A novel image encryption based on hash function with only two-round diffusion process Benyamin Norouzi, Seyed Mohammad Seyedzadeh, Sattar Mirzakuchaki & Mohammad Reza Mosavi Multimedia Systems ISSN 0942-4962 Multimedia Systems DOI 10.1007/s00530-013-0314-4
1 23
Your article is protected by copyright and all rights are held exclusively by SpringerVerlag Berlin Heidelberg. This e-offprint is for personal use only and shall not be selfarchived in electronic repositories. If you wish to self-archive your work, please use the accepted author’s version for posting to your own website or your institution’s repository. You may further deposit the accepted author’s version on a funder’s repository at a funder’s request, provided it is not made publicly available until 12 months after publication.
1 23
Author's personal copy Multimedia Systems DOI 10.1007/s00530-013-0314-4
REGULAR PAPER
A novel image encryption based on hash function with only two-round diffusion process Benyamin Norouzi • Seyed Mohammad Seyedzadeh Sattar Mirzakuchaki • Mohammad Reza Mosavi
•
Received: 16 April 2012 / Accepted: 28 February 2013 Springer-Verlag Berlin Heidelberg 2013
Abstract In this paper, a novel algorithm for image encryption based on hash function is proposed. In our algorithm, a 512-bit long external secret key is used as the input value of the salsa20 hash function. First of all, the hash function is modified to generate a key stream which is more suitable for image encryption. Then the final encryption key stream is produced by correlating the key stream and plaintext resulting in both key sensitivity and plaintext sensitivity. This scheme can achieve high sensitivity, high complexity, and high security through only two rounds of diffusion process. In the first round of diffusion process, an original image is partitioned horizontally to an array which consists of 1,024 sections of size 8 9 8. In the second round, the same operation is applied vertically to the transpose of the obtained array. The main idea of the algorithm is to use the average of image data for encryption. To encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images (even with the same sequence based on hash function). This, in turn, will significantly increase the resistance of the cryptosystem against known/chosen-
plaintext and differential attacks. It is demonstrated that the 2D correlation coefficients (CC), peak signal-to-noise ratio (PSNR), encryption quality (EQ), entropy, mean absolute error (MAE) and decryption quality can satisfy security and performance requirements (CC\0.002177, PSNR\8.4642, EQ [204.8, entropy [7.9974 and MAE [79.35). The number of pixel change rate (NPCR) analysis has revealed that when only one pixel of the plain-image is modified, almost all of the cipher pixels will change (NPCR [99.6125 %) and the unified average changing intensity is high (UACI[33.458 %). Moreover, our proposed algorithm is very sensitive with respect to small changes (e.g., modification of only one bit) in the external secret key (NPCR [99.65 %, UACI[33.55 %). It is shown that this algorithm yields better security performance in comparison to the results obtained from other algorithms. Keywords Image encryption Salsa20 hash function Diffusion process Security Sensitivity
1 Introduction Communicated by M. Kankanhalli. B. Norouzi (&) S. M. Seyedzadeh S. Mirzakuchaki M. R. Mosavi School of Electrical Engineering, Iran University of Science and Technology, Narmak, 16846-13114 Tehran, Iran e-mail:
[email protected] S. M. Seyedzadeh e-mail:
[email protected] S. Mirzakuchaki e-mail:
[email protected] M. R. Mosavi e-mail:
[email protected]
Deployment of communication networks, such as mobile networks and the internet, leads to more comfortable access to digital images through multimedia networks. Therefore, much research has been performed on these images to prevent access by illegal users and attackers. Commonly, encryption is chosen as a means to ensure high security. An encryption mechanism aims at keeping the information confidential while it is being transmitted or stored on a medium that is potentially subject to unauthorized access. Image encryption methods try to convert an image to another one so that it is difficult to understand. In order to keep the image confidential between users, it is essential
123
Author's personal copy B. Norouzi et al.
that no one be able to decrypt the image without the appropriate decryption key. To meet this challenge, a variety of traditional encryption algorithms such as advanced encryption standard (AES) and data encryption standard (DES) have been proposed. But these algorithms are inefficient for image encryption due to image inherent features such as huge data capacity, high redundancy, and high correlation among pixels in image files. Recently, along with the rapid development of theory and application of chaos, many types of chaos-generating algorithms have been proposed [1–4]. Random oscillation of the solutions in deterministic systems described as differential or difference equations is called chaos. However, encryption based on chaos is not always secure. In Ref. [4], Alvarez et al. proposed a new cryptosystem based on the iteration of a chaotic system. It is a symmetric block cipher and encodes each plain block into a three-tuple cipher-block. But soon after its introduction, Alvarez et al. [5] cracked this cryptosystem with four cryptanalytic methods and pointed out some other weaknesses. In Ref. [6], chaotic key-based image encryption algorithm (CKBA) has been proposed. According to a chaotic binary sequence, the gray level of each pixel is XORed or XNORed bit-by-bit to one of the two selected keys. As mentioned in Ref. [7], CKBA is very weak to the chosen/known-plaintext attack and moreover its security to brute-force attack is also questionable. Hash functions were introduced in cryptography to provide message integrity and authentication [8–15]. These functions are the fundamental building blocks of information security and play an important role in modern cryptography. Hash functions are used because they are unique for a particular image and are very difficult to revert. Sinha and Singh [11] have used MD5 algorithm for generation of an image signature to encrypt images. As mentioned in Ref. [12], the cryptosystem proposed in [11] is insecure and the weakness of the system mainly lies on the small size of the set of possible keys and in the redundant properties of the BCH codes. In fact, the secret key and the original image can be recovered efficiently by a brute-force attack. Ref. [13] has suggested an algorithm for image encryption based on SHA-512. The main idea of this method is to use one half of image data for encryption of the other half of the image reciprocally. Conventional hash functions, such as MD5 and SHA, involve logical operations or multi-round iterations of some available ciphers. Although each step of the former is simple, the number of processing rounds could be huge even if the message is very short. The security and efficiency of the latter totally rely on the intrinsic cipher which needs complicated computations [10]. The fundamental technique to encrypt images is pixel permutation and diffusion. In the permutation stage, the positions of image pixels are changed. The main purpose of
123
the permutation process is to crack the correlation between adjacent pixels of an image but due to the fact that pixel values are not changed, the histograms of the cipher-image and the plain-image are the same. Therefore, this method is not resistant to the statistical analysis. In the diffusion stage, the pixel values of plain-image are changed sequentially. Therefore, a slight change in one pixel can spread out to almost all pixels in the whole image and the correlations between adjacent pixels of an image can be cracked simultaneously as well. Compared to the permutation, diffusion may lead to higher security. In other words, the permutation process is not necessary in an image encryption scheme. Some image encryption algorithms based on low dimensional chaotic systems with a permutation–diffusion structure have been cracked [6, 14]. As far as we know, in most of the proposed algorithms, permutation and diffusion are often combined to get high computational security [16–22]. In this paper, we propose a novel hash function-based image encryption method with only two diffusion processes. The diffusion process can change the pixel values and crack the correlations between adjacent pixels of an image simultaneously. Based on the sequence which is generated by salsa20 hash function and correlating keys with plaintext of an image to be encrypted, the algorithm uses different key streams when encrypting different input images (even with the same sequence based on hash function). This, in turn, will significantly increase the resistance of the cryptosystem against attacks. The presented scheme has shown exceptionally superior properties in many aspects such as high complexity, high security, more complex key stream, high sensitivity, high quality of encryption and decryption, and simplicity of structure. Experimental results and performance analysis prove the viability of this cryptography based on privacy, integrity, and authenticity. The rest of this paper is organized as follows. Section 2 gives a brief introduction of the hash function. Section 3 introduces the proposed encryption scheme. Section 4 evaluates the security of the proposed algorithm. Some conclusions are drawn in Sect. 5. 2 Hash functions A hash function H is a transformation that compresses an input of arbitrary length to a fixed length which is called the hash value h [that is, h = H(m)]. Hash function should satisfy three features [8, 9]: •
Pre-image resistance: for essentially all pre-specified outputs, it is computationally impossible to find any input which hashes to that output, i.e., to find any preimage m1 such that H(m1) = h when given any h for which a corresponding input is not known.
Author's personal copy A novel image encryption based on hash function
•
•
Second pre-image resistance: it is computationally impossible to find any second input which has the same output as any specified input, i.e., given m, to find a second pre-image m = m1 such that h(m) = h(m1). Collision resistance: it is computationally impossible to find any two distinct inputs m and m1 which hash to the same output, i.e., such that h(m) = h(m1).
