1 Introduction

Since chaos theory were introduced by E. Lorenz, it has been intensively researched in various fields of science and engineering [23] such as physics, chemistry, biology, etc. Besides, chaos has been interested in different areas of engineering applications e.g. information security [33], communications [65, 73], electronic circuits [30]. In the application of information security, chaotic systems are employed in two main aspects, i.e. cryptography and stenography. Similar to general approaches of stegnography, chaos-based steganographic is with the use of chaotic sequences in hiding the secret data under a cover image in either the spatial domain or the transform domain. For the spatial domain, the secret data is embedded in least significant bits of pixels of the host image with the support of chaotic sequence (e.g. [27, 45, 60]). In another way with the transform domain, chaotic sequences play a role to locate transformed coefficients (e.g. [57, 71, 72]) or together with the secret data in modulating transformed coefficients [55, 69]. Many algorithms were reported in order to improve the quality, performance and security of image steganography. With the use of chaotic sequences, two prominent types of techniques are to improve the security, i.e. the combinations of chaotic sequences and other techniques, such as transformation, DNA computing, and neural networks, etc. Chaotic values are used for encrypting the secret data before introducing into the cover image in transform domains e.g. [55, 69] or for identifying the coordinate of pixels where the secret data elements being embedded, e.g. [27]. Chaotic sequences assist to determine variable bit embedding in sub-bands of transform domains [15] or it can be combined with DNA computing in construction of steganographic algorithms, e.g. [17, 28, 43]. According to recent report by Alan A. Abdulla et al. [2], there are four main requirements for a steganography which must be met, i.e. (i) stego-image quality, (ii) hiding capacity, (iii) secret detectability, and (iv) robustness. However, most of chaotic steganography schemes have not been thoroughly examined for all requirements. The embedding efficiency as defined in [2, 20] is very important for a steganography scheme. It is conversely correlated with first three requirements and related to the performance of a steganography scheme. There are very few dedicated methods focusing on the embedding efficiency. Recently, the embedding efficiency has been improved by exploiting similarities between the secret and cover images as presented in [2], by using non-adaptive LSB technique [31], or by increasing amount of transmitted data [7].

Since the first work about chaotic encryption published by Robert Matthews [42], a huge number of chaos-based algorithms have been proposed for the image encryption with two main approaches, i.e. based on a pre-defined architecture and non-structural ones. For the first approach, a chaos-based cryptographic algorithm is designed by following one of certain well-known architectures such as Feistel and substitution-permutation network (SPN) [29, 41]. Ciphers employing the architecture of SPN can be implemented in the form of permutation and diffusion or substitution-diffusion for the chaos-based image encryption, and the security level is easily controlled by number of encryption rounds. In 1998, Fridrich proposed the permutation-diffusion architecture using chaotic maps [19] for the first time. Thereafter, the chaos-based image encryption has been developed extensively [10, 80, 82]. For chaotic ciphers using the architecture of Feistel, chaotic functions are involved in generating secret keys [11, 38], and in designing round functions [44, 51, 58, 62, 74, 89, 90]. For the second approach, a chaos-based cryptographic algorithm is not based on any specific architecture, but it is designed so that the security level is assured by means of complexity such as DNA encoding [22, 47, 76, 96, 100], transform domain [14, 26, 83], neural networks [52, 77, 87], quantum information processing [81, 101, 102] and their combinations [46, 94]. In any way, a cipher must have the confusion and diffusion properties as suggestion given by C.E. Shannon [59]. Confusion is obtained by making a relation between the ciphertext and the secret key, and it can be obtained by substitution or permutation. Diffusion is achieved by spreading the dependence of the ciphertext itself and the secret key.

For a chaos-based image encryption employing the SPN, there are two main ways to use a chaotic system in order to achieve the confusion property: chaotic substitution box and chaotic permutation. For the chaotic substitution, a psuedo-random sequence generated by a chaotic system is used for constructing a substitution table (called a chaotic S-box) and values of plain pixels are substituted by values given in a chaotic S-box, e.g. [22, 104]. Based on the sensitivity on initial values of chaotic system, dynamical S-boxes were proposed and reported e.g. [53, 66, 103]. For the chaotic permutation, pixels are permuted one another under a rule generated by a chaotic system, i.e. value of a pixel or bits of a pixel at certain location is exchanged with that of another pixel at different location. In order to get the diffusion property, chaotic values can be used for manipulating values of pixels in different ways. In most of chaotic image encryption, chaotic values, values of plain and ciphered pixels are directly involved in equations to calculate new values of pixels, and it is performed sequentially to make the diffusion.

Recent algorithms of chaos-based image encryption were proposed with two significant innovations, i.e. the image-content sensitivity encryption and fast/efficient encryption algorithms. Firstly, for the image-content sensitivity encryption, the image content is sensitively involved in the encryption process. Hash values are generated by the image data and used as initial values for chaotic maps such as in [9, 88, 91], where the encryption key does not change during the encryption process. In [10, 21], values of parameters of chaotic maps are updated and dependent on values of pixels of intermediate ciphertext during encryption of a single image. As a result, the final ciphertext is much more sensitive to the image content. However, values of only parameters of chaotic maps are changed, while the state variables are not perturbed. The final ciphertext must be most sensitive to the plaintext if both state variables and control parameters of chaotic maps are perturbed after every iteration.

Secondly, fast and efficient encryption algorithms can be achieved by several ways, i.e. combination of permutation and diffusion [12, 80], multiple image encryption [22, 34, 40, 48, 49, 56, 63, 67, 78, 79, 95, 97,98,99,100,101], selective or partial encryption [6, 13, 32, 64, 86], algorithms using high dimensional chaos [70], or encryption dealing with blocks of data [1, 18]. Among them, the chaos-based multiple image encryption (MIE) has been most interested recently because that performs encrypting multiple images at the same time. In fact, the MIE is also very useful for the application of multi-party authentication that requires all ciphertexts for the successful decryption. However, there are some flaws in the existing schemes as presented in Section 2.1. The designs of existing algorithms of MIE are not in the form of SPN for taking advantage of controlling the security level by means of adjusting number of encryption rounds.

Nowadays, most of images are digital, therefore algorithms of chaos-based image encryption must be implemented in digital platforms. In any digital platform, values of state variables and control parameters of chaotic map must be represented by a limited number of bits. Consequently, chaotic dynamics is deteriorated by the rounding or truncating errors, and there exists a finite cycle [36] in the sequence of values generated by digital chaos. A chaotic map with poor dynamics must not be used for the chaotic encryption [3, 4]. So, this leads to recent proposals in enriching dynamics of digital chaos for the chaotic encryption in order to lengthen the cycle in the sequence of values generated by digital chaos. As described in [85], there are several approaches to reduce the deterioration of dynamics of chaotic maps, i.e. expansion of the precision, combination of multiple maps, and perturbation to a chaotic map. The feedback control method is considered as the perturbation by an internal source. Under the perspective of hardware implementation, the approaches by expanding the precision in representing fractional numbers and by combining multiple chaotic maps require more hardware and computational resource than the approach of perturbation does. Under the view of perturbation, a perturbed chaotic map (PCM) with the source of perturbation coming from another chaotic map must be seen as combination of chaotic maps [8, 35, 39].

Theoretically, the perturbation on state variables makes chaotic dynamics stochastic, while that on control parameters pushes the dynamics of chaotic map into a non-stationary behavior. The most complicated dynamics is obtained with the perturbation on both state variables and control parameters. A chaotic map is perturbed in the form of feedback, that is, values of state variables are utilized to perturb on the control parameters, at the same time, values of control parameters are used to perturb back on the state variables as shown in [36, 68]. The perturbation can be a feedback in a way that a delay state variable is introduced to control parameters [37]. As presented in [16, 61, 68], state variables of a chaotic map are perturbed by external sources that makes the cycle length of the chaotic sequence extended.

In recent works by T.M. Hoang et al. [24, 25], the models of perturbed chaos at the bit level have been proposed for the chaos-based image encryption. The perturbation can be made to state variables, control parameters, or to both. Perturbation amounts come from either values of state variables (i.e. feedback) or external sources. In any scheme of perturbation, the value ranges of state variables and control parameters must be kept in the valid ones to ensure the exhibition of chaotic behavior. Chaotic values are represented in the format of fixed-point number. Statistical distributions of bits “0” and “1” are uniform for low significant bits. Such low significant bits are extracted and used for the encryption. Logically, perturbation makes chaotic dynamics more complicated, and if the PCM is used, the security of chaos-based encryption must be enhanced.

