Image encryption using permutation generated by modified Regula-Falsi method

Abstract

Transmission and sharing of multimedia data have drastically increased in the last few years due to the availability of low-cost image capturing devices, development of communication technology, and the popularity of social networks. However several security fissure of a public network such as the Internet has made the jobs of eavesdroppers easy to grab the contents without any impediment. Well-known cipher techniques like DES, AES, RSA can be used to encrypt an image. But, due to the huge volume and high correlation of image data, a lightweight image encryption method is important. Permutation-based encryption methods disrupt the correlation and can act well with huge volumes. Chaos theory is proved to generate pseudo-random sequences and is extensively used to define permutation. A wide range of image encryption proposals based on the permutation defined by the chaotic map is found in the literature. Several non-chaotic techniques are also gaining popularity for defining a permutation. An image encryption proposal based on a non-chaotic method is presented in this current communication. The permutation is defined by the modified Regula-Falsi method and image encryption is achieved by pixel value substitution and iterative addition with the cyclic shift. As the result of the proposed method, fully noisy images are obtained. Security analysis has proved immunity against different attacks. Comparison with state-of-the-art methods has established the applicability of the proposed technique in image encryption.

1 Introduction

Introduction Image transmission through Internet can be found in diverse fields like medical image transmission, sharing personal photographs in social media, confidential military archives, enterprises and storage systems, etc. The tremendous growth in Internet and web technology, availability of image capturing devices, and moreover popularity of social media have provided wings to image transmission. But the transmitted images may be accessed easily by some eavesdroppers through several security fissure of communication channels and those may be exposed to illegal distribution, forgery, etc. To deal with the challenges, different encryption techniques like DES, AES, RSA, IDEA can be thought of for image encryption. These techniques are mainly designed for text data encryption. Since images have bulk amount of data so we need to design a lightweight image encryption technique [1, 2]. Image carries a high correlation among adjacent pixels and scrambling it at pixel or bit-level reduces the correlation and a noise-like image is produced. The scrambling can be performed by a permutation defined from a pseudo-random (PR) sequence. Permutation-based image encryption can handle redundancy, high volume of data and provides speed, less computational overhead than data encryption techniques [3].

Image encryption enters into the research scenario with the SCAN language-based data and image encryption proposal by Bourbakis et al. [4]. The image encryption proposal by Kuo [5] is based on pixel distortion. In earlier image encryption methods, encryption techniques were applied to the compressed image to get faster encryption. Some of the proposals have used quadtree [6], linear quadtree [7], Fourier transform [8] etc. to perform image encryption over compressed image.

Image encryption using permutation alters pixel/ bit positions to generate a noise-like image. The permutation must guarantee randomness and high key sensitivity. For this reason, chaos theory has established itself as an alternative choice for image encryption. “The present determines the future, but the approximate present does not approximately determine the future”- is a well-used phrase for chaos theory as a totally different sequence is generated by a little change of the initial parameter/s. Chaos theory has established itself in the area of cryptography with the encryption proposal of Robert Matthews [9]. Permutation of pixel position using chaotic map changes the pixel position and a noise-like image is produced. A number of image encryption techniques [10,11,12,13,14] have employed pixel permutation. Encrypted image generated by pixel permutation has the same histogram as the original and can easily come under the grip of chosen-ciphertext and chosen-plaintext attacks [15,16,17]. In bit-level permutation (BLP), the image is considered as a binary string and permutation is performed at bit level. This changes the pixels’ gray value and histogram attack can be prevented. A number of image encryption proposals [15, 18,19,20,21,22,23,24,25] using bit-level permutation are available in literature. Image as the single binary string is of large size and defining permutation at bit level is time consuming [19]. Several methods have defined bit-level permutation in different ways. Zhu et al. [26] have decomposed the image into eight bitplanes and eight cat maps are used independently to permute the bitplanes. In [27], the plaintext image is decomposed into bitplanes and a bitplane image is taken as a key for XOR operation with the other bitplanes. A scrambling operation of the XORed bitplanes followed by merging to pixel produces an encrypted image. A double cyclic shift is used for bit-level permutation in [23] and it is performed at the pixel level. The amount of cyclic shift is governed by the Henon map. In adaptive image encryption [28], the bitplanes are arranged into two groups, one having bit 1, 2, 7, and 8 and the remaining to another. The hash value of one group is used to permute the bits on the other group in turn using the chaotic map.

