1 Introduction

Nowadays, the increasing pervasiveness of technologies concerning the Internet of Things (IoT) and the fast development of digital technologies and communication networks, have given rise to dense traffic of information (documents, images, audio, videos...). Therefore, it is particularly important and essential to protect data transmission against attackers. Consequently, security of data transmission has been gaining more and more importance in the last decade and has been a subject of intense research.

In this context, a growing number of cryptographic techniques to secure transmitted information have been developed. Chaos in cryptography was introduced by Matthews in 1990s [22]. Since then, investigation on chaotic image encryption has become an active field of research due to the interesting properties of chaos such as ergodicity, sensitivity to initial conditions and parameters of the system, similarity to random behavior, and broad-band power spectrum [16]. During the last 20 years, many chaotic image encryption methods have been proposed in the literature.

Chaotic image encryption which is symmetric encryption, is classified into two types: chaotic block ciphers and chaotic stream ciphers. Chaotic block ciphers are the main symmetric key cryptosystems, as their design is related to Shannon’s theory of information security based on confusion and diffusion operations. Their security properties are well studied and these ciphers encrypt the plaintext block by block.

Some block ciphers have proven to be vulnerable to certain types of attack [23, 29, 33], and others have proven to be very efficient in terms of security and computing time [7, 9, 11, 12, 35, 36].

Stream ciphers encrypt bits or samples continuously. This is achieved by masking the plaintext (XOR operation) using the keystream output of the key stream random generator, as a one-time-pad. Therefore, stream ciphers, unlike block ciphers, are suitable for applications where the plaintext length is either continuous or unknown, such as network communications. Also, apart from the security aspect, the main characteristic of a stream cipher is its speed performance on different platforms and power consumption.

In recent years, several research efforts have investigated secure stream cipher designs. Many of these have been proposed in software form, e.g., A5/1 [5], LEVIATHAN (Cisco), MUGI (Hitachi-K.U. Leuven), RC4 [14], SNOW [8], SOBER (Qualcomm) and [26]. These stream ciphers have proven to be very weak and insecure. This has incited researchers to search for new methodologies that are immune to many attacks that can be applied.

In 2004, a project under the Information Societies Technology (IST) Program of the European Network of Excellence for Cryptology (ECRYPT), called “eStream” was tasked with seeking a strong stream cipher [25]. Its goal was to give rise to a standardization of fast and secure stream ciphers. Thirty-four candidate ciphers were submitted. Only a few proposals were chosen to belong to the current official “eStream” project and the others were rejected because of security vulnerabilities or lower overall performance. Two profiles of ciphers for software and hardware implementations were defined. The first profile is oriented to software-ciphers with high throughput and is faster than the 128-bits AES-CTR. The finalist include Salsa20/12, Rabbit, HC-128, and SOSEMANUK. The second profile is oriented to hardware ciphers that are suitable for highly constrained environments and are more compact than the 80-bits AES. Finalist ciphers include Grain, Trivium and MICKEY 2.0. These ciphers were found to be secure against known attacks. However, some tangible results have been reported by newer cryptanalysis attempts for some of these ciphers (Rabbit, Salsa12, SOSEMANUK, Grain, Trivium and MICKEY2.0) [21].

A new class of chaos-based stream ciphers has emerged and seems to be robust against known attacks.

Ahmed et al., [1] published a chaos-based feedback stream cipher (ECBFSC) for image cryptosystems. The proposed stream cipher is based on the use of a logistic map and an external secret key of 256-bit. The initial conditions for the logistic map are derived using the external secret key by providing weight to its bits corresponding to their position in the key.

Liu et al., [17] designed a stream-cipher algorithm based on one-time keys and robust chaotic maps, in order to obtain high security and improve the dynamic degradation. They used the piecewise linear chaotic map as the generator of a pseudo-random key stream sequence. The initial conditions were generated by the true random number generators, the Message-Digest algorithm 5 (MD5) of the mouse positions.

In [31] Vidal et al., proposed a new fast and light stream cipher based on a hyper-chaotic dynamic system, a codifying method with a whitening technique and a non linear transformation. This stream cipher has been implemented in video-conference applications for smart phones.

In this paper, we propose and realize in an effective way two stream ciphers, based on two robust Pseudo-Chaotic Numbers Generators (PCNGs). The proposed systems are very secure, due to the use of chaotic coupling and multiplexing techniques, while having a high speed performance.

