1 Introduction

Technological developments and the increasing prevalence of internet and mobile devices have resulted in SNSs (Social Network Services) being used all over the world and producing significant amounts of digital content. Images and videos are the content types that are the most familiar to users, and they can be used to deliver information effectively. However, such contents can infringe on the privacy of individuals because they may contain private information that can be used to identify individuals, from the contents themselves or via advanced image processing technologies such as face recognition and machine learning. From a privacy viewpoint, the dangers inherent in the characteristics of digital contents, such as ease of modification, fabrication, and distribution, can result in the privacy infringement situation being exacerbated. Consequently, studies are actively investigating methods for preventing forgeries and protecting privacy and copyrights through proper cryptographic approaches such as encryption and DRM (Digital Rights Management).

Naturally, the simplest image encryption method [6, 7, 24, 28] is to encrypt images by only conducting XOR with a plain image and secret key sequences. Unfortunately, these algorithms are vulnerable to chosen-plaintext attacks [1, 23]. Consequently, many other encryption schemes that are not susceptible to this type of attack have been proposed [3, 5, 12, 13, 21].

Recently, double image encryption schemes [14, 15, 1719, 30] have attracted research attention. These schemes can improve robustness because they perform encryption using two original images. However, simply evaluating the randomness of a cipher image is not sufficient to guarantee a scheme’s security.

Many image encryption schemes using traditional symmetric cryptography, such as AES (Advanced Encryption Standard) and DES (Data Encryption Standard) [2, 29], as well as asymmetric cryptography, such as RSA and ECC [10, 32], have been proposed to prevent forgery and safeguard privacy. However, the direct use of conventional cryptographic algorithms is fraught with difficulties because they were designed to encrypt text data transmission. In contrast to text data transmission, in the image encryption field, however, fast and real-time interaction between the camera and the storage is required. Consequently, many studies have proposed specialized image encryption techniques [4, 8, 22].

Chaotic map-based image encryption methods are widely used as a mathematical tool to provide secret key sequences from simple equations. A chaotic map such as the Arnold cat map and generalized cat map are usually used to realize the diffusion property [4, 9]. Furthermore, as most image encryption schemes aim to increase randomness and reduce time complexity, chaotic map-based image encryption schemes generate more randomness and lower time complexity than conventional encryption schemes.

The performance of these schemes can be evaluated via statistical analysis and time complexity. Statistical analysis, which is generally used to evaluate randomness, can be performed on the histogram and entropy of encrypted images and the correlation coefficients between a cipher image and its original image. Further, NPCR (Number of Pixels Change Rate) and UACI (Unified Average Changing Intensity), proposed by Wu et al. [27], can be used to evaluate the randomness of image encryption. Most of the schemes previously proposed are unable to satisfy either NPCR or UACI. Some schemes, such as [16, 26, 31, 33], are able to satisfy either or both of the tests. Even if most of the schemes exhibit high performance on NPCR and UACI, they also exhibit high time complexity.

In this paper, we propose a new ARX (Addition, Rotation, and XOR) model-based image encryption scheme. Our proposed scheme performs encryption and decryption using only addition, rotation, and XOR. To satisfy Shannon’s properties, it performs confusion and diffusion processes generated via addition operations, in contrast to earlier schemes [4, 9] that use cat maps for permutation processes. The results of evaluations conducted of the proposed scheme on key space analysis, statistical analysis, sensitivity, and time complexity show that it has outstanding performance for statistical analysis and time complexity. In addition, the results of comparisons with Wang’s algorithm and Yang’s algorithm indicate that in terms of time complexity, it is about ten times more efficient than Yang’s algorithm, which is the fastest algorithm to date.

The remainder of this paper is organized as follows:

We discuss logistic maps and LEA encryption algorithms that utilize ARX in Section 2. Section 3 presents our proposed ARX model-based image encryption scheme. In Section 4 we evaluate and compare the proposed scheme to other schemes. Finally, we present our conclusions in Section 5.

2 Preliminaries

2.1 Logistic map

The logistic map proposed by May [20] in 1976 is a chaotic map with a chaos feature. The chaos feature means that a small difference in initial conditions has a significant effect on the result. The proposed map is defined by (1).

$$\begin{array}{@{}rcl@{}} X_{t+1}= \mu X_{t} (1-X_{t} ) \end{array} $$
(1)

The logistic map is defined by (1) for 0<X 0<1 and 0<μ≤4. However, the chaotic feature can be observed when 3.56<μ≤4 because a logistic map has a fractal structure.

