1 Introduction

Living in an era of technology and communication, many researchers have to focus their attention on security issues. More and more people use the Internet and social media applications. Their personal data is placed on a world wide network at the risk of seeing their privacy invaded. Protecting our personal data has become of major importance and researchers are competing to build different algorithms that can guarantee the safety of our images in particular. Securing images can take place on two levels: a pixel level and a compression level. In this paper, we worked on a pixel level that ensures a higher level of security since every pixel is being processed and encrypted. While on the compression level, pixels are being nominated and chosen if they meet a specific predefined condition and are then subjected to encryption.

In fact, recently, a set of compression algorithms for encrypted images has been presented to enable the reduction of the size of the encrypted image such as [3739, 39]. This means that encrypting the image in pixel level is preferable ensuring a full protection. Employing the recent compression algorithms over encrypted images permits to reduce the overhead in terms of storage and communication. Based on these works, the proposed solution is presented and realized at the pixel level.

1.1 Problem

In fact, the existing symmetric-key standard encryption algorithms such as DES (Data Encryption Standard) [4] and AES (Advanced Encryption Standard) [8, 10, 32] are used for image encryption. However, the traditional techniques are defined for texts and are not suitable for multimedia contents since images and texts possess different characteristics. The intrinsic features of traditional ciphers such as AES or DES are based on applying a round function for multi-times, which requires higher execution time and more resources. This number of rounds is higher and depends on the size of the employed secret key to prevent differential and linear attacks. The reason that r is relatively high is that these algorithms have a static structure and consequently substitution and diffusion layers are known and public. This has a negative impact in terms of execution time and resources, which is a critical problem in the real-time delivery of multimedia streams [9] or for tiny devices that cannot handle high latency.

1.2 Related works

Therefore, redesigning the existing symmetric cryptographic algorithms is still in progress. Several recent approaches are presented which follow the dynamic structure which allows the number of rounds r to be reduced and makes the cipher’s substitution and diffusion processes variable and unknown to the attackers. One of these recent approaches is the chaotic one which consists of a non-linear dynamic system that apparently looks random. Because of its extreme sensitivity to intrinsic conditions, chaos was implemented extensively to build the cryptographic algorithms of digital images as in [1, 5, 7, 11, 15, 17, 28, 29, 31, 34]. Unfortunately, the majority of chaos-based encryption algorithms are not considered particularly secure, and many of them have been crypt-analyzed successfully as in [19, 20, 27, 36], because of the instability coming from the periodicity of mapping [14, 21] and the finite computing precision that makes the system defenseless against different kinds of attacks [2, 3].

Furthermore, other approaches have recently been introduced and are based on a hash function to ensure authentication, integrity and data confidentiality such as in [6, 33]. A hash function is essential because of its properties that prevent any retrieval of useful information about the secret key used. In [6], a hash function is presented and used to encrypt images. Digital images have been encrypted using the standard Secure Hash Algorithm (SHA-2) along with a compound forward transform and a password provided by the user. Another hash-key-based encryption scheme is discussed in [23], where the salsa20 hash function [13] is used to generate a dynamic secret key. Then, the resultant key is correlated later with the plain text image. Unfortunately, hash functions use floating calculation which makes the hardware implementation complicated and time consuming. Besides, using the pixels of the image itself will raise the probability of the error propagation. In other words, any small error caused by noisy channels (like wireless channels) will prevent the receiver from decrypting the image, thus making this system weak and intolerant to any small error.

To the best of our knowledge, a real, efficient and secure encryption algorithm is needed to meet the requirements of the modern multimedia applications and low cost devices. Therefore, an efficient and secure candidate that can ensure a high level of security with a low computational complexity and simple hardware implementation is necessary for recent applications such as multimedia IoT.

1.3 Contribution

The proposed approach ensures several contributions compared to the recent image encryption schemes towards attaining a high level of efficiency and security. These contributions are indicated in the following:

1.3.1 System performance

  • The proposed cipher is realized on the block level with a flexible size of blocks (n bytes) that can be adjusted according to the available memory, thus allowing it to be realized with tiny limited devices.

  • It is simple to implement in hardware or software solutions which is an important advantage to be considered in real implementations.

  • The required processes are reduced for each round iteration from two (mainly substitution then diffusion) to only one process compared to the majority of encryption schemes. In fact, the diffusion operation is applied in the first round, while the substitution operation is realized in the second round. This permits to reduce the required latency for each round.

  • A binary diffusion operation is proposed, in addition to an integer one. More important, the binary diffusion permits to reduce the execution time according to the obtained results (see page 13) from 17 to 45% in function of n (dimension of the diffusion matrix).

  • Efficient key dependent cryptographic primitives (a substitution table, a diffusion matrix, and a permutation table) are built to ensure a considerable cryptographic performance and can prove to be a real improvement in time and simplicity. This will reduce the required time needed to build these cipher layers and will simplify the hardware implementation. This is essential, since each primitive of these three has its effect and its role in making the proposed cipher scheme secure and efficient.

  • In addition, the proposed algorithm ensures the avalanche effect with an acceptable trade-off with error propagation.

