Multimed Tools Appl DOI 10.1007/s11042-016-3504-1

Securing color images using Two-square cipher associated with Arnold map

Sachin Kumar1 · Rajendra K. Sharma1

Received: 27 May 2015 / Revised: 27 February 2016 / Accepted: 29 March 2016 © Springer Science+Business Media New York 2016

Abstract This paper presents an image encryption scheme using modified Two-square cipher associated with Arnold map. The traditional Two-square cipher is modified to make it more secure and applicable on the image data. A new block-based scheme is considered for Arnold map to handle the images of any size. The proposed scheme is structured into a substitution-permutation framework such that it has an excessively huge key space, and the correct decoding is highly sensitive to the correct keys with their correct order. The exper- imental results are given to validate the feasibility and robustness of the proposed scheme. Further, the superiority of the proposed scheme is analyzed by comparing with the related work.

Keywords Image encryption · Image decryption · Arnold map · Two-square cipher

1 Introduction

Secure transmission of digital images over the open networks is an important area being researched widely. The image data may be subject to various types of passive and active attacks such as interception, modification and substitution etc. The cryptographic functions applied to the images assure the authenticity and privacy of the image data from unautho- rized access and receiving by the intended user only. Since image data has some intrinsic characteristics such as bulk data, high data redundancy and strong correlation of adjacent pixels, the traditional algorithms like Data Encryption Standard (DES), Advanced Encryp-

 Sachin Kumar [email protected] Rajendra K. Sharma [email protected]

1 Department of Mathematics, Indian Institute of Technology Delhi, Hauz Khas, New Delhi, 110016, India Multimed Tools Appl tion Standard (AES) and Rivest Shamir Adleman (RSA) may not be ideal candidates for real-time image encryption as demanding the high computational power [17]. Thus, study of image encryption is necessary to have the techniques satisfying the requirements and characteristics of the image data. In the literature, several methods are developed to han- dle the image data based on various design techniques and primitives in combination. The fourier, discrete cosine, wavelet, gyrator, affine, arnold transforms, and the chaotic maps etc. are some of the common primitives used to determine the image encryption methods [1, 3, 5–19, 21–26]. In [5, 12, 15, 21, 23, 24], the image encoding and decoding methods are presented based on Arnold map associated with other different primitives. Guo et al. [5] proposed an image encryption method, where a color image in Red-Green-Blue (RGB) space is first trans- formed to intensity-hue-saturation (IHS) space and then encrypted in IHS space by using Arnold map and discrete fractional random transform. Liu et al. [15] presented a technique, where the pixel values of RGB components of the original image are scrambled by Arnold Map, and then translated using a matrix defined by a random angle. Further, the discrete cosine transform is employed to the scrambled and translated image. Sui and Gao [21]pre- sented the application of Arnold map associated with chaotic maps and gyrator transform. All these mentioned schemes [5, 15, 21] bring the nice application of Arnold map in con- junction with other primitives but these are limited to handle the images of square size, and also have the key sensitivity on the correct keys not on their arrangements. Tang and Zhang [23] used Arnold map with three random strategies to define a nice scheme for the images of any size. In the first strategy, image is divided into random overlapping blocks of square size followed by generating random iterative numbers in the second strategy. In the third strategy, a random encryption order is obtained for processing the overlapping blocks by Arnold map. All these strategies are governed by separate keys. In Tang and Zhang’s scheme, the random division can result in adjacent squares having overlapping regions where some pixels in overlapping regions can be processed several times by Arnold map. Since Arnold map is periodic in nature, these overlapping regions can have reduced effect or even no effect of iteration numbers. Thus, iteration numbers requires to be chosen carefully such that periodicity is not exhaust. Recently, Tang et al. [24] have proposed an efficient image encryption scheme using block shuffling and chaotic map, where Arnold map is exploited to generate a set of secret matrices used to make final encryption. The schemes [23, 24] have abilities to handle the images of any size and also the key sensitivity on the arrangements of the keys, but lack having the robustness validation against the many desired properties such as correlation, diffusion characteristics, resistance against cryptanalytical attacks etc. There are several methods for image encryption using Arnold map with different primi- tives in combination but some of these lack in having good security against brute force attack (i.e., huge key space), and some in having key sensitivity on the arrangements of the keys. None of these has complete validation of robustness as does not provide security analysis against attacks like differential, known plaintext, chosen plaintext and chosen ciphertext. The high security of the image data in transmitting over the open network has become an important agenda of the present era. This motivates us to design an image encryption scheme having high security and complete validation of robustness against the cryptana- lytical attacks. To meet our aim, we explore the combination of widely used Arnold map with a new primitive from the books of classical cryptography, i.e., traditional Two-square cipher. The traditional Two-square cipher is modified to make it applicable on images and more secure. A new block-based scheme for Arnold map is also designed to have no size Multimed Tools Appl limitation of the input images, which is combined with modified Two-square finally to have encrypted images. Further, the experimental results are conduced to validate the strength of the scheme against statistical analysis and attacks including its time complexity, key sen- sitivity and space analysis. We are able to have an image encryption scheme which has a complete validation of robustness and an extensively huge key space with security not only in terms of the keys but also in their arrangements. The scheme has ability to resist most of the statistical and cryptanalytical attacks. The proposed scheme is also compared with the related image encryption schemes. Compared to the related schemes, the proposed scheme is highly robust and secure, and has better performance. The rest of this paper is organized as follows. In Section 2, the traditional Two-square cipher and Arnold map are discussed briefly. Section 3 describes the proposed encryption and decryption algorithm for color images. Section 4 presents the experimental results and robustness validation. In Section 5, key sensitivity and key space are analyzed. In Section 6, the proposed scheme is compared with the related work. Section 7 draws the concluding remarks.