In our algorithm, a 512-bit long external secret key is used as the input value of the salsa20 hash function. This section defines salsa20 from bottom up, starting from three simple operations on 4-byte words. 2.1 Background and definitions
ðz15 ; z3 ; z7 ; z11 Þ ¼ QRðy15 ; y3 ; y7 ; y11 Þ
If the input {y0, y1,…,y15} is a square matrix, then the column-round operation modifies the columns of the matrix in parallel by feeding a permutation of each row through the quarter-round operation. The column-round operation is the transpose of the row-round function. The double-round (DR) operation: if x is a 16-word sequence, then DR(x) is a 16-word sequence as follows: DR(xÞ ¼ RRðCRðxÞÞ
ð4Þ
This operation modifies the columns of the input in parallel and then modifies the rows in parallel. Each word is modified twice. The littleendian (L) operation: if b = (b0, b1, b2, b3) is a 4-byte sequence, then L(b) is a word as given by:
In order to better understand the structure, the equivalent description of the process is presented first and then the hash function is described in next section [15]. The quarter-round (QR) operation: if y = {y0, y1, y2, y3} is a 4-word (32 byte) sequence, then QR(y) = {z0, z1, z2, z3} is a 4-word sequence, where:
2.2 The salsa20 hash function
z1 ¼ y1 bitshift(ðy0 þ y3 Þ; 7Þ
ð1aÞ
xi ¼ Lðk4i ; k4iþ1 ; k4iþ2 ; k4iþ3 Þ
z2 ¼ y2 bitshiftððz1 þ y0 Þ; 9Þ
ð1bÞ
z3 ¼ y3 bitshiftððz2 þ z1 Þ; 13Þ
ð1cÞ
z0 ¼ y0 bitshiftððz3 þ z2 Þ; 18Þ
ð1dÞ
where x y returns the result after a bitwise XOR operation and bitshift(A, k) returns the value of A shifted by k bits. According to above equation, first y1 modifies to z1, then y2 modifies to z2, then y3 modifies to z3, and finally y0 modifies to z0. The row-round (RR) operation: if y = {y0, y1,…,y15} is a 16-word sequence then RR(y) = {z0, z1,…,z15} is a 16-word sequence, where:
ð3dÞ
L(bÞ ¼ b0 þ 28 b1 þ 216 b2 þ 224 b3 :
ð5Þ
Starting from the 512-bit external secret key, K = (k0, k1,…,k63), we define: ð6Þ
where i = 0, 1,…,15. Then we have: ðz0 ; z1 ; . . .; z15 Þ ¼ DR10 ðx0 ; x1 ; . . .; x15 Þ
ð7Þ -1
Finally, salsa20(x) is the concatenation of L (xi ? zi). In short: salsa20ðxÞ ¼ x þ DR10 ðxÞ
ð8Þ
where i = 0, 1,…,15. Note that each 4-byte sequence is viewed as a word in littleendian form. Therefore, the core of salsa20 is a hash function with 64-byte input and 64-byte output.
ðz0 ; z1 ; z2 ; z3 Þ ¼ QRðy0 ; y1 ; y2 ; y3 Þ
ð2aÞ
ðz5 ; z6 ; z7 ; z4 Þ ¼ QRðy5 ; y6 ; y7 ; y4 Þ
ð2bÞ
3 The proposed encryption scheme
ðz10 ; z11 ; z8 ; z9 Þ ¼ QRðy10 ; y11 ; y8 ; y9 Þ
ð2cÞ
ðz15 ; z12 ; z13 ; z14 Þ ¼ QRðy15 ; y12 ; y13 ; y14 Þ
ð2dÞ
The encryption algorithm proposed in this paper is based on two rounds of diffusion. In order to encrypt images of size M 9 N, we pad the gray level image by replication of the right-most column and the bottom row to make sure that the number of rows and columns in the image are both a multiple of 8 [17]. Then, the padded image is partitioned into sections of size 8 9 8 and is encrypted using the previous encrypted sections and subsequent unencrypted sections. Therefore, as a result of this dependency, a swift change in the original image will result in a significant change in the ciphered image. On the other hand, the hash-based key streams are designed so that the algorithm for images with various sizes is greatly sensitive to the change in even a single bit of the
If the input {y0, y1,…,y15} is a square matrix, then the row-round operation modifies the rows of the matrix in parallel by feeding a permutation of each row through the quarter-round operation. The column-round (CR) operation: if y = {y0, y1,…,y15} is a 16-word sequence then CR(y) = {z0, z1,…,z15} is a 16-word sequence, where: ðz0 ; z4 ; z8 ; z12 Þ ¼ QRðy0 ; y4 ; y8 ; y12 Þ
ð3aÞ
ðz5 ; z9 ; z13 ; z1 Þ ¼ QRðy5 ; y9 ; y13 ; y1 Þ
ð3bÞ
ðz10 ; z14 ; z2 ; z6 Þ ¼ QRðy10 ; y14 ; y2 ; y6 Þ
ð3cÞ
123
Author's personal copy B. Norouzi et al.
512-bit secret key. Therefore, the proposed scheme can achieve high sensitivity, high complexity, and high security through only two rounds of diffusion process. The following is the detailed description of our image encryption and decryption algorithms. 3.1 Encryption algorithm We assume that the original image is a 256 gray-scale image of size M 9 N. This is an integer matrix of M rows by N columns in which the values range from 0 to 255. The detailed encryption algorithm is described as follows. 3.1.1 First round of diffusion process Step 1: the external 512-bit secret key is applied. The salsa20 hash function is used to generate the original pseudo-random 64-byte key stream according to Sect. 2.2. The key stream is converted to 8 9 8 matrix denoted by ‘‘hash.key’’. Step 2: the matrix of the original image is transformed into 8 9 MN/8 array denoted by P. The obtained matrix is equally partitioned to MN/64 sections as P = {Se.0, Se.1, Se.2,…,Se.(MN/64-1)}. Suppose the pixel sequence of cipher-image is denoted by C89MN/8 = {c0, c1,…,cMN/64-1}, where ci denotes the section of the cipher-image pixels. The size of each section is 8 9 8. Let C / P and i / 0; Step 3: using the following equations, we can calculate ‘‘meanSe.i’’ and ‘‘keySe.i’’: ! ! MN=641 X meanSe:i ¼ mean2 cj mean2ðci Þ j¼0 . 1014 4 2564 ð9Þ keySe:i ¼ floorðmodðhash:key meanSe:i; 256ÞÞ
ð10Þ
where mean2(ci) computes the mean of the values in ci. The size of ‘‘keySe.i’’ is 8 9 8. If i = 0, we go to step 4; else we go to step 5. Step 4: the first section of the cipher-image is obtained by the first section of the plain-image and the keys ‘‘hash.key’’ and ‘‘keySe.0’’, according to the following formula: c0 ¼ Se:0 mod ðhash:key þ keySe:0; 256Þ keySe:0
ð11Þ
Now we go to step 6. Step 5: the ith section of cipher-image is obtained by the values of the ith section of P, the previously
123
encrypted section, ‘‘hash.key’’:
the
ith
key
(keySe.i),
and
ci ¼ Se:i mod ðhash:key þ ci1 ; 256Þ keySe:i
ð12Þ
The size of each section (ci) is 8 9 8. Step 6: we let i / i ? 1 and return to step 3 until i reaches MN/64-1. Then, we get the encrypted array C = {c0, c1,…,cMN/64-1}. The size of this array is 8 9 MN/8. We set d1 = cMN/64-1. The size of d1 is 8 9 8. According to Eqs. (9) and (10), to encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images (even with the same sequence based on hash function). This, in turn, will significantly increase the resistance of the cryptosystem against known/chosenplaintext and differential attacks. 3.1.2 Second round of diffusion process Step 1: replace C (which is obtained in previous round) with its transpose. The size of obtained matrix is MN/ 8 9 8. Let i / 0. Step 2: compute ‘‘meanSe.i’’ and ‘‘keySe.i’’ using Eqs. (9) and (10), respectively. Step 3: if i = 0; go to step 4; else go to step 5. Step 4: obtain the first section of the cipher-image using the values of the first section and the last section of the cipher-image outputted after the first round operation (c0 and d1), the key ‘‘keySe.0’’, as well as ‘‘hash.key’’ according to the following formula: c0 ¼ c0 mod ðhash:key þ d1 ; 256Þ keySe:0
ð13Þ
Then go to step 6. Step 5: obtain the corresponding section of the cipherimage using the values of the currently operated section and the previously encrypted section, the ith key (keySe.i) and ‘‘hash.key’’, as follows: ci ¼ ci mod ðhash:key þ ci1 ; 256Þ keySe:i
ð14Þ
Step 6: let i / i ? 1; return to step 2 until i reaches MN/ 64-1. Then get the encrypted array C = {c0, c1,…,cMN/ 64-1}. The size of this array is MN/8 9 8. The final pixel sequence of cipher-image is obtained by converting the size of this array to M 9 N. Note that each modification is invertible and thus the entire algorithm is invertible.
