1 Introduction

The chaotic system has various ultimate features, such as ergodicity, sensitivity to preliminary condition. It also exhibits random behavior, which can be applied to the field of cryptography [1]. The behavior of chaotic maps is predictable only if the control parameters and the initial conditions are known to the observer [2, 3]. The chaotic behaviors in the dynamical systems can be used to infer the diffusion and confusion in the plain images, thus safely transmitting the confidential data over telecommunication channels. Therefore, it is a standard indication to use chaos to enhance the strategy of novel cryptosystems.

In block cryptosystem schemes, the original data are distributed into blocks of the same size, and the encryption is carried out for the complete block. Two wide-ranging ideas of block encryption which were proposed by Shannon are confusion and diffusion. The diffusion consists in scattering the effect of plaintext bits to ciphertext bits to obscure the statistical configuration of the plaintext. Confusion is the transformation in which information of ciphertext alters according to the alteration of the plaintext information. In most cryptosystems structures, diffusion and confusion are attained by means of round recurrence. Modern block encryptions comprise four conversions: substitution, permutation, mixing, and key adding [410, 1317].

Substitution boxes, or simply S-boxes, are used in substitution permutation cipher structures as the essential nonlinear element that ensures confusion property of the block ciphers [1822]. A robust block cipher must be hardy to numerous attacks, such as linear and differential cryptanalysis. In strong substitution permutation systems, S-boxes should satisfy a number of measures. The S-box functioning in encryption procedure could be selected under the control of key, as a substitute of being static. Several random key-dependent and bijective S-boxes are generated for encryption applications, which satisfy the selected standards [2328, 3036].

Previous image encryption approaches have many defects in their internal structures and most of them present vulnerabilities and hence attacks become easier and practically feasible [11, 19, 45, 47, 48]. Li et al., analyzed the encryption scheme proposed in [12] and found that the position permutation-only part and the substitution part can be broken by chosen-plaintext attack [11]. Zhang et al. [19] analyzed the security of an image encryption algorithm based on perception model [21] and found that the equivalent secret key can be reconstructed with only one pair of known plaintext/ciphertext. Norouzi et al. proposed a hyper-chaotic system-based image cipher with only one round diffusion process [44]. However, in [45], Zhang et al. found that the scheme can be effectively broken with known-plaintext and chosen-plaintext attacks. The combination of chaos and DNA is employed for many image ciphers. SaberiKamarposhti et al. [46] introduced an image cipher based on three-cell chaotic map and DNA. Recently, Zhang et al. [47] have analyzed the scheme and found that it can be deciphered by a chosen-plaintext attack. Lately, Liu et al. [48] have analyzed the encryption scheme that uses a single-round modified permutation–diffusion pattern (ICMPD) in their internal structure. They report that ICMPD suffers from the weakness against chosen-plaintext attack. Therefore, the need of designing better cipher schemes based on S-boxes and chaos is essential for encryption applications and stimulating further development.

In this paper, an efficient S-box method based on chaotic logistic-sine map is proposed. Then, using the proposed S-box method, a new color image encryption scheme based on chaotic permutation–substitution network and S-boxes is presented. First, a chaotic cat map is used to shuffle the original image. Then, a substitution algorithm based on the suggested S-box is introduced to substitute the shuffled image in order to guarantee the nonlinearity in the generated image. To enhance the security, a diffusion process is done using keystream extracted from a combination of a chaotic logistic-Chebyshev map and the substituted image. Finally, a permutation method is carried out by chaotic sine-Chebyshev map in increasing the performance of the resulted image. Conducted tests show that the proposed S-box method has better performance than other S-boxes. Moreover, the results of cryptographic analyses demonstrate that the proposed chaos-based image encryption algorithm outperforms the current image cipher algorithms in terms of security and performance.

The rest of this paper is organized as follows: Sect. 2 outlines the preliminary work for the proposed approaches. In Sect. 3, we introduce the proposed method for the construction of strong S-box based on chaotic map. In Sect. 4, the criteria for evaluating S-box are briefly presented and the performance of the proposed S-box is evaluated and compared with other chaos-based S-boxes. The proposed encryption scheme and its performance analyses are presented in Sect. 5. Security and performance analysis of S-box-only chaotic image ciphers are investigated in Sect. 6. Finally, Sect. 7 concludes the paper.

2 The preliminary work

2.1 The logistic-sine map

The logistic-sine map is 1-D chaotic map defined as:

$$\begin{aligned} x_{n+1} =\left( {\alpha (x_n -x_n^2 )+(4-\alpha )\sin (\pi x_n )/4} \right) \bmod 1, \end{aligned}$$
(1)

where \(\alpha \) is the system parameter \(\alpha \in \left[ {0,4} \right] \), and \(x_0 \) is the initial condition. In [37], many experiments were conducted to prove that the logistic-sine map is chaotic. Figure 1 shows the bifurcation diagram of a logistic-sine map with \(\alpha \in \left[ {0,4} \right] \). It is well revealed from the bifurcation diagram that the logistic-sine is purely chaotic. The reason for choosing logistic-sine map is its simplicity compared to some other chaotic systems with assurance of higher level of security.

Note: Iterating the logistic-sine map with \((\alpha ,x_0)\) pair means iterating it with control parameter \(\alpha \) and initial condition \(x_0\).

Fig. 1
figure 1

Bifurcation diagram of the logistic-sine map

Full size image

2.2 The logistic-Chebyshev

The logistic-Chebyshev map (denoted as LCbv) is a chaotic system that uses the logistic and Chebyshev as seed maps. The definition of LCbv can be described by Eq. (2). Figure 2 shows the Hopf bifurcation diagram of the LCbv.

$$\begin{aligned} y_{n+1}= & {} ( \lambda y_n (1-y_n )\nonumber \\&+\,(4-\lambda )\cos (b.\arccos (y_n ))/4 ) \bmod 1 , \end{aligned}$$
(2)

where \(\lambda \) is the system parameter \(\lambda \in \left[ {0,4} \right] \), \(y_0 \) is an initial seed, and \(b\in \) N denotes the degree of the Chebyshev map.

Fig. 2
figure 2

Bifurcation diagram of the logistic-Chebyshev map

Full size image

2.3 The sine-Chebyshev

The sine-Chebyshev map (denoted as SCbv) is a chaotic system that uses the sine and Chebyshev as seed maps. The definition of SCbv can be described by Eq. (3). Figure 3 shows the Hopf bifurcation diagram of the SCbv.

$$\begin{aligned} y_{n+1}= & {} \left( {\lambda \sin (\pi y_n )+(4-\lambda )\cos (b.\arccos (y_n ))/4} \right) \nonumber \\&\bmod 1, \end{aligned}$$
(3)

where \(\lambda \) is the system parameter \(\lambda \in \left[ {0,4} \right] \), \(y_0 \) is an initial seed, and \(b\in \) N denotes the degree of the Chebyshev map.

