A Novel Image Encryption Algorithm Based on a ... - Semantic Scholar

A Novel Image Encryption Algorithm Based on a 3D Chaotic Map A. Kanso1 and M. Ghebleh Department of Mathematics Kuwait University P.O. Box 5969, Safat 13060, Kuwait Email: akanso, [email protected]

Abstract Recently Solak et al. [International Journal of Bifurcation and Chaos, 20 (2010), 1405–1413] cryptanalyzed the chaotic image encryption algorithm of Fridrich [International Journal of Bifurcation and Chaos, 8 (1998), 1259–1284], which was considered a benchmark for measuring security of many image encryption algorithms. This attack can also be applied to other encryption algorithms that have a structure similar to Fridrich’s algorithm, such as that of Chen et al. [Chaos, Solitons & Fractals, 21 (2004), 749–761]. In this paper, we suggest a novel image encryption algorithm based on a three dimensional (3D) chaotic map that can defeat the aforementioned attack among other existing attacks. The design of the proposed algorithm is simple and efficient, and based on three phases which provide the necessary properties for a secure image encryption algorithm including the confusion and diffusion properties. In phase I, the image pixels are shuffled according to a search rule based on the 3D chaotic map. In phases II and III, 3D chaotic maps are used to scramble shuffled pixels through mixing and masking rules, respectively. Simulation results show that the suggested algorithm satisfies the required performance tests such as high level security, large key space and acceptable encryption speed. These characteristics make it a suitable candidate for use in cryptographic applications. Keywords: Chaos; Cryptography; Image Encryption; Arnold Cat Map.

1. Introduction In the last two decades, the theory of chaos has found many applications in different scientific fields such as mathematics, physics, computer science and engineering. Cryptography which can be regarded as a branch of mathematics and computer science has grasped a great deal of attention and a large number of research papers have been devoted to the development of chaos-based cryptographic algorithms [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]. The intrinsic features of chaotic maps stand behind their use in the design of such algorithms. These main features include: high sensitive dependence on initial conditions and control parameter, ergodicity, unpredictability, mixing, etc., which are analogous to the confusion and diffusion properties of Shannon [13]. In particular, the random-like behavior of the outputs of chaotic maps makes them suitable sources for use in stream ciphers, where the latter falls into the category of symmetric-key cryptography [14]. In this category, the decryption key is equal to (or can be easily derived from) the encryption key. In 1991, Habustu et al. [1] suggested the first known cipher system based on discrete chaotic maps that falls into the category of symmetric-key cryptography. However, this cipher system was easily cryptanalyzed by Biham [15]. Afterwards, many stream ciphers based on keystream generators employing one or more chaotic maps have been suggested [6, 7, 10, 11, 12]. Image encryption differs from text encryption due to some intrinsic features of images which include bulk data capacities, high redundancy, strong correlations among pixels, etc. [16, 17]. These features make conventional cipher systems such as DES, AES and RSA [14] unsuitable for practical image encryption. To resolve this problem many scientists and engineers have designed image encryption algorithms based on one or more chaotic maps [8, 9, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36]. Unfortunately, many of them have been shown to be insecure [37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54]. In [18], Fridrich suggested that a suitable chaos-based image encryption algorithm should be composed of two phases: one phase is to permute the order of the image pixels using chaotic map(s) while the other phase is to alter the numerical values representing the color of each pixel, again using chaotic map(s). These two phases are referred to as the confusion phase and the diffusion phase, and they form the basis of many existing chaos-based image encryption algorithms [8, 9, 27]. Fridrich’s chaotic image encryption scheme and other image encryption algorithms that have a structure similar to the one in [18] such as Chen et al.’s image encryption algorithm [8] was cryptanalyzed in [53]. Other encryption methods following Fridrich’s have been proposed. One is the encryption algorithm proposed in [33] which was attacked in [54]. Section 5 explains why the scheme proposed in this paper is secure against similar attacks to those in [53, 54]. In this paper, we propose a novel encryption algorithm for color (or gray scale) images that is based on a 3D chaotic map, namely, the Arnold cat map. The suggested algorithm takes an input image of any size, say M × N × 3, where the third dimension accounts for the RGB values, and uses M and N in the encryption/decryption processes. Due to the lack of security of image encryption algorithms based on the direct use of the outputs of the 3D cat map [42, 54, 53], the algorithm under 1

Corresponding author. Email: [email protected]

1

study irregularly decimates the three orbits of the 3D chaotic map according to two search rules, CR and DR in addition to a mixing rule MR, and uses their outputs in making images completely unrecognizable. The proposed algorithm is composed of the three phases that satisfy all the requirements for a secure image encryption algorithm including those suggested by Fridrich in [18]. In phase I, the image pixels are shuffled by permuting blocks (of specific size) of the RGB color components of the input color image by means of the outputs of the 3D chaotic cat map according to the search rule CR. In phases II and III, the mixing and masking of the shuffled pixels are conducted via the mixing rule MR and the masking rule DR which both use the 3D chaotic cat map. Features of the 3D chaotic cat map, i.e. its high sensitivity to initial conditions and control parameters, mixing, unpredictability, etc., together with these rules, make the suggested algorithm secure against existing cryptanalytic attacks. Furthermore, the wide range of choices for the initial conditions and control parameters lead to a large key space. The experimental results presented in this paper show the effectiveness of the suggested image encryption algorithm. This paper is organized as follows. In the next section, the 2D Arnold cat map and its 3D generalization are presented. In Section 3, we propose our image encryption algorithm based on the 3D generalization of Arnold’s cat map. This section contains descriptions of the three phases of the suggested encryption algorithm, as well as the decryption process. Some analysis of the proposed algorithm is given in Section 4. In this section, experimental results are presented to show the resistance of the algorithm against well-known cryptanalytic attacks. In Section 5, we give a comparison of the proposed algorithm to some existing encryption methods which have been attacked. We give justifications as to why is our method secure against such attacks. In Section 6, we report the running speed of the suggested encryption algorithm. Finally, we end the paper with some concluding remarks. 2. The 3D Chaotic Cat Map Arnold cat map is one of the most studied 2D invertible chaotic maps [8, 55], particularly, in image encryption, watermarking and steganographic algorithms. Arnold cat map is given by

x i+1 yi+1

=

1 1

1 2

xi yi

(mod 1),

(1)

where x i , yi ∈ [0, 1). The map of Eq. (1) is area preserving since the determinant of its linear transformation matrix, A, equals 1, i.e. |A| = 1. The twoLyapunov exponents λ1 and λ2 ofp the map of Eq. (1) are expressed via the two eigenvalues of the matrix A, namely, p 3− 5 3+ 5 = 0.9624 and λ2 = ln = −0.9624. The positive Lyapunov exponent reflects the presence of chaos in λ1 = ln 2 2 the map of Eq. (1), and hence, its exponential sensitivity to its initial conditions. In [8], it is shown that the map of Eq. (1) can be generalized by introducing two new parameters a and b as follows

x i+1 yi+1

=

1 b

a ab + 1

xi yi

(mod 1).

