The explosive growth in the amount of image data distributed over the Internet over the past decade has raised great concern about the protection of image information against unauthorized eavesdropping. Definitely, the most straightforward way is to use a cryptographic algorithm. Unfortunately, many of the existing studies have indicated that commonly used block ciphers, such as DES and AES, are not suitable for practical image encryption. This is because the security of these algorithms depends on the complexity of the algorithms, making them difficult to meet the demand for online communications when dealing with digital images characterized by bulk data capacity. Recently, chaos-based cryptography has suggested a promising way to deal with the intractable problems of fast and highly secure image encryption. Making use of the favourable characteristics such as extreme sensitivity to initial condition(s), ergodicity and long-term unpredictability, chaotic systems have demonstrated great potential for information, especially multimedia encryption. (Fridrich, 1998) proposed the first chaos-based image encryption scheme using iterative permutation and substitution operation. In the permutation stage, the pixels in the input image are rearranged in a pseudorandom manner, which leads to a great reduction in the correlation between neighbouring pixels. In the substitution stage, the pixel values are altered sequentially and the influence of each individual pixel is diffused to all its succeeding ones during the modification process. With such a structure, a minor change of the plain-image may result in a totally different cipher-image with several overall rounds of encryption. Following Fridrich’s pioneer work, a growing number of chaos-based image encryption algorithms and their improvements have been suggested. A brief overview of some major contributions is given below.

Conventionally, three area-preserving invertible chaotic maps, i.e. the cat map (Fu et al., 2013), the baker map (Fu et al., 2016), and the standard map (Wong et al., 2008), are widely used for image scrambling. Unfortunately, this kind of permutation strategy suffers from two main disadvantages: (1) the periodicity of discretized version of chaotic maps, and (2) only applicable to square images. To address these two drawbacks, Fu et al. (2011) suggested an image scrambling scheme using a chaotic sequence sorting mechanism. Unfortunately, this method takes a whole row/column of an image as the scrambling unit and results in weaker confusion effect compared with many of the schemes working on individual pixels. Inspired by the natural ripple-like phenomenon that distorts a reflection on a water surface, Wu et al. (2014) suggested a novel scrambling algorithm that shuffles images in an n dimensional (n D) space using wave perturbations. Chen et al. (2014) and Chen et al. (2015a) suggested image scrambling schemes using a pixel-swapping mechanism respectively. In their schemes, each pixel in the input image is swapped with another pixel chosen by keystream sequence generated from a chaotic system.

To better meet the challenge of online secure image communication, much research has been done on improving the efficiency of chaos-based image ciphers. For instance, (Xiang et al., 2007) investigated the feasibility of selective image encryption on a bit-plane. It’s concluded that only selectively encrypting the higher four bit-planes of an image can achieve an acceptable level of security. As only 50% of the whole image data are encrypted, the execution time is reduced. Wong et al. (2009) proposed a more efficient diffusion mechanism using simple table lookup and swapping techniques as a light-weight replacement of the 1-D chaotic map iteration. Following this work Chen et al. (2015b) presented an efficient image encryption scheme with confusion and diffusion operations being both performed based on a lookup table. The other advantage of their approach is that it can effectively tolerate the channel errors, which may lead to the corruption of cipher data. It has been demonstrated that images recovered from the damaged cipher data have satisfactory visual perception. Wang et al. (2011) suggested a mechanism for combining the permutation and diffusion stages. Compared with other existing schemes with separated permutation and diffusion stages, their proposed scheme reduces the image-scanning cost by half, thereby increasing the execution speed. Fu et al. (2012) proposed a fast image cipher using a novel bidirectional diffusion mechanism. Simulation results indicated that their scheme requires only one round of permutation and two rounds of substitution to satisfy the plaintext sensitivity requirement. Zhu et al. (2011), Fu et al. (2014), Zhang et al. (2016) and Chen et al. (2017) suggested chaos-based image ciphers using a bit-level permutation respectively. Owing to the substitution effect introduced in the permutation stage, the number of iteration rounds required by the time-consuming substitution procedure is reduced, and hence a shorter encryption time is needed. Chen et al. (2015c) proposed a method for obtaining diffusion keystream sequence from the permutation matrix, which is produced and preserved in the permutation stage. As no extra chaotic iteration and quantization is required in the diffusion procedure, the computational efficiency is thereby improved.