1.3.2 Security performance

  • The proposed cipher scheme presents an efficient collaboration between substitution, diffusion and block permutation towards ensuring a high level of security and efficiency.

  • A block permutation operation is introduced to randomize the sequential order of chained blocks. This operation permits to complexify the procedure of possible future attacks and consequently ensures a better security level compared to the existing cipher approaches that preserve the encryption sequential order. In addition, this step requires lower latency overhead and will not degrade the previous performance contributions.

  • The dynamic key approach is employed and the key can be changed for each fixed/chosen time (defined by an application or a user) or for each input image which will render the cryptanalysis task unfeasible. The attacker’s task becomes more difficult because of the sensitivity of the unpredicted dynamic key especially if this dynamic key is changed for each input image. This will permit to ensure a high level of security against existing and modern powerful attacks.

As a conclusion, the obtained results, in terms of performance and security, prove that the proposed approach is efficient and can ensure a high level of security compared to other recent image encryption algorithms that have static or dynamic structures. Therefore, the proposed cipher can be considered as a relevant cryptographic candidate since it ensures a positive balance between system performance and security level.

1.4 Organization

The paper will be organized as follows: Section 2 shows the derivation of the special parameters needed for encryption. Then, in Section 3 the proposed encryption and decryption schemes are explained to show how the cipher works. In Section 4, the main cipher layers of encryption are detailed. They rely on key dependent substitution layer, diffusion, and permutation. Then, the algorithm is tested under extensive performance evaluation and security analysis in Section 5 to prove the robustness and efficiency of this proposal. In Section 6, the security of this algorithm is discussed. Finally a conclusion summarizes the work and future works are mentioned in Section 7.

2 Key derivation

In this section, the proposed key derivation function and its corresponding sub-keys generation scheme are presented and illustrated in Fig. 1. In fact, the cipher layers are dynamic and are changed according to this set of sub-keys. The input of this step is a secret key K and a NONCE N o (different for each input image or a fixed time) that are Xored to produce a dynamic key DK. To ensure that a different DK is produced for each different input image, the SHA-512 cryptographic hash function is chosen and it is known that it has a high degree of collision. This will introduce better strength against any powerful attacks. This dynamic key DK is the basis to form the other required sub-keys as explained in the following.

  • Secret Key K: It is a Secret Key shared only between both entities (transmitter and receiver). To provide better security, the symmetric secret key can be renewed after each periodic interval that is chosen depending on the application. Elliptic curve Diffie Hellman (ECDH) protocols can be a good candidate for this task.

  • Nonce N o : This Nonce can be produced by a pseudo random generator. Each Nonce should be used only once and should be different for every input image (or session time). Two possible techniques of generation of Nonce can be proposed: i) generated by the emitter and transmitted in an encrypted form to the receiver by employing the secret key or by employing the receiver public key. ii) The second method is to produce the Nonce at the emitter and receiver in a synchronized manner between both entities.

  • Dynamic Key DK: The secret key K will be Xored with N o and its corresponding output is hashed by employing SHA-512 to produce the dynamic key DK, which corresponds to the MAC value and it has a 512 bit length. After this, DK key is split into four sub-keys {K p , K d , K s , K i } in a way that each one of them has 16 bytes (128 bit) length. These sub-keys are described in the following.

  • Permutation sub-key K p : K p represents the first most significant 16 bytes of DK and it is used to produce a permutation table (Pb o x) that is employed during the blocks permutation process. In this solution, any key dependent permutation generation algorithm can be employed. The selection of GRP permutation algorithm [30] is done according to its simplicity in hardware or in software implementation. To ensure that a P-box has a good cryptographic performance, GRP should be iterated for multi-iteration rp and for each iteration a control parameter register is required according to [25]. This logic continues in this paper and K p is used as a seed for the famous stream cipher RC4 to generate the required r p control parameter registers. Furthermore, R C4 is not used here in the context of a stream cipher which mixes the key stream with the input plain-text. In fact, this is different since RC4 is iterated with a dynamic sub-key. This will not introduce any weakness and will not degrade the security level. Indeed, RC4 is selected here since it has the simplest hardware and software implementation and, it is the fastest one. RC4 should be iterated for \(\lceil \frac {rp\times nb}{8}\rceil \) times to form the binary control parameters.

  • Diffusion sub-key K d : K d represents the second 16 most significant bytes. K d is used also as a seed for the RC4 stream cipher to produce a sequence VA with \(lv= \frac {n}{2}\times \frac {n}{2}\times q\) bits length, where q represents the precision in bits. q is equal to 1 in the case of a binary diffusion matrix and 8 in case of the byte integer matrix. In addition, the diffusion is realized at the block level and each block has n bytes. This means that n is the dimension of the square diffusion matrix (number of bytes in a block). Therefore, RC4 should be iterated for \(nt=\frac {lv}{8}\) times. After that, VA is reshaped into a square sub-matrix called A with size \(\frac {n}{2}\times \frac {n}{2}\), which is necessary to form the square diffusion matrix G. Moreover, G can be binary or integer. In order to reduce the complexity, a binary diffusion layer is more recommended than using other layers of diffusion such as Matrix Distance Separate (MDS) as in AES or hill cipher (invertible integer square matrix). More details are given in Section 4.

