1 Introduction

Currently, people plan on storing their health records and sensitive photographs on their phones or in the cloud. As a result, the transmission and exchange of information via networks has become a more and more important part of daily life, making image security an inescapable issue in communication. Image encryption is widely recognized as the most important method for protecting image information in the fields of information security and applied cryptology [1, 2]. It is generally accepted that there are two major branches of image encryption: digital image encryption and optical image encryption. The Fourier transform is usually used in optical systems in conjunction with random phase masks (RPMs) to implement optical image encryption. The encryption of digital images is accomplished by digital computers. The method is commonly applied to pixels in the form of pixel scrambling or pixel diffusion [3,4,5,6,7,8,9,10]. Pseudo-random sequences are commonly used in digital image encryption in conjunction with both chaos [11] and plaintext-related technologies [12,13,14,15]. As well as this, there is another branch of study that focuses on the cryptography and protection of digital images. There are a number of representative fields, including image watermarking [16,17,18,19], image hiding [20, 21], and image fusion [22, 23].

Although great developments have been achieved in digital image encryption, we should pay much more attention to some problems. Firstly, most image encryption schemes adopted a single image information protection mode, but did not employ the comprehensive application of image cryptology methods. Second, the majority of existing image cryptosystems use pseudo-random numbers as their basic ciphers. However, the statistical security of pseudo-random sequences is not contested. Although the performance analysis was carried out in these schemes, the security of the algorithm is not guaranteed. In fact, insecure cipher-based image encryption algorithms can also pass the evaluation of performance analysis [4]. Thirdly, with the rapid performance improvement of modern computers, the pure chaotic cryptosystem with short cycles and small key space is vulnerable, and it is hard to guarantee the structural security and robustness of the encryption algorithms. To address these issues, we propose an image information hiding scheme by combining multiple images into an encrypted one. The main contributions of our work include: (i) We integrate multilayer image composition with chaos image encryption to form the compound image information protection scheme. (ii) We use a novel chaos with multiple control parameters to generate pseudo-random sequences, and these sequences are strictly tested by the universal secure criterion of pseudo-random numbers, i.e., SP800 R1a [24]; (iii) to optimize the algorithm structure, the classical image encryption pattern of 'confusion-diffusion' is expanded to one of 'diffusion-scrambling-nonlinear transform.'

The paper is mainly composed of the following parts: Part 2 introduces the mathematical foundations of the algorithm, which includes several nonlinear transforms of matrices and an irreversible chaos with multiple control parameters. Part 3 discusses the main contents of the algorithm, such as the multiple image composition, chaotic ciphers and plaintext-related ciphers, pixels diffusion, pixels scrambling, and pixels nonlinear transforms. Part 4 develops the encryption simulations. Part 5 performs the security test of the chaotic ciphers by SP800 R1a. Part 6 is the evaluation of the algorithm performance security. Part 7 summarizes the full paper.

2 Mathematical preliminaries

2.1 Matrix nonlinear transforms

This section introduces three nonlinear transforms of matrices that support the composition and encryption of images.

2.1.1 Nonlinear transform of matrices based on dot power

The ‘dot operation’ is a particular calculation in matrix theory. Rather than affecting the matrices themselves, this operation affects the elements of the matrices. \(M = (m_{ij} )_{hk}\) and \(P = (p_{ij} )_{hk}\) represent the matrices with the same size of \(h \times k\). A dot multiply, a dot divide, and a dot power [25] between \(M\) and \(P\) can be expressed as follows:

$$M. * P = (m_{ij} \times p_{ij} )_{hk} ,\;M./P = (m_{ij} \div p_{ij} )_{hk} \;M. \wedge n = (m_{ij}^{n} )_{hk}$$
(1)

where the symbol ‘\(. *\)’, ‘\(./\)’, and ‘.^’ represent the operator of dot multiplication, dot division, and dot power, respectively.

According to the dot power defined in Eq. (1), The Nonlinear Transform of Matrices based on Dot Power (NTMDP) is introduced as a transform of matrices M and P, which is expressed as follows:

$$R_{{M,P}} = k_{1} \cdot M + k_{2} \cdot P.^{ \wedge } n,$$
(2)

where \(0 \le k_{1} ,k_{2} \le 1,n > 0\) represent varied parameters. It is evident that the matrix P from Eq. (2) can be easily calculated as follows:

$$\left( {\left( {R_{M,P} - k_{1} \cdot M} \right)/k_{2} } \right).^\wedge (1/n).$$
(3)

Equation (3) is commonly referred to as the inverse of NTMDP (NTMDP −1).

2.1.2 Rational linear transform of matrices

By means of the dot power defined in Eq. (1), a rational linear transform (RLT) of \(M\) can be defined as follows:

$$M_{r} = (a_{1} \cdot M + a_{2} \cdot N)./(a_{3} \cdot M + a_{4} \cdot N) + a_{5} \cdot R,$$
(4)

where \(a,b,c,d,e \in R\) represent optional parameters, while \(c\) and \(d\) cannot be taken as zero at the same time.\(N\) represents a known constant matrix with the same size of \(M\), and \(R\) represents a random matrix.