2 Traditional Two-square cipher and Arnold map

This section briefly discusses the encryption algorithms using the traditional Two-square cipher and the Arnold map.

2.1 Traditional Two-square cipher

The Two-square cipher was developed to have a classical system stronger than Playfair cipher and less cumbersome than Four-square cipher. It is a digraphic system, where two letters of plaintext (in English) are replaced with two letters of ciphertext in each encipher- ment. It consists two 5 by 5 squares either next to each other (horizontal Two-square) or one top of each other (vertical Two-square). Normally, both squares contain mixed sequences preferably using two different keywords. An example of horizontal and vertical Two-square using keywords “ENCRYPT” and “DECRYPT” is given in Fig. 1.

Fig. 1 An illustration: a Horizontal Two-square; b Vertical Two-square Multimed Tools Appl

For encipherment or decipherment, first the text message is divided into digraphs. The following rule is used for enciphering the plaintext digraph p1p2 into the ciphertext digraph c1c2. a) Locate the first letter of the digraph within the first square (left/top) and the second letter in the second square (right/bottom) b) Form the rectangle with these two letters at from the opposite corners c) Select the ciphertext or plaintext digraph from the other two corners of the rectangle In horizontal Two-square, if the letters of a digraph to be enciphered are in same row then these are replaced with the same letters in reverse order. In vertical Two-square, whenever the letters to be enciphered are in same column, however, the letters become their own equivalents. In Two-square cipher, the decipherment is handled in exactly the similar way as encipherment. Figure 2 illustrates the encipherment using horizontal and vertical Two- square as given in Fig. 1. The digraphs in ciphertext which are same as plaintext or in reverse are called transparen- cies or reverse transparencies respectively. The traditional Two-square cipher has weakness that in long run, about 20 % of the digraphs will be transparencies. We propose some mod- ifications in traditional Two-square cipher to remove this weakness as well as to make it suitable for encrypting the images.

2.2 Arnold map

It is also known as cat map face, which was proposed by V. Arnold in the research of ergodic theory [2], and is defined as      x 11 x = (mod 1) (1) y 12 y where the point (x, y) in unit square is transformed to another point (x,y). In respect to the image of size N × N, the Arnold map is defined as      x 11 x = (mod N) (2) y 12 y

The pixel at position (x, y) in the original image is mapped to the position (x,y) after one iteration of Arnold map in (2). The Arnold map is periodic in nature. The period (T )

Fig. 2 An illustration of the encipherment using: a Horizontal Two-square; b Vertical Two-square Multimed Tools Appl depends on the size of the image (not directly proportional), and can be approximated by formula (3)asgivenin[4] ⎧ ⎨ = 3N for N = 2.5s; s ∈ N = = s s; ∈ N T ⎩ 2N for N 5 or6.5 s (3) ≤ 12N 7 other N N2 ≤ Dyson and Falk [4] proved that the period of Arnold map is bound upper by 2 , i.e., T N2 2 .Table1 lists the period of Arnold map for some values of N. The application of Arnold map for image encryption requires it to be executed in many iterations. The iteration number serves as the secret key and must be selected smaller than the period of Arnold map.

3 The proposed scheme

The proposed scheme has the structure of type substitution-permutation cipher and is defined in two phases, where modified Two-square cipher acts as substitution layer in the first phase and Arnold map acts as permutation layer in the second phase. In order to make the traditional Two-square cipher applicable on images and enhance its security against the weakness of transparencies, we introduce some modifications in its encryption/decryption process. For any grayscale or color image, the value of each image pixel lies in the set {0, 1, ..., 255}. Thus, each square is selected of the size 16 × 16 having distinct values from the set {0, 1, ..., 255}. The first square can be generated by randomly distributing 256 elements of the set {0, 1, ..., 255} in a 16 × 16 square. While, the second square can be generated by permuting the elements of the first square. For each pair of the original image pixels, we propose the following encryption rule: a) Locate the first pixel within the first square (left/top) and the second pixel within the second square (right/bottom) square. b) If the original pixels are in different rows and different columns then select the pixels (in order) from the other corners of the rectangle formed by the pixels at opposite corner. c) If the original pixels are in the same row and different columns then select the pixels immediate right (in cyclic manner) to the original pixels in their respective square (case of horizontal Two-square). d) If the original pixels are in different rows and the same column then select the pixels immediate below (in cyclic manner) to the original pixels in their respective square (case of vertical Two-square). For decrypting any pair of pixels, apply the same rules as at (a) and (b). While, in rule at (b), the pixels are selected immediate left (in cyclic manner), and in rule at (c), the pixels are selected immediate above (in cyclic manner). For the image having odd number of rows and odd number of columns, the last pixel can be encrypted by pairing it with a dummy pixel.

