8) in encryption is established in Sect. 3.

Chaotic Circuits
We mean here by chaotic circuits, any logical gate or circuit with controlling bits determined via chaotic systems, such that the controlled-NOT gate in Fig. 1. This gate takes two input bits x and y, and outputs the bits x and z = x ⊕ y. The x bit in this gate acts as a controlling bit, where if x = 0, then the output bit z = y, and when x = 1, that implies that z = ¬y. For image encryption, the controlling-bit gate can be applied by generating the x bits by a chaotic system, to ensure the randomness of the bit stream, and specifying the y bits as the plaintext image bits. Then, the ciphertext image is obtained by applying the controlled-NOT gate, such as the ciphertext image bits are the output bits of XOR gate z = x ⊕ y, in case the input bits of the XOR gate are x and y, as is previously specified. We should note that the controlling-NOT gate is used in this article; however, any reversible gate can be applied, not only with 1 controlling bit, but also with 2 controlling bits like Fredkin gate. Some analysis about the security of applying the reversible gates, rather than the irreversible gates, in image encryption, is mentioned in [2].

Using Difference Equations
In this subsection, we discuss the use of the first-order difference Eqs. (3) and (4) as well as its solution (8) as an encryption tool. In addition, we will discuss its robustness against chosen plaintext attacks.

Encryption Algorithm
The proposed encryption technique of this paper consists of three different stages, implementing the tools briefed in Sect.
2. The first stage applies the difference equation approach among plaintext pixels, while the second and third steps apply chaotic permutation and chaotic logic gates or circuits, respectively. The cipher might be made more complicated by applying randomized orthogonal transforms, see, e.g., [2]. The algorithm is illustrated in Fig. 3 and can be summarized as follows: Step 1. In this stage, we apply the procedure (3,4) column-wise on the plaintext image. Let P be the N − 1 × N − 1 plaintext image, which may be written as: Illustration of the application of (9) onto the input signal ξ to output r using the keys α, β, γ , η −1

Fig. 3 Illustration of the three steps in the encryption algorithm
where P j is the column A is the transpose of a matrix A, p x,y is the value of pixel at the xth row of the yth column. To make the encryption stage of applying (3,4) as robust as possible, we may apply (3,4) n times with the coefficients α(l), β(l), γ (l), η(l), l = 1, · · · , n. These coefficient parameters are considered as encryption keys, and they are randomly chosen. The random choice of the parameters α, β, γ , η applied on each column of the plaintext is different. For each round of application, these parameters can be fixed, or variant for each round. Thus, we apply (3, 4) on each column through and According to the performance analysis demonstrated below, we found that n = 6 is a possible minimum of rounds to guarantee robustness. Let T j = T n (P j ), j = 0, · · · , N − 1, and T be the N − 1 × N − 1 matrix, such that T = (T 1 , · · · , T N −1 ). In the following step, we apply permutation of the pixels of T .
Step 2. The permutation step is performed by shifting each column, T j , of T , j = 0, · · · , N − 1, circularly, by y j ∈ {0, 1, · · · , N − 1} units, via the translation operator R as: Then, apply the above operator R on the rows of T , s j , In the following step, the XOR gate is applied on the pixels of S.
Step 3. The XOR gate is used to scramble each pixel s i, j with a random key e i, j ∈ E, such that E is an N − 1 × N − 1 matrix, and produce c i, j via Thus, C is the ciphertext image corresponding to P.
The first step in the above encryption algorithm is applied five rounds on the 256 × 256 Cameraman plaintext image shown in Fig. 4a to produce Figs. 4b-f. As can be shown, after the first round of application, the details of the plaintext features still can be recognizable. However, as many rounds of applications are performed, the features diminish until it cannot be possible to extract related features from the plaintext. Steps 2 and 3 of the encryption algorithm representing the permutation and XORing are applied on Fig. 4f to enhance the encryption security and produce the ciphertext image shown in Fig. 4h. The random appearance of pixels can be shown after a few rounds of the difference equation on the plaintext image and after the permutation and XORing applications.
The choice of the number of rounds of the first encryption step is arbitrary. In order to investigate a suitable number of rounds after which there is almost no correlation between the plaintext image, we applied (9) a test set of 10 plaintext images of size 256 × 256 for rounds 1 through 10. After each round, we calculate the average correlation coefficient value between the resulting images and the plaintext images. Figure 5 shows how much the correlation after each round of application. As can be seen, the correlation coefficient value decreases as the number of rounds increases. We have found that when the number of rounds is 6, the correlation value becomes negative and tremendously small, and it continues to be negative and smaller for further applications. Therefore, repeating the first encryption step for 6 rounds is an adequate number before applying the permutation and XORing in steps 2 and 3. The average mean square error after each round of application of the difference equation only to the plaintext images can be shown in Fig. 6. After the first round of application, a small error is found; however, the error increases as

