1 Introduction

With the rapid development of network communication and multimedia technology, information exchange and sharing are more and more frequent. In the meantime, the situation of information security becomes increasingly severe. As the main information carrier, images account for more than 70% of the total amount of daily information. Under a variety of security threats, image encryption has become an important issue. In recent years, image encryption methods [11, 23, 29] mainly represented by chaotic encryption algorithms have attracted extensive attentions, and many important researching results have been achieved.

Adopting sequence diffusion transform, pixels 8-bit decomposition and chaotic scrambling, Zhu, Zhang, Wong et al. [33] constructed the bit-plane scrambling encryption scheme (2011). Applying DNA coding and Chen hyper-chaotic system, Wei, Guo, Zhang et al. [25] discussed DNA image encryption method (2012). Using the chaotic encryption system of three-dimensional Arnold map, Kanso and Ghebleh [13] performed a hybrid algorithm for gray images direct encryption (2012). Combing public key cryptosystem with mixed reality technology, Amalarethinam and Geetha [3] provided a new image encryption scheme (2015). Based on chaotic map, Liu, Sun and Zhu [17] put forward a fast image encryption algorithm (2016). On the basis of block scrambling and dynamic index based diffusion, Xu, Guo, Li et al. [26] proposed a novel chaotic image encryption algorithm (2017). Utilizing SPIHT coding and Chirikov standard map, Fu, Chen, Zou et al. [9] studied a selective compression encryption of images (2017). By means of DNA sequence operations, Chai, Chen and Broyde [4] suggested a novel chaos-based image encryption algorithm (2017).

Since 2012, the chaotic digital image encryption related to plaintext has received special attentions. Because part of the plaintext data is added to the cipher generating pattern, this method enhanced the security of the cryptogram, and thus, highlighted the characteristics of one time pad for encryption. Zhang [27, 28] is one of the early scholars to study the chaotic image encryption associated with the plaintext. He proposed a chaotic cipher system using plaintext data, and suggested a perfect image encryption mode of diffusion-scrambling-diffusion. These works laid a solid foundation for further research. After this, other researchers have developed a series of related studies. Using reverse 2-dimensinal chaotic map and dependant diffusion, Zhang, Wong, Yu, et al. [30] constructed a new image encryption scheme (2013). Based on hash function, Norouzi, Seyedzadeh, Mirzakuchaki et al. [19] designed an image encryption scheme with only two-round diffusion process (2014). On the basis of eight dimensional chaotic cat map, Ganesan and Murali [10] researched image encryption (2014). Adopting temp-value feedback technique, Zhang, Hu, Liu et al. [31] proposed a chaotic image encryption algorithm (2014). Utilizing chaotic and lookup table, Cheng, Yang, Wei, et al. [6] provided a fast image encryption method (2015). Applying chaos and Langton’s Ant cellular automation, Wang and Xu [24] put forward a novel image encryption scheme (2015). For medical applications, Kanso and Ghebleh [14] formed an efficient and robust image encryption algorithm (2015). By the aid of chaos maps with Markov properties, Liu, Li, Zhang et al. [16] studied a novel image encryption algorithm (2015).

In general, a secure image encryption system should have the following characteristics [21, 29]: First, the key space is large enough, and the key length is not less than 128bit. Second, the system is sensitive to the key, plaintext, and ciphertext. Third, the ciphertext has statistical properties similar to noise. Fourth, the cryptosystem can effectively resist various types of attacks. Fifth, the encryption and decryption algorithms are efficient and effective. To meet these requirements, some problems should be taken seriously. Firstly, only the encryption scheme related to the keys cannot effectively defend the selected plaintext attack and the known plaintext attack. The research on the algorithm both related to the keys and to the plaintext should be highly valued. Secondly, the traditional chaotic transformation is limited in variety and easy to crack. It is necessary to discuss the new chaotic map to encrypt image. Thirdly, the research of the combination of multiple mathematical methods for the generation of cryptogram should be accelerated.

It is worth pointing out that, as early as 1979, Shamir [22] put forward a key sharing method based on Lagrange interpolation, which opened the applied research of interpolation polynomial in cryptography. In 2012, Akif [2] comprehensively applied Lagrange polynomial, quadtree technology, and RC4 standard to image encryption and achieved good security results.

Using Lagrange interpolation [18], generalized Henon map, matrix nonlinear operations, and the random functions in Matlab [15], we construct a novel image encryption scheme related to plaintext. From the perspective of mathematics, our work focuses on expanding the application of algebraic interpolation, irreversible chaotic map and non-linear transformation in image processing. In view of practical technology, this paper provides a candidate of image encryption method.

The paper consists of the following main parts: The first part introduces the concepts of algebraic interpolation, Lagrange polynomial, and the generating of interpolation cryptographic matrix. The second part constructs a generalized chaotic map based on Henon map [23], and gives the method of the chaotic cipher sequence. The third part discusses three types of matrix nonlinear transformations. The fourth part describes the algorithm in details. The fifth part carries out the encryption simulation. The sixth part gives the performance and security evaluation of the proposed algorithm, and compares the effects of the algorithm with those of other algorithms. The seventh part summarizes the full paper.