Table 1 Period (T) of Arnold map for some values of N

NTNTNTNT

3 4 25 50 100 150 150 300 4 3 32 24 125 250 256 192 5 10 64 49 128 96 512 384 Multimed Tools Appl

Further, we introduce the encryption and decryption process of the modified Two-square cipher in Cipher Block Chaining (CBC) mode. This eliminates the weakness of transparen- cies as in traditional Two-square cipher. An IV vector is used to make the encryption randomized so that there are different pair of encrypted pixels even for the same pair of the original pixels. Each pair of the original pixels is XOR-ed (⊕) with the previous pair of the encrypted pixels before encryption. For the first pair of the original pixels, an IV vector is used to XOR with these pixels. The encryption for each pair of the original pixels depends on all the previous pair of the encrypted pixels. This ensure the small changes in IV or pair of the original pixels affect the encryption of all the subsequent pair of pixels. Figure 3 shows the encryption and decryption process in modified Two-square cipher. The first square and the order to obtain the second square serve as the secret parameters in the modified Two-square cipher. The first square should be shared between sender and receiver. It has storage cost 2048 bit or 256 bytes (.256 kb). In the present era, this storage cost is very much affordable or merely negligible. The application of Arnold map in (2) is only limited to the images of square size. We consider a new block-based scheme using Arnold map for encipherment and decipherment of images of any size shown as in Fig. 4. First, any input image is divided into non- overlapping square sub-images and non-square sub-image such that the number of rows and columns in each square sub-image are equal to minimum of number of rows and columns

Fig. 3 Modified Two-square cipher: a Encryption process; b Decryption process Multimed Tools Appl

Fig. 4 An illustration of Block-based scheme using Arnold Map: a Encryption process; b Decryption process in input image. The input image division is done by adopting either left/top to right/bottom or right/bottom to left/top division order such that the last remaining part forms the non- square sub-image. Further, each square sub-image is again divided into blocks (say R)of equal size and processed by encrypting the blocks using Arnold map with iteration numbers α1,α2, ...., αR applied in some predefined order. To process the non-square sub-image, the encrypted image is again divided into non-overlapping square sub-images and a non-square sub-image in an order opposite to the previously selected division order. Each square sub- image is again divided into blocks (say S) of equal size and encrypted block-wise using Arnold map with iteration numbers β1,β2, ...., βS applied in some predefined order. This confirms the processing of each pixel of the original input image by Arnold map. There are chances that an input image pixel can be processed by Arnold map as a part of some square sub-image during the first as well as second time division. Thus, the iteration numbers αi (1 ≤ i ≤ R)andβj (1 ≤ j ≤ S) should not be larger than the half of the period of Arnold ∈ TR ∈ TS map (say TR and TS respectively), i.e., αi (1, 2 ) and βj (1, 2 ). The input image Multimed Tools Appl division order and the iteration numbers α1,α2, ...., αR and β1,β2, ...., βS with their correct order serve as the secret parameters in the proposed block-based scheme using Arnold map. Here, for each square sub-image at the time of the first (respectively second) division, the same sequences of the iteration numbers are considered but depending on the application or security of the input image, the different sequences of iterations numbers can be used for each square sub-image. The diagram of the proposed encryption scheme for color images is shown in Fig. 5a. First, the color image is decomposed into three color components Red, Green and Blue. Then, each color component is encrypted by Modified Two-square Cipher (MTSC) in the first stage (as in Fig. 3a) followed by encryption using the proposed scheme for Arnold map (AM) (as in Fig. 4a) in the second stage. All three encrypted color components as output of the second stage are combined to form the encrypted image. The process of decrypting the image is depicted in Fig. 5b, where the corresponding inverse Arnold map (i-AM) and inverse Modified Two-square Cipher (i-MTSC) are utilized in the first stage and second stage respectively.

4 Experimental results and robustness validation

In this section, several experiments are conducted so that the proposed scheme can be analyzed in terms of its feasibility and robustness against different attacks.

Fig. 5 Flowchart of the proposed scheme: a Encryption process; b Decryption process Multimed Tools Appl

Fig. 6 Experimental results of the proposed scheme: a Original image; b Encrypted image; c Correctly decrypted image with correct IV, key and order in the first phase, and correct keys and order in the second phase; d Incorrectly decrypted image with approximate key but correct IV and order in the first phase, and correct keys and order in the second phase; e Incorrectly decrypted image without the correct order but with correct IV and key in the first phase, and correct keys and order in the second phase; f Incorrectly decrypted image with correct IV, key and order in the first phase, but approximate keys and correct order in the second phase; g Incorrectly decrypted image with correct IV, key and order in the first phase, and correct keys but without correct order in the second phase

