This paper suggests a new fast colour image cipher to meet the increasing demand for secure online image communication applications. Unlike most other existing approaches using a permutation-substitution network, the proposed algorithm consists of only a single substitution part. The keystream sequence is generated from a 4-D hyperchaotic system, whose initial conditions are determined by both the secret key and the SHA-224 cryptographic hash value of the plain-image. Favoured by the avalanche effect of hash functions, totally different keystream sequences will be generated for different images. Consequently, desired diffusion effect can be achieved after only a single round of substitution operation, whereas at least two encryption rounds are required by the state-of-the-art permutation-substitution type image ciphers. We also demonstrate the computational efficiency of the proposed algorithm by comparing it with the AES encryption algorithm. A thorough security analysis is carried out in detail, demonstrating the satisfactory security of the proposed algorithm.

The explosive growth in the amount of image data distributed over the Internet over the past decade has raised great concern about the protection of image information against unauthorized eavesdropping. Definitely, the most straightforward way is to use a cryptographic algorithm. Unfortunately, many of the existing studies have indicated that commonly used block ciphers, such as DES and AES, are not suitable for practical image encryption. This is because the security of these algorithms depends on the complexity of the algorithms, making them difficult to meet the demand for online communications when dealing with digital images characterized by bulk data capacity. Recently, chaos-based cryptography has suggested a promising way to deal with the intractable problems of fast and highly secure image encryption. Making use of the favourable characteristics such as extreme sensitivity to initial condition(s), ergodicity and long-term unpredictability, chaotic systems have demonstrated great potential for information, especially multimedia encryption. (Fridrich,

Conventionally, three area-preserving invertible chaotic maps, i.e. the cat map (Fu

To better meet the challenge of online secure image communication, much research has been done on improving the efficiency of chaos-based image ciphers. For instance, (Xiang

Through the exploration of above schemes, one can find that all these schemes can be thought of as the extensions of the Fridrich’s approach, where the permutation and substitution stages are indispensable. In this paper, we propose a novel fast colour image encryption algorithm consisting of only a single substitution part. The keystream sequence is generated from a 4-D hyperchaotic system, whose initial conditions are determined by both the secret key and the SHA-224 cryptographic hash value of the plain-image. As is known, a cryptographic hash function is extremely sensitive to an input message and a chaotic system is extremely sensitive to initial conditions. As a result, a small change in a plain-image can be diffused to the entire cipher-image after only a single round of substitution operation, whereas at least two encryption rounds are required by the state-of-the-art permutation-substitution type image ciphers. Besides, our proposed algorithm does not suffer from the key distribution problem as the hash value is not part of the secret key.

The remainder of this paper is organized as follows. Section

The architecture of the proposed image encryption algorithm is illustrated in Fig.

Architecture of the proposed image encryption algorithm.

Generally, the diffusion operation is done from left to right and top to bottom. Consequently, we assume a worst case that two plain-images (

It’s obvious that if desired diffusion effect can be achieved with fewer number of encryption rounds, the computational efficiency will be increased. Recently, some plaintext-dependent keystream generation mechanisms have been proposed to strengthen the robustness against chosen-plaintext attack and increase the diffusion intensity. Unfortunately, these schemes can only generate different keystream elements for differential pixels. As the substitution operation can only diffuse the influence of a pixel to its succeeding ones, only some of the pixels have increased their diffusion intensity. Experimental results show that many of these schemes may take two encryption rounds to achieve desired diffusion effect. Clearly, if two totally different keystream sequences can be generated for any two different images, the desired diffusion effect will be achieved after only a single encryption round, as illustrated in Figs.

Encryption process of permutation-substitution type image cipher.

Encryption process of our proposed cipher.

As is known, good hash functions, including the SHA-224, hold the following properties. 1) Every binary digit, bit, of input message data influences the content of its hash value. That is, any change to a message will almost surely result in a different hash value. 2) It is computationally infeasible to find a message that corresponds to a given message digest, or to find two different messages that produce the same message digest. Clearly, if the initial conditions of a chaotic system depend on the hash value of the input image as well as the secret key, a slight change of the plain-image can lead to a totally different keystream sequence. Besides, as the hash value is not part of the secret key, it can be transmitted in plaintext form together with the cipher-image. Therefore, our proposed algorithm does not suffer from the key distribution problem, a serious practical drawback of one-time pads.

Moreover, as the differential or diffused pixel(s) no longer need(s) to be transferred to different positions of the original or intermediate cipher-image, the permutation part can be removed, which further decreases the computational complexity. The detailed image encryption algorithm and the SHA-224 cryptographic hash function will be discussed in the next two sections.