Figure 1b shows the structure of the map for μ=4. Following the proposal of the first cipher using a chaos map in the 1990s, they have since been actively studied. This has resulted in logistic maps, which are a type of chaos map, being used extensively in the image encryption field, owing to its simple equation.

Fig. 1
figure 1

The logistic function: a function graph, b bifurcation diagram

Full size image

2.2 LEA: a lightweight 128-bit block cipher

LEA, proposed by Hong et al. [11], is a lightweight block cipher that can utilize a 128-bit, 192-bit, or 256-bit key. LEA carries out encryption and decryption at a higher speed than traditional block ciphers because it uses simpler operations. It employs only three types of operations: modular Addition, bitwise Rotation, and bitwise XOR (ARX). LEA’s en/decryption speed is faster than that of AES in both software and hardware environments. Furthermore, its performance is optimized on 32-bit and 64-bit processors. Table 1 shows the LEA encryption algorithm.

Table 1 LEA encryption algorithm
Full size table

To encrypt plain data, LEA starts key expansion from the k e y S c h e d u l e function and iteration of the R o u n d function. The k e y S c h e d u l e function generates 192-bit round keys from secret key K. Then, it encrypts plaintext X i to ciphertext X i+1 using round keys R K i and round function R o u n d(X i ,R K i ) which consists of ARX operations. Fast en/decryption is enabled by the R o u n d function, which comprises a simple combination of ARX operations. Table 2 outlines the procedure used by the LEA R o u n d function.

Table 2 A round function of LEA
Full size table

Notation 1

Addition ( \(x \; \boxplus \; y\)): An operation defined as IntToBit ((BitToInt(x) + BitToInt(y) ) mod 232) for 32-bit array x and y.

  • 1 BitToInt (x) : A function that returns an integer n=x 0⋅20 +x 1 ⋅2 1 +⋯+x 31⋅231 for 32-bit binary stream x=x 31 ||x 30 ||⋯||x 0.

  • 2 IntToBit (n) : A function that returns a 32-bit binary stream x=x 31 ||x 30 ||⋯||x 0 for an integer n=x 0 ⋅ 20 +x 1 ⋅ 21 + ⋯ + x 31 ⋅ 231.

Notation 2

Rotation (ROR n (x) or ROL n (x)) : Used for 32-bit bitstream x, n-bit right or left rotation.

Notation 3

XOR (x ⊕ y ) : An exclusive OR for two bitstreams x and y that have the same length.

3 Proposed encryption

In this section, we propose an ARX (modular Addition, bitwise Rotation, and eXclusive OR)-based image encryption scheme. A combination of S-Box and chaotic map is commonly used to satisfy Shannon’s confusion and diffusion properties in the image encryption field. AES and DES, which are used to be the most common techniques, have proved the security of S-Box in previous years. Further, these two algorithms are designed to perform on lightweight devices. Consequently, the S-Box of these algorithms can be designed with six bits or eight bits. The S-Box of AES is different from that of DES, which has not been proved mathematically, and can be used in the image encryption and various other fields because it has been mathematically proved to be nonlinear. However, most applications implement S-Box in the form of a lookup table, in which case a large memory space is required for storing its values. The amount of memory required can be calculated using (2).

$$ row \times column \times bits \times sboxes $$
(2)

Eq. (2) gives the amount of memory needed to store the respective S-Box of AES and DES as 512 bytes and 256 bytes, respectively. The S-Box of AES can be implemented without a lookup table, but such a scenario results in high computational complexity because the Galois field has to be calculated. We propose an ARX model-based image encryption algorithm that is both appropriate for lightweight devices and overcomes these disadvantages. The proposed algorithm also consists of confusion and diffusion processes. The main property of the proposed algorithm is that, unlike existing S-Box implementations, no substitution process is used. Instead of substitution, the proposed algorithm employs Addition, Rotation, and XOR for its encryption logic (Fig. 2).