2 Algebraic interpolation, Lagrange polynomial and interpolation cipher

2.1 Algebraic interpolation and Lagrange polynomial

Definition 1

Suppose that the continuous function y = f(x) is defined on the interval [a, b]. At the n + 1 different points xi ∈ [a, b], i = 0, 1, ⋯, n, f(x) satisfies f(xi) = yi. If there is a n ‐ th degree polynomial Pn(x) which satisfies Pn(xi) = yi, then Pn(x) is called the n ‐ th degree algebraic interpolation of f(x). The function f(x) is known as the interpolated function. The points xi are the interpolating nodes. And, [a, b] is the interpolation interval [18].

The basic theory of numerical analysis has proved that the solution of algebraic interpolation is existing and unique. Lagrange polynomial [18] is one of the most common solutions, which is denoted as follows:

$$ {P}_n(x)={y}_0{l}_0(x)+{y}_1{l}_1(x)+\cdots +{y}_n{l}_n(x)=\sum \limits_{k=0}^n{y}_k{l}_k(x), $$
(1)

where, li(x) are the n − th bases of Lagrange polynomial, which are defined as follows:

$$ {l}_i(x)=\frac{\left(x-{x}_0\right)\cdots \left(x-{x}_{i-1}\right)\left(x-{x}_{i+1}\right)\cdots \left(x-{x}_n\right)}{\left({x}_i-{x}_0\right)\cdots \left({x}_i-{x}_{i-1}\right)\left({x}_i-{x}_{i+1}\right)\cdots \left({x}_i-{x}_n\right)}=\prod \limits_{\begin{array}{c}i=0\\ {}i\ne j\end{array}}^n\frac{\left(x-{x}_i\right)}{\left({x}_j-{x}_i\right)},i=0,1,\cdots, n. $$
(2)

As we known, the bases li(x) satisfy the following Kronecker equation:

$$ {l}_i\left({x}_k\right)=\left\{\begin{array}{c}1k=i\\ {}0k\ne i\end{array}\right.. $$
(3)

In practice, either the quadratic or the cubic Lagrange polynomials are the most widely used. They are respectively expressed as follows:

$$ {P}_2(x)={y}_0{l}_0(x)+{y}_1{l}_1(x)+{y}_2{l}_2(x), $$
(4)
$$ {P}_3(x)={y}_0{l}_0(x)+{y}_1{l}_1(x)+{y}_2{l}_2(x)+{y}_3{l}_3(x). $$
(5)

2.2 Lagrange interpolation cipher sequence (matrix)

Suppose that the grayscales matrix is Ghk = (gij)hk, i = 1, 2, ⋯h, j = 1, 2, ⋯k, h, k ∈ N; It is easy to convert this matrix into a row vector L1 × (hk). After using the internal function ‘rand’ or ‘randn’ [15] in Matlab to generate the n + 1 random integers xj, j = 0, 1, ⋯n on the interval [1, h × k], we normalize xj to double precision floating decimals on the interval [0, 1] by the equation \( \tilde{x}_{j}=\left({x}_j-1\right)/\left(h\cdot k-1\right) \), and record the corresponding pixels by yj. And then, by means of the interpolating notes \( \left(\tilde{x}_{j},{y}_j\right) \) and Eq. (4), we construct Lagrange polynomial Nn(x), where, \( x\in \left[a,b\right],a=\mathit{\min}\left(\tilde{x}_{j}\right), \) and \( b=\mathit{\max}\left(\tilde{x}_{j}\right). \) Furthermore, we uniformly take the samples xi, i = 1, 2, ⋯hk from the interval [a, b], compute the corresponding Nn(xi), and rearrange Nn(xi) into the matrix Khk. Thus, we achieve the interpolating cipher matrix Khk.

In encryption practice, the parameter n, which is the degree of the Lagrange polynomial, can be regarded as an optional key.

3 Henon map, generalized Henon map and chaotic cipher

3.1 Henon map

Henon map [23] is one of the commonly used chaotic systems for image encryption. It is defined as follows:

$$ \left\{\begin{array}{l}x\left(k+1\right)=1-a\cdot {x}^2(k)+y(k)\\ {}y\left(k+1\right)=b\cdot x(k)\end{array}\right., $$

where, the parameters a, b are free variables. When 0.54 < a < 2, 0 <  ∣ b ∣  < 1, the system is in a hyper chaotic state with two positive Lyapunov exponents. So it is suitable for a cryptogram generating system.

3.2 GHM

Based on Henon map, we construct a novel map named as GHM (Generalized Henon Map), which is expressed as follows:

$$ \left\{\begin{array}{l}x\left(k+1\right)=1-a\cdot {x}^2(k)+b\cdot x(k)\cdot y(k)+c\cdot y(k)\\ {}y\left(k+1\right)=d\cdot x(k)\end{array}\right., $$
(6)

where, the parameters a, b, c, d are system variables. It is not hard to proved that this map has one positive Lyapunov exponent when 0.54 < a < 2, 0 <  ∣ b ∣  < 1, 0 <  ∣ c ∣  < 1, 0 <  ∣ d ∣  < 1, so it can be used to generate cipher codes.

