Lightweight, dynamic and efficient image encryption scheme

Abstract

Recently, there has been a growing attention for Chaos-based image encryption algorithms. This class of algorithms relies on embedded chaotic maps to ensure a high security level with minimal performance overhead. One such algorithm, which we refer to as NCIES, was proposed recently, and the authors claimed that the algorithm achieves the required cryptographic properties with just a single round. In this paper, we first assess the performance of the NCIES cipher and we show that a single round is not enough for this cipher to ensure the desired cryptographic properties. In this context, we describe how such a cipher is vulnerable to a chosen plaintext/ciphertext attack. Next, we propose a new lightweight dynamic key-dependent cipher scheme that can address and overcome the issues identified in the NCIES cipher and other recent lightweight image encryption schemes. The proposed cipher is designed in a way to achieve a good balance between the latency, the required resources, and the security level when compared to recent chaotic image cipher schemes.

1 Introduction

The protection of digital images is an essential requirement for safeguarding the confidentiality and privacy of people in general [22, 23], and more so for patients when dealing with medical images. However, traditional cryptographic techniques using symmetric-key encryption algorithms such as DES [6] and AES [11], are not efficient for encrypting image and video contents due to the intrinsic nature of images and the strong correlation among the adjacent pixels [17]. Therefore, traditional encryption algorithms do not meet the real-time requirements of multimedia streaming [12], which motivates the quest for alternative solutions.

1.1 Objective and contributions

One objective of this work is to analyze the recent lightweight image encryption algorithms presented in [15, 16, 38] and to assess their security and performance levels towards validating their suitability for protecting image contents. First, the NCIES algorithm requires a large memory size, which hinders its applicability to resource-constrained devices. We performed tests that confirmed the fact that the required number of iterations needed to achieve the required avalanche effect (plain-sensitivity property) is six and not one. With a single iteration only, the system is susceptible to different kinds of attacks such as known/chosen plain-text/cipher-text attacks since the cipher layers are based on diffusion primitives [40] that mix together the block bytes with the permuting bits. As such, the actual execution time of the secure NCIES scheme increases by a factor of 6. Therefore, to render the NCIES algorithm secure (6 rounds), the latency becomes inappropriate.

Another drawback of the scheme in [15] is that it is extremely sensitive to error, which precludes any practical implementation. An error of one bit can lead to the loss of the whole image content as we show in Section 3.4. This is caused by the avalanche effect, which employs a diffusion primitive with bit-level permutation.

Recent solutions, such as [16, 38], ensure that the avalanche effect covers the whole image by using the cipher block chaining (CBC) operation mode in forward and backward directions, without the bit permutation operation to reduce the required memory and to limit the effect of errors.

However, applying the CBC mode in forward and backward directions prevents the parallel encryption/decryption implementation and the effect of error propagation is doubled when compared to the original CBC mode, only in the forward direction.

In order to overcome the mentioned issues, in this paper, we propose a new efficient and lightweight cipher scheme that exhibits a better latency and resources’ requirement. The proposed solution can be considered as a dynamic ECB mode, which uses key-dependent substitution tables (S-boxes) to perform the substitution operation and to generate the round block keys, which are different for each block and for each iteration. The generation of round keys is lightweight and sequential. To avoid any issues from this sequential generation approach, another block permutation step is introduced at the end of encryption to randomize the order of the blocks. The proposed solution is designed and implemented to achieve 1) a high security level, 2) minimal latency and required resources, and 3) low error propagation effect, especially when compared to [15, 16, 50]. The solution is based on an optimized binary diffusion matrix to benefit from the maximal linear branch number.

Note that the proposed scheme avoids chaining operations, and consequently, it can be realized in parallel, and it limits the effect of error propagation to only the corrupted blocks in contrast to [16, 38]. Moreover, the presented cipher is based on simple integer operations in contrast to [8, 18], which use floating-point arithmetic. The scheme is more efficient than [31], which uses asymmetric encryption.

The rest of this paper is organized as follows. In Section 3, the scheme of [15] is analyzed in terms of the avalanche effect, uniformity, and difference properties. Its security robustness is analyzed against different types of attacks in Section 4, and a chosen plain/cipher text that identifies a security loophole in the NCIES scheme is presented. In Section 5, an efficient and lightweight dynamic cipher scheme is presented. In Section 6, a cryptanalysis is performed for the proposed cipher, followed by a performance analysis in Section 7 to assess the efficiency of the scheme in terms of latency, error propagation, and memory consumption. Finally, Section 8 concludes the paper.

Table of Notations

Notation	Definition
C	Number of columns of an image
R	Number of rows of an image
P	Number of plane (in gray-scale P = 1)
N B	Number of blocks in one image
B	Number of bytes of an block
len	Number of bits of an image
K p	Permutation sub-Key uses to construct πblocks.
π	A Dynamic produced permutation table (P-box)
π − 1	The inverse corresponding the permutation table (P-box)
I	original image \(=\{X_{1}, X_{2}, \ldots , X_{N_{\mathrm {B}}}\}\)
C	Encrypted image \(\{c_{1}, c_{2}, \ldots , c_{N_{\mathrm {B}}}\}\)
c j	The j th encrypted block of xi
X j	The j th original plain block
X j k	k th byte of the i th original plain block
D X j	The j th diffuses block
SK	Secret Key
N o	Nonce
DK	Dynamic Key
K S i	The i th dynamic substitution sub-key uses to construct the i th substitution table Si, respectively.
π B L	The produced dynamic permutation table uses for blocks permutations operation.
\(\pi ^{-1}_{BL}\)	The inverse produced dynamic permutation table uses for inverse blocks permutation operation.
S i	i th produced dynamic substitution table.
\(S_{i}^{-1}\)	The i th inverse corresponding substitution table.

2 Related work

One promising paradigm investigated by researchers in the last decade is chaos-based computing. Chaos consists of a non-linear dynamic system that appears to be random. Due to its extreme sensitivity to initial conditions, chaos has been considered for the design of cryptographic algorithms targeting digital images [1, 9, 26, 29, 44, 45, 48, 54].

However, chaos-based encryption algorithms are not always secure; actually, the majority of such algorithms have been successfully cryptanalyzed [32, 33, 42, 53]. This is due to their instability that stems from the periodicity of mapping [25] and the finite computing precision that renders the system vulnerable to various kinds of attacks [3, 4]. Another main disadvantage is that most chaos-based encryption algorithms rely on floating-point arithmetic, which significantly increases the computational complexity of any software or hardware implementation, and hence renders chaos-based cryptographic solutions inefficient when compared to integer-based schemes such as AES and DES. On the other hand, for more than a decade, several AES optimization were presented to make it more suitable for real-time systems with high data rates, and for limited-power devices. The main objective of these optimization is to reduce the required resources and latency in addition to render its hardware implementation a simple one [5]. In addition, a set of optimized assembly AES instructions were introduced to the instruction set of Intel processors [20, 39].

