Image Encryption Using Elliptic Curves and Rossby/Drift Wave Triads

We propose an image encryption scheme based on quasi-resonant Rossby/drift wave triads (related to elliptic surfaces) and Mordell elliptic curves (MECs). By defining a total order on quasi-resonant triads, at a first stage we construct quasi-resonant triads using auxiliary parameters of elliptic surfaces in order to generate pseudo-random numbers. At a second stage, we employ an MEC to construct a dynamic substitution box (S-box) for the plain image. The generated pseudo-random numbers and S-box are used to provide diffusion and confusion, respectively, in the tested image. We test the proposed scheme against well-known attacks by encrypting all gray images taken from the USC-SIPI image database. Our experimental results indicate the high security of the newly developed scheme. Finally, via extensive comparisons we show that the new scheme outperforms other popular schemes.


Introduction
The exchange of confidential images via the internet is usual in today's life, even though the internet is an open source that is unsafe and unauthorized persons can steal useful or sensitive information. Therefore it is essential to be able to share images in a secure way. This goal is achieved by using cryptography. Traditional cryptographic techniques such as data encryption standard (DES) and advanced encryption standard (AES) are not suitable for image transmission because image pixels are usually highly correlated [1,2]. By contrast, DES and AES are ideal techniques for text encryption [3], so researchers are trying to develop such techniques to meet the demand for reliable image delivery.
A number of image encryption schemes have been developed using different approaches [4][5][6][7][8][9][10][11][12][13][14]. Hua et al. [12] developed a highly secure image encryption algorithm, where pixels are shuffled via the principle of the Josephus problem and diffusion is obtained by a filtering technology. Wu et al. [13] proposed a novel image encryption scheme by combining a random fractional discrete cosine transform (RFrDCT) and the chaos-based Game of Life (GoL). In their scheme, the desired level of confusion and diffusion is achieved by GoL and an XOR operation, respectively. "Confusion" entails hiding the relation between input image, secret keys and the corresponding cipher image, and "diffusion" is an alteration of the value of each pixel in an input image [1].
One of the dominant trends in encryption techniques is chaos-based encryption [15][16][17][18][19][20]. The reason for this dominance is that the chaos-based encryption schemes are highly sensitive to the initial parameters. However, there are certain chaotic cryptosystems that exhibit a lower security level due to the usage of chaotic maps with less complex behavior (see [21]). This problem is addressed in [22] by introducing a cosine-transform-based chaotic system (CTBCS) for encrypting images with higher shallow layer of fluid on the surface of a rotating sphere. It is described in mathematical terms by the partial differential equation where ψ(x, y, t) ∈ R represents the geopotential height, γ is the Coriolis parameter, a real constant measuring the variation of the Coriolis force with latitude (x represents longitude and y represents latitude) and F is a non-negative real constant representing the inverse of the square of the deformation radius. We assume periodic boundary conditions: ψ(x + 2π, y, t) = ψ(x, y + 2π, t) = ψ(x, y, t) for all x, y, t ∈ R. In the literature Equation (1) is also known as the Charney-Hasegawa-Mima equation (CHM) [35][36][37][38][39]. This equation accepts harmonic solutions, known as Rossby waves, which are solutions of both the linearized form and the whole (nonlinear) form of Equation (1). A Rossby wave solution is given explicitly by the parameterized function ψ (k,l) (x, y, t) = {A e i(kx+ly−ω(k,l)t) }, where A ∈ C is an arbitrary constant, ω(k, l) = − γ k k 2 +l 2 +F is the so-called dispersion relation, and (k, l) ∈ Z 2 is called the wave vector. For simplicity, we take γ = −1 and F = 0 in what follows [32,33].
Resonant triads: As Equation (1) is nonlinear, modes with different wave vectors tend to couple and exchange energy. If the nonlinearity is weak, this exchange happens to be quite slow and is more efficient amongst groups of modes that are in resonance. To the lowest order of nonlinearity in Equation (1), approximate solutions known as resonant triad solutions can be constructed via linear combinations of the form where A 1 , A 2 , A 3 are slow functions of time (they satisfy a closed system of ODEs, not shown here), and the wave vectors (k 1 , l 1 ), (k 2 , l 2 ) and (k 3 , l 3 ) satisfy the Diophantine system of equations: for ω i = ω(k i , l i ), i = 1, 2, 3. A set of three wavevectors satisfying Equations (2) is called a resonant triad. Solutions can be found analytically via a rational transformation to elliptic surfaces (see below). Quasi-resonant triads and detuning level: If, in (2), the equation ω 1 + ω 2 = ω 3 is replaced by the inequality |ω 1 + ω 2 − ω 3 | ≤ δ −1 , for a large positive number δ, then the triad becomes a quasi-resonant triad and δ −1 is known as the detuning level of the quasi-resonant triad. It is possible to construct quasi-resonant triads via downscaling of resonant triads that have very large wave vectors [32]. For simplicity, in what follows we simply call a quasi-resonant triad a triad and denote it by ∆. Finally, to avoid over-counting of triads we will impose the condition k 3 > 0.
Rational transformation: In [32], wave vectors are explicitly expressed in terms of rational variables X, Y and D as follows: In the case F = 0, the rational variables X, Y, D lie on an elliptic surface. The transformation is bijective and its inverse mapping is given by: New parameterization: In [40], Kopp parameterized the resonant triads and in terms of parameters u and t it follows by [40] (Equation (1.22)) that: In 2019, Hayat et al. [33] found a new parameterisation of X, Y and D in terms of auxiliary parameters a, b and hence k 1 and l 1 k 3 are given by: Elliptic curve (EC): Let F p be a finite field for any prime p, then an EC E p over F p is defined by where b, c ∈ F p . The integers b, c and p are called parameters of an EC. The number of all (x, y) ∈ F 2 p satisfying the congruence (11) is denoted by #E p .