Furthermore, the map of Eq. (2) can be generalized to a 3D cat map described as follows     xi x i+1 X i+1 =  yi+1  = A  yi  (mod 1), zi+1 zi where A is a matrix which provides chaotic behavior. A family of such matrices is given by [8]   1 + a x az b y az a y + a x az + a x a y az b y A =  bz + a x b y + a x az b y bz az bz + 1 a y bz + a x a y az b y bz + a x az bz + a x a y b y + a x  , ax bx b y + b y bx ax a y bx b y + ax bx + a y b y + 1

(2)

(3)

(4)

with a x , a y , az , b x , b y , bz all being positive integers. As a special case, one can let a x = a y = az = 1 and b x =    x i+1 3 X i+1 =  yi+1  =  8 6 zi+1

b y = bz = 2.  1 4 3 11   2 9

Thus, the map of Eq. (3) becomes  xi yi  (mod 1). zi

(5)

It is easy to verify that |A| = 1, and the eigenvalues of A are Λ1 = 14.3789, Λ2 = 0.4745 and Λ3 = 0.1466. Since the leading eigenvalue is greater than 1, the map of Eq. (5) has chaotic behavior. Therefore, it preserves all the features of chaos. Figure 1 depicts the attractor of Eq. (5). 150 150 Figure 2 shows the time series plots of the three sequences {x i }150 i=0 , { yi }i=0 and {zi }i=0 generated by the map of Eq. (5), where x 0 = 0.8467, y0 = 0.2394 and z0 = 0.65758. From Figure 2, one can observe the irregularity in the time series of the 150 150 three sequences {x i }150 i=0 , { yi }i=0 and {zi }i=0 .

2

1

0.8

z

0.6

0.4

0.2

0 1 0.8

1 0.6

0.8 0.6

0.4 0.4

0.2

0.2 0

y

0 x

Figure 1: The attractor of Eq. (5) for i = 0..10000.

1

1

0.9

0.9

0.8

0.8

0.7

0.7

0.6

0.6

0.5

0.5

0.4

0.4

0.3

0.3

0.2

0.2

0.1

0.1

0

0 0

50

100

150

0

(a) Plot of {x i }150 i=0 versus time.

50

(b) Plot of { yi }150 i=0 versus time.

1

0.9

0.8

0.7

0.6

0.5

0.4

0.3

0.2

0.1

0 0

100

50

100

150

(c) Plot of {zi }150 i=0 versus time. Figure 2: Time series plots of Eq. (5) for i = 0..150.

3

150

3. The Proposed Image Encryption Algorithm In this section, we propose an image encryption algorithm based on a 3D chaotic cat map. The suggested algorithm is divided into three phases: phase I, phase II and phase III. In phase I, we shuffle the positions of blocks of pixels of the original image by means of the outputs of the chaotic map under the search rule CR. In phase II, a random-like sequence obtained from the iterates of a 3D chaotic cat map is used to scramble and mix the shuffled bitmap obtained from phase I under the mixing rule MR. This sequence is designed to mix the contents of the image to achieve sensitivity to the plain-image. In phase III, we mask the resulting pixels of phase II by means of the output of a 3D chaotic cat map under the search rule DR. The three rules CR, MR and DR are described later in this section. 3.1. Secret key The secret key consists of three parts, each holding the parameters of one of the three rules of the encryption algorithm, namely CR, MR and DR. Each rule uses the 3D cat map of Eq. (3) and an initial triple of numbers in [0, 1). Thus each of the keys K1 , K2 and K3 contains a 3 × 3 matrix A of positive integers, and an initial triple (x 0 , y0 , z0 ) which guarantee chaotic behavior. Note that these do not need to be the same for different phases. In addition to these common features, CR uses an extra parameter Φ, which is the number of equal-width subintervals of [0, 1) used in the search. This parameter Φ is also included in K1 . Each round of MR consists of forward and backward encryptions of the image. These could be initialized differently by including a second triple (x 00 , y00 , z00 ) of numbers in [0, 1) in K2 . For better security, the rule MR uses a sequence of numbers generated using the logistic map, to control the iterations of the 3D cat map used. We include in K2 , the initial conditions w0 , w00 ∈ (0, 1) for the logistic map in forward and backward stages. Finally, the secret key is K = (K1 ; K2 ; K3 ). 3.2. Preprocessing Suppose that the color image to be encrypted is of size M ×N ×3. For better confusion, we start with a (simple) permutation of bytes from the original image. For example, one may reverse the order of the odd numbered rows and columns of the original image, and rotate the RGB values of the pixels in these rows and columns. This step will be reversed as the last step of the decryption process. We then flatten the resulting 3–dimensional array to a 2–dimensional one by copying the red, green, and blue values of each pixel next to each other. Thus, the new array has size M × 3N . After the completion of the algorithm, the encrypted bytes are put back in an M × N × 3 array and are output as an RGB image. 3.3. Phase I In this phase, we shuffle selected blocks of pixels of the original image in a random-like manner. These blocks are chosen by means of the output of the 3D chaotic cat map defined in Eq. (3) under the search rule CR to be defined below. We use iterations of the map of Eq. (3) to pair r × s blocks of pixels to be interchanged. The choice to shuffle blocks of pixels instead of individual pixels is made in order to improve speed. This of course could reduce the confusion if the blocks are too big. We choose r (resp. s) to be the largest divisor of M (resp. 3N ) which does not exceed 16. For the sake of simplicity, we refer to the r × s block of pixels with its top–left corner at the pixel (αr + 1, βs + 1) as the block (α, β). Note that we have 0 ¶ α < m = M /r and 0 ¶ β < n = 3N /s. To guarantee reversibility of this phase, we use a flag to make sure that each block is modified at most once during this phase. Each block (α, β) is associated with the subintervals Iα = [α/m, (α + 1)/m) and Jβ = [β/n, (β + 1)/n) of [0, 1). Thus, each triple X = (x, y, z) with x, y, z ∈ [0, 1) gives a unique block (α, β) such that x ∈ Iα and y ∈ Jβ , namely α = bmxc and β = bn yc. The component z of X is used in the search rule. Initially all blocks are unflagged. After interchanging a pair of blocks, we flag both of them. Phase I is based on iterating the map of Eq. (3) according to the following search rule CR. Starting with i = 0, repeatedly applying this map gives a sequence X 0 , X 1 , X 2 , . . . of triples of numbers all with components from the interval [0, 1). Let X i denote the state of the map of Eq. (3) at time i, i.e. X i = (x i , yi , zi ). The search rule is based on “pseudo cycles” X i , X i+1 , . . . , X j such that zi and z j lie in the same subinterval Iγ of [0, 1), where 0 ¶ γ < Φ and Iγ = [γ/Φ, (γ + 1)/Φ). In that case the blocks associated with X i and X j+1 are interchanged. If flags prohibit this operation to proceed, we look for the next j with the same property. We denote the block of pixels corresponding to X i by Bi . That is, Bi = (bmx i c , bn yi c). The following steps define the search rule CR. 0. 1. 2. 3. 4.