The paper is organized as follows: we describe the general scheme of a stream cipher in Section 2. The proposed structure of the two PCNGs is detailed in Section 2.1. In Section 2.1.1, we describe the architecture of the first proposed PCNG and in Section 2.1.2 the architecture of the second proposed PCNG. In Section 2.1.3, we analyze the obtained results of mapping and approximated invariant values of the two PCNGs. Section 2.1.4 presents the performance measures of the two PCNGs in terms of average generation time, average Bit Rate (BR), and average Number of Cycles needed to generate one Byte (NCpB) according to the data size. Section 3 introduces the security analysis of the two proposed stream ciphers and their speed performance. Finally, Section 4 concludes the paper and gives some perspectives for our future work.

2 Proposed chaos-based stream ciphers

Stream ciphers, as shown in Fig. 1, are a class of symmetric cryptography, along with block ciphers [15]. In order to obtain a cipher text C i , the plain-text P i is combined, using a XOR operation, with a random keystream used only once and having the same length as the plaintext. The keystream is produced by a PCNG having as input a secret shared key K and an initial vector IV, which must be different for each encryption round. As the PCNG is deterministic, the same keystream can be generated in the decryption. Then, one can recover the original plaintext P i , by XORing the same keystream with the cipher text C i .

Fig. 1
figure 1

General scheme of a stream cipher

Full size image

The keystream must be random enough to ensure that if an attacker knows the keystream, he cannot recover the secret key or derive the internal state. Thus, the security of any stream cipher depends on the randomness of the keystream, therefore on the robustness of the used PCNG which is the main element of a stream cipher. Note that the same secret key and IV must be shared by the emitter and the receiver in order to encrypt/ decrypt the message sent through the communication channel and must be protected from access by others.

Several techniques have been proposed for the distribution of keys and IV. Concerning our algorithms, a symmetric key distribution is used in the generation and management of the secret keys and IV, in order to provide confidentiality and integrity of the keys. This technique is based on the use of a master key, which is infrequently used and is long lasting, and session keys which are generated and distributed for each communication between emitter and receiver [28].

In the following, we will describe in detail the general structure of the proposed PCNGs and their architectures.

2.1 Description of the general proposed structure for both PCNGs

The general structure of the proposed PCNGs is presented in Fig. 2. It takes the parameters of the system (N and the number of samples N s), a secret key “K” and a 32-bit initial vector “IV” as input, and as output, it generates pseudo-chaotic samples X(n), n=1, 2, ..., each quantified on N = 32 bits.

Fig. 2
figure 2

General structure of the proposed PCNGs

Full size image

The structure consists of four function blocks: IV-setup, Key-setup, Internal State and Output function. Both proposed PCNGs have the same general structure but completely differ in their internal state and slightly change in their Key-setup and IV-setup. Each function block will be detailed in the architectural description of the proposed PCNGs.

2.1.1 Architecture of the first proposed PCNG

In this section, we describe in detail the architecture of the first proposed chaotic generator. It is given in Fig. 3. The architecture uses three weakly coupled chaotic maps: PWLCM, Skew Tent and Logistic and includes a multiplexing chaotic technique [3, 18, 19, 24, 30].

Fig. 3
figure 3

Architecture of the first proposed PCNG

Full size image

The Key-setup function consists of two main parts. It takes the secret key K and the initial vector IV as input and calculates the initial values X p(0), X s(0) and X l(0) of the three chaotic maps: PWLCM, Skewtent and Logistic respectively.

The secret key of the system is formed by:

  • the initial conditions X p, X s and X l of the three chaotic maps: PWLCM, Skewtent and Logistic respectively, ranging from 1 to 2N-1,

  • the control parameter Pp and Ps of PWLCM and Skewtent maps, in the range [ 1,2N−1 − 1] and [ 1,2N − 1] respectively,

  • the parameters of the coupling matrix A, ε i j , ranging from 1 to 2k with k ≤ 5.

All the initial conditions, parameters and initial vector are chosen randomly from Linux generator: "/dev/urandom".

The initial values X p(0), X s(0) and X l(0) are calculated as follows:

$$ \left\{\begin{array}{lll} Xp(0) = Xp \oplus IVp\\ Xs(0) = Xs \oplus IVs\\ Xl(0) = Xl \oplus IVl \end{array}\right. $$
(1)

Where

$$ \left\{\begin{array}{llll} IVp = lsb(IV)\\ IVs = L_{cir}[lsb(IV),3]\\ IVl = L_{cir}[lsb(IV),2] \end{array}\right. $$
(2)

with ⊕ denotes the XOR operator, l s b(I V ) is the 32 least significant bits of IV and L c i r [S,q] performs the q-bits left circular shift on the binary sequence S.

