An extendable key space integer image-cipher using 4-bit piece-wise linear cat map

This paper presents a multiplierless image-cipher, with extendable 2048-bit key-space, based on a 4-dimensional (4D) quantized piece-wise linear cat map (PWLCM). The quantized PWLCM exhibits limit-cycles of 4-bit encoded integers with periods greater than 107. The synthesis of the PWLCM in a finite state space allows to eliminate the undesirable finite precision effect due to the hardware realization. The proposed image-cipher combines chaos, modular arithmetic, and lattice-based cryptography to encrypt a color image by performing pixel permutation and diffusion in a single operation. Further, an image-dependent confusion operation based on an 8-bit 2D-PWLCM is performed on the whole image to enhance security. In order to increase the key-space without key duplication, 16 × 16 sub-images are modified using sub-keys of different lattice length vectors generated from the external key. Both simulations and security analyses confirm that the proposed algorithm can resist common cipher attacks, in addition to its advantages such as simplicity, ease of implementation on low-end processors and extensibility of key-space that allows it to easily adapt even for future post-quantum computing attacks.


Introduction
The rapid development of digital image transmission over wireless communication media has increased the concern of data security, leading to the demand for image cipher. There exist several techniques for securing data, including steganography, watermarking, and data encryption [2,25]. The steganography technique conceals the message data; hence it requires more communication bandwidth over a computer network, whereas the cryptography technique transforms the message data, needing approximately the same bandwidth as message data. Thus, encryption is the preferable and mature technology used in applications used in data encryption in the confusion step. Apart from the ACM, the combination of the Henon and Arnold cat maps was used in designing an image cipher [11]. Although the algorithm performed well, it has nevertheless been observed that the periodicity of restoring the original image is too short, leading to security issues. More recently, an encryption scheme based on continuous phase space of a generalized Arnold cat map was reported [20]. In [43], the 2D ACM was combined with an affine cipher to enhance the security level of the cipher. In all of these algorithms, the ACM is used in its continuous phase space version, and the precision of the generated obits is chosen as large as possible (32-bit, for example) to avoid short limit-cycles due to the quantization process. The quantized ACM (QACM) has been widely studied in the literature, and the relationship between its period and the number of encoding bits has been determined [6,7,27].
The period of the QACM is an important parameter that can induce security issues when using it in cryptography. It is known that the period of the QACM does not exceed 3m, m ∈ N >1 being the modulo value. This limitation justifies the use of continuous phase space ACM (m = 1) compared to QACM in many cryptographic applications. As a solution, some researchers investigated the impact of the dimensionality and the control parameters on the period of the system. The investigation showed that the period does not significantly increase with the increase in dimension [16], where the conventional 2D Arnold's cat map was altered to a 3D map by introducing six control parameters. The obtained map allows for improvement, but the period distribution and its impact on the system dynamics are not evaluated. Due to the finite computer precision, chaotic sequences are transformed into periodic ones. Further, the output of the 3D map was perturbed to mitigate such degradation of chaotic sequences without investigating the impact of the perturbation on randomness.
The present paper proposes a multiplierless 2048-bit key secure cipher based on the quantized piece-wise linear cat map (PWLCM) obtained by perturbing the conventional QACM [11]. We aim to directly generate randomly distributed integers with the desired precision using the PWLCM. The proposed algorithm combines chaos, modular arithmetic, and lattice-based cryptography [3,8,35]. The latter allows to easily extend the external key length without duplication. Such a property is required as lattice-based ciphers are assumed to resist future attacks in the era of post-quantum computing [3,17,28,35]. For the algorithm to be implemented even with low-end processors, we consider only 4-bit precision random numbers generated from a 4D PWLCM for performing the confusion and diffusion operations. We investigate the period of the generated random integers and their randomness to prove the high-security level of our cipher. In the proposed scheme, pixel positions and values are modified in a single operation within blocks of size 16 × 16 pixels with a 2D PWLCM before confusing the whole image. It helps to enhance the speed performance. During the confusion-diffusion operation, each 16 × 16 sub-image is modified using a different subkey corresponding to a combination of κ-length vectors (κ-dimensional lattice), κ ∈ N ≥1 [28].
The key contributions of the current work are as follows: 1. A novel integer arithmetic multiplierless 2048-bit key image cipher combining chaos, modular arithmetic and lattice-based cryptography is proposed that uses a combination of 4-bit and 8-bit modular addition and subtraction operations only; 2. An extensible key management technique combining modular arithmetic and lattices is presented; 3. A 4-bit 2D and 4D PWLCM is proposed to generate large period pseudorandom sequences; 4. A performance analysis for different attacks is presented.
The rest of the paper is organized as follows: Section 2 presents a brief recalling of ACM and the definition of the PWLCM; Section 3 presents the proposed cipher; Section 4 presents the security analysis of the proposed encryption scheme, and conclusions are given in Section 5.

