1 Introduction

In any communication system, including the satellite and the Internet, it is almost impossible to prevent unauthorized people from eavesdropping. When information is broadcast from a satellite or transmitted through the Internet, there is a risk of information interception. Security of image and video data has become increasingly important for many applications, including video conferencing, secure facsimile, medical and military applications. The conventional encryption techniques are not suitable for image encryption due to high redundancy, strong correlation and high computation complexity. The chaos based cryptosystems are suitable for the secure transmission of images due to the intrinsic features of chaotic systems such as ergodicity, mixing property, sensitivity to initial conditions, and system parameters. It can be considered analogous to ideal cryptographic properties such as confusion and diffusion properties. Hence, many chaos based encryption systems have been proposed [4, 16, 18, 20, 21] in the last two decades.

Most chaotic image encryption systems use the permutation substitution architecture. These two processes are repeated for several rounds, to obtain the final encrypted image. Fridrich [3] suggested a chaotic image encryption method composed of permutation and substitution. All the pixels are moved using a 2D chaotic map. The new pixels moved to the current position are taken as a permutation of the original pixels. In the substitution process, the pixel values are altered sequentially. Chen et al. [2] employed a three-dimensional 3D Arnold cat map and a 3D Baker map in the permutation stage. Lian et al. [9] used a chaotic standard map in the permutation stage and a quantized logistic map in the substitution stage. Sam et al. [13] used improved chaotic map for the substitution and diffusion stages. The maps are generated a series of pseudorandom values and the scheme is highly secure. Block ciphers have been proposed to improve the security level [15, 17]. The cryptanalysis techniques on chaotic maps have also been attempted in recent years [1, 6, 7, 14].

In [10], the logistic and standard maps are used to generate a Pseudo Random Number Sequence (PRNS) controlling two kinds of encryption operations. This scheme was later cryptanalyzed by Rhouma et al. [12] and they found that it was not secure in the sense that an equivalent key can be obtained from only one known/chosen plain-image and the corresponding cipher-image. In order to resist Rhouma et al.’s attack, a modified version of the original scheme was proposed [11] by same authors. It was claimed that the modified image cipher preserves all the good properties of the original cipher and is also capable of withstanding against the chosen/known plaintext attacks. But the scheme is found to be insecure [8] in the sense that an equivalent key can be found. The major steps in the scheme are as follows:

  1. (1)

    Modified Horizontal Diffusion (mHD):

    $$\mathrm{mHD}(X)=\mathrm{HD}(X)\oplus \mathrm{mHD}(\circleddash),$$

    where X is the input matrix and ⊝ is a zero matrix of the same size as X.

  2. (2)

    Modified Vertical diffusion (mVD):

    $$\mathrm{mVD}(X)=\mathrm{VD}(X)\oplus \mathrm{mVD}(\circleddash).$$
  3. (3)

    The encryption procedure of equivalent key is as follows:

    $$I'=\mathrm{VD}\bigl(\mathrm{HD}(I)\bigr)\oplus\tilde{I}_\mathrm{key},$$

    where \(\tilde{I}_{\mathrm{key}}=\mathrm{VD}(\mathrm{HD}(I_{x\mathrm{key}}))\oplus \mathrm{VD}(\mathrm{mHD}(\circleddash))\oplus \mathrm{mVD}(\circleddash)\oplus I_{\mathrm{CKS}}\).

  4. (4)

    From the properties of steps 1 and 2, we can define

Since the above operations are linear in nature, the scheme is highly vulnerable to known plaintext attacks. Note that the equivalent key \(\tilde{I}_{\mathrm{key}}\) can be obtained as

$$\tilde{I}_\mathrm{key}=\mathrm{VD}\bigl(\mathrm{HD}(I)\bigr)\oplus I'.$$

In order to address this problem, we have introduced nonlinear operations in our scheme. An intertwining chaotic maps based scheme is suggested in this paper to overcome the above weakness. The scheme uses significant features such as sensitivity to initial conditions, permutation of keys, intertwining chaotic maps, byte substitution, nonlinear diffusion, and subdiagonal diffusion. The nonlinearity is used to overcome the limitation of the Patidar et al. [11] scheme. The rest of this paper is organized as follows. Section 2 introduces and compares the logistic map and intertwining maps. Section 3, the new image encryption scheme based on intertwining chaotic map is proposed. Section 4, the security of new scheme is analyzed. Finally, the conclusions are discussed in Sect. 5.