Fig. 3
figure 3

Bifurcation diagram of the sine-Chebyshev map

Full size image

2.4 2D toral automorphism

The 2D toral automorphism is a function defined as [29]:

$$\begin{aligned} \left( {{\begin{array}{l} {u_{i+1} } \\ {v_{i+1} } \\ \end{array} }} \right)= & {} \left( {{\begin{array}{c@{\quad }c} {b_{11} }&{} {b_{12} } \\ {b_{21} }&{} {b_{22} } \\ \end{array} }} \right) \left( {{\begin{array}{l} {u_i } \\ {v_i } \\ \end{array} }} \right) \bmod (1), \quad \nonumber \\&i=0,1,2,{\ldots } \end{aligned}$$
(4)

If the continuous coordinates \(u_i ,v_i \) in the unit square is replaced by the indices \(x_i ,y_i \) in the discrete lattice of width M, the generalized discretized toral automorphism can be defined as

$$\begin{aligned} \left( {{\begin{array}{l} {x_{i+1} } \\ {y_{i+1} } \\ \end{array} }} \right) =\left( {{\begin{array}{c@{\quad }c} {b_{11} }&{} {b_{12} } \\ {b_{21} }&{} {b_{22} } \\ \end{array} }} \right) \left( {{\begin{array}{l} {x_i } \\ {y_i } \\ \end{array} }} \right) \bmod (M) \end{aligned}$$
(5)

If \(b_{11} =1,b_{22} =1+b_{12} b_{21}\) then the generalized discretized toral automorphism is reduced to the generalized discretized cat map as follows:

$$\begin{aligned} \left( {{\begin{array}{l} {x_{i+1} } \\ {y_{i+1} } \\ \end{array} }} \right) =\left( {{\begin{array}{c@{\quad }c} 1&{} {b_{12} } \\ {b_{21} }&{} {b_{12} b_{21} +1} \\ \end{array} }} \right) \left( {{\begin{array}{l} {x_i } \\ {y_i } \\ \end{array} }} \right) \bmod (M) \end{aligned}$$
(6)

The above chaotic map has a period \(\varGamma \) for the parameters \(b_{12} ,b_{21} \) and M, which mean:

$$\begin{aligned} \left( {{\begin{array}{c@{\quad }c} 1&{} {b_{12} } \\ {b_{21} }&{} {b_{12} b_{21} +1} \\ \end{array} }} \right) ^\mathrm{T}\equiv \left( {{\begin{array}{c@{\quad }c} 1&{} 0 \\ 0&{} 1 \\ \end{array} }} \right) \bmod (M) \end{aligned}$$
(7)

To avoid the weak keys of the above map Eq. (6), the following equation is desirable [30]

$$\begin{aligned} \left( {{\begin{array}{l} {x_{i+1} } \\ {y_{i+1} } \\ \end{array} }} \right) =\left( {{\begin{array}{c@{\quad }c} 1&{} 1 \\ 1&{} 2 \\ \end{array} }} \right) \left( {{\begin{array}{l} {x_i } \\ {y_i } \\ \end{array} }} \right) \bmod (M) \end{aligned}$$
(8)

Where M is the modulo of the map and it is preferable to be square like 64, 128, 256 or 512 in order to have a good performance.

2.5 Gray code

The gray code is an alternative binary representation so that each two successive values differ only in a single bit. This property has been found gainful in security field. The gray code representation of a number c is given by the transformation G defined by Eq. (9):

$$\begin{aligned} G(c)=c\oplus (c>>1), \end{aligned}$$
(9)

where \(\oplus \) is the binary XOR operation, and \(>>\) represents the binary right shift. Let \(\Gamma \) be the bit reversal order function that reverses the order of bits, so the least significant bit becomes the most significant one as shown in Eq. (10):

$$\begin{aligned} \left\{ {\begin{array}{l} \Gamma :\hbox { }\Sigma ^{n}\rightarrow \Sigma ^{n} \\ c_0 c_1 \ldots c_{n-1} \rightarrow \Gamma (c_0 c_1 \ldots c_{n-1} )=c_{n-1} c_{n-2} \ldots c_0 , \\ \end{array}} \right. \end{aligned}$$
(10)

The gray codes corresponding to the first eight nonnegative integers and their bit-reversed order transformations are given in Table 1.

Table 1 The example of four-bit gray code and bit-reversed order transformations
Full size table

3 The proposed substitution box

In this section, we propose a novel method for the construction of S-boxes based on chaotic map. The new method makes full use of the traits of the chaotic logistic-sine map to construct strong S-boxes. Experimental results and performance analyses demonstrate that the proposed method is efficient and has good cipher properties compared to previous methods.

3.1 Review of the recently proposed S-boxes related to the proposed scheme

A short overview of the main chaos-based S-boxes proposed recently is given hereafter. In [1], Jakimoski and Kocarev presented a four-step method to generate S-boxes based on chaotic maps. In another construction method based on a chaotic map [23], Tang et al. proposed an approach for generating S-boxes based on a 2D discretized chaotic map. In [24], Chen et al. improved the scheme proposed in [23] using a three-dimensional Backer map. In [25], Ozkaynak et al. proposed a method for designing an S-box based on chaotic Lorenz system. Another method for designing substitution boxes based on chaotic Lorenz system was introduced in [26]. Hussain et al. presented a projective general linear group-based algorithm for the generation of S-boxes for block ciphers [27]. In [28], Khan et al. proposed another method for the construction of S-boxes to be used in block cipher with multi-chaotic systems. Furthermore, several methods of S-boxes have been proposed very recently as a development of image cryptography field based on chaotic systems [3136].

3.2 The proposed method for generating \(n\times n\) S-box

The proposed approach of S-box construction is described by the following steps:

Step 1 Iterate the logistic-sine map 256 times with \((\lambda _0 ,f_0)\) pair to produce the chaotic sequence A (1 \(\times \) 256).

Step 2 Calculate the sequence P (1 \(\times \) 256) according to Eq. (11).

$$\begin{aligned} P(i)=A(1)-A(i) \quad 1\le i\le 256, \end{aligned}$$
(11)

Step 3 Put in ascending order the elements of \(P(1\times 256)\) to obtain the sequence \(M(1\times 256)\). Then, determine the sequence Q(1 \(\times \) 256), which contains the order of each element of M (1 \(\times \) 256) in P (1 \(\times \) 256).

Step 4 Calculate the code sequence B(1\(\times \)256) and the sequence N (1\(\times \)256) according to Eqs. (12), (13), respectively.

$$\begin{aligned} B(i)= & {} Q(i)-1 \quad 1\le i\le 256, \end{aligned}$$
(12)
$$\begin{aligned} N(i)= & {} A(256)-A(i) \quad 1\le i\le 256, \end{aligned}$$
(13)

Step 5 Put in ascending order the elements of N (1\(\times \)256) and produce the sequence K (1 \(\times \) 256). Then, determine the order of each element of K (1\(\times \)256) in N (1\(\times \)256) in order to obtain the sequence R(1\(\times \)256). After that, calculate the code sequence S(1\(\times \)256) according to Eq. (14).

$$\begin{aligned} S(i)=R(i)-1 \quad 1\le i\le 256 \end{aligned}$$
(14)

Step 6 Permute the elements of B(1\(\times \)256) according to the elements of sequence S(1 \(\times \) 256) and generate the sequence Z(1\(\times \)256). In fact, the first element of B is assigned to element number S (1) in sequence Z, the second element of B is assigned to element number S (2) in sequence Z...the ith element of B is assigned to element number S(i) in sequence Z.