Author's personal copy A novel image encryption based on hash function
3.2 Decryption algorithm The decryption procedure is similar to that of the encryption process except that some steps are followed in a reversed order. Step 1: generate the key stream according to the external 512-bit secret key. All operations are the same as steps 1 and 2 in the first round of diffusion process. Step 2: the matrix of the cipher-image is transformed into an MN/8 9 8 array denoted by C. This matrix is equally partitioned to MN/64 sections as C = {c0, c1,…,cMN/64-1}. The size of each section is 8 9 8. Step 3: first round of operation to remove the effect of diffusion: Implementing the reverse operations is equivalent to the second round of diffusion operation in the encryption process from the last section to the first section. The formulas for removing the effect of diffusion are the same as Eqs. (14) and (13). Step 4: replace C with its transpose. The size of obtained matrix is 8 9 MN/8. Step 5: second round of operation to remove the effect of diffusion: Implementing the reverse operations is equivalent to the first round of diffusion operation in the encryption process from the last section to the first section. Obtain the recovered image sections Q = {Se.0, Se.1,…,Se.(MN/64-1)} from C = {c0, c1,…,cMN/64-1} using the following formulas: Se:i ¼ ci mod ðhash:key þ ci1 ; 256Þ keySe:i
ð15Þ
Se:0 ¼ c0 mod ðhashkey þ keySe:0; 256Þ keySe:0 ð16Þ where i = MN/64-1,…,2, 1. The size of Q = {Se.0, Se.1,…,Se.(MN/64-1)} is 8 9 MN/8. The final pixel sequence of image is obtained by converting the size of this array to M 9 N.
4 Performance and security analysis A good encryption scheme should resist all kinds of known attacks, such as known-plaintext attack, cipher text only attack, statistical attack, differential attack, and various brute-force attacks [21–27]. In this section, the proposed image cryptosystem is analyzed using different security measures. These measures consist of statistical analysis, key space analysis, information entropy analysis, sensitivity analysis, and avalanche criterion. In order to compare the performance of the proposed algorithm to other methods, first the proposed method is used and applied to eight standard images and its performance is evaluated against several criteria. The averages of these
criteria for these eight images are obtained. These averages are considered as the performance of the proposed algorithm. Then, the performances of other methods, based on these criteria, are compared to the performance of the proposed image encryption system. Each of these criteria is described in detail in the following subsections. 4.1 Statistical analysis 4.1.1 Histogram Eight 256 gray-level images are selected with size of 256 9 256 and with different contents and their histograms are calculated. With respect to Figs. 1, 2, 3, 4, 5, 6, 7, and 8, the histogram of plain-images contains large sharp rises followed by sharp declines and the histogram of all cipherimages under the proposed algorithm is fairly uniform and significantly different from that of the plain-images. This fact can well protect the information of the image to withstand the statistical attack. The equation used to compute the uniformity of a histogram caused by the proposed encryption scheme is justified by the Chi-square test [16] as follows: v2 ¼
256 X ðmk 256Þ2 k¼1
ð17Þ
256
where k is the number of gray levels (256) and vk is the observed occurrence frequencies of each gray level (0–255). The lower value of the Chi-square value indicates a better uniformity (see Table 1). 4.1.2 Correlation analysis of two adjacent pixels There exists a high correlation between pixels of an image which is considered as an intrinsic feature. Statistical attack uses this intrinsic property to carry out the cryptanalysis. Thus, a secure encryption scheme should remove this intrinsic correlation to improve resistance against statistical analysis [17–30]. To test the correlation between two adjacent pixels in plain-image and ciphered image, the following procedure was carried out. First, 4,096 pairs of two adjacent pixels (in horizontal, vertical and diagonal direction) from plain-image and cipherimage were randomly selected. Then correlation coefficients (CC) (rxy) of each pair were calculated using the following equations: pffiffiffiffiffiffipffiffiffiffi rxy ¼ covðx; yÞ= Dx Dy ð18aÞ Ex ¼
N 1X xi N i¼1
ð18bÞ
123
Author's personal copy B. Norouzi et al.
Fig. 1 a Lena image; b histogram of Lena; c Lena encryption; and d histogram of Lena encryption
Fig. 2 a Cameraman image; b histogram of cameraman; c cameraman encryption; and d histogram of cameraman encryption
Fig. 3 a Baboon image; b histogram of baboon; c baboon encryption; and d histogram of baboon encryption
Fig. 4 a Peppers image; b histogram of peppers; c peppers encryption; and d histogram of peppers encryption
123
Author's personal copy A novel image encryption based on hash function
Fig. 5 a Tiffany image; b histogram of Tiffany; c Tiffany encryption; and d histogram of Tiffany encryption
Fig. 6 a F16 image; b histogram of F16; c F16 encryption; and d histogram of F16 encryption
Fig. 7 a Lake image; b histogram of lake; c lake encryption; and d histogram of lake encryption
Fig. 8 a Elaine image; b histogram of Elaine; c Elaine encryption; and d histogram of Elaine encryption
123
Author's personal copy B. Norouzi et al. Table 1 Chi-square test and correlation coefficient of different plain-image and cipher-image Image
Original image Chi-square
Lena Cameraman
Encrypted image Correlation coefficients
Chi-square
Horizontal
Vertical
Diagonal
Correlation coefficients Horizontal
28,588
0.9187466
0.9557728
0.8877604
189.61
113,654
0.9439921
0.9618159
0.9155575
268.28
-0.002259
44,395 36,778
0.6910626 0.9436501
0.5797986 0.9527033
0.6034725 0.9074691
240.01 237.50
-0.003668 0.000127
Baboon Peppers
0.0008213
Diagonal
0.0008423 -0.000313 0.0003721 0.0003223
0.0005083 -0.000009 -0.0009163 0.0089575
Tiffany
133,363
0.8875606
0.9324861
0.8492056
249.30
F16
163,822
0.8993711
0.8939348
0.8185195
255.24
-0.000986
Lake
42,952
0.9309474
0.9373847
0.8972699
244.82
-0.000337
Elaine
34,297
0.9593344
0.9645689
0.9341779
238.29
-0.000607
Average
74,731
0.896833
0.897308
0.851679
240.38
0.001196
0.000746
0.002804
Ref. [16]
35,452
0.9148
0.9275
0.8640
265
0.0079
0.0099
0.0077
Dx ¼
N 1X ðxi EðxÞÞ2 N i¼1
covðx; yÞ ¼
ð18cÞ
N 1X ðxi EðxÞÞðyi EðyÞÞ N i¼1
ð18dÞ
where x and y are gray-scale values of two adjacent pixels in the image. N is the total number of duplets (x, y) obtained from the image. Chi-square test and CC of different plain/cipher-images are reported in Table 1 according to the plain-images of Figs. 1, 2, 3, 4, 5, 6, 7, and 8. Absolute values of CC are used for computing the average values which is shown in Table 1. The measured CC of the plain-image are close to 1 while those of the cipher-image are nearly 0. Also, the Chi-square value of cipher-image should be a low value corresponding to a great difference between the original image and the encrypted image. Table 2 Comparison correlation coefficient of the proposed method with the other methods Encryption methods
Vertical
Diagonal
Proposed scheme
0.0008213
0.0008423
0.0005083
Ref. [2]
0.0171888
0.0098527
0.0330454
Ref. [13]
-0.0006
-0.0030
0.0061
Ref. [16]
0.0041
0.0308
0.0053
0.001005
-0.00085