In value substitution, a gray value is replaced by another value and it incorporates an extra level of security in image encryption. In [29] pixel value substitution is performed at the time domain where the permutation is defined by the Bernoulli map. 2D sine logistic map is used in [30] to perform value substitution and a faster encrypted image can be obtained. In cryptography, a substitution box, well known as S-Box is a type of symmetric key encryption system to perform the substitution. Adopting substitution mechanism in block cipher obscures the relationship between key used and the ciphertext received. A plenty of proposals [31,32,33,34,35,36,37] have adopted S-Box in image encryption.

The development of IoT in the healthcare system requires medical images to be transmitted. The images often used in medical fields; like MRI, Ultrasound sonography, X-ray, etc. contain sensitive medical information which are required to be protected from access by wrong hands while transmitting through a public channel like the Internet. Some recent proposals on medical image encryption are addressed in [38,39,40,41,42,43,44,45].

In recent years DNA encoding has become a prior choice for image encryption. There are four bases A, C, G, and T in a single-strand DNA sequence, where A and T are complements to each other, so are C and G. In binary 00, 01, 10, and 11 are used to represent A, C, G, and T respectively as 00 and 11, 01 and 10 are complementary. From it the number of coding combinations is 4! = 24. Due to complementary relation, only eight kind of coding combination is achievable. These coding sequences are used to encode 8-bit binary pixels. In recent years, a wide application of DNA encoding and Genetic algorithms are noticed in image encryption proposals [46,47,48,49,50].

Though chaos theory is well accepted in research communities for image encryption; but several non-chaotic methods are also getting popular to generate PR sequence and which are further used in image encryption. Good results are obtained by these non-chaotic techniques, and some of the proposals even give better results than the chaos-based image encryption method. Some of the non chaotic image encryption techniques like Grey code based [51], Rubik’s cube principal based [52], prime factorization based [53], circle property based [54], binary tree traversal based [55], cyclic group based [56], interval bisection of polynomial function [57] are available in literature.

It is a proven fact that chaotic maps generate the pseudo-random sequences, thus image encryption based on the permutation defined by pseudo-random sequence generated by chaotic map will return good results. In [54,55,56,57] authors have addressed non-chaotic image encryption methods. Using a non-chaotic method the first step is to generate a sequence and to prove it random. This article is pillared on the modified Regula-falsi method to generate the pseudo-random sequence. Generated random sequences have been used in pixel permutation and in pixel value modification. In pixel value modification, the pixel substitution is followed by iterative addition with a cyclic shift operation. High key sensitivity, large keyspace, minimized correlation coefficient, immunity from differential attack, etc. have shown that the proposed technique is robust and secure in comparison to some state-of-the-art image encryption techniques.

The rest of the article is structured as follows. The classical Regula-Falsi method is discussed in Section 2. Permutation generation using modified Regula-Falsi method and the proposed image encryption technique using the permutation is presented in Section 3. Experimental results are introduced in Section 4. Security analysis of the proposed technique is performed in Section 5. Finally, Section 6 draws the conclusion.

2 Regula-Falsi method

The Regula-Falsi method or false position method is used to find an approximate root of a univariate continuous function g(x). In addition to the function g(x), the method requires two boundary values, \(a_1\) and \(a_2\), such that the condition \(g(a_1)\times g(a_2)< 0\) is maintained. In each iteration a straight line S is defined joining the points (\(a_1, g(a_1)\)) and (\(a_2, g(a_2)\)). The approximate root \(x_{new}\) is the point of intersection of S and the X-axis. If \(\vert g(x_{new})\vert\) is very close to zero, then \(x_{new}\) may be consider as an approximate root. So, if \(\vert g(x_{new})\vert\) is less than a predefined margin of error \(\tau\), the process terminates and \(x_{new}\) is returned as the approximation of the root. If not, the process is continued. In that case, if \(g(a_1)\times g(x_{new}) < 0\), then \(x_{new}\) replaces \(a_2\), otherwise, \(a_1\) is replaced by \(x_{new}\) - hence the plausible range where the root lies is narrowed down in each iteration. Algorithm 1 discusses the classical Regula-Falsi method.