In fact, AES may not satisfy the future requirements for lightweight cipher schemes according to NIST [35]. Therefore, a new initiative has been launched for the design of new lightweight cryptographic algorithms, especially for the Internet of Things (IoT).

Accordingly, different cipher algorithms have been proposed recently [5] to solve this issue by reducing the number of rounds. Examples of such algorithms include LEA [24], FeW[30], Prince [7], TWINE [47], Lblock [51], Piccolo [46], and LED [21].

However, since these ciphers are also based on static substitution and diffusion primitives, they require iterating a round function for a large number of rounds, r (see Table 1). This is mandatory to reach the desired security level. Unfortunately, these ciphers can provide the required security level, yet at the expense of high overhead in terms of latency and required computational resources.

Table 1 List of recent lightweight encryption algorithms

Ensuring data confidentiality within limited systems might introduce an overhead that would hinder their proper operation by impacting the overall system performance [35]. As such, designing a new cipher scheme that achieves a high security level with low computational complexity and required resources becomes more than mandatory towards overcoming the limitations for a set of modern systems, applications and devices.

The minimum required number of iterations for recent lightweight cryptographic algorithms is 4 according to Table 1, wich is the case of Hummingbird2 cipher. On the other side, the recent lightweight chaotic image encryption algorithms such as [8, 18, 27, 31, 36] base also on the multi-round structure. The hard challenge that limits the majority of chaotic cipher schemes that they use floating-point calculations and require conversion operations to integer, which introduces an important overhead in terms of latency and required resources. In addition, [31] requires asymmetric encryption, which requires more resources and introduces more overhead [19] when compared to symmetric encryption.

Recently, an integer chaotic cipher scheme was proposed in [15], and we shall refer to it as the NCIES cipher; it is based on a static binary diffusion layer, followed by a key-dependent bit-permutation that is based on a periodic 2D cat map, and that iterates only for a single round. The authors claim that the avalanche effect, difference and uniformity properties can be achieved after the first round, as shown in Fig. 7 of [15]. The authors deduced such results based on a small image of size 16 × 16, and then, they generalized the avalanche effect result of one round to larger images. However, typically, the number of iterations increases with the number of blocks.

3 Analysis of the NCIES approach

In this section, plain message sensitivity, difference between plain and encrypted messages, and uniformity tests of the NCIES cipher scheme [15] are performed to analyze its performance. The encryption and decryption schemes of this solution are illustrated in Figs. 1 and 2, respectively. From a cryptanalysis viewpoint, the required number of iterations is determined when the required security level is reached, independent of the message type. Such a value cannot be justified based on standard images such as Lenna. The tests conducted should take into account the possibility of chosen plain/cipher messages attack, whereby an attacker may select any message to recover the secret or figure out the cryptographic primitives. These tests should employ special messages that trigger the maximum number of iterations to better quantify the required number of rounds to reach the desired cryptographic strength. Examples of such messages are those having all bytes inactive (zero) except for just one random non-zero byte with the least significant bit (LSB) set to 1.

Fig. 1

Architecture of the NCIES encryption algorithm described in [15]

Fig. 2

Architecture of the NCIES decryption algorithm described in [15]

3.1 Plain/cipher text sensitivity

An acceptable sensitivity level leads to considerable change in the cipher text (or decrypted plain text) in response to a slight change in the original (or encrypted) message. Let I and I^′ represent two chosen images. A cipher algorithm E_K() with secret key K is considered to be robust against chosen/known plain/cipher text attacks, if it ensures the avalanche effect when applied to I and I^′. In other words, the percentage of the Hamming distance (in bits) between the corresponding cipher images C = E_K(I) and C^′ = E_K(I^′) should be close to 50%, while I and I^′ only differ by one bit. The chosen image I has all values equal to zero, while I^′ differs from I by only one random pixel that has a value of one.

The sensitivity (PS) of the plain image is analyzed for a large number N of random plain images and secret keys, using the following average Hamming distance metric between the cipher images:

$$\begin{array}{@{}rcl@{}} \text{PS} &\triangleq& \frac{1}{N}\sum\limits_{w = 1}^{N} H(E_{K_{w}}(I_{w}),E_{K_{w}}(I^{\prime}_{w})) \end{array} $$

(1)

$$\begin{array}{@{}rcl@{}} H(C_{w},C^{\prime}_{w}) &=&\frac{1}{T}\sum (\mathsf{Byte2bit} (C_{w}) \oplus \mathsf{Byte2bit}(C_{w}^{\prime}) ) \times 100\% \end{array} $$

(2)

where T is the length in bits of the original and cipher images, \(C_{w}=E_{K_{w}}(I_{w})\) and \(C_{w}^{\prime }=E_{K_{w}}(I^{\prime }_{w})\) are the corresponding w th cipher images of the original images I_w and \(I_{w}^{\prime }\), respectively, and K_w is the wth secret key. The Byte2bit function converts its input argument into a binary string, and the XOR operator returns the bit-wise exclusive-or of its string operands. The summation in (2) accumulates the non-zero bits in the resulting binary string. We emphasize that all the elements of \(I_{w}^{\prime }\) and I_w are zero, except for a randomly chosen byte that has its LSB set to one.

The avalanche effect results are plotted in Fig. 3 for the Lenna image and for the chosen image, respectively, for different sizes M. The results show the average value of PS over N = 1,000 random dynamic keys versus the number of rounds r for M × M sized images. The results clearly indicate that the minimum number of iterations required to reach the avalanche effect for different image sizes is at least six. The results are shown numerically in Table 2 for the Lenna image. These results differ from the ones presented in [15]. On one hand, setting r = 1 as recommended in [15] yields a low plain/cipher text sensitivity, which renders the approach weak against chosen/known plain-text attacks since the scheme is based on static diffusion primitives. On the other hand, selecting r = 6 leads to a six-fold increase in execution time and power consumption, which defeats the main objective of [15].

Fig. 3

Variation of the avalanche effect over 1000 random keys versus the number of rounds r for a the Lenna image, and b the chosen Zeros image using the NCIES algorithm

Table 2 Variation of avalanche effect versus size of Lenna image and number of rounds r using the NCIES algorithm

3.2 Independence

The independence between the plain and cipher images is measured using the Hamming distance metric between I and its encrypted version C:

$$\begin{array}{@{}rcl@{}} H(I_{w},C_{w}) =\frac{1}{T}\sum (\mathsf{Byte2bit} (I_{w}) \oplus \mathsf{Byte2bit}(C_{w}) ) \times 100\% \end{array} $$

(3)

where T,I_w,C_w,K_w are as defined in (1)–(2). Moreover, all the elements of I_w are equal to zero, except for a randomly chosen byte whose LSB is set to one, for w = 1,…,N.