Considering that the subsequent contents do not involve the inverse of GHM, we do not discuss the inverse of GHM here.

4 Matrices nonlinear transformation based on dot power operation

Suppose that the original image is P = (pij)h × k, where, pij ∈ [0, 1] are pixels grayscales. The dot power of a matrix [15] is the power operation objected to the elements of the matrix, it is defined as follows:

$$ P.\hat{\mkern6mu} m={\left({\left({p}_{ij}\right)}^m\right)}_{h\times k}, $$
(7)

where, .^ is the operator of dot power, and m ∈ R.

Let A1, A2, A3 and A4 be the nonzero matrices with the size of h × k, the first type nonlinear transformation (FTNT) of the matrix P is expressed as follows:

$$ {P}_1={f}_1(P)={a}_1\left({b}_1\cdot P+{c}_1\cdot {A}_1\right).\hat{\mkern6mu} {d}_1+{e}_1\cdot {A}_2, $$
(8)

where, the parameters a1, b1, c1, d1, e1 ∈ R+ are optional.

Similarly, the second type nonlinear transformation (STNT) and the third type nonlinear transformation (TTNT) are respectively defined as follows:

$$ {P}_2={f}_2(P)={a}_2\left({b}_2\cdot P+{c}_2\cdot {A}_3\right).\hat{\mkern6mu} {d}_2, $$
(9)
$$ {P}_3={f}_3(P)={a}_3\cdot P.\hat{\mkern6mu} {b}_3+{c}_3\cdot {A}_4, $$
(10)

where, the variables a2, b2, c2, d2, a3, b3, c3 ∈ R+ are candidate.

Perform the inverse operations of Eqs. (8), (9) and (10) respectively, we can obtain:

$$ P={f^{-1}}_1(P)=\left(\left(\left({P}_1-{e}_1\cdot {A}_2\right)/{a}_1\right).\hat{\mkern6mu} \left(1/{d}_1\right)-{c}_1\cdot {A}_1\right)/{b}_1, $$
(11)
$$ P={f_2}^{-1}(P)=\left(\left({P}_2/{a}_2\right).\hat{\mkern6mu} \left(1/{d}_2\right)-{c}_2\cdot {A}_3\right)/{b}_2, $$
(12)
$$ P={f^{-1}}_3(P)=\left(\left({P}_3-{c}_3\cdot {A}_4\right)/{a}_3\right).\hat{\mkern6mu} \left(1/{b}_3\right). $$
(13)

In addition, for the known nonzero matrix Mhk, the F transformation of Mhk is denoted as follows:

$$ F(M)={M}_{hk}- floor\left({M}_{hk}\right), $$
(14)

where, the symbol floor is the rounding function of Matlab. If we consider Cd = floor(Mhk) as a constant matrix (called the third cipher matrix), then we can easily derive the inverse of F transformation as follows:

$$ M=F(M)+{C}_d. $$
(15)

5 Plaintext related image hybrid encryption algorithm

5.1 Pixels diffusion using GHM

Using GHM in Eq. (6) to generate the chaotic sequence C1 × (hk), we rearrange it into the matrix C1 with the size of hk. Performing FTNT in Eq. (8) among the known matrices P,C1 and the random matrix R1, we obtain the following result:

$$ {P}_1={a}_1\left({b}_1\cdot P+{c}_1\cdot {C}_1\right).\hat{\mkern6mu} {d}_1+{e}_1\cdot {R}_1. $$
(16)

And then, we rearrange P1 into a row vector to form the first cipher sequence \( \overset{\sim }{C} \), convert the plaintext P into a row vector \( \overset{\sim }{P} \), and successively implement the forward and backward diffusion algorithms between the vector \( \overset{\sim }{P} \) and \( \overset{\sim }{C} \). The diffusion calculations are accomplished by the following XOR operation [29]:

$$ {Ct}_i={Ct}_{i-1}\oplus {C}_i\oplus {P}_i,i=1,2,\cdots hk, $$
(17)
$$ {Ct}_i={Ct}_{i+1}\oplus {C}_i\oplus {P}_i, hk, hk-1,\cdots 1. $$
(18)

Where, the matrix Ct is referred to as the diffused image. The initial value of Ct0 in Eq. (17) and that of Cthk in Eq. (18) come from the keys. The symbol ⊕ denotes the operator of XOR.

In this stage, the parameters a, b, c, d, a1, b1, c1, d1, and e1 are the alternative keys.