Brief recall on 2D PWLCM
Arnold's cat map is basically a 2D chaotic map of repeated folding and stretching in a limited area. It has been popularly used in multimedia chaotic encryption [5]. The 2D ACM is modeled as [23]: which can be rewritten using matrix representation as , and x = (x, y) T ; (·) T is the transpose of (·). The above map is a discrete time system and is continuous in the phase space for (x, y) ∈ [0, 1) 2 and m = 1. The QACM is obtained for (x, y) ∈ [0, m) 2 with m ∈ N >1 . The QACM is periodic and its period depends on m and the parity of both α and β. It is shown that for α = β = 1 and m = 2 n , the period n behaves like [4,10] n = 2 · n−1 , n > 2 with 1 = 2 = 3 for the minimal period. The period of the QACM can be computed using (3) and it is too short. As an example, for an 8-bit encoded phase space values, the period is 8 = 192. In order to increase the period of QACM, we proposed the PWLCM by introducing a nonlinear perturbation term to the conventional QACM, as shown below [9]: where the perturbation x c (t) is defined as with (i, j ) ∈ N. In (4), c i and d j are two natural numbers such that 0 ≤ c i < m + a i and 0 The parameters a i , b j , c i and d j are defined as perturbation parameters that can also be used as control parameters, while a = (a i ), b = (b j ), c = (c i ) and d = (d j ) are control vectors. We showed in [9] that the system in (5) can be put in the form with α = M + α, β = N + β and C(t) = C 1 (t), C 2 (t) T such that where ε i = a i +y(t) is the Heaviside function defined as We verified that the PWLCM is a conservative system that exhibit large periods [9]. In order to use it both for image scrambling and diffusion, we suggest its 4D modelling.

The proposed 4D PWLCM
The above 2D PWLCM can be easily extended to a 4D PWLCM by coupling two 2D PWLCM x = (x, y) T and z = (q, r) T such that: where (α, β, γ , ζ ) ∈ N 4 . F 1 (y, t), F 2 (y, t), F 3 (y, t) and F 4 (y, t) are the coupling nonlinear terms, defined as The 4D PWLCM defined in (10) is invertible and the corresponding inverse system is

Stability analysis
In order to investigate the stability of the 4D PWLCM, we evaluated its Jacobian matrix. By using the same expansion as in (5)-(9), the system can be rewritten as in (6) with and From the above equations, we deduce the Jacobian matrix as where , PWLCM thus defined is conservative as det(J ) = 1, which implies that the sum of the four corresponding Lyapunov exponents is equal to 0. While computing the eigenvalues of J , we found 1 = 2 = 1, the other eigenvalues are and The Lyapunov exponents corresponding to 1,2 are equal to zero. The sum of the Lyapunov exponents being zero implies that 3 > 1 (corresponding to a positive Lyapunov exponent) and 0 < 4 < 1 (corresponding to a positive Lyapunov exponent). The steady state of the system depends on the perturbing parameter and remains difficult to formally determine. Figure 1 presents the behavior of the largest Lyapunov exponent for arbitrary parameter setting and various initial conditions (x 0 , y 0 , q 0 , r 0 ). We fixed q 0 = r 0 = 1 and set  Figure 1(b) depicts the Lyapunov exponent in terms of the control vector a represented as parameter a r , with 3,1), and h = (3, 5, 1). These plots show that the largest Lyapunov exponent remains positive for the chosen initial conditions and control parameters.