Figure 4 plots the independence between the plain and cipher images for Lenna and Zeros. Figure 4a shows that the independence between original and encrypted Lenna is obtained after the first round. However, Fig. 4b clearly shows that the original scheme of [15] requires the same number of iterations as the avalanche effect for the zeros image, which means that r should be at least six to achieve independence. This validates our recommendation for the need to rely on images of mostly zeros to better quantify the required number of rounds necessary to achieve independence and the avalanche effect.

Fig. 4

Variation of the difference between plain and cipher-text over 1000 random keys versus the number of rounds r for a Lenna, and b the chosen Zeros image using the NCIES algorithm

3.3 Uniformity

Resistance against common statistical attacks is assessed using the uniformity property, which measures how uniform the frequency of occurrence of each symbol in the encrypted image is. On average, each symbol should have a probability of occurrence close to \(\frac {1}{n}\), where n is the number of symbols. To determine the degree of uniformity of an encrypted image, the chi-square test is applied as:

$$ \chi^{2}= \sum\limits_{i = 0}^{Q-1}\frac{(o_{i} - e)^{2}}{e}, $$

(4)

where Q is the number of gray levels (e.g., Q = 256 for gray scale images), o_i is the frequency of occurrence of the i th gray level, and \(e=\tfrac {len}{Q}\) is the desired uniform frequency, with len being the image length in bytes.

This statistical test is used to compare the observed data with a specific hypothesis. A null hypothesis is formulated, which is then rejected or accepted with the help of the statistical test. The probability value below which the null hypothesis is rejected is called the alpha level or the “significant level”. A typical level of confidence of 5% is often chosen to decide whether the null hypothesis is false or not [13]. A significance level of 5% is equivalent to a 95% confidence that a given result cannot occur [49]. If the number of gray levels Q equals 256, the chi-square test reaches a maximal value that is close to 293 [10].

So, all values lower than 293 are acceptable and satisfy the uniformity property. Accordingly, we employ the chi-square test in this paper to quantify the required number of rounds necessary to reach uniformity.

The cipher image C_w defined earlier versus the number of rounds is used as input to the chi-square test, again assuming the image I_w has the same structure as defined above. Figure 5 shows that the mean chi-square value reaches at most 293 after 2 iterations for certain tested Lenna image sizes, and 6 iterations for all tested chosen Zeros image sizes. This confirms our earlier observation that r ≥ 6 is needed to achieve the desired cryptographic strength.

Fig. 5

Variation of the mean chi-square value over 1000 random keys versus the number of rounds r for Q = 256 gray levels, using the NCIES algorithm for a Lenna, and b the chosen Zeros image

3.4 Error propagation

Another important criterion to be satisfied by any cipher is error tolerance as opposed to error propagation. Interference and noise are very typical in transmission channels [34] and storage media [43], which effectively cause bit errors to occur. A single bit error refers to the change of a single bit value from ‘0’ to ‘1’ or vice versa. If an error propagates, it leads to the destruction or degradation of the received data. As such, it is a challenge to design a secure cipher scheme that ensures the global avalanche effect, while simultaneously guaranteeing low error propagation [34].

In case of the cipher scheme presented in [15], a random bit error, in an encrypted block, affects the whole decrypted image. The difference between both decrypted images is calculated by using (2). Figure 6 shows the effect of channel errors on the decrypted image. The Figure clearly shows that any bit error causes about 50% error, which indicates that the scheme is highly prone to error propagation. This can seen visually in Fig. 7, which shows the degradation in the decrypted image versus channel errors.

Fig. 6

Error propagation versus percentage of errors using the NCIES algorithm

Fig. 7

Decrypted images in relation to the percentage of channel errors of [15]

Hence, such a scheme is not suitable for wireless communication channels that are subject to different kinds of noise effects [2]. As a result, the approach of [15] is inefficient compared to existing traditional ciphers (block or stream) from an error propagation perspective [14]. For example, the effect of bit errors in cipher block modes is limited to only one block entirely in the case of ECB, or partially in the cases of OFB and CTR modes. In CBC mode, such an error affects two blocks, where the first block is completely affected and the second is partially damaged.

In addition, the proposed cipher scheme will not affect three blocks as in [16, 38] or the whole image as in [15].

In summary, the proposed encryption/decryption is done at the block level, and as such, an error that occurs in a byte of an encrypted block affects only its corresponding block and it will not affect its neighbours blocks. Thus, low error propagation is guaranteed and an error correction scheme is presented, which is a great advantage for the proposed cipher scheme.

3.4.1 Visual degradation effect of error propagation

This test is specific to image and video contents, and it quantifies the visual degradation of a cipher scheme in relation to error propagation. The resulting degradation in the decrypted image after any single bit change creates noticeable distortion. To measure the visual degradation, two well known parameters are studied to measure the encryption visual quality: Peak Signal-to-Noise Ratio (PSNR) and Structural Similarity Index (SSIM).

PSNR is derived from the mean-squared error (MSE) quantity, which represents the cumulative squared error between an original and an encrypted image. A low PSNR value indicates that there is a large difference between the original and the cipher images. On the other hand, the SSIM index [32] is a metric based on the Human Visual System, and it quantifies the similarity between two images. The SSIM index lies in the interval [0,1]. A value of 0 means that there is no correlation between the original and the cipher images, while a value close to 1 means that both images are approximately the same. In this context, PSNR and SSIM are measured between two decrypted Lenna images (where the second decrypted image corresponds to the encrypted image with an error percentage). Figure 8a and b plot the variations of PSNR and SSIM as a function of error percentage, respectively. The results again confirm that the NCIES cipher results in a high difference between both decrypted images, even for low error percentages. Consequently, high visual distortion results from a small error percentage, with one-bit error being sufficient to destroy the whole image.

Fig. 8

Average of PSNR and SSIM between both decrypted Lenna images versus the percentage of channel errors, for 1000 random secret keys

Table 3 shows the statistics of PSNR, SSIM, and DIf_Decr, where DIf_Decr is the sensitivity test that measures the difference between two decrypted images when a percentage of errors is introduced into the encrypted image (we assume that it is the effect of a channel noise in the encrypted image). We can see that it is close to 50%, which is a relatively high value that prevents the recovery of the original image. Accordingly, no useful visual information or structure about the original image can be deduced from the decrypted image if any error is introduced into the channel.