  • Substitution sub-key K s : k s represents the third set of the 16 most significant bytes and it is employed to produce a dynamic substitution table (S-box). The proposed cipher can employ any key dependent substitution generation table algorithm. In fact, in this paper, a simple technique is used and it is based on the Key Setup Algorithm (KSA) of RC4, which represents its initialization step. The output of KSA is a substitution table that is employed as a dynamic S-box in the proposed approach.

  • Initialization key (K I ): K I represents the first 16 least significant bytes of DK and it is hashed by employing S H A − 512 [22], which is an un-keyed cryptographic hash function. The output hash value has 64 bytes length and it is divided into two equal parts, each one has a 32 bytes length. These two parts are considered as two initialization vectors (I V 1, I V 2) that are employed in the forward and backward chaining modes according to the proposed approach.

Fig. 1
figure 1

Dynamic Key and the requires sub-keys generation scheme. These sub-keys are employed to form the cipher layer’s

Full size image

All the notations are shown in Table 1. These steps are enough to preserve high sensitivity since a little change in the dynamic key will lead to completely different parameters in the encryption process and this is proven in Section 5. The derivation of these parameters is illustrated in Fig. 1.

Table 1 Table of notations
Full size table

3 The proposed cipher algorithm

An input image (matrix form) is introduced to the proposed cipher and its size is r × c × p, where r is the number of rows, c is the number of columns and p is the number of planes (in gray scale P=1). The number of blocks of the image is padded if necessary to be divisible into nb complete blocks and each block consists of n bytes. In the rest of the paper, n will be set to 16 and can be changed according to the needed application and the memory space. The total number of blocks is nb where \(nb=\lceil \frac {r\times c \times p}{n}\rceil \).

3.1 Encryption algorithm

The steps of the encryption algorithm are described briefly in this section and its structure is illustrated in Fig. 2.

Fig. 2
figure 2

Scheme of the proposed lightweight cipher algorithm.

Full size image

The proposed scheme is based on a secret symmetric key that is shared between the entities of the communication system. This secret key is employed to produce a set of dynamic keys and each one is employed for one or for a set of input images.

The proposed cipher is divided into two rounds and a final block permutation process. Moreover, a Forward and a Backward Chaining CBC mode are employed to reach the required cryptographic performance such as the avalanche effect in the whole image. In the first round, a linear binary diffusion process is done by using the previously mentioned diffusion matrix G (integer of binary). Whereas in the second round, a non-linear substitution operation and a global permutation are applied. To ensure high randomness and to increase the robustness of the system, pseudo-random chaining is added in both processes. Finally, global permutation will randomize the sequence of blocks as a final step and remove any relation between successive blocks. In the following, the forward and backward processes are explained.

3.1.1 Forward process

It is the first step of the encryption algorithm, and it starts from the block B 1 that should be Xored with I V 1. Then, its corresponding output will be subjected to a diffusion operation that can be based on a binary or integer diffusion matrix G. The result will be T 1 and the following equation summarizes this step for i = {1, 2, 3, …, n b}:

$$ T_{i}= G \odot (B_{i} \oplus T_{i-1} ) $$
(1)

Where, T 0 = I V 1, and ⊙ represents the diffusion operation that can be represented as an integer multiplication matrix in case of the integer diffusion and binary matrix mixing as described in Algorithm 1 for the binary diffusion operation. In this step, the diffused blocks are chained in a forward way and the process continues till the final block B n b is reached.

3.1.2 Backward process

The backward process starts after finishing the forward process. Starting from the last diffused block T n b , it is Xored with I V 2 that represents the second initial vector. Then, its corresponding output will be subjected to a substitution operation that is based on the produced substitution table S-box. The result will be C n b and the following equation summarizes this step for i = {n b, n b − 1, …, 2, 1}:

$$ C_{i}= S\odot (T_{i} \oplus C_{i+1} ) $$
(2)

Where C n b+1 = I V 2, and S represents the produced dynamic S-box. Then, the following block will be subjected to the same process, but with a difference that I V 2 will be replaced by I V 1 and with a reverse order. This means that in this step, the diffused blocks are chained in a backward way and the process continues until the first diffused block T 1 is reached.

3.1.3 Blocks permutation

After that, the output blocks {C 1, C 2, …, C n b } are subjected to a final block permutation operation. The permutation process is introduced to add randomness and to eliminate the sequential relation order among the diffused substituted blocks. Finally, permuted blocks will be reshaped into the original size of the matrix to form the encrypted image.

3.2 Decryption

Similarly to the encryption scheme, the decryption scheme consists of an inverse block permutation process using the inverse Pb o x called Pb o x −1. In addition, the corresponding two rounds are applied in a reverse order by using the corresponding inverse dynamic substitution table S-box Sb o x −1 and the inverse diffusion matrix (G −1).

As a conclusion to this section, this cipher is designed to ensure the main properties that a strong secure cipher must reach. The confusion and diffusion properties are achieved with a lower round number and fast execution time and a high level of security as validated in the coming sections.