Mordell elliptic curve (MEC):
In the special but important case b = 0, the above EC is known as an MEC and is represented by For p ≡ 2 (mod 3), there are exactly p + 1 points (x, y) ∈ F 2 p satisfying the congruence (12), see [41] for further details.
If points on E p are ordered according to some total order ≺ then E p is said to be an ordered EC. Recall that total order is a binary relation which possesses the reflexive, antisymmetric and transitive properties. Azam et al. [42] introduced a total order known as a natural ordering on MECs given by and generated efficient S-boxes using the aforesaid ordering. We will use natural ordering to generate S-boxes. Thus from here on E p stands for a naturally ordered MEC unless it is specified otherwise.

The Proposed Encryption Scheme
The proposed encryption scheme is based on pseudo-random numbers and S-boxes. The pseudo-random numbers are generated using quasi-resonant triads. To get an appropriate level of diffusion we need to properly order the ∆s. For this purpose we define a binary relation as follows.

Ordering on Quasi-Resonant Triads
Let ∆, ∆ represent the triads (k i , l i ), (k i , l i ), i = 1, 2, 3, respectively, then where a, b and a , b are the corresponding auxiliary parameters of ∆ and ∆ , respectively. Lemma 1. If T denotes the set of ∆s in a box of size L, then is a total order on T.
Proof. The reflexivity of follows from a = a, b = b and k 3 = k 3 and hence ∆ ∆. As for antisymmetry we suppose ∆ ∆ and ∆ ∆. Then, by definition a ≤ a and a ≤ a, which imply a = a . Thus we are left with two results: b ≤ b and b ≤ b, which imply b = b . Thus, we obtain the results k 3 ≤ k 3 and k 3 ≤ k 3 , which ultimately give k 3 = k 3 . Solving Equations (8)-(10) for the obtained values, we get k 1 = k 1 , l 3 = l 3 and from Equation (2) it follows that l 2 = l 2 . Consequently ∆ = ∆ and is antisymmetric. As for transitivity, let us assume ∆ ∆ and ∆ ∆ . Then a ≤ a and a ≤ a , implying a ≤ a . If a < a , then transitivity follows. If a = a , then a = a too.
Let * T stand for the set of ∆s ordered with respect to the order . The main steps of the proposed scheme are explained as follows.