Table 3 Statistical results for the Lenna image over 1,000 random keys

4 Cryptanalysis of the NCIES approach

The NCIES cipher is based on diffusion primitives without any substitution operation, which means that the confusion property is missing. Consequently, the cipher is vulnerable to various kinds of attacks, such as chosen/known plain/cipher text attacks [40] as well as brute force attacks for small image sizes. We propose a chosen plain/cipher text attack that can break the cipher with only two chosen messages. Note that known plain/cipher text attacks can be realized, but they require a large number of plain and cipher text pairs.

4.1 Chosen plain/cipher text attack

Here, one can select any input message. The binary diffusion matrix D is known and is independent of the secret key. Also, its corresponding inverse matrix D^− 1 is available for the attacker. Therefore, the goal of this attack is to construct the inverse bit-permutation table, which can be considered as the only secret in the analyzed approach. This can be easily achieved by recovering the secret control parameters (u and v) and the initial conditions (rx and ry). In the following, we show how the chosen plain/cipher text attack can be devised based on specifically chosen blocks.

Note that an essential operation, (r,c) = index2sub(ix), is required to provide the equivalent row r and column c subscripts of a linear index ix, and can be calculated according to the following equation:

$$\begin{array}{@{}rcl@{}} r &=& (ix-1) \bmod{M} + 1\\ c &=& \lfloor(ix-1) / M\rfloor + 1 \end{array} $$

where ix = 1,2,…,len, len = 8 × N_B × B = M × M; N_B is the number of byte-blocks in the message, B is the number of bytes per block, \(M=\sqrt {len}\) is the dimension of the square matrix in bits, and ⌊x⌋ represents the largest integer less than or equal to x. Conversely, the operation ix = sub2index(r,c) is used to recover a linear index from its row and column subscripts as follows:

$$ix = (c-1)\times M + r $$

The attacker constructs an image I using N_B blocks X_i each containing B bytes such as \(X=\{X_{1}||\ldots ||X_{i}||\ldots ||X_{N_{\mathrm {B}}}\}\). Moreover, all blocks X_i are null except for one block, say the jth block X_j, which has a non-zero byte value. Hence,

where ()^T is the transpose operator. The block X_j is chosen according to a specific rule: its corresponding diffused block has only one active byte, say the k th byte X_jk, different than zero, and that this byte has only one bit, say the qth bit, different than zero.

This means that the diffusion block of X_j, denoted as DX_j with B bytes, has only one-byte element equals to 2^q, where q = 0,1,2,…,7 as presented in the following form:

Let ⊙ denote the vector “and-xor” dot-product operator between two binary vectors of length B:

$$\begin{array}{@{}rcl@{}} \mathbf{v}^{T} \odot \mathbf{w} = (v_{1} \cdot w_{1}) \oplus (v_{2} \cdot w_{2}) \oplus {\cdots} \oplus (v_{B} \cdot w_{B}) \end{array} $$

(5)

Then, to obtain the required X_j for the chosen plaintext attack, the inverse diffusion operation is multiplied by the desired diffused block DX_j as shown in the following equation:

$$ X_{j} = \mathbf{D}^{-1}\odot DX_{j}, $$

(6)

Note that in (6), the entries of D^− 1 are bits while the entries of DX_j are bytes. The “and-xor” operator ⊙ between a bit-vector and a byte-vector is defined similar to (5), where the presence of a 1 in D^− 1 indicates that the corresponding byte in DX_j is included in the cumulative-xor, and a 0 indicates it is excluded. For example, assume that the desired DX_j has the last byte as the active one (its LSB is active) as follows:

The desired X_j is obtained by using (6) that will produce the desired diffused block DX_j. Therefore, for the previous example with B = 32,Q = 8, and D as defined in [15] (see Appendix B), the corresponding X_j is

$$\begin{array}{@{}rcl@{}} {X_{j}^{T}} &= \mathbf{1010 ~ 0000 ~ 1001 ~ 1110 ~ 0000 ~ 1101 ~ 0000 ~ 0100} \end{array} $$

The second example of the chosen plain-text block should provide diffusion DX_j with only the first byte being the active one (MSB is active) as presented in the following:

Its corresponding X_j (according to (6)) should be equal to:

$$\begin{array}{@{}rcl@{}} {X_{j}^{T}} = \mathbf{1000 ~ 0000 ~ 1011 ~ 0000 ~ 1101 ~ 1110 ~ 1101 ~ 0101} \end{array} $$

In fact, the desired diffused block DX_j is first chosen, then the original block X_j can be computed. It is worth mentioning that the diffusion matrix used in [15] (see Appendix B) is not what is claimed in [28].

On the other hand, to launch chosen ciphertext attacks, we need to select diffused block DX_j that can provide X_j with only one active byte and with only one active bit. To obtain the required DX_j for the chosen ciphertext attack, the diffusion operation is performed on the desired original (inverse diffusion) block X_j as expressed in the following equation:

$$ DX_{j} = \mathbf{D} \odot X_{j} $$

(7)

For example, if the desired X_j has the last byte as the active one and with only the LSB active as presented in the following:

then the corresponding diffused block DX_j according to (7) is

$$\begin{array}{@{}rcl@{}} D{X_{j}^{T}} = \mathbf{1010 ~ 0001 ~ 0000 ~ 0111 ~ 0001 ~ 1101 ~ 0000 ~ 0111}. \end{array} $$

In addition, a second example of chosen cipher block DX_j that can provide X_j with only the first byte having a value equal to 1 as presented in the following:

Its corresponding DX_j (according to (7)) should be equal to:

$$\begin{array}{@{}rcl@{}} D{X_{j}^{T}} = \mathbf{1110 ~ 1001 ~ 1011 ~ 1001 ~ 0111 ~ 0000 ~ 1001 ~ 0101}. \end{array} $$

Now, for chosen plain-text attacks, an attacker builds a set of original images {I₁,I₂,…}, where for each original one, a specific unique non-null original block X_j is introduced that can ensure that the output diffused block has only one active bit. However, for chosen ciphertext attack, an attacker builds a set of encrypted images {C₁,C₂,…}, where for each encrypted one, a specific unique non-null encrypted DX_j block is introduced that can ensure that the output inverse diffusion block has only one active bit.

In fact, the diffusion of zero blocks will provide zero blocks and only the diffused X_j block, (DX_j), will provide a non-zero block with only one non-zero byte that has only one active bit. In addition, the permutation/inverse permutation operation will not change the byte values since all are zero, except for just one byte. Therefore, the indices of this bit before and after permutation (ix and ixp, respectively) are known by the attacker now for each chosen plain image or cipher image. The index ixp can be obtained easily from the encrypted/decrypted message since it is the only non-null bit. Then, the row and column subscripts of ix and ixp can be obtained as (r,c) = index2sub(ix) and (rp,cp) = index2sub(ixp).