In fact, chaotic values of state variables consist of large number of bits. From chaotic bit sequences, high quality bit sequences in terms of randomness can be generated and those are tested and confirmed random enough to be used for the cryptographic application, e.g. [54, 75]. However, most of chaos-based encryption use chaotic values in computation with pixel values. Values of pixels are normally represented by either 8-bit integers for grayscale images or three times of 8-bit integers for RGB color images. For existing algorithms of chaos-based image encryption, many bits in values of state variables are not used for increase the efficiency of chaos-based encryption.

This paper presents a new design of chaos-based multiple image encryption with the architecture of permutation-diffusion network. Therein, a chaotic map is perturbed by the location information of pixels in the permutation, and another chaotic map is perturbed by values of plain and intermediate ciphered pixels in the diffusion. All perturbations to chaotic maps are made at the bit level after every iteration. Two main contributions are as follows:

  • For the first time, the chaos-based multiple image encryption is designed with the structure of permutation-diffusion network, in which PCMs are employed. With the proposed design, any chaotic map can be used in the design of encryption. Bits of values of state variables produced by PCMs are thoroughly exploited for the MIE.

  • In both the permutation and diffusion processes are designed such that dynamics of chaotic maps is perturbed after every iteration. The source for amounts of perturbation is switched between the image content and values of state variables. Therefore, the encryption possesses the property of authentication. With the perturbation, the dynamics of chaotic maps is more complicated, and the dynamical degradation is reduced. As a result, the merit of perturbed chaos enhances the security logically.

The example is demonstrated and the simulation result shows the effectiveness of the proposed design of MIE.

The rest of the paper is organized as follows. In Section 2, the related works about the existing MIEs and the PCM are reviewed. Then, the detail about the proposed design of MIE using PCMs is presented in Section 3. Section 4 shows the exemplar simulation and detailed results of analysis. Finally, Section 5 gives the discussions and conclusions of the work.

2 Related works

In this section, the existing chaos-based multiple image encryption (MIE) is reviewed and then the drawbacks of existing algorithms of MIE are pointed out. Recent models of perturbed chaotic maps are also presented.

2.1 Multiple image encryption

As presented in [97], the big image is obtained by merging multiple smaller images, k = K1K2 images and each image sized M × N. The permutation is carried out at blocks of pixels with the size M1 × M1 (e.g. 8 × 8 pixels) with the rule generated by sorting a chaotic sequence. The scrambled blocks of pixels are merged to become a big image and then the big image is segmented into images with the original size. It is a lack of diffusion effect in the encryption. A similar method of multiple image encryption is presented in [98] by the same group of authors, in which the diffusion process is inserted into the encryption by XORing between scrambled images and the same chaotic matrix.

Inspired by the magic cube game, a 3D permutation model using the rule generated by chaotic sequence was proposed and presented in [99] to encrypt k images with the same size. There, the permutation is carried out with the internal-row, internal-column modes for rows and columns of pixels in individual images, and then with the external mode for all plain images. The XOR operation is used as the diffusion between permuted images and the same chaotic image. A similar idea to this work is presented in [56]. A limited number of original images are arranged into the form of cube image with the size 128 × 128 × 128 for the pixel permutation in three directions. The XOR operation is performed between the scrambled cubic image and the cubic chaotic image. The resultant cubic image after XORed is rearranged to produce the encrypted images.

As presented in [100], the DNA computing is employed in the design. Multiple images with the same size are merged to become a big image for scrambling. Then, the big scrambled image is segmented into multiple smaller images for diffusion. The DNA operation is used for encoding. The DNA XOR operation between matrices does not make domino effect in the diffusion and all the scrambled images are masked with the same chaotic image.

In [95], the multiple image encryption deals with significant bit planes in order to reduce the volume of plaintext to be encrypted. The XOR operation between the scrambled images and the same chaotic image is performed to produce the encrypted images. In that work, four most significant bits of plain images are extracted, and bits in each plane are permuted. Then, the scrambled bit planes are combined with four least significant bits by another permutation. Lastly, the scrambled images are XORed with the chaotic image to produce the ciphertexts.

In [67], the multiple image encryption is presented, in which plain images are decomposed into bit planes and from that bit blocks are formed. Bit blocks are swapped and then XORed with the chaotic matrix. Four plain images with the same size are demonstrated. The Henon map is employed for determining pattern of bit blocks and the Logistic map is used for generating the chaotic matrix. The disadvantage is that the random size of bit blocks makes the duration for the encryption uncertain.

The novel quantum multi-image encryption was proposed by Nanrun Zhou et al. as presented in [101]. There, the quantum representation model for multiple images and the quantum multi-image encryption scheme were devised by combining the quantum 3D Arnold transform and quantum XOR operations with the scaled Zhongtang chaotic system. There are two stages of diffusion and permutation for single round of encryption. However, a large number of computational operation are required with a series of summation and multiplication for quantum transformations.

In [49], K Abhimanyu Kumar Patro et al. proposed the multiple image encryption with various sizes, and that operates the permutation and diffusion on m blocks of pixels with the size of 2 × 2 and rem_size remaining pixels. Then, the shuffled blocks and pixels are XORed sequentially with chaotic values, and finally the combination is performed to produce the ciphertexts.

In the similar idea in [49] by the same group of authors, the multiple RGB-image encryption is presented in [48], but the difference is that the plain images are not divided into blocks. k plain RGB images with the same size are considered, and three color channels of each image are separately encrypted. The k components of the same color are concatenated horizontally for pixel permutation. Next, combinations of pairs of color images are concatenated vertically for pixel-row permutation and then horizontally for pixel-column permutation. Finally, the diffusion is performed by sequential XORing operation hopping over shuffled components of different colors. Multiple grayscale images are also encrypted in a similar way as presented in [50].

In [40], multiple RGB images with the equal size are merged to become a big image, and then pixels in the images of three color channels are scrambled using three sorted chaotic sequences generated by the 3D Lorenz chaotic system. The XOR operation is performed between the scrambled image and the chaotic image to produce the encrypted images.

In [22] the method of multiple image encryption using the DNA encoding is presented. Multiple RGB images are merged and the images of color channels are encrypted separately and parallel. Several S-boxes are generated using chaotic sequences. The permutation rules are generated by chaotic sequences, then the XOR operation is performed to produce the images of color channels before merging into encrypted RGB images.

In 2019, M. Zarebnia et. al. reported in [93] about the algorithm of fast multiple-image encryption for grayscale images. Each image are divided into four equal non-overlapped sub-images. Sub-images are permuted within an image and then a big image is obtained by combining all images together. Such the sub-blocks are relocated, and then pixels of big image are permuted. Bits in pixels of the permuted big image are XORed with bits of chaotic values, and after that the column values of resultant big image is cyclic shifted. The XOR operation and the cyclic shift are carried out two times to create the diffusion in the encrypted images. However, it is noted that chaotic values for the XOR operation and the rules of sub-images, and pixels permutation are produced by chaotic maps. It is clear that the diffusion is obtained by the cyclic shift of pixels combining with the XOR operation.

In conclusion, there are three drawbacks in the existing methods of multiple image encryption. First, all of the above-mentioned methods of MIE are designed to work for a single round of encryption. The security level in terms of statistical analysis of ciphertext can not be changeable by changing number of encryption rounds. Second, most of above researches for the MIE use the XOR operation for diffusion. In fact, the XOR operation in [40, 56, 67, 95, 98,99,100] does not bring the mean of diffusion or an avalanche effect in pixel values does not exist. It is simply considered as a masking process between the scrambled images and chaotic images. However, the truly mean of diffusion property with the domino fashion only exists in [48,49,50]. Third, in order to resist from the known-plaintext and chosen-plaintext attacks, some of encryption algorithms use hash values from plain images (e.g. SHA-3 in [92], SHA-256 in [48,49,50, 95, 98,99,100], or SHA-512 [56]), and those values are used as initial values for chaotic systems or for other processes but those are kept constant throughout encryption. This means that the dynamics of chaotic maps in those algorithms is stationary with fixed values of initial conditions and parameters. The security of chaos-based encryption must be significantly enhanced if the dynamics of chaotic maps is non-stationary.