A. Public parameters:
In order to exchange the useful information the sender and receiver should agree on the public parameters described as below: (1) Three sets: choose three sets A i = [A i , B i ], i = 1, 2, 3 of consecutive numbers with unknown step sizes, where the end points A i , B i , i = 1, 2, 3 are rational numbers. (2) A total order: select a total order ≺ so that the triads generated by the above-mentioned sets may be arranged with respect to that order.
Suppose that P represents an image of size m × n to be encrypted, and the pixels of P are arranged in column-wise linear ordering. Thus, for positive integer i ≤ mn, P(i) represents the i-th pixel value in linear ordering. Define S P as the sum of all pixel values of the image P. Then the proposed scheme chooses the secret keys in the following ways.

B. Secret keys:
To generate confusion and diffusion in an image, the sender chooses the secret keys as follows. (1) Step size: select positive integers a i , b i to construct the step sizes α i = a i b i of A i , i = 1, 2. Additionally, choose a non-negative integer a 3 as a step size of A 3 in such a way that ∏ 3 i=1 n i ≥ mn, where #A i = n i represents the number of elements in A i .
Detuning level: fix some posive integer δ to find the detuning level δ −1 allowed for the triads.
Bound: select a positive integer L such that |k i |, |l i | ≤ L for i = 1, 2, 3. This condition is imposed in order to bound the components of the triad wave vectors. Furthermore, choose an integer t to find r = S P /t , where · gives the nearest integer when S P is divided by t. The reason for choosing such a t is to generate key-dependent S-boxes and the integer r is used to diffuse the components of triads.
A prime: select a prime p ≥ 257 such that p ≡ 2 (mod 3) as a secret key for computing nonzero c ≡ S P + t (mod p) to generate an S-box ζ E p (p, t, S P ) on the E p . The S-box construction technique is made clear in Algorithm 1, and the S-box generated for p = 1607, t = 182 and S = 0 by Algorithm 1 is shown in Table 1. Furthermore, the cryptographic properties of the said S-box are evaluated in Sections 4.1 and 4.2.

Algorithm 2: Generating quasi-resonant triads.
/* T is a set containing the Quasi-resonant triads, while m and n are the dimensions of an input image. */ Input : Three sets A i , i = 1, 2, 3, inverse detuning level δ, bound L, two positive integers m and n. Output : Quasi-resonant triads Calculate and store the values of k 1 (c 1 ), l 3 (c 1 ), and l 1 (c 1 ) for each pair (a, b) using Equations (8)-(10). Thus ∆ j represents the j-th triad in ordered set * T. Moreover, (k ji , l ji ), i = 1, 2, 3 are the components of ∆ j . In Algorithm 3, the generation of β * T (t, S P ) is interpreted.

Algorithm 3:
Generating the proposed pseudo-random sequence.
Input : An ordered set * T, an integer t and a plain image P.
The proposed sequence β * T (t, S P ) is cryptographically a good source of pseudo-randomness because triads are highly sensitive to the auxiliary parameters (a, b) [33] and inverse detuning level δ. It is shown in [32] that the intricate structure of clusters formed by triads depends on the chosen δ, and the size of the clusters increases as the inverse detuning level increases. Moreover, the generation of triads is rapid due to the absence of modular operation.

Decryption
In our scheme the decryption process can take place by reversing the operations of the encryption process. One should know the inverse S-box ζ −1 E p (n, t, S P ) and the pseudo-random numbers β * T (t, S P ). Assume the situation when the secret keys a 1 , b 1 , a 2 , b 2 , a 3 , δ, L, S P , t and p are transmitted by a secure channel, so that the set * T is obtained using keys a 1 , b 1 , a 2 , b 2 , a 3 , δ and L, and hence the S-box ζ −1 E p (p, t, S P ) and the pseudo-random numbers β * T (t, S P ) can be computed by S P , t and p. Finally, the receiver gets the original image P by applying the following equations:

Security Analysis
In this section the cryptographic strength of both the S-box construction technique and encryption scheme are analyzed in detail.