Load the matrix A, the triple X 0 , and Φ from K1 . Set k0 = 0. Let i > k0 be the smallest index such that the block Bi is not flagged. Let γ = bΦzi c. Let j > i be the smallest index such that bΦz j c = γ and B j+1 is not flagged. Interchange the blocks Bi and B j+1 , and flag both of them. If all blocks are flagged, stop. Otherwise, go back to step 1 with k0 = j + 1.

Implementing CR, in steps 1 and 2 we keep iterating the map of Eq. (3) until we arrive at a triple with the desired properties. Note that the second step above does not necessarily terminate. For example, if the number of blocks is odd and Bi is the only unflagged block left. We can avoid this issue by capping the number of iterations performed in this step, if we fail to find a match for Bi in this number of iterations, we give up on Bi . Thus, step 2 can be tuned as follows. 2’ Let j ∈ {i + 1, . . . , i + Mitr } be the smallest index such that bΦz j c = γ and B j+1 is not flagged. If no such j exists, flag Bi and go to step 4.

4

9000

600

8000 500 7000

6000

400

5000 300 4000

3000

200

2000 100 1000

0

0 1

20

40

60

80

100

120

1

20

40

60

80

100

120

Φ = 128 subintervals.

4500

1800

4000

1600

3500

1400

3000

1200

2500

1000

2000

800

1500

600

1000

400

500

200

0

0 1

50

100

150

200

250

1

50

100

150

200

250

Φ = 256 subintervals.

3500

2000

3000

2500 1500 2000

1000

1500

1000 500 500

0

0 1

50

100

150

200

250

300

350

400

450

500

1

50

100

150

200

250

300

350

400

450

500

Φ = 512 subintervals. Figure 3: Left: The number of times each subinterval is reached after iterating the map of Eq. (5) 1000000 times. Right: The required number of iterations applied to the map of Eq. (5) to reach a subinterval.

5

Start

Load an M × 3N bitmap Load A, (x0 , y0 , z0 ) and Φ from K1

r := largest divisor of M not exceeding 16 s := largest divisor of 3N not exceeding 16 (m, n) := (M/r, 3N/s) X = (x, y, z) := (x0 , y0 , z0 ) f (α, β) := false for all α, β nf := 0

X := AX mod 1 (α, β, γ) := (bmxc, bnyc, bΦzc)

true

f (α, β)? false nswp := false nitr := 0

X := AX mod 1 (α0 , β 0 , γ 0 ) := (bmxc, bnyc, bΦzc) nitr := nitr + 1 false

γ = γ0 ? true

X := AX mod 1 (α0 , β 0 , γ 0 ) := (bmxc, bnyc, bΦzc)

true

f (α0 , β 0 )? false

Interchange blocks (α, β) and (α0 , β 0 ) f (α, β) := true f (α0 , β 0 ) := true nf := nf + 2 nswp := true

nswp

false

or nitr = Mitr ? true nswp ?

true

false f (α, β) := true nf := nf + 1 true

nf < mn? false Return the modified bitmap

Finish

Figure 4: Flowchart of phase I of the encryption algorithm.

6

Because of the cap on the number of iterations in step 2, there is a chance that many blocks are left intact after the completion of this phase, particularly if the cap is too small. In order to find an appropriate number of iterations of the map of Eq. (3) as the cap Mitr in step 2 above, we perform the following two experiments using the map of Eq. (5). The aim of the first experiment is to determine whether all of the Φ subintervals are visited equally likely, when iterating the map of Eq. (5) q times, for some positive integer q. Whereas, the aim of the second experiment is to determine the number of iterations to be applied to the map of Eq. (5) to reach a specific subinterval. Figure 3 (left) shows the total number of times each of the Φ subintervals is visited when iterating the map of Eq. (5) 1000000 times, where Φ = 128, 256 and 512. This experiment demonstrates that all the Φ subintervals are equally likely to be visited. Furthermore, for Φ = 128, 256 and 512, on average, a subinterval is visited 7812, 3906 and 1953 times, respectively. Figure 3 (right) shows the total number of iterations of the map of Eq. (5) required to reach each of the Φ subintervals of [0, 1), for Φ = 128, 256 and 512. One can observe that, for Φ = 128, 256 and 512, on average, the number of iterations is 127, 260 and 489, respectively. It is also observed from these graphs that the maximum number of iterations of the map of Eq. (5) needed to hit a specific subinterval in DR is about 6Φ. This gives us an idea to what value of Mitr to choose. For example, setting Mitr to 30Φ means that we abandon the search after at least 5 failures. Based on our experiments, Mitr = 150Φ gives good results. In Figure 4, we present a flowchart of phase I of the suggested encryption algorithm. 3.4. Phase II In this phase, each entry of the M × 3N array resulting from phase I is mixed by means of the output of the 3D chaotic cat map defined in Eq. (3) according to the mixing rule MR given below. In this rule, quasi-random numbers are used in scrambling and mixing the shuffled pixels. On the other hand, since this phase can be performed sequentially on the image as a stream of bytes, the rule will be more symmetric in this phase. For simplicity of notation in MR and also in DR, we assume that the image is “flattened” to a one dimensional array P of length 3M N . The search rule MR consists of a forward and a backward processing of the image. We use two different sequences of triples of numbers for each pass. Let X 0 = (x 0 , y0 , z0 ) and Y0 = (x 00 , y00 , z00 ) be imported from K2 . By way of the map of Eq. (3) we define the sequences X 0 , X 1 , X 2 , . . . and Y0 , Y1 , Y2 , . . . to be used for the encryption process. In the forward pass, for each block of three bytes of the image, we generate three pseudo-random bytes by iterating the 3D cat map to obtain a triple X r , then taking the floor of 256X r . We then scramble the three pixels Pi , Pi+1 , Pi+2 via bitwise xor with these bytes and proceed to the next three bytes of the image. The number of times the 3D cat map is iterated is initialized to a predefined value amin and is recalculated based on the scrambled values just obtained, as well as an extra pseudo-random number b50wc generated using iterations of the logistic map. The backward pass is performed in a similar manner. A more detailed description of the rule MR is given in the following steps, and a flowchart of this rule is presented in Figure 5. Load the matrix A, the triples X 0 = (x 0 , y0 , z0 ) and Y0 = (x 00 , y00 , z00 ), and the numbers w = w0 , and w0 = w00 from K2 . Let r := amin and i := 1. Let Pi := Pi ⊕ b256 x r c, Pi+1 := Pi+1 ⊕ b256 y r c, Pi+2 := Pi+2 ⊕ b256 z r c. Iterate 10 + bPi /10c times the calculation w := 4w(1 − w). 4. Let r := r + amin + (Pi + Pi+1 + Pi+2 + b50wc) mod (amax − amin ) .