4.1 Demonstration of the procedure

The proposed scheme is applied to a color image of size 512 × 600 as shown in Fig. 6a, where keys and their order are same for each color component (Red, Green or Blue). The encryption process in the first phase is accomplished by using an IV vector [45, 233] and horizontal Two-square cipher, where the following 16 × 16 matrix is selected as the first square. ⎛ ⎞ 227 209 81 239 47 183 61 214 0 152 64 237 117 29 6 148 ⎜ ⎟ ⎜ 222 20 68 195 42 115 25 88 186 184 95 35 178 37 149 192 ⎟ ⎜ ⎟ ⎜ 40 76 198 103 225 17 104 232 118 210 31 75 151 247 218 93 ⎟ ⎜ ⎟ ⎜ 22 52 18 2 159 120 109 166 194 155 46 89 112 100 83 121 ⎟ ⎜ ⎟ ⎜ 45 11 203 129 132 87 65 9 24 187 217 224 144 226 153 78 ⎟ ⎜ ⎟ ⎜ 167 253 179 213 91 174 200 158 196 208 82 80 86 215 128 108 ⎟ ⎜ ⎟ ⎜ 160 250 96 48 122 190 185 223 51 219 137 202 228 176 236 136 ⎟ ⎜ ⎟ ⎜ 110 207 246 7 5 79 41 165 113 38 123 59 70 201 114 26 ⎟ ⎜ ⎟ ⎜ 131 124 53 249 234 171 21 240 233 145 44 92 50 197 133 43 ⎟ ⎜ ⎟ ⎜ 67 156 177 254 23 107 102 33 139 28 248 243 180 15 125 221 ⎟ ⎜ ⎟ ⎜ 126 169 146 62 111 163 212 36 73 170 4 229 66 130 188 39 ⎟ ⎜ ⎟ ⎜ 143 10 244 12 54 162 13 14 94 175 56 216 77 231 49 72 ⎟ ⎜ ⎟ ⎜ 116 147 251 119 173 255 164 168 8 142 154 19 99 191 134 230 ⎟ ⎜ ⎟ ⎜ 32 211 252 193 150 34 98 97 58 220 55 199 69 105 27 71 ⎟ ⎝ 181 101 242 90 60 85 141 3 172 235 157 241 245 135 63 140 ⎠ 206 30 182 238 205 74 161 106 189 204 1 16 127 84 57 138 Multimed Tools Appl

The second square is obtained by permuting the columns of the first square in an order defined by [81521610712311146495131]. In the second phase, output of the first phase is processed by partitioning it into a square sub-image of size 512 × 512 and a non-square sub-image of size 512 × 88 in a left to right order. Further, the square sub-image is divided into 4 sub-blocks of equal size 256 × 256, and encrypted using Arnold map with iteration numbers 20,5,27 and 7 in an order from the first to fourth block respectively. Combine the square sub-image processed by Arnold map with non-square sub-image. The combined image is again partitioned into a square sub- image of size 512 × 512 and non-square sub-image of size 512 × 88 in a right to left order. The square sub-image is processed by Arnold map in 4 blocks of equal size 256 × 256 with iteration numbers 6,36,4 and 30 in an order from the first to fourth block respectively, and then combined with non-square sub-image. The final combined image represents the encrypted image as shown in Fig. 6b. Figure 6c shows the decrypted image when all the keys and their arrangements are supplied correctly to the decryption algorithm. An incorrectly decrypted image with approx- imate key (first square) but correct IV and order in the first phase, and correct keys with correct order in the second phase is shown in Fig. 6d. The approximate key in the first phase can be obtained by applying an affine function, for example, a fixed value from 1 to 255 can be added to each entry in the first square w.r.t. addition modulo 256. Figure 6e

Table 2 Histogram analysis of the proposed image encryption scheme

Image Histogram

Red component Green component Blue component

Fig. 6a

Fig. 6b

Fig. 6d

Fig. 6e

Fig. 6f

Fig. 6g Multimed Tools Appl shows an incorrectly decrypted image without correct arrangement (order to obtain the sec- ond square and to place the first and second square) but with correct IV and key in the first phase, and correct keys with correct order in the second phase. An order defined by [12861093472131165111415] is considered to permute the column of the first square in the decryption process instead of the correct order. An incorrectly decrypted image with correct IV, key and order in the first phase, but approximate keys (iteration numbers for Arnold map) with correct order in the second phase is shown in Fig. 6f. The iteration numbers (keys) are approximated closely as 19,6,26 and 8 (for the first to fourth block respectively) at the time of first division, and 7,35,5 and 31 (for the first to fourth block respectively) at the time of second division. Figure 6g represents an incorrectly decrypted image with correct IV, key and order in the first phase, but correct keys without correct arrangement (order in which iteration numbers are applied to blocks) in the second phase. A change in the correct order of iteration numbers is adopted as 7,20,5 and 27 (for the first to fourth block respectively) at the time of the first division and 30,6,36 and 4 (for the first to fourth block respectively) at the time of the second division.

4.2 Histogram analysis

Table 2 shows the histogram of the images given in Fig. 6. The histogram is plotted for each color component Red, Green and Blue. The histogram of the encrypted image (Fig. 6b) is completely different from the histogram of the original image (Fig. 6a), and attains uniform distribution. However, the histogram of the images decrypted with missing either correct keys or their correct order (Fig. 6d–g) have also uniform distribution of pixels. Thus, no information can be obtained about the original image by histogram analysis of the encrypted image, and decrypted images without correct keys or correct order, i.e., the scheme is secure against histogram analysis.

4.3 Entropy analysis

Entropy [20] represents the information provided by a random process and measures the degree uncertainty in an encryption system. The entropy H(m) of a message m can be calculated by formula

2 n−1 H(m) =− p(mi)log2p(mi) (4) i=0 where p(mi) denotes the probability of occurrence of the symbol mi. For a true random system that generates 256 symbols with an equal probability, the entropy is calculated as 8 according to (4). However, in general, entropy is not exactly equal to the ideal value 8 as the real encryption systems seldom produce true random output. For an image encryption scheme, entropy for the encrypted image is accepted close to the ideal value. If entropy is smaller than the ideal value, then the scheme may lack resistance to entropy attack as there exists certain degree of predicability. Table 3 shows the entropy values for each color component of the images given in Fig. 6. The entropy values for the encrypted image (Fig. 6b) and decrypted images (Fig. 6d–g) are very close to the ideal value 8. Thus, the entropy value remains close the ideal value even for the slight change in either correct keys or correct order. For 25 plain images given in Fig. 7 and their corresponding encrypted images, the entropy values are calculated and plotted as in Fig. 8. The entropy value for each encrypted image is found very close to the ideal value Multimed Tools Appl

Table 3 Entropy of the images given in Fig. 6.