Step 7 Apply the gray code defined in Eq. (9), and the bit reversal order function given by Eq. (10) to each element of sequence Z to obtain a new sequence W(1\(\times \)256).

Step 8 Translate \(W(1\times 256)\) into \(n\times n\) S-box \(\hbox {SB}(16\times 16)\).

In our experiments, \(\lambda _0 =3.6034099541280193\); \(f_0 =0.22784293570604186.\)

The block diagram of the proposed S-box is shown in Fig. 4.

Fig. 4
figure 4

Block diagram of the proposed S-box

Full size image

The generated S-box is presented in Table 2.

Table 2 The S-box generated by the proposed algorithm
Full size table

4 Performance analysis of the proposed S-box

Efficient substitution boxes should satisfy some specific cryptographic criteria, such as bijective, nonlinearity, outputs bit independence, strict avalanche and linear approximation probability [2327]. Here, we give a detailed analysis of the proposed S-box in terms of the aforementioned cryptographic properties. Some chaos-based S-boxes presented in [1, 2326, 28], were chosen to be compared with our S-box.

4.1 Bijective property

An \(n\times n\) S-box is bijective if all its different output values are within the interval \(\left[ {0,2^{n}-1} \right] \) [2428]. Our generated S-box has different output values within the interval \(\left[ {0,255} \right] \). Therefore, it accept the bijective criterion.

4.2 Nonlinearity criterion

The nonlinearity of a Boolean function h(x) can be represented by the Walsh spectrum (WS)

$$\begin{aligned} N_h =2^{n-1}\left( {1-2^{-n}\mathop {\max }\limits _{\chi \in GF(2^{n})} \left| {S_{\prec h\succ } (\chi )} \right| } \right) \end{aligned}$$
(15)

The WS of h(x) is defined as:

$$\begin{aligned} S_{<h>} (\chi )=\sum _{x\in GF(2^{n})} {(-1)^{h(x)\oplus x.\chi }} \end{aligned}$$
(16)

where \(\chi \in GF(2^{n})\) and \(x.\chi \) means the dot product of x and \(\chi \), which is given by:

$$\begin{aligned} x.\chi =x_1 \oplus \chi _1 +\cdots +x_n \oplus \chi _n. \end{aligned}$$

The nonlinearities of the generated S-box and S-boxes studied in [1, 2326, 28] are shown in Table 3. It is observed that the mean value obtained from the suggested method is better than those of the other S-boxes.

Table 3 Nonlinearity of the proposed S-box in comparison with other S-boxes
Full size table

4.3 Strict avalanche criterion

The strict avalanche criterion (SAC), firstly published by Webster and Tavares [38], indicate that when a single input bit is complemented, all of the output bits change with a probability of a half.

The S-box satisfies the SAC, if each value of the dependence matrix [38] is approximately equal to 0.5. Table 4 gives the values of the dependence matrix for the generated S-box. From Table 4, we can see the average value is 0.4956 \(\approx \) 0.5. The comparison of SAC of different S-boxes is displayed in Table 5. The results given in Tables 4 and 5 demonstrate the efficiency of the proposed S-box.

Table 4 The SAC values of the generated S-box
Full size table
Table 5 SAC of the proposed S-box in comparison with other S-boxes
Full size table

4.4 Statistical curve analysis of the proposed S-box

In this subsection, we mainly discuss the curve fitting of our proposed S-box. We drew the Chi-square and binomial distribution (Fig. 5a and b, respectively) of our suggested nonlinear component for the block cipher. Both these curves show symmetrical shapes, with respect to average values which clearly reflect the non-repeating and uniqueness of each values in the S-box design. The analyses of this S-box have not been devised in the literature so far.

Fig. 5
figure 5

a, b Chi-square and Binomial distributions for the proposed S-box

Full size image

4.5 Output bits independence criterion (BIC)

BIC means that all the avalanche variables must be pair-wise independent for a given set of avalanche vectors by complementing a single bit [38]. The correlation coefficient between the couples is applied to measure the degree of independence between the avalanche variable couples.

Suppose the Boolean functions in the proposed S-box were \(h_1 ,h_2 ,\ldots ,h_n \), it is denoted in [38] that if the S-box achieves BIC, \(h_j \oplus h_k (j\ne k,\hbox { }1\le j,k\le n)\) should be highly nonlinear and fulfill the avalanche criterion. Thus, we can calculate the SAC and the nonlinearity of \(h_j \oplus h_k \hbox { (}j\ne k)\) to check the BIC of an S-box.

Tables 6 and 7 give the results of BIC-nonlinearity and BIC-SAC criteria for the proposed S-box, respectively. As can be seen from Table 6, the maximum value is 108, the average is 103.8 and the minimum is 100. Table 7 gives the results of BIC-SAC criterion for the proposed scheme. The mean value of this criterion is 0.4996. In addition, Table 8 gives the results of comparing BIC-SAC and BIC-nonlinearity. From this Table, we observe that the values of BIC-SAC of the presented S-box are more advantageous than those of the other S-boxes, while the proposed S-box and the S-boxes studied in [1, 2326] have better BIC-nonlinearity property compared with that proposed in [28].

Table 6 BIC-nonlinearity results for the proposed S-box
Full size table
Table 7 BIC-SAC results for the proposed S-box
Full size table
Table 8 BIC of the proposed S-box compared to previous S-boxes
Full size table

4.6 The equiprobable input/output XOR distribution

Biham and Shamir presented the idea behind the equiprobable input/output XOR distribution using imbalances in the input/output XOR distribution table [39]. Mathematically, the equiprobable input/output XOR distribution or differential approximation probability (DP) of a given S-box is estimated by calculating the differential uniformity as follows:

$$\begin{aligned}&\hbox {DP}_h (\Delta d\rightarrow \Delta x)\nonumber \\&\quad =\left( {\frac{\# \left\{ {d\in D|h(d)\oplus h(d\oplus \Delta d)=\Delta x} \right\} }{2^{n}}} \right) \end{aligned}$$
(17)

where D represents the set of all possible input values, and \(2^{n}\) is the number of its elements.

Tables 9 and 10 give the differential approach table and its DP for the proposed S-box. As can be seen from these tables, the DP of the proposed S-box is 0.039062, which proves its efficiency against differential attacks. Table 10 shows the DPs of previous S-boxes. To conclude, the introduced S-box has a higher performance than competitive S-boxes.

Table 9 Results of DP for the generated S-box
Full size table
Table 10 DP for different S-boxes
Full size table

4.7 Linear approximation probability

The linear approximation probability (LP) is the maximum value of the imbalance of an event. The parity of the input bits selected by mask a is equal to the parity of the output bits selected by mask b. According to Matsui’s original definition [22], linear approximation probability is defined by:

$$\begin{aligned} \hbox {LP}=\mathop {\max }\limits _{u,v\ne 0} \left| {\frac{\# \left\{ {d\in D|d\cdot u=h(d)\cdot v} \right\} }{2^{n}}-\frac{1}{2}} \right| \end{aligned}$$
(18)

where u and v are the input and output masks. D is defined as the set of all possible inputs and \(2^{n}\) is the number of its elements. The linear approximation probability of the presented S-box and previous S-boxes [1, 2326, 28] are recorded in Table 11. From this table, we can conclude that the S-box generated by the proposed method has better LP performance than the other S-boxes.