0. 1. 2. 3.

Let i := i + 3. If i < 3M N then go back to step 2, otherwise proceed to the next step. Let r := bmin and i := 3M N − 2. Let Pi := Pi ⊕ b256 x r0 c, Pi+1 := Pi+1 ⊕ b256 y r0 c, Pi+2 := Pi+2 ⊕ b256 z r0 c. Iterate 10 + bPi /10c times the calculation w0 := 4w0 (1 − w0 ). 9. Let r := r + bmin + (Pi + Pi+1 + Pi+2 + b50w0 c) mod (bmax − bmin ) .

5. 6. 7. 8.

10. Let i := i − 3. If i > 0 then go back to step 7, otherwise stop. The parameters amin , amax , bmin , and bmax are used to limit the number of iterations of the map of Eq. (3) in each step. Most experimental results presented in this paper use amin = bmin = 4 and amax = bmax = 10. For a high level of security, we may repeat this stage of the diffusion phase Nrnd times. Although even with only one round, acceptable results are obtained, our experiments show that two rounds of mixing provides very good resistence against differential attacks (see subsection 4.6 for details). 3.5. Phase III We iterate the map of Eq. (3) to obtain a sequence X 0 , X 1 , X 2 , . . . of triples of numbers. Note that the matrix A and the initial triple X 0 are imported from K3 and may be different from those in phases I and II. In this phase, we use similar notation to that of phase I. In particular, we assume X i = (x i , yi , zi ). We divide the interval [0, 1) into 256 subintervals Iα = [α/256, (α + 1)/256) where 0 ¶ α ¶ 255 is an integer. Now each triple X = (x, y, z) is associated with three subintervals, namely Iα , Iβ and Iγ where α = b256 xc, β = b256 yc and γ = b256 zc. Starting from X i , we iterate the map until we arrive at X j whose intervals agree with those of X i in at least one component. We then use the (α, β, γ) values of X j+1 to scramble the next three pixels in P, and repeat until we exhaust all entries of P. This process is summarized in the following steps. Furthermore, a flowchart of the search rule DR is presented in Figure 6. 7

Start

Load an array P of 3M N bytes 0 , z 0 ), w and w0 from K Load A, (x0 , y0 , z0 ), (x00 , y0 0 2 0 0

X = (x, y, z) := (x0 , y0 , z0 ) w := w0 r := amin i := 1

i 6 3M N ?

false

true j := 0

X := AX mod 1 j := j + 1 false

j = r? true

Pi := Pi ⊕ b256xc Pi+1 := Pi+1 ⊕ b256yc Pi+2 := Pi+2 ⊕ b256zc Iterate 10 + bPi /10c times: w := 4w(1 − w) r := (Pi + Pi+1 + Pi+2 + b50wc) mod (amax − amin ) + amin i := i + 3

0 , z0 ) Y = (x, y, z) := (x00 , y0 0 0 w := w0 r := bmin i := 3M N − 2

i > 1?

false

true j := 0

Y := AY mod 1 j := j + 1 false

j = r? true

Pi := Pi ⊕ b256xc Pi+1 := Pi+1 ⊕ b256yc Pi+2 := Pi+2 ⊕ b256zc Iterate 10 + bPi /10c times: w := 4w(1 − w) r := (Pi + Pi+1 + Pi+2 + b50wc) mod (bmax − bmin ) + bmin i := i − 3

Return the modified bitmap

Finish

Figure 5: Flowchart of phase II of the encryption algorithm.

8

Start

Load an array P of 3M N bytes Load A and (x0 , y0 , z0 ) from K3

X = (x, y, z) := (x0 , y0 , z0 ) k := 1

k 6 3M N ?

false

true X := AX mod 1 (α, β, γ) := (b256xc, b256yc, b256zc)

X := AX mod 1 (α0 , β 0 , γ 0 ) := (b256xc, b256yc, b256zc)

false

α0 = α or β 0 = β or γ 0 = γ? true X := AX mod 1 Pk := Pk ⊕ b256xc Pk+1 := Pk+1 ⊕ b256yc Pk+2 := Pk+2 ⊕ b256zc k := k + 3

Return the modified bitmap

Finish

Figure 6: Flowchart of the phase III of the encryption algorithm.

0. Load the matrix A and the triple X 0 from K3 . Let k = 1. Let i = 1. 1. Let j > i be the least index such that at least one of the following holds: b256 x j c = b256 x i c,

b256 y j c = b256 yi c,

or

b256 z j c = b256 zi c.

2. Let Q k = Pk ⊕ b256 x j+1 c, Q k+1 = Pk+1 ⊕ b256 y j+1 c, and Q k+2 = Pk+2 ⊕ b256 z j+1 c, where ⊕ is bitwise XOR. 3. If k < 3M N , then let i = j + 2 and k = k + 3, and go back to step 1. Otherwise, stop. 3.6. The decryption process To recover an encrypted image, we merely reverse the order of the three stages of the encryption algorithm. That is, we first apply the rule DR, then MR, and finally CR. Note that the rules DR and CR are symmetric. However, MR needs a minor modification for the decryption process since it uses the encrypted values in the rule. In the decryption process, the value of r must be computed before modifying the values of Pi , Pi+1 , Pi+2 , i.e. steps 3 and 4 of the rule MR are performed before step 2, and steps 8 and 9 are performed before step 7. 4. Security Analysis A suitable encryption algorithm should be robust against all existing cryptanalytic attacks such as statistical and bruteforce attacks. In this section, we demonstrate the high security level of our suggested encryption algorithm by showcasing its performance according to a number of security analyzes such as randomness tests, key space analysis, statistical analysis, information theory entropy and differential analysis.

9

Figure 7: Plain (left), shuffled (center) and encrypted (right) Lena.

4.1. Randomness tests Randomness properties are necessary requirements for a suitable encryption algorithm. Figure 7 shows an original plainimage and its shuffled and encrypted images which are generated by our suggested algorithm. It is observed that the generated shuffled and encrypted images look random. We subject data generated by our suggested algorithm to statistical test suites to study the randomness of the algorithm. The literature contains several statistical test suites that can be used to determine randomness of data. We use NIST [56] and Diehard [57] which are amongst the most widely used test suites. Recall that the suggested encryption algorithm is based on three rules CR, MR and DR, and in each of the these rules a sequence of integers defined by iterations of the 3D cat map of Eq. (3) is used to modify a bitmap image. To showcase the chaotic behavior of this map (and thus the pseudo randomness of the sequences used), we subject such sequences of one byte integers to statistical tests. Four of the performed experiments are presented below. In the first experiment, a large number of sequences, each of length 108 , generated from the map of Eq. (5) under the rule DR were subjected to the NIST test suite [56] and the Diehard suite [57]. The outcomes of both test suites turned out to be very satisfactory. Table 1 shows the results of the NIST test suite on a sample data file of size 95.3 MB (i.e. a sample sequence of 108 bytes). The file is passed to the NIST suite, and processed as containing 100 sequences, each of length 106 bytes. Each P–value exceeds 0.0001 which means the p–values of the individual tests are uniformly distributed in (0, 1). Table 1: NIST test suite results of 100 sample sequences of integers in [0, 255] generated according to rule DR, where each sequence is of size 106 .

