A novel image encryption based on hash function with ...

14 downloads 10349 Views 2MB Size Report
to digital images through multimedia networks. Therefore, ... an image signature to encrypt images. ...... 640-GB hard-disk capacity, and the Microsoft Windows 7.
A novel image encryption based on hash function with only two-round diffusion process Benyamin Norouzi, Seyed Mohammad Seyedzadeh, Sattar Mirzakuchaki & Mohammad Reza Mosavi Multimedia Systems ISSN 0942-4962 Multimedia Systems DOI 10.1007/s00530-013-0314-4

1 23

Your article is protected by copyright and all rights are held exclusively by SpringerVerlag Berlin Heidelberg. This e-offprint is for personal use only and shall not be selfarchived in electronic repositories. If you wish to self-archive your work, please use the accepted author’s version for posting to your own website or your institution’s repository. You may further deposit the accepted author’s version on a funder’s repository at a funder’s request, provided it is not made publicly available until 12 months after publication.

1 23

Author's personal copy Multimedia Systems DOI 10.1007/s00530-013-0314-4

REGULAR PAPER

A novel image encryption based on hash function with only two-round diffusion process Benyamin Norouzi • Seyed Mohammad Seyedzadeh Sattar Mirzakuchaki • Mohammad Reza Mosavi



Received: 16 April 2012 / Accepted: 28 February 2013  Springer-Verlag Berlin Heidelberg 2013

Abstract In this paper, a novel algorithm for image encryption based on hash function is proposed. In our algorithm, a 512-bit long external secret key is used as the input value of the salsa20 hash function. First of all, the hash function is modified to generate a key stream which is more suitable for image encryption. Then the final encryption key stream is produced by correlating the key stream and plaintext resulting in both key sensitivity and plaintext sensitivity. This scheme can achieve high sensitivity, high complexity, and high security through only two rounds of diffusion process. In the first round of diffusion process, an original image is partitioned horizontally to an array which consists of 1,024 sections of size 8 9 8. In the second round, the same operation is applied vertically to the transpose of the obtained array. The main idea of the algorithm is to use the average of image data for encryption. To encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images (even with the same sequence based on hash function). This, in turn, will significantly increase the resistance of the cryptosystem against known/chosen-

plaintext and differential attacks. It is demonstrated that the 2D correlation coefficients (CC), peak signal-to-noise ratio (PSNR), encryption quality (EQ), entropy, mean absolute error (MAE) and decryption quality can satisfy security and performance requirements (CC\0.002177, PSNR\8.4642, EQ [204.8, entropy [7.9974 and MAE [79.35). The number of pixel change rate (NPCR) analysis has revealed that when only one pixel of the plain-image is modified, almost all of the cipher pixels will change (NPCR [99.6125 %) and the unified average changing intensity is high (UACI[33.458 %). Moreover, our proposed algorithm is very sensitive with respect to small changes (e.g., modification of only one bit) in the external secret key (NPCR [99.65 %, UACI[33.55 %). It is shown that this algorithm yields better security performance in comparison to the results obtained from other algorithms. Keywords Image encryption  Salsa20 hash function  Diffusion process  Security  Sensitivity

1 Introduction Communicated by M. Kankanhalli. B. Norouzi (&)  S. M. Seyedzadeh  S. Mirzakuchaki  M. R. Mosavi School of Electrical Engineering, Iran University of Science and Technology, Narmak, 16846-13114 Tehran, Iran e-mail: [email protected] S. M. Seyedzadeh e-mail: [email protected] S. Mirzakuchaki e-mail: [email protected] M. R. Mosavi e-mail: [email protected]

Deployment of communication networks, such as mobile networks and the internet, leads to more comfortable access to digital images through multimedia networks. Therefore, much research has been performed on these images to prevent access by illegal users and attackers. Commonly, encryption is chosen as a means to ensure high security. An encryption mechanism aims at keeping the information confidential while it is being transmitted or stored on a medium that is potentially subject to unauthorized access. Image encryption methods try to convert an image to another one so that it is difficult to understand. In order to keep the image confidential between users, it is essential

123

Author's personal copy B. Norouzi et al.

that no one be able to decrypt the image without the appropriate decryption key. To meet this challenge, a variety of traditional encryption algorithms such as advanced encryption standard (AES) and data encryption standard (DES) have been proposed. But these algorithms are inefficient for image encryption due to image inherent features such as huge data capacity, high redundancy, and high correlation among pixels in image files. Recently, along with the rapid development of theory and application of chaos, many types of chaos-generating algorithms have been proposed [1–4]. Random oscillation of the solutions in deterministic systems described as differential or difference equations is called chaos. However, encryption based on chaos is not always secure. In Ref. [4], Alvarez et al. proposed a new cryptosystem based on the iteration of a chaotic system. It is a symmetric block cipher and encodes each plain block into a three-tuple cipher-block. But soon after its introduction, Alvarez et al. [5] cracked this cryptosystem with four cryptanalytic methods and pointed out some other weaknesses. In Ref. [6], chaotic key-based image encryption algorithm (CKBA) has been proposed. According to a chaotic binary sequence, the gray level of each pixel is XORed or XNORed bit-by-bit to one of the two selected keys. As mentioned in Ref. [7], CKBA is very weak to the chosen/known-plaintext attack and moreover its security to brute-force attack is also questionable. Hash functions were introduced in cryptography to provide message integrity and authentication [8–15]. These functions are the fundamental building blocks of information security and play an important role in modern cryptography. Hash functions are used because they are unique for a particular image and are very difficult to revert. Sinha and Singh [11] have used MD5 algorithm for generation of an image signature to encrypt images. As mentioned in Ref. [12], the cryptosystem proposed in [11] is insecure and the weakness of the system mainly lies on the small size of the set of possible keys and in the redundant properties of the BCH codes. In fact, the secret key and the original image can be recovered efficiently by a brute-force attack. Ref. [13] has suggested an algorithm for image encryption based on SHA-512. The main idea of this method is to use one half of image data for encryption of the other half of the image reciprocally. Conventional hash functions, such as MD5 and SHA, involve logical operations or multi-round iterations of some available ciphers. Although each step of the former is simple, the number of processing rounds could be huge even if the message is very short. The security and efficiency of the latter totally rely on the intrinsic cipher which needs complicated computations [10]. The fundamental technique to encrypt images is pixel permutation and diffusion. In the permutation stage, the positions of image pixels are changed. The main purpose of

123

the permutation process is to crack the correlation between adjacent pixels of an image but due to the fact that pixel values are not changed, the histograms of the cipher-image and the plain-image are the same. Therefore, this method is not resistant to the statistical analysis. In the diffusion stage, the pixel values of plain-image are changed sequentially. Therefore, a slight change in one pixel can spread out to almost all pixels in the whole image and the correlations between adjacent pixels of an image can be cracked simultaneously as well. Compared to the permutation, diffusion may lead to higher security. In other words, the permutation process is not necessary in an image encryption scheme. Some image encryption algorithms based on low dimensional chaotic systems with a permutation–diffusion structure have been cracked [6, 14]. As far as we know, in most of the proposed algorithms, permutation and diffusion are often combined to get high computational security [16–22]. In this paper, we propose a novel hash function-based image encryption method with only two diffusion processes. The diffusion process can change the pixel values and crack the correlations between adjacent pixels of an image simultaneously. Based on the sequence which is generated by salsa20 hash function and correlating keys with plaintext of an image to be encrypted, the algorithm uses different key streams when encrypting different input images (even with the same sequence based on hash function). This, in turn, will significantly increase the resistance of the cryptosystem against attacks. The presented scheme has shown exceptionally superior properties in many aspects such as high complexity, high security, more complex key stream, high sensitivity, high quality of encryption and decryption, and simplicity of structure. Experimental results and performance analysis prove the viability of this cryptography based on privacy, integrity, and authenticity. The rest of this paper is organized as follows. Section 2 gives a brief introduction of the hash function. Section 3 introduces the proposed encryption scheme. Section 4 evaluates the security of the proposed algorithm. Some conclusions are drawn in Sect. 5. 2 Hash functions A hash function H is a transformation that compresses an input of arbitrary length to a fixed length which is called the hash value h [that is, h = H(m)]. Hash function should satisfy three features [8, 9]: •

Pre-image resistance: for essentially all pre-specified outputs, it is computationally impossible to find any input which hashes to that output, i.e., to find any preimage m1 such that H(m1) = h when given any h for which a corresponding input is not known.

Author's personal copy A novel image encryption based on hash function





Second pre-image resistance: it is computationally impossible to find any second input which has the same output as any specified input, i.e., given m, to find a second pre-image m = m1 such that h(m) = h(m1). Collision resistance: it is computationally impossible to find any two distinct inputs m and m1 which hash to the same output, i.e., such that h(m) = h(m1).