Table 11 LP for the proposed S-box in comparison with other S-boxes
Full size table

5 The proposed image encryption algorithm

5.1 Encryption scheme

In this section, we present the proposed encryption scheme. This cryptosystem is intended to color images and it contains three rounds; we firstly split the RGB image into R, G and B components and we set \(cmpt=1\). Secondly, we permute the R, G and B components by the cat map function and we get three shuffled matrixes. In order to guarantee the nonlinearity of the proposed scheme, we substituted each shuffled matrix by the proposed S-box. Then, we got three substituted matrixes. Thirdly, to scramble the pixels of the different components, we carried out bitwise XOR operation between each substituted matrix and three random matrixes generated by logistic-Chebyshev map, then we obtained three scrambled matrixes. Fourthly, we permute each scrambled component using three chaotic matrixes obtained by iterating sine-Chebychev map. So, we got the results of the first round. Moreover, we updated the parameters of the logistic-Chebyshev and the sine-Chebyshev maps, and we set \(cmpt=cmpt+1\). After that, we repeated all these operations in a loop until \(cmpt\le 3\). Finally, if \(cmpt=4\), we combined the R, G, B components and we get the encrypted image. The block diagram of the cryptosystem is presented in Fig. 6.

Fig. 6
figure 6

Block diagram of the proposed encryption approach

Full size image

The whole encryption process consists of the following operation steps.

Step 1 Input 24-bit color image P(MM, 3), where \(M\times M\) are the image dimensionalities of rows and columns, respectively and set \(cmpt=1\).

Step 2 Split the RGB image into R, G and B components.

Step 3 Block division and permutation

Decompose the matrixes of R, G and B to blocks of size \((m\times m)\). The number of blocks is \(\frac{M\times M}{m\times m}\). The results of this decomposition were the matrixes \(R_d ,G_d\) and \(B_d\) each created by these blocks with size \(\left( {\frac{M}{m},\frac{M}{m}} \right) \). Next, permute each matrix \(R_d ,G_d\) and \(B_d\) by the use of cat map function (Eq. 6) and get three permuted matrixes \(R_p ,G_p\) and \(B_p\). The permutation procedure is given by

$$\begin{aligned} \left[ {\begin{array}{l} {x}' \\ {y}' \\ \end{array}} \right] =\left( {{\begin{array}{c@{\quad }c} 1&{} {b_{12} } \\ {b_{21} }&{} {b_{12} b_{21} +1} \\ \end{array} }} \right) ^{k}\left[ {\begin{array}{l} x \\ y \\ \end{array}} \right] \bmod \frac{M}{m} \end{aligned}$$
(19)

where, \(x,y=1,\ldots ,\frac{M}{m}\). The (xy), \(({x}',{y}')\) pairs represent the coordinates of the block in each decomposed component and in each permuted component, respectively.

Step 4 Substitution phase

To ensure that the proposed encryption scheme is secure against known-/chosen-plaintext attacks, a substitution operation is necessary. Hence, we generated three S-boxes, denoted by \(\hbox {SB}_r^i \), \(\hbox {SB}_g^i \) and \(\hbox {SB}_b^i\), using the method described in Sect. 3, with \((\lambda _r^i ,f_r^i )\), \((\lambda _g^i ,f_g^i )\) and \((\lambda _b^i ,f_b^i )\) pairs, respectively. Then, we substituted the matrixes \(R_p ,G_p\) and \(B_p\) by \(\hbox {SB}_r^i\), \(\hbox {SB}_g^i \) and \(\hbox {SB}_b^i \), respectively, to obtain three substituted matrixes \(R_s ,G_s \) and \(B_s\).

The parameters \(\left\{ {\lambda _r^i ,f_r^i ,\lambda _g^i ,f_g^i ,\lambda _b^i ,f_b^i } \right\} _{i=1,\ldots ,N_r } =\left( {\lambda _j^i ,f_j^i } \right) _{i=1,\ldots ,N_r }^{j=r,g,b}\) are given as follows:

$$\begin{aligned} \lambda _r^i= & {} 0.5\times \lambda _r^{i-1} \\&+\,{\bmod \left( {\sum _{i=1}^M {\sum _{j=1}^M {R_p (i,j),256)} } } \right) }/{256}\times 0.5\\ f_r^i= & {} 0.5\times f_r^{i-1}\\&+\,{\bmod \left( {\sum _{i=1}^M {\sum _{j=1}^M {R_p (i,j),256)} } } \right) }/{256}\times 0.5\\ \lambda _g^i= & {} 0.5\times \lambda _g^{i-1}\\&+\,{\bmod \left( {\sum _{i=1}^M {\sum _{j=1}^M {G_p (i,j),256)} } } \right) }/{256}\times 0.5\\ f_g^i= & {} 0.5\times f_g^{i-1}\\&+\,{\bmod \left( {\sum _{i=1}^M {\sum _{j=1}^M {G_p (i,j),256)} } } \right) }/{256}\times 0.5\\ \lambda _b^i= & {} 0.5\times \lambda _b^{i-1}\\&+\,{\bmod \left( {\sum _{i=1}^M {\sum _{j=1}^M {B_p (i,j),256)} } } \right) }/{256}\times 0.5\\ f_b^i= & {} 0.5\times f_b^{i-1}\\&+\,{\bmod \left( {\sum _{i=1}^M {\sum _{j=1}^M {B_p (i,j),256)} } } \right) }/{256}\times 0.5 \end{aligned}$$

where, \(i=1,\ldots ,N_r \), \(N_r \) is the number of the encryption scheme iteration.

Here, \(\lambda _r^0 =\lambda _g^0 =\lambda _b^0 =\lambda _0 \) and \(f_r^0 =f_g^0 =f_b^0 =f_0 \).