Note that two matrices (A and R_xy) are generated from the permutation key and they are used to build the permutation table and its corresponding inverse permutation table.

For a successful chosen plain-text attack or vice-versa for the chosen cipher-text attack, these matrices should be known. Indeed, A is based on both control parameters (u, v) and R_xy is based on two initial conditions rx and ry.

$$ \mathbf{A} = \left[\begin{array}{cc} 1 & u \\ v & 1+u\times v \end{array}\right], \text{and } \mathbf{R}_{xy}= \left[\begin{array}{c} rx+ry\\ ry \end{array}\right] $$

(8)

Then, from the first chosen plain-text or cipher-text attack, the following relation can be established:

$$ \left[\begin{array}{c} rp\\ cp \end{array}\right]= \mathbf{A} \cdot \left[\begin{array}{c} r\\ c \end{array}\right]+ \mathbf{R}_{xy}= \left[\begin{array}{cc} 1 & u \\ v & 1+u\times v \end{array}\right] \cdot \left[\begin{array}{c} r\\ c \end{array}\right]+\left[\begin{array}{c} rx+ry\\ ry \end{array}\right] $$

(9)

Additionally, one chosen plain/cipher text is not sufficient to solve this transformation and to recover these unknown parameters and initial conditions. Therefore, we require iterating the chosen plain/cipher attack again while choosing a new different chosen block to obtain a new system of equations. So, the same steps are repeated and new indices of this bit before (ix2) and after (ixp2) permutation are computed. Similarly, ixp2 can be obtained easily from the encrypted/decrypted message since it is the only non-null bit. Therefore, their corresponding rows and columns (r2, c2) for ix2 and (rp2, cp2) for ixp2 can be calculated using also the index2sub operation.

This means a new system of equations can be built, which is given by:

$$ \left[\begin{array}{c} rp2\\ cp2 \end{array}\right]= \mathbf{A} \cdot \left[\begin{array}{c} r2\\ c2 \end{array}\right]+ \mathbf{R}_{xy} \bmod M= \left[\begin{array}{cc} 1 & u \\ v & 1+u\times v \end{array}\right] \cdot \left[\begin{array}{c} r2\\ c2 \end{array}\right]+\left[\begin{array}{c} rx+ry\\ ry \end{array}\right] \bmod M $$

(10)

Now, subtracting (10) from (8) permits to remove R_xy and the output becomes only related to the unknown matrix A:

$$ \left[\begin{array}{c} rp2-rp1\\ cp2-cp1 \end{array}\right] = \left[\begin{array}{cc} 1 & u \\ v & 1+u\times v \end{array}\right] \cdot \left[\begin{array}{c} r2-r1\\ c2-c1 \end{array}\right] \bmod M $$

(11)

Then, u can be calculated by using the following equation:

$$ u=\frac{rp2-rp1-r2+r1}{c2-c1} \bmod M $$

(12)

After the calculation of u, v can be computed by using the following equation:

$$ v=\frac{(cp2-cp1-c2+c1)}{r2-r1+u\times (c2- c1)} \bmod M $$

(13)

Now, the attacker can build the matrix A since u and v are known. The next step is to determine the matrix R_xy. This is possible by using (8) or (10). In the following, (8) is used to recover first ry and then rx.

ry and rx can be computed using the following equations:

$$ ry=cp1-v\times r1 -(1+ u \times v) \times c1 \bmod M $$

(14)

$$ rx=rp1-r1-u\times c1 -ry \bmod M $$

(15)

Therefore, the proposed cryptanalysis requires only two chosen plain/cipher blocks to recover the permutation key (u, v, rx, and ry). Accordingly, the employed permutation table P-box and its corresponding inverse can be generated by using the recovered permutation key. Indeed, the inverse permutation table π^− 1 can be obtained by using the produced P-box π according to the following equation:

$$ \pi^{-1}[\pi (t)]=t , t = 1, 2, \ldots, M^{2} $$

(16)

where 1 ≤ π(t) ≤ M². Then, by calculating the permutation or inverse permutation table, chosen plain-text or cipher-text attacks allow the decryption of the next encrypted images easily. Consequently, NCIES is broken and it cannot ensure the data confidentiality.

As lessons learned from NCIES cipher, several security vulnerabilities should be fixed and these are as follows:

1. 1.

   with only one round, the avalanche effect is not reached.

2. 2.

   the diffusion process is broken since no addition round key operation exists in the analyzed scheme. The diffusion of zero blocks will preserve their zero values after diffusion.

3. 3.

   no substitution operation to ensure the non-linearity property and to make the solution of this system of equations a hard task.

Algorithm 1 presents the steps of chosen plain-text attacks, which can be summarized by forming two plain images, followed by calculating the indices of the active bit before and after encryption, and then, using these indices to obtain the permutation key, which in turn is used to form the permutation table and consequently its inverse. In addition, to perform a chosen cipher-text attack, minor modifications are required, which are:

1. 1.

   Using chosen cipher images instead of the original ones, and

2. 2.

   Iterating the decryption algorithm instead of the encryption one (lines 5 and 10).

In the pseudo-code, the notation A(i : j) refers to the elements of A at indices i to j.

In the following section, we propose a cipher scheme that introduces substitution and round block key operations, in addition to ensuring the avalanche effect at the block level. Moreover, round keys are different for each block and for each iteration to complicate the cryptanalysis process and to make it a hard task.

4.2 Brute force attacks

In fact, NCIES [15] uses the secret key to produce the permutation key. Moreover, the permutation key is divided into two parts: control parameters (u and v) and two initial conditions (rx and ry), where each one requires qp bits. Therefore, the size of the permutation key is 4 × qp × rp, where qp = ⌈log₂(M)⌉ and r = rp = 1 according to their configuration. Therefore, the permutation key depends on the size of the square input image (M × M). Furthermore, independent of the large size of the secret key, which is used as a seed for this chaotic generator, the length of the produced permutation key is not sufficient to resist brute force attacks, specifically for small-size images.

In fact, for M ≤ 256, their chaotic generator is iterated once to produce a permutation key with 32-bit length. Hence, a brute force attack is possible [40] for this small size of the permutation key. On the other hand, their generator may require to iterate twice for M ≥ 256. This means that the length of the permutation key is 64 and it is also not sufficient to resist brute force attacks [40].