The internal state function achieves the weak coupling of the chaotic maps and produces the future samples X p(n), X s(n) and X l(n) from which the output function, by using a chaotic switching technique, produces the output sequence X(n) (see Fig. 3).

The system is governed by the following equation :

$$ \left[\begin{array}{llll} Xp(n) \\ Xs(n) \\ Xl(n) \end{array}\right] = \textbf{A} \times \left[\begin{array}{llll} Fp[Xp(n-1)] \\ Fs[Xs(n-1)] \\ Fl[Xl(n-1)] \end{array}\right]. $$
(3)

where A represents the weak coupling matrix:

$$ \textbf{A} = \left[\begin{array}{lll} (2^{N}-\varepsilon_{12}-\varepsilon_{13})&\varepsilon_{12}&\varepsilon_{13} \\ \varepsilon_{21}&(2^{N}-\varepsilon_{21} -\varepsilon_{23})&\varepsilon_{23} \\ \varepsilon_{31}&\varepsilon_{32}&(2^{N}-\varepsilon_{31}-\varepsilon_{32}) \end{array}\right]. $$
(4)

with ε i j are the weakly coupling parameters, ranging from 1 to 2k and k ≤5.

And F p[X p(n − 1)], F s[X s(n − 1)] and F l[X l(n − 1)] are the discrete functions of the chaotic maps PWLCM, Skew Tent and Logistic respectively defined as follows:

$$ \begin{array}{lcl} Fp[Xp(n-1)]= \left\{\begin{array}{llll}\left\lceil 2^{N} \times \frac{Xp[n-1]}{Pp} \right\rceil& \text{if}~0<Xp[n-1]\leq Pp \\ \\ \left\lceil 2^{N} \times \frac{Xp[n-1]-Pp}{2^{N-1}-Pp} \right\rceil & \text{if}~Pp<Xp[n-1]\leq 2^{N-1} \\ \\ \left\lceil 2^{N} \times \frac{2^{N} - Pp - Xp[n-1]}{2^{N-1} - Pp} \right\rceil\ & \text{if}~2^{N-1}<Xp[n-1]\leq 2^{N} - Pp \\ \\ \left\lceil 2^{N} \times \frac{2^{N}-Xp[n-1]}{Pp} \right\rceil& \text{if}~2^{N} - Pp<Xp[n-1]\leq 2^{N} -1 \\ \\ 2^{N}-1-Pp & otherwise \end{array}\right. \end{array} $$
(5)
$$ \begin{array}{lcl} Fs[Xs(n-1)] = \left\{\begin{array}{llll} \left\lfloor \frac{2^{N}\times Xs[n-1]}{Ps} \right\rfloor & \text{ if}~0 < Xs[n-1] < Ps \\ 2^{N}-1 & \text{ if}~Xs[n-1] =Ps \\ \left\lfloor \frac{2^{N}\times (2^{N}-Xs[n-1])}{2^{N}-Ps} \right\rfloor & \text{ if}~Ps < Xs[n-1] < 2^{N} \end{array}\right. \end{array} $$
(6)
$$ \begin{array}{lcl} Fl[Xl[n-1]]= \left\{\begin{array}{llll} \left\lfloor \frac{Xl[n-1]\times [2^{N} - Xl[n-1] ]}{2^{N}-1} \right\rfloor& \text{if} ~Xl[n-1] \neq [3 \times 2^{N-2},2^{N}]\\ \\ 2^{N}-1 &\text{if} ~Xl[n-1] = [3 \times 2^{N-2},2^{N}]\\ \end{array}\right. \end{array} $$
(7)

The obtained multiplexed samples of the sequence X(n) are controlled by the chaotic sample X t h(n) and a threshold T, as shown in Fig. 3, and are defined as follows:

$$ X(n)=\left\{\begin{array}{cl} Xp(n),& \text{if} ~0 < Xth(n) < T\\ Xs(n),& \text{otherwise}\end{array}\right. $$
(8)

Where X t h(n) = X l(n) ⊕ X s(n).

After the generation of all needed samples X(n), the IV-setup function computes a new IV that will be used for the next running of the PCNG. The new IV is generated from the Linux generator: "/dev/urandom".

2.1.2 Architecture of the second proposed PCNG

The architecture of the second proposed PCNG is presented in Fig. 4. In comparison with the previous architecture, the main difference lies in the internal-state function, which is based on a binary diffusion matrix D.