Through the exploration of above schemes, one can find that all these schemes can be thought of as the extensions of the Fridrich’s approach, where the permutation and substitution stages are indispensable. In this paper, we propose a novel fast colour image encryption algorithm consisting of only a single substitution part. The keystream sequence is generated from a 4-D hyperchaotic system, whose initial conditions are determined by both the secret key and the SHA-224 cryptographic hash value of the plain-image. As is known, a cryptographic hash function is extremely sensitive to an input message and a chaotic system is extremely sensitive to initial conditions. As a result, a small change in a plain-image can be diffused to the entire cipher-image after only a single round of substitution operation, whereas at least two encryption rounds are required by the state-of-the-art permutation-substitution type image ciphers. Besides, our proposed algorithm does not suffer from the key distribution problem as the hash value is not part of the secret key.

The remainder of this paper is organized as follows. Section 2 presents the architecture of the new image cipher. The detailed encryption algorithm is described in Section 3, followed by the implementation of SHA-224 hash function in Section 4. In Section 5, extensive analysis of the security of the encryption algorithm is carried out, and the diffusion performance of the encryption algorithm is compared with that of a typical permutation-substitution type image cipher. In Section 6, the speed performance of the proposed algorithm is measured and the results are compared with those of AES algorithm in CBC mode. Finally, conclusions are drawn in the last section.

The architecture of the proposed image encryption algorithm is illustrated in Fig. 1. Compared with the widely studied permutation-substitution type image ciphers, the proposed algorithm consist of only a single substitution part. The substitution keystream sequence is extracted from the trajectory of a 4-D hyperhaotic system, whose initial conditions are determined by both the secret key and the SHA-224 cryptographic hash value of the plain-image. More specifically, the 224-bit hash value is split into four equal parts, and each part is involved in determining one of the four initial conditions of the hyperchaotic system. To analyse the diffusion efficiency improvement obtained from the above change, the diffusion mechanism of the permutation-substitution type image cipher is discussed first.

Generally, the diffusion operation is done from left to right and top to bottom. Consequently, we assume a worst case that two plain-images ( M × N pixels), (I) and (II), have only 1-bit difference at the last, lower-right pixel, as illustrated in Figs. 2(a) and (b). We suppose that the differential pixel is moved to ( p , q ) during the first round of permutation operation, as illustrated in Figs. 2(c) and (d). During the subsequent substitution operation, the pixel values are modified sequentially and the modification made to a particular pixel depends on both the keystream element and the accumulated effect of all the previous pixel values. Obviously, the influence of the differential pixel will be spread out to all its succeeding ones, as illustrated in Figs. 2(e) and (f). During the second round of permutation operation, the pixels containing the influence of the differential pixel are scattered over a wider area inside the intermediate cipher-image, and the subsequent substitution operation further increases the percentage difference between the two intermediate cipher-images. Generally, the influence of each individual pixel can be diffused over the whole cipher-image after at least three rounds of permutation-substitution operation.

It’s obvious that if desired diffusion effect can be achieved with fewer number of encryption rounds, the computational efficiency will be increased. Recently, some plaintext-dependent keystream generation mechanisms have been proposed to strengthen the robustness against chosen-plaintext attack and increase the diffusion intensity. Unfortunately, these schemes can only generate different keystream elements for differential pixels. As the substitution operation can only diffuse the influence of a pixel to its succeeding ones, only some of the pixels have increased their diffusion intensity. Experimental results show that many of these schemes may take two encryption rounds to achieve desired diffusion effect. Clearly, if two totally different keystream sequences can be generated for any two different images, the desired diffusion effect will be achieved after only a single encryption round, as illustrated in Figs. 3(c) and (d).