STATISTICAL TEST Frequency Block-Frequency Cumulative-Sums (Forward) Cumulative-Sums (Reverse) Runs Longest-Runs Rank FFT Non-Overlapping-Templates Overlapping-Templates Universal Approximate Entropy Random-Excursions Random-Excursions Variant Serial 1 Serial 2 Linear-Complexity

P-value 0.437274 0.319084 0.699313 0.145326 0.616305 0.366918 0.999934 0.699313 0.574903 0.798139 0.719747 0.007160 0.534146 0.350485 0.554420 0.334538 0.020548

Proportion 100/100 97/100 99/100 100/100 100/100 99/100 99/100 99/100 100/100 100/100 98/100 100/100 58/58 58/58 98/100 99/100 99/100

In the next experiments, we encrypt a photo of Marburg, Germany [58] of size 7644 × 5207 pixels shown in Figure 8. We also encrypt an all black image of the same size for comparison. We then pass the two encrypted bitmaps, as well as the difference (bitwise xor) between the plain-image and the encrypted image in the case of Marburg, to the NIST test suite. Each stream is processed as 100 sequences of length 106 bytes each. It turns out that for each processed stream, over 97% of the tested sequences pass all tests of the NIST suite. In Table 2, we list the P–value of the p–values for each test. The results presented in Tables 1 and 2 support our claim that the encrypted image of our suggested encryption algorithm has highly random behavior. 4.2. Key space and sensitivity analysis The key space of an encryption algorithm should be large enough to resist brute-force attacks. As discussed in Section 3, the secret key of our suggested encryption algorithm consists of three parts: K = (K1 ; K2 ; K3 ), each part holding the parameters of one of the rules of the encryption algorithm CR, MR and DR. Each rule uses a 3D cat map of Eq. (3) and an initial

10

Table 2: NIST test suite results for encrypted black image, encrypted Marburg, and the difference of the latter with plain Marburg. Each file is processed as 100 sample sequences, each of 106 bytes. The entries in the table are P–values of all p–values of the corresponding tests performed.

STATISTICAL TEST Frequency Block-Frequency Cumulative-Sums (Forward) Cumulative-Sums (Reverse) Runs Longest-Runs Rank FFT Non-Overlapping-Templates Overlapping-Templates Universal Approximate Entropy Random-Excursions Random-Excursions Variant Serial 1 Serial 2 Linear-Complexity

Encrypted black 0.304126 0.759756 0.419021 0.883171 0.213309 0.739918 0.319084 0.637119 0.334538 0.108791 0.678686 0.514124 0.911413 0.182977 0.759756 0.719747 0.534146

Encrypted Marburg 0.085587 0.383827 0.798139 0.437274 0.383827 0.616305 0.474986 0.911413 0.437274 0.249284 0.474986 0.987896 0.236810 0.851383 0.011791 0.514124 0.494392

Figure 8: The photo of Marburg used for security tests.

11

Marburg difference 0.181557 0.935716 0.851383 0.798139 0.759756 0.851383 0.987896 0.964295 0.798139 0.474986 0.883171 0.798139 0.988549 0.900104 0.779188 0.514124 0.834308

(a)

(b)

(c)

4000 3500 3000 2500 2000 1500 1000 500 0 0

50

(d)

100

150

200

250

(e)

(f)

Figure 9: (a) Plain Lena, (b) Lena encrypted with x 0 = 0.1, (c) Lena encrypted with x 0 = 0.10000001, (d) the difference (bitwise xor) of the encrypted images in (b) and (c), (e) the histogram of the image in (d), (f) the image in (b) decrypted with x 0 = 0.10000001.

triple of numbers in [0, 1). In addition to these, CR uses a parameter Φ, and MR uses a second triple of numbers in [0, 1), as well as the numbers w0 , w00 ∈ (0, 1). The secret key thus contains three 3 × 3 integer matrices, 14 double numbers, and one integer. Note that the matrices must satisfy certain conditions to be eligible for this algorithm. However, the space of such matrices has size at least the size of 6 integers, due to the fact that the family of matrices given in Eq. (4) satisfy these conditions. Therefore, the key space of our algorithm has size at least 19 integers and 14 doubles. That is, the size of the key space is at least 21392 . If one matrix of the form of Eq. (4) together with the same initial conditions are used in the cat map for all three rules, and if it is assumed that w0 = w00 , then the size of the key space is reduced to 7 integers and 4 doubles. That is, the key space is of size at least 2480 . On the other hand, Eq. (3) is highly sensitive to its parameters including the matrix A and the initial conditions (x 0 , y0 , z0 ), which provides further resistance against cryptanalytic attacks. This point is illustrated in Figure 9: subfigures (b) and (c) present the encrypted Lena with initial conditions (0.1, 0.2, 0.3) and (0.10000001, 0.2, 0.3), respectively. Subfigure (d) shows the difference (bitwise xor) of the images presented in (b) and (c) which appears to be random-like. Subfigure (e) depicts the histogram of the image in (d). Subfigure (f) shows the result of decrypting (b) with key (0.10000001, 0.2, 0.3). 4.3. Histogram of encrypted images In Figure 10, we show the histograms of pixel values in the plain-image Lena of size 512 × 512 × 3, and its encrypted image. The histograms show that while the pixel values in the plain-image show a pattern, the distribution of pixel values in the encrypted image is close to uniform. Thus, a frequency analysis cannot be used to break the suggested algorithm. It is worth mentioning that since the images are color images the histograms in Figure 10 count all the RGB values of the image. Histograms of red, green and blue done separately exhibit similar behavior and thus we omit them here. 4.4. Adjacent pixel correlation Since the encrypted image looks random, one would expect its adjacent pixels to have almost no correlation. On the other hand, adjacent pixel correlations are a means of measuring the performance of phase I. We ran our algorithm on a 512 × 512 × 3 image (Lena) with blocks of size 16 × 16, Φ = 256 and Nrnd = 4. In Table 3, we present horizontally, vertically and diagonally adjacent pixel correlations of the plain-image, the shuffled image and the encrypted image. Each number in the table represents the correlation coefficient of N = 10000 pairs of adjacent pixel values x i and yi selected at random. The covariance of x and y is defined by [8, 59] cov(x, y) =

N 1X (x i − µ x )( yi − µ y ), N i=1

12

12000

4000 3500

10000

3000 8000

2500 2000

6000

1500 4000

1000 2000

500 0

0

0

50

100

150

200

0

250

50

100

150

200

250

Figure 10: Histograms of the plain (left) and encrypted (right) Lena. Correlation Coefficient: −0.002909

Correlation Coefficient: 0.976456 250

250

200

200

150

150

100

100

50

50

0

0

0

50

100

150

200

0

250

50

100

150

200

250

Figure 11: Correlations of two horizontally adjacent pixels in the plain (left) and encrypted (right) Lena.

where µ x and µ y are the mean values of x and y respectively. If σ x and σ y are the standard deviations of x and y, the correlation coefficient of x and y is defined by cov(x, y) r= . σx σ y

Table 3: Blocks of size 16 × 16, Φ = 256 and Nrnd = 4.