Fig. 4
figure 4

Architecture of the second proposed PCNG

Full size image

The initial values X p(0), X s(0) and X l(0) are initialized throughout the key-setup function, as in Eqs. (1) and (2).

The equation of the system is given by:

$$ \left[\begin{array}{llll} Xp(n) \\ Xs(n) \\ Xl(n) \end{array}\right] = \textbf{D} \odot \left[\begin{array}{lll} Fp[Xp(n-1)] \\ Fs[Xs(n-1)] \\ Fl[Xl(n-1)] \end{array}\right]. $$
(9)

where D is the binary diffusion matrix:

$$ D = \left[\begin{array}{lll} 1 & 1 & 0 \\ 0 & 1 & 1\\ 1 & 0 & 1 \end{array}\right]. $$
(10)

And ⊙ is the operator defined as follows :

$$ \left[\begin{array}{llll} Xp(n) \\ Xs(n) \\ Xl(n) \end{array}\right] = \left[\begin{array}{llll} Fp[Xp(n-1)] \oplus Fs[Xs(n-1)] \\ Fs[Xs(n-1)] \oplus Fl[Xl(n-1)]\\ Fp[Xp(n-1)] \oplus Fl[Xl(n-1)] \end{array}\right]. $$
(11)

The choice of the output samples X(n) is governed, as in Eq. (8) by a threshold T and the chaotic sample X t h, with X t h(n) = X p(n) ⊕ X s(n).

For each new running of the system, the initial vector IV is updated using the Linux generator.

In the following paragraphs, we study two statistical performances, namely mapping and approximated invariant values, and the speed performance of the two PCNGs.

2.1.3 Mapping and approximated invariant values

The mapping or the phase space trajectory is one of the characteristics of the generated sequence that reflects the dynamic behaviour of the system. We draw in Fig. 5a and c the mapping of sequences X1 and X2, each containing Ns = 31250 samples, generated by the first and second architectures and a zoom of these mappings in Fig. 5b and d.

Fig. 5
figure 5

Mapping of sequences X1(a) and X2(c) of length 31250 samples, generated by the first and the second PCNGs and a zoom of these mapping in (b) and (d) respectively

Full size image

The resulting mapping of X1 and X2 seems to be random. This is due to the used techniques of coupling and chaotic multiplexing. In this case, it is impossible from the generated sequences to know which type of map is used. However, in the mapping of X2, we observe small empty areas. Then, we can say that the generated sequences of the first PCNG are more uniform than those generated by the second PCNG. This observation will be confirmed by the Chi-square test of the ciphered text. Also, we notice that the mapping of the coupled sequences seems to be random.

To prove the value uniformity of the generated sequences, Lozi [19] uses the ”approximated invariant measures”. This function was computed with floating numbers and based on the partition of the mapping space to M 2 small squares (boxes). In finite precision N, we defined the approximated invariant measures P d N (s i,t j) in the same manner as in [19]. First, the space mapping is divided into M 2 boxes r i,j as follows:

$$ s_{i} = X_{min} + i \times l , i=0,...,M. $$
(12)
$$ t_{j} = X_{min} + j \times l , j=0,...,M. $$
(13)

where

$$ l = \frac{X_{max}-X_{min}}{M} . $$
(14)

with X m i n = m i n(X i(N s)) , X m a x = m a x(X i(N s)) and N s is the number of samples under test.

The box r i,j is given by :

$$ r_{i,j}=[s_{i},s_{i+1}[\times[t_{j},t_{j+1}[ , i,j = 0,...,M-1. $$
(15)

In Fig. 6a and b, we show the r 6,6 box, after zooming the mapping of sequences X1 and X2.

Fig. 6
figure 6

Zoom on the phase space of sequences X1 and X2 generated by the first and second PCNGs

Full size image

The approximated probability distribution function P d N (s i,t j) is defined as follows:

$$ Pd_{N}(si,tj) = \frac{\#r_{i,j}}{Ns/M^{2}}. $$
(16)

with # r i,j is the number of samples inside the box r i,j .

Obtained values of # r i,j and P d N (s i,t j) for sequences X1 and X2 are given in Tables 1 and 2 respectively, for all boxes with M = 10 and N s = 31250. In Tables 3 and 4 we give the values of # r i,j and P d N (s i,t j) for N s = 31250 × 100.