Evaluation of the Designed S-Box
An S-box with good cryptographic properties ensures the quality of an encryption technique. Generally, some standard tests such as nonlinearity (NL), linear approximation probability (LAP), strict avalanche criterion (SAC), bit independence criterion (BIC) and differential approximation probability (DAP) are used to evaluate the cryptographic strength of an S-box.
The NL [43] and the LAP [44] are outstanding features of an S-box, used to measure the resistance against linear attacks. The NL measures the level of nonlinearity and the LAP finds the maximum imbalance value of an S-box. The optimal value of the nonlinearity is 112. A low value of LAP corresponds to a high resistance. The minimum NL and the LAP values for the displayed S-box are 106 and 0.1484, respectively. This ensures that the proposed S-box is immune to linear attacks. Webster and Tavares [45] developed the concepts of the SAC and the BIC, which are used to find the confusion and diffusion creation potential of an S-box. In other words, the SAC criterion measures the change in output bits when an input bit is altered. Similarly, the BIC criterion explores the correlation in output bits when change in a single input bit occurs. The average values of the SAC and the BIC for the constructed S-box are 0.4951 and 0.4988, respectively, which are close to the optimal value 0.5. Thus, both tests are satisfied by the suggested S-box. The DAP [46] is another important feature used to analyze the capability of an S-box against differential attacks. The lowest value of DAP for an S-box implies the highest security to the differential attacks. Our DAP result is 0.0234, which is good enough to resist differential cryptanalysts.

Evaluation of the Proposed Encryption Technique
In this section the current scheme is implemented on all gray images of the USC-SIPI Image Database [56]. The USC-SIPI database contains images of size m × m, m = 256,512,1024. Furthermore, some security analyses that are explained one by one in the associated subsections are presented.
To validate the quality of the proposed scheme, the experimental results are compared with some other encryption schemes. The parameters used for the experiments are A 1 = A 2 = −1.0541, A 3 = 401, B 1 = B 2 = −0.8514 and B 3 = 691, 3036, 5071 for m = 256,512,1024, respectively; a 1 = 2, b 1 = 1000, a 2 = 19, b 2 = 1000, a 3 = 5, δ = 1000, t = 2, p = 293, L = 90,000 and S P varies for each P. The experiments were performed using Matlab R2016a on a personal computer with a 1.8 GHz Processor and 6 GB RAM. All encrypted images of the database along with histograms are available at [57]. Some plain images, House 256×256 , Stream 512×512 , Boat 512×512 and Male 1024×1024 and their cipher images are displayed in Figure 1.

Statistical Attack
A cryptosystem is said to be secure if it has high resistance against statistical attacks. The strength of resistance against statistical attacks is measured by entropy, correlation and histogram tests. All of these tests are applied to evaluate the performance of the discussed scheme.
(1) Histogram. A histogram is a graphical way to display the frequency distribution of pixel values of an image. A secure cryptosystem generates cipher images with uniform histograms. The histograms of the encrypted images using the proposed method are available at [57]. However, the respective histograms for the images in Figure 1 are shown in Figure 2. The histograms of the encrypted images are almost uniform. Moreover, the histogram of an encrypted image is totally different from that of the respective plain image, so that it does not allow useful information to the adversaries, and the proposed algorithm can resist any statistical attack. (2) Entropy. Entropy is a standout feature to measure the disorder. Let I be a source of information over a set of symbols N. Then the entropy of I is defined by: where p(I i ) is the probability of occurrence of symbol i. The ideal value of H(I) is log 2 (#N), if all symbols of N occur in I with the same probability. Thus, an image I emanating 256 gray levels is highly random if H(I) is close to 8 (notice, however, that this definition of entropy does not take into account pixel correlations). The entropy results for all images encrypted by the suggested technique are shown in Figure 3, where the minimum, average and maximum values are 7.9966, 7.9986 and 7.9999, respectively. These results are close to 8, and hence the developed mechanism is secure against entropy attacks.
Pixel correlation. A meaningful image has strong correlation among the adjacent pixels. In fact, a good cryptosystem has the ability to break the pixel correlation and bring it close to zero. For any two gray values x and y, the pixel correlation can be computed as: where E[x] and K[x] denote expectation and variance of x, respectively. The range of C xy is −1 to 1. The gray values x and y are in low correlation if C xy is close to zero. As the pixels may be adjacent in horizontal, diagonal and vertical directions, the correlation coefficients of all encrypted images along all three directions are shown in Figure 3 In addition, 2000 pairs of adjacent pixels of the plain image and cipher image of Lena 512×512 are randomly selected. Then correlation distributions of the adjacent pixels in all three directions are shown in Figure 4, which reveals the strong pixel correlation in the plain image but a weak pixel correlation in the cipher image generated by the current scheme.