As shown below, it is not difficult to obtain the inverse of RLT (RLT1):

$$M = - \left( {a_{4} \cdot \left( {M_{r} - a_{5} \cdot R} \right) - a_{2} \cdot N} \right)./\left( {a_{3} \cdot \left( {M_{r} - a_{5} \cdot R} \right) - a_{1} \cdot N} \right).$$
(5)

2.1.3 Matrix truncation transform

A rounding function \({\text{ceil}}( \cdot )\) is available in MATLAB. In the case of a nonzero real number, we can obtain the minimum integer not less than \(x\) by \({\text{ceil}}(x)\). This function can be used to identify the truncation transform (TT) of the matrix \(X_{hk}\) as follows:

$$T\,(\,X\,) = {\text{ceil}}\,(\,X\,) - X.$$
(6)

Assuming that \(C = {\text{ceil}}(M)\) is a constant matrix, TT−1 can be obtained by the inverse of Eq. (6), as follows:

$$X = C - T(X)$$
(7)

In terms of pixel diffusion encryption, these nonlinear transformations (Formulas (17)) are constructed in this subsection. It is essential that the diffusion transformation of pixels is reversible in order to facilitate decryption. Consequently, the above transformations are in complete accordance with the requirements. Further, the parameters involved in these nonlinear transformations can be used as encryption keys, thereby increasing the key space of the encryption algorithm. Particularly, some matrix-specific operations are used in these transformations, such as dot operations, which are consistent with the essence of image operations, namely matrix operations.

2.2 Multi-parameter irreversible nonlinear chaotic map

It is well known that chaos has some good properties and that it is widely employed in modern encryption algorithms. There are several common chaos systems, including the Logistic map, the Standard map, the Chebyshev map, the Baker map, the Henon map, etc. To generate chaotic ciphers, Henon's map is commonly described as follows [26]:

$$\left\{ {\begin{array}{*{20}l} {x\left( {n + 1} \right) = 1 - a \cdot x^{2} \left( n \right) + y\left( n \right)} \\ {y\left( {n + 1} \right) = \beta \cdot x\left( n \right)} \\ \end{array} } \right.,$$

where \(\alpha ,\beta\) represent system parameters. When \(0.54 < \alpha < 2,0 < |\beta | < 1\), Henon system is shown to be in a hyper-chaotic state.

The following novel nonlinear chaotic map is constructed to improve the structural complexity of the Henon system:

$$\left\{ \begin{gathered} x(n + 1) = 1 - \alpha \cdot x^{2} (n) + \beta \cdot \sin (x(n)) \cdot y(n) \hfill \\ \quad \quad \quad \; + \gamma \cdot \sin (x(n)) + \lambda \cdot \cos (y(n)) \hfill \\ y(n + 1) = \mu \cdot x(n) \hfill \\ \end{gathered} \right..$$
(8)

When the parameters satisfy \(0.56 < \alpha < 2,0 < |\beta |,|\gamma |,|\lambda |,|\mu | < 1,\) Eq. forms a chaotic system because it has a positive Lyapunov exponent. In contrast to most chaotic maps, this map is irreversible. However, this feature does not affect its application in the proposed algorithm, since the encryption scheme has nothing to do with the chaos inverse. In the following text, this map is referred to as the Irreversible Generalized Henon Map (IGHM).

In comparison with the classical Henon map, trigonometric function terms and new parameters have been added to Eq. (8). As a result of such a change, the key space of the encryption algorithm is increased, and the reversible mathematical transformation is converted into an irreversible one. This enhances the security of the encryption algorithm. Despite the fact that the calculation in Eq. (8) is more complicated than that in a traditional Henon map, from the perspective of the performance of modern computing tools, the computational complexity of the algorithm has remained relatively unchanged.

3 Multiple images composition and image encryption

In the proposed algorithm, there are four basic stages: multiple image composition, compound image encryption, image decryption, and image separation from the decrypted image. Detailed information will be provided below.

3.1 Multiple images composition

Assume that \(I_{{m_{j} \times n_{j} }}^{j} ,\;j = 1,2, \cdots ,k\) represent the given images with different size of \(m_{j} \times n_{j}\). Set \(m_{r} = \mathop {\max }\limits_{j} \{ m_{j} \} ,\;n_{c} = \mathop {\max }\limits_{j} \{ n_{j} \} .\) By using the inner function 'rand' of MATLAB, a random matrix \(B_{0}\) is introduced with the dimensions \(m_{r} \times n_{c}\). The matrix \(B_{0}\) is referred to as the Base-Plate Image (BPI). In terms of the known matrix \(B_{0}\) and the given images \(I_{j} ,\) NTMDP is used in Eq. (2) in order to implement the composition of images (layer by layer) in accordance with the following arithmetic:

$$\left\{ \begin{gathered} R_{1} = p_{11} \cdot B_{r1} + p_{12} \cdot I_{1} . \wedge n_{1} \hfill \\ R_{2} = p_{21} \cdot B_{r2} + p_{22} \cdot I_{2} . \wedge n_{2} \hfill \\ \cdots \cdots \cdots \cdots \hfill \\ R_{k} = p_{k1} \cdot B_{rk} + p_{k2} \cdot I_{k} . \wedge n_{k} \hfill \\ \end{gathered} \right.,$$
(9)

where \(p_{j1} ,p_{j2} ,n_{j} ,j = 1,2, \cdots ,k\) represent the parameters similar to those mentioned in Eq. (2).\(B_{r1}\) represents a random matrix with the same size as \(I_{1}\), and the elements of \(B_{r1}\) are randomly selected from the base-plate image \(B_{0}\). Given the parameters \(p_{11} ,p_{12}\) and an integer \(n_{1}\), a transformed matrix \(R_{1}\) can be easily obtained using the first formula in Eq. (9). Then, the elements are replaced at the same position in \(B_{0}\) with the element of \(R_{1}\). We further obtain the matrix \(B_{1} .\) Quite similarly, \(B_{r2}\) represents a random matrix with the same size as \(I_{2}\), and the elements of \(B_{r2}\) are randomly selected from \(B_{1}\). The matrix \(B_{2} .\) can be obtained after the elements are replaced at the same position in \(B_{1}\) by the element of \(R_{2}\). By analogy, the final matrix \(B_{k}\) is obtained. The matrix \(B_{k}\) is referred to as the final compound image. In addition, it represents the image that needs to be encrypted.

3.2 Image encryption

3.2.1 Chaos sequence, diffusion cipher, and pixels diffusion

3.2.1.1 Chaos cipher matrix related to plaintext

Assume that a group of the parameters \(\alpha_{1} ,\beta_{1} ,\gamma_{1} ,\lambda_{1} ,\mu_{1}\) is given. Using IGHM in Eq. (8), we can obtain the chaotic sequence \(C_{0}\) in the length of \(h \cdot k\). Then,\(C_{0}\) is converted into the matrix \(C_{1}\) of h rows and k columns. For the selected parameters \(a_{1} ,b_{1} ,c_{1} ,d_{1} ,e_{1} ,\) RLT is performed in Eq. (4) among the matrix \(C_{1}\), the original image \(P_{0}\), and the random matrix \(R_{1}\), and the matrix \(C_{2}\) can be obtained as follows:

\(C_{2} = (a_{1} \cdot C_{1} + b_{1} \cdot P_{0} )./(c_{1} \cdot C_{1} + d_{1} \cdot P_{0} ) + e_{1} \cdot R_{1} ,\), (10). where \(C_{2}\) is referred to as the Chaotic Cipher Related to Plaintext (CCRP).

3.2.1.2 Pixels diffusion

The basic diffusion algorithm used in practical image encryption is based on the operation of XOR. Generally, forward and backward diffusion calculations using the XOR operator [27] can be expressed as follows:

$$Ct_{i} = Ct_{i - 1} \oplus C_{i} \oplus \overline{P}_{i} ,i = 1,2, \cdots hk,\;Ct_{i} = Ct_{i + 1} \oplus C_{i} \oplus \overline{P}_{i} ,\;i = hk,hk - 1, \cdots 1$$
(11)

where \(Ct\) represents the diffused result, \(\widetilde{C}\) represents the cipher vector,\(\overline{P}\) represents the row vector rearranged from \(P_{0}\).The initial value of \(Ct_{0} ,Ct_{hk}\) is obtained by the keys, and the symbol \(\oplus\) represents the XOR operator.

In Eq. (11), it is evident that the diffusion process is implemented on each element sequentially. The following pattern of forward and backward diffusion is introduced to increase the speed of pixels diffusion:

$$Ct_{i}^{(r)} = Ct_{i - 1}^{(r)} \oplus C_{i}^{(r)} \oplus P_{i}^{(r)} ,i = 1,2, \cdots h,\;Ct_{j}^{(c)} = Ct_{j - 1} \oplus C_{j}^{(c)} \oplus P_{j}^{(c)} ,j = 1,2, \cdots k$$
(12)
$$Ct_{j}^{(c)} = Ct_{j + 1}^{(c)} \oplus C_{j}^{(c)} \oplus P_{j}^{(c)} ,\;j = k,k - 1, \cdots 1,\;Ct_{i}^{(r)} = Ct_{i + 1}^{(r)} \oplus C_{i}^{(r)} \oplus P_{i}^{(r)} ,\;i = h,h - 1, \cdots 1$$
(13)

where \(Ct^{(r)}\) and \(Ct^{(c)}\) represent the diffused result;\(C^{(r)}\) and \(C^{(c)}\) represent the cipher matrix's row vectors and column vectors, respectively; \(P^{(r)}\) and \(P^{(c)}\) represent the row and column vectors of \(P_{0}\),respectively. The initial value of \(Ct_{0}^{(r)} ,Ct_{0}^{(c)} ,Ct_{h}^{(r)} ,Ct_{k}^{(r)}\) is obtained by the initial keys. The operations expressed by Eqs. (12) and (13) are referred to as Pixels Diffusion Row by Row and Column by Column (PDRC).

