Asymmetric Image Encryption Approach with Plaintext-Related Diffusion

This paper deals with topic of image encryption based on chaotic maps. A solution which has advantage of robustness against chosen-plaintext attacks is proposed. Permutations of image pixels are carried out in a way that enables operations on grayscale images with arbitrary resolution. All calculations done with user key and also all diffusion processes employ the same chaotic map. This feature enables usage of look-up tables which reduce computational times. The paper includes several experiments which verify achieved results and also briefly describes advantages and drawbacks of proposed solution.


Introduction
First application of chaos for purposes of encryption was proposed by Matthews in late 1980s [1].Since then many chaotic encryption algorithms were described.One of the first papers which dealt specifically with image encryption was published by Fridrich in 1998 [2].
Fridrich's article provides scheme which was later used in many other solutions [3][4][5].This scheme employs two operations with image pixels (they serve as plaintext).First oneconfusion shuffles image pixels in a way that minimizes correlation between adjacent pixels.The other operation is diffusion, which tries to establish dependence between amplitudes of all image pixels.If two plaintext images differ in amplitude of only one pixel, good diffusion algorithm should result in two entirely different encrypted images.
Encryption algorithms designed for images have some advantages over conventional algorithms such as Advanced Encryption Standard (AES) [6], [7].One of the most noticeable advantages is relatively small number and low difficulty of operations performed during encryption or decryption.This property is crucial for reaching fast computational times.However, it also causes one drawback of chaotic image encryption algorithms -it is quite easy to perform attacks, which try to retrieve plaintext image from its encrypted version.Brute-force attacks can be prevented by large key-space, possibility of statistical and some of differential attacks can be avoided by suitable diffusion algorithm.However, newer types of attacks could cause problems.
Fridrich's algorithm was broken in 2010 by an attack introduced by Solak et al. [8].This attack changes amplitudes of plaintext image pixels and explores the dependencies between them and amplitudes of encrypted image pixels.Therefore, it could be classified as chosen-plaintext type of attack.Mentioned attack and its generalized versions are for purposes of this paper named simply as Solak's attack.
The rest of article is organized as follows: Sec. 2 contains brief survey of already published approaches.Sec. 3 describes all methods used by our proposal.Steps of encryption and decryption algorithms are mentioned in Sec. 4. Achieved results are discussed in Sec. 5.The paper ends with Sec. 6 which provides a review of advantages and drawbacks of proposed solution.

Related Work
Several ways for decreasing effects of Solak's attack or eliminating its possibility were proposed.The dependencies between amplitudes of plaintext pixels and encrypted pixels can be disturbed by modification of used key.Plaintext pixel amplitudes are used as input for hash functions by Zhang et al. in [9] and by Liu and Wang in [10].Corresponding outputs are used as a set of parameters for next steps.Therefore, different images produce various encryption keys.Thus it is not possible to establish a list of pixel dependencies by testing of various images.
Another scheme consisting of two iterations of diffusion and one iteration of confusion was presented by Zhang in [11].In this case, the relation between plaintext and key is created during confusion.Fu et al. [12] uses circular shift of key elements for producing different keys used by diffusion.Amount of shifting done in each iteration depends on values computed in previous iteration.Hence for first iteration, the shifting depends just on plaintext pixel amplitudes.
Proposal of Kanso and Ghebleh [13] adjusts number of chaotic map iterations according to plaintext image amplitudes.Results of the iterating are then used in the diffusion algorithm.Guanghui et al. uses multiple chaotic maps in [14], where the output of chaotic maps is divided into several parts.Each part is then employed for modification of key used in current iteration of encryption.