4 Proposed cipher layers

According to the theorem of Shannon, a successful cipher should achieve the confusion and diffusion properties. Mainly, the majority of the existing standard cryptographic algorithms is based on static keys. However, until now, no standard block cipher based on the dynamic approach is proposed and standardized. In fact, the benefits of the dynamic structure are important and we believe that the modern structure of cryptographic algorithm should be dynamic. Therefore, we follow this logic and this paper is a first step towards our goal. Thus, the proposed cipher is based on a dynamic key and it is designed to be a primary step towards standardizing it as a dynamic block cipher. The objective of this paper is to explain that it is possible to define a cipher with a high security level and with a lower computational complexity.

The dynamicity is reached since all the cipher operations (layers) are variable and depend on the dynamic key as the substitution, diffusion and permutation. The dynamic key can be changed for every input image which ensures the maximum level of security. Another configuration can be realized using DK for a fixed time that means for a set of input images. This means that for a specific session time, DK is not changed. In both scenarios, the dynamicity prevents any powerful attack or prevents getting any useful information from the collected plain and cipher images.

4.1 Proposed diffusion technique

Mainly, the diffusion operation, whether integer or binary, requires an initial step which is the construction of the invertible diffusion matrix G. In this paper, an integer and binary technique to build a diffusion matrix G is proposed. The main algebraic rule for a successful diffusion matrix G is to be an invertible matrix with a determinant equal to 1 and has to have full rank.

G is based on an invertible and bijective 2D matrix form. It is represented as follows:

$$ \left( \begin{array}{cc} a & b \\ c & d \end{array}\right)\;\;\;, det(A)={a\times d- b\times c} $$
(3)

Then, if d e t(A) = 1 ⇒ a × d = 1 + b × c. To obtain the proposed structure of invertible key dependent diffusion matrix, we consider that d should be equal to a, which leads to

$${a^{2}= 1+ b c\Rightarrow bc=a^{2}-1=(a-1)(a+1).} $$

This results in b and c being equal to (a + 1) and (a − 1), respectively. Then, the form of the secret matrix will become in 2D as follows:

$$ G=\left( \begin{array}{cc} a & a+1 \\ a-1 & a \end{array}\right) $$
(4)

In the following, the dimension of diffusion matrix can be extended to n dimension for integer and then for binary one, which is a special case of the integer one. In fact, the benefit of the binary diffusion operation compared to the integer one is its simplicity in implementation in hardware or software in addition to a lower execution time.

4.1.1 Integer diffusion matrix form

It is obvious that only one parameter a is needed to build G. To form the diffusion matrix G with n dimension, a is replaced by a sub-matrix A with size \(\frac {n}{2} \times \frac {n}{2}\) as presented in the following equation:

$$ G=\left( \begin{array}{cc} A & A+I \\ A-I & A \end{array}\right)\;\;\; $$
(5)

Where I is the identity matrix and A is a non-zero square matrix of size \(\frac {n}{2} \). The elements of A can be freely chosen from any Galois field (Binary or integer) such that G is full rank.

To validate that the proposed diffusion matrix G is invertible, the following demonstration is presented.

Suppose that G is built from four sub-matrices (A, B, C, D) as shown in:

$$ G=\left( \begin{array}{cc} A & B \\ C & D \end{array}\right)\;\;\; $$
(6)

Its determinant is given by:

$$\begin{array}{@{}rcl@{}} det (G)&=& det (A) \times det (D - CA^{-1}B) \\ & =&det (A) \times det (D - C B A^{-1}) \\ &=&det(A )\times det(A- A^{2} A^{-1}+I^{2}\times A^{-1})\\ & =&det(A )\times det(A-A+A^{-1})\\ &=&det(A)\times det(A^{-1}) \\ & =&det(A \times A^{-1})\\ & =&det(I) \\ &=&1 \end{array} $$
(7)

where C × B = (A 2I 2), A 2 × A −1 = A and A −1 I 2 = A −1. Thus, the basic condition is verified and an inverse matrix G −1 can be easily calculated at the receiver side according to the following equation.

$$ G=\left( \begin{array}{cc} A & -(A+I) \\ -(A-I) & A \end{array}\right)\;\;\; $$
(8)

4.1.2 Binary diffusion matrix form

The diffusion process in the binary Galois Field requires to employ a binary diffusion matrix G which enables to reduce the required computational complexity and can consequently reduce the execution time. Here, the scheme of creation of the invertible pseudo-random binary G is described. To obtain the diffusion binary matrix form, the sub-matrix A should be binary and we need to replace the operation of addition and subtraction with the logical operation Xor. Then, the form of the binary matrix is presented below:

$$ G=G^{-1}=\left( \begin{array}{cc} A & A\oplus I_{m} \\ A\oplus I_{m} & A \end{array}\right) $$
(9)

According to [18], the calculation of the inverse binary matrix G is possible while the determinant of the binary matrix is 1 which is reached with the defined binary diffusion matrix form. Moreover, the proposed form has another advantage which is G −1 is equal to G, so the inverse matrix operation at the receiver side is not required and the same required latency of diffusion is close to the inverse diffusion one.

