1 Introduction

Coupled with the development of multimedia technology and Internet, encryption of images has become an emergency research in recent years. Images are classified by its high correlation between adjacent pixels, so traditional encryption by S-box of DES (Data Encryption Standard) or AES (Advanced Encryption Standard) is not enough. Figure 1 shows the result of encryption by a single S-box, which is the core component in DES and AES. From the figure, we can see that the outline of the image is clear, so we must find a more efficient method for image encryption.

Fig. 1
figure 1

Encryption result by a single S-box

Full size image

Chaotic systems have good features of sensitive dependence on initial conditions, pseudo-randomness, periodicity, and reproduction. Lots of image encryption algorithms based on chaos are proposed [122]. The authors presented an image encryption algorithm based on reversible cellular automata combining chaos in [1]; in [2, 15, 17] coupled chaotic system was used; the authors proposed an image encryption algorithm based on linear hyperbolic chaotic system of partial differential equations in [3]; the hyperchaotic system was used in the algorithm proposed in [19]; the authors in [6, 14] used piecewise linear chaotic map in algorithms; delayed fractional-order chaotic logistic system was employed by the authors of [7]; the authors of [8] used classical chaotic masking technique; the authors of [1113] employed chaotic maps and S-box in their algorithms; in [20], the authors presented a double optical image encryption, which used discrete Chirikov standard map and chaos-based fractional random transform; the authors presented a method using self-synchronizing to improve security of image encryption algorithms based on multichaos in [21]; in [22], the authors analyzed a chaos-base image encryption and improved the algorithm. In recent years, not only in image encryption chaotic systems are also used to construct S-boxes. S-box is one of the core components in block cipher and has been widely used in cryptographic standards such as DES and AES. Recent researches show that it is a novel and promising direction to utilize the nonlinear property of chaos to design S-boxes. Lots of S-box construction algorithms [2326] based on chaotic systems have been proposed in recent years. Furthermore, S-box was also used in image encryption [1113] and watermarking [27]. In [28], the authors proved that the algorithms cannot resist chosen plain-text attacks in which the S-boxes are generated before encryption [1113].

All above image encryption algorithms were complexly designed, and some of them cost more time while the others cannot resist certain attacks. In this paper, we proposed an image encryption algorithm, which uses dynamic S-boxes, that is, the S-boxes are generated according to the plain image when the encryption is proposed. In order to obtain a fast and secure image encryption method, we observed that if the correlation between adjacent pixels could be smashed, then we could use S-box in image encryption. To smash the correlation, a method is to shuffle the image pixels first and another method is to substitute adjacent pixels by different S-boxes. In the algorithm, the latter is employed and chaotic systems are used to construct the S-boxes. Because for only one image pixel constructing an S-box is time-consuming and unrealistic, the image pixels are divided to several groups according to rows and adjacent rows are in different groups. For each group, a new S-box is generated and used. By this way, the corrections between vertical adjacent pixels are smashed. And then we use the same method on columns in order to smash its correction between horizontal adjacent pixels. In order to get higher security, we do the encryption from four directions. An external 256-bit secret key is employed in order to get large key space. The last pixel of plain image and encrypted pixel values are going to influence the construction of S-boxes in order to resist differential attacks and chosen plain-text attacks. It is proved that the algorithm has better character in encryption speed and security.

The rest of the paper includes: In Sect. 2, chaotic systems and the construction method of a S-box are introduced, which is employed in the proposed algorithm; the encryption and decryption algorithm will be presented in Sect. 3; in Sect. 4, the speed and security analysis of the algorithm and comparison with other algorithms are illustrated and the conclusion is given in Sect. 5. Finally, the references are listed.

2 Chaotic systems and construction of S-box

The logistic map and the Kent map are two of the frequently-used chaotic maps. They can be presented as follows:

$$\begin{aligned} &{x_{n + 1} = \mu x_{n}(1 - x_{n}),} \end{aligned}$$
(1)
$$\begin{aligned} &{x_{n + 1} = \left \{ \begin{array}{l@{\quad}l} \frac{x_{n}}{b},& 0 \le x \le b, \\ \frac{1 - x_{n}}{1 - b},& b < x \le 1, \end{array} \right .} \end{aligned}$$
(2)

where x n ∈(0,1),μ∈(0,4] and b∈(0,1). When μ=4.0, the data range of x n in Eq. (1) is [0,1]. In our algorithm, we use μ=4.0.