Image Entropy

Red component Green component Blue component

Fig. 6a 7.3452 7.5597 7.1666 Fig. 6b 7.9994 7.9994 7.9995 Fig. 6d 7.9994 7.9994 7.9993 Fig. 6e 7.9994 7.9994 7.9994 Fig. 6f 7.9992 7.9993 7.9991 Fig. 6g 7.9993 7.9995 7.9994

8. This confirms that there is no possibility of predicability and information leakage, i.e., the proposed scheme is secure enough to resist entropy based attacks.

4.4 Correlation analysis

The performance of the proposed scheme is measured against the pixel intensity distribution of adjacent pixels. The degree of similarity is measured between the adjacent pixels in horizontal, vertical and diagonal directions by calculating the correlation coefficient using (5)  n − − i=1(xi X)(yi Y) r(X,Y) =   (5) n − 2 n − 2 i=1(xi X) i=1(yi Y) where X and Y denote the mean of variable X and Y respectively. Table 4 shows the cor- relation coefficients of adjacent pixels in horizontal, vertical and diagonal directions for the images given in Fig. 6. Correlation coefficient is calculated by randomly selecting 3000 pairs of adjacent pixels (in horizontal, vertical or diagonal direction) from each image. For each direction (horizontal, vertical or diagonal), the correlation coefficients for the origi- nal image are close to 1, while for the encrypted image these are close to 0. Thus, there is very negligible correlation of adjacent pixels in the image encrypted by the proposed scheme even the adjacent pixels in the original image are highly correlated. Further, for the decrypted images with either approximate keys or wrong order, the correlation of adjacent pixels is also found close to 0. Figure 9 shows the pixel intensity distribution of adjacent

Fig. 7 Set of 25 images used for analyzing the entropy and diffusion characteristics in the proposed scheme Multimed Tools Appl

Fig. 8 Entropy analysis of the proposed scheme pixels in horizontal, vertical and diagonal directions for the original image (Fig. 6a) and the encrypted image (Fig. 6b). Thus, in the proposed technique, no original information can be obtained by correlating the pixels in the encrypted image, and even in the decrypted images with either approximate keys or wrong order.

4.5 Diffusion characteristics

The diffusion characteristics of the proposed scheme is examined by commonly used mea- sures, i.e., Number of Pixels Change Rate (NPCR) and Unified Average Change Intensity (UACI) [17]. NPCR measures the number of pixels change rate in the encrypted image while one pixel of the original image is changed. UACI measures the average intensity of differences between the original and encrypted image. Between two grayscale images I1 and I2 of size h × w, NPCR and UACI can be calculated as ⎡ ⎤ 1 h w NPCR = ⎣ D(i,j)⎦ × 100% (6) h × w i=1 j=1

  1 h w |I (i, j) − I (i, j)| UACI = 1 2 × 100% (7) h × w 255 i=1 j=1 where D is defined by I1 and I2, i.e., if I1(i, j) = I2(i, j) then D(i,j) = 0; else D(i,j) = 1. Figure 10 shows the plot of NPCR and UACI values calculated for 25 images as given in Fig. 7. The NPCR for each image is calculated by considering 1-bit random change in

Table 4 Correlation coefficient of adjacent pixels for the images in Fig. 6

Direction Correlation coefficient

Fig. 6aFig.6bFig.6dFig.6eFig.6fFig.6g

Horizontal 0.9966 0.0019 0.0005 0.002 0.004 0.0008 Vertical 0.9985 − 0.0051 0.0024 0.0023 − 0.0011 − 0.0001 Diagonal 0.9944 − 0.0023 0.0025 − 0.001 0.0026 0.0002 Multimed Tools Appl

Fig. 9 Correlation of adjacent pixels in: a Original image; b Encrypted image the first pixel of the image. In the proposed scheme, NPCR and UACI values are found very close to ideal values 99.61 and 33.46 respectively [3]. For the graph shown in Fig. 10, the average values for NPCR and UACI are 99.61 and 33.47 respectively. It indicates that the proposed image encryption algorithm has strong diffusion characteristics and ability to resist differential attack.

4.6 Robustness against cropping attack

To validate the robustness against cropping attack, we consider the encrypted images cropped with various format as in Fig. 11. The encrypted image (Fig. 6b) is cropped left with 25 % pixels, right with 25 % pixels, top with 25 % pixels, bottom with 25 % pixels and center with 25 % pixels as shown in Fig. 11a–e respectively. Figure 11f–j show the decrypted images corresponding to cropped images (Fig. 11a–e) with all cor- rect keys and correct arrangements. It is evident that the original image can be recognized visually from the decrypted images, i.e., the proposed scheme has robustness against cropping attack. Multimed Tools Appl

Fig. 10 NPCR and UACI analysis of the proposed scheme

4.7 Robustness against noise attack

The proposed scheme is tested against Gaussian random noise, and Salt and pepper noise. The gaussian noise G with mean 0 and standard deviation 1 is added to the encrypted image I in the following way

 I = I(1 + γG) (8) where I  is the encrypted image added with Gaussian noise and γ is coefficient controlling the noise intensity. Figure 12a shows the original image considered for simulation of noise attack. Figure 12b and c are the decrypted images under Gaussian noise with γ = 0.005 and γ = 0.01 respectively. The decrypted images under Salt and pepper noise with intensity 0.1 and 0.2 are shown in Fig. 12d and e respectively. The content of original image can still be recognized from the decrypted images under contamination with noise. Thus, the proposed image encryption scheme has robustness against noise attack.