The Regula-Falsi method is described with an example. A polynomial \(g(x) = 3x^3 -6x^2 + 7x +3.2\) with boundary points \(a_1\)=-1.5 and \(a_2\)=2 (as \(g(-1.5) \times g(2)\) = -531.910) and a threshold margin of error \(\tau\) =0.001 is considered. The newly obtained values in each iteration approaches to the original root as presented in Fig. 1. A straight line joining (\(a_1=~-1.5,~g(a_1)=-30.925\)) and (\(a_2=~2,~g(a_2)=17.2\)) is drawn in the first iteration. This is intersected by the X-axis at the point \(x_{new}=0.749\), where the polynomial takes a value of g(0.749) = 6.337. Since the points (\(-1.5, -30.925\)) and (0.749, 6.337) lie on opposite sides of the X-axis, \(a_2\) takes the value 0.749. Hence the possible range of the root is narrowed down from (\(-1.5, 2\)) to \((-1.5, 0.749)\). By this process in further iterations the plausible range where the root lies is narrowed down. Figure 1 presents four such iterations which clearly signifies that the root is being capsulized within smaller range in each iteration.

Fig. 1

Plot of six successive steps in Regula-falsi method

Let \(X_{seq}\) be the sequence generated by sequentially appending the fraction value of the function g(x) at intersection points \(x_{new}\). In other words, \(X_{seq}(i)\) is the value \(|g(x_{new})|\) - \(\lfloor |g(x_{new})|\rfloor\), received from g(x) at intersection point of the straight line with X-axis, drawn in the \(i^{th}\) iteration. Since the range (\(a_1, a_2\)) gets narrowed down in each iteration, the sequence \(X_{seq}\) asymptotically converges towards the root. Hence, the sequence of intersection points \(X_{seq}\) is a convergent sequence, and cannot be considered for long length pseudo random sequence.

3 Proposed method

An image encryption technique based on pseudo-random (PR) sequence generated by the modified Regula-Falsi (MRF) method is addressed in this article. The backbone of the proposed technique is the permutation generated from the PR sequence. The following subsection elaborates the PR sequence generation technique.

The rapid convergence of the Regula-Falsi method towards the root is clearly signified in Fig. 1. The proposed image encryption technique presented in this paper uses a permutation generated by the modified Regula-Falsi method. A PR sequence is required to define the permutation. The various stages of the encryption technique are illustrated in Fig. 2.

Fig. 2

Block diagram of the proposed technique

3.1 Modified Regula-Falsi method (MRF) and PR sequence generation

In this technique a polynomial g(x) of degree two or more along with two seed points \(a_1\) and \(a_2\) such that \(g(a_1) \times g(a_2)< 0\) are taken as input. Other requisite inputs are a real value r and the PR sequence length L. No margin of error \(\tau\) is considered, to give it the freedom to iterate as many times as necessary, in order to produce a sequence of the desired length.

In this method two values \(m_1\) and \(m_2\) are computed using the fraction part of r. The formula of computation of \(m_1\) and \(m_2\) are swapped in subsequent iteration. Between the points (\(a_1, m_1 \times y_1\)) and (\(a_2, m_2 \times y_2\)) a straight line S is considered in each iteration (like the classical Regula-Falsi method) where initial values of \(y_1\) and \(y_2\) are \(g(a_1)\) and \(g(a_2)\), respectively. In each iteration, the straight line S is intersected to the X-axis at some point let (\(x_{new}, 0\)). The fraction part of \(g(x_{new})\) contributes to the generated sequence. The process is iterated L times to produce sequence of length L. Algorithm 2 illustrates this process.

With the help of \(m_1\) and \(m_2\), the value of \(y_1\) and \(y_2\) are changed in each iteration in Algorithm 2. It may be noted that due to the change in \(y_1\) and \(y_2\) (i.e. \(y_1=m_1 \times y_1\) and \(y_2=m_2 \times y_2\)), the points \((a_1,~y_1)\) and \((a_2,~y_2)\) move vertically up or down without changing the sign. So, the negativity condition remain same and it ensures the existence of the root within \((a_1,~y_1)\) and \((a_2,~y_2)\). The step by step sequence generation process upto \(4^{th}\) iteration using the polynomial \(g(x) = 3x^3-6x^2+7x+3.2\), with \(a_1\) = -1.5, \(a_2\) = 2 and r=0.75 is presented diagrammatically in Fig. 3. The detailed presentation with the values of \(x_{new}\), \(g(x_{new})\) and the terms of Seq upto \(5^{th}\) (\(L=5\)) iteration are tabulated in Table 1.

Fig. 3

Successive steps of modified Regula Falsi algorithm upto \(4^{th}\) iteration

Table 1 Intermediate representation of different values in the sequence generation by Algorithm 2 upto first 5 iterations for \(3x^3-6x^2+7x+3.2\)

To test the randomness of the MRF method, we consider six polynomials among which two are with degree two, three, and four. The test polynomials with the parameters are given in Table 2. The test polynomials are represented by \(P_{ij}\):\(i \in \{2, 3, 4\}\) and \(j \in \{1, 2\}\), where \(P_{ij}\) is the \(j^{th}\) polynomial with degree i. Two types of randomness tests i) NIST randomness test [58] and ii) Dieharder randomness test [59] are performed over the sequence generated by the taken polynomials with respective initial parameters. For each case, 100 binary sequences each of length \(10^6\) bits are taken.