2 Logistic map

The logistic map is a simple nonlinear model, but it has complicated dynamic behavior. The chaotic sequence produced by the logistic map is extremely sensitive to the change of its initial value. The logistic map is defined as

$$x_{n+1}=\mu x_{n}(1-x_{n}),$$

where 0 < x n < 1 and 0<μ≤4. The sequences produced by the logistic map are controlled by the parameter value of μ and the initial value of x n . The system has a different characteristics with different values of μ called the bifurcation parameter. The process of bifurcation starts from μ>3.564 to μ<4. It may be noted that the more closer the value of μ to four, the system response will be more chaotic. Figure 1 shows the different characteristics for the values of μ. The horizontal axis shows the values of the parameter μ and the vertical axis shows the possible long term values of x n .

Fig. 1
figure 1

Bifurcation of the logistic map

Full size image

Logistic mapping sequences also have good autocorrelation and cross-correlation properties. The iterative sequences which are produced by the logistic map can replace traditional pseudorandom sequences produced by the linear feedback shift register (LFSR) used in encryption.

In general, the logistic map has some common weaknesses such as stable windows, blank windows, uneven distribution of sequences, and a weak key as suggested by Jianquan et al. [5]. The blank window is a more serious weakness than the other mentioned ones. Figure 2 illustrates the blank window by logistic map when μ=3.828.

Fig. 2
figure 2

Blank Window of the logistic map

Full size image

Hence, a new type of intertwining logistic maps are required to alleviate the weaknesses. The maps are mixed well together so as to achieve larger key space and to attain chaotic behavior.

2.1 Intertwining logistic map

The proposed intertwining logistic maps are defined as follows:

where 0<μ≤3.999, |k 1|>33.5, |k 2|>37.9, |k 3|>35.7. These are used to increase the chaotic key space. Along with the key k i the distribution of the sequences becomes better. Figure 3 shows the uniform distribution of sequences. The aforementioned weaknesses such as stable windows, blank windows, uneven distribution of sequences, and weak key are completely resolved.

Fig. 3
figure 3

Distribution of the sequences for intertwining map

Full size image

Thus, the proposed intertwining logistic map does not have security issues which are present in the logistic map. Moreover, the resulting chaotic sequences are uniformly distributed and the key size has been increased greatly.

2.1.1 Comparison between logistic map and intertwining chaotic map

In order to determine whether a map is chaotic or not, the simplest way is to calculate the map’s Lyapunov exponent. A chaotic system is sensitive to small changes in the initial state. The parameter is positive; the new map is extremely sensitive to small changes in the values. The basic expression of the discrete Lyapunov exponent is defined as

$$\lambda_{F}=\frac{1}{M}{ \sum_{i=0}^{M-1}\ln\frac{d(F(m_{i+1}),F(m_{j}))}{d(m_{i+1},m_{j})}},$$

where m i is the subset of the trajectory of a digitalized map F in length M and d(m i ,m j ) is the distance between m i and m j . The computation of the Lyapunov exponents for logistic map is shown in Fig. 4.

Fig. 4
figure 4

Lyapunov exponents of the logistic map

Full size image

Figure 5 shows that the complex degrees of the intertwining chaotic model are larger and more random than logistic map. The positive frequency indicates the sequence are more random and complex.

Fig. 5
figure 5

Lyapunov exponents of the intertwining map

Full size image

We have constructed a histogram to display the frequency in which the states along a trajectory fall into a given region in the state space. We have divided the state space [0,1] into n=256 discrete nonintersecting intervals, where the ith interval is \([\frac{i-1}{n},\frac{i}{n} ]\); for i=1,2,…,n=256. Then a long trajectory of length 100000 is calculated, using an initial system state x 0 as follows:

For the logistic map,

where i=1,2,3,…,100000. Figure 6 shows the histogram of the logistic map.