Fig. 11 Experimental results of cropping attack: a Encrypted image cropped left with 25 % pixels; b Encrypted image cropped right with 25 % pixels; c Encrypted image cropped top with 25 % pixels; d Encrypted image cropped bottom with 25 % pixels; e Encrypted image cropped center with 25 % pixels; f Decrypted image for Fig. 11a; (g) Decrypted image for Fig. 11b; (g) Decrypted image for Fig. 11c; (g) Decrypted image for Fig. 11d; (g) Decrypted image for Fig. 11e Multimed Tools Appl

Fig. 12 Experimental results of noise attack: a Original image; b Decrypted image under Gaussian noise with γ = 0.005; c Decrypted image under Gaussian noise with γ = 0.01; d Decrypted image under Salt and pepper noise with intensity 0.1; e Decrypted image under Salt and pepper noise with intensity 0.2

4.8 Robustness against known plaintext, chosen plaintext and chosen ciphertext attacks

In known plaintext attack, adversary has access to several plaintexts and corresponding ciphertexts, while in chosen plaintext attack, adversary has liberty to choose plaintexts to get encrypted. Adversary attempts to deduce the correct keys in order to decrypt any new ciphertext encrypted with same keys. In chosen ciphertext attack, adversary has chance to choose a number of ciphertexts and obtain resulting plaintexts so that the information about the correct keys can be inferred. The proposed image encryption method has resis- tance against known plaintext, chosen plaintext and chosen ciphertext attacks as correct decryption requires the correct keys with their correct order. Suppose by analyzing several original and corresponding cipher images against known plaintext, chosen plaintext or cho- sen ciphertext attack, adversary is able to infer the correct keys used to encrypt the original images, i.e., the first square and the iteration numbers. To decrypt any new image encrypted with same keys, adversary has to guess the correct order of these keys. The number of attempt to search the correct order are at least 256!(≈ 21684), which are enormous. Hence, the proposed scheme is secure against known plaintext, chosen plaintext and chosen cipher- text attacks as for an adversary to exhaustively search the correct order of the keys even having the knowledge of correct keys is infeasible.

4.9 Time complexity

The running time analysis of an image encryption scheme is important to ensure its real time usage. However, the computation of running time for any scheme depends on several parameters like computer configuration, algorithms used for code optimization, proficiency of the programmer etc. Therefore, the proposed scheme is analyzed for its time complexity as well as running speed. We analyze the time complexity of the encryption process in each phase of our scheme. In the first phase, each pixel is first located in a square (first or second), and then substi- tuted as per encipherment rule. Locating the pixel in any square can take 256 steps in worst case. Thus, for any image of size h × w, time complexity of the first phase is O(256hw), i.e., O(hw). In the second phase, Arnold map is applied in many iterations to square sized blocks. We first analyze the time complexity of Arnold map for one iteration. Applying Arnold map to a square sized block (say m × m) is equivalent to find first permutation of m2 positions in block, i.e. (x, y),0≤ x,y ≤ m − 1) and then permuting the elements at these positions. Multimed Tools Appl

The permutation can be found by multiplying the 2 × 2matrixusedinArnoldmapwitha 2 × m2 matrix determined by m2 positions as in (9)      01.. m − 1 ... m − 1 .. m − 2 11 00.. 0 ... m − 1 .. m − 1 = (mod m) 02.. m − 2 ... m − 1 .. m − 3 12 01.. m − 1 ... 0 .. m − 1 (9) Thus, time complexity to find permutation is equivalent to complexity of multiplying two matrices of the size 2 × 2and2× m2,whichisO(2 ∗ 2 ∗ m2) = O(4m2). Once the permutation of the positions is found, the time complexity to permute the elements in the block is O(m2). Thus, applying the Arnold map has time complexity O(4m2 + m2), i.e., O(m2). To apply Arnold map in many iterations, the permutation of positions is determined only once and used same for every iteration as it is defined by fixed matrix used in Arnold map. At the time of first division in the second phase, the input image is processed into R blocks of equal size (say mR × mR) using Arnold map with iterations α1,α2, ..., αR.This 2 + 2 + + 2 2 ∈ TR has time complexity O(α1mR α2mR ... αRmR ), i.e., O(RTRmR ) as αi (1, 2 ) 2 ∀i ∈{1, 2, ..., r}. Similarly, time complexity at the time of second division is O(STSmS ). 2 2 Thus, the second phase has time complexity O(RTRmR + STSmS ) . Consequently, time complexity for the encryption process in the proposed scheme deduce 2 2 to O(hw + RTRmR + STSmS ). The decryption process of the proposed scheme also has the same time complexity. Since mR ≤ min(h, w) and ms ≤ min(h, w), time complexity in the proposed scheme grows linearly with respect to the size of the input image. Further, we analyze the running time of our encryption scheme for grayscale and color images. The Lena image is selected in grayscale and color format for different sizes. The scheme is implemented with Matlab 7.9 and executed on a personal computer equipped with 3.4 GHz Intel Core i7-4770 CPU and 4 GB RAM. Table 5 lists the running time for encryption of the different size images. We observe that the running time of the proposed scheme grows linearly with the input image size.