Table 2 The set of polynomials taken in generating sequences for randomness test

The results are marked as ‘Pass’ and ‘Fail’ (written as ‘P’ and ‘F’) for NIST and ‘Pass’, ‘Weak’ and ‘Fail’ (written as ‘P’, ‘W’ and ‘F’) for Dieharder test. The obtained results of both the tests for all the polynomials are presented in Tables 3 and 4 respectively.

Table 3 NIST Randomness Test results of MRF method over different polynomials

Table 4 Dieharder Randomness Test results of MRF method over different polynomials

It is clear from the results shown in Tables 3 and 4 that the sequences generated by Algorithm 2 have passed the randomness tests for all the polynomials. It is to be noted that the sequences generated by \(2^{nd}\) degree polynomial have failed certain tests of NIST and give ‘Weak’ results for Dieharder. In the literature, there are many tests to check the existence of certain patterns in the given sequence. These tests are used to comment whether the sequence is non-random or not, i.e., if the test fails (when a certain pattern is detected) then the given sequence is non-random. Even if all the tests are passed then also we cannot make the comment that the given sequence is random. But, it may be expected that the sequence is ‘possibly a random’ sequence. Using NIST and Dieharder tests (in total 17+30 = 47 tests) we check the existence of certain patterns in the given sequences. But, the sequences pass all the tests (except the sequences generated from \(2^{nd}\) degree polynomials. which are failed to pass certain (two) tests of NIST and Dieharder). We may assume that the sequences, which are generated from the polynomials of degree three or more, are free from the presence of certain patterns. Therefore, we may consider that the sequences generated from the polynomial of degree three or more for further experimentation.

3.2 Encryption technique

The proposed image encryption technique contains two phases a) Substitution Phase b) Iterative Addition with circular shift

The backbone of the proposed encryption technique is the pseudo-random sequence received from Algorithm 2.

In the first phase, permutation Per is generated from the PR sequence produced by Algorithm 2. The permutation is used to substitute the gray value of a pixel with another gray value. In the second phase, iterative addition with circular shift makes the image fully encrypted. Figure 2 presents the block diagram of the proposed image encryption technique.

3.2.1 Substitution phase

The gray value of a pixel is replaced by another gray value in the substitution phase. This can be achieved by permutation Per. The construction of Per starts with generating a sequence Seq of length(L) 256 (=\(2^8\) for 8 bit grayscale image) using Algorithm 2. The permutation Per is received from the sequence Seq by sorting.

In the actual substitution phase, each pixel of the image Img is replaced by a value. A substitution index index and the permutation Per are computed for each location from the pixel of the original image. Each pixel of the original image is substituted by Per[index] to produce the substituted image \(Img_{sub}\). Algorithm 3 describes the substitution phase.

3.2.2 Iterative addition with cyclic shift

In the substitution phase, for a given row i, all occurrences of pixel value p shall be replaced by a particular gray value q. However, for some other row l, such that \(l \bmod 256 \ne i \bmod 256\), the value p shall be replaced by a value r, different from q. To achieve more security, iterative addition with cyclic shift phase is performed.

The iterated addition with cyclic shift phase is an iterative process, carried out in row-wise fashion on image I. Here a permutation Per of length h is defined from the sequence generated in Algorithm 2. The pixels of substituted image \(Img_{sub}(i,j)\) is defined to \(Img_{acs}(i,j)\) with the help of Per and pixel of \(Img_{acs}\) computed one step earlier. Iterative addition with cyclic shift is iterated a number of times let \(itr_1\) to make it sensitive to any change (Avalanche effect). Iterative addition with cyclic shift operation is presented in Algorithm 4.

4 Experimental result

Twelve 8 bit grayscale images of size \(512 \times 512\) are considered in this experiment. There are 8 standard test images ‘Baboon’, ‘Barbara’, ‘Cameraman’, ‘House’, ‘Jetplane’, ‘Lake’, ‘Lena’, ‘Pepper’. The test set also contains two special grayscale images, one is ‘Checkerboard’ (contains 50% white and 50% black pixels) and a constant image ‘Black’ (having only black color). To have some test results over medical images we have included ‘Chest X-RAY’ and ‘Brain MRI’ into the image set. The test images are shown in Fig. 4.