Fig. 2
figure 2

The entire concept of ARX based image encryption

Full size image

The encryption process in the proposed scheme comprises three phases: XOR phase, Round phase, and Rotation phase. The XOR and Rotation phases are used to satisfy the confusion property, while the Round phase is used to satisfy the diffusion property. In the confusion process, two key sequences are calculated via two logistic maps using two key pairs. The decryption process is the inverse of the encryption process.

3.1 Confusion process

In the confusion process, several bits of ciphertext are changed whenever a bit of a key is changed in order for the process to satisfy Shannon’s confusion property. In the proposed algorithm’s confusion process, the parameters of the logistic maps are the secret keys \(\mu , x_{0}, \mu ^{\prime }\; and\; x^{\prime }_{0}\)) and they confuse the entire cipherimage via the XOR and Rotation phases. To encrypt the image pixels as a unit, two random sequences generated by the logistic maps are divided by eight bits. One of the sequences is the addition operation parameter, and the other uses only three bits for the rotation operation parameter. Two logistic maps are calculated independently in the XOR and Rotation phases of our scheme. They help to reduce the memory space required to save the secret information, thereby generating a sequence using secret keys. The logistic map can be represented by (3):

$$\begin{array}{@{}rcl@{}} x_{n+1}= \mu x_{n} (1-x_{n} ) \end{array} $$
(3)

where μ is a control parameter of the logistic map and the initial value x 0 of the random variable is in the range (0<x 0<1). x 1 to x n is a chaotic sequence with a pattern determined by μ and x 0.

3.2 Diffusion process

Shannon’s diffusion property specifies that the corresponding cipher text should have a completely different value each time the plaintext is changed by one bit. The proposed algorithm performs the diffusion process as an accepting Addition calculation. This addition operation is calculated using the previous plaintext value and the IV (Initial Vector). The addition process by which IV is updated is defined by (4):

$$\begin{array}{@{}rcl@{}} IV_{n+1} = IV_{n} \oplus P_{n} \end{array} $$
(4)

Each bit of the original image has an effect on the next cipher image in that the default value is configured to IV in the first round of the proposed encryption technique. From the second round, one bit of the original image has an effect on the overall cipher image because IV accumulates all the pixel values of original image at the first round.

3.3 Encryption

The overall encryption process combines confusion logic and diffusion logic in pixel units using two secret key pairs(\(\mu ,x_{0},\mu ^{\prime },x^{\prime }_{0}\)). In the initialization process, the plain image and chaotic value are calculated using secret key μ,x 0 is calculated via the first logistic map, such as (5), and eight bits are cut from the generated chaotic sequence and used as the chaotic value.

$$\begin{array}{@{}rcl@{}} x_{n+1} &=& \mu x_{n} (1-x_{n} ) \\ C_{m} &=& P_{m} \oplus truncate_{8} (x_{n+1} ) \end{array} $$
(5)

In (5), n is the iterator of the chaotic map and is in the range 0≤n<T, where T is the number of pixels in the original image. In the next process, the diffusion property is satisfied by performing calculations on the surrounding pixels and addition of the plaintext. The diffusion rate is up to the number of encryption rounds in the R o u n d function defined below (Table 3).

Table 3 Round process of proposed scheme
Full size table

The R o u n d function consists of addition and the XOR operations for the diffusion property. Diffusion through addition is performed using (6) in the R o u n d function. As given in (6), IV is influenced by the chaotic value and pixel of the previous plain image. In (6), \(\boxplus \) represents modular addition. In the proposed scheme, the modular addition is calculated on the modulus 28 because the grayscale pixel is expressed as eight bits.

$$\begin{array}{@{}rcl@{}} IV_{n+1} &=& IV_{n} \oplus C_{m+1} \\ C_{m} &=& C_{m} \boxplus IV_{n} \end{array} $$
(6)

Another property of our scheme is that the R o u n d function iterates only the process of (6). As a result of these properties, the proposed algorithm can be implemented in three types of processes. Further, it is possible to construct a pipeline when it is implemented in hardware.

$$\begin{array}{@{}rcl@{}} x_{n+1} &=& x^{\prime}_{n} r^{\prime} (1-x^{\prime}_{n} )\\ k &=& truncate_{3}(x_{n+1})\\ C_{m} &=&Rotate_{k} (C_{m}) \end{array} $$
(7)

Rotation of C i , which is performed after the last execution of the R o u n d function, is calculated using the chaotic sequence made by the second key pair \(\mu ^{\prime },x^{\prime }_{0}\) and the logistic map. Rotation calculation on a pixel is meaningless when performed only once because the bit order is not mixed or changed. The truncate function generates a rotation key by cutting three bits from the chaotic sequence, generating eight bits each time. In other words, the result of the Rotation calculation has virtually no effect on randomness in terms of histogram analysis because the Rotation calculation can have only one result among the resulting values of the eight units made by moving the eight unit bits (Table 4).