As is known, good hash functions, including the SHA-224, hold the following properties. 1) Every binary digit, bit, of input message data influences the content of its hash value. That is, any change to a message will almost surely result in a different hash value. 2) It is computationally infeasible to find a message that corresponds to a given message digest, or to find two different messages that produce the same message digest. Clearly, if the initial conditions of a chaotic system depend on the hash value of the input image as well as the secret key, a slight change of the plain-image can lead to a totally different keystream sequence. Besides, as the hash value is not part of the secret key, it can be transmitted in plaintext form together with the cipher-image. Therefore, our proposed algorithm does not suffer from the key distribution problem, a serious practical drawback of one-time pads.

Moreover, as the differential or diffused pixel(s) no longer need(s) to be transferred to different positions of the original or intermediate cipher-image, the permutation part can be removed, which further decreases the computational complexity. The detailed image encryption algorithm and the SHA-224 cryptographic hash function will be discussed in the next two sections.

In the present paper, a hyperchaotic system (Li et al., 2005), which is formulated by introducing an additional state into the third-order generalized Lorenz equation, is employed to generate the substitution keystream sequence. The system is described by (1) x ˙ y ˙ z ˙ u ˙ = a 11 a 12 0 0 a 21 a 22 0 0 0 0 a 33 0 − k 0 0 0 x y z u + x 0 0 0 0 0 0 − 1 0 0 1 0 0 0 0 0 0 x y z u , where a 11 , a 12 , a 21 , a 22 , a 33 are the system parameters, and k is the control parameter that determines the dynamical behaviour of the system. When parameters a 11 = − a 12 = − 35, a 21 = 7, a 22 = 12, a 33 = − 3, and either 0 < k ⩽ 21.84 or 37.44 < k ⩽ 41.84, the system exhibits hyperchaotic behaviour. The projections of phase portrait of one typical case, with k = 20, are depicted in Fig. 4.

The secret key of the proposed encryption algorithm consists of four real numbers { subkey x , subkey y , subkey z , subkey u } corresponding to the four state variables of system (1). The value of each subkey can be chosen in a range a little wider than that of its corresponding state variable. Taking a 24-bit true colour image of size H × W as input, the detailed encryption algorithm is described as follows:

Step 1: Arrange the coloured subpixels in the input image to a one-dimensional byte array imgData = { p 0 , p 1 , … , p 3 × W × H − 1 } in the order from left to right, top to bottom.

Step 2: Generate a chaotic sequence of length L c s = 3 × W × H by iterating system (1).

 Step 2.1: Calculate the SHA-224 hash of i m g D a t a, and the result is denoted by SHA img .

 Step 2.2: Divide SHA img into four 56-bit parts, which are denoted by SHA img ( p 1 ) − SHA img ( p 4 ) , respectively, from which four real numbers between 0 and 1 can be obtained according to (2) h r x = [ SHA img ( p 1 ) / ( 1 ≪ 56 ) ] , h r y = [ SHA img ( p 2 ) / ( 1 ≪ 56 ) ] , h r z = [ SHA img ( p 3 ) / ( 1 ≪ 56 ) ] , h r u = [ SHA img ( p 4 ) / ( 1 ≪ 56 ) ] , where “ ≪ s” denotes a left shift by s bit.

 Step 2.3: Set the initial conditions of system (1) according to (3) x 0 = subkey x + h r x , y 0 = subkey y + h r y , z 0 = subkey z + h r z , u 0 = subkey u + h r u ,