These drawbacks in the existing algorithms of MIE are overcome in our proposed design which is based on the architecture of permutation-diffusion network using perturbed chaotic maps.

2.2 Perturbed chaotic map

2.2.1 Bit arrangement

In this research, there are two functions operating at the bit level, i.e. bit manipulation and bit arrangement. These operations are to construct models of perturbed chaotic map as reported in [25].

The bit arrangement consists of two activities, i.e., bit extraction and bit permutation. Let us consider matrices of bits A and B with the sizes IA × JA and IB × JB, or \(A=[a_{ij}]_{1\leq i\leq I_{A},~1\leq j\leq J_{A}}\) and \(B=[b_{ij}]_{1\leq i\leq I_{B},~1\leq j\leq J_{B}}\), with aij,bij ∈{0,1}. The matrix B is constructed from bits of the matrix A by a rule defined by Y (denoted by ∘) as a bit arrangement operator, that is

$$ A=Y\circ B. $$
(1)

where Y is the rule defining the way that bits of matrix A being extracted for the matrix B. Specifically, the rule of bit extraction is an array of 2-tuples as \(Y=[(y^{(row)}_{ij},y^{(col)}_{ij})]_{1\leq i\leq I_{A},~1\leq j\leq J_{A}}\), and the value ranges are \(y^{(row)}_{ij}\in [1,I_{B}]\) and \(y^{(col)}_{ij}\in [1,J_{B}]\). A bit of A is taken from that of B as \(a_{ij}=b_{y^{(row)}_{ij},y^{(col)}_{ij}}\). In case that a bit of A is deliberately fixed at a status ‘0’ or ‘1’, then the 2-tuple \((y^{(row)}_{ij},y^{(col)}_{ij})\) is expressed by B0 or B1 for bit ‘0’ or ‘1’, respectively.

In this work, the matrix B is obtained from an array of bit sequences, in which each bit sequence represents for values of a chaotic state variable. The matrix A is used for constructing an array of IA bit sequences for perturbation. Each bit sequence is collection of bits in the same row of A, i.e. \(A_{i}=||_{j=1}^{J_{A}} a_{ij}\), where || denotes for the concatenation of bits.

For example, a positive value is represented in the format of fixed-point number with eighteen bits as a whole and sixteen bits from the least significant position for the fractional part (denoted as \(\left \langle 18,16\right \rangle \)). Thus, the value of X = (0.135,2.634) in binary is

$$ X_{bin}=\left( \begin{array}{l} 00.0010001010001111\\ 10.1010001001001110 \end{array} \right). $$
(2)

Matrix B is obtained from Xbin is

$$ B=\left[ \begin{array}{l} 0~~0~~0~~0~~1~~0~~0~~0~~1~~0~~1~~0~~0~~0~~1~~1~~1~~1\\ 1~~0~~1~~0~~1~~0~~0~~0~~1~~0~~0~~1~~0~~0~~1~~1~~1~~0 \end{array} \right]. $$
(3)

If the rule of extraction is

$$ Y=\left[ \begin{array}{l} (1,14),(2,8),(1,6),(2,3)\\ (2,4),(2,9),(1,7),(1,13) \end{array} \right], $$
(4)

and the bit arrangement as given in (1), then matrix A is

$$ A=\left[ \begin{array}{l} 0~~0~~0~~1\\ 0~~1~~0~~0 \end{array} \right]. $$
(5)

Arrays of bit sequences are achieved by concatenating bits in rows of A is A1 = 0001 and A2 = 0100. Figure 1 illustrates the bit arrangement. In fact, any bit of B can be used multiple times to construct A.

Fig. 1
figure 1

Example of bit arrangement

Full size image

Let us consider the number of distinct rules Y constructed from a certain size of B. Assumed that the number of bits in B chosen to construct Y is \(L_{B}=I^{\prime }_{B}*J^{\prime }_{B}\) and the number of 2-tuples \((y^{(row)}_{ij},y^{(col)}_{ij})\) in Y is LY = IAJA. It is noted that if some of bits of B are used to construct A, so \(I^{\prime }_{B}\leq I_{B}\) and \(J^{\prime }_{B}\leq J_{B}\). Also, if any bit from B is not repetitively chosen for A, then the number of distinct variants of Y is considered as LY-permutations of LB or

$$ N_{Y}=\frac{L_{B}!}{(L_{B}-L_{Y})!}. $$
(6)

In case that a bit from B is chosen multiple times for constructing A, NY is much larger and dependent on how many times a bit of B is allowed being chosen. However, because the number of bits in A is IAJA, so the number of distinct bit patterns of A is \(2^{I_{A}*J_{A}}\). The bit arrangement will be used for bit extraction for perturbation in the PCM.

2.2.2 Bit manipulation

The function of bit manipulation is to lengthen or shorten a bit sequence dependent on the relative length of the input and the output. Note that |X| returns the number of bits or the length of bit sequence X. Let us consider a bit manipulation of two bit sequences (E1 and E2 with the lengths |E1| and |E2|, respectively) and produce bit sequence E with the length |E|. There are two cases of relative lengths, i.e. |E| < |E1| + |E2| and |E|≥|E1| + |E2|. In this work, two simplest ways to deal with two cases of lengths to get E.

BM-1: For |E|≥|E1| + |E2|, the bit sequence E is simply constructed by E = E1||E2.

BM-2: For the second case |E| < |E1| + |E2|

Step 1: Find an integer n such that (n − 1) ∗|E| < |E1| + |E2| < n ∗|E|. Step 2: Separate the sequence E into n portions, i.e. Ti i = {1...n}, such that first n − 1 portions are with the same length |E| and the last portion Tn is with the length |Tn| < |E|. Step 3: Pad the sequence of bit zeros ‘0...0’ with the length of |E|−|Tn| into the sequence Tn to become Tn||0...0. Step 4: XOR n sequences of bits Ti to have the output sequence E.

The step 4 of BM-2 is shown in Fig. 2. \(\rhd \) and \(\lhd \) are chosen to denote for the operator of BM-1 and BM-2 in the later equations. In fact, more complicated bitwise operations can be applied to generate the output bit sequence.

Fig. 2
figure 2

The bit manipulation

Full size image

2.2.3 Description of perturbed chaotic map

Let us consider a chaotic map realized in a digital platform and its state variables and parameters are perturbed at the bit level as illustrated in Fig. 3. The function of PCM F(.) is expressed by

$$ \begin{aligned} \left\{ \begin{array}{ll} X_{n+1}&=F(\hat{X}_{n},\hat{\Gamma}_{n}),\\ \hat{X}_{n}&=X_{n} \oplus {\Delta}_{X_{n}},\\ \hat{\Gamma}_{n}&={\Gamma}_{n} \oplus {\Delta}_{{\Gamma}_{n}}. \end{array} \right. \end{aligned} $$
(7)

where the vectors are of state variables Xn and control parameters Γn; and the perturbation vectors at a certain iteration are \({\Delta }_{X_{n}}\) and \({\Delta }_{{\Gamma }_{n}}\). Assumed that the chaotic map has D dimensions and G control parameters, so \(X_{n}=[x_{n}^{(D)}~x_{n}^{(D-1)}...~x_{n}^{(2)}~x_{n}^{(1)}]^{T}\), \({\Gamma }_{n}=[\gamma _{n}^{(G)}~\gamma _{n}^{(G-1)}...~\gamma _{n}^{(2)}~\gamma _{n}^{(1)}]^{T}\), \({\Delta }_{X_{n}}=[\delta _{x_{n}^{(D)}}~\delta _{x_{n}^{(D-1)}}...~\delta _{x_{n}^{(2)}}~\delta _{x_{n}^{(1)}}]^{T}\) and \({\Delta }_{{\Gamma }_{n}}=[\delta _{\gamma ^{(G)}_{n}}~\delta _{\gamma ^{(G-1)}_{n}}...~\delta _{\gamma ^{(2)}_{n}}~\delta _{\gamma ^{(1)}_{n}}]^{T}\). Amounts of perturbation to the chaotic map can be either from external source E or internal source Xn decided by the switches as

$$ \begin{aligned} {\Delta}_{{\Gamma}_{n}}=\left\{ \begin{array}{ll} Y_{1}\circ E&\text{ for } n=0,\\ Y_{2}\circ X_{n}&\text{ for } 1\leq n\leq R, \end{array} \right. \end{aligned} $$
(8)

and,

$$ \begin{aligned} {\Delta}_{X_{n}}=\left\{ \begin{array}{ll} Y_{3}\circ E&\text{ for } n=0,\\ Y_{4}\circ X_{n}&\text{ for } 1\leq n\leq R. \end{array} \right. \end{aligned} $$
(9)
Fig. 3
figure 3

The perturbed chaotic map (PCM)

Full size image

The bit arrangements Yi are described in Section 2.2.1. Assumed that values of E are represented by k1 bits, and values of state variables and control parameters are represented by D × m1 and G × m2 bits, respectively. In addition, values of state variables and control parameters are represented in the format of either integer or fixed-point number dependent on the definition of original chaotic map. In the case of fixed-point number, m1 bits of state variables are composed by the most significant bit for the sign, \(m_{1}^{(int)}\) bits for integer portion, and \(m_{1}^{(frac)}\) bits for fractional portion, i.e. \(m_{1}=m_{1}^{(int)}+m_{1}^{(frac)}+1\). That is similar for the control parameters as \(m_{2}=m_{2}^{(int)}+m_{2}^{(frac)}+1\). In practical, m1 and m2 are adopted for the desired precision to avoid the degradation of chaotic dynamics and for the desired space of secret key.