Ref. [19]
0.0004992
-0.00198
Ref. [20]
-0.000848277
Ref. [22]
-0.0025
123
0.00370914 -0.0006
0.0009769 -0.002643 0.0002046
0.0013673 -0.000903 -0.000696 -0.009078
Table 2 compares the CC for our proposed scheme, Tong’s scheme [2], Seyedzade’s scheme [13], Borujeni’s scheme [16], Zhu’s scheme [18], Kumar’s scheme [19], Zhang’s scheme [20] and Huang’s scheme [22] on Lena image. Table 2 shows that our algorithm yields better security performance in comparison to the results obtained from other algorithms. As a result, the proposed algorithm has successfully removed the correlation of adjacent pixels in the original image so that neighboring pixels in the cipherimage virtually have no correlation. Finally, Fig. 9 shows the correlation distribution of two horizontally adjacent pixels in the Lena image and that in the ciphered image. 4.1.3 Correlations between original and cipher-images We have analyzed the correlation between various pairs of plain/cipher-images by calculating the 2D CC between original and encrypted images [18]. The CC is calculated as follows: !, M X N X ij BÞ CC ¼ ðAij AÞðB vffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ! ! u M N M X N X u XX 2 2 t ðAij AÞ ðBij BÞ i¼1 j¼1
Ref. [18]
-0.000297
i¼1 j¼1
Cipher-image of Lena Correlation coefficients Horizontal
0.0007661
Vertical
0.000897 0.0008371 -0.000189 -0.0050
ð19Þ
i¼1 j¼1
Here, A represents the original image and B represents the cipher-image. A and B are the mean values of the elements of matrices A and B, respectively. M and N are the height and width of the plain/cipher-image, respectively. CC values of different plain-images are reported in second column of Table 3 according to the plain-images of Figs. 1, 2, 3, 4, 5, 6, 7, and 8. The measured CCs are nearly 0. Therefore, the encrypted and original images are
Author's personal copy A novel image encryption based on hash function
Fig. 9 Correlation of two adjacent pixels: a distribution of two horizontally adjacent pixels in the plain-image, b distribution of two vertically adjacent pixels in the plain-image, c distribution of two diagonally adjacent pixels in the plain-image, d distribution of two
horizontally adjacent pixels in the cipher-image, e distribution of two vertically adjacent pixels in the cipher-image, and f distribution of two diagonally adjacent pixels in the cipher-image
Table 3 Parameters of the encryption quality Image
Proposed algorithm CC
Ref. [16]
Ref. [18] CC
MSE
PSNR
EQ
Entropy
MSE
PSNR
Entropy
Lena
0.000111
9,030
8.5740
145.7
7.9979
7,510
0.002851
9.2322
7.9977
Cameraman
0.003256
9,392
8.4031
259
7.9971
8,778
-0.003558
8.3688
7.9969 7.9970
Baboon
7,364
9.4598
189.67
7.9974
6,583
-0.006632
9.5466
Peppers
-0.003320 0.0006326
8,319
8.93
155.20
7.9974
8,298
-0.001650
8.9914
7.9973
Tiffany
0.0032111
13,159
6.9386
308.34
7.9973
–
–
–
–
F16
0.0023236
10,377
7.9699
258.58
7.9972
9,980
–
–
–
Lake
-0.0003063
9,854
8.1945
160.11
7.9973
9,467
–
–
–
Elaine
-0.0042579
7,739
9.2437
161.92
7.9974
–
–
–
–
9,404.3
8.4642
204.82
7.9974
8,369
0.003673
9.0348
7.9972
significantly different. Absolute values of CC are used for computing the average value which is shown in Table 3.
MSE ¼
Average
0.002177
4.1.4 MSE and peak signal-to-noise ratio analysis To evaluate the reliability of the proposed algorithm, mean square error (MSE) between encrypted image and original image is measured. MSE is calculated using the following equation [16]:
M X N 1 X ðaði; jÞ bði; jÞÞ2 M N i¼1 j¼1
ð20Þ
where M 9 N is the size of the image. The parameters a(i, j) and b(i, j) refer to the pixels located at the ith row and the jth column of original image and encrypted image, respectively. The larger the MSE value, the better the encryption security. Furthermore, the encrypted image
123
Author's personal copy B. Norouzi et al.
quality is evaluated using peak signal-to-noise ratio (PSNR) [11] which is described by the following expression: 2 I PSNR ¼ 10 log10 Max ð21Þ MSE where Imax is the maximum of pixel value of the image. The PSNR should be a low value which corresponds to a great difference between the original image and the encrypted image. The effectiveness of the proposed method, evaluated in terms of MSE and PSNR for all eight images, is tabulated in third and fourth columns of Table 3. 4.1.5 Measurement of encryption quality Plain-image pixels’ gray levels change after image encryption as compared to their original values before encryption. This means that the higher the change in pixels’ values, the more effective will be the image encryption and hence the encryption quality (EQ). The quality of image encryption may be determined as follows: let C(i, j) and P(i, j) be the gray value of the pixels at grid (i, j) in cipher and plain-image, each of size M 9 N pixels with L gray levels, respectively. Clearly, P(i, j) and C(i, j) [ {0, 1,…,L - 1}. We will define HL(P) and HL(C) as the number of occurrences for each gray level L in the plainimage and cipher-image, respectively. The EQ represents the average number of changes to each gray level L. The larger the EQ value, the better the encryption security. The EQ is calculated as: EQ ¼
255 X
ðHL ðCÞ HL ðPÞÞ =256
Key space is the total number of different keys that can be used in an encryption system. A good encryption algorithm should be sensitive to the secret keys and the key space should be sufficiently large to make brute-force attack impossible. The size of the key space should be larger than 2100 to provide a high level of security [17]. Since the secret key of the proposed method is 512-bit long, the key space is about 2512. It seems that the size of key space compared with [17–21] is large enough to resist all kinds of brute-force attacks.
ð22Þ 4.4.1 Differential attack
In Table 3, EQ values are shown in the fifth column. 4.2 Information entropy analysis The entropy is one of the most outstanding features for measuring the randomness of image encryption algorithm. The information entropy H(s) of a message source s can be computed as: M 2X 1
i¼0
Pðsi Þ log2
1 Pðsi Þ
ð23Þ
where P(si) denotes the probability of symbol si, and 2M is the total states of the information source. For a purely random source emitting 2M symbols, the entropy should be M. For an ideally random image, the value of the information entropy is 8. Entropy values of different plainimages are reported in the sixth column of Table 3 according to the plain-images of Figs. 1, 2, 3, 4, 5, 6, 7, and 8. These entropy values are very close to the theoretical
123
4.3 Key space analysis
4.4 Sensitivity analysis 2
L¼0
HðsÞ ¼
value 8. This means that information leakage in the encryption process is negligible and the encryption scheme is secure upon entropy attack. Entropy values of Lena image in proposed algorithm is 7.9979. To compare the entropy values for Lena encryption, the entropy values of the reported schemes in the recent years are mentioned in [20]. The Sun’s algorithm reports H = 7.9965; the Baptista’s algorithm reports H = 7.9260; the Wong’s algorithm reports H = 7.9690; the Xiang’s algorithm reports H = 7.9950; and the Xiang’s algorithm reports H = 7.9950 [20]. Compared with these existing results, the entropy results of the proposed algorithm for the cipherimage Lena are better than those of the existing algorithms. Absolute values of CC are used for computing the average value which is shown in Table 3.