The analyzed scheme [15] can be broken by employing other types of attacks because of r = 1. For example, the scheme cannot resist statistical attacks (uniformity is not reached) in addition to chosen/known plain-text attacks with the miss-configuration. Moreover, the problem of single image failure and accidental key disclosure is not taken into consideration by this scheme. Finally, the analyzed cipher cannot resist different kinds of attacks in addition to different performance limitations.

4.3 Discussion and recommendations

Based on the results of the NCIES cipher analysis, a new efficient cipher solution should be designed to overcome the discussed weaknesses. Several recommendations will be presented and discussed to justify the proposed cipher structure and how such a solution achieves better efficiency without degrading the security level.

1. 1.

   Employing key dependent Substitution-Diffusion Primitives: The proposed cipher is based on key-dependent substitution and diffusion primitives similar to the techniques presented in [37, 38]. The key-dependent approach for the confusion and diffusion primitives is preferable since different entities use different primitives that are unknown by the attackers and hence, introduce a challenge to break.

2. 2.

   Dynamic-key Approach: Our main recommendation is to use a dynamic key-dependent approach [16, 37, 38, 41] to achieve high resistance against attacks. This makes the cipher primitives change with time and constitute a hard problem for the attackers who will not be able to gather useful information from different sets of encrypted/decrypted images resulting from different dynamic keys. Moreover, the binary diffusion matrix is independent of the secret key. Recent cipher solutions that employ a dynamic key approach are presented in [16, 37, 38]. Note that the dynamicity should be preserved such that the confusion and diffusion primitives are able to reach the required level of cryptographic strength.

3. 3.

   Towards reducing the high error propagation: To limit the effect of error propagation, the encryption should be performed independently of the block level, which can be considered as a good balance between the avalanche effect and error propagation.

4. 4.

   Towards reducing the memory consumption: Substitution and diffusion primitives should be performed at the byte or word levels instead of the bit level, and the round function should be limited to the block level to reduce the required memory size, latency and error propagation. Note that the bit permutation operation introduces an important overhead compared to the byte permutation since it requires conversion and re-conversion operations. This was the case of DES and to avoid such an overhead, the AES logic was recommended to avoid all cipher operations at the bit level.

5. 5.

   Towards reducing the latency: Designing a simple lightweight round function is essential to reduce the latency and the required resources. More importantly, reaching the avalanche effect with the minimum possible number of iterations is mandatory. In fact, the dynamic key-dependent approach allows for the reduction of the number of rounds since the cipher primitives would not be known to the attacker and they are built to ensure a high possible level of confusion, diffusion and avalanche effect at the block level. Additionally, the cipher scheme should avoid chaining operations between blocks to allow for parallel implementations.

5 Proposed image cipher scheme

The proposed approach is based on a dynamic key, DK, which is obtained by applying a secure cryptographic hash function such as SHA-512 on the mixing of a secret key SK and Nonce N_o. Then, the key is divided into 5 sub-keys as illustrated in Fig. 9, which are required to form three substitutions tables (S₁, S₂, S₃, one permutation table, π_BL, and a selection index table, SI). For more details about the construction of the key-dependent substitution and permutation tables, readers are referred to our previous work presented in [38].

Fig. 9

Architecture of the proposed dynamic key derivation function

The proposed cipher scheme deals with flexible image sizes. If the number of bytes of an image is not a multiple of 32, a padding operation is required. Then, the input image is divided into N_B blocks \(\{X_{1}, X_{2}, \ldots , X_{N_{\mathrm {B}}}\}\), where each has a size of B =32 bytes. Furthermore, the cipher process is illustrated in Fig. 10, while its pseudo-code is described in Algorithm 2.

Fig. 10

Architecture of the proposed image encryption algorithm

This scheme consists of two main layers as illustrated in Fig. 10. First, the proposed round function is iterated twice, which is sufficient to ensure the avalanche effect at the block level. Therefore, a single bit change of any input block will lead to a different cipher block with a high percentage change (close to 50% at the bit level). Finally, a block permutation process is introduced to randomize the sequential order of the blocks.

The round function and its corresponding inverse are shown in Fig. 11. The proposed round function consists of three operations: the addition round key (uses S₁ for the first iteration and S₂ for the second one, in addition to a selection table SI to control the generation of round block keys), substitution using S₃, and a binary diffusion. The inverse round function has the same operations in a reverse order, and it uses the inverse substitution table, \(S_{3}^{-1}\), and the inverse diffusion matrix.

Fig. 11

Architecture of the proposed round function (a) and its corresponding inverse one (b)

The diffusion operation is based on the inverse binary diffusion matrix of [28] and it has a linear branch number equals to 10. Indeed, the proposed diffusion operation is based on a static binary mixing matrix G. While the addition round key, substitution and permutation operations are based on the generated S-boxes and P-box. For further details about the permutation and substitution construction and realization, readers are referred to our previous work [38].

S₁ and S₂ are used to generate the round block keys for the first and second iterations, respectively, while S₃ is used in the substitution process.

Similarly, the decryption scheme consists of applying first an inverse block permutation process using the inverse of π_BL, \(\pi _{BL}^{-1}\). In addition, the corresponding two rounds are applied in reverse order and they use the corresponding round block keys, inverse dynamic substitution table, \(S_{3}^{-1}\), and the inverse binary diffusion matrix, G^− 1.

The round block keys generation is designed to be lightweight, and the produced keys ensure a high level of randomness and uniformity as shown in the statistical tests (See Section 6.1).

6 Cryptanalysis of the proposed cipher scheme

In this section, all the required cryptographic metrics of the proposed cipher scheme are verified: high level of randomness, avalanche effect, independence, and high key sensitivity. The experiments were performed on the standard image “Lenna” and Zeros Image. The results, shown below, validate the robustness of the proposed approach. For more details about the description of the security and performance tests, readers are referred to our previous work [38]. Table 4 presents the statistical results of these tests.

Table 4 Statistical results of the proposed cipher scheme using Lenna image using and for 1000 random keys

6.1 Randomness

In order to be immune against statistical attacks, the proposed cipher scheme should exhibit specific random properties such as uniformity and independence [52].

The uniformity can be verified visually by plotting the Probability Density Function (PDF) of the encrypted message and it should be uniform. Original and encrypted “Lenna” with their corresponding PDFs are shown in Fig. 12. While original and encrypted zeros image (all elements are equal to 0) with their corresponding PDF are shown in Fig. 13. Figure 14 shows a 8 × 8 sub-matrix of the original Lenna image of Fig. 12a and their corresponding encrypted sub-matrix of Fig. 12c. As shown, all numerical values are changed, this ensures the randomness property. In addition, the PDF of the encrypted Lenna image is close to a uniform distribution with a value close to 0.039 (\(\frac {1}{256}\)), where 256 represents the number of possible symbols. Moreover, the entropy of the encrypted message should be close to its maximum value (In our case 8, since the data precision is “UINT-8”). We measure the entropy at the sub-matrix level to better quantify its level, where each sub-matrix has 256-byte elements. According to Fig. 15, the entropy of the encrypted sub-matrices of the gray and colored Lenna has a value close to 7.3, which is greater than that of the original sub-matrices and closer to the desired value of 8 as compared to the original ones.