To ensure that chaotic dynamics is retained without disrupting the model of chaotic map, values of perturbed state variables as well as perturbed control parameters, \(\hat {X}_{n}\) and \(\hat {\Gamma }_{n}\) in (7), must be constrained in its valid ranges as defined by the original chaotic dynamics. Therefore, a number of selective bits at specific positions in Xn and Γn may be kept its states fixed, while states of other bits can be flippable by the perturbation. In fact, the state variables and control parameters can be interpreted by arithmetic operations as

$$ \begin{aligned} \begin{array}{ll} \hat{X}_{n}&=X_{n} \pm {\Theta}_{X_{n}},\\ \hat{\Gamma}_{n}&={\Gamma}_{n} \pm {\Theta}_{{\Gamma}_{n}}, \end{array} \end{aligned} $$
(10)

where \({\Theta }_{X_{n}}\) and \({\Theta }_{{\Gamma }_{n}}\) are seen as amounts of perturbations and those are considered as vectors of instant noise interfering the original orbit of chaotic map, i.e. \({\Theta }_{X_{n}}=[\theta _{x_{n}^{(D)}}~\theta _{x_{n}^{(D-1)}}...\theta _{x_{n}^{(2)}}~\theta _{x_{n}^{(1)}}]^{T}\) and \({\Theta }_{{\Gamma }_{n}}=[\theta _{\gamma ^{(G)}_{n}}~\theta _{\gamma ^{(G-1)}_{n}}...~\theta _{\gamma ^{(2)}_{n}}~\theta _{\gamma ^{(1)}_{n}}]^{T}\). The sign “+” or “–” in (10) is dependent on the relative difference between values of Xn and Γn before and after perturbed. Values of \(\theta _{x_{n}^{(i)}}\) and \(\theta _{\gamma ^{(i)}_{n}}\) are dependent on the status of the most significant bit being changed before and after perturbation in \(x_{n}^{(i)}\) and \(\gamma ^{(i)}_{n}\), respectively.

According to the statistical analysis [25], the distribution of bits at low-weight positions in chaotic values is uniform. Therefore, low-weight bits in values of Xn should be chosen to perturb high-weight bits in the feedback, or those should be used for making up amounts of perturbation \({\Delta }_{X_{n}}\) and \({\Delta }_{{\Gamma }_{n}}\).

3 Proposed design of multiple image encryption based on perturbed chaos

Figure 4 illustrates the proposed design of MIE for k images. Figure 4a presents the encryption with two stages, i.e. chaotic pixel permutation (CPP) and chaotic diffusion (CD). Respectively, P, \(P^{\prime }\) and C are sets of k plain images, permuted images and ciphered images. The CPP and CD are performed Np and Nd rounds, respectively. Both the CPP and CD are iterated Ne rounds. The secret key consists of Sp and Sd. The decryption as displayed in Fig. 4b consists of the inverse chaotic pixel permutation (iCPP) and inverse chaotic diffusion (iCD). The order of the permutation and the diffusion is reversed in compared with that in the encryption. Here, the PCM presented in Fig. 3 is employed for the permutation and diffusion.

Fig. 4
figure 4

The abstract design of multiple image cryptosystem

Full size image

3.1 Chaotic pixel permutation for MIE

It is known that the pixel permutation is to exchange values between a pair of pixels within the spatial range of image. Here, the coordinate of destination pixels is produced by the chaotic map in the CPP.

Figure 5 displays the structure of CPP for the MIE, in which the PCM produces the destination coordinates for pixels. There, \({\Gamma }_{0}^{(p)}\) and \(X_{0}^{(p)}\) are vectors of initial values. It is assumed that all k plain images are with the same size of M × N; \(M=2^{k_{1}^{(x)}}\) and \(N=2^{k_{1}^{(y)}}\).

Fig. 5
figure 5

The proposed structure of chaotic pixel permutation (CPP) for the multiple image encryption

Full size image

In the case of multiple image permutation, there are two possible schemes as shown in Fig. 6, i.e. intra-image permutation and inter-image permutation. A pixel of an image can be shuffled with another pixel either of the same image as the scheme of intra-image permutation in Fig. 6a or of another image as the scheme of inter-image permutation in Fig. 6b. Therefore, the single coordinate of k original pixels is represented by bit sequence XYorig as the input of the CPP for perturbation. For simplicity, the bit sequence XYorig is obtained by concatenating bit sequences what represents for row number X and column number Y, i.e. XYorig = X||Y as shown in Fig. 7a.

Fig. 6
figure 6

Two options of pixel permutation

Full size image
Fig. 7
figure 7

Array of bit sequences encodes the original and destination pixels in the permutation

Full size image

The bit sequence XYorig with the length \(k_{1}^{(p)}=k_{1}^{(x)}+k_{1}^{(y)}\) at the input is converted to the bit sequence Ep with the length \(k^{(p)}_{1}\) by the block Bit Manipulation using the function BMp. The bit sequence Ep is used for perturbing the PCM. After Rp iterations, chaotic values of state variables of PCM, \(X_{R_{p}}\), are produced and utilized for figuring out destination coordinates kXYdes for k original pixels corresponding to the same original coordinate XYorig of k images. kXYdes is achieved by

$$ kXY_{des}=Y_{p}\circ X_{R_{p}}. $$
(11)

where Yp is the function of Bit arrangement that defined similarly to Yi in the PCM.

For the scheme of inter-image permutation, the array of bit sequences kXYdes representing for the destination coordinates of pixels is given in Fig. 7b. There, the destination coordinate for an original pixel at XYorig of image Pi is the i-th row of kXYdes. Each row of kXYdes is a bit sequence that comprises of the destination coordinate represented by \(k_{1}^{(x)}\) and \(k_{1}^{(y)}\) bits and the index of destination image encoded by Log2k bits. Therefore, the array of bit sequences for the destination coordinate kXYdes has \(k*(k^{(x)}_{1}+k^{(y)}_{1}+Log_{2}k)\) bits. However, for the scheme of intra-image permutation, the bit portion for the destination image is not necessary.

It is noted that the CPP is carried out for pixels in the images from left to right and row by row. The structure of inverse chaotic permutation (iCPP) in the decryption is exactly the same as that of the CPP, except that the scanning order of pixels is in reverse way in compared with that in the CPP. The block Bit Manipulation with the function BMp manipulates its input XYorig to become Ep for the perturbation to the PCM. In case that \(Log_{2}(M*N)\geq k^{(p)}_{1}\), BMp shortens Log2(MN) bits into \(k^{(p)}_{1}\) bits. However, if \(Log_{2}(M*N)<k^{(p)}_1\), the bit lengthening operation can be carried out by Y1 and Y2 in the PCM. In any case, the bitwise operations can be optionally used by BMp.

Let us consider the contribution of the permutation to the secret key of cryptosystem. Due that the PCM is perturbed by the coordinate information of pixels, only flippable bits in values of state variables and control parameters are counted for the secret key. The number of bits that contributes to the secret key is \(S_{p}=|{\Gamma }_{n}^{(p)}|_{flip}+|X_{n}^{(p)}|_{flip}\); where |.|flip returns the number of flippable bits.