Table 1 Values of # r i,j and P d N (s i,t j) for sequence X1 with N s = 31250 samples
Full size table
Table 2 Values of # r i,j and P d N (s i,t j) for sequence X2 with N s = 31250 samples
Full size table
Table 3 Values of # r i,j and P d N (s i,t j) for sequence X1 with N s = 31250 × 100 samples
Full size table
Table 4 Values of # r i,j and P d N (s i,t j) for sequence X2 with N s = 31250 × 100 samples
Full size table

Theoretically, the number of samples inside each box r i,j is N s/M 2 ≃ 312. Furthermore, the closer the P d N (s i,t j) value is to 1, the better the uniformity.

As we can see, compared to results in Table 2, results of Table 1 are closer to uniform distribution. Indeed, for sequence X1, the smallest value of P d N (s i,t j) is 0.832 and we only have 4 values smaller than 0.88. Likewise, the biggest P d N (s i,t j) value is 1.142 and only we have 5 values bigger than 1.10. For sequence X2, we observe that: the smallest value of P d N (s i,t j) is 0.246 and there are 34 values smaller than 0.88. Additionally, the highest P d N (s i,t j) value is 1.658 and there are 40 values higher than 1.10.

Besides, compared to results in Table 1, the obtained values of P d N (s i,t j) in Table 3, are closer to 1. Indeed, the uniformity is better when the number of samples N s is larger. However, these results are not valid for the PCNG2 when comparing Tables 2 and 4. This is due to the fact that the samples are distributed on a periodic orbit with a small period length.

We give also the cumulative relative error calculated by:

$$ CRE = \sum\limits_{i,j=1}^{M} | \frac{Ns/M^{2} - \# r_{i,j}}{Ns/M^{2}} |. $$
(17)

In Table 5, we report the obtained values of CRE for sequences X1 and X2. For this experiment, we took three different values for N s : N s = 31250, N s = 31250 × 10, and N s = 31250 × 100. And for each N s, we consider two values of M: M = 5 and M = 10.

Table 5 Values of the cumulative relative error
Full size table

We observe that, whatever the values of N s and M, the Cumulative Relative Error CRE of sequences generated by PCNG1 is smaller than the CRE of sequences generated by PCNG2. Also, we notice that, for each M, the CRE of PCNG1 decreases with a factor approximately equal to \(\sqrt {Ns}\), when N s increases. However, sequences generated by PCNG2 do not follow the previous rule.

2.1.4 Speed performance of the proposed PCNGs

Speed performance is an important factor for practical applications of the encryption algorithms. We study the computing performance of the proposed PCNGs. The experiment is performed on the flowing materials composed of Intel(R) Core(TM) i5-4300M CPU @2.60GHZz 2.60 GHz with 16.0 GB Running on Ubuntu 14.04 Trusty Linux distribution, using GNU GCC Compiler. The two PCNGs are implemented in C language using sequential and parallel programming.

For the parallel version, we implement the proposed PCNGs with multi-threaded programming using the POSIX threads ("pthread library"). Only the internal state and the output functions are implemented in parallel programming. The key-setup function is implemented sequentially. We use a number of cores equal to four. For this, we create four threads T h i ,i = 0..3 using the function "pthread_create" of the C Language. New sub-initial conditions and parameters (X p i ,X s i ,X s i ,I V p i ,I V s i and I V l i ) are needed for each thread T h i . These parameters are calculated as follows:

$$ \left\{\begin{array}{llll} Xp_{i} = L_{cir}[Xp_{i-1},3]\\ Xs_{i} = L_{cir}[Xs_{i-1},3]\\ Xl_{i} = L_{cir}[Xl_{i-1},3] \\ IVp_{i} = L_{cir}[IVp_{i-1},3]\\ IVs_{i} = L_{cir}[IVs_{i-1},3]\\ IVl_{i} = L_{cir}[IVl_{i-1},3] \end{array}\right. $$
(18)

where i = 1..3 and and L c i r [S,q] performs the q-bits left circular shift on the binary sequence S.

Figure 7 shows the structure and locations of samples in S e q u e n c e_X of length equal to 10 samples, generated using parallel programming.

Fig. 7
figure 7

Location of samples in Sequence_X using parallel programming

Full size image

In Tables 6 and 7 we give, the average generation time in microsecond (μ s), the average bit rate in Megabits/second (Mbits/s) and the average required number of cycles to generate one byte for different lengths of sequences, using sequential and parallel programming respectively. The average is calculated over 100 different sequences using a different secret key for each one.