In the present paper, a hyperchaotic system (Li

Projections of phase portrait of system (1) with

The secret key of the proposed encryption algorithm consists of four real numbers

As can be seen from the above description, each pixel in the original image is encrypted using XOR operation. Therefore, the decryption uses the same algorithm as encryption.

As discussed above, the initial conditions of the employed hyperchaotic system are determined by both the secret key and the SHA-224 cryptographic hash value of the plain-image. In this section, the implementation of SHA-224 cryptographic hash function is briefly discussed.

SHA-224 may be used to hash a message,

The words of the message schedule are labelled

428a2f98 | 71374491 | b5c0fbcf | e9b5dba5 | 3956c25b | 59f111f1 | 923f82a4 | ab1c5ed5 |

d807aa98 | 12835b01 | 243185be | 550c7dc3 | 72be5d74 | 80deb1fe | 9bdc06a7 | c19bf174 |

e49b69c1 | efbe4786 | 0fc19dc6 | 240ca1cc | 2de92c6f | 4a7484aa | 5cb0a9dc | 76f988da |

983e5152 | a831c66d | b00327c8 | bf597fc7 | c6e00bf3 | d5a79147 | 06ca6351 | 14292967 |

27b70a85 | 2e1b2138 | 4d2c6dfc | 53380d13 | 650a7354 | 766a0abb | 81c2c92e | 92722c85 |

a2bfe8a1 | a81a664b | c24b8b70 | c76c51a3 | d192e819 | d6990624 | f40e3585 | 106aa070 |

19a4c116 | 1e376c08 | 2748774c | 34b0bcb5 | 391c0cb3 | 4ed8aa4a | 5b9cca4f | 682e6ff3 |

748f82ee | 78a5636f | 84c87814 | 8cc70208 | 90befffa | a4506ceb | bef9a3f7 | c67178f2 |

The words of the hash value are labelled

SHA-224 uses six logical functions, where each function operates on three 32-bit words, which are represented as

The detailed hash procedures are described as follows.

For

{

1. Prepare the message schedule, {

2. Initialize the eight working variables,

3. For

4. Compute the

After repeating steps one through four a total of

To evaluate the dependency of the initial conditions of the employed hyperchaotic system on input image, we first select five standard test images (512 × 512 pixels, 24-bit RGB colour) from the USC-SIPI image database. Then, we randomly choose a pixel in each test image and change its least significant bit, as illustrated in Table

Changes made to the original images.

Test image name | Colour component | Pixel position |
Pixel | value |

Original | Revised | |||

avion | blue | (294, 305) | 172 | 173 |

baboon | red | (511, 335) | 67 | 68 |

house | blue | (403, 196) | 182 | 181 |

Lena | red | (263, 67) | 102 | 103 |

peppers | blue | (159, 496) | 151 | 150 |

Numbers derived from the SHA-224 hash values of the original images and the revised ones.

In cryptography, key size or key length is the size measured in bits of the key used in a cryptographic algorithm. As is known, even if a symmetric cipher is currently unbreakable by exploiting structural weaknesses in its algorithm, it is possible to run through the entire space of keys in what is known as a brute force attack. As longer keys require exponentially more work to brute force search, the key length of an effective cryptosystem should be sufficiently long to make this line of attack impractical. Generally, cryptographic algorithms use keys with a length greater than 100 bits are considered to be “computational security” as the number of operations required to try all possible

A chosen-plaintext attack is an attack model for cryptanalysis which presumes that the attacker can obtain the ciphertexts for arbitrary plaintexts. As is known, a chosen-plaintext attack is more powerful than known-plaintext attack. This is because the attacker can directly target specific terms or patterns without having to wait for these to appear naturally, allowing faster gathering of data relevant to cryptanalysis. Therefore, any cipher that prevents chosen-plaintext attacks is also secure against known-plaintext and ciphertext-only attacks. To carry out a chosen-plaintext attack on a XOR cipher, the simplest way is to input an all-zero (black) image, and the output is exactly the same as the keystream sequence. Obviously, the proposed encryption algorithm cannot be broken in such a way, because it never reuses a keystream sequence for encrypting different images, i.e. different keystream sequences are used for encrypting different images. Differential cryptanalysis is the most powerful chosen-plaintext attack that analyses how the differences in two plaintext messages affect the differences between the corresponding ciphertexts. To do this, an opponent may firstly create two plain-images with a slight difference, and then encrypt the two images using the same secret key. If some meaningful relationship between the plain-image and cipher-image can be found by comparing the two cipher images, the secret key may be determined with the help of some other analysis methods. Obviously, this kind of cryptanalysis may become impractical if a slight change in the plain-image can be effectively diffused to the entire cipher-image, i.e. changing one bit of the plain-image affects every bit in the cipher-image.