3.2.2 Scrambling ciphers and pixels scrambling

3.2.2.1 Scrambling ciphers related to the diffused image

In this subsection, the ciphers related to the diffused image are used to scramble the diffused image \(C_{d}\). In terms of another group of parameters \(\alpha_{2} ,\beta_{2} ,\gamma_{2} ,\lambda_{2} ,\mu_{2}\), Eq. (8) is used to derive another chaotic sequence \(V\) in the length of \(hk\) and convert \(V\) into the matrix \(V_{m}\) with the same size of \(C_{d}\). The second group of parameters \(a_{2} ,b_{2} ,c_{2} ,d_{2} ,e_{2}\) is used to carry out RLT in Eq. (4) among \(C_{d}\),\(V_{m}\) and another nonzero random matrix \(R_{2}\), and the following \(C_{s}\) can be obtained as follows:

$$C_{s} = (a_{2} \cdot C_{d} + b_{2} \cdot V_{m} )./(c_{2} \cdot C_{d} + d_{2} \cdot V_{m} ) + e_{2} \cdot R_{2} ,$$
(14)

where the matrix \(C_{s}\) is referred to as the Scrambling Cipher Matrix (SCM).

3.2.2.2 Pixels scrambling

Assume that \(\overline{{C_{s} }}\) represents the row vector converted from \(C_{s}\). By using MATLAB's function 'randperm,' a series of random positive integers are generated in the interval \([1,h \cdot k]\). Therefore, \(\overline{{C_{s} }}\) is arranged into \(\overline{\overline{{C_{s} }}}\) and the elements numbers are recorded before and after the rearranging as \(I_{{{\text{old}}}}\) and \(I_{{{\text{new}}}}\), respectively.\(\overline{{C_{d} }}\) is first rearranged by the sequence \(I_{{{\text{new}}}}\). Then, the rearranged result is converted into a matrix \(\overline{\overline{{C_{d} }}}\) with \(h\) rows and \(k\) columns. Thus, the scrambled image can be obtained.

3.2.3 Encryption using the truncation transformation

Performing TT in Eq. (6) to the scrambled result \(\overline{\overline{{C_{d} }}}\), we can obtain

$$CT = {\text{ceil}}\left( {\overline{\overline{{C_{d} }}} } \right) - \overline{\overline{{C_{d} }}}$$
(15)

In this section,\(C = {\text{ceil}}\left( {\overline{\overline{{C_{d} }}} } \right)\) is referred to as the Procedural Cipher Matrix (PCM). The final encrypted image \(CT\) has been obtained so far.

3.3 Image decryption

Cryptography can be decrypted by performing the inverse operation and inverse transformation on it. In terms of the encrypted image \(CT\), we use Eq. (7) to deduce \(CT_{1}\). In the following step, we change \(CT_{1}\) into a one-dimensional array, rearrange the array by \(I_{old}\), and convert the result into the matrix \(CT_{2}\). The matrix \(CT_{2}\) represents the decrypted result of the scrambled image. Furthermore, \(C_{3}\) is used to perform the inverse of pixels diffusion (column by column and row by row) as follows:

$$\begin{gathered} I_{j} = CT^{(c)}_{2,j - 1} \oplus CT^{(c)}_{2,j} \oplus C^{(c)}_{3,j} ,\;\;\;\;j = 1,2, \cdots k \hfill \\ I_{i} = CT^{(r)}_{2,i - 1} \oplus CT^{(r)}_{2,i} \oplus C^{(r)}_{3,i} ,\;\;\,\,\;i = 1,2, \cdots h \hfill \\ \end{gathered}$$
(16)
$$\begin{gathered} I_{i} = CT^{(r)}_{2,i + 1} \oplus CT^{(r)}_{2,i} \oplus C^{(r)}_{3,i} ,\;\;\;\;\;i = h,h - 1, \cdots 1 \hfill \\ I_{j} = CT^{(c)}_{2,j + 1} \oplus CT^{(c)}_{2,j} \oplus C^{(c)}_{3,j} ,\;\;\,j = k,k - 1, \cdots 1 \hfill \\ \end{gathered}$$
(17)

where the symbols \([ \cdot ]^{(c)}\) and \([ \cdot ]^{(r)}\) represent the column and row vector of the corresponding matrix, respectively. Finally, the final decrypted image \(I\) can be obtained.

3.4 Image separation from the decrypted result

The final decrypted image \(I\) contains the information about the multiple compound images and the base-plate image. As a general principle, image separation involves extracting every image from \(I\) in reverse order of composition.