3.2 Chaotic diffusion for MIE

Figure 8 illustrates the proposed structure of chaotic diffusion (CD) and inverse chaotic diffusion (iCD) using the PCM for the MIE. In both of the CD and iCD, initial values for the PCM is \(X_{0}^{(d)}\) and \({\Gamma }_{0}^{(d)}\), and initial values of plain and ciphered pixels are kP0 and kC0. However, 2 ∗ kk2 bits of E1 and E2 are transformed to \(k^{(d)}_{1}\) by the function BMd. The value of each pixels is represented by k2 bits. In the CD and iCD, the scanning order for pixels is from left to right, row by row, and top to bottom.

Fig. 8
figure 8

The proposed structure of (CD) and iCD using the PCM

Full size image

The CD in Fig. 8a shows that the array of bit sequences kPxy is with the size kk2 bits representing for values of k pixels from k images. With the perturbation Ed, the PCM iterates Rd times to produce \(X_{R_{d}}\). The array of bit sequences kCxy that represents for values of ciphered pixels of k images is extracted from \(X_{R_{d}}\). The equations describe the operation of the CD as follows

$$ E_{1}=\left\{ \begin{array}{ll} kC_{0}&\text{for } (x,y)=(1,1);\\ kC_{xy}&\text{for } (x,y)\neq (1,1), \end{array} \right. $$
(12)
$$ E_{2}=\left\{ \begin{array}{ll} kP_{0}&\text{for } (x,y)=(1,1);\\ kP_{xy}&\text{for } (x,y)\neq (1,1), \end{array} \right. $$
(13)

and

$$ \begin{array}{ll} kC_{xy}&= kP_{xy}\oplus O_{d},\\ &=kP_{xy}\oplus (Y_{d}\circ X_{R_{d}}). \end{array} $$
(14)

For the iCD in Fig. 8b, the process to recover plain pixels is almost identical to that of the CD, except that the block Z− 1 is to delay the data to match with the operation in the CD. The equations for the operation of the iCD are

$$ E_{1}=\left\{ \begin{array}{ll} kC_{0}&\text{for } (x,y)=(1,1);\\ kC^{-1}_{xy}&\text{for } (x,y)\neq (1,1), \end{array} \right. $$
(15)
$$ E_{2}=\left\{ \begin{array}{ll} kP_{0}&\text{for } (x,y)=(1,1);\\ kP^{-1}_{xy}&\text{for } (x,y)\neq (1,1), \end{array} \right. $$
(16)

and

$$ \begin{array}{ll} kP_{xy}&= kC_{xy}\oplus O_{d},\\ &=kC_{xy}\oplus (Y_{d}\circ X_{R_{d}}). \end{array} $$
(17)

It is noted that values of plain pixels are utilized not only for calculating the cipher pixels in the CD and for recovering the plain pixels in the iCD, but also perturbing to the PCM. This makes the diffusion double dependent on the plain pixels.

The block Bit Manipulation in the CD is identical to that in the iCD, and its function BMd is generally to manipulate the inputs E1 and E2 with the length 2 ∗ kk2 bits to become \(k^{(d)}_{1}\)-bit Ed for the PCM.

The number of bits that the diffusion contributes to the secret key as \(S_{d}=|{\Gamma }_{n}^{(d)}|_{flip}+|X_{n}^{{(d)}}|_{flip}+|kP_{0}|+|kC_{0}|\). Therefore, the total number of bits of the secret key in the proposed design is S = Sp + Sd. Next, the specific example will demonstrate the performance of the proposed design.

4 Exemplar simulation

Let us consider the example using the perturbed Standard map for both the permutation and diffusion with the equations as

$$ \left\{ \begin{array}{ll} x^{(1)}_{n+1}&=(\hat{x}^{(1)}_{n} +\hat{x}^{(2)}_{n})~mod~2\pi,\\ x^{(2)}_{n+1}&=(\hat{x}^{(2)}_{n} + \hat{\gamma}_{n}^{(1)}sin(\hat{x}^{(1)}_{n}+\hat{x}^{(2)}_{n}))~mod~2\pi,\\ \hat{x}_{n}^{(1)}&=x_{n}^{(1)}\oplus {\Delta} x_{n}^{(1)},\\ \hat{x}_{n}^{(2)}&=x_{n}^{(2)}\oplus {\Delta} x_{n}^{(2)},\\ \hat{\gamma}_{n}^{(1)}&=\gamma_{n}^{(1)}\oplus {\Delta} \gamma_{n}^{(1)}; \end{array} \right. $$
(18)

where the vectors of state variables \(X_{n}=[x^{(2)}_{n}~~x^{(1)}_{n}]^{T}\) and control parameter \({\Gamma }_{n}=[\gamma _{n}^{(1)}]\) are respectively perturbed by \({\Delta } \hat {X}_{n}=[{\Delta } \hat {x}^{(2)}_{n}~~{\Delta } \hat {x}^{(1)}_{n}]^{T}\) and \({\Delta } \hat {\Gamma }_{n}=[{\Delta } \hat {\gamma }_{n}^{(1)}]\). The PCM is with D= 2 and G= 1. The value range of \(x^{(1)}_{n}\) and \(x^{(2)}_{n}\) is [0,2π] as in the original Standard map. Let us choose the value range for the control parameter of the chaotic map as \(1.0\leq \gamma _{n}^{(1)}{<} 8.0\). The values of state variables and control parameters are represented in the format of fixed-point number with 32 bits for fractional portions. The chosen bit patterns and the corresponding value ranges are given in Table 1. The bits with the state ‘x’ are flippable by the perturbation while other ones are fixed with the state ‘1’.

Table 1 The format of fixed-point number, bit patterns, value ranges and the length of the secret key in the ciphers
Full size table

The simulation is carried out with a set of eight plain images, i.e. Lena, Cameraman, House, Boat, Clock, Black and White. All of the images are with the same size of 256 × 256 and with the 8-bit grayscale, thus kPn and kCn are the array of 8-bit numbers. According to the size of chosen images, the values of parameters in the CPP and CD are adopted as \(k^{(x)}_{1}=8\), \(k^{(y)}_{1}=8\) (or \(k^{(p)}_{1}=16\)), k = 8 and k2 = 8. In the following text, the notations with the superscripts (p) and (d) are to indicate the state variables and parameters of the PCMs in the permutation and diffusion, respectively.

As shown in Table 1 and Fig. 5, the PCM in the CPP has 102 bits at maximum what can be perturbed by 16 bits, i.e. X and Y, representing for row and column numbers as illustrated in Fig. 7a. Therefore, BM-1 as described in Section 2.2.2 is chosen for BMp to produce Ep = X||Y. Respectively, \(Y^{(p)}_{1}\), \(Y^{(p)}_{2}\), \(Y^{(p)}_{3}\) and \(Y^{(p)}_{4}\) are equivalent Y1, Y2, Y3 and Y4 in the PCM of the CPP, and those are chosen as shown in Table 2. It is noted that B0 is denoted for the bit at that position in state variables and control parameters not being perturbed. The CPP gives Sp = 102 bits to the secret key.

Table 2 Bit arrangements Yi in the perturbed Standard map
Full size table

Similarly, the number of flippable bits in the PCM of the CD is 102 bits, and the number of bits in initial values of kP0 and kC0 is 128. Therefore, the number of bits that the diffusion contributes to the secret key is Sd = 230 bits. The total number of bits of the secret key is S = Sp + Sd = 102 + 230 = 332 bits.

Table 3 shows the rules that bits are extracted for kXYdes, kCxy and kPxy as explained in Section 3. Yp shows that eight sequences of bits kXYdes are extracted from \(X_{R_{p}}\) as illustrated in Fig. 7b. Each sequence consists of 16 bits representing for the destination coordinate Xdes and Ydes, and 3 bits indicating the index of destination image Pdes for the scheme of inter-image permutation as shown in Fig. 6b. Similarly, Yd displays that eight sequences of bits Od are obtained from \(X_{R_{d}}\), and each sequence is of 8 bits representing for a chaotic value used in (14) to produce a diffused pixel.

Table 3 Bit arrangements Yp and Yd in the permutation and diffusion in the CPP and CD as illustrated in Figs. 5 and 8
Full size table

The initial values of the cipher are chosen for the simulation as shown in Table 4. Due that eight images are encrypted at the same time or k = 8, the initial values of eight plain pixels and eight cipher ones for the diffusion are also given.