5.2 Pixels scrambling based on Lagrange interpolating cipher

For the diffused result Ct, we apply Lagrange interpolation in Eq. (4) to deduce the second cipher matrix Khk. After carrying out STNT in Eq. (9) between Ct and Khk, we acquire the matrix as follows:

$$ Ct={a}_2\left({b}_2\cdot Ct+{c}_2\cdot {K}_{hk}\right).\hat{\mkern6mu} {d}_2. $$
(19)

Furthermore, we sort the row vector \( \overline{Ct} \) derived from \( \overset{\sim }{Ct} \) by the inner function randperm in Matlab, and record the number of the elements in \( \overline{Ct} \) before and after sorting as Iold and Inew, respectively. For the row vector \( \hat{Ct} \) converted from Ct, we firstly sort it by Inew, and then, rearrange the sorted result into the matrix \( \overset{\frown }{Ct} \) with the size of hk. Thus, we obtain the scrambled image \( \overset{\frown }{Ct} \).

In this stage, both the variable n and the parameters a2, b2, c2, d2 are optional keys.

5.3 The encryption based on TTNT

Performing TTNT in Eq. (10) between the scrambled image \( \overset{\frown }{Ct} \) and the random matrix R2, we obtain the following result:

$$ {Ct}_f={a}_3\cdot \overset{\frown }{Ct}.\hat{\mkern6mu} {b}_3+{c}_3\cdot {R}_2. $$
(20)

For the matrix Ctf, we implement the transformation in Eq. (14) to achieve:

$$ {Ct}_F={Ct}_f- floor\left({Ct}_f\right). $$
(21)

At this point, the encryption process is completed. The matrix CtF is the final encrypted image.

In this stage, the parameters a3, b3 and c3 serve as keys. The third cipher matrix Cd is interpreted as a procedural cryptogram.

5.4 Decryption algorithm

The image decryption can be fulfilled in opposite order by performing the inverse transformations and operations. By means of Eqs. (15) and (13), we successively transform the encrypted image CtF into the matrices CtF1 and CtF2. Using CtF2 to form a row vector, we rearrange the vector according to Iold, and then change the result into the matrix CtF3 with the size of hk. Thus, the scrambling decrypted image is gotten by the matrix CtF3. Furthermore, we convert CtF3 into the row vector CT, and carry out the inverse operation of forward and backward diffusing algorithms by following two equations:

$$ {P}_i={CT}_{i-1}\oplus {CT}_i\oplus {C}_i,i=1,2,\cdots hk, $$
(22)
$$ {P}_i={CT}_{i+1}\oplus {CT}_i\oplus {C}_i,i= hk, hk-1,\cdots 1. $$
(23)

And then, we rearrange the result into the matrix P0 with the size of hk. The matrix P0 is the expected diffusion decryption image, and it is also the final decrypted image.

It should be specially noted that, in the process of encryption and decryption, there is a specific matching between the various operations and the data types. If necessary, the conversion between the double precision data and 8-bit integer data should be executed in time to satisfy the requirements of the calculations.

5.5 Algorithm description

5.5.1 The encryption algorithm

The encryption algorithm includes the following steps:

  1. Step 1

    Image preprocessing

  • 1 Convert the original image into the pixels gray matrix Phk.

  1. Step 2

    Diffusion encryption

  • 2 Set the parameters a, b, c, and d respectively, generate the chaotic sequence C1 × (hk) using Eq. (6), and rearrange C1 × (hk) to the matrix C1 with the size of hk.

  • 3 Apply the function rand of Matlab to form the matrix R1 with the same size of Phk.

  • 4 Assign the parameters a1, b1, c1, d1, and e1 respectively. Perform FTNT among the matrices Phk,C1 and R1 to obtain the matrix P1.

  • 5 Rearrange P1 into the first cipher sequence \( \overset{\sim }{C} \), and covert Phk into a row vector P. For the vectors P and \( \overset{\sim }{C} \), successively implement the operations in Eqs. (17) and (18) to infer the vector Ct, and then change Ct into the matrix Cthk.

In this step, a, b, c, d and a1, b1, c1, d1, e1 are candidate keys and the matrix Cthk is the diffused image.

  1. Step 3

    Scrambling encryption

  • 6 Form the second cipher matrix Khkby Eq. (4), and carry out SINT in Eq. (19) between Cthk and Khk to deduce the matrix \( \overset{\sim }{Ct} \).

  • 7 Convert \( \overset{\sim }{Ct} \) into the row vector \( \overline{Ct} \), sort \( \overline{Ct} \) using the function randperm of Matlab, and record the elements number of \( \overline{Ct} \) before and after sorting as IoldandInew, respectively.

  • 8 Change Cthk into the row vector \( \hat{Ct} \), rearrange \( \hat{Ct} \) according to Inew, and transform the result to the matrix \( {\overset{\frown }{Ct}}_{hk} \).

In this step, the candidate keys include a2, b2, c2, d2, n. The matrix \( {\overset{\frown }{Ct}}_{hk} \) is the scrambled image.

  1. Step 4

    Encryption using nonlinear transformation

  • 9 Use the function rand to generate the random matrix R2, and perform TTNT in Eq. (20) between \( {\overset{\frown }{Ct}}_{hk} \) and R2to derive the matrix Ctf.