Step 5 Scrambling phase

Generate three chaotic matrixes \(x_n ,y_n\) and \(z_n\) with size \((M\times M)\) using the logistic-Chebyshev map (Eq. 2) in the condition of initial values are \(x_0 ,y_0\) and \(z_0\), and the system parameters are \(\mu _0 ,\mu _1\) and \(\mu _2\). Then, map each chaotic matrix from \(\left[ {0,1} \right] \) to \(\left\{ {0,1,2,\ldots ,255} \right\} \) using the following equations:

$$\begin{aligned} x_n^b= & {} \bmod \left( {x_n 10^{16},256} \right) \end{aligned}$$
(20)
$$\begin{aligned} y_n^b= & {} \bmod \left( {y_n 10^{16},256} \right) \end{aligned}$$
(21)
$$\begin{aligned} z_n^b= & {} \bmod \left( {z_n 10^{16},256} \right) \end{aligned}$$
(22)

Then, calculate the scrambled components according to the following formulas:

$$\begin{aligned} R_{scr}= & {} bitxor(R_s ,x_n^b ) \end{aligned}$$
(23)
$$\begin{aligned} G_{scr}= & {} bitxor(G_s ,y_n^b ) \end{aligned}$$
(24)
$$\begin{aligned} B_{scr}= & {} bitxor(B_s ,z_n^b ) \end{aligned}$$
(25)

Step 6 Block division and permutation

Decompose the matrixes \(R_{scr} ,G_{scr}\) and \(B_{scr}\) to blocks of size \((n\times n)\). The number of blocks is then \(r=\frac{M\times M}{n\times n}\) and get three matrixes \(R_{dd} ,G_{dd}\) and \(B_{dd} \) each created by these blocks with size \(\left( {\frac{M}{n},\frac{M}{n}} \right) \). Then, permute each matrix \(R_{dd} ,G_{dd}\) and \(B_{dd}\) by sequences \(J_1 ,J_2\) and \(J_3 \), respectively to get three permuted matrixes \(R_{pp} ,G_{pp} \) and \(B_{pp}\). The sequences \(J_1 ,J_2\) and \(J_3\) are obtained as follows:

Iterate the sine-Chebyshev map (Eq. 3) with the initial conditions \(g_0 ,g_1 \), \(g_2\) and the control parameters \(\alpha _0 ,\alpha _1\) and \(\alpha _2\). Therefore, get three chaotic sequences \(I_1 ,I_2\) and \(I_3\) which will be mapped to \(\left\{ {1,2,\ldots ,r} \right\} \) range to obtain three new sequences \(J_1 ,J_2\) and \(J_3 \).

Step 7 Set \(cmpt=cmpt+1\). If \(cmpt\le 3\) update the values of \(x_0 \), \(y_0 \), \(z_0 \), \(g_0 \), \(g_1 \) and \(g_2\) according to Eqs. (26)–(31):

$$\begin{aligned} x_0= & {} 0.1\times x_0\nonumber \\&+\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {R_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(26)
$$\begin{aligned} y_0= & {} 0.1\times y_0 \nonumber \\&+\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {G_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(27)
$$\begin{aligned} z_0= & {} 0.1\times z_0 \nonumber \\&+\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {B_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(28)
$$\begin{aligned} g_0= & {} 0.1\times g_0\nonumber \\&+\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {R_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(29)
$$\begin{aligned} g_1= & {} 0.1\times g_1\nonumber \\&+\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {G_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(30)
$$\begin{aligned} g_2= & {} 0.1\times g_2\nonumber \\&+\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {B_{pp} (i,j)^{2},256)} } }{256}\times 0.9\nonumber \\ \end{aligned}$$
(31)

Then, repeat steps (3)–(6).

Else if \(cmpt>3\) recover the RGB image C and this is the encrypted color image.

The original images and their encrypted images with the proposed cryptosystem are shown in Fig. 7.

Fig. 7
figure 7

ac Plain images and their encrypted images df, respectively

Full size image

5.2 Decryption process

The decryption process, illustrated in Fig. 8, consists of the following steps:

Fig. 8
figure 8

Block diagram of the proposed decryption process

Full size image

Note: Set \(cmpt=1\) and use the last values of \(x_0 \), \(y_0 \), \(z_0 \), \(g_0 \), \(g_1 \) and \(g_2\) obtained from the encryption process.

Step 1 Split the encrypted color image C into red, green, and blue channels denoted by \(R_c\), \(G_c\) and \(B_c\), respectively.

Step 2 Decompose the matrixes \(R_c\), \(G_c\) and \(B_c\) to blocks of size \((n\times n)\). Then, obtain three new matrixes \({R}'_d \), \({G}'_d \) and \({B}'_d \) each created by these blocks with size \(\left( {\frac{M}{n},\frac{M}{n}} \right) \). Therefore, permute each matrix \({R}'_d \), \({G}'_d \) and \({B}'_d \) by sequences \(J_1^{-1} ,J_2^{-1} \) and \(J_3^{-1} \), respectively. Then, get three permuted matrixes \({R}'_p \), \({G}'_p \) and \({B}'_p \). The sequence \(J_1^{-1} ,J_2^{-1}\) and \(J_3^{-1}\) are the inverse sequences of \(J_1 ,J_2\) and \(J_3\) obtained in Step 6 of the encryption process.

Step 3 Make bitwise XOR operation between the matrixes \(x{ }_n^b ,y_n^b ,z_n^b \) and the permuted matrixes \({R}'_p ,{G}'_p,{B}'_p \), respectively.

$$\begin{aligned} {R}'_{scr}= & {} bitxor({R}'_p ,x_n^b ), \end{aligned}$$
(32)
$$\begin{aligned} {G}'_{scr}= & {} bitxor({G}'_p ,y_n^b ), \end{aligned}$$
(33)
$$\begin{aligned} {B}'_{scr}= & {} bitxor({B}'_p ,z_n^b ). \end{aligned}$$
(34)

Here, the matrixes \(x_n^b ,y_n^b ,z_n^b \) are the three chaotic matrixes generated as in Step 5 of encryption process.

Step 4 Substitute \({R}'_{scr} ,{G}'_{scr} \hbox { and }{B}'_{scr} \) with the inverse S-boxes of \(\hbox {SB}_r^i\), \(\hbox {SB}_g^i \) and \(\hbox {SB}_b^i \) (Here, \(i=N_r ,\ldots ,1)\), respectively. The outputs of this step are the matrixes \({R}'_s \), \({G}'_s \) and \({B}'_s \).

Step 5 Decompose the matrixes \({R}'_s \), \({G}'_s \) and \({B}'_s \) to blocks of size \((m\times m)\). Then, obtain three new matrixes \({R}'_{dd} \), \({G}'_{dd} \) and \({B}'_{dd} \) each formed by these blocks with size \(\left( {\frac{M}{m},\frac{M}{m}} \right) \). Therefore, permute the matrixes \({R}'_{dd} \), \({G}'_{dd} \) and \({B}'_{dd}\) by the inverse cat map. Then, get three permuted matrixes \({R}'_{pp} \), \({G}'_{pp} \) and \({B}'_{pp} \). The permutation was carried out as follows:

$$\begin{aligned} \left[ {\begin{array}{l} {i}' \\ {j}' \\ \end{array}} \right] =\left( {{\begin{array}{c@{\quad }c} 1&{} {b_{12} } \\ {b_{21} }&{} {b_{12} b_{21} +1} \\ \end{array} }} \right) ^{T-k}\left[ {\begin{array}{l} i \\ j \\ \end{array}} \right] \bmod \frac{M}{m} \end{aligned}$$
(35)

where (ij) pair is the block coordinates of the matrixes \({R}'_{dd} \) and \({G}'_{dd}\), \({B}'_{dd}\) and \(({i}',{j}')\) is the block coordinates of the permuted matrixes \({R}'_{pp} \), \({G}'_{pp} \) and \({B}'_{pp}\).