Table 4 Encryption algorithm of proposed scheme
Full size table

The encryption process comprises the following steps:

  1. Step 1.

    Initialize the parameters (μ, x 0, μ , \(x^{\prime }_{0}\)) for two logistic maps and select the IV randomly.

  2. Step 2.

    Generate the first chaotic sequence(x a) using (3) with x 0 and μ;.

  3. Step 3.

    Calculate the XOR of the chaotic sequences and pixels, C m = P m x m .

  4. Step 4.

    Update IV by calculating the XOR of IV and C m . I V n+1 = I V n C m .

  5. Step 5.

    Calculate the addition value of (3) and (4), \(C_{m}=IV_{n\, mod\, m}^{floor(\frac {n}{m})} \boxplus C_{m}\)

  6. Step 6.

    Generate the second chaotic sequence(x b) by using \(x^{\prime }_{0}\), μ in (3)

  7. Step 7.

    Perform rotation using the second chaotic sequence, \( C_{m} = Rotate_{{x^{b}_{m}}} (C_{m} )\)

In the steps above, m signifies the pixel position in each round and IV is not dependent on the round, so it has the range 0<n<T×r o u n d s where T is the total number of original image pixels. Figure 3 shows the encryption process logic in detail. The keys are obtained from the logistics maps, which are two chaotic maps. For addition calculation, we use the chain of IV accumulating pixels in the original image. As depicted in Fig. 3, the rounds of chaining blocks are iterated through addition calculation to increase the diffusion effect of the proposed technique.

Fig. 3
figure 3

Encryption process of the proposed scheme

Full size image

3.4 Simulated result

The proposed encryption/decryption algorithm was implemented using Xcode on a computer with the following system configuration: 2.4 GHz CPU, 4 GB RAM, 500 GB HDD, Mac OS X Yosemite. We used the 512×512 Lena grayscale image and \(x_{0}=0.02,\mu =3.923,x^{\prime }_{0}=0.005\) and μ =3.955 as the secret key in the encryption/decryption performance evaluation.

4 Security analysis

In this section, we discuss the evaluation conducted of our scheme in terms of key space, statistical analysis, sensitivity, and time complexity. For statistical analysis, we evaluated histogram, correlation, and entropy. To analyze sensitivity, the performances of NPCR and UACI were estimated using (11) and (13). Subsequently, we compared the results with those of Wang’s algorithm and Yang’s algorithm.

4.1 Key space analysis

The key space needs to be sufficiently large to overcome brute force attack. In cryptography, a computational complexity above 128 bits is considered sufficiently secure. In this section, we analyze whether the key space of the proposed scheme is above 128 bits. The keys in our proposed encryption algorithm consist of two pairs of x 0 and r from the logistic map. More specifically, x 0, \(x^{\prime }_{0}\), μ and μ are used for our proposed encryption process. Each parameter can be 10-bits, 23-bits, 52-bits, or 112-bits according to the floating-point precision standards of [25]. Therefore, our proposed encryption satisfies the security criteria from a cryptographic perspective because the key length of our scheme can support up to 448-bits.

4.2 Statistical analysis

We performed statistical security analysis of the proposed encryption with three analyses: histogram, correlation, entropy. In the histogram analysis, we evaluated the fairness of color distribution. To estimate the relationship between the original image and the encrypted image, we calculated their correlation coefficient for three directional features. In the final statistical analysis, we proved the randomness of the proposed encryption through Shannon’s entropy.

4.2.1 Histogram analysis

We used the Lena 512×512 grayscale image as a sample image in our histogram analysis. First, we evaluated the color distribution of the diffusion process. Figure 4 depicts the addition feature, which is a key operation of the diffusion process. As can be seen, the addition gradually hides the original image. In other words, the addition has no periodic feature, unlike the Arnold cat map. Figure 5 shows the variances in the addition histogram. In the case of addition at the first round, the distribution is similar to that of the original image. However, as the rounds progress, the distribution becomes straighter. As shown in Fig. 5, the most uniform distribution occurs after five rounds.