Fig. 4

The test images for experimental purpose

For the comparison purpose of the proposed technique with some recent proposals we have considered four techniques namely Diaconu et al. [20], Zhang et al. [31], Kumar et al. [60] and Kandar et al. [56] scheme. The first three techniques are chaos-based methods whereas the last one is a non-chaotic technique.

The proposed encryption method consists of two techniques ‘substitution’ and ‘iterrative addition with cyclic shift’ and for that two pseudo-random sequences of length 256 and h (the height of the original image) respectively are required to be produced using Algorithm 2. Two separate key sets in form of {\(g(x),a_1, a_2, r, itr_1\)} are needed to generate those sequences. In this experiment, we have produced a sequence of length \((256+h)\) from the same set of keys for simplicity. As mentioned earlier, for the experimentation purpose we have taken polynomials of degree three and four. The polynomials with initial parameters are given in Table 2.

The experimental results over eight images namely ‘Baboon’, ‘Cameraman’, ‘Lena’, ‘Peppers’, ‘Black’, ‘Checkerboard’, ‘Chest X-RAY’ and ‘Brain MRI’ are presented in Fig. 5. It is to be noted that the substituted images (received from Algorithm 3) and final encrypted images (received from Algorithm 4) are presented under headings ‘Substituted’ and ‘Encrypted’ in Fig. 5. From the experimental results, it is found that there is some hazy row-wise line in the substituted images (mainly in Cameraman, Black, Checkerboard, Chest X-RAY, and Brain MRI). These are coming due to row-wise replacement of the same gray value by some other gray value. Whereas fully noisy images are noticed for the final encrypted images from which no visual information about the original image can be received. For the case of two medical images, noise-like images are received in encrypted versions. Even the black and checkerboard images are received as noisy in the encrypted version. From the results, the proposed image encryption technique can be marked as a good one.

Fig. 5

Substituted and Encrypted images

To compute the execution time, we consider images with different sizes (\(128 \times 128\), \(256 \times 256\), \(512 \times 512\) and \(1024 \times 1024\)), derived from the test images by downsampling and upsampling (repetition of rows and columns). The test was performed in a 2.3 GHz Intel core i5 processor system, using MATLAB R2018b. The average execution times of the encryption technique for each category grouped by size are reported in Table 5. The proposed method is fast in execution as reflected by the table.

Table 5 Average encryption time of images of different sizes

5 Security analysis

There must exist some degree of robustness of an encryption technique so that it becomes really difficult to an attacker to recover sensitive information related to the plaintext from the encrypted one. Some standard matrices and statistical tests described in the following subsection are applied to measure the robustness and security of the image encryption techniques.

5.1 Secret key space

Keys play a trivial part in PR sequence generation. PR sequence can be generated easily if the keys are compromised somehow. This results in the retrieval of the original image. Limited key space makes the process easily vulnerable to the attacker using brute force attack, to prevent which a good encryption technique must have a sufficiently large keyspace.

For the proposed technique; the polynomial function g(x), two seed points \(a_1\), \(a_2\) and a real value r define the key space. Number of iteration \(itr_1\) of iterative addition with cyclic shift is also considered as a key. Two separate polynomials can be used in generating sequences for substitution and iterative addition with cyclic shift phase. As a simplified approach we have maintained g(x), \(a_1\), \(a_2\) and r same to produce all the PR sequences required. A polynomial g(x) can be represented in two ways. i) By \((cof_i, exp_i)\) for \(1 \le i \le k\) where cof denotes coefficient, exp denotes exponent and k is the number of terms or by ii) \((m +1)\) coefficients where m denotes the degree of the polynomial. If each term is represented by 64 bit floating point, then the key space will be \((2k + 3)\times 64 +3\) bits or \((m + 1 + 3) \times 64 + 3\) bits (inner ‘+3’ is for ‘\(a_1\)’,‘\(a_2\)’ and ‘r’. Outer ‘+3’ is for \(itr_1\)). The large key space makes it tough for an attacker to correctly form the polynomial g(x) and the seed values using brute force attack.

5.2 Information entropy analysis

Information entropy E of a message M is computed as

$$\begin{aligned} E(M) = \frac{1}{N}\sum \limits _{i=1}^{N}p(M_i)log_2\frac{1}{p(M_i)} \end{aligned}$$

(1)

Here the probability of symbol the \(M_i\) contains in the message M is denoted by \(p(M_i)\). N represents a total number of symbols. Maximum attainable entropy is 8 of an 8-bit grayscale image. The maximum entropy value denotes each gray value with equal probability. Whereas, a certain degree of exposer to the original is signified by an entropy value less than 8.