Step 6 Set \(cmpt=cmpt+1\) and update the values of \(x_0 \), \(y_0 \), \(z_0 \), \(g_0 \), \(g_1 \) and \(g_2\) as in Eqs. (36)–(41):

$$\begin{aligned} x_0= & {} \frac{x_0 }{0.1}-\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {{R}'_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(36)
$$\begin{aligned} y_0= & {} \frac{y_0 }{0.1}{-}\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {{G}'_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(37)
$$\begin{aligned} z_0= & {} \frac{z_0 }{0.1}-\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {{B}'_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(38)
$$\begin{aligned} g_0= & {} \frac{g_0 }{0.1}-\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {{R}'_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(39)
$$\begin{aligned} g_1= & {} \frac{g_1 }{0.1}{-}\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {{G}'_{pp} (i,j)^{2},256)} } }{256}\times 0.9 \nonumber \\\end{aligned}$$
(40)
$$\begin{aligned} g_2= & {} \frac{g_2 }{0.1}-\frac{\bmod (\sum _{i=1}^M {\sum _{j=1}^M {{B}'_{pp} (i,j)^{2},256)} } }{256}\times 0.9\nonumber \\ \end{aligned}$$
(41)

Step 7 Repeat Steps (2-6) twice and get the decrypted channels \(R_{decrypt}\), \(G_{decrypt} \) and \(B_{decrypt} \). Then, recover the RGB decrypted image D.

5.3 Security and performance analysis

Simulation results of the proposed scheme were performed using an Intel Core i3-3227U 1.9 CPU with 4 GB RAM running on Windows 7 and Matlab 7.9. The 256 \(\times \) 256 true color JPEG images of ‘Lena’, ‘Baboon’ and ‘Peppers’ (Fig. 4a–c, respectively) are used as plain images. The initial conditions \((x_0 ,y_0 ,z_0 ,g_0 ,g_1 ,g_2 )\) were fixed at (0.99997, 0.99998, 0.99978, 0.12346, 0.11252, 0.17982) and the control parameters \((\mu _0 ,\mu _1 ,\mu _2 ,\alpha _0 ,\alpha _1 ,\alpha _2 )\) were chosen as (3.99978, 3.99978, 3.99978, 3.99799, 3.99999, 3.99999). The integers m and n were chosen as 4 and 8, respectively. The parameters of cat map were \(b_{12} =1\), \(b_{21} =1\) and \(k=90\).

5.3.1 Key space analysis

The key space is the total number of different keys that can be used in the encryption procedure. An effective encryption scheme should present a large key space to make the brute-force attacks impossible. In the proposed cryptosystem, the key space included:

  1. 1.

    The initial conditions \(f_0 ,x_0 ,y_0 \), \(z_0 \), \(g_0 ,g_1 \)and \(g_2 \).

  2. 2.

    The control parameters \(\lambda _0 ,\mu _0 ,\mu _1 \),\(\mu _2 \alpha _0 ,\alpha _1 \) and \(\alpha _2 \).

  3. 3.

    The parameters of cat map \(b_{12} \),\(b_{21} \) and k.

  4. 4.

    The integers m and n.

where \(f_0 ,x_0 ,y_0 \), \(z_0 \), \(g_0 ,g_1 \), \(g_2\in \left[ {0,1} \right] \lambda _0 ,\mu _0 ,\mu _1 \), \(\mu _2\), \(\alpha _0,\alpha _1\), \(\alpha _2\in \left[ {0,4} \right] \). The integers m and n were selected as follows: \((M\times M)\bmod (m\times m)\equiv 0\) and \((M\times M)\bmod (n\times n)\equiv 0\).

Assume that the initial conditions and the control parameters are double-precision numbers. If the computational precision of the double-precision numbers is \(10^{-16}\), the total number of different values \(f_0\) which can be used as secret keys is more than \(10^{16}\), so are the numbers of \(x_0 ,y_0 \), \(z_0 \), \(\lambda _0 ,\mu _0 ,\mu _1 \), \(\mu _2 \), \(g_0 ,g_1 \), \(g_2 \), \(\alpha _0 ,\alpha _1\) and \(\alpha _2 \). Also, assume that the number of possible triplets \((b_{12} ,b_{21} ,k)\) is K and the number of possible values of m and n is L.

Therefore, the key space of the proposed image encryption scheme is:

$$\begin{aligned}&KS( f_0 ,x_0 ,y_0 ,z_0 ,\lambda _0 ,\mu _0 ,\mu _1 ,\mu _2 ,g_0 ,g_1 ,g_2 ,\alpha _0 ,\\&\quad \alpha _1 ,\alpha _2 ,b_{12} ,b_{21} ,k,m,n )>K\times L\times 10^{224} \end{aligned}$$

Accordingly, the key space of the encryption algorithm is adequate to resist all kinds of brute-force attacks.

5.3.2 Key sensitivity analysis

A good encipherment scheme should be sensitive to any bit flipping in the secret key to ensure security against brute-force attacks. Avalanche effect is used to test the sensitivity with respect to a slight change in the key. Experimental results are reported in Table 12. As can be seen from this table, the avalanche effects for all encrypted images with the proposed algorithm are very close to 50 % and are better than those of algorithms studied in [40, 41]. The results prove a high key sensitivity performance of the proposed scheme with a tiny change in the key (s).

Table 12 Avalanche effect for different algorithms
Full size table

5.3.3 Histogram analysis

To examine the resistance of the suggested scheme against statistical attacks, we analyzed the histograms of different color cipher images. Figure 9 shows the histograms of the plain image of ‘Lena’ for red, green and blue channels, whereas their corresponding histograms of the encrypted image of ‘Lena’ are shown in Fig. 10. The histograms of the cipher images have an approximately uniform distribution and show a significant difference from those of the original images. Thus, the statistical attack is hard to apply on the proposed cryptosystem.

Fig. 9
figure 9

Histograms of original images of ‘Lena’ a Red, b Green and c Blue

Full size image
Fig. 10
figure 10

Histograms of ciphered images of ‘Lena’ a Red, b Green and c Blue

Full size image

5.3.4 Correlation analysis

A robust encryption scheme should produce cipher image with low correlation between adjacent pixels [8, 9]. The visual testing of the correlation of adjacent pixels can be conducted by plotting the distribution of the adjacent pixels in the plain image and its corresponding cipher image. The correlation coefficient between two adjacent pixels in an image is determined as:

$$\begin{aligned} r_{\alpha \beta } =\frac{cov(\alpha ,\beta )}{\sqrt{\psi (\alpha )}\sqrt{\psi (\beta )}}, \end{aligned}$$
(42)

where,

$$\begin{aligned}&\psi (\alpha )=\frac{1}{N}\sum _{i=1}^N {\left[ {\alpha _i -E(\alpha )} \right] ^{2},} \end{aligned}$$
(43)
$$\begin{aligned}&cov(\alpha ,\beta )=\frac{1}{N}\sum _{i=1}^N {\left[ {\alpha _i -E(\alpha )} \right] } \left[ {\beta _i -E(\beta )} \right] , \end{aligned}$$
(44)

where \(\alpha _i\) and \(\beta _i\) denote two adjacent pixels (either vertical, horizontal or diagonal), N is the total number of duplets \((\alpha _i ,\beta _i)\) obtained from the image; \(E(\alpha )\) and \(E(\beta )\) are the mean values of \(\alpha _i\) and \(\beta _i\), respectively. Table 13 shows the correlations of two adjacent pixels in the plain images mentioned above and their encrypted images. Moreover, Figs. 1112, and 13 show the correlation of adjacent pixels in the three directions of the original and ciphered images, respectively.