In our algorithm, a 512-bit long external secret key is used as the input value of the salsa20 hash function. This section defines salsa20 from bottom up, starting from three simple operations on 4-byte words. 2.1 Background and definitions

ðz15 ; z3 ; z7 ; z11 Þ ¼ QRðy15 ; y3 ; y7 ; y11 Þ

If the input {y0, y1,…,y15} is a square matrix, then the column-round operation modifies the columns of the matrix in parallel by feeding a permutation of each row through the quarter-round operation. The column-round operation is the transpose of the row-round function. The double-round (DR) operation: if x is a 16-word sequence, then DR(x) is a 16-word sequence as follows: DR(xÞ ¼ RRðCRðxÞÞ

ð4Þ

This operation modifies the columns of the input in parallel and then modifies the rows in parallel. Each word is modified twice. The littleendian (L) operation: if b = (b0, b1, b2, b3) is a 4-byte sequence, then L(b) is a word as given by:

In order to better understand the structure, the equivalent description of the process is presented first and then the hash function is described in next section [15]. The quarter-round (QR) operation: if y = {y0, y1, y2, y3} is a 4-word (32 byte) sequence, then QR(y) = {z0, z1, z2, z3} is a 4-word sequence, where:

2.2 The salsa20 hash function

z1 ¼ y1  bitshift(ðy0 þ y3 Þ; 7Þ

ð1aÞ

xi ¼ Lðk4i ; k4iþ1 ; k4iþ2 ; k4iþ3 Þ

z2 ¼ y2  bitshiftððz1 þ y0 Þ; 9Þ

ð1bÞ

z3 ¼ y3  bitshiftððz2 þ z1 Þ; 13Þ

ð1cÞ

z0 ¼ y0  bitshiftððz3 þ z2 Þ; 18Þ

ð1dÞ

where x  y returns the result after a bitwise XOR operation and bitshift(A, k) returns the value of A shifted by k bits. According to above equation, first y1 modifies to z1, then y2 modifies to z2, then y3 modifies to z3, and finally y0 modifies to z0. The row-round (RR) operation: if y = {y0, y1,…,y15} is a 16-word sequence then RR(y) = {z0, z1,…,z15} is a 16-word sequence, where:

ð3dÞ

L(bÞ ¼ b0 þ 28 b1 þ 216 b2 þ 224 b3 :

ð5Þ

Starting from the 512-bit external secret key, K = (k0, k1,…,k63), we define: ð6Þ

where i = 0, 1,…,15. Then we have: ðz0 ; z1 ; . . .; z15 Þ ¼ DR10 ðx0 ; x1 ; . . .; x15 Þ

ð7Þ -1

Finally, salsa20(x) is the concatenation of L (xi ? zi). In short: salsa20ðxÞ ¼ x þ DR10 ðxÞ

ð8Þ

where i = 0, 1,…,15. Note that each 4-byte sequence is viewed as a word in littleendian form. Therefore, the core of salsa20 is a hash function with 64-byte input and 64-byte output.

ðz0 ; z1 ; z2 ; z3 Þ ¼ QRðy0 ; y1 ; y2 ; y3 Þ

ð2aÞ

ðz5 ; z6 ; z7 ; z4 Þ ¼ QRðy5 ; y6 ; y7 ; y4 Þ

ð2bÞ

3 The proposed encryption scheme

ðz10 ; z11 ; z8 ; z9 Þ ¼ QRðy10 ; y11 ; y8 ; y9 Þ

ð2cÞ

ðz15 ; z12 ; z13 ; z14 Þ ¼ QRðy15 ; y12 ; y13 ; y14 Þ

ð2dÞ

The encryption algorithm proposed in this paper is based on two rounds of diffusion. In order to encrypt images of size M 9 N, we pad the gray level image by replication of the right-most column and the bottom row to make sure that the number of rows and columns in the image are both a multiple of 8 [17]. Then, the padded image is partitioned into sections of size 8 9 8 and is encrypted using the previous encrypted sections and subsequent unencrypted sections. Therefore, as a result of this dependency, a swift change in the original image will result in a significant change in the ciphered image. On the other hand, the hash-based key streams are designed so that the algorithm for images with various sizes is greatly sensitive to the change in even a single bit of the

If the input {y0, y1,…,y15} is a square matrix, then the row-round operation modifies the rows of the matrix in parallel by feeding a permutation of each row through the quarter-round operation. The column-round (CR) operation: if y = {y0, y1,…,y15} is a 16-word sequence then CR(y) = {z0, z1,…,z15} is a 16-word sequence, where: ðz0 ; z4 ; z8 ; z12 Þ ¼ QRðy0 ; y4 ; y8 ; y12 Þ

ð3aÞ

ðz5 ; z9 ; z13 ; z1 Þ ¼ QRðy5 ; y9 ; y13 ; y1 Þ

ð3bÞ

ðz10 ; z14 ; z2 ; z6 Þ ¼ QRðy10 ; y14 ; y2 ; y6 Þ

ð3cÞ

123

Author's personal copy B. Norouzi et al.

512-bit secret key. Therefore, the proposed scheme can achieve high sensitivity, high complexity, and high security through only two rounds of diffusion process. The following is the detailed description of our image encryption and decryption algorithms. 3.1 Encryption algorithm We assume that the original image is a 256 gray-scale image of size M 9 N. This is an integer matrix of M rows by N columns in which the values range from 0 to 255. The detailed encryption algorithm is described as follows. 3.1.1 First round of diffusion process Step 1: the external 512-bit secret key is applied. The salsa20 hash function is used to generate the original pseudo-random 64-byte key stream according to Sect. 2.2. The key stream is converted to 8 9 8 matrix denoted by ‘‘hash.key’’. Step 2: the matrix of the original image is transformed into 8 9 MN/8 array denoted by P. The obtained matrix is equally partitioned to MN/64 sections as P = {Se.0, Se.1, Se.2,…,Se.(MN/64-1)}. Suppose the pixel sequence of cipher-image is denoted by C89MN/8 = {c0, c1,…,cMN/64-1}, where ci denotes the section of the cipher-image pixels. The size of each section is 8 9 8. Let C / P and i / 0; Step 3: using the following equations, we can calculate ‘‘meanSe.i’’ and ‘‘keySe.i’’: ! ! MN=641 X   meanSe:i ¼ mean2 cj  mean2ðci Þ j¼0 .   1014 4  2564 ð9Þ keySe:i ¼ floorðmodðhash:key  meanSe:i; 256ÞÞ

ð10Þ

where mean2(ci) computes the mean of the values in ci. The size of ‘‘keySe.i’’ is 8 9 8. If i = 0, we go to step 4; else we go to step 5. Step 4: the first section of the cipher-image is obtained by the first section of the plain-image and the keys ‘‘hash.key’’ and ‘‘keySe.0’’, according to the following formula: c0 ¼ Se:0  mod ðhash:key þ keySe:0; 256Þ  keySe:0

ð11Þ

Now we go to step 6. Step 5: the ith section of cipher-image is obtained by the values of the ith section of P, the previously

123

encrypted section, ‘‘hash.key’’:

the

ith

key

(keySe.i),

and

ci ¼ Se:i  mod ðhash:key þ ci1 ; 256Þ  keySe:i

ð12Þ

The size of each section (ci) is 8 9 8. Step 6: we let i / i ? 1 and return to step 3 until i reaches MN/64-1. Then, we get the encrypted array C = {c0, c1,…,cMN/64-1}. The size of this array is 8 9 MN/8. We set d1 = cMN/64-1. The size of d1 is 8 9 8. According to Eqs. (9) and (10), to encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images (even with the same sequence based on hash function). This, in turn, will significantly increase the resistance of the cryptosystem against known/chosenplaintext and differential attacks. 3.1.2 Second round of diffusion process Step 1: replace C (which is obtained in previous round) with its transpose. The size of obtained matrix is MN/ 8 9 8. Let i / 0. Step 2: compute ‘‘meanSe.i’’ and ‘‘keySe.i’’ using Eqs. (9) and (10), respectively. Step 3: if i = 0; go to step 4; else go to step 5. Step 4: obtain the first section of the cipher-image using the values of the first section and the last section of the cipher-image outputted after the first round operation (c0 and d1), the key ‘‘keySe.0’’, as well as ‘‘hash.key’’ according to the following formula: c0 ¼ c0  mod ðhash:key þ d1 ; 256Þ  keySe:0

ð13Þ

Then go to step 6. Step 5: obtain the corresponding section of the cipherimage using the values of the currently operated section and the previously encrypted section, the ith key (keySe.i) and ‘‘hash.key’’, as follows: ci ¼ ci  mod ðhash:key þ ci1 ; 256Þ  keySe:i

ð14Þ

Step 6: let i / i ? 1; return to step 2 until i reaches MN/ 64-1. Then get the encrypted array C = {c0, c1,…,cMN/ 64-1}. The size of this array is MN/8 9 8. The final pixel sequence of cipher-image is obtained by converting the size of this array to M 9 N. Note that each modification is invertible and thus the entire algorithm is invertible.