In terms of the image \(I\) and the known parameters \(p_{k1} ,p_{k2} ,n_{k}\), an operation similar to Eq. (3) is performed on the last formula of Eq. (9) and the image \(I_{k}\) can be obtained as follows:

$$I_{k} = ((R_{k} - p_{k1} \cdot B_{rk} )/p_{k2} ). \wedge (1/n_{k} )$$
(18)

Similarly, the other images can be derived as follows:

$$I_{k - 1} = ((R_{k - 1} - p_{k - 11} \cdot B_{rk - 1} )/p_{k - 12} ). \wedge (1/n_{k - 1} )$$
(19)
$$I_{1} = ((R_{1} - p_{11} \cdot B_{r1} )/p_{12} ). \wedge (1/n_{1} )$$
(20)

Therefore, all the initial images are sequentially separated from the decrypted image \(I\).

3.5 Algorithm description

The proposed algorithm for hiding image information consists of five main stages: image preprocessing, image composition, the compound image encryption, the image decryption, and image separation. Following is a summary of the details:

  1. (I)

    Image preprocessing

    1Convert the initial images with different sizes into the gray ones \(I_{1} ,I_{2} , \cdots ,I_{k}\), and generate the base-plate image \(B_{0}\) using the function 'rand' of MATLAB.

  2. (II)

    Image composition

    2 Set the values of parameters \(p_{j1} ,p_{j2} ,n_{j} ,j = 1,2, \cdots ,k\), execute the operation in Eq. (9) to deduce the compound image (it is also the image to be decrypted)\(B_{k}\).

  3. (III)

    The compound image encryption

3 Compute the diffusion cipher for the given parameters according to Eq. (4), and perform the diffusion operation described in Eqs. (12) and (13) to obtain the diffused image \(C_{d}\).

4Set the proper parameters and implement the pixels scrambling operation as described in Sect. 3.2.2 to obtain the scrambled image \(\overline{\overline{{C_{d} }}}\).

5Carry out the transform for the image \(\overline{\overline{{C_{d} }}}\) in Eq. (15) to obtain the final encrypted image \(CT\).

(IV) Image Decryption.

6Use Eq. (7) to deduce \(CT_{1}\) for the encrypted image \(CT\).

7Turn the result of \(CT_{1}\) into \(CT_{2}\);

8Perform the transforms in Eqs. (16) and (17) on \(CT_{2}\).Then, rearrange the result into the matrix \(I\).

(V) Image separation.

9Run the calculations in Eqs. (18), (19), and (20), respectively. The initial images are abstracted sequentially from the image \(I\).

3.6 The flow charts of the algorithm

The flow charts for the algorithm are illustrated in Figs. 1 and 2.

Fig. 1
figure 1

The flow chart of images composition and encryption

Full size image
Fig. 2
figure 2

The flow chart of image decryption and separation

Full size image

4 Simulations

In this section, three images are selected, namely Girl, Coast, and Tulips, respectively, from the universal image datasets BSD-S500 [28] and Caltech 101 [6], to be used for image composition and the decryption and encryption of compound images. Simulations are performed using the platform MATLAB 2018a.

4.1 Images composition experiment

It should be noted that since each of the three experimental images is 481 × 321, 341 × 512, and 570 × 380 pixels, respectively, so should the base-plate be 570 × 512 pixels. The three initial images and the random base-plate can be seen in Fig. 3.

Fig. 3
figure 3

The base-plate image and the three initial images

Full size image

For each of the parameters mentioned in Eq. (9), set the following values:

$$p_{11} { = }0.75,p_{12} { = }0.25,n_{1} { = 0}{\text{.10,}}\;p_{21} { = }0.65,p_{22} { = }0.20,n_{2} { = 0}{\text{.12,}}\;p_{31} { = }0.60,p_{32} { = }0.22,n_{3} { = 0}{\text{.25}}{.}$$

Afterward, the three images are integrated into the base-plate in order, and the compound images are obtained as shown in Fig. 4. As shown in the figure, (b), (c), and (d) represent the results of integrating one, two, and three experimental images into the base-plate, respectively. Subfigure (d) represents the final compound result. The plain image to be encrypted is also shown in subfigure (d).

Fig. 4
figure 4

The compound results of different images

Full size image

4.2 The compound image encryption and decryption experiment

According to the encryption scheme described above, there are 22 parameters involved, and the key space is expressed as follows:

$$\Gamma_{1} \times \Gamma_{2} = (\alpha_{1} ,\beta_{1} ,\gamma_{1} ,\lambda_{1} ,\mu_{1} ,a_{1} ,b_{1} ,c_{1} ,d_{1} ,e_{1} ,R_{1} ) \times (\alpha_{2} ,\beta_{2} ,\gamma_{2} ,\lambda_{2} ,\mu_{2} ,a_{2} ,b_{2} ,c_{2} ,d_{2} ,e_{2} ,R_{2} ).$$