The diffusion effect of an image cryptosystem is usually measured using two criteria, i.e.

The second criterion,

Clearly, no matter how similar the two input images are, a good image cryptosystem procedure outputs with

For instance, the

To evaluate the worst-case diffusion performance, we use the five test image pairs listed in Table

Results of

No. of cipher rounds (proposed algorithm) | No. of cipher rounds (conventional algorithm) | |||||||

Test image name | 1 | 1 | 2 | 3 | ||||

avion | 0.50649 | 0.00397 | 0.99604 | 0.33661 | ||||

baboon | 0.72392 | 0.00568 | 0.99619 | 0.33359 | ||||

house | 0.24593 | 0.01544 | 0.99625 | 0.33367 | ||||

Lena | 0.21977 | 0.00086 | 0.99532 | 0.32542 | ||||

peppers | 0.72565 | 0.00284 | 0.99594 | 0.33318 |

A good image cryptosystem should flatten the frequency distribution of cipher-pixel values so as to make frequency analysis infeasible. That is, the redundancy of plain-image or the relationship between plain-image and cipher-image should not be observed from the cipher-image as such information has the potential to be exploited in a statistical attack. The frequency distribution of pixel values in an image can be easily determined by using histogram analysis. An image histogram is a graph showing the number of pixels in an image at each different intensity value found in that image. The histograms of the RGB colour channels of the “Lena” test image and its corresponding cipher-image are shown in Fig.

Histogram analysis. (a) and (h) are the test image and its output cipher-image, respectively. (b)–(d) and (i)–(k) are the three colour channels of (a) and (h), respectively. (e)–(g) and (l)–(n) are the histograms of (b)–(d) and (i)–(k), respectively.

The distribution of pixel values can be further quantitatively determined by calculating the information entropy of the image. Information entropy, introduced by Claude E. Shannon in his classic paper “A Mathematical Theory of Communication”, is a key measure of the randomness or unpredictability of information content. The information entropy is usually expressed by the average number of bits needed to store or communicate one symbol in a message, as described by

The information entropies of the test images and their corresponding cipher-images are calculated, and the results are listed in Table

Information entropies of the test images and their corresponding cipher-images.

Test image name | Information entropy | |

Plain-image | Cipher-image | |

Avion | 6.663908 | 7.999799 |

Baboon | 7.762436 | 7.999773 |

House | 7.485787 | 7.999759 |

Lena | 7.750197 | 7.999723 |

Peppers | 7.669826 | 7.999741 |

Pixels in an ordinary image are usually highly correlated with their neighbours either in horizontal, vertical or diagonal direction. However, an effective image cryptosystem should process cipher-images with sufficiently low correlation between neighbouring pixels. A scatter diagram is commonly used to qualitatively explore the possible relationship between two data sets. To plot a scatter diagram for image data, the following procedures are carried out. First, randomly select

Figs.

To further quantitatively measure the correlation between neighbouring pixels in an image, the correlation coefficients

Graphical analysis for correlation of neighbouring pixels. (a)–(c) and (d)–(f) are scatter diagrams for horizontally, vertically and diagonally neighbouring pixels in the red channel of the “Lena” test image and its output cipher-image, respectively.

Table

Correlation coefficients between neighbouring pixels in the test images and their corresponding cipher-images.