Period and randomness evaluation of the PWLCM
Similar to the QACM, the proposed 4D PWLCM is chaotic while used in a continuous phase space (m = 1). As we are interested in using it in a finite state phase space (m = 4 and m = 8), it is no longer chaotic but preserves the mixing properties of the corresponding chaotic systems. For it to be efficient for security applications, its period should be very large. In this subsection, we estimate the period n of the proposed 4D PWLCM for different values of the precision n and some arbitrary values of the perturbation parameters. The periods of PWLCM are compared with the QACM and tabulated in Tables 1 and 2. From the Table 1, we can observe that for any value of n, the period of the proposed PWLCM is significantly higher than that of the corresponding QACM. Table 2 shows the comparison of the 4D PWLCM and 4D QACM. It confirms that the periods of the proposed map are significantly higher than those of the QACM for any arbitrary parameter values, α = β = γ = ζ = 1, M = N = 1: In order to testify the mixing property of the 4D PWLCM, we propose to shuffle a 2 13 × 2 13 periodic image obtained by repeating sequences of 8-bit encoded unsigned integers. The image was shuffled with x and y coordinates of the 4D PWLCM. We set as initial conditions, q 0 = 1, r 0 = 2; x 0 , y 0 ∈ 0, 2 13 − 1 2 and controls parameters a 1 = 1, b 1 = 2, e 1 = 0, f 1 = 1, c 1 = 3, d 1 = 3, g 1 = 3 and h 1 = 3; the corresponding period is 148740480. The NIST800-22 statistical test was performed after 30 iterations of image scrambling with the PWLCM and the QACM. The data set was divided into 100 sets of 1000000 bits and the results obtained are summarized in Table 3. The comparison of the two results confirms that the 4D PWLCM is suitable for the image scrambling as it passes all the tests.

Proposed encryption algorithm
The proposed encryption algorithm has two stages, namely diffusion-confusion and confusion only. In the pixel diffusion-confusion stage, the pixel value of each sub-block is diffused and confused using the 4D PWLCM, whereas in the subsequent block confusion stage, each diffusion-confusion sub-block is split into sub-images that are confused using the 2D PWLCM. The proposed scheme generates the initial values and the control parameter values of 4D PWLCM from the external key, whereas the control parameters of the 2D PWLCM is derived from the external key along with the diffusion-confusion image. Thus, it is image-dependent. The detailed procedure for generating these parameters is described in Section 3.1.
The algorithmic steps of the proposed cipher are mentioned below: The block diagram of the proposed image cipher is shown in Fig. 2. The minimum number of rounds for the algorithm to be secure is R = 2. Indeed, once the image-dependent step is applied in the first round, we need to go for a second round for the image-dependent shuffling to take effect in the diffusion process, thus increasing the algorithm's sensitivity to the plain-image.

External key management
The external key is defined by using N K ASCII characters, vectors a, b, c, d, e, f, g, h whose coordinates are 4-bit encoded unsigned integers. As ASCII characters are 8-bit encoded, each character is divided into two blocks of 4 bits that are used as coordinates of each control vector. Therefore, θ = κ 2 ASCII characters are required to determine the coordinates of each control vector. In

Algorithm 1
the case of 256-bit key for example, θ = 4 and characters C 0 to C 3 are used to determine coordinates of the control vector a, C 4 to C 7 are used for b, C 8 to C 11 for c, C 12 to C 15 for d, C 16 to C 19 for e, C 20 to C 23 for f, C 24 to C 27 for g and C 28 to C 31 are used for h. In the case of a 2048-bit key, θ = 64 ASCII characters are required to determine each control vector. Therefore, a for example is defined as: c(2ξ) = a(2ξ) + C ξ +κ−1 mod 16 (19) where 1 ≤ ξ ≤ θ. The coordinates of the other control vectors d, g and h can be defined using the same approach. Thus, control vectors can be considered as belonging to an κ-D lattice.