Table 6 Speed Performance of PCNG1 and PCNG2 using sequential implementation
Full size table
Table 7 Speed performance of PCNG1 and PCNG2 using parallel implementation
Full size table

The bit rate and the number of cycles needed to generate one byte N C p B is defined as follows:

$$ Bit \ rate (Mbits/s) = \frac{Generated \ data \ size (Mbits)}{Average \ generation \ time (s)} $$
(19)
$$ NCpB = \frac{ CPU speed (Hz)}{Bit \ rate (Byte/s)} $$
(20)

From results of Tables 6 and 7, we remark first that, due to its less complex internal state, the speed performance of the second PCNG is better than the first one. Second, we observe that, for small size data (up to 32768 bytes) the PCNG implemented with sequential programming is faster than that programmed in parallel (see also Figs. 8 and 9). This is due to the time synchronization between the four threads.

Fig. 8
figure 8

NCpB of the first proposed PCNG

Full size image
Fig. 9
figure 9

NCpB of the second proposed PCNG

Full size image

Notice that, apart from the stream cipher, the proposed PCNGs can be used in several applications that require the generation of a large amount of secure random numbers.

In Table 8, we give the performance in terms of N C p B of some known pseudo random number generators: Wang et al., [32], Akhshani et al., [2] and our proposed PCNGs. The comparison is performed for a data size equal to 786432 bytes. It can be observed that the N C p B performance of the proposed PCNGs is better than the others cited.

Table 8 Computing performance of some known pseudo random number generators
Full size table

In the following section, we will study the security analysis and the speed performance of the two proposed stream ciphers.

3 Security analysis and speed performance of the proposed stream ciphers

A good stream cipher algorithm should be robust against all kinds of cryptanalytic, statistical and brute-force attacks. Also, it should provide a high encryption speed. In this section, we discuss the security analysis of the proposed stream cipher algorithms, based on the first and second proposed PCNGs described in Section 2.1 and their speed performance. Key space, Key sensitivity and Statistical analysis is carried out in order to prove that the proposed stream ciphers are secure against the most common attacks.

As most encryption algorithms (AES-CTR, Rabbit, HC-128...) encrypt 128 bits by 128 bits, our stream cipher algorithms are adjusted also to encrypt 128 by 128 bits of the plain text. For this, the keystream generator produces 128 bits of keystream to be combined with 128 bits of plain text by an XOR operation. Recall that for each new encryption, a new IV is produced.

From the speed performance of the PCNGs given in Tables 6 and 7, the PCNGs are faster when generating 128 bits of keystream in sequential programming. For this, we use sequential programming in the implementation of the two proposed stream ciphers.

To evaluate the performance of the proposed stream ciphers, a number of experiments were performed based on several color images, which were used as plain images having the sizes (128 × 128), (256 × 256), (512 × 512) and (1024 × 1024).

3.1 Cryptanalytic analysis

In the following part, some habitual cryptanalytic analysis is performed.

3.1.1 Key space analysis

For any secure crypto-system, the key space should be large enough to resist a brute-force attack. The sizes of the secret keys for the first and second architectures are respectively given by:

$$\begin{array}{@{}rcl@{}} |K1| = (|Xp| + |Xs| + |Xl| ) + (|Pp| + |Ps|) + 6 \times |\varepsilon_{ij}| = 189 \ bits \end{array} $$
(21)
$$\begin{array}{@{}rcl@{}} |K2| = (|Xp| + |Xs| + |Xl|) + (|Pp| + |Ps|) = 159 \ bits. \end{array} $$
(22)

where |X p| = |X s| = |X l| = |P s| = 32 bits ; |P p| = 31 bits and |ε i j | is equal to 5 bits.

The proposed algorithms have 2189 and 2159 different combinations of the secret key. Therefore the secret key sizes of the two architectures are large enough to make brute-force attack infeasible.

3.1.2 Key sensitivity analysis

An efficient stream cipher should be very sensitive to the secret key. The change of a single bit in the secret key should produce a completely different encrypted image. Indeed, to verify this feature, we calculate the average Hamming Distance D H (X,Y ) (using 100 secret keys), between two ciphered images C 1 and C 2, of the same plain image P, with only one change in the least significant bit of the parameter P p.

D H (C 1,C 2) is given by the following equation:

$$ D_{H} (C_{1},C_{2}) = \frac{1}{Nb} \times \sum\limits_{K=1}^{Nb}(C_{1}[K] \oplus C_{2}[K]) $$
(23)

With N b is the number of bits in an encrypted image.

The obtained results of the Hamming distance for three different ciphered images by the two algorithms are close to the optimal value of 50% (see Table 9). Such results are obtained regardless of the position of the changed bit in the secret key. This demonstrates that the proposed algorithms are highly sensitive to the secret key.

