1 Introduction

Nowadays, image encryption is extensively used for the storage and transmission of images in multimedia applications such as telemedicine, military communication, and border surveillance. Therefore, security has become a priority concern. Digital images usually have long runs of pixels with the same red, green, and blue (RGB) values, which makes images encrypted with conventional cryptographic primitives susceptible to cryptographic attacks. The chaotic map is an effective method for randomizing image data to alleviate this problem. A chaotic map works through a special set of mathematical equations in one-dimensional (1D) and two-dimensional (2D) platforms [19, 22, 31, 38, 39]. 1D maps allow high-grade models of chaotic systems such as the Logistic map, Henon map, and Tent map [4, 18, 28, 41]. For more random performance, multi-dimensional chaotic maps have been recommended [2, 3, 5, 9, 19]. Various research articles confirm that introducing a scrambling process before encryption enhances the security level of the encryption scheme [20, 25, 29, 32]. Scrambling is a preprocessing technique that rearranges the pixel positions of the plain image. Arnold’s transform, Fibonacci transform, Magic square transform, Tangram algorithm, and the Hilbert curve method are some of the popular scrambling techniques that have been used in many encryption systems [11, 20]. Recent encryption schemes generally use Arnold’s transform, which possesses better scrambling and security enhancement features [25, 29, 33]. Thus, the image encryption system is a multi-step process: first, the plain image is randomized by different types of chaotic systems, and next the image pixel content is encrypted with a strong cryptographic primitive.
Cryptographic primitives such as symmetric ciphers (stream cipher, block cipher, hash function) and asymmetric standards (elliptic curve cryptography (ECC), RSA, etc.) are frequently used for image encryption/decryption [1, 3, 6, 7, 10, 14, 16, 23, 24, 25, 27, 40, 44, 45]. To achieve high security in the encrypted image, chaos-based permutation, diffusion, and substitution processes, as well as computationally intensive cryptographic algorithms, are used to encrypt the image [14, 16, 20, 25, 29, 32, 43].

P. Praveenkumar et al. [32] introduced a medical image encryption system, and the scheme exhibited enhanced security performance by using cognitive radio technology. But this scheme suffers from computational delay, and it does not provide any key sharing technique. Z. Gan et al. [20] proposed a color image encryption scheme based on three-dimensional (3D) Brownian motion. Their scheme fulfills most of the underlying security requirements because of its diffusion and confusion architecture. Moreover, the scheme involves several complex function operations, which lead to high-end delay. H. Liu et al. [29] proposed a chaos-based image encryption scheme with the provision of using different keys periodically. Their system claims to achieve a high level of security due to the use of multiple keys. However, the statistical security of the scheme is not evaluated exhaustively. Later, J. Chen et al. suggested an advanced image encryption scheme using self-adaptive permutation diffusion and DNA random encoding [15]. The self-adaptive permutation diffusion consists of an iterative number of rounds, and therefore it is unable to maintain a trade-off between security and time complexity. But their detailed statistical and attack analysis confirmed that the encryption system provides satisfactory performance. A. A. Abd El-Latif et al. [3] proposed an image encryption scheme based on a chaotic system and a cyclic elliptic curve. D. S. Laiphrakpam et al. [25] extended a similar idea and performed scrambled image encryption using an elliptic curve. To improve the security of the system, they used the elliptic curve points to generate the random sequence. Their design enhances the security of the image encryption system, but the key sharing time has not been taken into consideration. Inspired by these image encryption concepts, a useful scheme is designed in this paper.

In [8, 14, 15, 18, 23, 24, 25, 30, 36, 44, 45, 46, 47], a large number of iterations are required for the encryption and decryption system, so the mentioned schemes suffer from a high computation cost. To keep the computation complexity within an acceptable range, it is desirable to use a word-oriented feedback shift register (wfsr) in the final encryption stage instead of a high-processing cryptographic algorithm. A wfsr has a large period and is capable of generating a cryptographically secure keystream. Most of the classical linear-feedback shift register (LFSR)-based stream ciphers are bit-oriented [17, 42]. With the rapid growth of multimedia technology, many emerging applications demand high-speed encryption with desirable randomness properties for dealing with high data volume. In that situation, bit-oriented stream ciphers do not provide adequate performance, and this issue may be addressed by using a word-oriented feedback shift register [12, 37]. In 2007, Zeng et al. [42] proposed a special word-based LFSR. They designed an improved version of wfsr (called σ-LFSR) that uses word operations in modern processors with parallelism techniques [42]. Moreover, wfsr provides a good-quality pseudorandom sequence and high linear complexity, and it is (5-10) times faster than a block cipher in software implementation [37, 42]. A cryptosystem is considered strong if it generates a highly random keystream. Therefore, the scheme is cryptographically secure when attackers are not able to obtain valuable information from statistical analyses, adding noise, and different types of attacks. After the image encryption, an anonymous key sharing protocol is required that allows the sender and receiver to establish the secret key over an insecure channel. ECDH is an efficient key sharing technique because it requires less computational complexity, bandwidth, and memory compared to other public-key cryptosystems [13]. That motivates the investigation of a strong cryptographic primitive in the proposed image encryption scheme.

The proposed work focuses on high-level confidentiality in the encryption system. The proposed structure consists of two cryptographic stages, namely, encryption and key sharing phase. The contributions are as follows:

  • In the encryption phase Logistic map, Arnold’s scrambling, and wfsr are used to produce the cipher image. The use of wfsr contributed to the generation of high-quality pseudorandom number with high speed.

  • The key of the encryption system has been efficiently transmitted by ECDH scheme.

  • Additionally, the proposed scheme is able to resist known and chosen-plaintext attack, Brute force attack, differential attack, and noise attack.

Before proceeding further, let us describe the organization of this paper. Section 2 presents the basic specifications of the scheme. Section 3 explains the proposed framework. Section 4 shows simulation and statistical result. Section 5 presents performance and security analyses of the proposed scheme. Section 6 provides comparative analysis. Finally, Section 7 concludes the paper.

2 Preliminaries

This section revisits some of the background studies about the Logistic map, Arnold’s transformation, and word-oriented feedback shift register.

2.1 Logistic map

The Logistic map is represented as:

$$ x_{n+1} = \varphi x_{n}(1 - x_{n}) $$
(1)

where φ is the driving parameter. Iterating the equation produces a random sequence for a single pair of φ and x values. Here, the range of x is (0 < x < 1) and the range of φ is (3 < φ < 4).

2.2 Arnold’s transformation

In the digital image, Arnold’s scrambling is performed as:

$$ \left[\begin{array}{ll} x^{\complement} \\ y^{\complement} \end{array}\right] = \left[\begin{array}{ll} 1 & \mathcal{A} \\ \mathcal{B} & \mathcal{AB} +1 \end{array}\right] \left[\begin{array}{ll} x \\ y \end{array}\right] \ (\text{mod}\ n) $$
(2)

where,

$$ \begin{array}{@{}rcl@{}} &\left[\begin{array}{ll} x \\ y \end{array}\right] & :\text{ initial pixel position of the digital image}\\ &\left[\begin{array}{ll} 1 & \mathcal{A} \\ \mathcal{B} & \mathcal{AB} +1 \end{array}\right] & : 2 \times 2 \text{ matrix with determinant 1} \\ &\left[\begin{array}{ll} x^\complement \\ y^\complement \end{array}\right] & :\text{ traversed point after Arnold's scrambling}\\ &n &: \text{the order of digital image matrix like } (256 \times 256) \end{array} $$

2.3 Word-oriented feedback shift register

This paper recalls some definitions and results reported in [12, 37, 42]. In many practical applications, one generally uses finite fields of characteristic 2, so we restrict ourselves to fields of characteristic 2 and their extensions. Throughout this paper, σ-LFSR shall be referred to as wfsr. We denote by \(\mathbb {F}_{2}\) the finite field with 2 elements, by \(\mathbb F_{2^{m}}\) the extension field of \(\mathbb {F}_{2}\) of degree m, and by \(\mathbb {F}_{2}[Y]\) the ring of polynomials in one variable Y with coefficients in \(\mathbb {F}_{2}\). For a ring R and an integer d, \(M_{d}(R)\) denotes the set of all d × d matrices with entries in R. We fix positive integers m and n, and a vector space basis \(\{\omega _{0}, \dots , \omega _{m-1}\}\) of \({\mathbb F}_{2^{m}}\) over \(\mathbb F_{2}\). For any \(\textsf {s} \in {\mathbb F}_{2^{m}}\), there are unique \(\textsf {s}_{0}, \dots , \textsf {s}_{m-1} \in {\mathbb F}_{2}\) such that \(\textsf {s} = \textsf {s}_{0}\omega _{0} + \cdots + \textsf {s}_{m-1}\omega _{m-1}\), and we denote the corresponding coordinate vector \((\textsf {s}_{0}, \dots , \textsf {s}_{m-1})\) of s by \(\mathcal {S}\). The map \(\textsf {s}\longmapsto \mathcal {S}\) is a vector space isomorphism of \(\mathbb F_{2^{m}}\) onto \(\mathbb {F}_{2}^{m}\). Elements of \(\mathbb {F}_{2}^{m}\) are regarded as row vectors, so \( \mathcal {S}B\) is a well-defined element of \(\mathbb {F}_{2}^{m}\) for any \(\mathcal {S} \in \mathbb {F}_{2}^{m}\) and \(B\in M_{m}(\mathbb {F}_{2})\).

Definition 1

Let \(B_{0}, B_{1}, \dots , B_{n-1} \in M_{m}(\mathbb F_{2})\). For any n-tuple \((\mathcal {S}_{0}, \dots , \mathcal {S}_{n-1})\) of elements of \(\mathbb F_{2^{m}}\), let \((\mathcal {S}_{i})_{i=0}^{\infty }\) represent the infinite sequence of elements of \({\mathbb F}_{2^{m}}\) determined by the linear recurrence equation:

$$ \begin{array}{@{}rcl@{}} {\mathcal{S}}_{i+n}=B_{0}{\mathcal{S}}_{i}+B_{1}{\mathcal{S}}_{i+1}+{\cdots} +B_{n-1}{\mathcal{S}}_{i+n-1} \quad i=0,1,\dots. \end{array} $$
(3)

In general, equation (3) is called a wfsr of order n over \(\mathbb F_{2^{m}}\), while the sequence \((\mathcal {S}_{i})_{i=0}^{\infty }\) is referred to as the sequence generated by the wfsr (3). The n-tuple \((\mathcal {S}_{0},\mathcal {S}_{1}, \ldots , \mathcal {S}_{n-1})\) is the initial state of the wfsr (3), and the polynomial \(I_{m}Y^{n} -B_{n-1}Y^{n-1}- {\cdots } -B_{1}Y-B_{0}\) with matrix coefficients is the matrix polynomial of the wfsr (3). The sequence \((\mathcal {S}_{i})_{i=0}^{\infty }\) is ultimately periodic if there are integers \(r, n_{0}\) with r ≥ 1 and \(n_{0} \geq 0\) such that \(\mathcal {S}_{j+r}=\mathcal {S}_{j}\) for all \(j \geq n_{0}\). The least positive integer r with this property is the period of \((\mathcal {S}_{i})_{i=0}^{\infty }\), and the corresponding least nonnegative integer \(n_{0}\) is the preperiod of \((\mathcal {S}_{i})_{i=0}^{\infty }\). The sequence \((\mathcal {S}_{i})_{i=0}^{\infty }\) is periodic if its preperiod is 0.

The following result provides some interesting facts about wfsr.

Fig. 1 Schematic diagram of wfsr. LR- Left Rotation, RR- Right Rotation, ∧- AND operation, and 5e8491f8- 32-bit vector

Proposition 1

From [37], the pseudorandom sequence \((\mathcal {S}_{i})_{i=0}^{\infty }\) produced by the wfsr (3) of order n over \(\mathbb F_{2^{m}}\) satisfies the following:

  (i) \((\mathcal {S}_{i})_{i=0}^{\infty }\) has periodic behaviour, and the period is \(2^{mn} - 1\);

  (ii) if \(B_{0}\) is nonsingular, then \((\mathcal {S}_{i})_{i=0}^{\infty }\) is periodic; conversely, if \((\mathcal {S}_{i})_{i=0}^{\infty }\) is periodic whenever the initial state is of the form \((b, 0, {\dots } , 0)\), where \(b\in \mathbb F_{2^{m}}\) with \(b \neq 0\), then \(B_{0}\) is nonsingular.

The wfsr of order n over \(\mathbb F_{2^{m}}\) is primitive if, for any choice of nonzero initial state, the sequence produced by that wfsr has periodic behaviour of period \(2^{mn} - 1\). By Proposition 1, if \(I_{m}Y^{n} -B_{n-1}Y^{n-1}- {\cdots } -B_{1}Y-B_{0} \in M_{m} \left (\mathbb {F}_{2}\right )[Y]\) is the matrix polynomial of a primitive wfsr, then the matrix \(B_{0}\) is necessarily nonsingular. A matrix polynomial \(I_{m}Y^{n} -B_{n-1}Y^{n-1}- \cdots -B_{1}Y-B_{0} \in M_{m}(\mathbb {F}_{2})[Y]\) can be associated with an (m,n)-block companion matrix \({\textsf B}_{\textsf {wfsr}} \in M_{mn}(\mathbb {F}_{2})\) as follows

$$ {\textsf B}_{\textsf{wfsr}} = \begin {pmatrix} \mathbf{0} & \mathbf{0} & \mathbf{0} & . & . & \mathbf{0} & \mathbf{0} & B_{0}\\ I_{m} & \mathbf{0} & \mathbf{0} & . & . & \mathbf{0} & \mathbf{0} & B_{1}\\ . & . & . & . & . & . & . & .\\ . & . & . & . & . & . & . & .\\ \mathbf{0} & \mathbf{0} & \mathbf{0} & . & . & I_{m} & \mathbf{0} & B_{n-2}\\ \mathbf{0} & \mathbf{0} & \mathbf{0} & . & . & \mathbf{0} & I_{m} & B_{n-1} \end {pmatrix}, $$
(4)

where \(I_{m}\) represents the m × m identity matrix over \(\mathbb {F}_{2}\), while \(\mathbf{0}\) signifies the zero matrix in \(M_{m}(\mathbb {F}_{2})\). Applying a Laplace expansion or a suitable sequence of elementary column operations, it is easy to see that \(\det {\textsf B}_{\textsf {wfsr}} = \pm \det (B_{0})\). As a result,

$$ {\textsf B}_{\textsf{wfsr}} \in \operatorname{GL}_{mn}(\mathbb{F}_{2}) \quad \text{if and only if} \quad B_{0}\in \operatorname{GL}_{m}(\mathbb{F}_{2}), $$
(5)

where \(\operatorname {GL}_{m}(\mathbb {F}_{2})\) is the general linear group of m × m nonsingular matrices over \(\mathbb {F}_{2}\). Note that the block companion matrix (4) is the state transition matrix for the wfsr (3). Indeed, the l-th state \(\mathcal {S}_{\textsf {l}}:=\left (\mathcal {S}_{\textsf {l}}, \mathcal {S}_{\textsf {l}+1}, \dots , \mathcal {S}_{\textsf {l}+n-1}\right ) \in \mathbb {F}_{2^{m}}^{n}\) of the wfsr (3) is obtained from the initial state \(\mathcal {S}_{0}:=\left (\mathcal {S}_{0}, \mathcal {S}_{1}, \dots , \mathcal {S}_{n-1}\right ) \in \mathbb {F}_{2^{m}}^{n}\) by \(\mathcal {S}_{\textsf {l}} = \mathcal {S}_{0} {\textsf B}_{\textsf {wfsr}}^{\textsf {l}}\), for any l ≥ 0. Hence, the wfsr (3) can be identified with the block companion matrix (4).

This paper studies a special set of wfsr. The word size (m) can be 8, 16, 32, 64, or 128. In the proposed work, a wfsr architecture with 32-bit output has been considered, as shown in Fig. 1. Before the output sequence is generated, the structure must be initialized with nonzero key/seed values. In this case, the wfsr is loaded with 16 blocks of hex values, where each block contains 32 bits (i.e. 16 × 32 = 512 bits).
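The recurrence (3) and Proposition 1(ii) can be checked exhaustively on a toy register. The following is an added example, not code from the paper: it assumes m = 2 and n = 2 (the paper's register uses m = 32), and the names `survey`, `step` and `EXAMPLE` are hypothetical.

```python
from itertools import product

M, N = 2, 2                      # toy word size m and order n (assumed values)
ZERO_WORD = (0,) * M
FULL_PERIOD = 2 ** (M * N) - 1   # 2^(mn) - 1 = 15 for this toy register

# Constructed coefficient pair (B_0, B_1); rows are written as tuples of bits.
EXAMPLE = (((0, 1), (1, 0)), ((0, 1), (0, 0)))


def vec_mat(s, B):
    """Row vector s times matrix B over F_2 (the S*B convention of Section 2.3)."""
    return tuple(sum(s[k] & B[k][j] for k in range(M)) & 1 for j in range(M))


def step(state, Bs):
    """One clock of recurrence (3): S_{i+n} = S_i B_0 + ... + S_{i+n-1} B_{n-1}."""
    new = ZERO_WORD
    for word, B in zip(state, Bs):
        new = tuple(a ^ b for a, b in zip(new, vec_mat(word, B)))
    return state[1:] + (new,)


def preperiod_and_period(state, Bs):
    """Clock the register until a state repeats; return (preperiod n0, period r)."""
    seen = {}
    while state not in seen:
        seen[state] = len(seen)
        state = step(state, Bs)
    return seen[state], len(seen) - seen[state]


def is_nonsingular(B):
    """Gaussian elimination over F_2, each row packed into an integer."""
    rows = [int("".join(map(str, r)), 2) for r in B]
    for bit in reversed(range(M)):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            return False
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
    return True


def all_matrices():
    """Every m x m matrix over F_2."""
    for bits in product((0, 1), repeat=M * M):
        yield tuple(tuple(bits[r * M:(r + 1) * M]) for r in range(M))


def survey():
    """Enumerate every toy wfsr and check Proposition 1(ii) and primitivity."""
    words = list(product((0, 1), repeat=M))
    states = [s for s in product(words, repeat=N) if any(any(w) for w in s)]
    unit_states = [s for s in states if not any(any(w) for w in s[1:])]
    primitive, nonsingular_ok, singular_ok = [], True, True
    for Bs in product(list(all_matrices()), repeat=N):
        results = {s: preperiod_and_period(s, Bs) for s in states}
        if all(r == (0, FULL_PERIOD) for r in results.values()):
            primitive.append(Bs)
        if is_nonsingular(Bs[0]):
            # B_0 nonsingular: every generated sequence is periodic (preperiod 0).
            nonsingular_ok &= all(pre == 0 for pre, _ in results.values())
        else:
            # B_0 singular: some start (b, 0, ..., 0) with b != 0 never recurs.
            singular_ok &= any(results[s][0] > 0 for s in unit_states)
    return primitive, nonsingular_ok, singular_ok


if __name__ == "__main__":
    prim, ok_a, ok_b = survey()
    print(len(prim), "primitive registers;", "Prop. 1(ii) holds:", ok_a and ok_b)
```

A register whose coefficient matrix B_0 is singular loses state on the first clock, which is why a keystream generator built on recurrence (3) should have B_0 checked for invertibility before use.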

3 Proposed framework

The proposed cryptosystem is presented in three parts, namely, key sharing, encryption, and decryption. The block diagram of the proposed cryptosystem is shown in Fig. 2.

Fig. 2 Schematic view of the proposed structure

3.1 Key sharing

After the image encryption system, the user sends the encryption key to the receiver by any public-key sharing algorithm like a digital envelope. Figure 2 illustrates the generic key sharing system.

  1. As already discussed, the proposed work considers a 32-bit wfsr, and it uses a 512-bit key value (κ) as shown in Appendix A.

  2. In a general way, the sender generates \({E_{{R}_{pub}}(x_{0}, \varphi , \widehat {r}, \kappa )}\) using the public key of the receiver and shares it with the receiver. All the notations are mentioned in Fig. 2.

  3. Next, the receiver extracts the file \({D_{{R}_{pri}}\left (E_{{R}_{pub}}(x_{0}, \varphi , \widehat {r}, \kappa )\right )}\) with its own private key.

Among asymmetric key sharing cryptosystems, ECDH in particular has great prospects for satisfying the requirements of high security as well as low computation time. The proposed scheme uses the ECDH key sharing algorithm, which is summarized in Section 5.8.

3.2 Encryption scheme

In this work, the cipher image is generated by a strong cryptosystem. The steps for generating a cipher image are as follows:

  1. Select the plain image of size (n × n).

  2. The Logistic map is applied to the plain image to provide random behavior in the digital image. The ranges of φ and x are as discussed in Section 2.1.

  3. Let the coordinate (x,y) belong to the plain image. Arnold’s cat map is performed on the pair (x,y), and it becomes \((x^{\complement }, y^{\complement })\). The values of \(\mathcal {A}\) and \(\mathcal {B}\) are set to 1 (see (2)). Here, the number of scramble rounds is termed \(\widehat {r}\).

  4. A special kind of 32-bit wfsr is used for the further encryption stage. It is important to explain how many times the wfsr runs to obtain the pseudorandom sequence. The wfsr output sequence depends on the number of pixel values of the scrambled image (as the value of RGB is \(\frac {n \times n \times 3 \times 8}{m}\)). A pixel value typically consists of (3×8 = 24) bits for the color image, that is, one byte each for R, G, and B, and m = 32 is the output size/clock of the wfsr. For example, if a (256 × 256) RGB image is used, the wfsr is run \(\left [\frac {256 \times 256 \times 3 \times 8}{32} = 49152\right ]\) times for random number sequence generation.

  5. Next, perform the Exclusive OR (XOR) operation of the keystream of the wfsr and the binary pixel values of the scrambled image. The result is the cipher image.

3.3 Decryption scheme

Decryption is the inverse process of the encryption system.

  1. Select the cipher image. Also collect the values of (x0, φ, \(\widehat {r}\), and κ). Specifically, (x0, φ) are the values for the Logistic map, \(\widehat {r}\) is the Arnold’s cat map round number, and κ is the wfsr key.

  2. The receiver runs the wfsr based on the cipher image pixel size, as mentioned in step 4 of the encryption scheme (Section 3.2).

  3. XOR (cipher image pixel value, wfsr keystream).

  4. Perform the Logistic map using the parameters (x0, φ).

  5. Unscramble the scrambled image by using Arnold’s cat map round (\(\widehat {r}\)) and get the original image.
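The scrambling of Eq. (2) (Section 2.2, step 3 of encryption) and its reversal (step 5 of decryption) can be exercised as follows. This is an added example, not the paper's code; the function names are hypothetical and the 8 × 8 test image is constructed. It also computes the period of the map, because the round count \(\widehat {r}\) only matters modulo that period.

```python
def arnold_map(x, y, n, a=1, b=1):
    """Eq. (2): (x, y) -> (x + a*y, b*x + (a*b + 1)*y) mod n."""
    return (x + a * y) % n, (b * x + (a * b + 1) * y) % n


def scramble(img, rounds, a=1, b=1):
    """Move the pixel at (x, y) to its image under Eq. (2), `rounds` times."""
    n = len(img)
    for _ in range(rounds):
        out = [[None] * n for _ in range(n)]
        for x in range(n):
            for y in range(n):
                xc, yc = arnold_map(x, y, n, a, b)
                out[xc][yc] = img[x][y]
        img = out
    return img


def unscramble(img, rounds, a=1, b=1):
    """Inverse of scramble(): fetch each pixel back from its mapped position."""
    n = len(img)
    for _ in range(rounds):
        out = [[None] * n for _ in range(n)]
        for x in range(n):
            for y in range(n):
                xc, yc = arnold_map(x, y, n, a, b)
                out[x][y] = img[xc][yc]
        img = out
    return img


def _matmul(p, q, n):
    """2 x 2 matrix product modulo n."""
    return tuple(
        tuple(sum(p[i][k] * q[k][j] for k in range(2)) % n for j in range(2))
        for i in range(2)
    )


def arnold_period(n, a=1, b=1):
    """Smallest r >= 1 such that the matrix of Eq. (2) raised to r is I mod n."""
    if n < 2:
        raise ValueError("image order n must be at least 2")
    m = ((1, a % n), (b % n, (a * b + 1) % n))
    identity = ((1, 0), (0, 1))
    cur, r = m, 1
    while cur != identity:
        cur = _matmul(cur, m, n)
        r += 1
    return r


def effective_rounds(rounds, n, a=1, b=1):
    """Round counts that agree modulo the period give the same scrambled image."""
    return rounds % arnold_period(n, a, b)


if __name__ == "__main__":
    # Constructed 8 x 8 image with distinct pixel values.
    img = [[r * 8 + c for c in range(8)] for r in range(8)]
    assert unscramble(scramble(img, 5), 5) == img
    for size in (8, 256, 512):
        print(size, "x", size, "period:", arnold_period(size))
```

With \(\mathcal {A} = \mathcal {B} = 1\) the period is 192 for a 256 × 256 image and 384 for a 512 × 512 image, so \(\widehat {r}\) takes at most that many distinct effective values, and a round count that is a multiple of the period leaves the image unscrambled.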

Fig. 3 (a-d) Plain images of Nehu, Tulip, Baboon, and Lena; (e-h) Scrambled images; (i-l) Cipher images

4 Simulation and statistical analysis

In this section, simulations are performed to show the resistance of the proposed scheme with respect to several statistical properties. Samples of plain images (a-d), scrambled images (e-h), and cipher images (i-l) are presented in Fig. 3. This encryption system is operated on Matlab 2016, Mathematica 10, SageMath Version 7.0, and GCC-4.8. It may be noted that (512 × 512) cipher images are considered in the paper, but for the sake of simplicity, (201 × 201) dimension images are shown in the article. In order to assess the plain image and cipher image quality, two important metrics, namely the structural similarity (SSIM) index and the peak signal-to-noise ratio (PSNR), have been measured and are shown in Table 1.

Table 1 Results of PSNR and SSIM

Fig. 4 Histogram plot for plain and cipher images

In this section, we have presented histogram, correlation coefficient, entropy, and Chi-square test for the proposed cryptosystem.

4.1 Histogram analysis

In digital image processing, the histogram of an image indicates the frequency distribution of the pixel intensity values. A cryptographic primitive is intended to produce a good cipher image, one with a uniform distribution of pixel intensity values, so that the attacker is unable to obtain valuable data from the cipher image. Figure 4 illustrates the histogram plots of the plain images and their corresponding cipher images.

4.2 Correlation coefficient

The Correlation coefficient signifies the correlation or similarity among two adjacent pixels in the digital image. Usually, image pixels are extremely repetitive, so they have a large correlation among adjacent pixels. In that regard, the cipher image should be produced in such a way that the image has a low correlation among the adjacent pixels and it would be hard to recognize the similarity between the pixel contents by the attacker. It is measured as follows:

$$ Corr_{(X,Y)} = \frac{Cov (X,Y)}{St. Dev (X) \times St. Dev (Y)} $$
(6)

where,

$$ Cov(X,Y): \text{covariance of } X, Y $$

The correlation coefficient results of the plain images and cipher images are tabulated in Table 2. The tabulated results are close to zero, which indicates that there is no correlation among the adjacent pixels of the cipher images in the horizontal, vertical, and diagonal directions. Correlation plots for the plain and cipher Baboon images along the horizontal, vertical, and diagonal directions are illustrated in Fig. 5a-f.

Table 2 Results of correlation coefficients (CC) of the plain images and cipher images

Fig. 5 Distributions of adjacent pixel pairs of the Baboon plain image and cipher image. (a-c) depicts the horizontal, vertical, and diagonal pixel distribution of the Baboon plain image; (d-f) corresponding cipher image regions

4.3 Information entropy

Shannon proposed the fundamental notion of information entropy, and it is reported in [35]. It can be defined as follows:

$$ H(X) = -N \sum\limits_{i=1}^{N} p(x_{i})\ log_{2}\ p(x_{i}) $$
(7)

where \(p(x_{i})\) is the probability mass function. In data communications, the word ‘entropy’ refers to the relative degree of randomness. Thus, a high value of the entropy indicates a high level of randomness. Table 3 summarizes the entropy results of the plain images and the corresponding cipher images.

Table 3 Entropy evaluation

4.4 Chi-square test

The Chi-square test measures the difference between the observed and the expected result to evaluate how uniformly the pixel values are distributed in the cipher image. There is a well-known equation for this Chi-square test (\(\chi^{2}\)):

$$ \chi^{2} = \sum\limits_{i=0}^{255}\frac{(O_{i} - E_{i})^{2}}{E_{i}} $$
(8)

where,

\(O_{i}\): observed intensity distribution of each gray level (0-255)

\(E_{i}\): expected intensity distribution of each gray level (0-255)

In this test, α = 0.05 value has been preferred for the significance level, which is the default value for the Chi-square test. Next, the Chi-square values of the different size cipher images are tabulated in Table 4. Chi-square test reveals that the cipher image produces a uniform distribution of pixel values.

Table 4 Chi-square test result

5 Security and performance analysis

This section provides known and chosen-plaintext attack, key sensitivity test, differential attack, noise attacks, occlusion attack, NIST randomness test, encryption time, and ECDH performance analysis.

5.1 Known and chosen-plaintext attack

In the chosen-plaintext attack, an attacker can choose random plaintext data to encrypt and get the ciphertext. Even after achieving good cryptographic results, a few image encryption systems have been vulnerable to known and chosen-plaintext attacks [20]. In the suggested scheme, the plain image pixels are first randomized by the Logistic map and then scrambled by Arnold’s scrambling technique. Next, the highly random keystream is used for cipher image generation. Therefore, it is extremely difficult for an attacker to obtain any information from the plain and cipher images. Hence, it can be claimed that the proposed encryption system efficiently resists known-plaintext and chosen-plaintext attacks.

5.2 Key analysis

Key analysis is used to show the sensitivity of the image encryption scheme to the input key. A small difference in the key may produce a severe difference in the output image. Kerckhoffs stated [21]: ‘A cryptosystem should be secure even if everything about the system, except the key, is public knowledge'. In general, a bigger keyspace helps the cipher to resist the Brute force attack. In this scheme, a 512-bit key has been used. That signifies that the \(2^{512}\) keyspace of the proposed scheme has enough capability to resist the Brute force attack.

Fig. 6 Key sensitivity test. (a) Plain image; (b) corresponding cipher image; (c) decryption with original key; (d) decryption with one bit changes in the original key; and (e) decryption with one word changes in the original key

Typically, the key sensitivity of a cryptosystem can be judged in two ways: (a) an entirely different image should be obtained when slightly altered keys are used to decrypt the same cipher image; (b) the cipher image should not be decrypted correctly if there is a small change between the encryption and decryption keys.

In order to evaluate the key sensitivity, two types of faulty key have been used, in which (i) a bit and (ii) a word is changed from the original key of the recipient. As seen from Fig. 6, the proposed scheme shows no similarity between the original cipher image and the wrongly deciphered image.

5.3 Differential attack

In general, NPCR and UACI are used to compute the differential attack resistance of the cryptographic system. Specifically, NPCR means the rate of variation of pixel position between the original and the cipher image, and UACI represents the variations in average intensity rates among the plain and cipher image. The NPCR and UACI formulas are specified as follows:

$$ NPCR = \frac{{\sum}_{(\imath,\jmath)} D(\imath,\jmath)}{width (w) \times height (h)} \times 100\% $$
(9)
$$ UACI = \frac{1}{(w) \times (h)} \left[ \sum\limits_{(\imath,\jmath)}^{} \frac{P_{1}(\imath,\jmath) - P_{2}(\imath,\jmath)}{255}\right] \times 100\% $$
(10)

where,

$$ D(\imath,\jmath) = \left\{\begin{array}{ll} 0\ when\ P_{1}(i, j) = P_{2}(i, j)\\ 1\ when\ P_{1}(i, j) \neq P_{2}(i, j) \end{array}\right. $$
(11)

The NPCR and UACI results are tabulated in Table 5, and it is observed that the proposed scheme has the ability to avoid the differential attack.
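The adjacent-pixel correlation of Eq. (6) and the NPCR and UACI of Eqs. (9)-(11) can be computed as follows. This is an added example, not the paper's code: the smooth image and the two pseudo-random byte images are constructed stand-ins rather than output of the proposed scheme, the function names are hypothetical, and UACI uses the absolute intensity difference, as in the usual definition of that metric.

```python
import random
from math import sqrt


def npcr(c1, c2):
    """Eq. (9) with D from Eq. (11): percentage of positions whose values differ."""
    h, w = len(c1), len(c1[0])
    changed = sum(c1[i][j] != c2[i][j] for i in range(h) for j in range(w))
    return 100.0 * changed / (w * h)


def uaci(c1, c2):
    """Eq. (10), taking |P1 - P2| (assumption: the standard absolute difference)."""
    h, w = len(c1), len(c1[0])
    total = sum(abs(c1[i][j] - c2[i][j]) / 255 for i in range(h) for j in range(w))
    return 100.0 * total / (w * h)


def adjacent_correlation(img, di, dj):
    """Eq. (6) over all pairs (pixel, neighbour at offset (di, dj)).

    (0, 1) is horizontal, (1, 0) vertical and (1, 1) diagonal.
    """
    h, w = len(img), len(img[0])
    xs, ys = [], []
    for i in range(h - di):
        for j in range(w - dj):
            xs.append(img[i][j])
            ys.append(img[i + di][j + dj])
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    sx = sqrt(sum((x - mx) ** 2 for x in xs) / n)
    sy = sqrt(sum((y - my) ** 2 for y in ys) / n)
    return cov / (sx * sy)


def constructed_images(size=128, seed=1):
    """Constructed inputs: one smooth gradient and two pseudo-random byte images."""
    rng = random.Random(seed)
    smooth = [[(i + j) // 2 for j in range(size)] for i in range(size)]
    noise_a = [[rng.getrandbits(8) for _ in range(size)] for _ in range(size)]
    noise_b = [[rng.getrandbits(8) for _ in range(size)] for _ in range(size)]
    return smooth, noise_a, noise_b


if __name__ == "__main__":
    smooth, noise_a, noise_b = constructed_images()
    for name, img in (("smooth", smooth), ("noise", noise_a)):
        cc = [adjacent_correlation(img, di, dj) for di, dj in ((0, 1), (1, 0), (1, 1))]
        print(name, "HC/VC/DC:", ["%.4f" % c for c in cc])
    print("NPCR %.2f%%  UACI %.2f%%" % (npcr(noise_a, noise_b), uaci(noise_a, noise_b)))
```

Two independent uniformly random 8-bit images give an NPCR near 99.61% and a UACI near 33.46%, which is the reference point against which measured cipher-image values are usually read.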

Table 5 NPCR and UACI values

Fig. 7 Different forms of encrypted and decrypted images under Gaussian noise attack. (a) Baboon Cipher image added noise with mean = 0, variance = 0.01; (b) cipher image added noise with mean = 0, variance = 0.02; (c) cipher image added noise with mean = 0, variance = 0.03; and (d) cipher image added noise with mean = 0, variance = 0.05. (e-h) decrypted images of Baboon; and (i-l) decrypted images of Nehu

Fig. 8 Different forms of decrypted images under salt and pepper noise attack. The cipher image added with 10%, 20%, 30%, and 50% noise. (a, e) decrypted images with 10% noise; (b, f) decrypted images with 20% noise; (c, g) decrypted images with 30% noise; and (d, h) decrypted images with 50% noise

5.4 Noise attack analysis

Noise attack is one of the powerful attacks on the cipher image. If anyone imposes high noise on the cipher image, it would be very difficult to obtain the original image. In order to evaluate the robustness of the proposed scheme against noise attacks, two types of noise, namely Gaussian noise and salt and pepper noise, are applied to the encrypted images. The data obtained from the experiments are presented in the following parts.

5.4.1 Gaussian noise

This part measures the robustness of the proposed scheme against four variances of Gaussian noise. Figure 7a-d shows the Baboon cipher images, (e-h) the Baboon decrypted images, and (i-l) the Nehu decrypted images. As seen from Fig. 7, if the attacker adds noise with different parameters (like 0.01, 0.02, 0.03, and 0.05), the proposed scheme has the capability to recover the maximum information of the image.

5.4.2 Salt and pepper attack

This noise is also known as impulse noise. It is caused by sharp and unexpected interruptions inside the image signal. The performance of the cipher image has been evaluated using various levels of salt and pepper noise. After imposing 10%, 20%, 30%, and 50% salt and pepper noise, the scheme is capable of recovering the original images, as shown in Fig. 8.

Fig. 9 Cipher and decrypted images under occlusion attack. (a-d) cipher images with occlusion levels 6.25%, 12.5%, 25%, and 50%; (e-h) decrypted images of Nehu; (i-l) decrypted images of Baboon

Fig. 10 PSNR results. (a) salt and pepper noise; (b) Gaussian noise; and (c) occlusion attack

5.5 Occlusion attack

When the sender sends some images and, knowingly or unknowingly, some portion of the image pixel values is lost, this is known as an occlusion attack. To evaluate the proposed scheme, different levels of occlusion (like 6.25%, 12.5%, 25%, and 50%) are applied to the encrypted images. Figure 9i-l illustrates the decrypted images of Fig. 9a-d, respectively. As seen from Fig. 9, even after contamination by different levels of occlusion, the plain image can be recovered to some extent.

Different noise variances against PSNR (dB) results are plotted graphically and shown in Fig. 10. Further, mean square error (MSE) and SSIM results for the different types of noise attacks are tabulated in Table 6. From the result, it is clear that the mentioned attacks are unable to affect the proposed scheme.

Table 6 SSIM and MSE values for different levels of noises

5.6 Randomness analysis

The randomness test plays a vital role in the design of a cryptosystem because it easily detects the weaknesses of the crypto structure. The randomness test of the selected cipher images has been carried out with the NIST test suite [34]. For the randomness test, at least \(10^{6}\) (1 Million) keystream is required from the cipher image pixel values. The result of the randomness test is analyzed by the P-value: if the P-value is less than 0.01, then the selected keystream is considered non-random; otherwise it is judged to be random. The NIST test suite consists of 15 different statistical tests. The NIST randomness test results of the cipher images are given in Table 7.

Table 7 Cipher images randomness test result using NIST test suite

5.7 Encryption time

Computational speed is very important for a real-time encryption system. The configuration of the system is as follows: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 3408 MHz, 4 Core(s), 8 Logical processor(s). The encryption time is measured as the sum of the time spent on wfsr random number generation, the XOR operation of the wfsr keystream sequence with the scrambled image bitstream, and parameter initialization. The average encryption time (in seconds) taken by the algorithm for a (512 × 512) sized image is presented in Table 8.

Table 8 Encryption time requirement

5.8 Performance analysis of ECDH

In a generic way, the proposed scheme has shown that a digital envelope is used for key exchange between sender and receiver. RSA, Diffie-Hellman, ECDH, Curve25519, etc., are some common public key protocols generally considered for key exchange. But in the proposed scheme, the key exchange protocol needs to be lightweight. The ECDH key sharing protocol [13] is normally much faster than other conventional public key systems. Additionally, ECDH has some benefits in terms of key length and secure performance. The elliptic curve discrete logarithm problem (ECDLP) [26] is assumed to be a hard problem given the best techniques known to date. But still, there are a few uncertainties linked with it because of the lack of mathematical proof.

In this experimental work, ECDH has been implemented in the C language. Key exchange time performance has been analyzed by two important parameters, namely encryption time and decryption time. Experimental results are tabulated in Table 9. Specifically, the proposed method uses a 512-bit key in ECDH, which requires in total 0.150202 seconds for encryption and decryption.

Table 9 Time requirement for Key sharing using ECDH

6 Comparison

This section highlights the performance of the proposed system compared with state-of-the-art schemes [2, 3, 5, 9, 10, 20, 25, 29, 32]. Table 10 shows the comparison of some important performance metrics such as entropy, NPCR, UACI, and correlation coefficient (in terms of HC, VC, DC). As seen from Table 10, the performance metrics of the proposed scheme are better than or close to those of the recent schemes. The security of the proposed system is enhanced by the wfsr, which is designed as a high-quality pseudo-random number generator. Despite this pseudo-random behavior, the system can maintain a proper balance between robustness and computational performance. Regarding computation cost, Table 8 reveals that the proposed system is faster than the schemes of [2, 5, 9, 25] in encryption speed. Key sharing time is not considered in Refs. [2, 5, 9, 25], whereas it is addressed in the proposed method and shown in Table 9. Therefore, the comparative evaluation assures that the proposed system is able to maintain the trade-off between high security and computational complexity.

Table 10 Entropy, NPCR, UACI, and correlation results of different image encryption schemes

7 Conclusions

The proposed method is an efficient and secure image encryption scheme. A three-level image encryption method is implemented, where the first two levels, namely the Logistic map and Arnold’s scrambling, are used for the randomization of pixel values, and the third level encrypts the pixel values with the keystream generated by a special wfsr. The wfsr offers not only fast software encryption but also high-quality pseudorandom sequences with the desired statistical properties. Next, the ECDH scheme has been suggested for sharing the image encryption key. Simulations and performance evaluations showed that the scheme requires lower time complexity in encryption and key sharing. Detailed statistical analyses like entropy, correlation coefficient, keyspace, key sensitivity, and the NIST randomness test were carried out to show the effectiveness of the proposed system. The various security analyses show that the proposed scheme can resist many attacks like the known and chosen-plaintext attack, differential attack, and different types of noise attacks. Further, some important metrics are compared with state-of-the-art schemes, and the proposed method exhibits superior performance. Therefore, the proposed system has good prospects in real-time multimedia-based applications.