Test image name | Direction | Plain-image | Cipher-image | ||||

R | G | B | R | G | B | ||

avion | horizontal | 0.9575 | 0.9671 | 0.9316 | 0.0269 | −0.0240 | 0.0259 |

vertical | 0.9728 | 0.9634 | 0.9658 | −0.0122 | 0.0156 | 0.0307 | |

diagonal | 0.9370 | 0.9336 | 0.9115 | 0.0045 | 0.0215 | 0.0141 | |

baboon | horizontal | 0.8787 | 0.7757 | 0.8769 | 0.0027 | −0.0022 | −0.0092 |

vertical | 0.9291 | 0.8655 | 0.8995 | −0.0383 | -0.018 | −0.0006 | |

diagonal | 0.8671 | 0.7462 | 0.8314 | −0.0221 | −0.0074 | −0.0215 | |

house | horizontal | 0.9566 | 0.9526 | 0.9672 | 0.0222 | 0.0030 | −0.0118 |

vertical | 0.9507 | 0.9333 | 0.9719 | 0.0243 | 0.0028 | 0.0183 | |

diagonal | 0.9165 | 0.8988 | 0.9421 | 0.0034 | 0.0162 | −0.0155 | |

Lena | horizontal | 0.9896 | 0.9823 | 0.9585 | −0.0026 | 0.0117 | −0.0199 |

vertical | 0.9799 | 0.9680 | 0.9381 | 0.0163 | −0.0226 | −0.0154 | |

diagonal | 0.9685 | 0.9566 | 0.9229 | 0.0120 | −0.0178 | 0.0062 | |

peppers | horizontal | 0.9667 | 0.9796 | 0.9672 | 0.0107 | 0.0081 | −0.0176 |

vertical | 0.9633 | 0.9808 | 0.9678 | 0.0122 | 0.0002 | −0.0076 | |

diagonal | 0.9580 | 0.9671 | 0.9461 | −0.0057 | −0.0118 | −0.0369 |

Key sensitivity, a basic design principle of cryptographic algorithms, ensures that no information about the plaintext can be revealed even if there is only a slight difference between the decryption and encryption keys. To evaluate the key sensitivity property of the proposed scheme, the “Lena” test image is firstly encrypted using a randomly generated secret key: (

Decryption keys used for key sensitivity test.

Figure | Decryption key |

7(b) | |

7(c) | |

7(d) | |

7(e) | |

7(f) | |

Results of key sensitivity test.

In the real world, transmission errors are unavoidable, especially given the presence of noise in any communication channel, leading to the change of some pixels values. Besides, digital images may also lose data if they are corrupted due to intrusion. Consequently, an image encryption algorithm should have the robustness to resist noise and the data loss. As can be derived from Eq. (

To demonstrate the robustness of the proposed algorithm against noise and data loss, we first encrypt the “Lena” test image using a randomly generated secret key, and the resulting cipher-image is shown in Fig.

Results of robustness analysis against noise and data loss. (a) cipher-image. (b) cipher-image with Gaussian noise (mean = 0 and variance = 0.01). (c) cipher-image with Poisson noise. (d) cipher-image with salt & pepper noise (density = 0.05). (e) cipher-image with speckle noise (mean = 0 and variance = 0.04). (f) cipher-image with data loss. (g)–(l) are reconstructed plain-images corresponding to (a)–(f), respectively.

PSNR values for plain-images reconstructed from cipher-images with noise and data loss.

Figure | Fig. |
Fig. |
Fig. |
Fig. |
Fig. |

PSNR | 20.2106 | 27.1379 | 18.1460 | 18.7766 | 26.6073 |

To demonstrate the efficiency of the proposed algorithm, we compare its performance with that of the AES algorithm, one of the most frequently used and most secure encryption algorithms available today. Tables

Time (in seconds) taken to encrypt/decrypt a 24-bit true colour image of size 512

Trial No. | Proposed algorithm | AES-128 | AES-192 | AES-256 | ||||

Encryption | Decryption | Encryption | Decryption | Encryption | Decryption | Encryption | Decryption | |

1 | 0.028 | 0.024 | 0.088 | 0.092 | 0.113 | 0.117 | 0.134 | 0.122 |

2 | 0.028 | 0.021 | 0.094 | 0.100 | 0.106 | 0.105 | 0.130 | 0.130 |

3 | 0.029 | 0.023 | 0.095 | 0.090 | 0.107 | 0.105 | 0.133 | 0.131 |

4 | 0.030 | 0.022 | 0.092 | 0.116 | 0.11 | 0.112 | 0.131 | 0.137 |

5 | 0.030 | 0.022 | 0.091 | 0.108 | 0.109 | 0.107 | 0.129 | 0.127 |

6 | 0.030 | 0.021 | 0.090 | 0.089 | 0.108 | 0.106 | 0.125 | 0.141 |

7 | 0.028 | 0.021 | 0.089 | 0.087 | 0.107 | 0.104 | 0.127 | 0.128 |

8 | 0.029 | 0.022 | 0.090 | 0.087 | 0.108 | 0.109 | 0.133 | 0.127 |

9 | 0.029 | 0.025 | 0.090 | 0.095 | 0.104 | 0.106 | 0.136 | 0.128 |

10 | 0.028 | 0.026 | 0.091 | 0.095 | 0.106 | 0.111 | 0.125 | 0.124 |

Mean | 0.029 | 0.023 | 0.091 | 0.096 | 0.108 | 0.108 | 0.130 | 0.130 |

Time (in seconds) taken to encrypt/decrypt a 24-bit true colour image of size 1024*1024.