Attackers often make a small change to the plain-image and use the proposed algorithm to encrypt the plain-image before and after this change. By comparing these two encrypted images they find out the relationship between the plain-image and the cipher-image. This kind of attack is called differential attack. In order to resist differential attack, a minor alternation in the plain-image should cause a substantial change in the cipher-image [20, 21]. To test the influence of one-pixel change on the whole image encrypted by the proposed algorithm, two common measures can be used: number of pixels’ change rate (NPCR) and unified average changing intensity (UACI). Let’s denote two cipher-images whose corresponding plainimages have only one-pixel difference by C1 and C2, respectively. We label the gray-scale values of the pixels at grid (i, j) in C1 and C2 by C1(i, j) and C2(i, j), respectively. We define a bipolar array D which has the same size as C1 and C2. Then, D(i, j) is determined by C1(i, j) and C2(i, j). If C1(i, j) = C2(i, j), then D(i, j) = 0; otherwise,
Author's personal copy A novel image encryption based on hash function
D(i, j) = 1. NPCR and UACl are defined by the following formulas: P i;j Dði; jÞ 100 % ð24Þ NPCR ¼ MN ! X jC1 ði; jÞ C2 ði; jÞj 1 UACI ¼ 100 % ð25Þ M N i;j 255 where M and N are the width and height of both C1 and C2. The larger the NPCR and UACI values, the better the encryption security. Researchers usually use MAE as another criterion to examine the performance of resisting differential attack. Let C(i, j) and P(i, j) be the gray level of the pixels at the ith row and the jth column of an M 9 N cipher and plainimage, respectively. The MAE between these two images is defined as: MAE ¼
M X N 1 X jCði; jÞ Pði; jÞj M N i¼1 j¼1
ð26Þ
The larger the MAE value, the better the encryption security. 4.4.1.1 Key sensitivity A good encryption algorithm should be sensitive to the secret keys [21]. It means that a change in a single bit of the secret key should produce a completely different encrypted image. Key sensitivity analysis has been performed for the proposed image encryption algorithm and the results are summarized as follows. We encrypted a 256 9 256 gray image of Lena using key1: ‘‘101, 120, 112, 124, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 110, 100, 32, 49, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 54, 45, 98, 121, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 116, 101, 32, 107’’ as the first set of keys. The same plain-image was encrypted with slightly different keys (toggling the last bit of the secret key) as key2: ‘‘101, 120,
112, 124, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 110, 100, 32, 49, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 54, 45, 98, 121, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 116, 101, 32, 106’’. Now, these two ciphered images are compared. This test shows that although the two keys are different in only one bit, there is a difference of up to 99.63 % in terms of pixel gray-scale values between the image encrypted by key1 and the image encrypted by key2. Figure 10 shows the test result. As a result, if a slightly modified 512-bit key is used to decrypt the cipher-image, the decryption fails completely (see Fig. 10d). The difference between two encryptions can be observed by means of the CC, PSNR, NPCR and UACI. Changing different bits in arbitrary positions of the key has been tested with the results shown in Table 4. It can be seen that these NPCR values are very high and the average value of NPCR is 99.65 %. In other words, the parameters of the proposed method are greatly sensitive to a change in even one bit of the secret key. Therefore, the proposed scheme can resist against brute-force attacks. 4.4.1.2 Plaintext sensitivity In order to evaluate plaintext sensitivity of our proposed scheme, an original image is encrypted first. Then, one pixel in original image is randomly selected and changed. The modified image is encrypted again using the same key so as to produce a new cipher-image. Finally, the NPCR and UACI values are computed. This kind of test is performed over 100 times with different images (a total of 800 times for all images). Table 5 provides the data related to the experimental results obtained by the proposed method. Also, the MAE values are shown in the last column of Table 5. The results of NPCR and UACI for the original image Lena are shown in Fig. 11a, b, respectively. It is clear that the NPCR and UACI values remain in the vicinity of the expected values which are shown in the last row of
Fig. 10 a Lena image; b Lena encryption with key1; c decrypted image with key1; and d decrypted image with key2
123
Author's personal copy B. Norouzi et al. Table 4 Pixel difference between images encrypted by keys with one bit difference Image
Proposed algorithm
Ref. [17]
Ref. [27]
CC
PSNR
NPCR
UACI
NPCR
UACI
Lena
-0.0049
8.5260
99.6689
33.5561
0.9960981
0.3346294
99.60244
Cameraman
-0.0005
8.3871
99.6460
33.5185
–
–
–
Baboon
0.0041
9.4920
99.6384
33.6305
0.9960982
0.3346229
–
Peppers
0.0031
8.9343
99.6628
33.5712
0.9960971
0.3346120
99.60352
Tiffany
0.0088
6.9531
99.6475
33.6510
–
–
–
F16
NPCR
-0.0037
7.9701
99.6597
33.5383
0.9960934
0.3345708
–
Lake Elaine
0.0011 0.0022
8.1821 9.2928
99.6628 99.6521
33.4640 33.4739
– –
– –
– –
Average
0.00355
8.4672
99.6548
33.5504
Image size of [17]: 512 9 512
–
Table 5 Evaluate plaintext sensitivity and MAE Image
NPCR
UACI
MAE
Max
Min
Average
Max
Min
Average
Lena
99.66
99.55
99.6137
33.61
33.25
33.4594
Cameraman
99.69
99.55
99.6131
33.68
33.28
33.4615
79.41
Baboon
99.67
99.55
99.6111
33.65
33.22
33.4629
71.63
Peppers
99.66
99.56
99.6137
33.59
33.14
33.3948
74.76
Tiffany
99.68
99.53
99.6110
33.70
33.32
33.4913
94
F16
99.69
99.53
99.6118
33.68
33.25
33.4719
83.21
Lake Elaine
99.67 99.67
99.53 99.54
99.6118 99.6134
33.67 33.61
33.26 33.24
33.4807 33.4411
81.34 72.53
Average (800 iterations)
99.6125
33.4580
79.354
Expected values
99.60937
33.46354
–
77.95
Fig. 11 a NPCR for 100 modified plain-images Lena and b UACI for 100 modified plain-images Lena
Table 5. The NPCR and UACI measurements reported in Refs. [1, 24] are 50.23, 0.40 and 25.23, 0.3192 %, respectively. They can hardly satisfy any high performance requirement. To make a comparison with other algorithms, the round number of image-scanning, permutation, and diffusion rounds required to achieve this performance are tabulated
123
in Table 6. The results show that the round number of image-scanning, permutation, and diffusion required by the new algorithm is fewer than that by other comparable algorithms. Thus, the proposed algorithm indeed leads to a faster encryption speed. Table 6 shows this algorithm is superior compared to the existing algorithms mentioned in Ref. [26].
Author's personal copy A novel image encryption based on hash function Table 6 The round number of scanning-image, permutation and diffusion to achieve NPCR [99.6 % and UACI [33.4 % Algorithm
Proposed
NPCR (%)
UACI (%)
[99.61 [33.45
Table 7 Parameters of the decryption quality Image
Round number of Scanningimage 2
Permutation 0
Proposed algorithm
Ref. [11]
CC
MSE
PSNR
CC
PSNR
Lena
1
0
Inf
1
96.2956
Cameraman
1
0
Inf
1
96.2956
Baboon
1
0
Inf
1
96.2956 96.2956
Diffusion 2
Ref. [26]
[99.6
[33.3
2
2
2
Lian’s
[99.6
[33.3
18
18
6
Wong’s
[99.6
[33.3
4
4
2
Mao’s
[99.6
[33.3
6
3
3
Xiao’s
[99.6
[33.3
6
3
3
Peppers
1
0
Inf
1
Tiffany
1
0
Inf
–
–
F16
1
0
Inf
–
–
Lake Elaine
1 1
0 0
Inf Inf
– –
– –
4.4.2 Avalanche criterion It is known that the change of one bit in the plaintext should result in theoretically 50 % difference in the cipher’s bits. In order to prove the claimed sensitivity to the plaintext, we may generate two plain-images with just onebit difference. The bits change rate of the cipher-image is 49.9992370605469 %, and very close to the ideal value of 50 %. This measurement reported in Refs. [2, 17, 19, 23] is 49.98, 50.012287, 49.97 and 49.99 %, respectively. So our scheme is nearly ideal. 4.5 Resistance to known-plaintext and chosen-plaintext attacks In the two rounds of diffusion process, from Eqs. (11) to (14), one can see that the final encryption keys are (mod (hash.key ? keySe.0, 256) keySe.0), (mod(hash.key ? d1 256), keySe.0) and (mod(hash.key ? ci-1, 256) keySe.i)), in which ‘‘hash.key’’ and ‘‘keySe.i’’ for i [ 1 are related to the initial values of the hash function, and ci-1 for i [ 1 or d1 are related to the pixel values of the plainimage. As a result, cipher-image values depend on the plain-image and the final encryption keys. In addition, according to Eqs. (9) and (10), to encrypt each section of image, the average of other sections is employed. So the algorithm uses different key streams and averages when encrypting different input images. The attacker cannot obtain useful information by encrypting some special images since the resultant information is related to those chosen-images. Therefore, the attacks proposed in Refs. [5, 7, 12, 28, 29] become ineffective on this new scheme. The proposed scheme can well resist the known-plaintext and the chosen-plaintext attacks.
should be near 1 or equal to 1, the MSE should be a small value, and the PSNR should be large. To determine the decryption quality, the decryption algorithm is applied to all eight encrypted images. The CC, the MSE, and the PSNR are calculated for each decrypted image. The test results are shown in Table 7. For the proposed decryption, the CC of each decryption is 1. The MSE of each decryption is 0 and the PSNR of each decryption is infinite. The results suggest that every decryption is accurate. In other words, each decrypted image is identical to the corresponding original image. Thus, a good quality is demonstrated in the proposed decryption. 4.7 Other security issues The proposed scheme with two diffusion processes is capable of not only scrambling the data, but also it changes the intensity of the pixels which contributes to the safety of the encryption. For convenience, Fig. 12 shows a cropped gray-scale matrix of size 5 9 5 from a plain-image along with its encrypted version. According to this figure, the method combines the scrambling and diffusion. Notice how the same gray values are encrypted differently. This irregularity is very important to hamper any attempt to reverse-attack the algorithm. Confusion (permutation) process has not been employed due to several significant reasons: •
4.6 Decryption quality • The decryption quality has been evaluated by calculating the CC, MSE and PSNR. For a good decryption, the CC
Confusion’s security is threatened by the statistical attacks [1–3, 16–20]. In the confusion stage, the positions of image pixels are changed, but due to the fact that pixel values are not modified, the histogram of the cipher-image and the plain-image is the same. Therefore, this method is not resistant to the statistical analysis and is not secure. Confusion process usually takes more time than diffusion process to shuffle the plain-image. Refs. [32, 40, 41] have reported larger computation time for
123
Author's personal copy B. Norouzi et al.