Fig. 11
figure 11

Distributions of two horizontally adjacent pixels in plain and encrypted images of ‘Lena’: a R-plain image, b G-plain image, c B-plain image, d R-encrypted image, e G-encrypted image and f B-encrypted image

Full size image
Fig. 12
figure 12

Distributions of two vertically adjacent pixels in plain and encrypted images of ‘Lena’: a R-plain image, b G-plain image, c B-plain image, d R-encrypted image, e G-encrypted image and f B-encrypted image

Full size image
Fig. 13
figure 13

Distributions of two diagonally adjacent pixels in plain and encrypted images of ‘Lena’: a R-plain image, b G-plain image, c B-plain image, d R-encrypted image, e G-encrypted image and f B-encrypted image

Full size image
Table 13 Correlation coefficients of two adjacent pixels in plain images and encrypted images
Full size table

The strong correlations between adjacent pixels in plain images are greatly reduced in the encrypted images generated by the proposed encryption scheme (Table 13). Therefore, the proposed cryptosystem generates de-correlated adjacent pixels in the cipher image and thus satisfies the confusion and diffusion properties.

5.3.5 Sensitivity analysis

To measure the influence of one pixel change on the encrypted image quantitatively, two most common criteria, namely number of pixel change rate (NPCR) and unified average changing intensity (UACI) are used [4, 29]. Let I(ij) and J(ij) be the (ij)th pixel of two images I and J, respectively. NPCR is defined as:

$$\begin{aligned} \hbox {NPCR}_{R,G,B} =\frac{\sum \limits _{i;j} {D(i,j)} }{L}\times 100\,\% , \end{aligned}$$
(45)

where L is the total pixels in an image and D(ij) is described as

$$\begin{aligned} D(i,j)=\left\{ {{\begin{array}{l} {0\quad \hbox {if}\;I(i,j)=J(i,j),} \\ {1\quad \hbox {if}\;I(i,j)\ne J(i,j).} \\ \end{array} }} \right. \end{aligned}$$
(46)

While, UACI, is defined as:

$$\begin{aligned} \hbox {UACI}_{R,G,B} =\frac{1}{L}\sum _{i,j} {\frac{\left| {I(i,j)-J(i,j)} \right| }{2^{N}-1}} \times 100\,\% , \end{aligned}$$
(47)

where N is the number of bits used to represent the pixel value. The expected values of NPCR and UACI for an efficient cryptosystem scheme are defined by:

$$\begin{aligned}&\hbox {NPCR}_{R,G,B} (Expected)\nonumber \\&\quad =\left( {1-\frac{1}{2^{n_{R,G,B} }}} \right) \times 100\,\% , \end{aligned}$$
(48)
$$\begin{aligned}&\hbox {UACI}_{R,G,B} (Expected)\nonumber \\&\quad =\frac{1}{2^{2n_{R,G,B} }}\left( {\frac{\sum _{p=1}^{2^{n_{R,G,B} }-1} {p(p+1)} }{2^{n_{R,G,B} }-1}} \right) \times 100\,\%,\nonumber \\ \end{aligned}$$
(49)

where, \(2^{n_{R,G,B} }\) means the number of bits in one pixel of color channels(R, G and B) in a color image. The expected values of NPCR and UACI in a 24-bit true color image are 99.6094 and 33.4635 %, respectively.

A large number of plain images are evaluated using two measurements, i.e., NPCR and UACI, in order to test the influence of pixels change in the plain image on the cipher image. The results of NPCR and UACI of each component (red, green and blue) of ‘Lena’, ‘Baboon’ and ‘Peppers’ images for different algorithms are shown in Table 14. The proposed encryption scheme has little better NPCR and UACI performances compared to the other algorithms. Thus, the proposed cipher demonstrates resistance against differential attacks.

Table 14 The NPCR and UACI of encrypted images by changing their plain images one bit
Full size table

5.3.6 Information entropy analysis

Information entropy is a statistical measure of randomness. The formula to calculate information entropy can be found in [13]. The entropies of the ciphered images were measured to evaluate their uncertainties. For a random source emitting 256 symbols, the entropy is 8 bits and is obtained only if all symbols have the same probability. Consequently, the best entropy value (approximately 8) indicates the efficiency of the proposed encryption scheme. The entropies of the Red, Green and Blue channels of each encrypted image, using the proposed method, are very close to 8 (Table 15) and are better than those of the schemes used in [40, 41]. It is clear that the randomness is satisfactory and the probability of accidental information leakage is very little.

Table 15 Entropy results for encrypted images
Full size table

5.3.7 Encryption speed and computation complexity

5.3.7.1. Encryption speed

The speed of an algorithm can be characterized by measuring the time required for the encryption process. We measured this parameter for the proposed algorithm and for the ones already available in the literature (Table 16). The average time required to encrypt the data using the proposed scheme was 166 kb/s; however, using the algorithms in [40, 41] the encryption took 214 and 125 kb/s, respectively. The result of our proposed algorithm is quite promising, compared to the already existing algorithms. Therefore, it is suitable for real time applications.

Table 16 Encryption speeds (kb/s)
Full size table

5.3.7.2. Computation complexity

The multifaceted calculation of a cipher scheme is measuring the span of an occasion (the quantity of operations and steps required to fulfill the encryption/unscrambling process)—ignoring a few subtle elements, for example, the working framework, the programming dialect, the equipment the calculation keeps running on, and the programming aptitude [42]. Formally, the computational complexity of the proposed encryption plan can be computed as in Table 17. In this way, the most pessimistic scenario execution of the proposed encryption plan was O(n), which is adequate for constant applications.

Table 17 Computation complexity of the proposed algorithm
Full size table

where n is the number of pixels.

5.3.8 NIST SP 800-22 tests for the cipher

In order to test the cipher randomness, NIST SP 800-22 [43] tests are used. The role of these tests is to analyze the randomness of (arbitrary sequence) binary sequences produced by encryption systems. The NIST Tests consists of 16 tests which are used to detect any non-randomness that exists in a sequence. In this sense, the 16 tests were carried out for 150 sequences of ciphers with a length equal to 10\(^{6}\) bits. The ciphered data were a colored image of size \(256\times 256\).

The proposed algorithm went through all NIST SP 800-22 tests successfully (Table 18). Consequently, the ciphers generated by the proposed encryption scheme are absolutely stochastic.