Decryption Algorithm
The decryption algorithm steps are the converse of the implemented encryption steps. The first step is applying the inverse of the implemented logical gate in the encryption algorithm to undo the scrambling effect by the logical gate. The second step is to permute the columns and rows of the output matrix by the inverse of the permutation map utilized in the encryption algorithm. The last step is applying (10) to reverse the effect of the mapping (ξ k → r k ) and output the plaintext. The details of implementing each step are as follows.
Step 1 Let C be the N − 1 × N − 1 ciphertext image.
In this stage, we reverse the XOR logical gate applied in Step 3 in the encryption algorithm. Since the inverse of XOR is itself, then S can be retrieved via where e i, j is the (i, j) element in the key matrix E (23). In the following step, the permutation step is reversed by rearranging the pixels of S.
Step 2 Since the permutation in the encryption step is applied by shifting the columns, and then the rows, then in this stage, the rows are shifted, first, and then the columns, in the opposite direction, by the same permutation map as used in the encryption algorithm. Construct the matrix Then, the columns of T , denoted by T 1 , T 2 , · · · , T N −1 , are circularly shifted, to yield T 1 , T 2 , · · · , T N −1 via where x j , y j are as chosen in (21)- (22). Let T = (T 1 , T 2 , · · · , T N −1 ). In the following step, (10) is applied on each T j , 1 ≤ j ≤ N − 1, to yield the columns of P = (P 0 , P 1 , · · · , P N −1 ).

Encryption Keys
The chaotic systems' streams of (1, 2) are used to generate the parameters of the randomized difference equation, the permutation map, and the logic gate implemented in our encryption algorithm. Therefore, the parameters and initial values of these systems are the secret keys of the encryption system. The chaotic system in (1) requires 4 parameters a, b, c, d, and 5 initial values for x, y, z, w, v to generate pseudorandom sequences, while the system (2) requires one parameter μ and one initial value q 0 . Therefore, the total number of keys in this system is 11. These parameters and initial values should be known by the sender and receiver for the purpose of encryption and decryption.
As we have mentioned, we will use the chaotic maps (1) and (2) to generate six random sequences for implementing the three mentioned stages of encryption. For this purpose, we need to preprocess the obtained chaotic sequences.
Let X , Y , Z , W , V be the chaotic sequences generated by the system variables x, y, z, w, v. As in [37], a preprocessing step is used to improve the statistical randomness properties, before employing the sequences X , Y , Z , W , V in the encryption procedure. The preprocessing equation applied on the X sequence, for instance, similar to the formula in [37], is where X [i] is the ith element in the X chaotic sequence corresponding to the ith generated value of the system variable x, when x is discretized, and n is the shifted backward digits of the decimal part. Similarly, (28) is applied on the other sequences Y , Z , W , V . Additional information about the statistical randomness properties achieved after applying the preprocessing step, and illustrations of the preprocessed chaotic sequences are found in [37]. Let Q be the chaotic sequence generated by (2). Then, we have the sequences X , Y , Z , W , V , Q to be used in encryption algorithm. The randomized encryption keys α, β, γ , η to implement the difference equation step are taken from the sequences X , Y , Z , W , respectively. For the second permutation step in the encryption algorithm, the sequence V is used, while the sequence Q is used to determine the random key of the XOR gate in the third step of the encryption algorithm.