Fig. 12 a A 5 9 5 cropped plain-image, b gray-scale matrix of a, c encrypted version of a using the proposed algorithm and d gray-scale matrix of c
•
•
confusion process than diffusion process. For example, we can see that the operation speeds of diffusion process of Refs. [32, 41] are about 5 and 720 ms faster than confusion process, respectively. The diffusion process can modify the pixel values and break the correlations between adjacent pixels of an image simultaneously [1–3, 16–20]. In other words, in the diffusion stage, the pixel values of plain-image are changed sequentially. Therefore, a slight change for one pixel can spread out to almost all pixels in the whole image and the correlations between adjacent pixels of an image can be cracked simultaneously as well. Other researchers such as [18, 21] have also used only diffusion process in their algorithm.
Statistical analysis such as histogram, Chi-square test, correlation of adjacent pixels, 2D CC between original and encrypted images, MSE, PSNR, and entropy information, all indicate that our scheme possesses a good property of scrambling and diffusion. To evaluate the robustness of our algorithm against JPEG compression, noise, and data loss attacks, two modes are considered: (a) We suppose meanSe.i = 10-14 for i = 0, 1,…,MN/ 64-1. As a result, hash.key = keySe.i [see Eq. (10)]. Now, we test the robustness of our algorithm against JPEG compression, noise, and data loss attacks. 4.7.1 JPEG compression attack To evaluate the resistance of proposed method against JPEG compression attack, first the Lena original image shown in Fig. 1a was encrypted by the encryption algorithm. Then, we compressed the encrypted image with different quality factors (Q). The results are shown in Fig. 13. The PSNR index was used to quantitatively evaluate the similarity between reconstructed images and the original images [8, 39, 42–50]. As shown in Fig. 13, the encryption scheme is secure upon JPEG compression attack.
123
4.7.2 Noise attacks To test the robustness of proposed method against noise attacks, the following procedure was carried out. The original image shown in Fig. 1a was encrypted by the encryption algorithm. Then, salt and pepper noise with a density of 0.05 is added to the encrypted images [39, 42– 46]. Then, we tried to reconstruct the original image from these noisy encrypted images. The PSNR index was used to quantitatively evaluate the similarity between reconstructed images and the original ones. The results are shown in Fig. 14. It is very obvious that the proposed image encryption algorithm is not merely an XOR operation since the PSNR is different than that obtained from original image. 4.7.3 Data loss attacks The data (gray value of image pixels) within a 20 9 20 window in the center of the cipher-images were removed by replacing them with zeros. Then, we tried to reconstruct the original image from the cipher-images with data loss. The reconstructed images were evaluated by the PSNR index measure [39]. The results are shown in Fig. 15. It is concluded that the proposed scheme can resist against different attacks (noise attack and data loss attacks) in the spatial domain and compressed domain (JPEG compression). (b) We suppose meanSe:i 6¼ 1014 for i = 0, 1,…,MN/ 64-1. In other words, the average of image data is employed for encryption and decryption (according to Eqs. (10)–(16)). To encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images (even with the same sequence based on hash function). In this case, our algorithm is very sensitive to any small change in the plain and cipher-image. So it can be concluded that a small change in the cipher-image (caused by compression, noise, cropping, rotation, etc.) will generate a completely different decryption result and cannot get the correct plain-
Author's personal copy A novel image encryption based on hash function
Fig. 13 Image recovery after JPEG attack with different quality factors (Q)
image. This shows the resistance of the cryptosystem against differential attacks. 4.8 Speed analysis Apart from the security consideration, some other issues on image encryption are also important [51–53]. This includes the encryption speed for real-time processes. In general, encryption speed is highly dependent on the CPU/MPU structure, RAM size, operating system platform, the programming language, and also on the compiler options.
Table 8 compares the encryption time of the proposed cryptosystem, Zhu’s algorithm [18], Zhu’s algorithm [32] and Gao’s algorithms [33, 34]. The experiments are all performed using MATLAB 7.6.0.324 (R2008a) on a personal computer (PC) with a 2.4-GHz CPU, 4-GB RAM, 640-GB hard-disk capacity, and the Microsoft Windows 7 operating system. In the proposed cryptosystem, we only need two rounds of diffusion process; so, it just takes us 0.41 s to complete the whole process for a gray image of size 256 9 256. Therefore, the encryption method proposed in this paper is fast.
123
Author's personal copy B. Norouzi et al. Fig. 14 Image recovery after salt and pepper noise: a original Lena image with salt and pepper noise; b decrypted Lena image after adding salt and pepper noise to the encrypted image
Fig. 15 Data loss attacks: a the cipher-image with data loss and b reconstructed image
Table 8 The comparison of encryption time between our proposed method and the other cryptosystems Algorithm
Encryption time (s)
Proposed algorithm
0.41
Zhu’s [18]
0.69
Zhu’s [32]
[2.9
Gao’s [33]
0.83
Gao’s [34]
[3
Several studies have also reported the encryption time of their algorithm as shown in Table 9. Both Tables 8 and 9 demonstrate that our algorithm can achieve high speed. There are three main contributing factors: •
Only a two-round diffusion operation is enough to yield a perfect cipher-image with high security in our method. However, for Lian’s scheme six rounds are needed [40] (see Table 6).
Table 9 Encryption speed test results for image size of 256 9 256 pixels Algorithm
Size
Encryption time (s)
System characteristics
Platform
Ref. [1]
256 9 256
0.4
Pentium IV 1 GHz
VisualC??
Ref. [35]
256 9 256
[0.5
Pentium IV 1.5 GHz
VisualC??
\1.37
Core 2 Duo CPU 1.40 GHz
Matlab2009
Ref. [36]
256 9 256
Ref. [37]
256 9 256
0.547
Core(TM) 2, 2.00 GHz
Matlab 6.5
Ref. [38]
256 9 256
0.9
Pentium(R) 1.7 GHz
C and gcc-4.6.0
123
Author's personal copy A novel image encryption based on hash function
•
•
4.10 The analytical/mathematical argument of the proposed algorithm for encrypting all images
Only simple operations are included in our image encryption algorithm. In each round, for each section, there are only a few XOR operations, addition, etc. The cryptosystem proposed in [32] employed the Arnold cat map for permutation and the logistic map for diffusion. Ref. [18] employs improved hyper-chaotic sequences in key scheming. In the diffusion processes, instead of encrypting each pixel, a block of pixels are encrypted. In other words, the algorithm can be executed in parallel.
The proposed algorithm consists of two processes: key schedule process and diffusion process. The diffusion process includes two rounds whose first round applies key stream generated in key schedule process to encrypt original 8-bit pixels. In the second round, the diffusion process uses key streams to encrypt 8-bit pixels encrypted in the first round and satisfy the security requirements. For binary images, black and white pixels are considered as 8-bit pixels with values of 0 and 255, respectively, and are then encrypted/decrypted. For 10, 12, and 16-bit images, pixels are divided into 8-bit sub-pixels and then the proposed algorithm encrypts/decrypts sub-pixels. In the following paragraphs, analytical/mathematical arguments are given to prove that the pseudo-random nature of the encrypted image and its histogram are independent of the original image. According to Refs. [54, 55], it is obvious that if x and k are the pseudo-random sequence and the constant value (or pseudo-random sequence), respectively, then it can be written as follows: x 2 fpseudo-random sequenceg if k ¼ cteðor pseudo-random sequenceÞ 8 ð27Þ > : z¼kx
Therefore, as far as the encryption speed is concerned, our scheme is fast. 4.9 Comparison The performances of other methods, based on several criteria, are compared to the performance of the proposed image encryption system. Table 10 shows the results. The results reveal the fact that the proposed algorithm yields better security performance in comparison to other algorithms. We have conducted the supplementary experimental study on many large-scale images CVG-UGR. Table 11 shows the average results for a large number of images of various sizes. For color image encryption, the proposed algorithm utilizes the same method to encrypt its R, G, and B components three times independently. With respect to speed, simultaneous generation of pseudo-random number by hash-based key stream generation process in parallel mode causes the proposed cryptosystem to achieve high speed performance for color images.