The construction algorithm of S-boxes would use the chaotic maps presented in Eqs. (1)–(2) [25]. A brief introduction of the construction method would be stated in following, and the feathers of the S-boxes constructed have been proved in [25].

Step 1. Set a sequence Y=[0,1,2,…,n−1] and an empty sequence Z=[ ] where n=N×N if we want to construct a N×N S-box.

Step 2. Divide (0,1) into n minizones and label them as T i (i=0,1,…,n−1).

Step 3. Iterate Eqs. (1)–(2) several times alternately, that is, after iterating Eq. (1) use its state as initial state of Eq. (2), iterate once and then use its state as initial state of Eq. (1). A state is obtained and if it belongs to the minizone T i and i is not in sequence Z, add i to the end of sequence Z.

Step 4. Repeat Step 3 until there are n elements in sequence Z.

Step 5. Translate sequence Z to a N×N table, then the S-box is gotten.

In proposed image encryption algorithm, 16×16 S-boxes are used, so n=256.

3 Encryption and decryption algorithm

In order to resist chosen plain-text attacks, the encryption S-boxes must be different due to different images, so we also use the last pixel value of the plain image as the secret key which is presented by pk. Coupled with pk an external 256-bit secret key is needed for calculating the initial state and parameters of chaotic systems in the proposed algorithm. The image pixels are divided into groups according to rows or columns and different groups use different S-boxes constructed by chaotic maps. Before processing the next group, we alter the initial state of the chaotic system according to the encrypted group pixel values in order to make the algorithm robust to resisting differential attacks and chosen plain-text attacks. The encryption algorithm will be stated in detail as follows:

Step 1. Present the external 256-bit secret key, the plain image and pk as

$$\begin{aligned} &{K = [k_{1},k_{2}, \ldots,k_{32}],} \end{aligned}$$
(3)
$$\begin{aligned} &{I = [v_{i,j}]\ (i,j = 1,2, \ldots,256),} \end{aligned}$$
(4)
$$\begin{aligned} &{\mathit{pk} = v_{256,256},} \end{aligned}$$
(5)

and calculate the initial state and parameters of chaotic system according to Eqs. (3)–(17).

$$\begin{aligned} &{\mathit{xsum} = \mathit{pk} \oplus k_{1} \oplus k_{2} \oplus \cdots \oplus k_{32},} \end{aligned}$$
(6)
$$\begin{aligned} &{\mu = 4.0,} \end{aligned}$$
(7)
$$\begin{aligned} &{b = \bigl\{ (k_{32} + k_{1} + \mathit{xsum}) / 2^{8} + 0.01 \bigr\},} \end{aligned}$$
(8)
$$\begin{aligned} &{d_{1} = (k_{26} + k_{7} + \mathit{xsum}) \bmod 5 + 5,} \end{aligned}$$
(9)
$$\begin{aligned} &{d_{2} = (k_{27} + k_{6} + \mathit{xsum}) \bmod 5 + 5,} \end{aligned}$$
(10)
$$\begin{aligned} &{d = [d_{1},d_{2}],} \end{aligned}$$
(11)
$$\begin{aligned} &{x_{1} = \bigl\{ (k_{23} + k_{10} + \mathit{xsum}) / 2^{8} + 0.01 \bigr\},} \end{aligned}$$
(12)
$$\begin{aligned} &{x_{2} = \bigl\{ (k_{22} + k_{11} + \mathit{xsum}) / 2^{8} + 0.01 \bigr\},} \end{aligned}$$
(13)
$$\begin{aligned} &{x_{3} = \bigl\{ (k_{21} + k_{12} + \mathit{xsum}) / 2^{8} + 0.01 \bigr\},} \end{aligned}$$
(14)
$$\begin{aligned} &{x_{4} = \bigl\{ (k_{20} + k_{13} + \mathit{xsum}) / 2^{8} + 0.01 \bigr\},} \end{aligned}$$
(15)
$$\begin{aligned} &{\mathit{xr} = [x_{1},x_{2}],} \end{aligned}$$
(16)
$$\begin{aligned} &{\mathit{xc} = [x_{3},x_{4}],} \end{aligned}$$
(17)
$$\begin{aligned} &{\mathit{round} = 1,} \end{aligned}$$
(18)