Author's personal copy A novel image encryption based on hash function

3.2 Decryption algorithm The decryption procedure is similar to that of the encryption process except that some steps are followed in a reversed order. Step 1: generate the key stream according to the external 512-bit secret key. All operations are the same as steps 1 and 2 in the first round of diffusion process. Step 2: the matrix of the cipher-image is transformed into an MN/8 9 8 array denoted by C. This matrix is equally partitioned to MN/64 sections as C = {c0, c1,…,cMN/64-1}. The size of each section is 8 9 8. Step 3: first round of operation to remove the effect of diffusion: Implementing the reverse operations is equivalent to the second round of diffusion operation in the encryption process from the last section to the first section. The formulas for removing the effect of diffusion are the same as Eqs. (14) and (13). Step 4: replace C with its transpose. The size of obtained matrix is 8 9 MN/8. Step 5: second round of operation to remove the effect of diffusion: Implementing the reverse operations is equivalent to the first round of diffusion operation in the encryption process from the last section to the first section. Obtain the recovered image sections Q = {Se.0, Se.1,…,Se.(MN/64-1)} from C = {c0, c1,…,cMN/64-1} using the following formulas: Se:i ¼ ci  mod ðhash:key þ ci1 ; 256Þ  keySe:i

ð15Þ

Se:0 ¼ c0  mod ðhashkey þ keySe:0; 256Þ  keySe:0 ð16Þ where i = MN/64-1,…,2, 1. The size of Q = {Se.0, Se.1,…,Se.(MN/64-1)} is 8 9 MN/8. The final pixel sequence of image is obtained by converting the size of this array to M 9 N.

4 Performance and security analysis A good encryption scheme should resist all kinds of known attacks, such as known-plaintext attack, cipher text only attack, statistical attack, differential attack, and various brute-force attacks [21–27]. In this section, the proposed image cryptosystem is analyzed using different security measures. These measures consist of statistical analysis, key space analysis, information entropy analysis, sensitivity analysis, and avalanche criterion. In order to compare the performance of the proposed algorithm to other methods, first the proposed method is used and applied to eight standard images and its performance is evaluated against several criteria. The averages of these

criteria for these eight images are obtained. These averages are considered as the performance of the proposed algorithm. Then, the performances of other methods, based on these criteria, are compared to the performance of the proposed image encryption system. Each of these criteria is described in detail in the following subsections. 4.1 Statistical analysis 4.1.1 Histogram Eight 256 gray-level images are selected with size of 256 9 256 and with different contents and their histograms are calculated. With respect to Figs. 1, 2, 3, 4, 5, 6, 7, and 8, the histogram of plain-images contains large sharp rises followed by sharp declines and the histogram of all cipherimages under the proposed algorithm is fairly uniform and significantly different from that of the plain-images. This fact can well protect the information of the image to withstand the statistical attack. The equation used to compute the uniformity of a histogram caused by the proposed encryption scheme is justified by the Chi-square test [16] as follows: v2 ¼

256 X ðmk  256Þ2 k¼1

ð17Þ

256

where k is the number of gray levels (256) and vk is the observed occurrence frequencies of each gray level (0–255). The lower value of the Chi-square value indicates a better uniformity (see Table 1). 4.1.2 Correlation analysis of two adjacent pixels There exists a high correlation between pixels of an image which is considered as an intrinsic feature. Statistical attack uses this intrinsic property to carry out the cryptanalysis. Thus, a secure encryption scheme should remove this intrinsic correlation to improve resistance against statistical analysis [17–30]. To test the correlation between two adjacent pixels in plain-image and ciphered image, the following procedure was carried out. First, 4,096 pairs of two adjacent pixels (in horizontal, vertical and diagonal direction) from plain-image and cipherimage were randomly selected. Then correlation coefficients (CC) (rxy) of each pair were calculated using the following equations: pffiffiffiffiffiffipffiffiffiffi rxy ¼ covðx; yÞ= Dx Dy ð18aÞ Ex ¼

N 1X xi N i¼1

ð18bÞ

123

Author's personal copy B. Norouzi et al.

Fig. 1 a Lena image; b histogram of Lena; c Lena encryption; and d histogram of Lena encryption

Fig. 2 a Cameraman image; b histogram of cameraman; c cameraman encryption; and d histogram of cameraman encryption

Fig. 3 a Baboon image; b histogram of baboon; c baboon encryption; and d histogram of baboon encryption

Fig. 4 a Peppers image; b histogram of peppers; c peppers encryption; and d histogram of peppers encryption

123

Author's personal copy A novel image encryption based on hash function

Fig. 5 a Tiffany image; b histogram of Tiffany; c Tiffany encryption; and d histogram of Tiffany encryption

Fig. 6 a F16 image; b histogram of F16; c F16 encryption; and d histogram of F16 encryption

Fig. 7 a Lake image; b histogram of lake; c lake encryption; and d histogram of lake encryption

Fig. 8 a Elaine image; b histogram of Elaine; c Elaine encryption; and d histogram of Elaine encryption

123

Author's personal copy B. Norouzi et al. Table 1 Chi-square test and correlation coefficient of different plain-image and cipher-image Image

Original image Chi-square

Lena Cameraman

Encrypted image Correlation coefficients

Chi-square

Horizontal

Vertical

Diagonal

Correlation coefficients Horizontal

28,588

0.9187466

0.9557728

0.8877604

189.61

113,654

0.9439921

0.9618159

0.9155575

268.28

-0.002259

44,395 36,778

0.6910626 0.9436501

0.5797986 0.9527033

0.6034725 0.9074691

240.01 237.50

-0.003668 0.000127

Baboon Peppers

0.0008213

Diagonal

0.0008423 -0.000313 0.0003721 0.0003223

0.0005083 -0.000009 -0.0009163 0.0089575

Tiffany

133,363

0.8875606

0.9324861

0.8492056

249.30

F16

163,822

0.8993711

0.8939348

0.8185195

255.24

-0.000986

Lake

42,952

0.9309474

0.9373847

0.8972699

244.82

-0.000337

Elaine

34,297

0.9593344

0.9645689

0.9341779

238.29

-0.000607

Average

74,731

0.896833

0.897308

0.851679

240.38

0.001196

0.000746

0.002804

Ref. [16]

35,452

0.9148

0.9275

0.8640

265

0.0079

0.0099

0.0077

Dx ¼

N 1X ðxi  EðxÞÞ2 N i¼1

covðx; yÞ ¼

ð18cÞ

N 1X ðxi  EðxÞÞðyi  EðyÞÞ N i¼1

ð18dÞ

where x and y are gray-scale values of two adjacent pixels in the image. N is the total number of duplets (x, y) obtained from the image. Chi-square test and CC of different plain/cipher-images are reported in Table 1 according to the plain-images of Figs. 1, 2, 3, 4, 5, 6, 7, and 8. Absolute values of CC are used for computing the average values which is shown in Table 1. The measured CC of the plain-image are close to 1 while those of the cipher-image are nearly 0. Also, the Chi-square value of cipher-image should be a low value corresponding to a great difference between the original image and the encrypted image. Table 2 Comparison correlation coefficient of the proposed method with the other methods Encryption methods

Vertical

Diagonal

Proposed scheme

0.0008213

0.0008423

0.0005083

Ref. [2]

0.0171888

0.0098527

0.0330454

Ref. [13]

-0.0006

-0.0030

0.0061

Ref. [16]

0.0041

0.0308

0.0053

0.001005

-0.00085

Ref. [19]

0.0004992

-0.00198

Ref. [20]

-0.000848277

Ref. [22]