Table 9 NPCR and UACI performance
Full size table

Other common measures used to test sensitivity to the secret key on the encrypted image when changing one bit are the Number of Pixel Change Rate (NPCR) and Unified Average Changing Intensity (UACI). The former is used to measure the number of different pixels between the two images, whereas the latter is used to measure the average intensity difference.

Let C 1[i,j,p] and C 2[i,j,p] be the (i,j,p)th pixel of two ciphered images C 1 and C 2, respectively. The NPCR and UACI are defined by (24) and (26), respectively.

$$ NPCR = \frac{1} { L\times C \times P} \times \sum\limits_{p=1}^{P} \sum\limits_{i=1}^{L} \sum\limits_{j=1}^{C} {D[i,j,p] \times 100} \% $$
(24)
$$ D[i,j,p]= \left\{\begin{array}{lllll} 0,& \text{if } C_{1}[i,j,p]=C_{2}[i,j,p] \\ 1,& \text{if } C_{1}[i,j,p] \neq C_{2}[i,j,p] \end{array}\right. $$
(25)
$$ UACI = \frac{1} { L\times C \times P \times 255} \times \sum\limits_{p=1}^{P} \sum\limits_{i=1}^{L} \sum\limits_{j=1}^{C} {|C_{1}-C_{2}| \times 100} \% $$
(26)

Table 9 also shows the obtained results of NPCR and UACI for the previous three ciphered images. The resulting values are near to the expected values of NPCR and UACI which are 99.60% and 33.46%, respectively [20, 34].

So, as we can see, the proposed algorithms are very sensitive with respect to small changes in the secret Key.

3.2 Statistical analysis

To prove the robustness of the proposed stream ciphers against statistical attacks, we perform the following experiments: histogram, chi-square test, correlation and NIST.

3.2.1 Histogram and Chi-square test analysis

Another key property of a secure stream cipher algorithm is that the encrypted image should have a uniform distribution. We applied the first proposed stream cipher on three different plain images (Lena, Baboon and Peppers) of size (512 × 512 × 3). The obtained results are given in Figs. 1011 and 12. On each one, we show (a) the plain image, (b) the corresponding cipher image, (c) the histogram of the plain image and (d) the histogram of the ciphered image.

Fig. 10
figure 10

a Lena image, b Lena cipher image, c the histogram of Lena image and d the histogram of the ciphered Lena image

Full size image
Fig. 11
figure 11

a Baboon image, b Baboon cipher image, c the histogram of Baboon image and d the histogram of the ciphered Baboon image

Full size image
Fig. 12
figure 12

a Peppers image, b Peppers cipher image, c the histogram of Peppers image and d the histogram of the ciphered Peppers image

Full size image

We can visually observe that the histograms of the encrypted images are uniform and significantly different from those of the plain-images. The same visual results are obtained for the second proposed algorithms.

In order to assert the uniformity of the encrypted images, we apply the Chi-Square test. The experimental Chi-Square test χ 2 is calculated by the following formula:

$$ \chi_{\exp}^{2}=\sum\limits_{i=0}^{K-1}{(O_{i}-E_{i})^{2}\over E_{i}}. $$
(27)

Where K is the number of levels (here 256), O i are the observed occurrence frequencies of each color level (0 −255) in the histogram of the ciphered image, and E i is the expected occurrence frequency of the uniform distribution, given here by E i = (L × C × P)/256 [9].

We compare the experimental value with the theoretical value obtained for a threshold α = 0.05 and a degree of freedom K −1 = 255. To prove the uniformity of a sequence, the experimental value of Chi-Square must be lower than the theoretical one \(\chi _{\exp }^{2} < \chi _{th}^{2}\) (255, 0.05). The smaller the experimental value of Chi-Square is than the theoretical one, the better the uniformity of the histogram.

In Table 10, we reported the experimental and theoretical values of the Chi-Square test for the three ciphered images (Baboon, Peppers, and Lena) obtained by both proposed algorithms. We note that for the three images, \(\chi _{\exp }^{2}<\chi _{th}^{2} (255, 0.05)\). Also, images encrypted by the first algorithm have a better uniform distribution those encrypted by the second algorithm.