Table 18 SP800-22 tests suite for cipher image
Full size table

5.3.9 Resistance to known-plaintext and chosen-plaintext attacks

The initial values of the logistic-sine, logistic-Chebyshev and sine-Chebyshev maps of the proposed algorithm are exchanged according to the cipher values after each round. Their state values depend on the plain image. Since the parameters of diffusion and permutation, which are the important part of the keystream, i.e., \(\left( {\hbox {SB}_r^i,\hbox {SB}_g^i,\hbox {SB}_b^i } \right) ^{_{i=1,\ldots ,N_r}},x_n^b ,y_n^b,z_n^b ,J_1 ,J_2\) and \(J_3\) are correlated to the state values of these maps, different images will have different \(( {SB_r^i ,SB_g^i,SB_b^i } )^{_{i=1,\ldots ,N_r } }\), \(x_n^b ,y_n^b,z_n^b ,J_1 ,J_2\) and \(J_3\). Therefore, the attacker cannot decrypt a particular cipher image using the parameters obtained from other images. As a result, the proposed algorithm can resist the known-plaintext and chosen-plaintext attacks properly [5052].

6 Security and performance analysis of S-box-only chaotic image ciphers

6.1 Statistical analysis

The factual investigations give insight into the working of any cryptographic framework. So as to assess the execution of the proposed S-box, we conducted correlation analysis, entropy analysis, contrast analysis, homogeneity test and energy analysis. The aftereffects of correlation examination demonstrate the degree of likeness between the plain and encrypted information. In the event that there are any hints of correlation, there is a probability that cryptanalysis can decode the original information or might have the capacity to incompletely translate data. In the entropy examination, we measured irregularity presented in the plaintext. This measure is likewise valuable in picture encryption application where the visual type information may give extra data about the original information. The contrast analysis gives a review of the measure of dissemination presented in the plain image. This measure is particularly helpful in image encryption applications. A closeness of circulation among various arrangements of components is additionally seen to decide the homogeneity in the scrambled information. This measure decides the resistance to maintain a strategic distance from the cryptanalysis of the fundamental factual assaults. At long last, we carried out the energy analysis to decide the dispersion of energy before and after the encryption procedure. Despite these tests, the correlation of the whole picture was additionally assessed. We examined with interest the execution and investigation of the tests used to benchmark the execution of the proposed S-box. Experimental results of these analyses are reported in Tables 192021.

Table 19 Second-order texture analyses for the proposed cryptosystem with one round of Lena image of size 256*256
Full size table
Table 20 Second-order texture analyses for the proposed cryptosystem with one round of Baboon image of size 256*256
Full size table
Table 21 Second-order texture analyses for the proposed cryptosystem with one round of Pepper image of size 256*256
Full size table

Because of haphazardness, the estimations of contrast and entropy expand. This makes the encrypted picture hard to identify. The homogeneity, correlation and energy qualities are likewise distinctive in unique and encrypted pictures. The shaded parts of unique and scrambled pictures clarify the quality of disarray in relating layers as well. These qualities can be further improved by including some dispersion attributes in the proposed algorithm, however our principle is just to manage nonlinear component of block cipher, specifically the impacts of composition elements taking into account S-boxes. Expanding the estimations of contrast in encrypted pictures when contrasted with the original image is the impression of quality in outlined algorithm. It can be considered as a straight reliance of gray levels of neighboring pixels. In the event that the neighboring pixels are fundamentally the same as in their dark level values then the difference in the picture is low. If there should arise an occurrence of composition, the dark level variations demonstrate the variation of the surface itself. High contrast qualities are normal for heavy textures and low for smooth delicate surfaces. In the event of encrypted pictures the estimations of contrast increment however they decrease for the plain pictures.

The values of the original images homogeneity are high as their pixels concentrate along the corner to corner, implying that there are many pixels with the same or fundamentally the same gray level quality. The bigger the adjustments in gray qualities are, the lower the homogeneity is, which makes the contrast higher. The experimental results of our algorithm which depends on S-boxes show that there is a huge variation which plainly makes the homogeneity not equivalent to 1 that is just for pictures having no variations after encryption. Accordingly, high homogeneity alludes to surfaces that contain perfect redundant structures, while low homogeneity alludes to enormous variety in both, texture elements and their spatial arrangements as portrayed from the classified qualities introduced in Tables 192021 individually. A totally arbitrary dispersion would have high entropy.

This component can be helpful in indicating whether the entropy is greater for scrambled pictures. This gives us an idea of which kind of algorithm can be factually considered more secure. The estimation of randomness would increment as we applied our recommended algorithm to plain pictures that produce encrypted pictures with high entropy estimations. Energy is a measure of local homogeneity and therefore it portrays the conflict of entropy. Mainly this component will inform us of how undeviating the surface is. The more propelled the energy estimation, the greater the homogeneity of the composition. Correlation is a measure of gray level straight reliance between the pixels at the predetermined positions in respect to each other. The estimation of the relationship reduces if there should be an occurrence of scrambled pictures and is close to 1 if there should be an occurrence of plain pictures. All these factual estimations guarantee the confirmation of our proposed criteria of building S-boxes and its appropriateness in picture encryption applications.

6.2 Differential attack analysis

In this section, we performed several tests to prove the effectiveness of the proposed S-box-only-based image encryption against differential attacks. In this sense, we tested the NPCR and UACI for some selected color images. Experimental results are given in Table 22.

Table 22 Differential analysis of S-box-only-based encryption
Full size table

Table 22 shows that the proposed S-box-only-based encryption has good performance on sensitivity of the plaintext and can resist differential attacks.

6.3 Resistance of S-box-only chaotic image ciphers against chosen-plaintext attacks (CPA)

In fact, substitution boxes play a good role in designing secure substitution architecture in most ciphers. However, most of the previous S-boxes designs are weak, especially if they are only used in image ciphers, against attacks such as CPA. In addition, the S-box analyses like nonlinearity and SAC cannot reveal the real efficiency against CPA attacks if it is used in image cryptosystem.

A good procedure to prove the resistance of S-box-only chaotic image cipher against CPA attacks was proposed by Zhang and Xiao in [53]. Therefore, to follow the rules raised in [53], we applied them to the proposed S-box-only chaotic image ciphers. After careful analysis, one can conclude that the proposed algorithm is secure enough according to the following rules:

Rule 1: The key generation of the S-box depends on the plain image

Rule 2: A well-designed cryptosystem must satisfy the confusion and diffusion [1]. In the proposed S-box, confusion is satisfied by a secure permutation method and diffusion is done by gray code combined with chaotic maps.

Rule 3: In the proposed cryptosystem, we used chaotic dynamical systems that are approximately uniform distribution to generate the pseudorandom number sequences.

Rule 4: The inner cipher rounds are not included as part of the keys, since its assessment can be obtained through an abstract analysis of the encipherment time.

In short, the proposed image cipher-based S-box in this paper is secure according to the above raised rules.

7 Conclusion

This paper proposes a simple and efficient S-box method based on logistic-sine map. To cope with the disadvantages of small key space and weak obscurity in the current chaotic encryption methods, an efficient chaos-based image encryption scheme in the form of permutation–substitution structure was proposed. The objective of using the permutation–substitution structure was to create confusion between the cipher image and the keystream and enhance the security by adding diffusion in the plain image. Detailed differential and statistical analyses were carried out to show the effectiveness of the proposed schemes. Results demonstrate that the proposed encryption scheme meets all the performance requirements of image encryption design criteria. It also has the advantages of large key space and is therefore adequate for and the practical implementation of encryption schemes.