-0.0025

123

0.00370914 -0.0006

0.0009769 -0.002643 0.0002046

0.0013673 -0.000903 -0.000696 -0.009078

Table 2 compares the CC for our proposed scheme, Tong’s scheme [2], Seyedzade’s scheme [13], Borujeni’s scheme [16], Zhu’s scheme [18], Kumar’s scheme [19], Zhang’s scheme [20] and Huang’s scheme [22] on Lena image. Table 2 shows that our algorithm yields better security performance in comparison to the results obtained from other algorithms. As a result, the proposed algorithm has successfully removed the correlation of adjacent pixels in the original image so that neighboring pixels in the cipherimage virtually have no correlation. Finally, Fig. 9 shows the correlation distribution of two horizontally adjacent pixels in the Lena image and that in the ciphered image. 4.1.3 Correlations between original and cipher-images We have analyzed the correlation between various pairs of plain/cipher-images by calculating the 2D CC between original and encrypted images [18]. The CC is calculated as follows: !, M X N X  ij  BÞ  CC ¼ ðAij  AÞðB vffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ! ! u M N M X N X u XX 2 2 t   ðAij  AÞ ðBij  BÞ i¼1 j¼1

Ref. [18]

-0.000297

i¼1 j¼1

Cipher-image of Lena Correlation coefficients Horizontal

0.0007661

Vertical

0.000897 0.0008371 -0.000189 -0.0050

ð19Þ

i¼1 j¼1

Here, A represents the original image and B represents the cipher-image. A and B are the mean values of the elements of matrices A and B, respectively. M and N are the height and width of the plain/cipher-image, respectively. CC values of different plain-images are reported in second column of Table 3 according to the plain-images of Figs. 1, 2, 3, 4, 5, 6, 7, and 8. The measured CCs are nearly 0. Therefore, the encrypted and original images are

Author's personal copy A novel image encryption based on hash function

Fig. 9 Correlation of two adjacent pixels: a distribution of two horizontally adjacent pixels in the plain-image, b distribution of two vertically adjacent pixels in the plain-image, c distribution of two diagonally adjacent pixels in the plain-image, d distribution of two

horizontally adjacent pixels in the cipher-image, e distribution of two vertically adjacent pixels in the cipher-image, and f distribution of two diagonally adjacent pixels in the cipher-image

Table 3 Parameters of the encryption quality Image

Proposed algorithm CC

Ref. [16]

Ref. [18] CC

MSE

PSNR

EQ

Entropy

MSE

PSNR

Entropy

Lena

0.000111

9,030

8.5740

145.7

7.9979

7,510

0.002851

9.2322

7.9977

Cameraman

0.003256

9,392

8.4031

259

7.9971

8,778

-0.003558

8.3688

7.9969 7.9970

Baboon

7,364

9.4598

189.67

7.9974

6,583

-0.006632

9.5466

Peppers

-0.003320 0.0006326

8,319

8.93

155.20

7.9974

8,298

-0.001650

8.9914

7.9973

Tiffany

0.0032111

13,159

6.9386

308.34

7.9973









F16

0.0023236

10,377

7.9699

258.58

7.9972

9,980







Lake

-0.0003063

9,854

8.1945

160.11

7.9973

9,467







Elaine

-0.0042579

7,739

9.2437

161.92

7.9974









9,404.3

8.4642

204.82

7.9974

8,369

0.003673

9.0348

7.9972

significantly different. Absolute values of CC are used for computing the average value which is shown in Table 3.

MSE ¼

Average

0.002177

4.1.4 MSE and peak signal-to-noise ratio analysis To evaluate the reliability of the proposed algorithm, mean square error (MSE) between encrypted image and original image is measured. MSE is calculated using the following equation [16]:

M X N 1 X ðaði; jÞ  bði; jÞÞ2 M  N i¼1 j¼1

ð20Þ

where M 9 N is the size of the image. The parameters a(i, j) and b(i, j) refer to the pixels located at the ith row and the jth column of original image and encrypted image, respectively. The larger the MSE value, the better the encryption security. Furthermore, the encrypted image

123

Author's personal copy B. Norouzi et al.

quality is evaluated using peak signal-to-noise ratio (PSNR) [11] which is described by the following expression:  2  I PSNR ¼ 10 log10 Max ð21Þ MSE where Imax is the maximum of pixel value of the image. The PSNR should be a low value which corresponds to a great difference between the original image and the encrypted image. The effectiveness of the proposed method, evaluated in terms of MSE and PSNR for all eight images, is tabulated in third and fourth columns of Table 3. 4.1.5 Measurement of encryption quality Plain-image pixels’ gray levels change after image encryption as compared to their original values before encryption. This means that the higher the change in pixels’ values, the more effective will be the image encryption and hence the encryption quality (EQ). The quality of image encryption may be determined as follows: let C(i, j) and P(i, j) be the gray value of the pixels at grid (i, j) in cipher and plain-image, each of size M 9 N pixels with L gray levels, respectively. Clearly, P(i, j) and C(i, j) [ {0, 1,…,L - 1}. We will define HL(P) and HL(C) as the number of occurrences for each gray level L in the plainimage and cipher-image, respectively. The EQ represents the average number of changes to each gray level L. The larger the EQ value, the better the encryption security. The EQ is calculated as: EQ ¼

255 X

ðHL ðCÞ  HL ðPÞÞ =256

Key space is the total number of different keys that can be used in an encryption system. A good encryption algorithm should be sensitive to the secret keys and the key space should be sufficiently large to make brute-force attack impossible. The size of the key space should be larger than 2100 to provide a high level of security [17]. Since the secret key of the proposed method is 512-bit long, the key space is about 2512. It seems that the size of key space compared with [17–21] is large enough to resist all kinds of brute-force attacks.

ð22Þ 4.4.1 Differential attack

In Table 3, EQ values are shown in the fifth column. 4.2 Information entropy analysis The entropy is one of the most outstanding features for measuring the randomness of image encryption algorithm. The information entropy H(s) of a message source s can be computed as: M 2X 1

i¼0

Pðsi Þ log2

1 Pðsi Þ

ð23Þ

where P(si) denotes the probability of symbol si, and 2M is the total states of the information source. For a purely random source emitting 2M symbols, the entropy should be M. For an ideally random image, the value of the information entropy is 8. Entropy values of different plainimages are reported in the sixth column of Table 3 according to the plain-images of Figs. 1, 2, 3, 4, 5, 6, 7, and 8. These entropy values are very close to the theoretical

123

4.3 Key space analysis

4.4 Sensitivity analysis 2

L¼0

HðsÞ ¼

value 8. This means that information leakage in the encryption process is negligible and the encryption scheme is secure upon entropy attack. Entropy values of Lena image in proposed algorithm is 7.9979. To compare the entropy values for Lena encryption, the entropy values of the reported schemes in the recent years are mentioned in [20]. The Sun’s algorithm reports H = 7.9965; the Baptista’s algorithm reports H = 7.9260; the Wong’s algorithm reports H = 7.9690; the Xiang’s algorithm reports H = 7.9950; and the Xiang’s algorithm reports H = 7.9950 [20]. Compared with these existing results, the entropy results of the proposed algorithm for the cipherimage Lena are better than those of the existing algorithms. Absolute values of CC are used for computing the average value which is shown in Table 3.

Attackers often make a small change to the plain-image and use the proposed algorithm to encrypt the plain-image before and after this change. By comparing these two encrypted images they find out the relationship between the plain-image and the cipher-image. This kind of attack is called differential attack. In order to resist differential attack, a minor alternation in the plain-image should cause a substantial change in the cipher-image [20, 21]. To test the influence of one-pixel change on the whole image encrypted by the proposed algorithm, two common measures can be used: number of pixels’ change rate (NPCR) and unified average changing intensity (UACI). Let’s denote two cipher-images whose corresponding plainimages have only one-pixel difference by C1 and C2, respectively. We label the gray-scale values of the pixels at grid (i, j) in C1 and C2 by C1(i, j) and C2(i, j), respectively. We define a bipolar array D which has the same size as C1 and C2. Then, D(i, j) is determined by C1(i, j) and C2(i, j). If C1(i, j) = C2(i, j), then D(i, j) = 0; otherwise,

Author's personal copy A novel image encryption based on hash function

D(i, j) = 1. NPCR and UACl are defined by the following formulas: P i;j Dði; jÞ  100 % ð24Þ NPCR ¼ MN ! X jC1 ði; jÞ  C2 ði; jÞj 1 UACI ¼  100 % ð25Þ M  N i;j 255 where M and N are the width and height of both C1 and C2. The larger the NPCR and UACI values, the better the encryption security. Researchers usually use MAE as another criterion to examine the performance of resisting differential attack. Let C(i, j) and P(i, j) be the gray level of the pixels at the ith row and the jth column of an M 9 N cipher and plainimage, respectively. The MAE between these two images is defined as: MAE ¼