Table 6 presents the information entropy of the original and encrypted images. The table reflects that for all test images the information entropy is very near to 8 in their encrypted version. This signifies uncertainty of the proposed technique in an unknown platform, so it can be marked as secure.

The proposed method is compared with the four earlier mentioned techniques in terms of information entropy and the results are listed in Table 7. It is noted that the average results for ‘Lena’, ‘Baboon’ and ‘Peppers’ are considered for the comparison. It is observed that the performance of the proposed technique is as close to the state-of-the-art methods.

Table 6 Information Entropy of original images and their encrypted versions

Table 7 Information Entropy analysis

5.3 Key sensitivity analysis

The key sensitivity of an image encryption technique can be measured in two ways - from the encryption point and from the decryption point.

1. i)

   From an encryption point of view, image encryption is marked as sensitive if two completely different encrypted images are produced with a slide change of the encryption key.

2. ii)

   From the decryption point of view, an image encryption technique is marked as sensitive if a noise-like image is produced, in choosing a slightly changed decryption key.

Key sensitivity is measured by the percentage of changed pixels in the two encrypted or the two decrypted images. In the proposed method the keys are the seed points \(a_1\) and \(a_2\), a real value r and number of iteration \(itr_1\). For key sensitivity analysis, the change is made only to \(a_1\) and r but the polynomial g(x) and number of iterations \(itr_1\) are kept unaltered for simplicity. The test configuration for key sensitivity analysis of the technique is presented in Table 8

Table 8 Test configuration for key sensitivity analysis

1. I.

   (i) ‘Lena’ image is encrypted to \(I'\) and \(I''\) using polynomial \(3x^3-6x^2+7x+3.2\) with keys \((-1.5,~2,~0.75)\) and \((\boldsymbol-\mathbf1\boldsymbol.\mathbf{5000001},\;2,\;0.75)\) respectively. It is found that \(99.598694\%\) pixels are different while comparing I and \(I''\). Two encrypted images, the difference image \((I'' - I')\) and its corresponding histogram are shown in Fig. 6b to e.

2. II.

   (ii) ‘Lena’ image is encrypted to \(I'\) and \(I''\) using polynomial \(3x^3-6x^2+7x+3.2\) with keys \((-1.5,~2,~0.75)\) and \((-1.5,\;2,\;\mathbf0\boldsymbol.\mathbf{75000001})\) respectively. It is found that \(99.608612\%\) pixels are different while comparing I and \(I''\). Two encrypted images, the difference image \((I'' - I')\) and its corresponding histogram are shown in Fig. 6b, f to h.

3. III.

   (i) ‘Lena’ image (I) is encrypted to \(I'\) using polynomial \(3x^3-6x^2+7x+3.2\) with keys \((-1.5,~2,~0.75)\). \(I'\) is decrypted to \(I''\) using keys \((\boldsymbol-\mathbf1\boldsymbol.\mathbf{5000001},\;2,\;0.75)\). It is found that \(99.605179\%\) pixels are different while comparing ‘Lena’ and \(I''\). Figure 6a, b and i present respectively the original, encrypted and decrypted image (using slidely different key) .

4. IV.

   (ii) ‘Lena’ image (I) is encrypted to \(I'\) using polynomial \(3x^3-6x^2+7x+3.2\) with keys \((-1.5,~2,~0.75)\). \(I'\) is decrypted to \(I''\) using keys \((-1.5,\;2,\;\mathbf0\boldsymbol.\mathbf{7500001})\). It is found that \(99.621963\%\) pixels are different while comparing ‘Lena’ and \(I''\). Figure 6a, b and (j) present respectively the original image, encrypted image and decrypted image (using slidely different key).

The results for the key sensitivity of the image encryption technique for all the polynomials of degree 3 and degree 4 are listed in Table 9. It can be remarked from the obtained results that the proposed method is sensitive to any change of the key.

Table 9 Key sensitivity of ‘Lena’ image for degree 3 and degree 4 polynomials

5.4 Statistical attack

Digital image contains a number of correlated pixels. The statistical weakness of a cryptosystem is the key target of an attacker in a statistical attack. In image encryption, mainly two types of statistical attack are the point of a target for an attacker.

1. i)

   Histogram attack, where the difference of the original image histogram and the encrypted image histogram is observed and ii) correlation coefficient analysis, where correlation coefficient of original and encrypted images are analyzed.