  • 10 Utilize the third cipher matrix Cd to implement the transformation in Eq. (21) to receive the matrix CtF. The matrix CtF is the final encrypted image.

In this step, the parameters a3, b3, c3 are optional keys. The matrix CtF is the final encrypted image.

5.5.2 The decryption algorithm

Based on the encrypted image CtF, the decryption process can be fulfilled as follows:

  1. Step 1

    Decryption of nonlinear transformation

  • 1 Convert the matrix CtF into the matrix CtF1 by performing the transformation in Eq. (15), and implement the transformation in Eq. (13) to achieve the matrix CtF2.

  1. Step 2

    Scrambling decryption

  • 2 Transform CtF2 into a row vector, rearrange the vector according to Iold, and then change the rearranged result into the matrix CtF3 with the size of hk.

  1. Step 3

    Diffusion decryption

  • 3 Rearrange CtF3 to the row vector CT, successively implement the transformations in Eqs. (22) and (23), and then rearrange the operating result into the matrix P0 with the size of hk.

Thus, we obtain the final decrypted image presented by the matrix P0.

5.6 The diagram of the proposed algorithm

The process of encryption and decryption are now demonstrated in Figs. 1 and 2, respectively.

Fig. 1
figure 1

The encryption diagram

Full size image
Fig. 2
figure 2

The decryption diagram

Full size image

6 Encryption simulation

The original images are downloaded from the website of BSD-S500 [8], and all of the experiments are conducted under the MATLAB 2016b integrated environment. The software is run on the platform with Intel Core (TM) i7 CPU (2.4 GHz), 8.0-GB RAM, and 64-bit operating system Win7.1.

The sizes of the three experimental images Tiger, Pilots, Pyramid are 342 × 512, 512 × 342, and 684 × 1024 pixels, respectively. The encryption and decryption algorithms are run in the key space of Ω1 × Ω2 × Ω3 = (a, b, c, d, a1, b1, c1, d1, e1) × (n, a2, b2, c2, d2) × (a3, b3, c3).

Figures 3, 4 and 5, respectively exhibit the encrypted and decrypted results of the three sample images, where, a = 1.2, b = 0.5, c = 0.8, d = 0.314, n = 3, a1 = 20, b1 = 3, c1 = 2.5, d1 = 0.5, e1 = 4, a2 = 2, b2 = 3, c2 = 2, d2 = 4, a3 = 30, b3 = 2, c3 = 3. In these figures, (a) denotes the original image; (b) shows the encrypted image of (a); and (d) presents the recovered image of (b).

Fig. 3
figure 3

The encrypted and decrypted result of the image Tiger

Full size image
Fig. 4
figure 4

The encrypted and decrypted result of the image Pilots

Full size image
Fig. 5
figure 5

The encrypted and decrypted result of the image Pyramid

Full size image

From these figures, we observe that the cipher images are messy and rambling, so the attackers could hardly obtain any useful information from the ciphertexts.

In order to evaluate the encryption and decryption effect of the algorithm objectively, we calculate the absolute values of PSNR (Peak-Signal to Noise Ratio) and SSIM (Structural Similarity) between the encrypted images and the original ones, as well as those between the decrypted images and the original ones. The data are shown in Table 1. Where, P01, S01 present the PSNR, the SSIM between the encrypted image and the original one, respectively; P02, S02 indicate the PSNR, the SSIM between the decrypted image and the original one, respectively.

Table 1 The PSNRs and SSIMs of different images
Full size table

The data shown in Table 1 prove that the algorithm can achieve good encryption and decryption effects. In addition, after performing the decryption algorithm on the decrypted images, we obtain the same results as the original images. Hence, we confirm that the proposed algorithm is a lossless encryption method.

7 Encryption performance analysis and security

In this section, we discuss several performance indicators of the proposed algorithm such as the time consuming and space occupying of the algorithm, the size of the key space, the statistical properties of the images, key sensitivity, plaintext sensitivity, etc. These indexes objectively reflect the efficiency and security of our scheme.

It is necessary to explain that, since the numerical calculations and random factors are involved in the algorithm, there may be differences in analysis data obtained from different experimental rounds, but these differences in quantity have nothing to do with the final conclusions.

7.1 Time and space consumption of the algorithm

For the five images selected from large scale datasets [1, 7, 8] with the sizes of 32 × 32, 256 × 256, 342 × 512, 512 × 512 and 1024 × 684 pixels, respectively, we record the average running time of the algorithm after 500 times tests. The results are shown in Table 2. In addition, the total amount of encoding, the size of the files and the storage spaces are also listed in this table. The data indicates that the algorithm takes up limited system resources and has high operating efficiency. Note that, since the running time of the algorithm is related to the computer system configuration and the coding volume and the storage space are subject to programming languages, the data in Table 2 is not absolute and just for reference.