M X N 1 X jCði; jÞ  Pði; jÞj M  N i¼1 j¼1

ð26Þ

The larger the MAE value, the better the encryption security. 4.4.1.1 Key sensitivity A good encryption algorithm should be sensitive to the secret keys [21]. It means that a change in a single bit of the secret key should produce a completely different encrypted image. Key sensitivity analysis has been performed for the proposed image encryption algorithm and the results are summarized as follows. We encrypted a 256 9 256 gray image of Lena using key1: ‘‘101, 120, 112, 124, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 110, 100, 32, 49, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 54, 45, 98, 121, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 116, 101, 32, 107’’ as the first set of keys. The same plain-image was encrypted with slightly different keys (toggling the last bit of the secret key) as key2: ‘‘101, 120,

112, 124, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 110, 100, 32, 49, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 54, 45, 98, 121, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 116, 101, 32, 106’’. Now, these two ciphered images are compared. This test shows that although the two keys are different in only one bit, there is a difference of up to 99.63 % in terms of pixel gray-scale values between the image encrypted by key1 and the image encrypted by key2. Figure 10 shows the test result. As a result, if a slightly modified 512-bit key is used to decrypt the cipher-image, the decryption fails completely (see Fig. 10d). The difference between two encryptions can be observed by means of the CC, PSNR, NPCR and UACI. Changing different bits in arbitrary positions of the key has been tested with the results shown in Table 4. It can be seen that these NPCR values are very high and the average value of NPCR is 99.65 %. In other words, the parameters of the proposed method are greatly sensitive to a change in even one bit of the secret key. Therefore, the proposed scheme can resist against brute-force attacks. 4.4.1.2 Plaintext sensitivity In order to evaluate plaintext sensitivity of our proposed scheme, an original image is encrypted first. Then, one pixel in original image is randomly selected and changed. The modified image is encrypted again using the same key so as to produce a new cipher-image. Finally, the NPCR and UACI values are computed. This kind of test is performed over 100 times with different images (a total of 800 times for all images). Table 5 provides the data related to the experimental results obtained by the proposed method. Also, the MAE values are shown in the last column of Table 5. The results of NPCR and UACI for the original image Lena are shown in Fig. 11a, b, respectively. It is clear that the NPCR and UACI values remain in the vicinity of the expected values which are shown in the last row of

Fig. 10 a Lena image; b Lena encryption with key1; c decrypted image with key1; and d decrypted image with key2

123

Author's personal copy B. Norouzi et al. Table 4 Pixel difference between images encrypted by keys with one bit difference Image

Proposed algorithm

Ref. [17]

Ref. [27]

CC

PSNR

NPCR

UACI

NPCR

UACI

Lena

-0.0049

8.5260

99.6689

33.5561

0.9960981

0.3346294

99.60244

Cameraman

-0.0005

8.3871

99.6460

33.5185







Baboon

0.0041

9.4920

99.6384

33.6305

0.9960982

0.3346229



Peppers

0.0031

8.9343

99.6628

33.5712

0.9960971

0.3346120

99.60352

Tiffany

0.0088

6.9531

99.6475

33.6510







F16

NPCR

-0.0037

7.9701

99.6597

33.5383

0.9960934

0.3345708



Lake Elaine

0.0011 0.0022

8.1821 9.2928

99.6628 99.6521

33.4640 33.4739

– –

– –

– –

Average

0.00355

8.4672

99.6548

33.5504

Image size of [17]: 512 9 512



Table 5 Evaluate plaintext sensitivity and MAE Image

NPCR

UACI

MAE

Max

Min

Average

Max

Min

Average

Lena

99.66

99.55

99.6137

33.61

33.25

33.4594

Cameraman

99.69

99.55

99.6131

33.68

33.28

33.4615

79.41

Baboon

99.67

99.55

99.6111

33.65

33.22

33.4629

71.63

Peppers

99.66

99.56

99.6137

33.59

33.14

33.3948

74.76

Tiffany

99.68

99.53

99.6110

33.70

33.32

33.4913

94

F16

99.69

99.53

99.6118

33.68

33.25

33.4719

83.21

Lake Elaine

99.67 99.67

99.53 99.54

99.6118 99.6134

33.67 33.61

33.26 33.24

33.4807 33.4411

81.34 72.53

Average (800 iterations)

99.6125

33.4580

79.354

Expected values

99.60937

33.46354



77.95

Fig. 11 a NPCR for 100 modified plain-images Lena and b UACI for 100 modified plain-images Lena

Table 5. The NPCR and UACI measurements reported in Refs. [1, 24] are 50.23, 0.40 and 25.23, 0.3192 %, respectively. They can hardly satisfy any high performance requirement. To make a comparison with other algorithms, the round number of image-scanning, permutation, and diffusion rounds required to achieve this performance are tabulated

123

in Table 6. The results show that the round number of image-scanning, permutation, and diffusion required by the new algorithm is fewer than that by other comparable algorithms. Thus, the proposed algorithm indeed leads to a faster encryption speed. Table 6 shows this algorithm is superior compared to the existing algorithms mentioned in Ref. [26].

Author's personal copy A novel image encryption based on hash function Table 6 The round number of scanning-image, permutation and diffusion to achieve NPCR [99.6 % and UACI [33.4 % Algorithm

Proposed

NPCR (%)

UACI (%)

[99.61 [33.45

Table 7 Parameters of the decryption quality Image

Round number of Scanningimage 2

Permutation 0

Proposed algorithm

Ref. [11]

CC

MSE

PSNR

CC

PSNR

Lena

1

0

Inf

1

96.2956

Cameraman

1

0

Inf

1

96.2956

Baboon

1

0

Inf

1

96.2956 96.2956

Diffusion 2

Ref. [26]

[99.6

[33.3

2

2

2

Lian’s

[99.6

[33.3

18

18

6

Wong’s

[99.6

[33.3

4

4

2

Mao’s

[99.6

[33.3

6

3

3

Xiao’s

[99.6

[33.3

6

3

3

Peppers

1

0

Inf

1

Tiffany

1

0

Inf





F16

1

0

Inf





Lake Elaine

1 1

0 0

Inf Inf

– –

– –

4.4.2 Avalanche criterion It is known that the change of one bit in the plaintext should result in theoretically 50 % difference in the cipher’s bits. In order to prove the claimed sensitivity to the plaintext, we may generate two plain-images with just onebit difference. The bits change rate of the cipher-image is 49.9992370605469 %, and very close to the ideal value of 50 %. This measurement reported in Refs. [2, 17, 19, 23] is 49.98, 50.012287, 49.97 and 49.99 %, respectively. So our scheme is nearly ideal. 4.5 Resistance to known-plaintext and chosen-plaintext attacks In the two rounds of diffusion process, from Eqs. (11) to (14), one can see that the final encryption keys are (mod (hash.key ? keySe.0, 256)  keySe.0), (mod(hash.key ? d1  256), keySe.0) and (mod(hash.key ? ci-1, 256)  keySe.i)), in which ‘‘hash.key’’ and ‘‘keySe.i’’ for i [ 1 are related to the initial values of the hash function, and ci-1 for i [ 1 or d1 are related to the pixel values of the plainimage. As a result, cipher-image values depend on the plain-image and the final encryption keys. In addition, according to Eqs. (9) and (10), to encrypt each section of image, the average of other sections is employed. So the algorithm uses different key streams and averages when encrypting different input images. The attacker cannot obtain useful information by encrypting some special images since the resultant information is related to those chosen-images. Therefore, the attacks proposed in Refs. [5, 7, 12, 28, 29] become ineffective on this new scheme. The proposed scheme can well resist the known-plaintext and the chosen-plaintext attacks.

should be near 1 or equal to 1, the MSE should be a small value, and the PSNR should be large. To determine the decryption quality, the decryption algorithm is applied to all eight encrypted images. The CC, the MSE, and the PSNR are calculated for each decrypted image. The test results are shown in Table 7. For the proposed decryption, the CC of each decryption is 1. The MSE of each decryption is 0 and the PSNR of each decryption is infinite. The results suggest that every decryption is accurate. In other words, each decrypted image is identical to the corresponding original image. Thus, a good quality is demonstrated in the proposed decryption. 4.7 Other security issues The proposed scheme with two diffusion processes is capable of not only scrambling the data, but also it changes the intensity of the pixels which contributes to the safety of the encryption. For convenience, Fig. 12 shows a cropped gray-scale matrix of size 5 9 5 from a plain-image along with its encrypted version. According to this figure, the method combines the scrambling and diffusion. Notice how the same gray values are encrypted differently. This irregularity is very important to hamper any attempt to reverse-attack the algorithm. Confusion (permutation) process has not been employed due to several significant reasons: •

4.6 Decryption quality • The decryption quality has been evaluated by calculating the CC, MSE and PSNR. For a good decryption, the CC

Confusion’s security is threatened by the statistical attacks [1–3, 16–20]. In the confusion stage, the positions of image pixels are changed, but due to the fact that pixel values are not modified, the histogram of the cipher-image and the plain-image is the same. Therefore, this method is not resistant to the statistical analysis and is not secure. Confusion process usually takes more time than diffusion process to shuffle the plain-image. Refs. [32, 40, 41] have reported larger computation time for

123

Author's personal copy B. Norouzi et al.