The matrices \(R_{1}\) and \(R_{2}\) in this set are randomly generated, and the other keys are assigned sequentially as follows:

$$\alpha_{1} = 1.2,\beta_{1} = 0.58,\gamma_{1} = 0.72,\lambda_{1} = 0.35,\mu_{1} = 0.40,$$
$$a_{1} = 2.00,b_{1} = 5.00,c_{1} = 3.00,d_{1} = 4.00,e_{1} = 4.00,$$
$$\alpha_{2} = 1.1,\beta_{2} = 0.55,\gamma_{2} = 0.68,\lambda_{2} = 0.30,\mu_{2} = 0.45,$$
$$a_{2} = 4.00,b_{2} = 5.00,c_{2} = 2.00,d_{2} = 3.00,e_{2} = 3.00.$$

As shown in Fig. 5, the results of the encryption and decryption of the compound image are displayed, respectively. The subfigure (a) represents the compound image, the subfigure (b) represents the encrypted image, and the subfigure (c) represents the decrypted image.

Fig. 5
figure 5

The compound, the encrypted and decrypted images

Full size image

It is evident that the cipher pixels are random and disordered from an intuitive perspective. Therefore, we are able to preliminarily conclude that the encryption algorithm is valuable.

A more objective evaluation of the encryption result can be obtained by calculating the three indexes (PSNR, SSIM, and coefficient correlation (CORR). A comparison of PSNR, SSIM, and coefficient correlation (CORR), which are typically used to assess the similarity between two images, is presented in Table 1. As can be seen from Table 1, the values of the three indicators are very close to theoretical values. Thus, it can be inferred that the proposed algorithm has good encryption effect.

Table 1 PSNR, SSIM, and CORR
Full size table

4.3 Experimentation with separating the encrypted image from the unencrypted image

The separated images are shown in Fig. 6. A table of similarity indexes is also included in Table 2.

Fig. 6
figure 6

The separated images from the decrypted image

Full size image
Table 2 PSNR, SSIM, and CORR between the initial images and the corresponding decrypted images
Full size table

It is evident from Fig. 6 that the initial images can be clearly separated from the decrypted images. According to Table 2, the PSNR, SSIM, and CORR values are quite close to those predicted by the theory. It is clear from this that the proposed algorithm provides excellent results in terms of decryption. Additionally, the data in lines 4 and 5 demonstrate that the algorithm is lossless, since decrypted images are identical to their original ones.

5 Security testing of the cryptosystem

Pseudo-random sequences are universal in nature. A cryptographic system cannot be constructed using an arbitrary pseudo-random sequence. Cryptosystems can only be based on those that have been proven to be secure. In this paper, the cryptosystem is based on the chaotic sequence generated by Eq. (8). Therefore, it is necessary to test the security of the chaotic sequence. It is assumed that the parameters in Eq. (8) are assigned as 1.2, 0.58, 0.72, 0.35, and 0.40, respectively. A statistical analysis of random numbers is carried out using 15 indicators based on the international standard SP800.R1a [24]. As shown in Table 3, the results are recorded.

Table 3 The 15 statistical indicators of SP800.R1a for chaotic sequence
Full size table

As per SP800, R1a, if the value of an indicator is greater than 0.01, the indicator is considered to pass the security test. The random number generation method is considered secure if all the indicators pass the test. According to Table 3, all the indicators of the proposed chaotic sequence pass the test. Based on these findings, it can be concluded that the cryptosystem based on the proposed chaotic sequence is secure.

6 Algorithm performance analysis and security evaluation

In this section, a quantitative analysis of the proposed algorithm security indexes will be presented. Because the algorithm involves a number of operations, the results obtained from one round may differ from those obtained from another. As a result, this is the inherent characteristic of the algorithm. As a matter of fact, this characteristic does not affect the conclusions drawn from the analysis.

6.1 The average running time of the algorithm

The purpose of this subsection is to provide a running time evaluation of the proposed algorithm. To compute the algorithm time cost, we randomly select five groups of images (each group includes three images with different sizes) from [28] and [6]. As shown in Table 4, the average time it takes for the algorithm to run 50 times is summarized. Figure 7 illustrates the time fitting curves of the cubic polynomial (the abscissa represents the number of pixels in the base-plate image, while the ordinate represents the time). It is evident that the algorithm consumes a relatively small amount of time. Despite the fact that some random factors and calculations are involved in the algorithm and the experimental result is closely related to the computer configuration, data presented in Table 4 should be regarded as relative and should only be used as reference.

Table 4 Resources consumption and occupancy
Full size table
Fig. 7
figure 7

Time fitting curves of the cubic polynomial

Full size image

6.2 Security of the brute force attack

6.2.1 Keys space

A key space is the dataset composed of all the possible values of the keys, which is a key indicator of how secure the algorithm will be against brute force attacks. The application of cryptography has demonstrated the need for a secure key space that exceeds 128 bits for an 8-bit integer image.

It is known that the algorithm's key space is \(\Gamma_{1} \times \Gamma_{2}\). Assume that all the parameters are double-precision floating-point decimals. Based on theoretical considerations, the magnitude of each parameter is 1014. Therefore, the key space is not less than \(\log_{2} (10^{308} ) \approx 1024\) bit. Even if these variables are conservatively taken from the interval [10–4, 104], the key space is greater than \(\log_{2} (10^{176} ) \approx 585\) bit. In such a case, the key space is large enough to withstand brute force attacks.