Logistic Map
Logistic map (LM) was introduced by May in 1976 [15].May considered LM as a tool for modelling growths or decreases of wildlife population.LM can be also presented as one dimensional chaotic map, which maps x(n) ∈ 0, 1 to x(n + 1) in the same range with respect to parameter r ∈ (0, 4 (1): where n denotes iteration number.
Properties of LM depend on parameter r.Effects of various r can be viewed on bifurcation diagram (see Fig. 1).As it can be seen, first bifurcation occurs when r ∼ 3. The chaotic behavior of LM starts at r ∼ 3.56995 which is also known as 'onset of chaos' [16].However several islands of stability are present also after this point.One example of these islands is located at r ∼ 3.82843.

Arnold's Cat Map
Arnold's cat map (ACM) was described in 1968 by Arnold and Avez [17] as an example of toral automorphism.Name of this map was chosen by picture of cat head which was used for experiments.ACM can be described as two dimensional chaotic map which preserves measure -the range of outputs stays the same as the range of inputs.Set of equations for discretized version ACM is given as (2): where x(n), y(n), x(n + 1) and y(n + 1) ∈ {0, 1, . . ., N − 1}, n denotes iteration number, N is the height and also width of image.Modulus of N in both equations restrains usage of ACM only to square images (resolution of N × N pixels).
As ACM maps each pair of coordinates x(n), y(n) to unique pair x(n + 1), y(n + 1), it is possible to construct inverse set of equations (3): x(n − 1) One known drawback of ACM is existence of fixed points.These are matrix elements which do not change their coordinates in consecutive iterations of ACM.An example of fixed point is shown on Fig. 2  In our solution, we tried to suppress occurence of fixed points by shifting elements prior to each iteration of ACM.The shift of element e with original coordinates l, k to new coordinates l , k can be given as (4) for direct version of ACM and as (5) for inverse version of ACM: where l, k, l and k ∈ {0, 1, ..., N − 1}, N is the height and also width of matrix or image.
The shifting ensures that matrix element with coordinates of a fixed point is changed before each iteration of ACM.Therefore this element would move to location which is not a fixed point and its coordinates would be changed in following iterations of ACM.

Ciphertext Chaining
Chaining of ciphertext helps to introduce dependencies between adjacent pixels of encrypted images.Hence it is important for establishing robustness against statistical and differential attacks.For spreading a change in amplitude of arbitrary pixel into amplitudes of all other pixels, it is possible to employ two iterations of a simple feedback (6): where i ∈ {1, 2} denotes sequential number of iteration, f i is vector after ith iteration of chaining, f 0 is a vector of image pixel amplitudes prior to encryption, n denotes index of currently processed pixel, n ∈ {0, 1, ..., num P − 1}, num P is the total number of image pixels, L is the color depth of image.
Operation inverse to chaining done by ( 6) can be given as (7):

Key Diffusion
The output of diffusion algorithm should be sensitive to even small differences between entered diffusion keys.Because our proposal uses diffusion key consisting of 8 bytes, these bytes need to be diffused prior to encryption or decryption.The principle of direct key diffusion is illustrated on Fig. 3. Key diffusion consists of three iterations which are used for creating dependencies between every possible pair of key bytes B 0 (b), b ∈ {0, 1, . . ., 7}.Inverse key diffusion used during decryption iterates in reverse order.In the case of direct key diffusion, block denoted as 'ACM' employs set of equations ( 2), inverse key diffusion uses set (3).

Key Expansion
In our solution, the dependencies between key and image pixels are introduced by using ACM, which takes one key byte and current pixel amplitude as inputs x(n) and y(n).Therefore one key byte is needed for each image pixel.Because keys of such length are not practical, we employ key expansion which enlarges the key to desired length.Key expansion is related to one of properties of our algorithm -it uses different initial keys for encryption and for decryption.Because encryption uses expanded key from its start to its end, the decryption needs to start with end of expanded key.Thus it is necessary to provide last elements of expanded key to the decryption algorithm.Amount of these key elements is in presented case fixed to 8 bytes.