Table 10 Comparison of our proposed method with other algorithms Algorithm
Image
NPCR (%)
UACI (%)
Entropy
Average of correlation coefficients
Key space
Proposed algorithm
Lena
99.6137
33.4594
7.9979
0.000742
2512
Ref. [2]
Lena
0.4144
33.42
7.9971
0.020029
4 9 1028
Ref. [20] (2 rounds)
Lena
99.6063
33.4758
7.9975
0.001582
2104
Ref. [22]
Lena
99.54
28.27
7.9967
0.0027
1048
Ref. [23]
Goldhill
0.39
0.33
7.9989
0.005833
2225
Ref. [24]
Cameraman
0.40
0.3192
–
0.001343
10289m9n
Ref. [25]
Boat
0.46
0.39
7.9972
0.003333
2186
Ref. [30]
Barbara
0.41962
0.3325
7.9968
0.002167
2260
Ref. [31]
Lena
0.38
7.9980
0.003267
1072
EQ
Entropy
Chi-square
NPCR
UACI
MAE 80.2
99.61
Table 11 The average results for different images Image size
Correlation coefficients
CC
MSE
PSNR
256 9 256
0.00084
0.00056
0.00021
0.0023
9,610
8.3877
214.4
7.9973
247.3
99.61
33.51
512 9 512
0.00074
0.00097
0.00068
0.0014
9,236
8.5550
832.79
7.9993
254.6
99.61
33.46
78.6
1,024 9 1,024
0.00048
0.00079
0.00095
0.0007
9,203
8.5717
3,341.88
7.9998
257.40
99.61
33.46
78.8
123
Author's personal copy B. Norouzi et al.
where the sequence of z will be the pseudo-random sequence. As a result, the constant, nonzero value of k does not change the randomness of the pseudo-random sequence. As mentioned in the previous section, the matrix of ‘‘hash.key’’ is the output of the salsa hash function which generates the pseudo-random sequence with the uniform distribution [56–59]. In order to encrypt the first block (c0), the value of the keySe.0 in Eq. (10) should be calculated. The equation is equivalent to a multiplicative congruential random number generator [60, 61] where the constant multiplier must be always chosen between 0 and modulus. In order to satisfy this provision in Eq. (10), values of ‘‘hash.key’’ always range between 0 and 255. Accordingly, Eq. (10) generates the pseudo-random numbers in each of the iterations. In Eq. (11), pseudo-random values of ‘‘hash.key’’ and ‘‘keySe.0’’ are used to calculate the first encrypted block (c0). According to argument presented in Eq. (27), the combination of the ‘‘hash.key’’ and ‘‘keySe.0’’ leads to: A0 ¼ modðhash:key þ keySe:0 ; 256Þ keySe:0 |fflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} |fflfflfflffl{zfflfflfflffl} Pseudorandom Pseudorandom |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}
ð28Þ
Pseudorandom
where A0 will be a random sequence and the exclusive-OR of each integer or pseudo-random matrix with A0 results in a pseudo-random sequence (see Eq. (27)): C0 ¼ Se:0 A0
ð29Þ
Regardless of matrix type of Se.0, for instance binary and gray level, etc., Eq. (29) can result in random values. The encryption of other blocks is similar to the first block and uses the previous encrypted values in encryption structure. In Eq. (12), the chaining mechanism causes cipher-text ci to depend on Se.i and the pseudo-random sequence which consists of ci-1, ‘‘hash.key’’ and ‘‘keySe.0’’. As mentioned earlier, ‘‘hash.key’’ is the initial pseudo-random salsa20 sequence [56–59], ‘‘keySe.0’’ is a pseudo-random sequence and ci-1 is the preceding cipher value. As a result, Eq. (12) is similar to the equation used in n-bit block cipher such as cipher-block chaining (CBC) [54] which is presented as follows: ci ¼ Se.i Ai
ð30Þ
where Ai ¼ modðhash:key þ ci1 ; 256Þ keySe:i |fflfflffl{zfflfflffl} |fflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflffl} Pseudorandom Pseudorandom |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl} Pseudorandom |fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}
ð31Þ
As mentioned above, it is obvious that the randomness of cipher-image is independent of the type of plain-image such as binary, gray level and so on. It is worth mentioning once again that the proposed algorithm considers pixels of binary images as eight bits and encrypts/ decrypts them. For 10, 12, and 16-bit images, pixels of the image are divided into 8-bit sub-pixels and then this algorithm encrypts/decrypts these sub-pixels. As a result, we strongly claim that the proposed algorithm can be applied to all sorts of images for generating a random output.
5 Conclusion In this paper, a novel algorithm for image encryption based on hash function is presented. A 512-bit long external secret key is used as the input value of the salsa20 hash function. The key space is large enough to resist brute-force attacks. The key stream in the encryption process depends on both the initial keys and the plain-image. The proposed method is a private key encryption system with only two rounds of diffusion process. In the first round of diffusion process, an original image is partitioned horizontally to an array which consists of 1,024 sections each of size 8 9 8. In the second round, the same operation is applied vertically to the transpose of the obtained array. To encrypt each section, the average of other sections is employed. The algorithm uses different averages when encrypting different input images. This, in turn, will significantly increase the resistance of this cryptosystem against known/chosenplaintext and differential attacks. Statistical analysis shows that the scheme can well protect the image against statistical attack. The scheme possesses high key sensitivity and has a good ability to resist differential attacks. The measured EQ shows that the proposed algorithm has a better EQ than others. MAE, NPCR and UACI were used as three criterions to examine the performance of resistance against differential attacks. The results demonstrate that a swift change in the original image and the key will result in a significant change in the ciphered image and cannot yield the correct plain-image. All parts of the encryption system were simulated using MATLAB. The decryption procedure is similar to that of the encryption but in the reversed order. Overall, it seems that the proposed algorithm can be a good candidate for image encryption.
Pseudorandom
Therefore, the output of Eq. (30) like mode CBC in the block cipher can produce a random output.
123
Acknowledgments The authors would like to thank the Editor and the anonymous Referees for their valuable comments and suggestions to improve this paper.
Author's personal copy A novel image encryption based on hash function
References 1. Chen, G., Mao, Y., Chui, C.K.: A symmetric image encryption scheme based on 3D chaotic cat maps. J. Chaos Solitons Fractals 21, 749–761 (2004) 2. Tong, X., Cui, M., Wang, Z.: A new feedback image encryption scheme based on perturbation with dynamical compound chaotic sequence cipher generator. J. Opt. Commun. 282, 2722–2728 (2009) 3. Wei, X., Guo, L., Zhang, Q., Zhang, J., Lian, S.: A novel color image encryption algorithm based on DNA sequence operation and hyper-chaotic system. J. Syst. Softw. 85, 290–299 (2012) 4. Alvarez, E., Fernandez, A., Garcı´a, P., Jimenez, J., Marcano, A.: New approach to chaotic encryption. J. Phys. Lett. A 263, 373–375 (1999) 5. Alvarez, G., Montoya, F., Romera, M., Pastor, G.: Cryptanalysis of a chaotic encryption system. J. Phys. Lett. A 276, 191–196 (2000) 6. Yen, J.C., Guo, J.I.: A new chaotic key-based design for image encryption and decryption. Proc. IEEE Int. Conf. Circuits Syst. 4, 49–52 (2000) 7. Li, S., Zheng, X.: Cryptanalysis of a chaotic image encryption method. Proc. IEEE Int. Symp. Circuits Syst. 2, 708–711 (2002) 8. Cheddad, A., Condell, J., Curran, K., Kevitt, P.M.: A hash-based image encryption algorithm. J. Opt. Commun. 283, 879–893 (2010) 9. Rogaway, P., Shrimpton, T.: Cryptographic hash-function basics: definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance. J. Fast Softw. Encryption 3017, 371–388 (2004) 10. Wang, Y., Liao, X., Xiao, D., Wong, K.W.: One-way hash function construction based on 2D coupled map lattices. J. Inf. Sci. 178, 1391–1406 (2008) 11. Sinha, A., Singh, K.: A technique for image encryption using digital signature. J. Opt. Commun. 218, 229–234 (2003) 12. Encinas, L.H., Dominguez, A.P.: Comment on ‘A technique for image encryption using digital signature’. J. Opt. Commun. 268, 261–265 (2006) 13. Seyedzade, S.M., Atani, R.E., Mirzakuchaki, S.: A novel image encryption algorithm based on hash function. In: Iranian Conference on Machine Vision and Image Processing, No. 5941167 (2010) 14. Belkhouche, F., Qidwai, U.: Binary image encoding using onedimensional chaotic map. In: Proceedings of the IEEE Annual Technical Conference, pp. 39–43 (2003) 15. Bernstein, D.J.: Salsa20 specification. http://cr.yp.to/snuffle. html#xsalsa (2005) 16. Borujeni, S.E., Eshghi, M.: Chaotic image encryption system using phase-magnitude transformation and pixel substitution. J. Telecommun. Syst. (2011). doi:10.1007/s11235-011-9458-8 17. Seyedzadeh, S.M., Mirzakuchaki, S.: A fast color image encryption algorithm based on coupled two-dimensional piecewise chaotic map. J. Signal Process. 92, 1202–1215 (2012) 18. Zhu, C.: A novel image encryption scheme based on improved hyperchaotic sequences. J. Opt. Commun. 285, 29–37 (2012) 19. Kumar, A., Ghose, M.K.: Extended substitution–diffusion based image cipher using chaotic standard map. J. Commun. Nonlinear Sci. Numer. Simul. 16, 372–382 (2011) 20. Zhang, G., Liu, Q.: A novel image encryption method based on total shuffling scheme. J. Opt. Commun. 284, 2775–2780 (2011) 21. Mazloom, S., Eftekhari-Moghadam, A.M.: Color image encryption based on coupled nonlinear chaotic map. J. Chaos Solitons Fractals 42, 1745–1754 (2009) 22. Huang, C.K., Liao, C.W., Hsu, S.L., Jeng, Y.C.: Implementation of gray image encryption with pixel shuffling and gray-level
23.