Fig. 6
figure 6

Histogram of the logistic map

Full size image

For the intertwining map,

The trajectory of length 100000 using the initial values of the system (x 0,y 0,z 0) are generated as follows:

Note that, in the logistic map (Fig. 6) the intensity values are not uniformly distributed and the intensity values are high near zero and near one. But the histogram of the intertwining map is uniformly distributed as shown in Fig. 7. Hence, uniform distribution is obtained for each proposed maps and also the key space of the intertwining chaotic system is larger than the logistic map. It is better and more suitable for image encryptions.

Fig. 7
figure 7

Histogram of the intertwining map

Full size image

3 Proposed scheme

The architecture of the proposed intertwining chaotic maps based image cryptosystem is shown in Fig. 8. The scheme consists of four major phases, permutation, byte substitution, nonlinear diffusion, and subdiagonal diffusion. The permutation of pixel position, the change of pixel value, and byte substitution are carried out to enable the confusion process. Two rounds of operations are carried out. The pixel value mixing effect of the whole cryptosystem is altered greatly.

Fig. 8
figure 8

Architecture of the proposed image cryptosystem

Full size image

The plain image is stored in a two-dimensional array of {R i,j ,G i,j ,B i,j } pixels. In this, 1≤iH and 1≤jW, where H and W represent the height and width of the plain-image in pixels.

3.1 Key generation

Three initial values are used for the key generation. They are randomly chosen float numbers stored in x 1,1,y 1,1, and z 1,1. They are used as the secret keys for the scheme. The corresponding integer values are X 1,1=⌊x 1,1×256⌋, Y 1,1=⌊y 1,1×256⌋and Z 1,1=⌊z 1,1×256⌋, respectively. The key stream is generated with the help of the proposed intertwining chaotic maps as follows:

where X i,j ,Y i,j ,Z i,j are the set of chaotic keys. The μ values are in between 3.567 to 3.999 to achieve chaotic behavior. The size is the same as plain-image. Moreover, we use three float numbers as multipliers k 1,k 2,k 3 in the proposed maps to increase the randomness and uniform distribution of the key values.

3.2 Initial permutation

Permutation transformations are a basic operations in many scrambling and encryption systems. There are two iterative stages in the chaos based image cryptosystem. Generally, the confusion effect is obtained in the permutation stage, while the diffusion effect is performed in the pixel value diffusion stage. Confusion makes the relationship between the key and the ciphertext as complex as possible.

The confusion stage permutes the pixels in the image, without changing its value. The pixel values are modified sequentially in the diffusion stage, so that a small change in one pixel in the image causes an enormous difference in the whole image. In order to decorrelate the relationship between adjacent pixels, the permutation of pixels is introduced in the confusion stage. The confusion stage of the proposed scheme is composed of position permutation, byte substitution, and simple pixel value modification. Here, the process uses six odd random secret key values for scrambling the plain-image and then XORing it with the first chaotic key for pixel value modification simultaneously. The pixels are permuted using the following operations:

where X i,j is the first chaotic key, R[i,j], G[i,j], B[i,j] represent the red, green, blue channels in the plain-image and \(\mathit{CR}_{i,j},\mathit{CG}_{i,j},\mathit{CB}_{i,j}\) denote the (i,j)th pixel of the permuted image. The method uses p 1,p 2,p 3,p 4,p 5,p 6 as odd random values for scrambling the image. In order to get a reversible permutation, p 1,p 3,p 5 must be chosen so that to relatively prime to H and similarly p 2,p 4,p 6 are relatively prime to W. When the typical images height and width are even numbers, the p 1,p 2,p 3,p 4,p 5,p 6 must be odd. The above permutation operations produce good scrambling of the image, and hence enhance the security.