 Step 2.4: Pre-iterate system (1) for T 0 times to avoid the harmful effect of transitional procedure, where T 0 is a constant. The system can be numerically solved by using fourth-order Runge–Kutta method, as given by (4) x n + 1 = x n + ( h / 6 ) ( K 1 + 2 K 2 + 2 K 3 + K 4 ) , y n + 1 = y n + ( h / 6 ) ( L 1 + 2 L 2 + 2 L 3 + L 4 ) , z n + 1 = z n + ( h / 6 ) ( M 1 + 2 M 2 + 2 M 3 + M 4 ) , u n + 1 = u n + ( h / 6 ) ( N 1 + 2 N 2 + 2 N 3 + N 4 ) , where K j = a 11 x n + a 12 y n , L j = a 21 x n + a 22 y n + u n − x n z n , M j = a 33 z n + x n y n , N j = − k x n , ( with j = 1 ) K j = a 11 ( x n + h K j − 1 / 2 ) + a 12 ( y n + h L j − 1 / 2 ) , L j = a 21 ( x n + h K j − 1 / 2 ) + a 22 ( y n + h L j − 1 / 2 ) + ( u n + h N j − 1 / 2 ) L j = − ( x n + h K j − 1 / 2 ) ( z n + h M j − 1 / 2 ) , ( with j = 2 , 3 ) M j = a 33 ( z n + h M j − 1 / 2 ) + ( x n + h K j − 1 / 2 ) ( y n + h L j − 1 / 2 ) , N j = − k ( x n + h K j − 1 / 2 ) , K j = a 11 ( x n + h K j − 1 ) + a 12 ( y n + h L j − 1 ) , L j = a 21 ( x n + h K j − 1 ) + a 22 ( y n + h L j − 1 ) + ( u n + h N j − 1 ) − ( x n + h K j − 1 ) ( z n + h M j − 1 ) , M j = a 33 ( z n + h M j − 1 ) + ( x n + h K j − 1 ) ( y n + h L j − 1 ) , N j = − k ( x n + h K j − 1 ) , ( with j = 4 ) and the step size h is chosen as 0.005.

 Step 2.5: Continue to iteration for T i = L c s / 4 times. For each iteration, the current states ( x n , y n , z n , u n ) of the system(1) are in turn stored into array subSeq = { s s 0 , s s 1 , … , s s 3 × W × H − 1 }.

Step 3: Extract a substitution keystream sequence s u b K s t r = { s k 0 , s k 1 , … , s k 3 × W × H − 1 } by quantifying subSeq according to (5) s k n = mod [ sig ( ( abs ( s s n ) , m ) , G L ] , where a b s ( x ) returns the absolute value of x, sig ( x , m ) returns the m most significant decimal digits of x, mod ( x , y ) divides x by y and returns the remainder of the division, and G L is the number of gray levels in the input image (for a 24-bit RGB image, G L = 256). An m value of 15 is recommended as all the state variables in our scheme are declared as double-precision type, which has 15 or 16 decimal places of accuracy.

Step 4: Encipher the coloured subpixels in imgData sequentially according to Eq. (6). (6) c n = p n ⊕ s k n , where p n and c n are the currently operated plain-subpixel and the resulting cipher-subpixel, respectively, and ⊕ performs bit-wise exclusive OR operation.

As can be seen from the above description, each pixel in the original image is encrypted using XOR operation. Therefore, the decryption uses the same algorithm as encryption.

As discussed above, the initial conditions of the employed hyperchaotic system are determined by both the secret key and the SHA-224 cryptographic hash value of the plain-image. In this section, the implementation of SHA-224 cryptographic hash function is briefly discussed.

SHA-224 may be used to hash a message, M, having a length of l bits, where 0 ⩽ l ⩽ 2 64 . The algorithm uses 1) a message schedule of sixty-four 32-bit words, 2) eight working variables of 32 bits each, 3) sixty-four constant 32-bit words, and 4) a hash value of eight 32-bit words. The final result of SHA-224 is a 224-bit message digest.

The words of the message schedule are labelled W 0 , W 1 , … , W 63 . The eight working variables are labelled a, b, c, d, e, f, g, and h. The sixty-four constant words are labelled, K 0 ( 256 ) , K 1 ( 256 ) , … , K 63 ( 256 ) . These words represent the first thirty-two bits of the fractional parts of the cube roots of the first sixty-four prime numbers. In hex, these constant words are (from left to right)

The words of the hash value are labelled H 0 ( i ) , H 1 ( i ) , … , H 7 ( i ) , which will hold the initial hash value, H ( 0 ) , replaced by each successive intermediate hash value (after each message block is processed), H ( i ) , and ending with the final hash value, H ( N ) . SHA-224 also uses two temporary words, T 1 and T 2 .