Table 2 Time and space consumption of the proposed algorithm
Full size table

According to the data in the table, we fit out the encryption and decryption time curves using quadratic polynomial. The results are demonstrated in Fig. 6. In the integrated environment of Matlab 2016b, the memory occupied by running the encryption and decryption files of this size can be neglected, while the memory occupied by the platform is approximated to 560 MB. Thus, the system resources used by the encryption scheme are limited. A conventionally configured personal computer can meet this demand.

Fig. 6
figure 6

The fitting curves of encryption and decryption time

Full size image

7.2 Resistance to the brute force attack

7.2.1 Keys space

The set of all possible values of the keys is called the key space. It is one of the important indexes to measure whether an image encryption algorithm can resist brute force attack or not. For 8 bit integer images, the applied cryptography has affirmed that the secure key space of an encryption algorithm should be not less than 128 bit. Otherwise the encryption scheme will be broken by exhaustive search to get the secret keys in a limited amount time.

As mentioned above, the key space of the proposed algorithm is Ω1 × Ω2 × Ω3. If all of the parameters are taken as double precise decimals, then they should be set to be O (10−14). So the key space of the algorithm is not less than log2(10238) ≈ 790bit. In the encryption practice, the conservative range of the parameters is [10−4, 104], so the key space is not less than log2(10136) ≈ 451bit. Such a key space is large enough to ensure the algorithm to resist the brute force search for secret keys. In addition, the key space of the proposed algorithm is obviously larger than those of the algorithms in [5] (about 144 bit) and [20]. This indicates that the proposed algorithm is more secure than the later two with respect to resistance to brute force attack.

7.2.2 Keys sensitivity

Keys sensitivity is another important index to measure the ability of an algorithm to resist brute force attacks. In general, using two sets of keys with small difference to encrypt the same plain image, if we obtain two cipher images which have great difference, we consider that the encryption algorithm is sensitive to the keys. Obviously, the more sensitive the algorithm is to the keys, the higher the security of the algorithm.

As mentioned above, the keys of the proposed algorithm include: a, b, c, d, a1, b1, c1, d1, e1, n, a2, b2, c2, d2, a3, b3, c3. Without loss of generality, we chose the parameters a, b1, c2, and c3 for key sensitivity testing. For each parameter, we set the variation as 10−10, and let

$$ {\displaystyle \begin{array}{l}{K}_0=\left(a,b,c,d,{a}_1,{b}_1,{c}_1,{d}_1,{e}_1,n,{a}_2,{b}_2,{c}_2,{d}_2,{a}_3,{b}_3,{c}_3\right);\\ {}{K}_1=\left(a+{10}^{-10},b,c,d,{a}_1,{b}_1,{c}_1,{d}_1,{e}_1,n,{a}_2,{b}_2,{c}_2,{d}_2,{a}_3,{b}_3,{c}_3\right);\\ {}\begin{array}{c}{K}_2=\left(a,b,c,d,{a}_1,{b}_1+{10}^{-10},{c}_1,{d}_1,{e}_1,n,{a}_2,{b}_2,{c}_2,{d}_2,{a}_3,{b}_3,{c}_3\right);\\ {}{K}_3=\left(a,b,c,d,{a}_1,{b}_1,{c}_1,{d}_1,{e}_1,n,{a}_2,{b}_2,{c}_2+{10}^{-10},{d}_2,{a}_3,{b}_3,{c}_3\right);\\ {}{K}_4=\left(a,b,c,d,{a}_1,{b}_1,{c}_1,{d}_1,{e}_1,n,{a}_2,{b}_2,{c}_2,{d}_2,{a}_3,{b}_3,{c}_3+{10}^{-10}\right).\end{array}\end{array}} $$

Applying the parameter values used in Section 6, we respectively encrypt the image Tiger using the keys K0, K1, K2, K3, and K4. The ciphertexts are shown in Figs. 1c, and 7a, b, c, and d, respectively. And also, the difference figures between Figs. 7a, b, c, d and 1c are exhibited in Figs. 6e, f, g, and h, respectively. Furthermore, we calculate some objective comparison indexes between the later four ciphertexts and the first ciphertext. These indexes include the correlation coefficients, SSIM, NPCR (Number of Pixels Change Rate), UACI (Unified Average Changing Intensity) and BACI (Block Average Changing Intensity), which are fully listed in Table 3.

Table 3 Correlation, SSIM, NPCR, UACI and BACI of the ciphertexts before and after the change of the keys
Full size table

As can be seen in Fig. 7, while keeping other parameters constant, a small change in one key resulted in a great difference in ciphertexts. This shows that the proposed encryption scheme is quite sensitive to the key. Meanwhile, Table 3 reveals that the correlations and SSIM are almost zero, and the other indexes approach to the ideal values. Thus, we conclude that the algorithm has strong ability to resist exhaustive attack.