In Fig. 3, two examples of the different steps required to build the secret diffusion matrix G (Integer and Binary) for n = 8 are presented. In Fig. 4, a visual integer matrix G (a) and a binary one (b) are shown respectively for n = 32. While for the visual binary G, the red color means that the index is equal to zero and 1 otherwise. As seen in Fig. 5, a block can be diffused in two different ways: (a) using the integer diffusion operation that employs arithmetic operations such as addition and multiplication mod 2q, and (b) using the binary diffusion operation that requires only the logical operation XOR.

Fig. 3
figure 3

An example of constructed secret integer (a) and binary (b) matrices G for n = 8

Full size image
Fig. 4
figure 4

A visual example of a produced secret matrix G in a binary field (a) and in an integer field (b) with a pseudo random sub-matrix A for n = 32

Full size image
Fig. 5
figure 5

Integer (a) and binary (b) diffusion operation to produce a diffused element X i by employing the i th vector G i of the diffusion matrix G

Full size image

4.1.3 Binary diffusion matrix mixing operation

The input of the diffusion operation is n bytes. The diffusion process is performed on a series of n bytes B = {B 1, B 2, …, B n }, and its output is the diffused block X = {X 1, X 2, …, X n }. The relationship among an input block B of n bytes, a binary diffusion matrix G and the output block X can be described as follows:

$$ X=G \odot (B^{t}) $$
(10)

Where B and X are n −dimensional byte vectors and t is the transpose function. In addition, G is a square n × n binary matrix and it consists of n diffusion vectors {G 1, G 2, …, G n }. Each binary diffusion vector G i is represented as a sequence of independent random numbers from a binary Galois field, where G i,j is a binary diffusion coefficient of the line i and column j and i,j = 1, 2, …, n and can be equal to 0 or 1. This means that if G i,j is equal to 0, its corresponding byte j is not introduced in the diffusion process of the i th diffused byte.

The values of the different indexes in each vector (G i ) equal to 1 correspond to the byte introduced in the diffusion process. The diffused byte is the result of m xoring bytes, where the corresponding index of its diffusion vector is 1. The following listing shows the mixing algorithm (⊙) in pseudo code in Algorithm 1.

figure g

The average of the execution time for the diffusion operation is done for 250000 iteration and for different sizes of block n using “GCC” with optimization “O2” for the proposed integer and binary diffusion techniques. Therefore, the ratio between their execution times is shown in Fig. 6. The obtained results indicate that the binary approach can ensure a reduction in execution time compared to the integer one from to 17 to 45% in function of n. More important, increasing n permits to reduce more and more the execution time. This proves that the proposed binary approach is significant since it permits to reduce the execution time and consequently less latency and resources can be achieved compared to the integer diffusion operation.

Fig. 6
figure 6

The ratio time analysis between the proposed binary diffusion approach and of the integer one in function of n and for 25 0000 iterations

Full size image

4.2 Key dependent substitution operation

An important property that should be ensured during the design of a cipher system is the confusion property which is ensured by employing a substitution technique that is a non linear operation. This operation makes the algorithm immune against differential and linear attacks. The existing substitution techniques use a lookup table called an S-box or employ a nonlinear function.

In this paper, the selected technique is to use a dynamic S-box that can ensure a lower latency compared to other ones. The proposed algorithm of construction dynamic S-boxes is based on the KSA of RC4. Moreover, the KSA algorithm is stated and explained in Algorithm 2. The cryptographic performance (LPF (Linear Probability Approximation Function), SAC(Strict Avalanche Criterion), BIC (Output Bit Independence Criterion) and DPF (Differential Probability Approximation Function)) of the produced substitution table is quantified after using each element of the substitution key K s . The corresponding results are shown in Fig. 7 and clearly indicate that a good performance has been reached attained such as lower LPF, lower DPF, SAC and BIC are close to the ideal value = 0.5. In addition, the produced S-box is bijective which consequently means that the inverse S-box, S-box −1 can be obtained. Hence, it can be generated easily by the following operation S-box−1[S-box(i)] = i. Indeed, these criteria are explained briefly in the following.

  • LPF: Quantifies the nonlinear degree of a given substitution table and it must be as low as possible. The variation of LPF versus the size of sub-substitution in byte length is shown in Fig. 7a. LPF is so stable and close to the minimum value from the third iteration (LPF close to 2−4.8).

  • DPF: Quantifies the differential uniformity of a given substitution table. It must reach its minimum value and in our case it reaches the minimum in a stable value after 3 iterations according to Fig. 7b.

  • SAC: A S-box satisfies SAC whenever a single input bit is complemented, the output substituted bit should be changed at least with a probability of half. According to Fig. 7c, the SAC is attained and becomes close to its ideal value (0.5) from the third iteration.

  • BIC: Specifies that two output bits j and k should be changed independently when a single input bit i is changed. It can also be seen that BIC reached its desirable value 0.5 after two iterations according to Fig. 7d.

figure h
Fig. 7
figure 7

Variation of the average LPF (a), DPF (b), (c) SAC, (d) BIC versus the number of iterations i

Full size image

According to all these criteria, the produced dynamic S-box achieves a good cryptographic performance from the third iteration. However, to ensure a high number of unique S-boxes, the size of the dynamic substitution sub-key K s is set to 16 bytes (16 iterations and for each iteration a byte is selected) in order to reach this objective.