Pixel decomposition
In step 5, individual pixel, i of sub-image S j , j ∈ N are decomposed into two 4-bit encoded integers q i and r i . For an 8-bit encoded pixel P i , q i and r i are obtained as and r i = P i mod 16

Pixel confusion-diffusion process
In step 6, the confusion and diffusion operations are combined in a single operation (confusion-diffusion). Indeed, the coordinates x i and y i , as well as the intensity coordinates q i and r i of the pixel P i are used as initial conditions of the 4D PWLCM to output new coordinates x i , y i , q i and r i using (20). As S j is a vector, there is a relationship between x i , y i and i such that and For each sub-image S j , only a single coordinate a(k), b(k), c(k), d(k), e(k), f(k), g(k), and h(k), k > 0, is used as control parameter to 4D PWLCM as given below: where k = 1 + j mod κ. The new position of the diffused pixel i is obtained after three iterations of the PWLCM as The corresponding intensity value is obtained as

Image-dependent confusion
In order to enhance the security level of the cipher and prevent chosen-plaintext attacks, an additional image-dependent confusion step is performed using the 2D PWLCM, described as where a 1 , b 1 , c 1 and d 1 are 16-length control vectors whose coordinates are 4-bit encoded values derived from the image of step 8 and the external key as: I c is the intermediate ciphered image obtained in step 8. m 1 and m 2 are defined such that with (T 1 , T 2 ) ∈ N 2 ≥1 . T 1 ×T 2 is the size of sub-images to be shuffled, m 1 ×m 2 is the number of sub-images and N L × N C is the size of the image.

Results and security analysis
The performance of the proposed encryption algorithm is analyzed by encrypting standard images like "Lena", "Baboon", "Airplane", "Peppers", of size 512 × 512 and 256 gray levels. Figure 3 respectively represents the plain-text "Lena" image, its encrypted image, and the decrypted image with the same key. All simulations are performed using MATLAB 2018b on a CPU with an Intel(R) Core (TM) i5-8250u CPU @ 1.60 GHz and 8 GB RAM with the Windows 10 operating system. In the current simulation, a 256-bit external encryption key is set as K1 = azertyuiopqsdfgjazertyuiopqsdfg0. We also set α = β = γ = ζ = 1 to make the algorithm multiplierless.

Evaluation metrics
This subsection presents the definition of evaluation metrics used to measure the proposed cipher's strength.

Entropy measure
The Shannon entropy of the ciphered image is the primary indicator to confirm that the cipher is secure against permutation of pixels. It measures the disorder or randomness of pixels. For an 8-bit encoded image, it is determined as where 0 ≤ v i ≤ 255 are pixel values and p(v i ) the probability of v i . It is to be noted that for an 8-bit encoded image, the maximum value of the entropy is H = 8.

Correlation coefficient
The correlation coefficient is used to measure the similarity between two images A and B, and is defined as where E(·) is the expectation value; A and B are images between which the correlation coefficient needs to be evaluated. A and B represent the mean value of images A and B respectively. Similarly, σ A and σ B represent the standard deviation of image A and B respectively. In general, for any plain-text image there exists high correlation between adjacent pixels, whereas in the ciphered image it should be close to 0.

NPCR and UACI measures
The number of changing pixel rate (NP CR) and unified averaged changed intensity (UACI ) of an image are the commonly used parameters to measure the change in encrypted pixels by modifying the value of a single-pixel in the original image. These metrics are commonly used to evaluate the strength of ciphers for differential attacks. For a 256-gray level image, the NPCR and UACI between two images are defined as where and where F = 255 is the largest supported value of 256 gray level images. A high NPCR (NP CR > 99.5810) and UACI (33.3445 ≤ UACI ≤ 33.5826) [21] imply a high resistance of the cipher to differential attacks.

Key-space analysis
The key-space analysis is performed by evaluating the key-space and key sensitivity.

Key-space
Key-space is an ensemble of all possible combinations of keys that are used for encryption. A 256-bit key is known to be sufficiently large to prevent brute force attacks. One of the proposed cipher's main advantages is its key-space's extensibility. To simulate a postquantum computing attack, we extended the key to 2048 bits. Indeed, most chaos-based ciphers exhibit a large key-space with keys that cannot easily be proven to be different. However, the sensitivity of the key is verified by changing its least significant bit (LSB). However, by our approach, the key-space can be extended as desired without sacrificing the independence of the keys. This approach consists of affecting to each sub-image j a subkey (a(k), b(k), c(k), d(k), e(k), f(k), g(k), h(k)) corresponding to a map QACM k , with k = 1 + j mod κ. Each sub-image j is encrypted with a different map QACM k , such that any permutation in the set {QACM k } 1≤k≤κ affects the behaviour of the cryptogram, thus giving the possibility to extend the key-space.