where μ and b are parameters of logistic map and the Kent map, respectively; {x} can get decimal part of x; d is a vector by which the image pixels are divided into groups; xr, xc are the initial states of chaotic system while encrypting groups in rows and columns, respectively, by S-boxes.

Step 2. Do

$$\begin{aligned} &{\mathit{pace} = d(\mathit{round}),} \\ &{x_{n} = \mathit{xr}(\mathit{round}),} \\ &{\mathit{xsum} = 0.} \end{aligned}$$

And make

$$\begin{aligned} \mathit{group}_{1} = [v_{1,j}] \end{aligned}$$

and

$$\begin{aligned} &{\mathit{group}_{l} = [v_{l,j},v_{l + \mathit{pace},j},v_{l + 2\mathit{pace},j}, \ldots ]} \\ &{\quad(l = 2,3, \ldots,\mathit{pace} + 1).} \end{aligned}$$

Step 3. Iterate the chaotic maps alternately and construct an S-box.

Step 4. Substitute the pixels of group 1 by the S-box constructed in Step 3 and after each substitution xor the encrypted pixel to xsum.

Step 5. Alter the x n by

$$x_{n} = \bigl\{ x_{n} + \mathit{xsum} / 2^{8}\bigr \}. $$

Initialize

$$\mathit{xsum} = 0. $$

Step 6. Repeat the Steps 3–5 for group l .

Step 7. Do

$$x_{n} = \mathit{xc} (\mathit{round}), $$

and

$$\mathit{xsum} = 0; $$

make

$$\mathit{group}_{1} = [v_{i,1}] $$

and

$$\mathit{group}_{l} = [v_{i,l},v_{i,l + \mathit{pace}},v_{i,l + 2\mathit{pace}}, \ldots ]. $$

Step 8. Repeat Steps 3–6. Then reverse the image pixels and do round=2.

Step 9. Repeat Steps 2–8.

Now, the cipher image is gotten. The decryption steps are almost the same with the encryption steps except that the reverse of image pixels must be done first and S-boxes must be changed into their inverse S-boxes. The experimental result is shown in Fig. 2. Figure 2(a) shows the plain-text image of peppers and its cipher-text image and decoding image are shown in Fig. 2(b) and Fig. 2(c), respectively.

Fig. 2
figure 2

Experimental results of the algorithm proposed

Full size image

4 Security analysis and speed analysis

4.1 Statistical analysis

It is well known that the statistical property of a cipher image is enormously vital and an ideal image algorithm should be robust against any statistic attacks. Histogram and correlation of two adjacent pixels are two important indicators of statistical analysis. To describe the statistical property of the proposed algorithm, the authors applied the encryption algorithm to 256×256 256-grey images.

Histogram: Histograms of plain image and cipher image are plotted, through which we can intuitively see the number of pixels of each value. A good image algorithm should make the histogram of cipher image as much as possible flat. The histograms of lena and its cipher image are shown in Fig. 3. Figures 3(a) and (c) are lena image and its histogram; Figs. 3(b) and (d) are the cipher image of lena and its histogram.