Table 4 Chosen initial values of state variables and control parameters
Full size table

4.1 Simulation results

The set of test images consists of six natural images (Lena, Cameraman, House, Peppers, Boat and Clock) and two special ones (Black and White) as shown in the first column of Fig. 9. The simulation to verify the effectiveness of the proposed design is carried out in two phases.

Fig. 9
figure 9

Permuted images with various number of iterations Rp = 1...4 with a single permutation round at Np = 1

Full size image

In the first phase, the simulation is performed separately for the permutation and diffusion with respect to various number of iterations (R) applied to the PCMs for every pixel and with respect to various number of permutation and diffusion rounds for images (Np and Nd). From the intensity analysis of permuted and diffused images, suitable values of R, Np and Nd are adopted for the simulation of encryption.

In the second phase, the encryption with the structure of the permutation and diffusion as shown in Fig. 4a is simulated with various number of encryption rounds (Ne) and the result will be presented.

4.1.1 Simulation result of permutation

A pixel of an image is shuffled with another pixel of either itself or another image in the scheme of inter-image permutation as illustrated in Fig. 6b. The permutation does not change the value of pixels regardless to number of iterations Rp as well as that of permutation rounds Np. Therefore, the intensity of each permuted image approaches to the mean intensity of test images (called a saturation value) after a number of permutation rounds. Here, the saturation value of intensity is 137.175 for the chosen set of test images.

Firstly, in order to choose a suitable value for iteration number Rp applied to the PCM of the CPP for each pixel, the permutation is simulated with varying number of Rp while fixed Np = 1. Figure 9 displays the permuted images for Rp = 1..4 in each row for each image. Intuitively, the permuted images with Rp = 1 in the second column retain the intensities of original ones. Even the intensities among permuted images are unbalanced, the objects in the original images can not be recognized. For Rp = 2..4, the permuted images look random and their intensities get balanced. Table 5 and Fig. 10 show the change of intensity in the permuted images with respect to number of iterations Rp = 1..9. It is clear that, starting at Rp = 2, the intensities of permuted images approach to and fluctuate around the saturation value, 137.175. Number of iterations applied to the PCM should be chosen as Rp ≥ 3 to guarantee the randomness and balance in the intensities of permuted images. Therefore, Rp = 4 is adopted for all the later simulations.

Table 5 Intensity of original and permuted images with various number of iterations Rp
Full size table
Fig. 10
figure 10

Intensity of original and permuted images with various number of iterations, Rp = 1...9 and fixed Np = 1

Full size image

Then, the permutation is simulated with various number of permutation rounds while iteration number is fixed at Rp = 4. Figure 11 illustrates the permuted images with varying number of permutation rounds Np = 2...5 in rows. Visually, the structural elements in the original images are replaced by the noise-like pattern. Table 6 and Fig. 12 show the intensity of permuted images with respect to Np. It is clear that the intensities of permuted images are diminished to 137.175, the mean intensity of original images. The deviation of the intensities of permuted images is reduced significantly for Np ≥ 3, thus Np = 4 is chosen for the later simulations of encryption.

Fig. 11
figure 11

Permuted images with various number of permutation rounds, Np = 2...5 and fixed Rp = 4

Full size image
Table 6 Intensity of original and permuted images
Full size table
Fig. 12
figure 12

Intensity of original and permuted images with various number of permutation rounds Np = 1...5 and fixed Rp = 4

Full size image

It is noted that the most significant change in the intensities of the original images is observed with two special images (Black and White).

4.1.2 Simulation result of diffusion

Similar to the simulation of permutation, the diffusion is simulated with various number of iterations (Rd) applied to the PCM of the CD and with that of diffusion rounds Nd. Figure 13 illustrates the diffused images with various number of iterations Rd = 1...4 and fixed number of diffusion round Nd = 1. It is clear that the noise-like pattern is observed in the diffused images even at Rd = 1. The intensities of diffused images for Rd = 1..9 are shown in Table 7 and Fig. 14. The intensities of diffused images fluctuate around 127.5 with small deviation for Rd ≥ 1. The value of 127.5 is the ideal one for 8-bit grayscale images, or the central value of the range [0,255]. The number of iterations should be larger than 2, and Rd = 4 is chosen for all the later diffusion simulations.

Fig. 13
figure 13

Diffused images with various number of iterations, Rd = 1...4, with a single diffusion round at Nd = 1

Full size image
Table 7 Intensity of original and diffused images with various number of iterations Rd
Full size table
Fig. 14
figure 14

Intensity of original and diffused images with various number of iterations Rd = 1...9 and fixed Nd = 1

Full size image

Furthermore, the diffusion is simulated with various number of diffusion rounds Nd and fixed number of iterations at Rd = 4. Figure 15 shows the diffused images with various number of diffusion rounds Nd = 1...4. It looks all diffused images random and independent from number of diffusion rounds, Nd. More specifically, Table 8 and Fig. 16 show that the intensities of diffused images rapidly approach and fluctuate around ideal value (127.5). The fluctuation is low and obtained even at Nd = 1, thus the encryption should adopt Nd ≥ 2. Nd = 4 is chosen for the simulations of encryption later.

Fig. 15
figure 15

Diffused images with various number of diffusion rounds, Nd = 2...5 and fixed Rd = 4

Full size image
Table 8 Intensity of original and diffused images
Full size table
Fig. 16
figure 16

Intensity of original and diffused images with various number of diffusion rounds Nd = 1...5 and fixed Rd = 4

Full size image

4.1.3 Simulation result of encryption

According to the simulation results for the permutation and diffusion given above, the encryption is simulated with the parameters chosen at fixed Rp = Rd = 4 for the PCMs in the CPP and CD, and Np = Nd = 4 for the permutation and diffusion, while number of encryption rounds is varying as Ne = 1..5.

Figure 17 displays the simulation result of encryption for Ne = 1..4, where original images and corresponding ciphered ones are presented in rows. Intuitively, the encrypted images have good randomness and balanced intensities.

Fig. 17
figure 17

Encrypted images with a number of encryption rounds Ne and fixed Np = Nd = 4

Full size image

4.2 Statistical analyses

Let us quantify the randomness of the encrypted images by means of histogram, information entropy and correlation of two adjacent pixels. The encryption performs on multiple images at the same time, so the mean values of the measures are considered for the effectiveness of the encryption.

4.2.1 Histogram analysis

The histogram of an image provides the distribution of pixel values. Let us consider the statistical analysis of histogram by means of χ2 for a 8-bit grayscale image as

$$ \chi^{2}=\sum\limits_{i=0}^{255}\frac{(O_{i}-E_{i})^{2}}{E_{i}}, $$
(19)

where the expected occurrence frequency Ei for the image with the size of M × N is \(\frac {M*N}{256}\); observed occurrence frequency Oi is the number of pixels with the value i. The significance of histogram is considered if it is conformed a uniform distribution by means of a hypothesis test. Here, the hypothesis test is accepted if \(\chi ^{2}\leq \chi ^{2}_{\alpha }(255)\); α is the significance level. It is chosen as α = 0.05, so \(\chi ^{2}_{0.05}(255)=293.247\). This means that the histogram is considered as a uniform distribution if χ2 ≤ 293.247.

Table 9 shows the χ2-test results for the encrypted images with various number of encryption rounds. Remarkably, italicized numbers indicate that χ2 tests are not passed. For Ne ≥ 3, all encrypted images pass the χ2 test with the values less than 293.247. In other words, the distribution of pixel values of encrypted images is uniform for Ne ≥ 3.

Table 9 Histogram analysis
Full size table

4.2.2 Information entropy

Information entropy of an image indicates the probability of values of pixels vi, p(vi), for a 8-bit grayscale image and it is computed by

$$ \begin{array}{cc} IE={\sum}^{255}_{i=0}p(v_{i})log_{2}\frac{1}{p(v_{i})}&~~\text{(bits)}. \end{array} $$
(20)

It is expected that an encrypted image has IE as close to the ideal value (8 bits for a 8-bit grayscale image) as possible. Table 10 displays the information entropy of plaintext images and that of corresponding encrypted ones with various number of encryption rounds. The information entropy of individual encrypted images and its averages are greater than 7.99 for any number of encryption rounds. Figure 18 presents the entropy approaching to 7.9972 as the increase of Ne. This means that pixel values of the encrypted images are almost random for Ne ≥ 2.