Fig. 6

Key sensitivity analysis

5.5 Histogram attack

The histogram represents the frequency of occurrence of distinct pixel intensity values of a digital image graphically. Some statistical information - mainly the tonal distribution of the original image may be revealed from the histogram. A histogram having equal or least variation of the frequency of pixels does not disclose useful information about the original image. Thus a flat or nearly flat histogram is desirable for a good image encryption technique. The histograms of the original and final encrypted images of ‘Lena’, ‘Baboon’, ‘Cameraman’, ‘Peppers’, ‘Checkerboard’, ‘Black’, ‘Chest X-RAY’ and ‘Brain MRI’ are presented in Fig. 7. It is observed from Fig. 7 that the encrypted images’ histograms are nearly unvarying and are different from that of the original versions. It can be remarked from the results that the proposed technique is competent in resisting histogram attacks.

5.6 Correlation coefficient analysis

The original image bears a high correlation among the neighboring pixels- taken in a horizontal, vertical, or diagonal direction. The goal is to minimize the adjacent pixels’ correlation of an image encryption technique. A standard image encryption algorithm is marked as good if correlation nearly equal to zero is obtained for the encrypted images. The correlation coefficient of an image is calculated using (2). Many encryption techniques available in the literature have used position permutation at pixel and/or bit-level to reduce correlation. In the proposed method this is achieved by pixel substitution and iterative addition with the cyclic shift method.

$$\begin{aligned} r_{X,Y}= & {} \frac{\frac{1}{N}{(\sum _{i=1}^{N}(x_i-E(X))(y_i-E(Y))}}{\sqrt{D(X)*D(Y)}}\nonumber \\ D(X)= & {} \frac{\sum _{i=1}^{N}(x_i-E(X))^{2}}{N}\nonumber \\ E(X)= & {} \frac{\sum _{i=1}^{N}(x_i)}{N} \end{aligned}$$

(2)

Fig. 7

Histograms of Original and encrypted image

For the experiment, 1000 random locations are selected for each of the test images. Correlation coefficients of the original and its corresponding encrypted images are computed using (2) for the same randomly selected pair of pixels in each direction for each case. Due to randomly selected pixel pairs, correlation coefficients do not come the same in each run for any particular image. Here the average of absolute correlation coefficients received from ten trials for each of the test images and its corresponding encrypted images in horizontal, vertical, and diagonal direction are presented in Table 10. It is noted that the results listed in Table 10 are from encrypted images using polynomial \(P_{31}\) (due to space problem the results achieved using all the polynomials are not listed. The results for all the cases are nearly equal to the results presented). From the data listed in Table 10 it is clear that the original image holds a higher correlation coefficient, whereas its encrypted form has a correlation coefficient nearly equal to zero. The acceptance of the proposed method is signified from the obtained results.

Figure 8 shows the scatter diagrams of horizontally, vertically and diagonally adjacent pairs for ‘Lena’, ‘Baboon’, ‘Cameraman’, ‘Peppers’, ‘Checkerboard’, ‘Black’, ‘Chest X-RAY’ and ‘Brain MRI’ with their encrypted images achieved from polynomial \(P_{31}\). Diagonally densely populated dots in the case of the original image signify higher correlation whereas scattered dots over the area for the encrypted images reflect very low or no correlation. Thus the scatter diagrams indicate a good performance of the scheme.

For comparison purposes, we have computed the average correlations with respect to the polynomials \(P_{31}\), \(P_{32}\), \(P_{41}\), \(P_{42}\) and same set of selected pixels. This average result is reported in Table 11. Comparison of the proposed technique with the state-of-the-art proposals reflects the better performance of the proposed methods in most of the cases than the existing methods as displayed in Table 11.

5.7 Differential attack

To find the nature of the encryption algorithm, an attacker makes a small change of the original image; even a single bit and feeds both the original and the modified images in the encryption algorithm separately. This technique is called differential attack. Number of Pixel Change Rate (NPCR) and Unified Average Changing Intensity (UACI) as denoted in (3) are the widely used techniques to measure the influence of differential attack. Here \(I_1\) is the encrypted image obtained from the original and \(I_2\) is from the modified image. The ideal value of NPCR is 100% and that of UACI is 33.33%.