Proposed Solution
In this paper, we would like to describe a reasonably fast image encryption algorithm with results that are still sufficient by means of resistance against known types of attacks.The algorithm works with grayscale images with arbitrary resolution (M × N pixels).Confusion step uses logistic map for shuffling (permutation) of plaintext image pixels.Diffusion operates with results of Arnold's cat map.

Encryption
Encryption is done by following steps of Algorithms 1 and 2: Algorithm 1: Confusion algorithm.
Input: grayscale plaintext image P, its height h and width w, 8 byte encryption keys key x , key y Output: grayscale image after confusion C 1. Keys key x and key y are mapped to values r x , r y ∈ 0, 0.01).
3. Map L M rows is iterated h + 10 times, map L M cols is iterated w + 10 times.
5. Each pixel with coordinates l, k in current image row l is shifted to new coordinates l, k : (l, k ) = (l, k + sh rows (k) (mod w)).

Each pixel with coordinates
As it can be seen, the logisitic maps are used for producing h + 10 and w + 10 iterates, respectively.First ten iterates are not used for pixel shifting but they help reaching sufficient chaotic properties of generated sequences.
The number of iterations of ACM is set as 11 for the same reason as for the LM -the map needs to produce results with chaotic behavior.Usage of N = 256 is caused by number of grayscale image pixel amplitudes and number of possible binary representations of one key byte.As these parameters of ACM are fixed, the computation speed could be improved through usage of look-up tables.These tables provide values of x , y for all possible initial pairs of x, y.

Algorithm 2: Diffusion algorithm.
Input: grayscale image after confusion C, its height h and width w, 8 byte encryption key key z Output: grayscale encrypted image E, 8 byte decryption key key d 1. Look-up tables for matrix of all possible inputs x, y ∈ {0, 1, . . ., 255} are created.These tables contain new coordinates of matrix elements after 11 iterations of Arnold's cat map (2).
2. Image after confusion C is reshaped to vector C vec with 1 row and h • w columns.
Then it is copied into first 8 elements of vector with extended key key z .8. Vector E vec is reshaped to matrix E with h rows and w columns.
9.Last 8 bytes of extended key key z are copied into vector key d .Then this decryption key undergoes key diffusion (see Fig. 3).

Decryption
Decryption is in case of the proposed algorithm analogous to encryption.The only differences are present in the used key, equations and therefore also look-up tables.Because decryption algorithm needs to start with decryption of pixel amplitudes which were encrypted as last, it uses last 8 bytes of extended key which was produced during encryption.These bytes are then used as input for inverse key diffusion.
The key is then extended 'backwards' by look-up tables produced by inverse ACM (3).The tables are also used for computing pixel amplitudes after first round of diffusion.Then the effect of chaining is eliminated by (7).This process is repeated also for removing first iteraton of diffusion.Finally, decrypted image is achieved by performing inverse shifts of pixels in image rows and columns.
The safety of proposed solution is based on fact that potential attackers do not have access to decryption key.If key values would become compromised, the attackers should be able to use look-up tables and find pixel amplitudes which correspond to encrypted pixel amplitudes.

Experimental Results
Following experiments used three plaintext images.These images and their versions encrypted with key K 1 are shown on Fig. 4. Their resolution was 512 × 512 pixels in case of lena, 512 × 256 pixels for black and 256 × 256 pixels for image f16.The color depth of all images was 8 bits.used two kinds of keys: encryption keys K 1 , K 2 which consisted of three parts key x , key y and key z and decryption keys K 1 , K 2 with their parts key x , key y and key d .Differences between keys are indicated by bold characters, their values were set as: • K 1 = (key x , key y , key z ) = (0xA0B32465, 0xFD326667, 0x9745BC3470CD64EE), • K 2 = (key x , key y , key z ) = (0xA0B32465, 0xFD326668, 0x9745BC3470CD64EE), • K 1 = (key x , key y , key d ) = (0xA0B32465, 0xFD326667, 0x6E960C921BCC1FCD), • K 2 = (key x , key y , key d ) = (0xA0B32465, 0xFD326668, 0x6E960B921BCC1FCD).