Sensitivity of the key
Key sensitivity measures the sensitivity of the encryption algorithm to a small change in the key value. A high sensitivity of the key is required to prevent adaptive chosen-plaintext attacks and linear cryptanalysis. To evaluate the sensitivity of our cipher to the external key, we have encrypted the same image with two slightly different keys K1 as mentioned above and K2 = azertyuiopqsdfghazertyuiopqsdfg1. The key K2 has only one-bit change from key K1. The plain-text image is encrypted with keys K1 and K2; UACI, NPCR, and correlation coefficients between the two encrypted images are tabulated in Table 4. The NPCR and UACI values are more than the reference values, and correlation coefficients close to zero suggest that the algorithm is highly sensitive to the key. In addition, the entropy of the image encrypted with key K1 and decrypted with key K2 is computed and tabulated in the same table. The entropy close to eight demonstrates that the decryption is unsuccessful; hence, the proposed algorithm is extremely sensitive to the key. We repeated the same experiment with a 2048-bit key. We set the 2048-bit as K 1 = K1K1K1K1K1K1K1K1 and a one-bit different key K 2 as K 2 = K1K1K1K1K1K1K1K2. The sensitivity of the key was evaluated under the same conditions as for the 256-bit key and the results are tabulated in Table 4. It demonstrates that the sensitivity of the key analysis is the same as in the case of the 256-bit key. Therefore, we can conclude that the proposed cipher presents an extensible key space than can be adapted depending on the desired security level. In Fig. 4, an example of ciphering/deciphering realized with two (R = 2) rounds is presented. The plain-image is encrypted with K 1. After that, the ciphered image is successfully decrypted with K 1. However, the decryption fails with K 2, which attests to the high sensitivity of the cipher to the encryption key.
Security of the proposed cipher, although we set T 1 = T 2 = 2. Figure 5 shows the behavior of the entropy values of the RED component of the image of Lena encrypted with K1 and those of the corresponding attempt for decryption using K2. The entropy is evaluated by varying T 1 and T 2 and plotted in terms of μ 1 = log 2 (T 1 ) and μ 2 = log 2 (T 2 ) in Fig. 5.
From this figure, we observed that the sensitivity of the key depends on the choice of (T 1 , T 2 ). We verified that the system is secure to one-bit change in the external key as (μ 1 , μ 2 ) < (4, 4). The upper limit μ m = 4 of μ 1 and μ 2 corresponds to the binary logarithm of the block length of the confusion-diffusion step. We observe that the entropy decreases with an increase in T 1 or T 2 , leading to a decrease in the key sensitivity. Further, in some cases, entropy values are close to those of the plain-image entropy (H R = 7.2531). It attests to the vulnerability of the proposed scheme for these values of μ 1 and μ 2 . In the proposed method, such a sensitivity decrease is compensated by increasing the number of rounds of the algorithm.

Statistical analysis
The histogram, the correlation of adjacent pixels (ρ h : correlation coefficient between horizontal adjacent pixels; ρ v : correlation coefficient between vertical adjacent pixels; ρ d : correlation coefficient between diagonal adjacent pixels) and the information entropy of the ciphered image are evaluated for several 256 gray-scale images. Figure 6 shows the results  Fig. 4(a)) by varying number of rounds R between 1 and 10. Figure 6 suggests that the entropy is independent of the number of rounds R for R > 1, thereby attests that the minimum number of rounds required for the cipher to be secure is R = 2. Similarly, it also shows a satisfactory analysis result for the correlation of horizontally (ρ h ), vertically (ρ v ), and diagonally (ρ d ) adjacent pixels. Indeed, it can be concluded that the correlation coefficients of the three image components, i.e., RED, GREEN, and BLUE, are close to zero, independently of the number of rounds R. Thus, the proposed cipher satisfies the zero-correlation property necessary to resist statistical attacks. Figure 7 shows the histograms of two round ciphered images of Lena for the RED, GREEN, and BLUE components. It appears that the histogram of each encrypted component is fairly uniform and significantly different from that of the corresponding plain-image component. It demonstrates that deducing the secret key from the ciphertext during the known/chosen plaintext attacks is hard.