Table 10 Correlation coefficient of original and encrypted images using \(P_{31}\)

Table 11 Correlation coefficient analysis

$$\begin{aligned} NPCR(I_1, I_2)= & {} \frac{1}{w*h}*\sum \limits _{i=1}^{h}\sum \limits _{j=1}^{w}D(i,j)*100\nonumber \\ UACI(I_1, I_2)= & {} \frac{1}{w*h*255}*\sum \limits _{i=1}^{h}\sum \limits _{j=1}^{w}\vert I_1(i,j) - I_2(i,j) \vert * 100\nonumber \\ D(i,j)= & {} {\left\{ \begin{array}{ll} 1, &{} \text {if } I_1(i,j) = I_2(i,j)\\ 0, &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

(3)

Here the LSB of the last pixel of the original image is changed to generate a modified image and both of them are passed through the encryption algorithm for each of the test images. NPCR and UACI are calculated over the pair of encrypted images. From the results listed in Table 12 it is clear that the NPCR and UACI values are very close to the ideal values. This signifies the immunity of the proposed schemes against differential attacks.

Fig. 8

Scatter diagram of original and encrypted images using \(P_{31}\)

To have more test analysis ‘Lena’ image is modified to five different images only by changing LSB of first [(0,0)], middle [(256, 256)], last [(512,512)] and two random locations [(50, 450), (490, 10)] pixels values. The results of NPCR and UACI received using polynomial \(P_{31}\) are presented in Table 13. The comparative analysis of average NPCR and UACI of the proposed technique with the state-of-the-art methods reflects better performance in most of the cases as presented in Table 14.

Table 12 NPCR and UACI of the test images by modifying LSB of last pixel

Table 13 NPCR and UACI values of encrypted Lena image using \(P_{31}\) for five modified pixel position

Table 14 Comparison of plaintext sensitivity of proposed method with state-of-the-art techniques

5.8 Different attack model for cryptanalysis

For any encryption technique, it is assumed that the intruder has complete knowledge about the encryption algorithm but does not have information about the key used. S/He tries to compromise the encryption system by different types of attack models such as

1. i)

   Ciphertext only attack

2. ii)

   Known plain text attack

3. iii)

   Chosen plaintext attack

4. iv)

   Chosen ciphertext attack

In this subsection, the immunity of the proposed encryption system is discussed against the kind of attacks.

1. i)

   Ciphertext only attack: In this attack, the intruder has access only to the ciphertext (may access from the transmission channel) and from that, it tries to retrieve the plaintext or key information. The noisy cipher image along with its entropy, correlation, and histogram indicates that the cipher image is a kind of random image. So, nothing can be guessed about the plaintext image from the cipher image. The attacker will fail to get key information as the size of the keyspace is significantly large.

2. ii)

   Known plaintext attack: In this kind of attack, the attacker has gained (maybe from some previous communication) some plenty amount of plaintexts and its corresponding ciphertexts. From those, it tries to get information of the key used or tries to retrieve the plaintext from the currently captured ciphertext. The proposed technique is highly sensitive to the key (see Fig. 6) and has immunity against differential attack (see Table 12). Thus from the acquired information of plaintext, ciphertext of earlier communications it is hard to retrieve the plaintext of current communication.

3. iii)

   Chosen plaintext attack: Here the attacker has temporary access to the encryption system and it tries with some combinations of plaintext and ciphertext to find a match with the received ciphertext. The proposed technique has a large keyspace (see Section 5.1), thus the brute-force attack will fail. The attacker may try to use some temporary vectors like the permutation used in Algorithm 3 and/or Algorithm 4. The permutation used in Algorithms 3 and 4 have 256 and h (height of the image) entry thus 256! and h! different combination of permutations are there respectively. To successfully retrieve the plaintext, the attacker has to opt \(256! \times h!\) different trails. It is infeasible for an attacker to opt for the trails in some bounded time frame even by using a supercomputer having the capacity of calculation \(2^{80}\) instructions per second.

4. iv)

   Chosen ciphertext attack: It is the same as (iii), but here the attacker has temporary access to the decryption algorithm and it tries with some possible combination of ciphertext (or some possible combination of keys on ciphertext) to retrieve the plaintext. This technique will fail due to the large keyspace and a huge number of trials of the permutations.

From the above discussion, it can be concluded that the proposed technique has resistance against different attacks of cryptoanalysis.

6 Conclusions

An image encryption proposal using a non-chaotic technique is presented in this paper. Modified Regula-Falsi method is used to generate a pseudo-random sequence which is further applied to ‘define permutation in the image encryption technique. Pixel value substitution and addition with the cyclic shift are used to encrypt an image. The technique requires only \((256+h)\) length sequence where h is the height of the image. Good experimental results in terms of noise like encrypted images provide evidence of good performance. From security analysis, it is found that the proposed method is secure against different kinds of attacks. Comparison of the proposed technique with state-of-the-art methods signifies its acceptability as an image encryption technique.