Differential Attack
In differential attacks the opponents try to get the secret keys by studying the relation between the plain image and cipher image. Normally attackers encrypt two images by applying a small change to these images, then compare the properties of the corresponding cipher images. If a minor change in the original image can cause a significant change in the encrypted image, then the cryptosystem has a high security level. The two tests NPCR (number of pixels change rate) and UACI (unified average changing intensity) are usually used to describe the security level against differential attacks. For two plain images P and P different at only one pixel value, let C P and C P be the cipher images of P and P , respectively, then NPCR and UACI are calculated as: where τ(u, v) = 0 if C P (u, v) = C P (u, v) and τ(u, v) = 1, otherwise. The expected values of NPCR and UACI for 8-bit images are 0.996094 and 0.334635, respectively [13]. We applied the above two tests to each image of the database by randomly changing the pixel value of each image. The experimental results are shown in Figure 5, giving average values of NPCR and UACI of 0.9961 and 0.3334, respectively. It follows from the obtained results that our scheme is capable of resisting a differential attack. (d) Figure 5. (a,b) The NPCR and UACI results for each image in the USC-SIPI database; (c) First 256 pseudo-random numbers and (d) two S-boxes generated for Lena 512×512 with a small change in an input key t.

Key Analysis
For a secure cryptosystem it is essential to perform well against key attacks. A cryptosystem is highly secure against key attacks if it has key sensitivity and large key space and strongly opposes the known-plaintext/chosen-plaintext attack. The proposed scheme is analyzed against key attacks as follows. (1) Key sensitivity. Attackers usually use slightly different keys to encrypt a plain image and then compare the obtained cipher image with the original cipher image to get the actual keys. Thus, high key sensitivity is essential for higher security. That is, cipher images of a plain image generated by two slightly different keys should be entirely different. The difference of the cipher images is quantified by Equations (19) and (20). In experiments we encrypted the whole database by changing only one key, while other keys remain unchanged. The key sensitivity results are shown in Table 9, where the average values of NPCR and UACI are 0.9960 and 0.3341, respectively, which specify the remarkable difference in the cipher images. Moreover, our cryptosytem is based on the pseudo-random numbers and S-boxes. The sensitivity of pseudo-random numbers sequences β * T (2, S P ) and β * T (1, S P ) and S-boxes ζ E p (p, 2, S P ) and ζ E p (p, 1, S P ) for Lena 512×512 is shown in Figure 5. Table 9. Difference between two encrypted images when key t = 2 is changed to t = 1. NPCR: number of pixels change rate; UACI: unified average changing intensity. (2) Key space. In order to resist a brute force attack, key space should be sufficiently large. For any cryptosystem, key space represents the set of all possible keys required for the encryption process. Generally, the size of the key space should be greater than 2 128 . In the present scheme the parameters a 1 , b 1 , a 2 , b 2 , a 3 , δ, L, S P , t and p are used as secret keys, and we store each of them in 28 bits. Thus the key space of the proposed cryptosystem is 2 280 which is larger than 2 128 and hence capable to resist a brute force attack.