Fig. 3
figure 3

Histograms of plain image and cipher images

Full size image

Correlation of two adjacent pixels: Generally speaking, the two adjacent pixels of a plain image would come near to each other and a good image encryption algorithm could smash this relation between them. 10000 pairs of adjacent pixels from plain image of a bird and its cipher image are selected randomly in horizontal direction, vertical direction, and diagonal direction, respectively, and the correlation of them is plotted out. The results are showed in Fig. 4. Moreover, the correlation coefficients r xy of each pair are calculated using the following equations [17]:

$$\begin{aligned} &{\operatorname{cov} (x,y) = E\bigl\{ \bigl(x - E(x)\bigr) \bigl(y - E(y) \bigr)\bigr\},} \end{aligned}$$
(19)
$$\begin{aligned} &{r_{xy} = \frac{{\mathop{\mathrm{cov}}} (x,y)}{\sqrt{D(x)} \sqrt{D(y)}},} \end{aligned}$$
(20)

where x and y are values of the two adjacent pixels in the image,

$$E(x) = \frac{1}{N}\sum_{i = 1}^{N} x_{i}, $$

and

$$D(x) = \frac{1}{N}\sum_{i = 1}^{N} \bigl(x_{i} - E(x) \bigr)^{2}. $$
Fig. 4
figure 4

Correlations of two adjacent pixels

Full size image

The correlation coefficients of the plain image and cipher images are shown in Table 1. From Fig. 4 and Table 1, it could be known that there are no detectable correlations exist between the plain image and its corresponding cipher images.

Table 1 Correlation coefficients of two adjacent pixels in the plain and cipher images
Full size table

4.2 Key space analysis

It is widely known that a good encryption algorithm should have big key space and be sensitive to its key. In this research, an external 256-bit secret key is designed and all initial conditions, parameters, and group basis are generated by the secret key and the last pixel value of plain image.

Key space: In the proposed algorithm, a 256-bit external key is needed, so that the key space is 2256 and it is big enough to stand up brute force attacks.

Sensitivity to secret key: the external key “116, 3, 163, 12, 213, 82, 4, 130, 56, 112, 27, 101, 127, 90, 110, 19, 216, 19, 1, 157, 149, 24, 223, 68, 1, 30, 41, 65, 23, 64, 19, 16” in which each 8-bit is presented by decimalism is used to encrypt the plain image “boat.bmp.” A slightly changed key “116, 3, 163, 12, 213, 82, 4, 130, 56, 112, 27, 101, 127, 90, 110, 19, 216, 19, 1, 157, 149, 24, 223, 68, 1, 30, 41, 65, 23, 64, 19, 17” and the correct key are used to decrypt the cipher image, respectively. The results are shown Fig. 5. The different rates of cipher images, which are encrypted by the correct key and the slightly changed key, respectively, are shown in Table 2.

Fig. 5
figure 5

The plain image, encoding image, decoding correctly image and decoding by a slightly changed key

Full size image
Table 2 Different rate of the cipher images encrypted by correct key and the slightly changed key
Full size table

4.3 Information entropy

The information entropy can be calculated by

$$ H(m) = \sum_{0}^{M - 1} p(m_{i} ) \log \frac{1}{p(m_{i})}, $$
(21)

in which m is a set of symbols; M is the total number of symbols m i m; p(m i ) is the probability of m i . In the experiment, 256 gray level images are used, so the theoretical H(m) should be 8. The information entropies of cipher images using our algorithm are shown in Table 3. From Table 3, it is known that the information entropies are close to eight, so the algorithm proposed has good property of information entropy.

Table 3 Information entropies of cipher image
Full size table

4.4 Resisting differential attack analysis

In order to resist differential attacks, a petty change in plain image must cause amount of differences of pixels in cipher images. Two quantitative measures, which are number of pixels change rate (NPCR) and unified average changing intensity (UACI), are used to measure the influences on cipher images of a one-pixel change in plain image. A cipher image and its plain image are presented as C 1,I 1 and another cipher image and its plain image are presented as C 2,I 2 where there is only one pixel value different between I 1 and I 2. A matrix D is created, where if C 1(i,j)=C 2(i,j), D(i,j)=0; otherwise D(i,j)=1. NPCR and UACI are calculated by [18]:

$$\begin{aligned} &{\mathit{NPCR} = \frac{\sum_{i,j} D(i,j)}{W \times H} \times 100~\%,} \end{aligned}$$
(22)
$$\begin{aligned} &{\mathit{UACI} \,{=}\, \frac{1}{W \,{\times}\, H}\biggl(\sum _{i,j} \frac{\vert C_{1}(i,j) \,{-}\, C_{2}(i,j) \vert }{255} \biggr) \,{\times}\, 100~\%,} \end{aligned}$$
(23)

where W, H are the width and height of the image, respectively.