Fig. 4
figure 4

The feature of addition operation: a Original image, b 1-round addition, c 2-rounds addition, d 3-rounds addition, e 4-rounds addition, f 5-rounds addition, g 6-rounds addition

Full size image
Fig. 5
figure 5

Histograms of original and addition-operated images: a Original image, b 1-round addition, c 2-rounds addition, d 3-rounds addition, e 4-rounds addition, f 5-rounds addition

Full size image

The histogram in Fig. 6 shows the results of encryption and decryption. The original and decrypted images are shown as fractal graphs, which provide substantial information about the images. In contrast, the histogram of the encrypted image is uniformly distributed. Thus, our proposed encryption is sufficiently secure in terms of histogram analysis.

Fig. 6
figure 6

Encryption and decryption results: a original image, b cipher image, c decrypted image, d histogram of original image, e histogram of histogram of cipher image

Full size image

4.2.2 Correlation analysis

In order to evaluate the correlation, we calculated the correlation coefficients of the original image and the cipher image for the horizontal, vertical, and diagonal directions. For the correlation coefficients, we randomly chose a thousand pixels and then computed the correlation coefficients between a chosen pixel and its adjacent pixel from the original image and the encrypted image for the horizontal, vertical, and diagonal directions, respectively. Figure 7 presents the correlations between the original image and cipher image for the horizontal, vertical, and diagonal directions. In Fig. 7, it is clear that the pixels of the original image have a high dependency in all directions. Conversely, the cipher image shows negligible correlation features in all directions.

Fig. 7
figure 7

Correlations: a horizontal correlation of original image, b horizontal correlation of cipher image, c vertical correlation of original image, d vertical correlation of cipher image, e diagonal correlation of original image, f diagonal correlation of cipher image

Full size image

For numerical analysis of correlation, we calculated the correlation coefficients for three directions of the original and encrypted images using (8).

$$\begin{array}{@{}rcl@{}} r_{xy} = \frac{cov(x,y)}{\sqrt{D(x)}\sqrt{D(y)}} \end{array} $$
(8)

where c o v(x,y) and D(x) can be calculated using (9)

$$\begin{array}{@{}rcl@{}} cov(x,y)&=&\frac{1}{N}\sum\limits_{i=1}^{N}{(x_{i} -E(x))(y_{i} - E(y))},\\ D(x)&=&\frac{1}{N}\sum\limits_{i=1}^{N}{(x_{i}- E(x))^{2}},\\ E(x)&=&\frac{1}{N}\sum\limits_{i=1}^{N}{x_{i}} \end{array} $$
(9)

In (8) and (9), x is a set of selected pixels and y is a set of adjacent pixels to x for the three directions. Assume x = p(i,j), then y becomes p(i,j+1), p(i+1,j), or p(i+1,j+1) for the horizontal, vertical, or diagonal directions, respectively. The correlation coefficients are presented in Table 5. There is high correlation in the original image, but the cipher image shows negligible correlation coefficients.

Table 5 Correlation coefficients with one round cipher image
Full size table

4.2.3 Information entropy

Information entropy is one of the key methods used to measure randomness. We calculated the entropy of the images using (10). Let p(x) be the probability of occurrence of x and N be 2b−1 where b is the bit length per pixel. A grayscale image can be 8-bit or 16-bit. In this study, all of the grayscale images used were based on 8-bit grayscale; thus, N was 255. Because the bit length per pixel was 8-bit, it is called “true random” when the entropy is eight. In other words, the algorithm grants higher randomness closer to eight.

$$\begin{array}{@{}rcl@{}} H(s) = \sum\limits_{i=1}^{N}p(s_{i})log_{2}\frac{1}{p(s_{i})} \end{array} $$
(10)

Table 6 shows the entropies of four images. The best entropy reaches up to 7.99. In addition, the entropy of the cipher image marginally depends on that of the original image. Therefore, it is similar to the ranks of the entropy between original images and cipher images. For example, the two highest entropy values both appear in the pirate image. Conversely, the two lowest entropy values are both appear in the cameraman image. Consequently, the original images with entropy values more than 7.2 are expected to have entropy values close to true randomness.