4.3 Key dependent permutation layer

This step consists in applying a block permutation among the diffused substituted blocks. It is designed to remove and to randomize the order relation of blocks. The block permutation operation is performed by using the produced dynamic Pb o x that has nb length. This permutation table is built based on the GRP permutation algorithm that is described in [30].

GRP is chosen here since it is known to be simple and efficient in hardware and software implementations. The pseudo-code of GRP algorithm is shown in Algorithm 3. The basic idea of GRP is to split the indexes into two groups according to a pseudo random bit sequence which is CR. If the bit in CR is 0, this index is placed in the first group. Otherwise, the element is placed in the second group. These three vectors have the same length, which will be equal to the number of blocks nb of the image. For further details about the permutation construction and realization, we can refer to [24] that describes GRP with variable control registers.

figure i

5 Statistical analysis

In order to have a strong immunity against statistical attacks, histogram and entropy analysis are performed to validate the uniformity property of the encrypted image. The correlation among the adjacent pixels of the plain and encrypted images in addition to the coefficient correlation between plain and encrypted images is also computed to check the independence property. These properties allow us to validate that the proposed cipher can ensure a high degree of randomness.

5.1 Histogram analysis

A uniform histogram for the encrypted image is necessary to ensure that this cipher meets the uniformity property. This means that each symbol has an occurrence frequency close to \(\frac {r\times c\times p}{n}\), where n is the number of symbols, r, c and p are respectively the number of rows, columns and plane of the input image. The histogram of two original plain-images (512 × 512 × 3) and their corresponding cipher images are shown in Fig. 8. It is shown that the histogram of the encrypted images is close to a uniform distribution (close to 3072).

Fig. 8
figure 8

a Original Lena a and Pepper e and its corresponding histogram (b) and (f), respectively. Encrypted Lena (c) and Pepper (g) and its corresponding histogram (d) and (h), respectively

Full size image

5.2 Information entropy analysis

The information entropy of a data sequence m is a parameter that measures the level of uncertainty [35]. Note that the entropy is expressed in q bits and it quantifies the amount of information which can be coded by a compression algorithm. The information entropy is calculated according to the following equation:

$$ H(m)= -\sum\limits_{i=1}^{2^{q}} p(m_{i})\log_{2} \frac{1}{p(m_{i})} $$
(11)

Where p(m i ) represents the occurrence probability of the symbol m i and 2q is the total number of symbols for q bits. In this paper, towards quantifying the uniformity between adjacent pixels, the entropy is selected to be calculated on the level of sub-matrix.

This test divides the image into a set of sub-matrices, where each one has a size h × h. Each sub-matrix can be considered a truly random source with uniform distribution if it has an entropy equal or close to \(\log _{2}(h^{2})\) for h 2 < 2q.

$$ H(m)= -\sum\limits_{i=1}^{h^{2}} \frac {1}{h^{2}} \log_{2} \frac{1}{h^{2}}=log_{2}(h^{2}) $$
(12)

The entropy variation of plain and cipher sub-matrices of the Lena image under the usage of a random secret key and a Nonce for h = 8 is shown in Fig. 9. It is shown that the encrypted blocks always have an entropy close to the desired value 6 (\(\log _{2}(8\times 8)=\log _{2}(2^{6})=6\)) in case h = 8. According to this, the proposed cipher ensures the uniformity and eliminates the redundancy between adjacent pixels.

Fig. 9
figure 9

The Entropy analysis for the sub-matrices of encrypted Lena image under the usage of a random dynamic key for h = 8 and b a zoom of the entropy of the encrypted image. Ent-OB and ENT-CB are the entropy of the plain and cipher sub-matrices, respectively

Full size image

5.3 Test correlation between original and cipher image

The high linear correlation between adjacent pixels must be removed after encryption which is a mandatory principal to resist statistical attacks [23, 26]. Having a correlation coefficient close to zero means that the cipher scheme ensures a high degree of randomness. The correlation test is realized by randomly taking N = 2,000 pairs of two adjacent pixels of the defined known two plain images and their corresponding cipher images. Correlation is done in three directions: horizontal, vertical and diagonal. The correlation coefficient r x y is calculated using the following equations:

$$ r_{xy}=\frac{cov (x,y)} {\sqrt{D(x)\times{D(y)}}} $$
(13)

where

$$\begin{array}{@{}rcl@{}} &&E_{x}=\frac{1}{N}\times \sum\limits_{i=1}^{N} x_{i} \\ &&D_{x}=\frac{1}{N}\times \sum\limits_{i=1}^{N} (x_{i}-E(x))^{2}\\ &&cov (x,y)=\frac{1}{N}\times \sum\limits_{i=1}^{N} (x_{i}-E(x))(y_{i}-E(y)) \end{array} $$

The obtained results for both encrypted images (Lena and pepper) are presented in Fig. 10.

Fig. 10
figure 10

Correlation in adjacent pixels in original Lena: a horizontally, b vertically and c diagonally. Correlation in adjacent pixels in ciphered Lena: d horizontally, e vertically and f diagonally

Full size image

The obtained results indicate that the correlation coefficients of a plain image in horizontal, vertical and diagonal direction are higher and close to 1 where it is very low and close to 0 for the ciphered images. This shows that the proposed cipher scheme eliminates spatial redundancy.