Size of Key Space and Key Sensitivity
Key space is a set of all keys which could be used for encryption.In case of our algorithm the confusion keys key x and key y do not depend on diffusion key key z and vice versa.This means that the key space includes all possible combinations of confusion and diffusion keys.As key x and key y are both represented by 4 bytes and key z is given as 8 bytes, the size of keyspace can be computed as num k = 256 4 • 256 4 • 256 8 = 2 32+32+64 = 2 128 .
If we would estimate the time necessary for decryption of image with resolution of 512 × 512 pixels as 100 ms, the brute-force attack would take approx.1.079 × 10 30 years.Thus this type of attack can be considered as not feasible.
Key sensitivity of our algorithms is shown on Fig. 5.

Statistical Attacks
These attacks compare properties of images before and after encryption.Ideally, an encrypted image should not provide any information about plaintext image.Level of robustness against statistical attacks could be evaluated by histograms, correlation diagrams and coefficients or by values of entropy.  in relatively uniform distribution of pixel amplitudes.Hence it can be concluded that statistical attacks are hardly possible.

Histograms of plaintext image lena and its version encrypted with key
Correlation diagrams display amplitudes of pairs of two adjacent image pixels on their axes.The adjacency is horizontal, vertical or diagonal.In an ideal case, the points should be located on the diagram with uniform distribution.The diagrams showing correlation of 1000 randomly chosen pairs of diagonally adjacent pixels for plaintext image lena and its version encrypted with key K 1 are displayed on Fig. 7.
Correlation coefficients ρ could be calculated by (8)(9)(10): ρ = cov(P, E) where P and E denote plaintext and encrypted images, cov(P, E) is their covariance, σ 2 I m is dispersion of image Im, Ī m denotes its arithmetic mean, l and k are row and column indices, h is height and w is width of image in pixels.
Entropy can be viewed as a measure of randomness of an information flow.Maximal possible value of entropy is determined by amount of bits which represent one element of the flow.Hence for grayscale image the maximal entropy is set as 8 bits/pixel.Entropy H is calculated by using ( 11): where L is color depth of image, p(a) denotes probability of occurence of image pixel with amplitude a.
Calculated values of correlation coefficients ρ and entropy H are included in Tab. 1. Subscripts h, v and d denote horizontal, vertical or diagonal adjacency of pixels in 1000 randomly chosen pixel pairs.All presented values except for entropy are arithmetic means of 100 repeated measurements.

Differential Attacks
Differential attacks investigate changes in encrypted images caused by modifications of corresponding plaintext images.Thus encryption algorithm should be sensitive even to small perturbations done in plaintext images.
Robustness against differential attacks can be evaluated by two measures.First one is called Number of Pixel Change Rate (NPCR).Its calculation requires two plaintext images P 1 and P 2 , second one is a copy of first one with change of amplitude of one pixel.The size of this modification is minimal (one amplitude level).Then these images are encrypted as E 1 and E 2 and the value of NPCR is computed by (12): where l and k are row and column indices, h is height and w is width of image in pixels.
Second measure is known as Unified Average Changing Intensity (UACI).UACI also uses two encrypted images E 1 and E 2 which were created by the same way as for NPCR (13): where l and k are row and column indices, h is height and w is width of image in pixels and L is its color depth.
The difference between NPCR and UACI is hidden in the way of evaluating difference of encrypted images.While NPCR reflects only the amount of pixels with different amplitude, values of UACI are affected also by the size of amplitude change.Computed values of NPCR and UACI are shown in Tab. 2. These values were acquired from set of 100 repeated measurements.The coordinates of pixel with modified amplitude were chosen randomly in each measurement.