Encryption Methods
In Sect. 3.2, we have introduced an encryption algorithm which utilizes many methods such as randomized difference equation, chaotic permutations and logic gates (XOR). In this section, we discuss the function and contribution of each method in our encryption algorithm. As noted in the introduction of this paper, the use of permutation and XOR operations only is insecure against the chosen-plaintext attack. Then, we have applied the randomized difference equation whose parameters are chaotic in the encryption process to resist such attacks. We have theoretically proved that the randomized equation is robust as the initial conditions (η) as well as the initial values β 0 and γ 0 which are randomly chosen are unrecoverable while the other parameters of difference equation (α, β, γ ) can be recovered. After the application of the difference equation, we have used the chaotic permutations and logic gates to enhance the confusion and statistical properties of the cipher-text image. Since XOR is a balanced gate [4], then the effect of applying such a gate with chaotic inputs is a uniform distribution, as shown in Fig. 7, which is necessary to resist statistical attacks and enhance the statistical measures.

Histogram Analysis
Histogram analysis is a primitive common measure of robustness against statistical attacks. When the histogram of a ciphered image is uniform, no statistical information can be recovered. Figure 7 shows the histograms of four plaintext test images, and also their corresponding ciphertext images. As can be shown, the histograms of the ciphertext images are all uniform despite the fact that the four plaintext image histograms have distinct patterns. This shows the robustness of the proposed technique against statistical attacks.

Brute-Force Attack
A brute-force attack searches for and attempts to identify the utilized secret cipher key among all possible keys in the key space. If the key space is large enough, the search becomes highly infeasible and the cipher turns out to be robust against the brute-force attack. The proposed cipher uses a large number of keys in association with the hyper-chaotic map and the logic gates. Specifically, the hyper-chaotic map is parameterized by four parameters a, b, c, d, as well as the initial values of the state variables x, y, z, w, v. Also, a logic gate has the parameter μ and the initial value q 0 (2). All of these parameters and initial values are considered to be the keys of the proposed cipher. If a 52-bit precision is used for key representation, then the key space shall be quite large with a size of = 2 52×11 = 2 572 . Therefore, the key space can be huge enough to guarantee robustness against the brute-force attack. The key space may be further enlarged if we use different chaotic-sequence parameters in order to define a different encryption scheme (3 and 4) for each row (or column) of the plaintext image.

Correlation
The sample Pearson's correlation coefficient, r xy , for {(x 1 , y 1 ), (x 2 , y 2 ), · · · , (x n , y n )}, where x i and y i are sample points taken from X and Y variables, respectively, can be defined by For correlation analysis, we examine how much adjacent pixels in a ciphertext image are correlated. Ciphers should ideally exhibit no correlation between ciphertext adjacent pixels, while the adjacent pixels in plaintext images generally have high correlation coefficients. We chose random samples of 5000 pairs of adjacent pixels in the horizontal, vertical and diagonal directions. Then, we estimated the correlation in each of these directions by computing r xy according to (29). Figure 8 shows plots of the gray-level values of adjacent pixels for plaintext and ciphertext of the Lena image. While the plaintext image shows linear correlation in all directions, the ciphertext image shows completely random patterns with no clear correlation. These visual observations are supported by the correlation coefficient values, computed for 10 test images in Table 1. For each test image, the correlation coefficient is almost zero, indicating no correlation between the ciphertext pixels.
Moreover, Table 2 compares the average correlation coefficients obtained for standard test images after encryption by   our method and five other state-of-the-art methods. Although each of these methods used a slightly different set of standard images, it is still valid to say that the results of the different methods are comparable with no significant differences in the correlation coefficients. On average, our method is slightly better than most of other methods for different correlation directions.

Structural Similarity
For image quality assessment, Wang et al. [40] introduced the index of structural similarity between an original image and a distorted image. This index is based on comparisons of local pixel intensity patterns, where the pixel intensities are normalized for luminance and contrast. The structural similarity between two images can be decomposed into three components (luminance, contrast and structure), which are respectively denoted by l(x, y), c(x, y), ands(x, y). Then, this similarity index can be mathematically defined as: The definitions of each of the l(x, y), c(x, y), ands(x, y) components and the conditions that S(x, y) should satisfy can be found in [40]. For two image patches x and y, the structural similarity can be mathematically expressed as follows: where μ x , μ y are the mean intensities of x and y, while σ x , and σ y are the corresponding standard deviations. Also, σ xy denotes the covariance of x and y, while C 1 , C 2 are constants. The similarity index as defined in (31) satisfies the conditions that S(x, y) ≤ 1 and that S(x, y) = 1 iff x = y [40]. In our context, we use the index S to measure the similarity between an original plaintext image and the corresponding ciphertext image, where the former is assumed to be the reference image. Table 3 shows that the structural similarity values for 10 pairs of plaintext and ciphertext test images are ≈ 0. These results demonstrate a high encryption strength for the proposed encryption algorithm.