5 Key space and key sensitivity analysis

Key space is the most important attribute to determine the strength of any encryption system. It refers to the set of all possible keys that can be used in the encryption system. The key space in the proposed image encryption algorithm depends on the total keys possible in both the phases of algorithm, i.e., the first and second phase. In the first phase, the first and second squares serve as the secret keys. The total number of possible ways in which the first square can be generated are 256! (≈ 21684), while the second square is obtained by permuting the elements of the first square. There are total 256! possible ways in which elements of the first square can be permuted. Thus, for the image (say binary) of size h×w , the key space in the

Table 5 Running time of encryption process in the proposed scheme (Unit: second)

Image type Image size

64 × 64 128 × 128 192 × 192 256 × 256 384 × 384 512 × 512 768 × 768 1024 × 1024

Gray image 0.015 0.046 0.0109 0.171 0.375 0.734 1.562 2.812 Color image 0.031 0.140 0.296 0.5 1.171 1.984 4.515 8.218 Multimed Tools Appl first phase is of size min(2h×w, 23368). In addition, the correct order (vertical or horizontal) of two squares is also important in correct decryption of the encrypted image. In the second phase, the iteration numbers, i.e., α1,α2, ..., αR and β1,β2, ..., βS serve as the secret keys for each sub-image at the time of the first and second division respectively. =| TR | =| TS | ∈ TR ∈ TS ≤ ≤ Let CR (1, 2 ) and CS (1, 2 ) ,whereαi (1, 2 ) and βj (1, 2 ) for 1 i R ≤ ≤ R × S and 1 j S. Hence, the total number of possible keys in the second phase are CR CS . In addition, the correct decryption process also depends on the correct order of partitioning the original image. h×w 3368 × R × Consequently, the key space in the proposed scheme is of size min(2 , 2 CR S CS ). For the experimental result in subsection 4.1, the key space can be approximated as 23368 × 252 (= 23420). Thus, the key space of the proposed image encryption scheme is extensively huge and is clearly impractical to brute force attack. The proposed encryption scheme is highly sensitive to the correct keys and their correct order. The key sensitivity of the proposed scheme can be validated form Fig. 6c–g, and also from the experimental results provided against the histogram, entropy and correlation anal- ysis. The correctness of the decrypted image depends on the correct keys applied in correct order as used in the encryption process. Even the keys are closely approximated near to the original keys, the decrypted image completely differs from the original image and reveals no information about the original image. Similarly, slight change in the original order of keys also yield an incorrectly decrypted image, nearly close a random image. Thus, high sensitivity of the proposed scheme makes it more robust and force an attacker to exhaus- tively search the huge key space for correct keys and their correct order, which is totally impractical.

6 Comparison with the related work

The proposed scheme is compared with the formerly developed schemes [5, 15, 21, 23, 24] in terms of various factors as listed in Table 6. We have paid the close attention to most of the performance factors, and reported the results for each scheme, if available. Compared to the reported schemes, the merits of the proposed scheme are brought out, however including demerits, if any. In Guo et al.’s scheme [5], the application of Arnold map is only limited to images of square size. Guo et al. measured the sensitivity of key by plotting the Mean Square Error (MSE) values of the decrypted images for various approximated keys. As per the results given in [5], the MSE values for Red, Green and Blue components are smaller than 9000, 6000 and 8000 respectively. We consider the similar image (“Flower”) of size 256 × 256 astakenin[5], and measure the sensitivity of key (first square) by approximating it under additive error (each element is added with a fixed value from 1 to 255 w.r.t. addition modulo 256). The decrypted images are found with different approximate keys (additive errors) in the first phase and no change in IV, all other keys and their arrangements. The MSE values are calculated for each color component of the decrypted images, and found to be greater than 10000 for each color component. This indicates that the decrypted images with approx- imate keys in our scheme are largely dissimilar to the original image than the decrypted images with approximate keys in [5], i.e., the proposed scheme has higher sensitivity of keys. Multimed Tools Appl

Table 6 Comparison of the proposed scheme with the related work

Performance Guo Liu Sui and Tang and Tang Proposed factor et al. [5]etal.[15]Gao[21] Zhang [23]etal.[24] scheme

Image Square Square Square Square Square and Square and size Non-square Non-square Non-square Correct decryption Correct Correct Correct Correct keys Correct keys Correct keys requirement keys keys keys and order and order and order Sensitive to Yes Yes Yes Yes Yes Yes secret keys Resistance against Yes Yes Yes Yes Yes Yes noise attack Resistance against Yes Yes Not Yes Yes Yes cropping attack mentioned Correlation of Not Not Horizontal: 0.0208 Not Not Horizontal: − 0.0022 adjacent pixels mentioned mentioned Vertical: 0.0064 mentioned mentioned Vertical: 0.0001 Diagonal: 0.0119 Diagonal: − 0.0002 Entropy Not Not Not Not 7.999 7.999 analysis mentioned mentioned mentioned mentioned Diffusion Not Not Not Not Not NPCR: 99.61 characteristics mentioned mentioned mentioned mentioned mentioned UACI: 33.47 Resistance against Not Not Not Not Not Yes known plaintext, mentioned mentioned mentioned mentioned mentioned chosen plaintext chosen ciphertext attacks