Fig. 12 a A 5 9 5 cropped plain-image, b gray-scale matrix of a, c encrypted version of a using the proposed algorithm and d gray-scale matrix of c





confusion process than diffusion process. For example, we can see that the operation speeds of diffusion process of Refs. [32, 41] are about 5 and 720 ms faster than confusion process, respectively. The diffusion process can modify the pixel values and break the correlations between adjacent pixels of an image simultaneously [1–3, 16–20]. In other words, in the diffusion stage, the pixel values of plain-image are changed sequentially. Therefore, a slight change for one pixel can spread out to almost all pixels in the whole image and the correlations between adjacent pixels of an image can be cracked simultaneously as well. Other researchers such as [18, 21] have also used only diffusion process in their algorithm.

Statistical analysis such as histogram, Chi-square test, correlation of adjacent pixels, 2D CC between original and encrypted images, MSE, PSNR, and entropy information, all indicate that our scheme possesses a good property of scrambling and diffusion. To evaluate the robustness of our algorithm against JPEG compression, noise, and data loss attacks, two modes are considered: (a) We suppose meanSe.i = 10-14 for i = 0, 1,…,MN/ 64-1. As a result, hash.key = keySe.i [see Eq. (10)]. Now, we test the robustness of our algorithm against JPEG compression, noise, and data loss attacks. 4.7.1 JPEG compression attack To evaluate the resistance of proposed method against JPEG compression attack, first the Lena original image shown in Fig. 1a was encrypted by the encryption algorithm. Then, we compressed the encrypted image with different quality factors (Q). The results are shown in Fig. 13. The PSNR index was used to quantitatively evaluate the similarity between reconstructed images and the original images [8, 39, 42–50]. As shown in Fig. 13, the encryption scheme is secure upon JPEG compression attack.

123

4.7.2 Noise attacks To test the robustness of proposed method against noise attacks, the following procedure was carried out. The original image shown in Fig. 1a was encrypted by the encryption algorithm. Then, salt and pepper noise with a density of 0.05 is added to the encrypted images [39, 42– 46]. Then, we tried to reconstruct the original image from these noisy encrypted images. The PSNR index was used to quantitatively evaluate the similarity between reconstructed images and the original ones. The results are shown in Fig. 14. It is very obvious that the proposed image encryption algorithm is not merely an XOR operation since the PSNR is different than that obtained from original image. 4.7.3 Data loss attacks The data (gray value of image pixels) within a 20 9 20 window in the center of the cipher-images were removed by replacing them with zeros. Then, we tried to reconstruct the original image from the cipher-images with data loss. The reconstructed images were evaluated by the PSNR index measure [39]. The results are shown in Fig. 15. It is concluded that the proposed scheme can resist against different attacks (noise attack and data loss attacks) in the spatial domain and compressed domain (JPEG compression). (b) We suppose meanSe:i 6¼ 1014 for i = 0, 1,…,MN/ 64-1. In other words, the average of image data is employed for encryption and decryption (according to Eqs. (10)–(16)). To encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images (even with the same sequence based on hash function). In this case, our algorithm is very sensitive to any small change in the plain and cipher-image. So it can be concluded that a small change in the cipher-image (caused by compression, noise, cropping, rotation, etc.) will generate a completely different decryption result and cannot get the correct plain-

Author's personal copy A novel image encryption based on hash function

Fig. 13 Image recovery after JPEG attack with different quality factors (Q)

image. This shows the resistance of the cryptosystem against differential attacks. 4.8 Speed analysis Apart from the security consideration, some other issues on image encryption are also important [51–53]. This includes the encryption speed for real-time processes. In general, encryption speed is highly dependent on the CPU/MPU structure, RAM size, operating system platform, the programming language, and also on the compiler options.

Table 8 compares the encryption time of the proposed cryptosystem, Zhu’s algorithm [18], Zhu’s algorithm [32] and Gao’s algorithms [33, 34]. The experiments are all performed using MATLAB 7.6.0.324 (R2008a) on a personal computer (PC) with a 2.4-GHz CPU, 4-GB RAM, 640-GB hard-disk capacity, and the Microsoft Windows 7 operating system. In the proposed cryptosystem, we only need two rounds of diffusion process; so, it just takes us 0.41 s to complete the whole process for a gray image of size 256 9 256. Therefore, the encryption method proposed in this paper is fast.

123

Author's personal copy B. Norouzi et al. Fig. 14 Image recovery after salt and pepper noise: a original Lena image with salt and pepper noise; b decrypted Lena image after adding salt and pepper noise to the encrypted image

Fig. 15 Data loss attacks: a the cipher-image with data loss and b reconstructed image

Table 8 The comparison of encryption time between our proposed method and the other cryptosystems Algorithm

Encryption time (s)

Proposed algorithm

0.41

Zhu’s [18]

0.69

Zhu’s [32]

[2.9

Gao’s [33]

0.83

Gao’s [34]

[3

Several studies have also reported the encryption time of their algorithm as shown in Table 9. Both Tables 8 and 9 demonstrate that our algorithm can achieve high speed. There are three main contributing factors: •

Only a two-round diffusion operation is enough to yield a perfect cipher-image with high security in our method. However, for Lian’s scheme six rounds are needed [40] (see Table 6).

Table 9 Encryption speed test results for image size of 256 9 256 pixels Algorithm

Size

Encryption time (s)

System characteristics

Platform

Ref. [1]

256 9 256

0.4

Pentium IV 1 GHz

VisualC??

Ref. [35]

256 9 256

[0.5

Pentium IV 1.5 GHz

VisualC??

\1.37

Core 2 Duo CPU 1.40 GHz

Matlab2009

Ref. [36]

256 9 256

Ref. [37]

256 9 256

0.547

Core(TM) 2, 2.00 GHz

Matlab 6.5

Ref. [38]

256 9 256

0.9

Pentium(R) 1.7 GHz

C and gcc-4.6.0

123

Author's personal copy A novel image encryption based on hash function





4.10 The analytical/mathematical argument of the proposed algorithm for encrypting all images

Only simple operations are included in our image encryption algorithm. In each round, for each section, there are only a few XOR operations, addition, etc. The cryptosystem proposed in [32] employed the Arnold cat map for permutation and the logistic map for diffusion. Ref. [18] employs improved hyper-chaotic sequences in key scheming. In the diffusion processes, instead of encrypting each pixel, a block of pixels are encrypted. In other words, the algorithm can be executed in parallel.

The proposed algorithm consists of two processes: key schedule process and diffusion process. The diffusion process includes two rounds whose first round applies key stream generated in key schedule process to encrypt original 8-bit pixels. In the second round, the diffusion process uses key streams to encrypt 8-bit pixels encrypted in the first round and satisfy the security requirements. For binary images, black and white pixels are considered as 8-bit pixels with values of 0 and 255, respectively, and are then encrypted/decrypted. For 10, 12, and 16-bit images, pixels are divided into 8-bit sub-pixels and then the proposed algorithm encrypts/decrypts sub-pixels. In the following paragraphs, analytical/mathematical arguments are given to prove that the pseudo-random nature of the encrypted image and its histogram are independent of the original image. According to Refs. [54, 55], it is obvious that if x and k are the pseudo-random sequence and the constant value (or pseudo-random sequence), respectively, then it can be written as follows:  x 2 fpseudo-random sequenceg if k ¼ cteðor pseudo-random sequenceÞ 8 ð27Þ > : z¼kx

Therefore, as far as the encryption speed is concerned, our scheme is fast. 4.9 Comparison The performances of other methods, based on several criteria, are compared to the performance of the proposed image encryption system. Table 10 shows the results. The results reveal the fact that the proposed algorithm yields better security performance in comparison to other algorithms. We have conducted the supplementary experimental study on many large-scale images CVG-UGR. Table 11 shows the average results for a large number of images of various sizes. For color image encryption, the proposed algorithm utilizes the same method to encrypt its R, G, and B components three times independently. With respect to speed, simultaneous generation of pseudo-random number by hash-based key stream generation process in parallel mode causes the proposed cryptosystem to achieve high speed performance for color images.