5.4 Difference between plain and ciphered images

The encrypted image must be different by at least 50% from the original image in the bit level. Figure 11a shows the variation of the percentage of bit difference between the plain and cipher Lena images for 1,000 random dynamic keys. According to this result, the obtained value of the percentage difference is always close to 50%, which means that the proposed cipher scheme ensures the independence. This test, in addition to the previous ones, validates that the proposed cipher ensures a high randomness degree.

Fig. 11
figure 11

a Difference between plain Lena and ciphered (D i f), b Key Sensitivity (KS), c Plain Sensitivity (PS) and d Cipher Sensitivity (CS)

Full size image

5.5 Sensitivity test

Differential attacks are based on studying the relation between two encrypted images resulting from a slight change, usually one bit difference compared to the original one. A successful sensitivity test shows how much a slight change in the original-image or in the key will affect the resulted cipher image. The higher the encryption change, the better the sensitivity of the encryption algorithm is proven. There are two types of sensitivity: a Plain Sensitivity (PS) and a Key Sensitivity (KS). A key sensitivity shows how much the plain image is affected by a one bit change in the key. The result must be a change with at least 50% in the ciphered image. In Fig. 11b, the key sensitivity versus 1,000 random keys is always close to the optimal value (50% ). This indicates that any little change in the dynamic key will certainly affect the ciphered image.

Concerning plain-text Sensitivity, a dynamic key is used and the avalanche effect of the cipher is tested. One bit in two plain images is changed and it is clear that the images differ by at least 50%. Indeed, the obtained two ciphered images are totally different as illustrated in Fig. 11c where plain sensitivity was tested for 1,000 random dynamic keys. The cost of reducing the number of rounds and latency is given, since some values are far from 50% but still in an accepted manner. Therefore, the cipher has successfully met the avalanche effect and is considered to have enough sensitivity against any change in the plain image.

In addition to that, the sensitivity of the deciphered images is also tested. Changing one bit in the decrypted images must lead into a different image from the original one. The difference test between two decrypted images is done with the LSB bit of a chosen byte changed in the ciphered image. The result obtained is at least 50% different deciphered image. Then, the proposed algorithm has also a deciphering sensitivity. The result is shown in Fig. 11d. Note that in Fig. 11, all the results are obtained with a binary diffusion matrix. The results are similar using an integer diffusion matrix.

In fact, a statistical comparison between the proposed scheme with integer diffusion operation and the approach of [12] is presented in Table 2. Based on the obtained result, we can conclude that the proposed approach achieves a similar cryptographic performance compared to [12]. In addition, in Table 3, a statistical cryptographic performance of the proposed approach with a binary diffusion operation is presented. Also, the obtained results are similar to [12]. This indicates that the binary diffusion operation preserves the required cryptographic performance and consequently it can be safely employed in the proposed cipher.

Table 2 Statistical results of [12] and of the proposed scheme by using the integer diffusion matrix for 1000 random keys with Lena as plain image
Full size table
Table 3 Statistical results of the proposed scheme by using the proposed binary modification for 1000 random keys with Lena as plain image
Full size table

5.6 Visual degradation

This test is specific for image and video contents and enables to quantify the visual degradation reached by employing the cipher scheme. In fact, the degradation operated on the encrypted image prevents the contents of an image from being recognized. To measure the visual degradation, a well known parameter is studied to measure the encryption visual quality, which is the Peak Signal-to-Noise Ratio (PSNR) [16].

Indeed, PSNR is derived from the Mean Squared Error (MSE), which represents the cumulative squared error between an original and encrypted image. A lower PSNR value indicates that there is a high difference between the original and the cipher images. In the proposed algorithm PSNR was measured between the original and the encrypted image for 1,000 random dynamic keys and is presented in Fig. 12. As shown, the mean PSNR value is 8.621 dB, which is close to the desirable value. This low value validates that the proposed encryption technique provides a high difference between the original and the encrypted image. As a conclusion, the proposed cipher scheme ensures a hard visual degradation so that no useful information can be revealed about the contents of the original image from the ciphered image.

Fig. 12
figure 12

PSNR variation between the original and the encrypted Lena image versus 1000 dynamic keys

Full size image

5.7 Propagation of errors

Error propagation is an important criterion that should be low (error is not propagated) to consider the proposed cipher as efficient. Interference and noise existing in the transmission channel are the main causes of error. However, a bit error means that a substitution of ‘0’ bit into ‘1’ bit or vice versa will take place. In the proposed algorithm, if any block is affected in an image, it will only affect its previous and next neighboring blocks. This presents an acceptable error propagation. In fact, this is the cost of ensuring the avalanche effect in the whole image.

5.8 Execution time

The main motivation of this paper is to design a lightweight cipher scheme that can reach the required level of security, with a lower execution time, and respect the time limitations of real time and reduce the required resources. In fact, a lower time of execution leads to a lower energy consumption of calculation, which is critical for limited devices that use a battery. The average calculation time (within 1,000 iterations) to encrypt the plain Lena image of size 256 × 256 × 3 is performed using the following software and hardware environment : Matlab R2013b simulator, micro-computer Intel Core i5, 3 GHZ CPU, 2 GB RAM Intel and the Microsoft Windows 7 operating system.