Horizontal Vertical Diagonal

Plain-image 0.976456 0.980769 0.966270

Shuffled image 0.010958 −0.049989 −0.002211

Encrypted image −0.002909 −0.01503 0.012901

It is observed in Table 3 that while in the plain-image, adjacent pixels have high correlation, there is very little correlation between pairs of adjacent pixels in the shuffled and the encrypted images. Figure 11 shows the correlation distribution of two horizontally adjacent pixels in the plain and encrypted Lena. 4.5. Entropy of encrypted images The entropy is considered amongst the most important features of randomness [60]. The information entropy H(s) of a source s with 2N symbols si is defined by N 2X −1 H(s) = − P(si ) log2 P(si ), (6) i=0

where P(si ) denotes the probability of the symbol si being emitted from s. If s is a truly random source, that is, if P(si ) = 2−N for all i, we have H(s) = 2N 2−N log2 2N = N . An encrypted RGB image could be considered as a set of bytes (thus N = 8). For a 512 × 512 image (Lena) encrypted using our suggested algorithm with blocks of size 16 × 16 and Φ = 256 we computed H(s) = 7.9997, which is very close to the ideal value of N = 8. For larger encrypted images such as the 7644 × 5207 image of Figure 8 we get an entropy of 8 in Matlab.

13

4.6. Differential attack Differential attack is another important attack that can be used to measure the security of an image encryption algorithm. In this attack, the cryptanalyst is assumed to have the capability of modifying one single pixel of the plain-image and observing the resulting encrypted image. If such a change results in a significant change in the encrypted image, then the attack is considered to be inefficient and impractical. There are two measures for testing the influence of one single pixel change of the plain-image of size M × N × 3 namely, the number of pixels change rate (NPCR) and the unified average changing intensity (UACI) [59, 27]. They are defined as follows P i, j,k D(i, j, k) × 100%, (7) NPCR = M ×N ×3 ! X |C (i, j, k) − C (i, j, k)| 1 1 2 UACI = × 100%, (8) M × N × 3 i, j,k 255 where C1 and C2 are two encrypted images corresponding to two plain-images differing by one single pixel, and D(i, j, k) is of size M × N × 3 defined by ¨ 1 if C1 (i, j, k) = C2 (i, j, k), D(i, j, k) = 0 otherwise. We have tested several images of different sizes against the differential attack. For each image, we have computed the NPCR and UACI, once with the first byte changed, and again with the last byte changed. In all tests, we got an NPCR of at least 99% and a UACI of at least 33%. Table 4 presents a sample of the results of these tests for Lena. We conclude that a minor change in the plain-image leads to a significant change in the encrypted image. Thus, the differential attack is impractical on our algorithm. Table 4: Results of differential attack tests on Lena.

Test information

NPCR (%)

UACI (%)

NPCR (%)

UACI (%)

99.62 99.60 99.60 99.61 99.61

33.49 33.51 33.47 33.46 33.45

99.58 99.59 99.61 99.60 99.61

33.41 33.43 33.50 33.42 33.47

Nrnd = 1, 2 × 2 blocks, Φ = 128 Nrnd = 1, 2 × 2 blocks, Φ = 256 Nrnd = 1, 16 × 16 blocks, Φ = 128 Nrnd = 1, 16 × 16 blocks, Φ = 256 Nrnd = 2, 16 × 16 blocks, Φ = 128

(last byte changed)

(first byte changed)

5. Comparison with Existing Work In Section 1, we cited some of the existing image encryption algorithms that have been shown to be insecure. Some of the common weaknesses of these algorithms, as summarized in [36], are as follows: • Drawbacks in generating the keystream which can lead to guessing the key. • Bad statistical properties of the used chaotic map. • Weakness to chosen- and known-plaintext attacks. • Insensitivity to changes in plaintext and keystream generated by any key. • Poor diffusion function. Based on the analysis provided in Section 4, the image encryption scheme proposed in this work overcomes these security weaknesses. Furthermore, the proposed scheme is resistance to the attacks suggested in [53, 54] which can be applied on image encryption schemes that follow the guidelines of [18]. In [53], the encryption algorithm of Fridrich [18] is cryptanalyzed. This attack is a chosen ciphertext attack based on casuality paths. If in the diffusion phase each pixel is mixed only with its previous pixel, then each pixel of the cipher image depends on at most 2R pixels of the plain image in case R rounds of mixing are performed. Similarly, a change in a pixel of the cipher image would affect at most 2R pixels of the recovered image. This allows finding casuality paths using a chosen ciphertext attack. The casuality paths are in turn used to reveal the encryption algorithm using the fact that each pixel value c is modified via xor with a value g(c) where g is a fixed function. Phase II of our proposed algorithm is designed so that it does not allow such attacks. First, the value of each ciphered byte depends on values of all preceding bytes. Moreover, the value c 0 chosen to modify a value c is not a fixed function of c, and depends on the preceding values as well. To demonstrate why the above attack fails on the present encryption algorithm, we perform the following experiment. A plain image P is fed to phase II only to obtain a cipher image C. Then one byte of C is modified by adding ±1 to obtain an image C 0 which is fed to the extraction module of phase II to obtain a recovered

14

Figure 12: Plain Lena (left), mixed using phase II (center), recovered after changing one byte in the mixed image (right).

image P 0 . This recovered image P 0 is totally scrambled in all the experiments we performed and exhibits no correlation with the original plain image P. An example of this experiment is presented in Figure 12. The encryption algorithm of [33] which more or less follows the guidelines of [18] was broken in [54] by a differential attack with chosen plaintext. It is also mentioned in [54] that this algorithm is not sensitive to the changes of the plaintext, and that the maps used for encryption do not provide enough randomness. In the case of our proposed algorithm none of these weaknesses apply since the maps provide excellent randomness as witnessed by NIST and Diehard (see section 4.1 for details). Moreover, phase II of our algorithm is highly sensitive to the plaintext as observed earlier in this section. In Table 5, we compare the proposed algorithm with some existing algorithms, with respect to their resistance against differential attacks. All results in Table 5 are based on tests performed on a 256 × 256 grey-scale Lena. It is evident in this table that our proposed algorithm has a better resistance against such attacks, even with only one or two rounds of mixing. Table 5: Comparative study of NPCR and UACI of the proposed algorithm with some existing algorithms.