A pixel from plain image is changed by adding 1 to it and a new cipher image is got which is compared with the old cipher image to calculate NPCR and UACI. In the experiment, for each sample image the last pixel and 999 randomly selected pixels are taken to change and 1000 pairs of cipher images are compared, then the average, the minimum, and the maximum of NPCRs and UACIs are calculated, respectively. The experiment results are shown in Table 4 and a conclusion can be inferred that the proposed algorithm has good property in resisting differential attacks. By contrast, the algorithm proposed in [19] cannot resist differential attacks, because the authors did not do any diffusion in the encryption progress, the cipher pixels only relating with the hyperchaos and plain image’s current pixels.

Table 4 NPCRs and UCAIs between different ciphers while plain images only have only one different pixel
Full size table

4.5 Resisting known-plaintext and chosen-plaintext attacks analysis

In [28], the authors proposed a cryptanalysis algorithm of S-boxes-only cipher images against chosen attacks. This algorithm can break image encryption algorithms in which the S-boxes are constructed in advance.

But according to our algorithm, the construction of S-boxes are doing in the encryption procedure and the initial conditions of the chaotic system for constructing S-box are influenced by the last pixel of plain image and encrypted pixel values. So, with different images, the S-boxes for groups are different. Even if the attackers get a certain plain image and its cipher image, they could not use it in other cipher images. Therefore, the proposed algorithm can well resist the known- and chosen-plaintext attacks (as described in [2931]). And as described above in Sect. 4.4, because of that the algorithm in [19] also cannot resist known- and chosen-plaintext attacks.

4.6 Speed analysis

In the proposed algorithm, we desert the traditional method of doing shuffling and diffusion stage and directly substitute the image pixels value by S-boxes for four times. We do not need to construct S-box for each row or column of image; we divide the image pixels into groups and use different S-boxes for different groups instead. So we reduce the time in constructing S-boxes. Comparisons with [14, 16, 17] and [19] are made and the results are shown in Table 5. Our experimental environments are MATLAB R2012a and a PC computer with Intel Core 2 Duo CPU E4500@ 2.20 GHz, 2.19 GHz, 1.98 G RAM, and Window XP OS. From experimental results shown in Table 5, it can be proved that our algorithm has better property in speed. In order to meet the highest security, we run the algorithms for different number of rounds accordingly.

Table 5 Comparison the proposed algorithm with other algorithms on speed
Full size table

In [17], they combine the shuffling and diffusion stage and reduce the iteration of the chaotic system, but they do too much logic operation on 64 numbers, which are used to encrypt a block. This makes the program scanning the 64 numbers repeatedly in encryption of each block, so its encryption speed is slow.

5 Conclusion

In this paper, an image encryption algorithm based on dynamic S-boxes is proposed and the security of the algorithm is analyzed. The cipher image is divided into groups and each group uses an S-box. In the experiment, we divide the image into less than ten groups, so although we scan the image for four times, we only need to construct less than 50 S-boxes. Before the construction of a new S-box the initial state would be altered by the prior encrypted group. And comparisons with the encryption algorithms proposed in [14, 16, 17], and [19] are made for proving that the proposed algorithm has better property in resisting differential attacks and speed. It is also illustrated that this algorithm has big key space and can stand up to information entropy analysis, known plaintext attacks, and chosen plaintext attacks.

Although the proposed algorithm has higher speed and good secure feature, there is still a lot of work to do. When an algorithm is complicated, the speed must be expensed and absolutely a high security will be obtained. By contrast, when an algorithm is simple, less time is consumed and the security will be low. We must find an image encryption algorithm, which has high security and consume as less time as possible. Also, the precision of the decimal in different computers or different OS could affect the decryption of image and it is important because the proposed algorithm is used in communication in Internet. So, the next work will be solving the accordance between different environments.