Differential attack
For the cipher to resist differential attacks, it must be sensitive to a small change (singlepixel change) in the plain-image. We evaluated the robustness of our cipher against the differential attacks by comparing the NP CR and UACI values of a two-round ciphered image of Lena to their reference values. We diagonally varied the position (x, y) of changed pixels as (k, k), with 1 ≤ k ≤ 512 by the step size of 2, and computed the corresponding NP CR and UACI for the RED, GREEN and BLUE components of the color image of Lena, and plotted in Fig. 8.  (4,4) A cipher is secure as NP CR > 99.5810 and 33.3445 ≤ UACI ≤ 33.5826 (ν = 0.01 significance level) for gray images of size 512 × 512 [21]. The result in Fig. 8 shows that our cipher is sensitive to one-pixel change for R > 1. From this figure, it appears that the proposed cipher can resist differential attacks as the NP CR and UACI remain in the good range independently of the coordinate of the pixel change. We also observed that the values of the NP CR and UACI depend on the input image. Indeed, for two different components, the NP CR values obtained from the same pixel change coordinate are different; the same observation is made for the UACI . Table 5 shows comparative values of the proposed cipher's NP CR and UACI and other recent cipher (R = 3). This comparison also confirms the effectiveness of our algorithm.

Speed performance analysis
The execution speed of the proposed cipher is evaluated using Matlab 18b in the CPU as specified above. Table 6 compares the execution speed of the proposed algorithm with other chaos-based ciphers. We used the gray-scale images of cameraman (256 × 256) and Lena (512×512) for this experiment. The average execution time, for R = 2, is about 0.4478 s for the 512 × 512 gray-scale images. Although this speed is comparable to that of Refs. [1] and [42], it remains low as compared to the one obtained in [13]. Such a low execution speed is justified by the multiple data conversion involved in the algorithm, which is not necessary   for hardware implementation. For example, the decomposition of the pixel gray-level into two 4-bit encoded integers q(t) and r(t) implies a division and a modulo operation. In the hardware implementation, these operations correspond to the four most significant bits (MSB) as the quotient q(t) and the four least significant bits (LSB) as the remainder r(t), thereby is time-saving. Similarly, the inverse of this decomposition is time costly in Matlab and corresponds to the concatenation of the two 4-bit outputs q(t + 1) and r(t + 1) in the hardware implementation. Thus, the proposed algorithm is more suitable for low-cost hardware implementation than software implementation. The overall comparison shows that the cipher in Ref. [13] is running faster in the Matlab environment than in ours; however, it requires floating-point arithmetic that is hardware costly than the 4-bit integer arithmetic used in the proposed scheme. Our algorithm offers the advantage of combining only 4bit and 8-bit integer arithmetic operations, precisely addition and subtraction. These basic operations make simpler its hardware implementation even with low-end microprocessors  The average execution time (in second) of the proposed cipher are obtained with R = 2 and K1 as encryption key without losing its security properties. Moreover, the algorithm can easily be parallelized according to its architecture shown in Fig. 2.

Conclusion
This paper proposed an extendable integer image cipher based on the combined 4-bit and 8-bit PWLCM. The cipher does not require any multiplication operation. The PWLCM is obtained by perturbing the convectional QACM and presents an extended period. The key space extensibility is achieved using different lattice length (κ) of the PWLCM control vectors. The extended key space helps to avoid key duplication. We evaluated the sensitivity of the key under 256-bit and 2048-bit key conditions and verified the high sensitivity of the key for both cases. Such flexibility for the extensibility of the key-space makes the proposed cipher a good candidate to resist brute-force attacks even under the post-quantum computing situation. The main advantages of the proposed cipher are the low number of bits involved in its hardware implementation and the extensibility of its key-space. Moreover, only unsigned integer addition and subtraction operations are used, contrary to other chaos-based ciphers that involve floating-point arithmetics, including time-consuming operations like multiplications and divisions. The statistical, differential, and key-space analysis demonstrate the robustness of the proposed cipher against known attacks. We further expect to reduce the block size while maintaining a high-security level of the cipher, simplifying its implementation with low-end processors under the limited memory space constraints.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.