Rounds NPCR (%) UACI (%)

2 25 8.46

[61]

3 99.61 33.5

[62] 2 3 78.12 91.85 22.69 29.60

[36] 12 99.61 33.41

[63] 2 99.62 33.25

Proposed algorithm 1 2 99.55 99.61 33.39 33.44

6. Running Speed The running speed of an encryption algorithm is an important factor in applications. As is evident from the security analysis presented in Section 4, a choice of Φ = 128, with 16 × 16 blocks for Phase I of the suggested algorithm, together with Nrnd = 1 rounds of mixing in Phase II provide very good security. The running speed of our algorithm on a 2.27GHz TM Intel R Core i5 notebook with 4GB of RAM running Ubuntu Linux 10.04 is about 1.93 MB/s (megabytes per second) with Nrnd = 1, about 1.46 MB/s with Nrnd = 2, and about 1.0 MB/s with Nrnd = 4. Thus, the proposed image encryption algorithm has acceptable running speed for use in software. On the other hand, the superior security of our algorithm compared to exisiting methods, compensates for speed shortcomings, if any. 7. Concluding Remarks In this paper, we use a 3D chaotic map to design a novel image encryption algorithm. A 3D chaotic cat map makes a suitable candidate for this purpose. The iterates of the 3D cat map are subjected to three rules to determine the shuffling, mixing and scrambling process of the pixel values of the plain-image. It is shown that these rules lead to confusing and diffusing the relationship between the plain-image and encrypted image, thereby significantly defeating various cryptanalytic attacks such as statistical, differential and causality analysis attacks. Simulation results presented in this paper demonstrate that the suggested algorithm is efficient and possesses a high level of security against existing cryptanalytic attacks. These characteristics encourage us to put forward this algorithm, as a suitable encryption algorithm, for further studies by the cryptographic community. 8. Acknowledgment The authors are grateful to the anonymous referees for their insightful comments.

15

References [1] T. Habutsu, Y. Nishio, I. Sasase, and S. Mori, A secret key cryptosystem by iterating a chaotic map, Advances in Cryptology: Proceedings of EUROCRYPT 91, LNCS 547, Berlin:Springer-Verlag, 1991, pp. 127-140. [2] Z. Kotulski, and J. Szczepanski, Discrete chaotic cryptography, Annalen der Physik, 509(5), (1997), pp. 381-394. [3] G. Alvarez, F. Monotoya, G. Pastor, and M. Romera, Chaotic cryptosystems, In Proceedings of IEEE International Carnahan Conference on Security Technology, 1999, pp. 332-338. [4] M. S. Baptista, Cryptography with chaos, Physics Letters A 240, (1998), pp. 50-54. [5] G. Jakimoski, and L. Kocarev, Chaos and cryptography: Block encryption ciphers based on chaotic maps, IEEE Transactions on Circuits and Systems-I: Fundamental Theory and Applications 48(2), (2001), pp. 163-169. [6] S. Li, X. Mou, and Y. Cai, Pseudo-random bit generator based on couple chaotic systems and its applications in streamcipher cryptography, In Proceedings of INDOCRYPT 01, Lecture Notes in Computer Science 2247, Berlin: SpringerVerlag, 2001, pp. 316-329. [7] S. Li, Analyses and new designs of digital chaotic ciphers, Ph.D. thesis, School of Electronics and Information Engineering, Xian Jiaotong University, Xian, China, available online at http://www.hooklee.com/pub.html (2003). [8] G. Chen, Y. Mao, and C. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos, Solitons & Fractals 21, (2004), pp. 749-761. [9] Z. Guan, F. Huang, and W. Guan, Chaos-based image encryption algorithm, Physics Letters A 346, (2005), pp. 153-157. [10] A. Kanso, and N. Smaoui, Irregularly decimated chaotic map(s) for binary digits generations, International Journal of Bifurcations and Chaos 19(4), (2009), pp. 1169-1183. [11] A. Kanso, and N. Smaoui, Logistic chaotic maps for binary numbers generations, Chaos, Solitons & Fractals 40(5), (2009), pp. 2557-2568. [12] A. Kanso, Self-shrinking chaotic stream ciphers, Communications in Nonlinear Science and Numerical Simulation 16(2), (2011), pp. 822-836. [13] C. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28(4), (1949), pp. 656-715. [14] A. Menezes, P. Van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, Boca. Raton, FL: CRC Press, 1997. [15] E. Biham, Cryptanalysis of the chaotic-map cryptosystem suggetsed at EUROCRYPT 91, Advances in Cryptology: Proceedings of EUROCRYPT 91, LNCS 547, Berlin:Springer-Verlag, 1991, pp. 532-534. [16] K. Jastrzebski, and Z. Kotulski, On improved image encryption scheme based on chaotic map lattices, Engineering Transactions 57(2), (2009), pp. 69-84. [17] K. L. Chung, and L. C. Chang, Large encryption binary images with higher security, Pattern Recognition Letters 19(56), (1998), pp. 461-468. [18] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurcation and Chaos 8(6), (1998), pp. 1259-1284. [19] J. Scharinger, Fast encryption of image data using chaotic Kolmogorov flows, J. Electronic Imaging 7(2), (1998), pp. 318-325. [20] C. C. Chang, M. S. Hwang, and T. S. Chen, A new encryption algorithm for image cryptosystems, J. Systems and Software 58(2), (2001), pp. 83-91. [21] K. Yano, and K. Tanaka, Image encryption scheme based on a truncated Baker transformation, IEICE Trans. Fundamentals E85-A(9), (2002), pp. 2025-2035. [22] H. C. Chen, J. C. Yen, and J. I. Guo, Design of a new cryptography system, in Proc. PCM2002, ser. LNCS 2532, Berlin: Springer-Verlag, 2002, pp. 1041-1048. [23] Y. Mao, G. Chen, Chaos based image encryption, in Handbook of Computational Geometry for Pattern Recognition, Computer Vision, Neural Computing and Robotics, E. Bayro-Corrochano Ed., New York: Springer-Verlag, 2003. [24] H. C. Chen, and J. C. Yen, A new cryptography system and its VLSI realization, J. Systems Architecture 49, (2003), pp. 355-367. [25] S. S. Maniccam, and N. G. Bourbakis, Image and video encryption using SCAN patterns, Pattern Recognition 37(4), (2004), pp. 725-737. 16