Image NPCR(%) UACI(%) Image NPCR(%) UACI(%)
Known-plaintext/chosen-plaintext attack. In a known-plaintext attack, the attacker has partial knowledge about the plain image and cipher image, and tries to break the cryptosystem, while in a chosen-plaintext attack the attacker encrypts an arbitrary image to get the encryption keys. An all-white/black image is usually encrypted to test the performance of a scheme against these powerful attacks [29,58]. We analyzed our scheme by encrypting an all-white/black image of size 256 × 256. The results are shown in Figure 6 and Table 10, revealing that the encrypted images are significantly randomized. Thus the proposed system is capable of preventing the above mentioned attacks. (f) Figure 6. (a) All-white; (b) all-black; (c,d) cipher images of (a,b); (e,f) histograms of (c,d).

Comparison and Discussion
Apart from security analyses, the proposed scheme is compared with some well-known image encryption techniques. The gray scale images of Lena 256×256 and Lena 512×512 are encrypted using the presented method, and experimental results are listed in Table 11. It is deduced that our scheme generates cipher images with comparable security. Furthermore, we remark that the scheme in [29] generates pseudo-random numbers using group law on EC, while the proposed method generates pseudo-random numbers by constructing triads using auxiliary parameters of elliptic surfaces. Group law consists of many operations, which makes the pseudo-random number generation process slower than the one we present here. The scheme in [26] decomposes an image to eight blocks and uses dynamic S-boxes for encryption purposes. The computation of multiple S-boxes takes more time than computing only one S-box. Similarly the techniques in [2,27] use a set of S-boxes and encrypt an image in blocks, while our newly developed scheme encrypts the whole image using only one dynamic S-box. Thus, our scheme is faster than the schemes in [2,27]. The security system in [61] uses a chaotic system to encrypt blocks of an image. The results in Table 11 reveal that our proposed system is cryptographically stronger than the scheme in [61]. The algorithms in [3,59] combine chaotic systems and different ECs to encrypt images. It follows from Table 11 that the security level of our scheme is comparable to that of the schemes in [3,59]. The technique in [60] uses double chaos along with DNA coding to get good results, as shown in Table 11, but the results obtained by the new scheme are better than that of [60]. Similarly the technique in [31] encrypts images using ECs but does not guarantee an S-box for each set of input parameters, thus making our scheme faster and more robust than the scheme developed in [31].
Furthermore, the following facts put our scheme in a favorable position: (i) Our scheme uses a dynamic S-box for each input image while the S-box used in [29] is a static one, which is vulnerable [63] and less secure than a dynamic one [64]. (ii) The presented scheme guarantees an S-box for each image, which is not the case in [31]. (iii) To get random numbers, the described scheme generates triads for all images of the same size, while in [31] the computation of an EC for each input image is necessary, which is time consuming. (iv) The scheme in [26] uses eight dynamic S-boxes for a plain image, while the current scheme uses only one dynamic S-box for each image to get the desired cryptographic security.

Conclusions
An image encryption scheme based on quasi-resonant triads and MECs was introduced. The proposed technique constructs triads to generate pseudo-random numbers and computes an MEC to construct an S-box for each input image. The pseudo-random numbers and S-box are then used for altering and scrambling the pixels of the plain image, respectively. As for the advantages of our proposed method, firstly triads are based on auxiliary parameters of elliptic surfaces, and thus pseudo-random numbers and S-boxes generated by our method are highly sensitive to the plain image, which prevents adversaries from initiating any successful attack. Secondly, generation of triads using auxiliary parameters of elliptic surfaces consumes less time than computing points on ECs (we find a 4x speed increase for a range of image resolutions m ∈ [128, 512]), which makes the new encryption system relatively faster. Thirdly, our algorithm generates the cipher images with an appropriate security level.
In summary, all of the above analyses imply that the presented scheme is able to resist all attacks. It has high encryption efficiency and less time complexity than some of the existing techniques. In the future, the current scheme will be further optimized by means of new ideas to construct the S-boxes using the constructed triads, so that we will not need to compute an MEC for each input image.
Author Contributions: All authors contributed equally to this work. All authors have read and agree to the published version of the manuscript.
Funding: This research is funded through the HEC project NRPU-7433.