Table 6 Entropy with one round cipher image
Full size table

4.3 Sensitivity

Claude Shannon identified two properties of operation of a secure cipher: confusion and diffusion. Confusion is the relationship between the ciphertext and the key whereas diffusion is the relationship between the ciphertext and the plaintext. In other words, if a character of the key or the plaintext varies, several characters of the ciphertext will be changed. Modern cryptographic algorithms use a SP(substitution-permutation) network as the simplest approach to achieve both properties. For the typical case, the S-Box of AES is one of the popular methods. However this kind of substitution requires a large memory or high computational complexity.

To overcome this drawback, we adopted the ARX model to achieve both confusion and diffusion. The ARX model consists of addition, rotation, and XOR, which are very efficient in both software and hardware implementation. In order to show that our scheme satisfies Shannon’s properties, we evaluated NPCR and UACI using (11) and (13).

NPCR signifies the number of pixels from the original image that have changed in the cipher image. In other words, if we assume that a plain image is 512×512 pixels, then the total number of pixels will be 218. If ten percent of the pixels are changed then NPCR would be 0.1. For confusion and diffusion tests, we compared NPCR and UACI with cipher images encrypted with 1-bit difference keys and 1-bit difference plain images.

$$\begin{array}{@{}rcl@{}} NPCR=\frac{{\sum}_{j=1}^{H}{{\sum}_{i=1}^{W}{D(i,j)}}}{WH}\times 100~\% \end{array} $$
(11)

Let W be width and H be height and D be a function. The function D returns one when c 1(i,j) and c 2(i,j) are the same values, otherwise it returns zero.

$$\begin{array}{@{}rcl@{}} D(i,j) = \left\{ \begin{array}{rcl} 1 & \text{if} & c_{1}(i,j) \neq c_{2}(i,j) \\ 0 & \text{if} & c_{1}(i,j) \equiv c_{2}(i,j) \end{array}\right. \end{array} $$
(12)

UACI signifies the number of pixels that vary from the original image. For instance, if we assume that the total average number of pixels in the original image is 100. After encryption, if the total average number of pixels of the cipher image is 130, then the UACI test gives a value of 30. P in (13) denotes the value for the number of pixels. For example, there are 255 possible values in an 8-bit grayscale image. Therefore, P becomes 255 in 8-bit grayscale images.

$$\begin{array}{@{}rcl@{}} UACI= \sum\limits_{j=1}^{H}{\sum\limits_{i=1}^{W}{\frac{|c_{1}(i,j)-c_{2}(i,j)|}{P\times WH}}} \times 100~ \% \end{array} $$
(13)

Increasing the values of NPCR and UACI practically means that the algorithm has more secure features against differential attack. Tables 7 and 8 show the results of NPCR and UACI, respectively, for the intermediate image in each round from the first round to the seventh round. As Tables 7 and 8 show, our proposed scheme provides reasonable values for NPCR and UACI from the first round and the values remain unaffected as the number of rounds increases.

Table 7 NPCR performance of the four images
Full size table
Table 8 UACI performance of the four images
Full size table

4.3.1 Key sensitivity

To evaluate the key sensitivity, we encrypted the same image with two pairs of keys. The key pair consisted of x, x , μ and μ . We encrypted the grayscale Lena image with (3.923,3.955,4.94e–324,0.005) and (3.923,3.955,9.88e–324,0.005). The values 4.94e–324 and 9.88e–324 are different by only one bit in double precision; they are 0×1 and 0×2 in hexadecimal, respectively. Figure 8 shows the variance of the cipher image from a few different key pairs. In addition, it can be seen that the encrypted image also has a virtually uniform distribution. Therefore, our proposed encryption satisfies the confusion property.

Fig. 8
figure 8

Key sensitivity from 1-bit different key: a encrypted image with 4.94e–324, b encrypted image with 9.88e–324, c histogram of (a), d histogram of (b)

Full size image

4.3.2 Plain image sensitivity

To evaluate the influence of the plain image, we encrypted four images of size 512×512 pixels with an arbitrary pixel added. The modified images gave similar NPCR and UACI performances to those of original images, as shown in Tables 7 and 8, the NPCR and UACI performance of original images. The results indicate that our proposed encryption is sensitive to the plain image. This feature is important for defense against differential attacks.