Relation Between Key and Plaintext
Previous paragraph contained an example of chosen-plaintext attack.Robustness against whole class of these attacks can be ensured by establishing a relation between used key and plaintext in form of pixel amplitudes.
Diffusion algorithm of our solution is based on usage of ACM, which takes parameters x(n), y(n) as its input.The output also consists of two parametersx(n+1) and y(n+1).As the inputs are current byte of extended key x(n) and value of processed pixel amplitude after chaining y(n), the outputs of ACM also relate to them.First output, x(n + 1) is used for extending the key and second output, y(n + 1) represents amplitude of image pixel after diffusion.These relations produce various extended keys for sets of images with minimal differences.Therefore it is not feasible to assume steps of encryption algorithm from testing of multiple plaintext images, because these images would result in different keys.Also the effects of key diffusion which is applied prior to encryption have to be taken into account.
Differences between various extended keys can be examined by their cross-correlation.Resulting function for first 100 elements of extended keys produced by second iteration of diffusion is illustrated on Fig. 8. Encryption with key K 1 was done on image lena (see Fig. 4), and its copy where amplitude of one pixel was changed by one level.Values of extended key elements were mapped to range −0.5, 0.5 before computation of cross-correlation.

Computational Difficulty
Speed tests of proposed algorithm were conducted in MAT-LAB R2015a on PC with 2.5 GHz CPU, 12 GB of RAM and Windows 10 operating system.The values presented in Tab. 3 were achieved by 100 repeated measurements.
Computational difficulty of algorithms can be compared by values of processing speed v proc .This measure expresses amount of data which is encrypted during one second (14): where h is height and w is width of image, L is its color depth and t is time required for one encryption given in seconds.
The values of v proc presented in Tab. 3 are calculated from arithemetic means of measured durations.

Comparison with Other Approaches
The comparison of results is quite a hard task due to many differences between experiments in other papers.For instance, color versions of lena were used in [10], [13], while [9], [12] tested effects of their proposals on various other grayscale images.Also some of processing speed measurements were conducted on considerably slower machines [9], [11], [13].Therefore only some parameters could be compared.
Results from Tab. 4 and Tab. 5 show that our solution achieves better values of processing speed v proc , correlation coefficients ρ and UACI.However, its performance is not as good in case of entropy and NPCR.These drawbacks are possible topics for our future work.

Conclusion
This paper proposed an image encryption algorithm based on chaotic maps.Properties of Arnold's cat map were employed for creating relation between used key and plaintext in form of image pixel amplitudes.This correspondence seems crucial for establishing certain level of robustness against class of chosen-plaintext attacks which could create a list of dependencies between encrypted and plaintext image.Effects of presented algorithms were verified by series of experiments.Their numeric results were compared with values yielded by approaches which used the same plaintext image.Processing speeds were calculated for algorithms which provided sufficient information about used images.
Main advantage of our proposal is its simplicity which enables fast processing speed.Also the correlation coefficients of adjacent encrypted pixels are in case of presented image better than those achieved by other algorithms.However, these solutions provided higher values of NPCR.Future work can be done on the key diffusion algorithm, which currently restrains the length of entered diffusion key to 8 bytes.

4 .
First iteration of diffusion.Each pixel from C vec (n) undergoes chaining by (6), resulting value overwrites its input.Then look-up tables are used for acquisition of pair x (n), y (n).Initial values are set as x(n) = key z (n), y(n) = C vec (n).

5 .
Resulting x (n) are used as next bytes of extended key -they are copied into key z (n + 8).Computed y (n) are used as amplitudes of image pixels after first iteration of diffusion D vec (n).6.Second iteration of diffusion.Each pixel from D vec (n) undergoes chaining by (6), resulting value overwrites its input.Then look-up tables are used for acquisition of pair x (n), y (n).Initial values are set as x(n) = key z (n + h • w), y(n) = D vec (n).

7 .
Resulting x (n) are used as next bytes of extended key -they are copied into key z (n + h • w + 8).Computed y (n) are used as amplitudes of encrypted image pixels E vec (n).

Fig. 4 .
Fig. 4. Set of plaintext images and their encrypted versions.