Table 10 Comparison of our proposed method with other algorithms Algorithm

Image

NPCR (%)

UACI (%)

Entropy

Average of correlation coefficients

Key space

Proposed algorithm

Lena

99.6137

33.4594

7.9979

0.000742

2512

Ref. [2]

Lena

0.4144

33.42

7.9971

0.020029

4 9 1028

Ref. [20] (2 rounds)

Lena

99.6063

33.4758

7.9975

0.001582

2104

Ref. [22]

Lena

99.54

28.27

7.9967

0.0027

1048

Ref. [23]

Goldhill

0.39

0.33

7.9989

0.005833

2225

Ref. [24]

Cameraman

0.40

0.3192



0.001343

10289m9n

Ref. [25]

Boat

0.46

0.39

7.9972

0.003333

2186

Ref. [30]

Barbara

0.41962

0.3325

7.9968

0.002167

2260

Ref. [31]

Lena

0.38

7.9980

0.003267

1072

EQ

Entropy

Chi-square

NPCR

UACI

MAE 80.2

99.61

Table 11 The average results for different images Image size

Correlation coefficients

CC

MSE

PSNR

256 9 256

0.00084

0.00056

0.00021

0.0023

9,610

8.3877

214.4

7.9973

247.3

99.61

33.51

512 9 512

0.00074

0.00097

0.00068

0.0014

9,236

8.5550

832.79

7.9993

254.6

99.61

33.46

78.6

1,024 9 1,024

0.00048

0.00079

0.00095

0.0007

9,203

8.5717

3,341.88

7.9998

257.40

99.61

33.46

78.8

123

Author's personal copy B. Norouzi et al.

where the sequence of z will be the pseudo-random sequence. As a result, the constant, nonzero value of k does not change the randomness of the pseudo-random sequence. As mentioned in the previous section, the matrix of ‘‘hash.key’’ is the output of the salsa hash function which generates the pseudo-random sequence with the uniform distribution [56–59]. In order to encrypt the first block (c0), the value of the keySe.0 in Eq. (10) should be calculated. The equation is equivalent to a multiplicative congruential random number generator [60, 61] where the constant multiplier must be always chosen between 0 and modulus. In order to satisfy this provision in Eq. (10), values of ‘‘hash.key’’ always range between 0 and 255. Accordingly, Eq. (10) generates the pseudo-random numbers in each of the iterations. In Eq. (11), pseudo-random values of ‘‘hash.key’’ and ‘‘keySe.0’’ are used to calculate the first encrypted block (c0). According to argument presented in Eq. (27), the combination of the ‘‘hash.key’’ and ‘‘keySe.0’’ leads to: A0 ¼ modðhash:key þ keySe:0 ; 256Þ  keySe:0 |fflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} |fflfflfflffl{zfflfflfflffl} Pseudorandom Pseudorandom |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}

ð28Þ

Pseudorandom

where A0 will be a random sequence and the exclusive-OR of each integer or pseudo-random matrix with A0 results in a pseudo-random sequence (see Eq. (27)): C0 ¼ Se:0  A0

ð29Þ

Regardless of matrix type of Se.0, for instance binary and gray level, etc., Eq. (29) can result in random values. The encryption of other blocks is similar to the first block and uses the previous encrypted values in encryption structure. In Eq. (12), the chaining mechanism causes cipher-text ci to depend on Se.i and the pseudo-random sequence which consists of ci-1, ‘‘hash.key’’ and ‘‘keySe.0’’. As mentioned earlier, ‘‘hash.key’’ is the initial pseudo-random salsa20 sequence [56–59], ‘‘keySe.0’’ is a pseudo-random sequence and ci-1 is the preceding cipher value. As a result, Eq. (12) is similar to the equation used in n-bit block cipher such as cipher-block chaining (CBC) [54] which is presented as follows: ci ¼ Se.i  Ai

ð30Þ

where Ai ¼ modðhash:key þ ci1 ; 256Þ  keySe:i |fflfflffl{zfflfflffl} |fflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflffl} Pseudorandom Pseudorandom |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} Pseudorandom |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}

ð31Þ

As mentioned above, it is obvious that the randomness of cipher-image is independent of the type of plain-image such as binary, gray level and so on. It is worth mentioning once again that the proposed algorithm considers pixels of binary images as eight bits and encrypts/ decrypts them. For 10, 12, and 16-bit images, pixels of the image are divided into 8-bit sub-pixels and then this algorithm encrypts/decrypts these sub-pixels. As a result, we strongly claim that the proposed algorithm can be applied to all sorts of images for generating a random output.

5 Conclusion In this paper, a novel algorithm for image encryption based on hash function is presented. A 512-bit long external secret key is used as the input value of the salsa20 hash function. The key space is large enough to resist brute-force attacks. The key stream in the encryption process depends on both the initial keys and the plain-image. The proposed method is a private key encryption system with only two rounds of diffusion process. In the first round of diffusion process, an original image is partitioned horizontally to an array which consists of 1,024 sections each of size 8 9 8. In the second round, the same operation is applied vertically to the transpose of the obtained array. To encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images. This, in turn, will significantly increase the resistance of this cryptosystem against known/chosenplaintext and differential attacks. Statistical analysis shows that the scheme can well protect the image against statistical attack. The scheme possesses high key sensitivity and has a good ability to resist differential attacks. The measured EQ shows that the proposed algorithm has a better EQ than others. MAE, NPCR and UACI were used as three criterions to examine the performance of resistance against differential attacks. The results demonstrate that a swift change in the original image and the key will result in a significant change in the ciphered image and cannot yield the correct plain-image. All parts of the encryption system were simulated using MATLAB. The decryption procedure is similar to that of the encryption but in the reversed order. Overall, it seems that the proposed algorithm can be a good candidate for image encryption.

Pseudorandom

Therefore, the output of Eq. (30) like mode CBC in the block cipher can produce a random output.

123

Acknowledgments The authors would like to thank the Editor and the anonymous Referees for their valuable comments and suggestions to improve this paper.

Author's personal copy A novel image encryption based on hash function

References 1. Chen, G., Mao, Y., Chui, C.K.: A symmetric image encryption scheme based on 3D chaotic cat maps. J. Chaos Solitons Fractals 21, 749–761 (2004) 2. Tong, X., Cui, M., Wang, Z.: A new feedback image encryption scheme based on perturbation with dynamical compound chaotic sequence cipher generator. J. Opt. Commun. 282, 2722–2728 (2009) 3. Wei, X., Guo, L., Zhang, Q., Zhang, J., Lian, S.: A novel color image encryption algorithm based on DNA sequence operation and hyper-chaotic system. J. Syst. Softw. 85, 290–299 (2012) 4. Alvarez, E., Fernandez, A., Garcı´a, P., Jimenez, J., Marcano, A.: New approach to chaotic encryption. J. Phys. Lett. A 263, 373–375 (1999) 5. Alvarez, G., Montoya, F., Romera, M., Pastor, G.: Cryptanalysis of a chaotic encryption system. J. Phys. Lett. A 276, 191–196 (2000) 6. Yen, J.C., Guo, J.I.: A new chaotic key-based design for image encryption and decryption. Proc. IEEE Int. Conf. Circuits Syst. 4, 49–52 (2000) 7. Li, S., Zheng, X.: Cryptanalysis of a chaotic image encryption method. Proc. IEEE Int. Symp. Circuits Syst. 2, 708–711 (2002) 8. Cheddad, A., Condell, J., Curran, K., Kevitt, P.M.: A hash-based image encryption algorithm. J. Opt. Commun. 283, 879–893 (2010) 9. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. J. Fast Softw. Encryption 3017, 371–388 (2004) 10. Wang, Y., Liao, X., Xiao, D., Wong, K.W.: One-way hash function construction based on 2D coupled map lattices. J. Inf. Sci. 178, 1391–1406 (2008) 11. Sinha, A., Singh, K.: A technique for image encryption using digital signature. J. Opt. Commun. 218, 229–234 (2003) 12. Encinas, L.H., Dominguez, A.P.: Comment on ‘A technique for image encryption using digital signature’. J. Opt. Commun. 268, 261–265 (2006) 13. Seyedzade, S.M., Atani, R.E., Mirzakuchaki, S.: A novel image encryption algorithm based on hash function. In: Iranian Conference on Machine Vision and Image Processing, No. 5941167 (2010) 14. Belkhouche, F., Qidwai, U.: Binary image encoding using onedimensional chaotic map. In: Proceedings of the IEEE Annual Technical Conference, pp. 39–43 (2003) 15. Bernstein, D.J.: Salsa20 specification. http://cr.yp.to/snuffle. html#xsalsa (2005) 16. Borujeni, S.E., Eshghi, M.: Chaotic image encryption system using phase-magnitude transformation and pixel substitution. J. Telecommun. Syst. (2011). doi:10.1007/s11235-011-9458-8 17. Seyedzadeh, S.M., Mirzakuchaki, S.: A fast color image encryption algorithm based on coupled two-dimensional piecewise chaotic map. J. Signal Process. 92, 1202–1215 (2012) 18. Zhu, C.: A novel image encryption scheme based on improved hyperchaotic sequences. J. Opt. Commun. 285, 29–37 (2012) 19. Kumar, A., Ghose, M.K.: Extended substitution–diffusion based image cipher using chaotic standard map. J. Commun. Nonlinear Sci. Numer. Simul. 16, 372–382 (2011) 20. Zhang, G., Liu, Q.: A novel image encryption method based on total shuffling scheme. J. Opt. Commun. 284, 2775–2780 (2011) 21. Mazloom, S., Eftekhari-Moghadam, A.M.: Color image encryption based on coupled nonlinear chaotic map. J. Chaos Solitons Fractals 42, 1745–1754 (2009) 22. Huang, C.K., Liao, C.W., Hsu, S.L., Jeng, Y.C.: Implementation of gray image encryption with pixel shuffling and gray-level

23.