[26] S. Li, G. Chen, and X. Zheng, Chaos-based encryption for digital images and videos, in: Multimedia Security Handbook, B. Furht and D. Kirovski Eds., Boca Raton: CRC Press, 2004, pp. 133-167. [27] Y. Mao, G. Chen, and S. Lian, A novel fast image encryption scheme based on 3D chaotic Baker maps, Int. J. Bifurcation and Chaos 14(10), (2004), pp. 3613-3624. [28] C. P. Wu, and C. C. J. Kuo, Design of integrated multimedia compression and encryption systems, IEEE Trans. Multimedia 7(5), (2005), pp. 828-839. [29] Y. Mao, and M. Wu, A joint signal processing and cryptographic approach to multimedia encryption, IEEE Trans. Image Processing 15(7), (2006), pp. 2061-2075. [30] N. J. Flores-Carmona, and M. Carpio-Valadez, Encryption and decryption of images with chaotic map lattices, Chaos 16 (3), (2006), art. no. 033118. [31] H. Gao, Y. Zhang, S. Liang, and D. Li, A new chaotic algorithm for image encryption, Chaos Solitons & Fractals 29(2), (2006), pp. 393-409. [32] T. Gao, Q. Gu, and Z. Chen, A new image encryption algorithm based on hyper-chaos, Phys Lett A 374(4), (2008), pp. 394-400. [33] S. Behnia, A. Akhshani, H. Mahmodi, A. Akhavan, Chaotic cryptographic scheme based on composition maps, International Journal of Bifurcation and Chaos 18(1), (2008), pp. 251-261. [34] V. Patidar, N. Pareek, K. Sud, A new substitution-diffusion based image cipher using chaotic standard and logistic maps, Communications in Nonlinear Science and Numerical Simulation 14(7), (2009), pp. 3056-3075. [35] S. Lian, Efficient image or video encryption based on spatiotemporal chaos system, Chaos Solitons & Fractals 40(5), (2009) pp. 2509-2519. [36] M. Amin, O. Faragallah, and A. Abd El-Latif, A chaotic block cipher algorithm for image cryptosystems, Communications in Nonlinear Science and Numerical Simulation 15(11), (2010), pp. 3484-3497. [37] C. C. Chang, and T. X. Yu, Cryptanalysis of an encryption scheme for binary images, Pattern Recognition Letters 23(14), (2002), pp. 1847-1852. [38] S. Li, and X. Zheng, On the security of an image encryption method, in Proc. IEEE Int. Conference on Image Processing (ICIP2002), vol. 2, 2002, pp. 925-928. [39] S. Li and X. Zheng, Cryptanalysis of a chaotic image encryption method, in Proc. IEEE Int. Symposium on Circuits and Systems (ISCAS2002), vol. II, 2002, pp. 708-711. [40] C. D. Canniere, J. Lano, and B. Preneel, Cryptanalysis of the two-dimensional circulation encryption algorithm, EURASIP J. Applied Signal Processing 2005(12), (2005), pp. 1923-1927. [41] C. Li, S. Li, G. Chen, G. Chen, and L. Hu, Cryptanalysis of a new signal security system for multimedia data transmission, EURASIP J. Applied Signal Processing 2005(8), (2005), pp. 1277-1288. [42] K. Wang, W. Pei, L. Zou, A. Song, and Z. He, On the security of 3D cat map based symmetric image encryption scheme, Physics Letters A 343(6), (2005), pp. 432-439. [43] C. Li, S. Li, D. C. Lou, and D. Zhang, On the security of the Yen-Guos domino signal encryption algorithm (DSEA), Journal of Systems and Software 79(2), (2006), pp. 253-258. [44] C. Li, and G. Chen, On the security of a class of image encryption schemes, in: Proceedings of 2008 IEEE Int. Symposium on Circuits and Systems, 2008, pp. 3290-3293. [45] S. Li, C. Li, G. Chen, K.-T. Lo, Cryptanalysis of the RCES/RSES image encryption scheme, Journal of Systems and Software 81(7), (2008), pp. 1130-1143. [46] D. Arroyo, R. Rhouma, G. Alvarez, S. Li, V. Fernandez, On the security of a new image encryption scheme based on chaotic map lattices, Chaos 18(3), (2008), art. no. 033112. [47] C. Li, S. Li, G. Chen, W. A. Halang, Cryptanalysis of an image encryption scheme based on a compound chaotic sequence, Image and Vision Computing 27(8), (2009), pp. 1035-1039. [48] R. Rhouma, and S. Belghith, Cryptanalysis of a spatiotemporal chaotic image/video cryptosystem, Physics Letters A Volume 372(36), (2008), pp. 5790-5794. [49] R. Rhouma, and S. Belghith, Cryptanalysis of a new image encryption algorithm based on hyper-chaos, Physics Letters A 372(38), (2008), pp. 5973-5978.

17

[50] C. Li, and G. Chen, On the security of a class of image encryption schemes, IEEE International Symposium on Circuits and Systems, (2008), pp. 3290-3293. [51] G. Alvarez, and S. Li, Cryptanalyzing a nonlinear chaotic algorithm (NCA) for image encryption, Communications in Nonlinear Science and Numerical Simulation 14(11), (2009), pp. 3743-3749. [52] R. Rhouma, E. Solak, and S. Belghith, Cryptanalysis of a new substitution-diffusion based image cipher, Communications in Nonlinear Science and Numerical Simulation 15(7), (2010), pp. 1887-1892. [53] E. Solak, C. Çokal, O. T. Yildiz, and T. Biyikoˇ glu, Cryptanalysis of Fridrich’s chaotic image encryption, International Journal of Bifurcation and Chaos 20(5), (2010), pp. 1405-1413. [54] C. Li, D. Arroyo, and K. Lo, Breaking a chaotic cryptographic scheme based on composition maps, International Journal of Bifurcation and Chaos 20(8), (2010), pp. 2561-2568. [55] G. Chen, and X. Dong, From chaos to order: methodologies, perspectives and applications, Singapore: World Scientific; 1998. [56] NIST Special Publication 800-22 rev1, A statistical test suite for the validation of random number generators and pseudo random number generators for cryptographic applications, (2008), online document, http://csrc.nist. gov/groups/ST/toolkit/rng/documentation_software.html. [57] G. Marsaglia, DIEHARD: A battery of tests of Randomness, 1996, (http://www.stat.fsu.edu/pub/diehard/). [58] Andreas Trepte, http://commons.wikimedia.org/wiki/File:Elisabeth-Kirche-Marburg.jpg. [59] A. G. Bluman, Elementary Statistics: a Step by Step Approach, McGraw-Hill, Boston, 1997. [60] W. Li, On the Relationship Between Complexity and Entropy for Markov Chains and Regular Languages, Complex Systems 5(4), (1991), pp. 381-399. [61] Q. Zhou, K.W. Wong, X. Liao, T. Xiang, and Y. Hu, Parallel image encryption algorithm based on discretized chaotic map, Chaos, Solitons & Fractals 38, (2008), pp. 1081-1092. [62] J. Giesl, and K. Vlcek, Image encryption based on strange attractor, ICGST-GVIP Journal 9(II), (2009), pp. 19-26. [63] D. Chattopadhyay, M. K. Mandal, and D. Nandi, Robust chaotic image encryption based on perturbation technique, ICGST Int. J. of Graphics, Vision & Image Processing 11(2), (2011), pp. 41-50.

18