6.2.2 Keys sensitivity

In this subsection, three parameters \(\alpha_{1} ,b_{1} ,c_{2}\) are selected to estimate the algorithm key sensitivity. The compound image is encrypted using the following four groups of keys.

\(K_{0} = (\overline{\alpha }_{1} ,\overline{\beta }_{1} ,\overline{\gamma }_{1} ,\overline{\lambda }_{1} ,\overline{\mu }_{1} ,\overline{a}_{1} ,\overline{b}_{1} ,\overline{c}_{1} ,\overline{d}_{1} ,\overline{e}_{1} ,\overline{\alpha }_{2} ,\overline{\beta }_{2} ,\overline{\gamma }_{2} ,\overline{\lambda }_{2} ,\overline{\mu }_{2} ,\overline{a}_{2} ,\overline{b}_{2} ,\overline{c}_{2} ,\overline{d}_{2} ,\overline{e}_{2} ,\overline{R}_{1} ,\overline{R}_{2} )\);

$$K_{1} = (\overline{\alpha }_{1} + 10^{ - 10} ,\overline{\beta }_{1} ,\overline{\gamma }_{1} ,\overline{\lambda }_{1} ,\overline{\mu }_{1} ,\overline{a}_{1} ,\overline{b}_{1} ,\overline{c}_{1} ,\overline{d}_{1} ,\overline{e}_{1} ,\overline{\alpha }_{2} ,\overline{\beta }_{2} ,\overline{\gamma }_{2} ,\overline{\lambda }_{2} ,\overline{\mu }_{2} ,\overline{a}_{2} ,\overline{b}_{2} ,\overline{c}_{2} ,\overline{d}_{2} ,\overline{e}_{2} ,\overline{R}_{1} ,\overline{R}_{2} )$$
$$K_{2} = (\overline{\alpha }_{1} ,\overline{\beta }_{1} ,\overline{\gamma }_{1} ,\overline{\lambda }_{1} ,\overline{\mu }_{1} ,\overline{a}_{1} ,\overline{b}_{1} + 10^{ - 10} ,\overline{c}_{1} ,\overline{d}_{1} ,\overline{e}_{1} ,\overline{\alpha }_{2} ,\overline{\beta }_{2} ,\overline{\gamma }_{2} ,\overline{\lambda }_{2} ,\overline{\mu }_{2} ,\overline{a}_{2} ,\overline{b}_{2} ,\overline{c}_{2} ,\overline{d}_{2} ,\overline{e}_{2} ,\overline{R}_{1} ,\overline{R}_{2} )$$
$$K_{3} = (\overline{\alpha }_{1} ,\overline{\beta }_{1} ,\overline{\gamma }_{1} ,\overline{\lambda }_{1} ,\overline{\mu }_{1} ,\overline{a}_{1} ,\overline{b}_{1} ,\overline{c}_{1} ,\overline{d}_{1} ,\overline{e}_{1} ,\overline{\alpha }_{2} ,\overline{\beta }_{2} ,\overline{\gamma }_{2} ,\overline{\lambda }_{2} ,\overline{\mu }_{2} ,\overline{a}_{2} ,\overline{b}_{2} ,\overline{c}_{2} + 10^{ - 10} ,\overline{d}_{2} ,\overline{e}_{2} ,\overline{R}_{1} ,\overline{R}_{2} )$$

The summary of the four cipher images can be found in Fig. 8. We cannot determine the difference between the ciphertexts from the visual representations. As a result, we calculate the objective indicators between (a) and (b), (a) and (c), and (a) and (d) in order to evaluate the difference between the ciphers. As shown in Table 5, the results are summarized. As shown in Table 5, the encryption algorithm exhibits a high level of keys sensitivity.

Fig. 8
figure 8

Cipher images corresponding to the four groups of different keys

Full size image
Table 5 CCOR, SSIM, NPCR, UACI, and BACI of the ciphertexts before and after the key’s alternation
Full size table

6.3 Security of the statistic attack

6.3.1 Gray histogram

For an image encryption scheme to be secure and robust, the pixels of the ciphertext should display a uniform distribution that differs from the distribution of the plaintext. This feature is revealed by the gray histogram of the encrypted image. We plot the compound image and cipher image histograms in Fig. 9.

Fig. 9
figure 9

Histograms of plaintext and ciphertext

Full size image

As shown in Fig. 9, the gray histogram of plaintext is convex, whereas that of ciphertext is uniform and smooth. Consequently, it can be concluded that the algorithm is secure and robust in terms of gray statistical characteristics.

6.3.2 Pixels correlation

In order to generate the compound image, we randomly select 3000 pixels from the plaintext and the corresponding pixels from the ciphertext in the x-direction, the y-direction, and the direction of the line y = x, respectively. After that, we plot the distribution diagrams of pixels in Figs. 10 and 11.