Fig. 7
figure 7

The ciphertexts of the slightly varied ciphers and the difference images

Full size image

7.3 Resistance to the statistic attack

7.3.1 Gray histogram and gray surface

Generally, the gray distribution of the ciphertext obtained by a robust encryption algorithm should be uniform, which is usually reflected in the ciphertext gray histogram. Meanwhile, another intuitive tool, the gray surface, can be either used to reveal this phenomenon. The gray surface is a spatial graphics, in which the pixels coordinates constitute a plane grid, and every pixel grayscale denotes the altitude of each vertex for the grid. Corresponding to the uniformity of the gray histogram, the gray surface should put up the shape of equal height almost everywhere.

Figure 8 shows the gray histograms of the plaintext and ciphertext for the three experimental images. Figure 9 is the corresponding gray surfaces.

Fig. 8
figure 8

Gray histograms of plaintext and cipher images

Full size image
Fig. 9
figure 9

Gray surfaces of plaintext and cipher images

Full size image

Figure 8 reveals that the gray histograms of the plaintexts have a large fluctuation, whereas those of the ciphertexts are flat and uniform. This means the statistical attacks are impossible. Meanwhile, the same conclusion can be drawn from the gray surfaces in Fig. 9.

7.3.2 Pixels correlation

In general, the pixels of a plain image with clear meanings have a certain correlation, but an effective and safe encryption algorithm can successfully eliminate this correlation. That is, the pixels correlation of the corresponding cipher image is uncertain.

Taking the image Tiger as an example, we now discuss the pixels correlation of the plaintext and ciphertext in the horizontal, vertical, and diagonal directions, respectively. For the plaintext, we randomly select 3000 pixels in the three directions, respectively calculate the absolute values of their correlation coefficients, and list them in Table 4. Then we draw their distribution diagrams as shown in Fig. 10a, b, and c, respectively. As a contrast, the corresponding data of the ciphertext are also given in Table 4, and the diagrams are shown in Figs. 10d, e, and f, respectively.

Table 4 Correlations of the plaintext and cipher images in the three directions
Full size table

From Fig. 10 we find that the plaintext pixels exhibit approximately linear distribution in all of the three directions, whereas the distributions of the ciphertext pixels are not clear. This indicates the encryption algorithm effectively destroyed the pixels correlation of the plaintext. Thus, the statistical attacks are invalid. This conclusion is also supported by the data in Table 4.

Fig. 10
figure 10

The plaintext and ciphertext pixels distributions of the image Tiger

Full size image

7.3.3 Information entropy

Information entropy (IE) is the measure of the disorder state for an information system. It reflects the randomness and unpredictability of an information sources. For an 8-bit integer image, the ideal value of IE is 8. In fact, the closer the IE of the cipher image is to the ideal value, the stronger the robustness of the algorithm.

The information entropies of the plaintexts and ciphertexts for the three experimental images are now shown in Table 5. The data show that the information entropies of the ciphertexts are very close to 8. Thus, it is inferred that the proposed algorithm is robustness and strong enough to resist statistical attack. Meanwhile, the data also proves that the proposed algorithm is superior to that mentioned in [20] in the sense of information entropy.

Table 5 Entropies of the plaintext and cipher images
Full size table

7.4 Resistance to differential attack and plaintext sensitivity

Under the same condition of keys, plaintext sensitivity focuses on the influence extent of the quantitative changes in plaintext on ciphertext. Using \( {P}_0,{P}_0+\varDelta P,{C}_{P_0}, \) and \( {C}_{P_0+\varDelta P} \), respectively to represent the plaintexts and the corresponding ciphertexts before and after the variation, the plaintext sensitivity analysis is to find the differences between \( {C}_{P_0} \) and \( {C}_{P_0+\varDelta P} \) when ΔP is taken as a small numerical value. If the difference is great, then the algorithm is considered to be sensitive to the plaintext.

Respectively increasing the gray values of the three experimental images by 10−10, we calculate the correlation coefficients, SSIM, NPCR, UACI, and BACI of the two cipher images before and after the change. The results are shown in Table 6. The data state clearly that the correlations and SSIM of the ciphertexts are very close to zero. Meanwhile, the values of NPCR, UACI, and BACI are very close to the ideal values, respectively. This demonstrates that the proposed algorithm is sensitive to plaintext and can effectively defend against differential attacks.

Table 6 Correlation, SSIM, NPCR, UACI, and BACI of the ciphertexts before and after the variation of the plaintexts
Full size table

7.5 Resistance to chose-plaintext attack

The practice of image encryption has proved that pure scrambling encryption or sequence encryption is insecure for chose-plaintext attack. Compared with these simple encryption methods, the proposed scheme adopts such an encryption pattern of diffusion- scrambling-nonlinear transformation to improve the security for chose-plaintext attacked. From the differential attack test, we find that even a light change in plain image should cause a huge change in the cipher image. This fully shows that the algorithm is very sensitive to the change of plaintext. And what’s more, as mentioned in the Section 2.2, the generating of Lagrange interpolation cipher sequence is based on the two important factors, that are random components and plaintext relation. This feature guarantees that the algorithm is still secure against chose-plaintext attacks even when other part of the key is cracked.