24.
25.
26.
27.
28.
29. 30.
31.
32.
33. 34. 35. 36.
37. 38.
39.
40.
41.
42.
43.
44.
encryption by single chaotic system. J. Telecommun. Syst. (2011). doi:10.1007/s11235-011-9461-0 Akhshani, A., Behnia, S., Akhavan, A., Hassan, H.A., Hassan, Z.: A novel scheme for image encryption based on 2D piecewise chaotic maps. J. Opt. Commun. 283, 3259–3266 (2010) Sun, F., Liu, S., Li, Z., Lu, Z.: A novel image encryption scheme based on spatial chaos map. J. Chaos Solitons Fractals 38, 631–640 (2008) Behnia, S., Akhshani, A., Ahadpour, S., Mahmodi, H., Akhavan, A.: A fast chaotic encryption scheme based on piecewise nonlinear chaotic maps. J. Phys. Lett. A 366, 391–396 (2007) Wang, Y., Wong, K.W., Liao, X., Chen, G.: A new chaos-based fast image encryption algorithm. J. Appl. Soft Comput. 11, 514–522 (2011) Kwok, H.S., Tang, W.K.S.: A fast image encryption system based on chaotic maps with finite precision representation. J. Chaos Solitons Fractals 32, 1518–1529 (2007) Rhouma, R., Belghith, S.: Cryptanalysis of a new image encryption algorithm based on hyper-chaos. J. Phys. Lett. A 372, 5973–5978 (2008) Ge, X., Liu, F., Lu, B., Yang, C.: Improvement of Rhouma’s attacks on Gao algorithm. J. Phys. Lett. A 374, 1362–1367 (2010) Behnia, S., Akhshani, A., Mahmodi, H., Akhavan, A.: A novel algorithm for image encryption based on mixture of chaotic maps. J. Chaos Solitons Fractals 35, 408–419 (2008) Zhang, Q., Guo, L., Wei, X.: Image encryption using DNA addition combining with chaotic maps. J. Math. Comput. Model. 52, 2028–2035 (2010) Zhu, Z.L., Zhang, W., Wong, K.W., Yu, H.: A chaos-based symmetric image encryption scheme using a bit-level permutation. J. Inf. Sci. 181, 1171–1186 (2011) Gao, T., Chen, Z.: A new image encryption algorithm based on hyper-chaos. J. Phys. Lett. A 372, 394–400 (2008) Gao, T., Chen, Z.: Image encryption based on a new total shuffling algorithm. J. Chaos Solitons Fractals 38, 213–220 (2008) Gao, H., Zhang, Y., Liang, S., Li, D.: A new chaotic algorithm for image encryption. J. Chaos Solitons Fractals 29, 393–399 (2006) Zhao, L., Adhikari, A., Xiao, D., Sakurai, K.: On the Security analysis of an image scrambling encryption of pixel bit and its improved scheme based on self-correlation encryption. J. Commun. Nonlinear Sci. Numer. Simulat. 17, 3303–3327 (2012) Huang, X.: Image encryption algorithm using chaotic Chebyshev generator. J. Nonlinear Dyn. 67(4), 2411–2417 (2012) Francois, M., Grosges, T., Barchiesi, D., Erra, R.: A new image encryption scheme based on a chaotic function. J. Signal Process. Image Commun. 27, 249–259 (2012) Zhou, Y., Panetta, K., Agaian, S., Chen, C.L.P.: Image encryption using P-Fibonacci transform and decomposition. J. Opt. Commun. 285, 594–608 (2010) Lian, S., Sun, J., Wang, Z.: A block cipher based on a suitable use of the chaotic standard map. J. Chaos Solitons Fractals 26, 117–129 (2005) Chen, H.C., Guo, J.I., Huang, L.C., Yen, J.C.: Design and realization of a new signal security system for multimedia data transmission. J. EURASIP J. Appl. Signal Process. 13, 1291–1305 (2003) Yuen, C.H., Wong, K.W.: A chaos-based joint image compression and encryption scheme using DCT and SHA-1. J. Appl. Soft Comput. 11, 5092–5098 (2011) Cheddad, A., Condell, J., Curran, K., Kevitt, P.M.: A skin tone detection algorithm for an adaptive approach to steganography. J. Signal Process. 89, 2465–2478 (2009) Cheddad, A., Condell, J., Curran, K., Kevitt, P.M.: A secure and improved self-embedding algorithm to combat digital document forgery. J. Signal Process. 89, 2324–2332 (2009)
123
Author's personal copy B. Norouzi et al. 45. Chen, T.S., Chen, J., Chen, J.G.: A simple and efficient watermark technique based on JPEG2000 Codec. Multimed. Syst. 10, 16–26 (2004) 46. Chang, E.C., Kankanhalli, M.S., Guan, X., Huang, Z., Wu, Y.: Robust image authentication using content based compression. Multimed. Syst. 9, 121–130 (2003) 47. Guo, H., Georganas, N.D.: A novel approach to digital image watermarking based on a generalized secret sharing scheme. Multimed. Syst. 9, 249–260 (2003) 48. Pommer, A., Uhl, A.: Selective encryption of wavelet-packet encoded image data: efficiency and security. Multimed. Syst. 9, 279–287 (2003) 49. Yeo, I.K., Kim, H.J.: Generalized patchwork algorithm for image watermarking. Multimed. Syst. 9, 261–265 (2003) 50. Jiang, J., Armstrong, A., Feng, G.C.: Web-based image indexing and retrieval in JPEG compressed domain. Multimed. Syst. 9, 424–432 (2004) 51. Norouzi, B., Mirzakuchaki, S., Seyedzadeh, S.M., Mosavi, M.R.: A simple, sensitive and secure image encryption algorithm based on hyper-chaotic system with only one round diffusion process. Multimed. Tools Appl. (2012). doi:10.1007/s11042-012-1292-9 52. Seyedzadeh, S.M., Mirzakuchaki, S.: Image encryption scheme based on Choquet fuzzy integral with pseudo-random keystream generator. In: 11th International Symposium on Artificial Intelligence and Signal Processing (AISP), June 2011, pp. 101–106
123
53. Seyedzadeh, S.M., Hashemi, Y.: Image encryption algorithm based on Choquet fuzzy integral with self-adaptive pseudo-random number generator. In: 11th International Conference on Intelligent Systems Design and Applications (ISDA), November 2011, pp. 642–647 54. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997) 55. Goldreich, O.: Foundations of Cryptography. Weizmann Institute of Science, Rehovot (1995) (fragment of a book) 56. Bernstein, D.: Salsa20 security. http://www.ecrypt.eu.org/stream/ e2-salsa20.html 57. Seyedzadeh, S.M., Moosavi, S.M.S., Mirzakuchaki, S.: Using self-adaptive coupled piecewise nonlinear chaotic map for color image encryption scheme. In: 19th Iranian Conference on Electrical Engineering, pp. 1–6 (2011) 58. Neves, S.: Cryptography in GPUs. Master’s thesis, Universidade de Coimbra, Coimbra (2009). [Online]. http://eden.dei.uc.pt/ *sneves/gpucrypto.pdf 59. Mukherjee, P.: An overview of eSTREAM ciphers. [Online]. http://cs.au.dk/*pratyay/eSTREAM.pdf 60. Mascagni, M., Chi, H.: Parallel linear congruential generators with Sophie–Germain moduli. Parallel Comput. 30(11), 1217– 1231 (2004) 61. Wu, P., Huang, K.: Parallel use of multiplicative congruential random number generators. J. Parallel Comput. 175(1), 25–29 (2006)