Table 10 Information entropy (IE)
Full size table
Fig. 18
figure 18

Entropy of encrypted images with various number of encryption rounds Ne = 1...5 and fixed Rp = Rd = 4, Np = Nd = 4

Full size image

4.2.3 Correlation of two adjacent pixels

It is well-known that the equation for the Pearson correlation coefficient of two sequences X and Y is

$$ \rho_{X,Y}=\frac{{\sum}_{i=1}^{N_{pair}}(x_{i}-\overline{X})(y_{i}-\overline{Y})}{\sqrt{\left( {\sum}_{i=1}^{N_{pair}}(x_{i}-\overline{X})^{2}\right)\left( {\sum}_{i=1}^{N_{pair}}(y_{i}-\overline{Y})^{2}\right)}}, $$
(21)

where xi and yi are values of elements in the sequences X and Y, respectively; It is assumed that X and Y are the same length, Npair; \(\overline {X}\) and \(\overline {Y}\) are the means of X and Y, respectively. The lower correlation coefficient is, the higher independence of a sequence from the other is. In the case of 2D image, the correlation coefficients of adjacent pixel pairs are measured to quantify the visual structure of images. Specifically, the pairs of adjacent pixels are chosen in three directions, i.e. horizontal (H), vertical (V ) and diagonal (D). Here, xi and yi are values of adjacent pixels in a specified direction, and the number of pairs Npair is adopted by all possible pairs over the image.

Table 11 shows the correlation coefficients of the original images and corresponding encrypted ones. The correlation coefficients of encrypted images are very small in compared with those of original images. As seen in Table 12, the average correlation coefficients over all images in each direction are also small. It means that the micro visual structures in the original images are almost completely removed and replaced by the random pattern to become the encrypted images, even after a single round of encryption.

Table 11 Correlation coefficients of original images and their encrypted ones
Full size table
Table 12 Average correlation coefficients \(\bar {\rho }_{X,Y}\) of original and encrypted images
Full size table

4.3 Security analyses

4.3.1 Space of secret key

It is obvious that the secret key of the cipher is constructed by the number of flippable bits in the CPP and CD, and those of initial values of kP0 and kC0. Table 1 displays the number of bits from each parameter contributing to the secret key, i.e. 102 bits by the permutation and 230 bits by the diffusion. Therefore, the total number of bits of the secret key is 332, or the space of secret key is 2332. That is large enough to resist the type of brute force attack on the nowadays computer.

4.3.2 Sensitivity of secret key

The sensitivity of secret key is considered by the difference in two versions of encrypted images which are produced by the cryptosystem using two value sets of secret key, i.e. the original one and modified one. To evaluate the sensitivity of secret key on a parameter, the value of a single interested parameter of the secret key is slightly modified to have a modified value set of secret key. The original and modified value sets of secret key are used for encrypting the same set of test images. The difference in two sets of encrypted images given by the tolerance in the secret key is estimated by the ciphertext difference rate (Cdr), the number of pixels change rate (NPCR), and the unified averaged changed intensity (UACI).

The ciphertext difference rate (Cdr) quantifies the sensitivity of secret key. It is calculated by

$$ Cdr=\frac{Diff(C,C_{1})+Diff(C,C_{2})}{2M*N} 100\%, $$
(22)

where M and N are the number of rows and columns of pixels; Respectively, C, C1 and C2 are three ciphertext images what are produced by the encryption with the use of three value sets of secret key K, K + ΔK and K −ΔK. The difference between corresponding pairs of images is measured by the difference function Diff(A,B), which returns the number of pixels in the image A with values different from those in B. It is expressed by

$$ Diff(A,B)=\sum\limits_{x=1}^{M}\sum\limits_{y=1}^{N}Difp(A(x,y),B(x,y)), $$
(23)

where Difp(.) is considered by a pair of pixels at the position (x,y) as

$$ Difp(A(x,y),B(x,y))=\left\{ \begin{array}{ll} 1, &\text{for } A(x,y)\neq B(x,y),\\ 0, &\text{for } A(x,y)= B(x,y). \end{array} \right. $$
(24)

In this work, the original value set of secret key is as given in Table 4. The amounts of tolerance ΔK to evaluate the sensitivity for interested parameters of secret key are adopted as small as possible. Here, those are chosen as equal to the precision of value representation for parameters presented in Table 13. It is noted that the names of interested parameters are showed in the subscript and those belonging to the permutation and diffusion are indicated in the superscript. To evaluate the sensitivity of a specific parameter, the simulation is carried out with a modified value of only single interested parameter while the value of other parameters is unchanged as it is in the original value set of secret key. Therefore, there are eight modified value sets of the secret key corresponding to eight parameters as given in Table 14. It is noted that the tolerances kP0 and kC0 are only applied to the last elements, i.e. kP0(8) and kC0(8). The plain images are encrypted using the original value and eight modified value sets of secret key for estimation of the sensitivity.

Table 13 The value of ΔK for Cdr, NPCR and UACI
Full size table
Table 14 The original value of secret key and eight modified versions
Full size table

Table 15 displays Cdr for the sensitivity on parameters of secret key. For Ne ≥ 2, a slight difference in the value of secret key makes, on average, the value of more than 99.5% pixels changed in encrypted images. This means that the encryption is very high sensitivity to every parameter of the secret key.

Table 15 Sensitivity of the secret key by means of Cdr with various encryption rounds Ne
Full size table

Besides, the sensitivity of secret key can be analysed by using the NPCR and UACI between a pair of encrypted images C and C1 using the original value of secret key K and its modified version K + ΔK. The equations for NPCR and UACI are as

$$ NPCR = \frac {Diff(C,C_{1})}{M*N} 100\%, $$
(25)

and

$$ UACI=\frac{1}{M*N}\left[\sum\limits_{x,y} \frac{|C(x,y)-C_{1}(x,y)|}{255}\right] 100\%, $$
(26)

where C(x,y) and C1(x,y) are pixels at location (x,y) of encrypted images C and C1, respectively; the difference function Diff(.) is as shown in (23).

However, the question is that how high the sensitivity of secret key is enough that a cryptosystem can resist from differential attacks. The statistical hypothesis for the NPCR and UACI tests is employed to answer this question. The critical values of tests for NPCR and UACI were estimated at a significance level α as presented in [84]. For 8-bit grayscale images with the size of 256 × 256, the critical value at α = 0.05 for NPCR is \(NPCR^{*}_{0.05}=99.569\%\) and that for UACI is in the range of \(UACI^{*-}_{0.05}=33.282\%\) and \(UACI^{*+}_{0.05}=33.644\%\). The NPCR and UACI scores what are calculated from the simulation are sufficient to resist from differential attacks if \(NPCR\geq NPCR^{*}_{0.05}\) and \(UACI \in [UACI^{*-}_{0.05},UACI^{*+}_{0.05}]\)

The simulation results for NPCR and UACI are shown in Tables 16 and 17, respectively. For Ne ≥ 4 all the individual values of NPCR and UACI pass the tests of statistical hypothesis. In other words, values of NPCR are larger than the critical one \(NPCR^{*}_{0.05}\) and those of UACI are within the range of \([UACI^{*-}_{0.05},UACI^{*+}_{0.05}]\), respectively. In other words, the tests for the sensitivity of secret key are passed for every parameters of secret key. Moreover, all the average values of NPCR and UACI pass the tests for Ne ≥ 3. In consequence, a small change in the secret key makes large change in the ciphertexts, and it can resist from differential attacks based on the analysis of secret key for Ne ≥ 4.

Table 16 Sensitivity of the secret key by means of NPCR with various encryption rounds Ne
Full size table
Table 17 Sensitivity of the secret key by means of UACI with various encryption rounds Ne
Full size table

4.3.3 Analysis of differential attacks

Differential attack is based on analysis a pair of ciphered images produced by encryption of a pair of plain images for the purpose to learn about the secret key used in the encryption. It is noted that a pair of plain images are used in which one of them is slightly different from the other. In fact, the analysis of differential attack is to measure the plaintext sensitivity, and it is characterized by the NPCR and UACI of a pair of ciphered images.