7.6 Comparison with other schemes

In order to evaluate the algorithm more objectively, we compare some performance indicators of our scheme with that of two other image encryption methods published in recent years, namely, Refs. [5, 12, 32]. The indexes are listed in Table 7, which are obtained based on the image Tiger.

Table 7 Performance comparison of the proposed algorithm with other schemes
Full size table

From this table, we can see that the key space of our algorithm is the biggest among the four schemes. This reveals that our method is optimal for resisting brute force attack. The data in line 2 show that the information entropy values of the three schemes are all very close to 8.0. Although the value of our scheme is slightly smaller than that of Ref. [12, 32], it has little influence since which can guarantee no information leak of cipher image. For correlation indicators in horizontal, vertical and diagonal direction, our method is superior to Ref. [12, 32] and inferior to Ref. [5], but this slight difference has little influence since they are all extremely close to zero. As for differential analysis, the values of NPCR and UACI of the three schemes are all very close to the ideal values, so all the four schemes can resist differential attack effectively. In contrast, our algorithm takes advantages of mathematical methods not commonly used in cryptography, such as non-linear interpolation, irreversible chaotic system, non-linear transformation, etc., which can achieve high security with simple structure. Thus, the proposed scheme demonstrates some advantages and is expected to be applied to image encryption practice.

7.7 Performance evaluation on large scale datasets

Only the three experimental images can not reveal all the truth. In order to strongly prove the effectiveness and security of our method, we use two large scale image datasets to evaluate the proposed algorithm. The Cifar-10 [7] dataset contains images of objects belonging to 10 categories, with 6000 images per category. Another image processing dataset BSD500 [8] includes 800 images belong to various species and scenes. For performance evaluation, we randomly pickup 5 images per category from Cifar-10 and other 50 images from BSD500 respectively, which forms a testing subset of 100 images. We encrypt all the 100 images using the proposed algorithm and calculate the main performance data. Limited to the space, the encrypted images and detailed data of the various indexes are omitted here. The statistical results of the indexes are shown in Table 8. In this table, the sub-index CORL of differential analysis means the correlation coefficients of the two cipher images before and after the plain image variation. The data demonstrate that the mean of every indicator is very close to the ideal value and the distribution of the data is reasonable, uniform, and stable. So, our encryption scheme is effective and safe for large scale image datasets.

Table 8 Statistical results of the indexes for performance and security
Full size table

7.8 Decryption of cropped, noised, and compressed cipher image

In this subsection, we discuss whether a cipher can be correctly de decrypted if it is cropped, noised, of compressed. For the three images used in Section 6, we carry out the decryption experiment. The results are exhibited in Figs. 11, 12, and 13, respectively.

Fig. 11
figure 11

Decrypted results of the cropped cipher for the experimental image Tiger

Full size image
Fig. 12
figure 12

Decrypted results of the noised cipher for the experimental image Pilots

Full size image
Fig. 13
figure 13

Decrypted results of the compressed cipher for the experimental image Pyramid

Full size image

In Fig. 11, (a) is the initial image of Tiger, (b) is the decrypted result of the cipher in which 80,000 random pixels are replaced with the Matlab constant ‘Nan’, (c) is the decrypted image of the cipher in which an image block is substituted by ‘Nan’. The block ranges from the 10000th pixels to the 40000th pixel.

In Fig. 12, (a) is the initial image of Pilots, (b), (c), and (d), respectively are the decrypted results in three different noised ciphers. These ciphers include those in which 40,000 random pixels, a block of pixels, and all the pixels, are added with random noise, respectively.

In Fig. 13, (a) is the initial image of Pyramid, (b) is the decrypted result of the cipher after Huffman compression and decompression, and (c) is the decrypted image of the cipher after DCT compression and decompression.

These figures show that, for lossless compressed ciphertext, the result after decompression and decryption is exactly the same as the plain image. Even for cropped, noised, and loss compressed ciphertext, the decrypted results are extremely close to the plain image.

8 Conclusions

In this paper, the plaintext related image hybrid encryption scheme is detailed discussed based on multiple theories and techniques such as Lagrange interpolation, generalized chaotic map, matrix nonlinear transformation, random matrix, and sequence rearrangement, etc. The encryption scheme is implemented in the mode of diffusion-scrambling-transformation. Using the operation of XOR and the first cipher matrix, the image diffusion is carried out. Combing Lagrange interpolation cipher with random matrices and sequence rearrangement, the image scrambling is performed. Utilizing the point operation and rounding operation, the compound transformation encryption is executed. Accordingly, the decryption process is fulfilled by the inverse operations in the contrary order. In our algorithm, the cryptographic mechanism related to plain image is fully complied through nonlinear transformations and operations. The results of the experimental simulation show that the proposed algorithm is feasible and effective. And the performance evaluation reveals that the scheme is quite secure to resist different attacks, such as statistical attack, chosen-plaintext attack, brute force attack, and differential attack, etc. Compared with other algorithms, the characteristics of our method are demonstrated in the paper. So it can be regarded as a candidate for practical image encryption.