Fig. 12

a Original Lenna, b PDF of original Lenna with size 512 × 512 × 3, c Encrypted Lenna, d PDF of encrypted Lenna using the proposed scheme

Fig. 13

a Zeros image with size 512 × 512 × 3, b Encrypted Zeros image, d PDF of encrypted image using the proposed scheme

Fig. 14

a 8 × 8 cropped plain-image Lenna with its corresponding gray-scale matrix, b encrypted version of this matrix using the proposed cipher algorithm with its gray-scale value

Fig. 15

a The variation of the entropy test on the original and encrypted sub-matrices of the gray (a) and color (b) Lenna images with size 512 × 512 × 3 using the proposed scheme

On the other hand, the independence can be quantified by measuring the correlation between plain and encrypted messages, as well as the difference between the original and encrypted images; the independence value should be very close to zero.

Figure 16 shows the Empirical Cumulative Distribution Function (ECDF) of the correlation coefficient of the adjacent pixels of the encrypted “Lenna” image in horizontal, vertical and diagonal directions, with 1,000 random keys. We can see that the coefficient correlation of the adjacent pixels in encrypted Lenna images is very low and close to 0, which demonstrates that the proposed scheme eliminates the spatial redundancy. Similarly, the ECDF of the percent difference between original and encrypted Lenna images (at the bit level) is shown in Fig. 17. The results show a large difference between the original and encrypted images.

Fig. 16

ECDF of the correlation coefficient of adjacent pixels in ciphered Lenna images: a horizontally, b vertically and c diagonally, respectively using the proposed scheme

Fig. 17

ECDF of the difference test result (between original and encrypted Lenna images) using the proposed cipher scheme

Consequently, the proposed cipher scheme ensures independence and uniformity, and hence it exhibits the required cryptographic randomness degree.

6.2 Visual degradation

Figure 18 shows the histogram of the obtained results of PSNR and SSIM between the original and the encrypted Lenna image for 1,000 dynamic keys. As shown, the PSNR has low values between [9.2, 9.26] with a mean equals to 9.23 dB. In addition, the SSIM values vary within [0.031, 0.041], which is very low and close to zero. Accordingly, a hard visual distortion is achieved and no useful information about the original image could be revealed from the encrypted image.

Fig. 18

Histogram of the obtained PSNR and SSIM (between the original and the encrypted Lenna images) for 1000 dynamic keys using the proposed scheme

6.3 Plain block sensitivity: avalanche effect

Figure 19 shows the ECDF results of the avalanche effect at the block level by using zero blocks with only one active bit. The results show that the low probabilities of the avalanche effect are less than 45% and the minimum is close to 40%; while the high percentages are in the interval [47,48,49,50,51,52]. This clearly satisfies the avalanche effect at the block level.

Fig. 19

The variation of the percent of the avalanche effect results using the proposed cipher scheme for 10000 random keys at the block level. The both chosen blocks have all elements equal to zeros, except the second block has only one byte that has only one active bit

6.4 Key sensitivity test

To avoid different kinds of key-related attacks, a sufficient large key size is required in addition to a high key sensitivity. Any slight difference in the key (usually one bit difference) must affect significantly the resultant encrypted image.

The ECDF of the key sensitivity test is illustrated in Fig. 20 against 1,000 random dynamic keys. The majority of values can be seen to be close to the optimal value of 50 %. This proves the high key sensitivity and consequently, the ability of the proposed cipher to resist all key-related attacks. Moreover, a visual result is shown in Fig. 21 for a decrypted Lenna image with one-bit difference in the dynamic key. We can see that the decrypted image carries no useful information.

Fig. 20

ECDF of the Key sensitivity results using the proposed scheme for 1,000 random dynamic keys

Fig. 21

Decrypted Lenna image using the proposed scheme with its corresponding correct dynamic key (a) and with one bit error in the dynamic key used (b)

6.5 Security analysis of the proposed cipher scheme

In the following, well-known cryptanalytic analysis is performed to assess the immunity of the proposed cipher against such attacks. The proposed cipher scheme follows the Kerchoff’s concept, where the structure is considered to be public and the cryptanalyst has a complete knowledge of the construction technique of the dynamic substitution and permutation tables and the employed static diffusion, but no knowledge about the secret key or the nonce, and hence no knowledge about the dynamic key.

6.5.1 Statistical attacks

The proposed scheme ensures a high degree of randomness since the uniformity and the independence were proved in Section 6.1 (PDF, entropy analysis; correlation test in addition to difference test). Therefore, the scheme can ensure a high resistance degree against statistical attacks.

6.5.2 Weak keys attacks

In fact, the scheme is based on a dynamic approach (see Fig. 9) in contrast to the majority of the existing schemes that are based on a static approach. Furthermore, the dynamic key generation process leads to a set of dynamic keys with a high degree of randomness since a secure cryptographic hash function with maximum collision resistance is used, SHA-512. In addition, all cipher operations such as the generated substitution and permutation tables are related to this dynamic key. If any weakness in any dynamic key exists, it will not affect the previous and the next encrypted images. Therefore, the proposed cipher scheme exhibits a high resistance degree against weak keys and limits its impact. Moreover, the frequent variation of the secret key results in different sets of dynamic keys and consequently, prevents the accidental key disclosure.

6.5.3 Related key attacks: key sensitivity

As previously shown, the proposed cipher ensures a key and nonce sensitivity, (see Section 6.4). Also, the dynamic key has high sensitivity since all cipher primitives are related to it except the diffusion operation. As such, a change to these primitives leads to a different cipher image on the sender side or a different decrypted image at the receiver side with a 50% change. Thus, the proposed cipher exhibits a high resistance degree against related-key attacks.

6.5.4 Brute force attacks

The size of the secret key can be 128, 192, or 256 bits in a similar manner to AES, and the size of the dynamic key is 512 bits, which are sufficient enough to protect the proposed cipher against brute force attacks.