Table 10 Theoretical and experimental values for the Chi-Square test
Full size table

3.2.2 Correlation analysis

The adjacent pixels in a plain image may have strong correlation. Also, the pixels in an encrypted image with a high security level is expected to be randomly distributed. Therefore, a good encryption scheme should have the ability to efficiently reduce the correlation among adjacent pixels. We measured the correlation coefficient between adjacent pixels, selected randomly from three directions: horizontally, vertically and diagonally. The correlation coefficient ρ x y of adjacent pixels is calculated by the following (28):

$$ \rho_{xy}= \frac{{\sum}_{i=1}^{M} (x_{i}-\frac{1}{M} {\sum}_{j=1}^{M}x_{j}) (y_{i}-\frac{1}{M} {\sum}_{j=1}^{M}y_{j})}{[{\sum}_{i=1}^{M} (x_{i}-\frac{1}{M} {\sum}_{j=1}^{M}x_{j})^{2}]^{1/2} \times {[{\sum}_{i=1}^{M} (y_{i}-\frac{1}{M} {\sum}_{j=1}^{M}y_{j})^{2}]^{1/2}}}. $$
(28)

where x i and y i form i th pair of horizontally/vertically/diagonally adjacent pixels, M is the total number of pairs of horizontally/ vertically/diagonally adjacent pixels.

In Table 11, we give the obtained correlation coefficients in horizontal, vertical and diagonal directions of 1000 pairs of adjacent pixels of the plain images mentioned above and their corresponding ciphered images.

Table 11 Correlation coefficients between pairs of plain and encrypted images
Full size table

These results show that the correlation coefficients of the plain images are close to 1 while those of encrypted images are near to 0. Then, the proposed encryption schemes generate an image with uncorrelated adjacent pixels. This indicates that the proposed algorithms are secure against statistical attacks.

In addition, such results are confirmed in Fig. 13, which shows the correlation of two horizontally, vertically and diagonally adjacent pixels in the plain and ciphered Baboon image (512 × 512 × 3) using the first algorithm. Similar results are obtained when using the second algorithm.

Fig. 13
figure 13

The distribution of two adjacent pixels in the plain and encrypted images of ’Lena’ a and b distributions of two horizontally adjacent pixels in the plain and encrypted images of ’Lena’, respectively. c and d are distributions of two vertically adjacent pixels in the plain and encrypted images of ’Lena’, respectively. e and f are distributions of two diagonally adjacent pixels in the plain and encrypted images of ’Lena’, respectively

Full size image

3.2.3 NIST

To evaluate the performance of the proposed algorithms, we also use one of the most popular standards for investigating the randomness of binary data, namely the NIST statistical test. This test is a statistical package that consists of 15 tests that are proposed to assess the randomness of arbitrarily long binary sequences [10, 27].

We encrypted 100 different binary sequences of plain text, P 1 and P 2; using the first and second algorithms respectively, each one with a different secret key and containing 106 bits. We present the results of NIST for the encrypted sequences C 1 and C 2 in Table 12, with a level of significance of the test α = 0.01. Results show that sequences C 1 and C 2 have successfully passed all NIST tests. In addition, we observe that globally, the data ciphered by the first algorithm pass NIST tests more efficiently than data ciphered by the second one. This is in accordance with results previously obtained by the others tests.

Table 12 P-values and Proportion results of NIST for the first and second proposed algorithms
Full size table

3.3 Speed performance of the proposed stream ciphers

In Table 13 we give the speed performance in terms of average encryption time in (μ s), average encryption throughput in (Mbits/s), and the number of cycles needed to encrypt one byte (NCpB) of the proposed algorithms for different sizes of data. We remark that globally, the speed performance of the stream ciphers is approximately 17% less than that of the corresponding PCNGs.

Table 13 Speed Performance of the two proposed stream ciphers
Full size table

In Table 14, we give a comparison of NCpB for the proposed algorithms (for Lena 512 × 512 × 3) with other chaos-based algorithms and the most known stream ciphers [4, 6].

Table 14 Comparison of speed performance between different algorithms
Full size table

We observe that the proposed algorithms have a better speed performance than the cited chaos-based algorithms except that of [31]. However, in [31], the authors do not explain the measurement method used to obtain such excellent results, given that the complexity of their system is similar to ours. Compared to the AES-CTR, Rabbit, HC-128, Salsa20/12 and SOSEMANUK, the obtained performance is not as good. However, the non linearity of the proposed systems is higher than the other systems, consequently, its robustness against known attacks is higher.

4 Conclusion

In this paper, we developed two novel chaos-based stream ciphers. The high efficiency obtained from these systems is due to the designed PCNG structure. Indeed, their architectures integrate three chaotic maps weakly coupled using a predefined matrix or coupled by a binary diffusion matrix and using a chaotic multiplexing technique. Simulation tests and security analyses were carried out to prove the efficiency in terms of robustness and speed performance of the proposed stream ciphers. The obtained results show that the proposed stream ciphers can be used in practical applications including secure network communication.