SHA-224 uses six logical functions, where each function operates on three 32-bit words, which are represented as x, y, and z. The result of each function is a new 32-bit word. (7) C h ( x , y , z ) = ( x ∧ y ) ⊕ ( ¬ x ∧ z ) , Maj ( x , y , z ) = ( x ∧ y ) ⊕ ( x ∧ z ) ⊕ ( y ∧ z ) , ∑ 0 { 256 } ( x ) = ROTR 2 ( x ) ⊕ ROTR 13 ( x ) ⊕ ROTR 22 ( x ) , ∑ 1 { 256 } ( x ) = ROTR 6 ( x ) ⊕ ROTR 11 ( x ) ⊕ ROTR 25 ( x ) , σ 0 { 256 } ( x ) = ROTR 7 ( x ) ⊕ ROTR 18 ( x ) ⊕ SHR 3 ( x ) , σ 1 { 256 } ( x ) = ROTR 17 ( x ) ⊕ ROTR 19 ( x ) ⊕ SHR 10 ( x ) , where ∧ , ⊕ , ¬ performs bitwise AND, XOR and complement operations, respectively, ROTL n ( x ) circularly left shifts x by n bits, and SHR n ( x ) right shifts x by n bits.

The detailed hash procedures are described as follows.

Step 1: Set the initial hash value, H ( 0 ) , which shall consist of the following five 32-bit words, in hex: H 0 ( 0 ) = c 1059 e d 8 , H 1 ( 0 ) = 367 c d 507 , H 2 ( 0 ) = 3070 d d 17 , H 3 ( 0 ) = f 70 e 5939 , H 4 ( 0 ) = f f c 00 b 31 , H 5 ( 0 ) = 68581511 , H 6 ( 0 ) = 64 f 98 f a 7 , H 7 ( 0 ) = b e f a 4 f a 4 .

Step 2: Pad the message. The purpose of this padding is to ensure that the padded message is a multiple of 512 bits. Suppose that the length of the message, M, is l bits. Append the bit “1” to the end of the message, followed by k zero bits, where k is the smallest, non-negative solution to the equation l + 1 + K ≡ 448 mod  512. Then append the 64-bit block that is equal to the number l expressed using a binary representation.

Step 3: Parse the message. The message and its padding are parsed into N 512-bit blocks, M ( 1 ) , M ( 2 ) , … , M ( N ) . As the 512 bits of the input block may be expressed as sixteen 32-bit words, the first 32 bits of message block i are denoted M 0 ( i ) , the next 32 bits are M 1 ( i ) , and so on up to M 15 ( i ) .

Step 4: Compute the hash value. Each message block, M ( 1 ) , M ( 2 ) , … , M ( N ) , is processed in order, using the following substeps. Notice that addition ( + ) is performed modulo 2 32 .

 For i = 1 to N:

 {

   1. Prepare the message schedule, { W t }: W t = M t ( i ) , 0 ⩽ t ⩽ 15 , σ 1 { 256 } ( W t − 2 ) + W t − 7 + σ 0 { 256 } ( W t − 15 ) + W t − 16 , 16 ⩽ t ⩽ 63 ,

   2. Initialize the eight working variables, a, b, c, d, e, f, g, and h, with the ( i − 1 )st hash value: a = H 0 ( i − 1 ) ; b = H 1 ( i − 1 ) ; c = H 2 ( i − 1 ) ; d = H 3 ( i − 1 ) ; e = H 4 ( i − 1 ) ; f = H 5 ( i − 1 ) ; g = H 6 ( i − 1 ) ; h = H 7 ( i − 1 ) .