4.4 Time complexity

Encryption speed is a very important feature of image encryption. In particular, in order to satisfy the requirement of the real-time feature in the area of image encryption, lightweight computation is needed because image data requires more computation then text data. Therefore, we measured the encryption and decryption time complexity of the proposed encryption. Table 9 shows the time complexity from round one to round six. As the number of rounds increased, the time complexity linearly increased by approximately 0.7 ms.

Table 9 Encryption and decryption speed with increased number of rounds
Full size table

4.5 Linear and differential cryptanalysis

Linear cryptanalysis is used to obtain information about a key by finding the XOR of two or more plaintexts and ciphertexts. In the proposed encryption, a pixel of a cipher image can be denoted as a chaining of a plain image because IV accumulates the pixels of the original image. Moreover, although two or more pairs of plain images and cipher images are used to acquire key information, it is very difficult because all pixels in a cipher image are calculated by addition of accumulative IV. Even if a combination of two or more keys could be revealed, it is close to impossible because a logistics map is a forward problem algorithm. In other words, calculating a key from a combination of keys is based on the difficulty of the inverse of the logistic map.

Differential cryptanalysis is an analysis scheme that uses the distance between two ciphertexts. For this cryptanalysis, let a white image and a black image be denoted as X and X , respectively, and let the differential value of the white image and black image be ΔX = XX , where ΔY is the differential value of these cipher images. Assume that in the first round of our proposed scheme, each pixel can be XORed twice, one addition and one rotation. The first XOR operation is performed with the original image and a chaos sequence from the logistics map, for the i-th pixel probability to obtain ΔY i from ΔX i is approximately \(2^{8-Pr[CS_{n} | CS_{n} =CS_{n+1}]}\), where CS denotes the chaotic sequence. The second XOR operation updates IV with the current pixel, and then an addition operation is performed with the current pixel and the updated IV, where P rXY] is 2−8 and the probability of obtaining ΔY i from ΔX i becomes \(\frac {1}{8}\) because the final rotation also has an n-bit probability. Consequently, the proposed encryption has the same differential safety as the logistic map.

4.6 Comparison

In this section, we compare our proposed scheme with Wang’s algorithm and Yang’s algorithm in terms of correlation, NPCR, UACI, and time complexity. Table 10 shows the results obtained. As can be seen, the proposed algorithm has good values for correlation coefficients, Shannon’s entropy, and time complexity. In general, correlation coefficients in the range above 0.1 and less than −0.1 signify that two images have a positive or negative relationship. A correlation coefficient in the range −0.1<r<0.1 signifies that no relationship exists between two images. As can be seen in Table 10, the proposed scheme has no relationship in three directions. In terms of time complexity, our scheme is ten times better than that of Yang’s algorithm.

Table 10 Comparisons in terms of entropy, NPCR, UACI and time complexity
Full size table

5 Conclusion and future works

In this paper, we proposed a new chaotic image encryption scheme based on the ARX model. The proposed scheme consists of the confusion and diffusion processes typical of chaotic image encryption schemes. In the proposed scheme, several sub-keys are derived from logistic maps with two given key pairs, which results in a bit of the given keys influencing all the bits of the cipher image. Consequently, our proposed scheme satisfies Shannon’s confusion property. Further, to satisfy the diffusion property, all pixels in the cipher image are calculated by addition with accumulative IV. In the first round, a bit of the plain image influences the position of the next bits. After the second round, the bit is extended to the entire cipher image as a result of the accumulative feature of IV. The main feature of the proposed scheme is use of addition instead of cat map or S-Box for the diffusion process. Consequently, the encryption and decryption speeds are approximately ten times better than those of Yang’s algorithms, the fastest known algorithm. In addition, the combination of XOR, addition, and rotation provides very good entropy values in the three directions. Even though the NPCR and UACI performances are poorer than those of Wang’s algorithm, our proposed scheme is secure against linear and differential cryptanalysis. Through various analyses, we showed that the proposed ARX-based chaotic image encryption scheme has secure and good features via various analyses. In particular, our proposed scheme has a time complexity that is around ten times better than that of other schemes. Therefore, we expect that our scheme can be very useful for real-time applications.