Trial No. | Proposed algorithm | AES-128 | AES-192 | AES-256 | ||||

Encryption | Decryption | Encryption | Decryption | Encryption | Decryption | Encryption | Decryption | |

1 | 0.115 | 0.085 | 0.363 | 0.355 | 0.430 | 0.439 | 0.495 | 0.508 |

2 | 0.114 | 0.097 | 0.358 | 0.396 | 0.427 | 0.432 | 0.500 | 0.491 |

3 | 0.114 | 0.085 | 0.354 | 0.351 | 0.429 | 0.429 | 0.494 | 0.496 |

4 | 0.117 | 0.087 | 0.363 | 0.374 | 0.424 | 0.435 | 0.499 | 0.497 |

5 | 0.117 | 0.085 | 0.370 | 0.352 | 0.426 | 0.439 | 0.495 | 0.492 |

6 | 0.117 | 0.089 | 0.368 | 0.364 | 0.424 | 0.449 | 0.494 | 0.500 |

7 | 0.115 | 0.091 | 0.364 | 0.352 | 0.423 | 0.437 | 0.496 | 0.500 |

8 | 0.114 | 0.088 | 0.358 | 0.363 | 0.431 | 0.429 | 0.503 | 0.509 |

9 | 0.116 | 0.096 | 0.364 | 0.377 | 0.427 | 0.440 | 0.502 | 0.505 |

10 | 0.113 | 0.089 | 0.359 | 0.366 | 0.430 | 0.444 | 0.501 | 0.518 |

Mean | 0.115 | 0.089 | 0.362 | 0.365 | 0.427 | 0.437 | 0.498 | 0.502 |

Time (in seconds) taken to encrypt/decrypt a 24-bit true colour image of size 2048

Trial No. | Proposed algorithm | AES-128 | AES-192 | AES-256 | ||||

Encryption | Decryption | Encryption | Decryption | Encryption | Decryption | Encryption | Decryption | |

1 | 0.459 | 0.348 | 1.426 | 1.415 | 1.719 | 1.821 | 1.994 | 2.108 |

2 | 0.455 | 0.340 | 1.430 | 1.431 | 1.707 | 1.764 | 2.002 | 2.003 |

3 | 0.492 | 0.348 | 1.421 | 1.421 | 1.718 | 1.745 | 1.991 | 2.087 |

4 | 0.457 | 0.346 | 1.437 | 1.414 | 1.722 | 1.726 | 2.001 | 2.053 |

5 | 0.454 | 0.341 | 1.431 | 1.414 | 1.713 | 1.736 | 1.995 | 2.043 |

6 | 0.456 | 0.345 | 1.428 | 1.422 | 1.704 | 1.738 | 2.014 | 2.031 |

7 | 0.452 | 0.341 | 1.426 | 1.414 | 1.706 | 1.732 | 2.003 | 2.020 |

8 | 0.459 | 0.341 | 1.428 | 1.426 | 1.704 | 1.728 | 1.997 | 1.992 |

9 | 0.456 | 0.341 | 1.420 | 1.417 | 1.706 | 1.716 | 1.991 | 1.972 |

10 | 0.457 | 0.344 | 1.421 | 1.417 | 1.701 | 1.735 | 1.997 | 2.015 |

Mean | 0.460 | 0.344 | 1.427 | 1.419 | 1.710 | 1.744 | 1.999 | 2.032 |

In this paper, we have proposed a fast and robust approach for image data protection. We first calculate the SHA-224 hash value of the original image, and then the hash value, together with the secret key, is used to generate the initial conditions of a 4-D hyperchaotic system. Subsequently, the hyperchaotic system is iterated for appropriate times to produce a keystream sequence used for the substitution operation. Due to the avalanche effect of hash functions, a slight change of the plain-image can lead to a totally different keystream sequence. Consequently, desired diffusion effect can be achieved with only a single round of substitution operation, whereas at least two encryption rounds are required by the state-of-the-art permutation-substitution type image ciphers. We have also demonstrated the computational efficiency of the proposed algorithm by comparing it with the AES encryption algorithm. Our theoretical analysis and experimental results have indicated that the proposed algorithm has a high security level, which can effectively resist all common attacks, such as brute force attack, statistical attack and differential attack. In conclusion, the proposed image encryption algorithm is particularly suitable for online applications.

This work was supported by the Fundamental Research Funds for the Central Universities (Nos. N150402004 and N171903003) and the National Nature Science Fundation of China (No. 61802055).