Entropy
Let O denote a zero-memory source of statistically independent random events (source symbols) from the possible set of events {a 1 , a 2 , · · · , a J }. Each event a j is generated with a probability P(a j ). The entropy H measures the information content averaged all sources [16], as expressed by the formula P(a j ) log 2 P(a j ).
In particular, if an image is an output of the source O, such that each event a j represents one of the image intensities, the entropy of the image can be defined as: where r k , p r (r k ), and L are the k ( th) intensity value, the probability of occurrence of the k ( th) intensity value, and the highest intensity value, respectively. In an image with random intensity values, the pixel intensities are supposed to be generated (emitted) with equal probabilities. Based on the definition of the image entropy in (33), 0 ≤ H ≤ log 2 L, and H = 8 for a completely random 8-bit image. Table 4 lists the entropy values of the ciphertexts of our test images. The entropy values are near optimal (≈ 8), and this verifies the randomness and strength of our encryption algorithm. Table 5 compares the entropy values obtained for standard test images after encryption by our method and four other methods. On average, our entropy results are the same or even slightly better than those of the compared methods. In fact, the average entropy obtained by our method matches the result returned by Hui et al. [20] and exceeds the results returned by the three other methods.

Differential Attacks
The number of changing pixel rate (NPCR) measures how much two images have different pixel intensities in corresponding locations. Also, the unified averaged changed intensity (UACI) measures the average absolute difference between two images. Let f 1 and f 2 be two M × N images with intensities in the range [0, L − 1]. Then, the NPCR and UACI measures are defined, respectively, as follows [32]: where , Differential cryptanalysis techniques (or differential attacks) investigate how small changes in the input plaintext image can affect the output ciphertext image. By tracing differences and discovering non-random patterns, an adversary can exploit the existing encryption properties to recover the encryption key. The NPCR and UACI measures are used to evaluate the strength of an encryption scheme against such

Computational Efficiency
We estimate the computational complexity of the proposed cipher as follows. We count the main operations used in each encryption stage, and the total operation count is used to find the overall cipher complexity. The difference-equation

Conclusions
This paper proposed constructing image ciphers using the first-order linear difference operators along with chaotic permutations and reversible logic gates. All encryption parameters were randomly generated based on chaotic systems. A rigorous mathematical proof is given to show the robustness of the proposed difference-equation scheme against chosen-plaintext attacks. Indeed, breaking the proposed cipher requires the solution of an inverse problem, which is extremely difficult to do with chosen-plaintext attacks. Also, the proposed cipher is shown to be highly effective in comparison with other state-of-the-art methods. Our method is also robust against statistical and differential attacks. Furthermore, our work may be extended in many directions, such as utilizing higher-order linear and nonlinear difference operators. We may also incorporate orthogonal transforms into the cipher, and these transforms may be of different generalized types (such as the randomized, multiparameter or fractional transforms). Moreover, the proposed randomized encryption algorithm can be adapted and realized by digital circuits [15]. Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecomm ons.org/licenses/by/4.0/. for 1 ≤ k ≤ N − 1. Let us now denote the even entries of ξ, α, andβ by ξ 2k , α 2k , andβ 2k . Also, denote the odd entries of ξ, α, andβ by ξ 2k+1 , α 2k+1 , andβ 2k+1 for k = 0, · · · , N − 1. Consider j = 3 and k = 1, 3, · · · , N − 1 in the following equations: The even entries of ξ in (36 and 37), ξ k−1 = ξ k+1 = 0, and the odd entries of ξ , ξ k = 1. Therefore, the odd entries of α, α k , and the even entries of β, β k+1 in (36 and 37) can be obtained as α k = r (3) k − γ k and β k+1 = r (3) k+1 − γ k+1 . By a similar way, consider j = 4 and k = 1, 3, · · · , N − 1 in the following equations: r (4) k+1 = α k+1 ξ (4) k+1 + β k+1 ξ (4) k + γ k+1 .