   3. For t = 0 to 63 { T 1 = h + ∑ 1 { 256 } ( e ) + C h ( e , f , g ) + K t { 256 } + W t ; T 2 = h + ∑ 0 { 256 } ( a ) + M a j ( a , b , c ) ; h = g ; g = f ; f = e ; e = d + T 1 ; d = c ; c = b ; b = a ; a = T 1 + T 2 . }

   4. Compute the ith intermediate hash value H ( i ) : H 0 ( i ) = a + H 0 ( i − 1 ) ; H 1 ( i ) = b + H 1 ( i − 1 ) ; H 2 ( i ) = c + H 2 ( i − 1 ) ; H 3 ( i ) = d + H 3 ( i − 1 ) ; H 4 ( i ) = e + H 4 ( i − 1 ) ; H 5 ( i ) = f + H 5 ( i − 1 ) ; H 6 ( i ) = g + H 6 ( i − 1 ) ; H 7 ( i ) = h + H 7 ( i − 1 ) .

After repeating steps one through four a total of N times (i.e. after processing M ( N ) ), the resulting 224-bit message digest of the message, M, is obtained by truncating the final hash value, H ( N ), to its left-most 224 bits: H 0 ( N ) | | H 1 ( N ) | | H 2 ( N ) | | H 3 ( N ) | | H 4 ( N ) | | H 5 ( N ) | | H 6 ( N ) .

To evaluate the dependency of the initial conditions of the employed hyperchaotic system on input image, we first select five standard test images (512 × 512 pixels, 24-bit RGB colour) from the USC-SIPI image database. Then, we randomly choose a pixel in each test image and change its least significant bit, as illustrated in Table 1. A differential image is named by append a “_d” to the name of its original version. Finally, we calculate the SHA-224 hash values of all the original images and the revised ones, from which the four real numbers h r x , h r y , h r z , and h r u are derived. The results are given in Table 2, from which it can be seen that changing 1-bit of the plain-image will lead to the trajectory of the hyperchaotic system starting from totally different initial conditions.

To demonstrate the efficiency of the proposed algorithm, we compare its performance with that of the AES algorithm, one of the most frequently used and most secure encryption algorithms available today. Tables 8–10 show the time required by the proposed algorithm and the AES algorithm to encrypt/decrypt 24-bit true colour images of size 512 × 512, 1024 × 1024 and 2048 × 2048, respectively. The AES algorithm works in CBC mode and the performance of all its three versions (128-bit, 192-bit and 256-bit) are measured. All the algorithms have been implemented using C programming language on Windows 7 64-bit platform, and the tests have been done on a personal computer with an Intel i7-7700 3.6 GHz processor and 8 GB RAM. To make the comparison fair, we run each algorithm 10 times on each test image and compute the average running time. As can be seen from Tables 8–10, the proposed algorithm is approximately three times faster than the simplest version of the AES algorithm, i.e. AES-128. Besides, it’s found that our algorithm takes less time to decrypt than encrypt. This is because the decryption procedure does not include the step of calculating the digest of the original image. It can therefore be concluded from these results that the proposed algorithm provides a good candidate for online secure image transmission over public networks.

In this paper, we have proposed a fast and robust approach for image data protection. We first calculate the SHA-224 hash value of the original image, and then the hash value, together with the secret key, is used to generate the initial conditions of a 4-D hyperchaotic system. Subsequently, the hyperchaotic system is iterated for appropriate times to produce a keystream sequence used for the substitution operation. Due to the avalanche effect of hash functions, a slight change of the plain-image can lead to a totally different keystream sequence. Consequently, desired diffusion effect can be achieved with only a single round of substitution operation, whereas at least two encryption rounds are required by the state-of-the-art permutation-substitution type image ciphers. We have also demonstrated the computational efficiency of the proposed algorithm by comparing it with the AES encryption algorithm. Our theoretical analysis and experimental results have indicated that the proposed algorithm has a high security level, which can effectively resist all common attacks, such as brute force attack, statistical attack and differential attack. In conclusion, the proposed image encryption algorithm is particularly suitable for online applications.