6.5.5 Chosen/known plaintext/ciphertext attacks

The proposed scheme, with its dynamic and static cipher primitives, exhibits excellent cryptographic performance. The cipher uses three dynamic substitution tables that ensure low linear and differential approximation probabilities, and it is strictly compliant to the avalanche criterion according to our previous work [38]. Equally important, the employed diffusion matrix of Koo et al. [28] ensures a linear branch equals to 10. Furthermore, the addition round keys along with the substitution operation are mandatory to avoid chosen/known plain/cipher text attacks as indicated previously.

The generation of addition round block keys is based on both substitution tables (S₁ and S₂). In fact, the blocks’ permutation operation is introduced after the encryption of all blocks since the required round block keys are sequentially generated to reduce the computational cost of the generation process and to allow for a parallel implementation. However, an attacker cannot detect any sequential relation of the round block keys based on the proposed lightweight complex schemes of substitution and diffusion. It is very important to note that these primitives change for each new dynamic key generation, which prevents these kinds of attacks to collect the required set of plaintexts/ ciphertexts.

6.5.6 Resistance against modern future powerful attacks

This paper benefits from the dynamic key approach to prevent different kinds of modern powerful attacks [41]. This can be justified since different cipher primitives are used for each dynamic key and consequently attackers cannot build their required information to break the proposed scheme. Let us indicate also that the maximum level of security can be reached by using a dynamic key for each input message.

7 Performance of the proposed cipher scheme

In this section, we assess the performance of the proposed cipher scheme in terms of execution time, memory consumption and error propagation. The experiments were conducted using the standard image of “Lenna”. The obtained results (below) validate the efficiency of the proposed approach.

7.1 Effect of error propagation

Note that since the proposed cipher can be considered as an ECB mode, thus, the effect of any bit error will only propagate to its corresponding block. Moreover, the limitation of ECB with identical blocks is solved since different keys are used for different blocks.

In Fig. 22, we show the effect of errors at the bit level (uniform random distribution within the encrypted image) on the proposed cipher scheme. The impact of errors on the proposed cipher scheme is low compared to NCIES (see Fig. 6), which suffers from high error propagation. In addition, visual results of the decrypted noisy images are shown in Fig. 23. This also validates the previous remarks by comparing to Fig. 7 of NCIES. Moreover, the effect of errors on the visual degradation of the proposed scheme is shown in Fig. 24. Indeed, by comparing it to Fig. 8 of NCIES, we can see a lower error propagation and consequently, lower visual degradation.

Fig. 22

Variation of the impact of the error propagation on the proposed cipher scheme (a) and of [16, 38] according to the percentage of errors. Introduced errors follows the uniform distribution, which is the worst case

Fig. 23

Decrypted images in function of different errors percentage using the proposed scheme

Fig. 24

The average variation of the PSNR and SSIM of the proposed cipher scheme versus the percentage of errors

In addition, for [16, 38], a bit error in any byte of the encrypted block C_i, will affect three blocks \(\{\hat {X_{i-1}}, \hat {X_{i}}, \hat {X_{i + 1}}\}\) in the decrypted image. Two of them \(\{ \hat {X_{i}}, \hat {X_{i + 1}}\}\) have random bit errors that occur independently in any bit position with an expected probability of \(\frac {1}{2}\) and the third block \(\hat {X_{i-1}}\) has only one specific bit error in the same bit-error position. While, for the proposed scheme, the effect of bit error introduces only random bit errors at the same block position with an expected probability of \(\frac {1}{2}\) in the decrypted image.

Figure 22 shows the difference between both decrypted images versus the percentage of channel error (random with a uniform distribution) for both approaches as well as the proposed one. The results indicate that the error in the decrypted image for [16, 38] is close to 50% for a channel error ≥ 2%, while it requires 4% for the proposed approach. This indicates also the suitability of the proposed cipher in terms of error propagation as compared to [16, 38].

7.2 Space complexity

To encrypt one block, we only need the current block and not the whole image as in [15]. Hence, the total space complexity is reduced from O(M × N × P × 8) to O(h), the space complexity for a block of size h.

7.3 Execution time

The average calculation time to encrypt the standard Lenna image as a function of its size (Q × Q) length is performed by using the proposed approach and of that of NCIES.

The time analysis is performed using the same machine with the same environment conditions. In addition, the employed software and hardware environments are: MATLAB R2015a simulator, 2 Intel(R) Xeon(R) CPU E5-2623 v4 @ 2.60GHz running Debian Linux. The required execution time is shown in Fig. 25a for both approaches and the ratio of the proposed one and the compared one is presented in Fig. 25b. First of all, the required execution time of the proposed scheme is approximately threes times less when compared to the execution time of [15].

Fig. 25

Average of execution times between our approach and the NCIES approach in function of the size of the input image (Q × Q) for 10000 iterations (a) and the corresponding speedup between the proposed solution and the NCIES approach

Accordingly, the proposed scheme reduces the required execution time while ensuring a high level of security (see Section 6.5). In conclusion, the proposed scheme is more efficient and can be suitable for real-time applications and limited devices.

In addition, we computed the ratio between the scheme of [16] and the proposed one with parallel computations for a different number of threads, n. First of all, the required execution time of the proposed scheme without parallelism is very close to the execution time of [16]. However, when applying parallelism, the results show that the proposed approach is faster compared to [16], which cannot be parallelized. Moreover, the results clearly indicate that increasing the number of threads (n) permits further reduction of the execution time. This makes the proposed scheme more suitable for real-time applications when compared to [16].

8 Conclusion

In this paper, the NCIES cipher, in addition to two lightweight image encryption schemes that require only two rounds, are analyzed from different aspects such as desirable cryptographic properties (avalanche effect, difference between original and cipher text, and uniformity), execution time and error propagation. The results showed that the NCIES scheme does not exhibit the claimed results concerning the avalanche effect, difference and uniformity. Consequently, the proposed round number leads to several cryptographic weaknesses. We showed that a chosen plain/cipher text attack can recover the permutation key with only two chosen messages in addition to the possibility of brute force attacks for a small size image. Furthermore, the effect of error propagation was studied and the results showed a high level of error propagation on the decryption side since no useful data could be obtained even for a single bit error. Therefore, the NCIES cipher is not suitable for wireless applications due to the high risk of data loss. Also, the analyzed cipher requires a substantial memory size and a high latency for the proper configuration of r ≥ 6. These results are presented in order to verify the credibility and the safe employment of the NCIES cipher. In parallel, other related lightweight image encryption schemes, which use CBC in forward and backward directions, cannot be realized in parallel and they double the effect of error propagation compared to the original CBC in the forward direction only.

Moreover, we proposed an efficient cipher solution that overcomes all the stated challenges (weaknesses) of the analyzed ciphers. Finally, the work in this paper provides an overview for the design of modern, efficient, and secure lightweight image encryption schemes with a structure that combines static and dynamic keys.