3.3 Byte substitution

Each individual RGB pixel byte of the state is replaced with a new byte by using the S-box of the AES (Advanced Encryption Standard) algorithm. The size of the S-box is 16×16 values. Here, the RGB component of each pixel is divided into two parts; the left half consists of the left most four bits and the right half consists of the right most four bits. They are denoted by LR, RR, LG, RG, LB, RB. For the red channel, the byte substitution is performed treating LR as the row number and RR as the column number of the S-box. Similarly, the other channel substitutions are done. The resultant values are XORed with the second chaotic key. It improves the security against the known/chosen plaintext attacks.

3.4 Nonlinear diffusion

Diffusion refers to the property that redundancy in the statistics of the plaintext is dissipated in the statistics of the cipher text. The RGB diffusion is obtained by the 5 Least Significant Bits (LSB) circular shift method. The resultant values are again XORed with the first chaotic key to all the red, green, and blue channels. The procedure for the nonlinear diffusion is as follows:

where X i,j is the first chaotic key, \(\mathit{CR}_{i,j},\mathit{CG}_{i,j},\mathit{CB}_{i,j}\) denotes the resultant values of the circular shift operation and \(\mathit{CSR}_{i,j},\mathit{CSG}_{i,j},\mathit{CSB}_{i,j}\) denotes the nonlinear diffusion image of the XORed operation. The combination of the 5 bit circular shift and XORing make the encryption operation nonlinear, and hence the system becomes strong against known/chosen-plaintext attacks.

3.5 Subdiagonal diffusion

Diffusion is obtained with the help of subdiagonal XORing and XORing with the third chaotic key and so on. The subdiagonal operation is shown in Fig. 9.

Fig. 9
figure 9

Subdiagonal pixel value reading

Full size image

The procedure for the red channel is as follows:

Choose three random integers R 0, G 0, B 0 in the range 1 to 256.

Here, max is the maximum size of the image, \(\mathrm{in}R\) and \(\mathrm{out}R\) are the input and output of the image and \(\mathrm{Iv}R,\mathrm{Iv}G,\mathrm{Iv}B\) are the initial vector of each channel which may also be treated as an 8-bit secret key. Z i,j is the third chaotic key. The pixel is modified by XORing the first and second pixels with the chaotic key, the third pixel is modified by XORing modified second and third pixels with key and the process continues until the end of the image. The similar procedure is applied for the other channels. These operations enhance the diffusion property and hence improve the security levels.

3.6 Rounds

The whole confusion-diffusion steps 3.2 to 3.5 are repeated from beginning to end to achieve a satisfactory level of security. Simulation of the scheme is discussed in Sect. 4, shows that the desired level of security can be achieved only in two rounds.

3.7 Decryption

The decryption algorithm is just the reverse of the encryption one. In order to get the original image, encrypted image pixel values are XORed with the same set of secret keys which were used in the encryption process.

3.7.1 Inverse subdiagonal diffusion

The reverse procedure for the red channel is as follows:

3.7.2 Inverse nonlinear diffusion

The inverse nonlinear diffusion is obtained by the 5 bit reverse circular shift method. The resultant values are XORed with the same RGB channels. The procedure for the inverse nonlinear diffusion is as follows:

3.7.3 Inverse byte substitution

The inverse S-box is used for byte substitution. Each individual RGB pixel byte of the state is replaced with a new byte by using the inverse S-box of the AES algorithm. The same technique is followed as for encryption to replace the substituted values. Finally, the inverse resultant values are XORed with the second chaotic key.

3.7.4 Inverse permutation

The permutation is replaced by the inverse value permutation. The inverse method is described by:

where \(p_{1}^{-1}\operatorname{mod} H,p_{2}^{-1}\operatorname{mod} W,\ldots\) inverse odd random values. The original image can be recovered once the above decryption process is completed.

4 Security analysis

A good encryption scheme should resist all kinds of known attacks, such as known-plaintext, ciphertext only, statistical, differential, and various brute force attacks. Some security analyzes have been performed on the proposed image encryption scheme, including the most important ones like the key sensitivity, statistical, and differential analyses, which have demonstrated the robust security of the new scheme, as shown in the following.