24.

25.

26.

27.

28.

29. 30.

31.

32.

33. 34. 35. 36.

37. 38.

39.

40.

41.

42.

43.

44.

encryption by single chaotic system. J. Telecommun. Syst. (2011). doi:10.1007/s11235-011-9461-0 Akhshani, A., Behnia, S., Akhavan, A., Hassan, H.A., Hassan, Z.: A novel scheme for image encryption based on 2D piecewise chaotic maps. J. Opt. Commun. 283, 3259–3266 (2010) Sun, F., Liu, S., Li, Z., Lu, Z.: A novel image encryption scheme based on spatial chaos map. J. Chaos Solitons Fractals 38, 631–640 (2008) Behnia, S., Akhshani, A., Ahadpour, S., Mahmodi, H., Akhavan, A.: A fast chaotic encryption scheme based on piecewise nonlinear chaotic maps. J. Phys. Lett. A 366, 391–396 (2007) Wang, Y., Wong, K.W., Liao, X., Chen, G.: A new chaos-based fast image encryption algorithm. J. Appl. Soft Comput. 11, 514–522 (2011) Kwok, H.S., Tang, W.K.S.: A fast image encryption system based on chaotic maps with finite precision representation. J. Chaos Solitons Fractals 32, 1518–1529 (2007) Rhouma, R., Belghith, S.: Cryptanalysis of a new image encryption algorithm based on hyper-chaos. J. Phys. Lett. A 372, 5973–5978 (2008) Ge, X., Liu, F., Lu, B., Yang, C.: Improvement of Rhouma’s attacks on Gao algorithm. J. Phys. Lett. A 374, 1362–1367 (2010) Behnia, S., Akhshani, A., Mahmodi, H., Akhavan, A.: A novel algorithm for image encryption based on mixture of chaotic maps. J. Chaos Solitons Fractals 35, 408–419 (2008) Zhang, Q., Guo, L., Wei, X.: Image encryption using DNA addition combining with chaotic maps. J. Math. Comput. Model. 52, 2028–2035 (2010) Zhu, Z.L., Zhang, W., Wong, K.W., Yu, H.: A chaos-based symmetric image encryption scheme using a bit-level permutation. J. Inf. Sci. 181, 1171–1186 (2011) Gao, T., Chen, Z.: A new image encryption algorithm based on hyper-chaos. J. Phys. Lett. A 372, 394–400 (2008) Gao, T., Chen, Z.: Image encryption based on a new total shuffling algorithm. J. Chaos Solitons Fractals 38, 213–220 (2008) Gao, H., Zhang, Y., Liang, S., Li, D.: A new chaotic algorithm for image encryption. J. Chaos Solitons Fractals 29, 393–399 (2006) Zhao, L., Adhikari, A., Xiao, D., Sakurai, K.: On the Security analysis of an image scrambling encryption of pixel bit and its improved scheme based on self-correlation encryption. J. Commun. Nonlinear Sci. Numer. Simulat. 17, 3303–3327 (2012) Huang, X.: Image encryption algorithm using chaotic Chebyshev generator. J. Nonlinear Dyn. 67(4), 2411–2417 (2012) Francois, M., Grosges, T., Barchiesi, D., Erra, R.: A new image encryption scheme based on a chaotic function. J. Signal Process. Image Commun. 27, 249–259 (2012) Zhou, Y., Panetta, K., Agaian, S., Chen, C.L.P.: Image encryption using P-Fibonacci transform and decomposition. J. Opt. Commun. 285, 594–608 (2010) Lian, S., Sun, J., Wang, Z.: A block cipher based on a suitable use of the chaotic standard map. J. Chaos Solitons Fractals 26, 117–129 (2005) Chen, H.C., Guo, J.I., Huang, L.C., Yen, J.C.: Design and realization of a new signal security system for multimedia data transmission. J. EURASIP J. Appl. Signal Process. 13, 1291–1305 (2003) Yuen, C.H., Wong, K.W.: A chaos-based joint image compression and encryption scheme using DCT and SHA-1. J. Appl. Soft Comput. 11, 5092–5098 (2011) Cheddad, A., Condell, J., Curran, K., Kevitt, P.M.: A skin tone detection algorithm for an adaptive approach to steganography. J. Signal Process. 89, 2465–2478 (2009) Cheddad, A., Condell, J., Curran, K., Kevitt, P.M.: A secure and improved self-embedding algorithm to combat digital document forgery. J. Signal Process. 89, 2324–2332 (2009)

123

Author's personal copy B. Norouzi et al. 45. Chen, T.S., Chen, J., Chen, J.G.: A simple and efficient watermark technique based on JPEG2000 Codec. Multimed. Syst. 10, 16–26 (2004) 46. Chang, E.C., Kankanhalli, M.S., Guan, X., Huang, Z., Wu, Y.: Robust image authentication using content based compression. Multimed. Syst. 9, 121–130 (2003) 47. Guo, H., Georganas, N.D.: A novel approach to digital image watermarking based on a generalized secret sharing scheme. Multimed. Syst. 9, 249–260 (2003) 48. Pommer, A., Uhl, A.: Selective encryption of wavelet-packet encoded image data: efficiency and security. Multimed. Syst. 9, 279–287 (2003) 49. Yeo, I.K., Kim, H.J.: Generalized patchwork algorithm for image watermarking. Multimed. Syst. 9, 261–265 (2003) 50. Jiang, J., Armstrong, A., Feng, G.C.: Web-based image indexing and retrieval in JPEG compressed domain. Multimed. Syst. 9, 424–432 (2004) 51. Norouzi, B., Mirzakuchaki, S., Seyedzadeh, S.M., Mosavi, M.R.: A simple, sensitive and secure image encryption algorithm based on hyper-chaotic system with only one round diffusion process. Multimed. Tools Appl. (2012). doi:10.1007/s11042-012-1292-9 52. Seyedzadeh, S.M., Mirzakuchaki, S.: Image encryption scheme based on Choquet fuzzy integral with pseudo-random keystream generator. In: 11th International Symposium on Artificial Intelligence and Signal Processing (AISP), June 2011, pp. 101–106

123

53. Seyedzadeh, S.M., Hashemi, Y.: Image encryption algorithm based on Choquet fuzzy integral with self-adaptive pseudo-random number generator. In: 11th International Conference on Intelligent Systems Design and Applications (ISDA), November 2011, pp. 642–647 54. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997) 55. Goldreich, O.: Foundations of Cryptography. Weizmann Institute of Science, Rehovot (1995) (fragment of a book) 56. Bernstein, D.: Salsa20 security. http://www.ecrypt.eu.org/stream/ e2-salsa20.html 57. Seyedzadeh, S.M., Moosavi, S.M.S., Mirzakuchaki, S.: Using self-adaptive coupled piecewise nonlinear chaotic map for color image encryption scheme. In: 19th Iranian Conference on Electrical Engineering, pp. 1–6 (2011) 58. Neves, S.: Cryptography in GPUs. Master’s thesis, Universidade de Coimbra, Coimbra (2009). [Online]. http://eden.dei.uc.pt/ *sneves/gpucrypto.pdf 59. Mukherjee, P.: An overview of eSTREAM ciphers. [Online]. http://cs.au.dk/*pratyay/eSTREAM.pdf 60. Mascagni, M., Chi, H.: Parallel linear congruential generators with Sophie–Germain moduli. Parallel Comput. 30(11), 1217– 1231 (2004) 61. Wu, P., Huang, K.: Parallel use of multiplicative congruential random number generators. J. Parallel Comput. 175(1), 25–29 (2006)