Fig. 10
figure 10

Distributions of the plain pixels

Full size image
Fig. 11
figure 11

Distributions of the cipher pixels

Full size image

Figures 9 and 10 illustrate that plain pixels have an approximate ellipse distribution in the three directions, whereas cipher pixels have a decentralized and indefinite distribution. As a result, the plain pixels correlation has been effectively eliminated by the encryption algorithm.

6.3.3 Information entropy

The term entropy is used to describe the randomness and unpredictable nature of a system. Cryptography and chaos have demonstrated that the least upper bound for the entropy of an 8-bit integer image is 8. In image processing, a secure and robust encryption algorithm should be able to guarantee that the cipher entropy nearly equals 8.

In Table 6, the results of the entropies are presented. Based on these data, it can be concluded that the algorithm has good statistical properties.

Table 6 Entropies of the plain image and cipher image
Full size table

6.4 Plaintext sensitivity

\(P_{0} ,P_{0} + \Delta P,C_{{P_{0} }} ,\) and \(C_{{P_{0} + \Delta P}}\) are used to denote the plaintext images before and after the pixels alteration and the corresponding ciphertext images, respectively. We consider an encryption scheme to have plaintext sensitivity if a slight variation of plaintext pixels results in a large difference between \(C_{{P_{0} }}\) and \(C_{{P_{0} + \Delta P}}\).

Assume that \(\Delta P = 10^{ - 10}\). We calculate a number of similarity indicators between the two ciphertexts and record the results in Table 7. The results of the study indicate that the encryption algorithm is highly sensitive to plaintext attacks and secure against differential attacks.

Table 7 The similarity indicators of the two ciphertexts
Full size table

6.5 Resistance to chosen-plaintext attack

In the early days of image encryption, simple pixels scrambling or pure sequence encryption was mainly used. Several image encryption schemes are vulnerable to chosen-plaintext attacks due to their limited structure complexity and robust stability. We use a compound pattern of diffusion, scrambling, and nonlinear transformation in this work in order to ensure the structural complexity of the encryption system. It is concluded in Sect. 6.4 that this composed mode is quite sensitive to plaintext. Particularly, both scrambling and diffusion ciphers are generated using secure chaos, multiple nonlinear transforms, and plaintext-related technology. Additionally, the ciphers include random components. As a result, the algorithm's structural security has been greatly enhanced. The measures outlined above provide the algorithm with powerful barriers against the attack of the chosen-plaintext.

6.6 Comparison with other schemes

A comparison is made between the proposed algorithm and the secured performance indicators in References [9, 28, 29] and [29] in this subsection. A summary of the results can be found in Table 8. Based on the data, two indicators of our algorithm are more effective than others. Regarding the other indicators, the proposed algorithm is neither the best nor the worst. All other indicators of all schemes approximate the theoretical values quite closely. The slight differences between them have no substantive impact on the security. We rank every performance indicator as a score in order to evaluate these encryption schemes comprehensively. In general, the smaller the difference between each index and the theoretical value, the higher the score. As a general rule, 5 points are awarded for the best, 4 points for the suboptimal, and 1 point for the worst performance. Table 9 provides a detailed listing of the rating scores. Table 9 indicates that the proposed algorithm has overall comparative advantages. Particularly, the algorithm has some innovative characteristics, such as the mode of hiding image information, the application of multiple nonlinear transforms, and the composed algorithm structure.

Table 8 Performance data of different algorithms
Full size table
Table 9 Indicator scores and the comprehensive evaluation of algorithm security
Full size table

The purpose of this paper is only to simulate the encryption of conventional images, due to space constraints. Due to the fact that the encryption and decryption algorithm is implemented at the pixel level, the proposed encryption and decryption algorithm is also suitable for images in other formats or forms, including images and compressed images.

7 Conclusions

A combined image information hiding scheme is presented in this paper. We have developed a new chaos, multiple nonlinear transforms, a new diffusion mode for pixels, and plaintext-related ciphers in order to support this scheme. As a result of the application of nonlinear transforms and the mechanism of plaintext-related functions, the proposed algorithm possesses a high structural complexity. According to the results of the experiment, the new cryptosystem is capable of passing the international standard test for pseudo-random sequences. Moreover, the performance evaluations indicate that the algorithm is sufficiently secure to withstand a variety of attacks. Compared to other image encryption methods, our proposed algorithm demonstrates some local advantages and can serve as a candidate for image information hiding.

In this paper, the basic flow of the algorithm is as follows: image composition—composite image encryption—encrypted image decryption—decrypted image decomposition. The following composed encryption and decryption modes may also be considered: single image encryption—encrypted image composition—composed image decryption—image decomposition. In another paper, we will discuss the algorithm and security of this encryption mode. Furthermore, we propose a new key generation scheme and encryption algorithm based on a combination of neural network, generalized chaotic map, and nonlinear transformation. With this new idea, we hope to be able to deduce the keys of better statistical properties and to develop novel algorithms that are more secure.