4.1 Statistical analysis

Statistical analysis has been performed on the proposed image encryption scheme, demonstrating its superior confusion-diffusion properties which strongly resist statistical attacks. This is shown by the test on the histograms of the enciphered images and on the correlations of the adjacent pixels in the ciphered image.

4.1.1 Histogram analysis

The histogram analysis is used to illustrate the confusion and diffusion properties in the encrypted data. We have chosen USC-SIPI image database (freely available at http://sipi.usc.edu/database/) for testing purposes. In the permutation process, the odd values are taken as p 1=7,p 2=31,p 3=23,p 4=9, p 5=15,p 6=91. In the inverse permutation process the values are used as \(p_{1}^{-1}=183,p_{2}^{-1}=223\), \(p_{3}^{-1}=167,p_{4}^{-1}=57,p_{5}^{-1}=239,p_{6}^{-1}=211\). The histogram of the plain image “Lena” and the histogram of the encrypted image are shown in Fig. 10. Comparing the two histograms, it may be observed that the histogram of the encrypted image is uniform and is significantly different from that of the original image, and that the encrypted images transmitted do not provide any suspicion to the attacker, which can strongly resist statistical attacks.

Fig. 10
figure 10

Histogram of plain image ‘Lena’ and its encrypted image

Full size image

4.1.2 Correlation of two adjacent pixels

The effect of image scrambling is related to the correlation of adjacent pixels. A better scrambling effect is indicated the lower correlation value. In order to test the correlation between two adjacent pixels in plain-image and cipher-image, we have analyzed the correlation between pairs of plain-image channels and cipher-image channels. The following formulae is used to calculate the correlation coefficients in the horizontal, vertical and diagonal directions. The calculated results are listed in Table 1.

where α and β denote two adjacent pixels and N is the total number of duplets (α,β) obtained from the image.

Table 1 Correlation coefficients between adjacent pixels of plain-image and cipher-images
Full size table

The proposed cipher image channel values are close to zero and shows a better scrambling effect.

4.2 Key space analysis

An ideal encryption scheme should have larger secret key length, such that the key space should be large enough to make brute-force attacks infeasible. In the proposed scheme, the initial conditions and parameters of three maps are used as keys. The multiplier k 1k 2, and k 3 treated as key in the intertwining maps and the key space is approximately 2192. \(\mathrm{Iv}R,\mathrm{Iv}G,\mathrm{Iv}B\) are also used as part of the key, then the key space is increased up to 2216. The combination of the key space is large enough in the proposed scheme to resist the attacks.

As shown in Table 2, the proposed scheme has larger key size than other schemes.

Table 2 Key space size of the proposed scheme and different encryption scheme
Full size table

4.3 Sensitivity analysis

Key sensitivity means that the change of a single bit in the secret key should produce a completely different encrypted image. The two cipher-images are compared pixel-by-pixel. Different images and different key values are tested. A test image “pepper” is encrypted with the following set of secret key: x 0=0.41324738544344, y 0=0.52638928350638, z 0=0.98644737157579, k 1=33.1,k 2=37.3,k 3=35.7, and \(\mathrm{Iv}R=35,\mathrm{Iv}G=25,\mathrm{Iv}B=65\). The output cipher is shown in Fig. 11(a).

Fig. 11
figure 11

Key sensitivity analysis of the proposed scheme on the test image “pepper”. (a) Plain-image. (b) Cipher-image using single bit change of plain text. (c) Cipher-image using single bit change of secret key

Full size image

In order to test key and plaintext sensitivity a single bit is changed any one of the key or plaintext. Here, we changed the key as: x 0=0.41324738544345, y 0=0.52638928350638, z 0=0.98644737157579, k 1=33.1,k 2=37.3,k 3=35.7 and \(\mathrm{Iv}R=35\), \(\mathrm{Iv}G=25\), \(\mathrm{Iv}B=65\). The output cipher is shown in Fig. 11(b).

There is a 99.82 % difference between the two cipher-images. It shows that this algorithm has a great sensitivity to the key and plain text.