A comparison in execution time is done with the recent algorithm of [12], which was compared with recent cipher schemes and indicates that it can ensure a lower execution time compared to the selected recent state of the art. The average of the execution time for 1,000 iterations and for different sizes of block n is obtained for the proposed approach (integer diffusion operation) and for [12]. Therefore, the ratio between the execution time of the proposed cipher and of [12] is shown in Fig. 13. In addition, the linear interpolation of the variation of ration versus n is also calculated, and it is shown in Fig. 13-a and presented in the following equation:

$$ Ratio = -0.0013253 \times n+0.76247 $$
(14)
Fig. 13
figure 13

a the ratio time analysis between the proposed approach and the one in [12] in function of n and for 1000 iterations and b the ratio of each operation (integer diffusion, substitution, and blocks permutation) of the proposed approach

Full size image

According to this result, the proposed approach ensures a reduction in execution time from to 22 to 26% in function of n compared to [12]. In addition, increasing n permits to reduce more and more the execution time. This proves that the proposed scheme requires a lower execution time and consequently less latency and resources compared to [12]. Consequently, the execution time of the proposed cipher is lower compared to [5, 14, 17, 23, 28, 31, 35, 40]. On the other hand, in Fig. 13b, the ratio of the execution time of each operation of the proposed approach is presented. The obtained result indicates that the diffusion operation requires the higher percentage of execution time in function of n. Moreover, employing the binary diffusion operation will permit to reduce more the execution time according to Fig. 6. Therefore, and according to the previous results, the execution time is reduced to 50% for n ≥ 16 by employing the binary diffusion operation compared to [12].

6 Discussion and cryptanalysis: resistance against the well-known types of attacks

All the previous tests were carried out to prove that the proposed scheme is efficient. In this section, a brief cryptanalysis discussion is presented to validate its secure employment and to prove that it can resist the different kinds of existing attacks. Uniformity was proven by getting the histograms of the ciphered images and by applying the entropy analysis. Then, independence between plain and cipher images is verified based on the correlation test among the adjacent pixels and between the original and cipher images in addition to measuring the difference in bit level between the plain and cipher images, which is close to 50%. Therefore, the encrypted images ensure a high degree of randomness and consequently provides it with a high resistance degree against statistical attacks.

The sensitivity of the plain image is accomplished with an acceptable value (always > 45) and the avalanche effect is reached in the whole image. A small reduction in terms of avalanche effect is introduced towards reducing the execution time. However, this will not degrade the security level since the lower value of plain image sensitivity is always greater than 45%. Therefore, any change in any bit of the plain image will provide a different deciphered image.This in turn will prevent chosen/known plain/cipher image attacks.

The sensitivity of secret and dynamic key in addition to a Nonce is attained and any change in any bit of these parameters provides a different cipher image on the emitter side or a different decrypted image on the receiver side with a 50% changed, which is a very satisfying result. These results validate that the proposed scheme can resist the related key attacks.

On the other hand, the size of the secret key can be 128, 196, and 256 bits as AES and the size of the dynamic key and Nonce are 512 bits, which are sufficient enough to protect the proposed cipher against the brute force attacks.

More important, the proposed dynamic key approach played a massive role in making this scheme more secure compared to the existing and modern powerful attacks. In addition, the variation of the secret key permits to overcome the problem of accident key disclosure.

This discussion will enable the proposed cipher to be considered as a good candidate for lightweight modern image encryption.

7 Conclusion

Our aim was to ensure a better security level and to meet the limitations of modern multimedia applications and low cost devices that are used today with limited resources. Therefore, the objective of this paper is to propose an efficient and robust lightweight cipher candidate that can ensure lower latency for the real time applications and to reduce the required resources for the low cost devices.

In contrast with the existing image encryption ciphers, the proposed scheme uses the substitution and diffusion only once but in two different rounds towards reducing the required latency and resources and without any degradation in the level of security.

In this paper, the proposed cipher is based on the dynamic key approach which permits to produce a dynamic key for each validate time (session) or for each input image (depending on the configuration). Then, based on this dynamic key, a set of sub-keys are obtained to produce the required dynamic initialization vectors, substitution and permutation tables in addition to a diffusion matrix, which are the basic elements of the proposed dynamic cipher scheme. Furthermore, the structure of the proposed cipher employs two different round functions using the CBC operation mode in forward and backward directions. After that, a block permutation operation is applied to randomize the sequential order of blocks. This operation permits to complicate the procedure of possible future attacks. Furthermore, the first round employs a dynamic diffusion operation that can be an integer or binary, while the second round uses a substitution operation. Therefore, both rounds permit to ensure the confusion and diffusion properties. In addition, the advantage of employing the CBC with forward and backward directions is to achieve the avalanche effect in the whole image.

Extensive tests were done to prove that the proposed candidate ensures the desired cryptographic performances. As a conclusion, due to its flexibility, high security as well as fast execution time achieved, it can be considered as a good cipher candidate. This cipher can compete with the available image cryptographic algorithms that can ensure image data confidentiality and privacy in real implementations for modern applications.