For the multiple grayscale-image encryption, the set of eight original images are encrypted using the secret key as given in Table 4 to achieve the set of eight encrypted images, each encrypted image is denoted by C. Then, one of original images is modified slightly and that together with the other original images are encrypted to produce another set of eight ciphered images, each encrypted image is named C1. The analysis of NPCR and UACI as given in Eqs. (25)-(26) is carried on every pair of ciphered images C and C1. To analyse the sensitivity of each plaintext, eight sets of modified images are encrypted individually using the same value of secret key. NPCR and UACI are calculated for every pair of ciphertexts and their averages are obtained for each of sets of modified images. Similar to the analysis of the sensitivity of secret key, NPCR and UACI are compared with the critical value and the critical range to evaluate the randomness tests for image encryption [84].

Normally, a modified image is obtained by choosing a random pixel from the plain image and slight change applied to adopted pixel value. In this example, the last pixel of image at the position (255,255) is chosen deliberately to minimize the affect of pixel selection to the result encrypted images due that the diffusion is carried out in the forward direction. The value of chosen pixel is added 1 to if it is less than 255, or subtracting 1 if it is equal to 255. With this modification, the sensitivity of plaintext is lowest in the first round of encryption, and it is increased with larger number of encryption rounds.

Tables 18 and 19 show the result of NPCR and UACI measured for the sensitivity of plaintexts with various number of encryption rounds. The individual values of NPCR and UACI pass the tests of statistical hypothesis for Ne ≥ 4. The average values of NPCR pass the tests for Ne ≥ 4 while those of UACI meet the critical range for Ne ≥ 2. It means that a small change in the plaintext results large change in the ciphertexts, or the encryption is highly sensitive to the plaintext for few number of encryption rounds. It is clear that a number of individual values of NPCR and UACI are increased significantly from the first to the second round of encryption. That is due to the last pixel of plain images being modified. In fact, with the scanning order of row by row and left to right, the diffusion will makes the value of more pixels changed if the modified pixel is permuted with the one at lower row number. However, for the second round of encryption and beyond (Ne ≥ 2), the sensitivities on the plaintexts are equal for every plaintext.

Table 18 Sensitivity of the plaintext by means of NPCR with various encryption rounds Ne
Full size table
Table 19 Sensitivity of the plaintext by means of UACI with various encryption rounds Ne at fixed Np = Nd = 4
Full size table

4.4 Comparison with existing methods

In this section, the simulation result of the example employing the proposed design is compared with very recent methods regardless to their structures, plaintext images and the size of images. The simulation results in our example are obtained at Ne ≥ 4 and Np = Ne = 4 for the comparison. In addition, the simulation results of existing methods are re-interpreted by calculating the average for the context of multiple images, except for those in qualitatively presentation. Table 20 presents the measures for the statistical and the security analyses in which V/D and N/A stand for visual demonstration and not available. The visual demonstration means that the result is considered as a qualitative measure rather than quantitative one. H, V, and D are denoted for the horizontal, vertical, and diagonal directions of pixels in the calculation of correlation of an image. Here, the range is used for either different encryption round in our example or different encryption algorithms in the compared works.

Table 20 Comparison between the result of example at Ne ≥ 4, Np = Nd = 4 with other existing methods
Full size table

The histogram of encrypted images is measured and its distribution is analyzed by χ2-test for the homogeneous. All the tests of encrypted images in this example are passed for Ne ≥ 3 as given in Table 9. It indicates that the gray level of all the encrypted images are with the uniform distribution. Whereas, all the referral works only qualitatively demonstrate by plotting. The information entropy of the encrypted images in this example is comparable with that given in most of referral works. Specifically, it is better than that obtained in [97] and [101]. The correlation of adjacent pixels is computed and presented in most of reports, except for [97], and the result of this example is as good as those in the existing methods in all directions.

In fact, as one of advantage of chaos-based image encryption is that the space of secret key is large, and it can be easily adjusted for the desire of applications. It shows that the space of secret key in the example is as large as that in the referral works, and it is large enough to resist the brute force attack running on the nowadays computer. The sensitivity of secret key is usually considered by means of Cdr, NPCR, and UACI for two encrypted images what are produced by using two slightly different values of secret key. NCPR and UACI pass the test of statistical hypothesis with the significance level α = 0.05 for Ne ≥ 4. Also, the range of Cdr in this example are overlapped with that in other referral works. It means that the encryption in this example has as good sensitivity of secret key as that in other works. Similarly, the result of sensitivity of plaintext in this example shows that the encryption is also comparable with those in other referral works.

In summary, it is clear that the exemplar encryption using the proposed design is as good as those in the existing works.

5 Discussions and conclusions

The proposed model has some advantages in compared with the existing methods. First, the architecture of the model is based on the permutation-diffusion network. Therefore, the statistical properties of ciphered images and the level of security can be adjusted by either number of permutation, diffusion, and encryption rounds (Np, Nd, and Ne), or number of iterations applying to chaotic maps in the permutation and diffusion (Rp and Rd). For a specific configuration using the proposed model, the procedure for choosing parameters is as follows. For the permutation, the number of iteration Rp for the PCM in the permutation is chosen at what the statistical properties of output images are saturated while Np = 1. Then, at a chosen value of Rp, the simulation for various number of permutation rounds Np is performed and the value of Np is chosen at what the statistical properties of permuted images are with small fluctuation. The same process is carried out to choose the value of Rd and Nd for the diffusion. With chosen value of Rp, Rd, Np, and Nd, the encryption is simulated to choose number of encryption rounds, Ne, such that the criteria to choose Ne is based on the statistical properties of final ciphered images. The above example has demonstrated these processes, and the simulation results show that, with the perturbed Standard maps chosen for both the permutation and diffusion, the value of encryption are chosen as Rp = Rd = 4, Np = Nd = 4, and Ne ≥ 4.

Second, the PCMs in the proposed design are perturbed on both state variables and control parameters, so its dynamics is non-stationary. It is dependent on the coordinate of pixels in the permutation and on the value of pixels in the diffusion as shown in Figs. 5 and 8, respectively. The proposed design possesses the property of authentication. Therefore, the attack is successful only if the secret key of S bits is fully known. In the example, the numbers of chaotic orbits of PCMs in the permutation and diffusion are 2102 and 2230, respectively. The dynamics of PCMs are hopping among such huge numbers of orbits during encryption.

Third, with the fixed-point representation for values of state variables and control parameters, the space of secret key can be larger by increasing the number of bits in the fractional portion. However, the loss is that computation time is longer. Moreover, the value ranges of control parameters as well as state variables are dependent on the patterns of bits chosen to represent fractional numbers, and those can be segmented like control parameters given in Table 1 of the example. In that case, values of parameters are hopping on such the ranges.

Forth, it is clear from Fig. 8 that the proposed design of MIE is with the strong dependence on the content of images by means of the perturbation on the control parameters and state variables during the diffusion. Therefore, it makes the chosen-plaintext and known-plaintext attacks hardly successful in applying to the proposed design.

In fact, there are some extents to the proposed design. First, the proposed design can encrypt k images with k unequal to the power of two. Also, the images can be with different sizes and even with the size of images being unequal to the power of two. In the case of k≠ 2i (i is an integer), the number of bits in the third portion in Fig. 7b must be \(k_1^{(img)}=ceil(log_2k)\) (the function ceil(.) rounds a number up to the nearest integer). The index of the destination image for the pixel permutation is calculated by using the function mod(k) applying to the value for the index represented by the corresponding sequence of bits in kXYdes. For the case of M≠ 2j or N≠ 2t (j and t are integers), the coordinate of destination pixels can be identified in the same way.

Second, the proposed design can be used for the RGB images in one of two ways. In one way, each color channel of a RGB image can be dealt as a grayscale image in the encryption. In another way, each pixel of a RGB image is considered as normal, in which its number of bits are equal to sum of bits from all channels.

Third, there are two options of pixel permutation, i.e. intra-image and inter-image ones. Similarity, for the diffusion, it is carried out on the pixels only within individual images in the example. However, the diffusion in the proposed design can be developed for inter-image one by additional consideration of the destination image for a pixel as the same way in the pixel permutation. In the proposed model, if the encryption using the intra-image permutation together with intra-image diffusion, the encryption performs for each image independently and all images are encrypted in parallel.

In conclusion, the proposed design allows to encrypt more than one image at the same time by thoroughly exploiting a large number of bits generated by chaotic maps. Intuitively, chaotic maps are used more efficiently in compared with single image encryption. In addition, the security of the proposed design is enhanced by using the perturbed chaotic map and high sensitivity on the content of images. Also, it can be adjusted by the use of permutation-diffusion architecture.