4.4 Differential analysis

In order to assess the changing a single bit of key or any pixel value in the plain-image on the cipher-image, the number of pixel change rate (NPCR) and the unified averaged changing intensity (UACI) are computed in the proposed scheme. The NPCR is used to measure the change rate of the number of pixels of the cipher-image when only one bit of key or pixel is modified. The UACI measures the average intensity of two one bit changes of cipher-images. Let us assume, the two ciphered images C 1 and C 2 whose corresponding plain images have only one-pixel difference. The color RGB-level values of ciphered images C 1 and C 2 at row i, column j are labeled as C 1(i,j) and C 2(i,j), respectively. The NPCR is defined as

where W and H are the width and height of two random images and D(i,j) is defined as

Further, the \(\mathrm{UACI}\), is used to measure the average intensity difference in a color component between the two cipher images C 1(i,j) and C 2(i,j). It is defined as

where L is the number of bits used to represent the color channels of red, green, and blue, respectively. The results of \(\mathrm{NPCR}\) and \(\mathrm{UACI}\) are presented in Table 3.

Table 3 NPCR and UACI criteria of the proposed scheme
Full size table

The performance of each stage of the difference between the cipher and plain-images is measured by the mean absolute error (MAE) is defined as

$$\mathrm{MAE}=\frac{1}{W\times H}\sum_{i=1}^{H}\sum_{j=1}^{W}| P_{i,j}-C_{i,j}|,$$

where the parameters P i,j and C i,j are pixel values of plain and cipher images. The MAE indicates the better security. The results for the MAE values are shown in Table 4.

Table 4 A comparison of MAE of different stages
Full size table

The value is found that in the proposed scheme is high. Thus, the cryptosystem is better security.

Wu et al. [19] tested and claimed that many existing image encryption methods are actually not as good as they are purported, although some methods do pass these randomness tests. The results show that a small change in the original image will result in a significant difference in the cipher-image, proposed scheme can be found that the \(\mathrm{NPCR} > 99.63~\%\), \(\mathrm{MAE}>84.24~\%\), and the \(\mathrm{UACI} > 33.43~\%\). So the scheme has a good ability to withstand a differential attack.

4.5 Performance analysis

Apart from the security consideration, the running speed of the algorithm is also an important aspect for a good encryption scheme. The simulator for the proposed scheme is implemented using MATLAB 7.4. The performance is measured on a 3.0 GHz Pentium Core 2 Duo with the 4 GB RAM running Windows Vista Business Edition. Simulation results show that the total encryption time is 0.8645 s and 1.4609 s for decryption.

4.6 Information entropy analysis

Information entropy is one of the criteria to measure the strength of a symmetric cryptosystem. The entropy H(m) of a message m can be calculated as

$$H(m)={ \sum_{i=0}^{2^{N}-1}p(m_{i})\log_{2}\frac{1}{p(m_{i})}}$$

where p(m i ) represents the probability of the occurrence of symbol m i and log denotes the base 2 logarithm. If there are 256 possible outcomes of the message m with equal probability, it is considered as random. In this case, H(m)=8, is an ideal value.

As shown in Table 5, we notice that the values obtained in the proposed scheme are closer to the theoretical value of 8, than the other schemes. This means that information leakage in the encryption process is negligible and the encryption system is secure against entropy attack.

Table 5 The entropy analysis of the proposed and other schemes
Full size table

5 Conclusion

In this paper, an intertwining chaotic maps based image encryption scheme is proposed. The proposed cipher provides good confusion and diffusion properties that ensures high security. Confusion and diffusion have been achieved using permutation, byte substitution, nonlinear diffusion, and subdiagonal diffusion. This scheme is immune to various types of cryptographic attacks like known/chosen plain text attacks and brute force attacks. We have carried out statistical analysis, key sensitivity analysis, key space analysis differential analysis, and entropy analysis to demonstrate the security of the new image encryption procedure. Based on the various analyses, it is shown that the proposed scheme is more secure and fast, and hence more suitable for real time image encryption for transmission applications.