Liu et. al’s scheme [15] is based on Arnold map and discrete cosine transform, where random angle function serves as the main key. They have shown the decrypted images, where main key has constant error or part of the data of main key is known. The content of the original image can be identified from these decrypted images [15]. Similarly, in our scheme when the original key (first square) is considered with a constant additive error (each element is added with a fixed value 1 w.r.t. addition modulo 256), but IV, all other keys

Fig. 13 Decrypted images under Salt and pepper noise with intensity 0.05 in: (a) Tang and Zhang’s scheme [23]; (b)Tangetal.’sscheme[24]; (c) Our scheme Multimed Tools Appl

Fig. 14 Decrypted images under Salt and pepper noise with intensity 0.1 in: (a) Tang and Zhang’s scheme [23]; (b)Tangetal.’sscheme[24]; (c) Our scheme and their order are unaltered, the decrypted image (Fig. 6d) appears completely random and revels no information about the original image. Compared to [15], the proposed scheme is highly sensitive to the keys with additional requirement of correct order of keys. Sui and Gao’s scheme [21] is only limited to the images of square size, and has the key sensitivity only for correct keys not for their arrangements. We consider Lena image of size 256 × 256 as in [21] and calculate the correlation coefficient of adjacent pixels in its encrypted image. Compared to Sui and Gao’s scheme, adjacent pixels are significantly less correlated for all three directions in our scheme. The schemes presented in [23, 24] have some properties similar to our scheme such as input image of any size, keys with their order, resistance against noise and cropping attacks. But, these schemes lack in terms of analysis against some of the properties as listed in Table 6. However, we compare our scheme against the similar analysis as carried in [23, 24], i.e., key space, time complexity, contamination by Gaussian noise, Salt and pepper noise and random block missing attacks. We select the Lena image as in [23, 24] to get encrypted using our algorithm. The encrypted image is contaminated by Salt and pepper noise with intensities 0.05 and 0.1, Gaussian noise with intensity 0.01, and 15 random blocks missing attacks, where each block size is 20 × 20. Figures 13, 14, 15 and 16 shows the comparison of the decrypted images in our scheme and [23, 24] for the attacks as mentioned. We exploit the Peak Signal to Noise Ratio (PSNR) to measure the performance of each scheme. Table 7 lists the PSNR values of the decrypted images in [23, 24] and the proposed scheme. Here,

Fig. 15 Decrypted images under Gaussian noise with γ = 0.1in:(a) Tang and Zhang’s scheme [23]; (b) Tang et al.’s scheme [24]; (c) Our scheme Multimed Tools Appl

Fig. 16 Decrypted images under 15 random blocks missing attack in: (a) Tang and Zhang’s scheme [23]; (b)Tangetal.’sscheme[24]; (c) Our scheme the results for decrypted images and PSNR values w.r.t [23, 24] are reported from [24]. Thus, the proposed scheme performs better than [23, 24] in resisting the said attacks. In [23], random division, random iteration numbers and random encryption order serve as the secret parameters and define the key space. The second phase of our scheme is based on a method where division order, iteration numbers and their arrangements define the key space. Thus, the second phase our scheme itself has a key space comparable to [23]. Tang 96 m et al. [24] has shown that the key space in their scheme is 2 q ,wherem and q are the scheme parameters. The number of possible keys in their scheme are at least 296,where for the experimental results given in [24], the key space can be approximated as 2147.In h×w 3368 × R × S the proposed scheme, the key space is of size min(2 , 2 CR CS ). The proposed scheme has a huge key space and is more secure compared to [23, 24]. Out from the reported schemes, only Tang et al. [24] has analyzed the running time of their scheme. Although, the proposed scheme does not achieve the encryption speed as in [24] but has the characteristic that the encryption speed is linear in the size of input image. Further, compared to [5, 15, 21], the proposed method can handle images of any size and additionally requires correct order of keys in decryption process. The analysis of proposed scheme clearly mention the entropy, correlation of adjacent pixels and resistance against cropping attack as not analyzed in [5, 15, 21, 23], [5, 15, 23, 24]and[21] respectively. NPCR and UACI analysis of the proposed scheme confirm that it has strong diffusion char- acteristics whereas none of [5, 15, 21, 23, 24] has analyzed the diffusion characteristics of their scheme. Also, compared to [5, 15, 21, 23, 24], the robustness of the proposed scheme against known plaintext, chosen plaintext and chosen ciphertext attacks is confirmed.

Table 7 PSNR values of the decrypted images in [23, 24] and proposed scheme under different attacks

Attacks PSNR (dB)

Tang and Zhang [23]Tangetal.[24] Proposed scheme

Salt and pepper noise with intensity 0.05 18.5 22.2 25.3 Salt and pepper noise with intensity 0.1 15.4 19.1 22.0 Gaussian noise with intensity 0.1 11.4 11.5 11.9 15 random blocks missing 21.7 25.6 27.4 Multimed Tools Appl

7Conclusion

This paper presents a new image encryption method using Two-square cipher associated with Arnold map. Traditional Two-square cipher is modified to use along with a block-based scheme for Arnold map. The proposed scheme can handle the images of any size. It is struc- tured in such a way that it has an extensively huge key space and is highly sensitive to the keys and their order. The scheme has ability to resist the histogram and correlation analysis based attacks. The scheme has strong diffusion characteristics, and is secure against entropy based attacks. The robustness against the cropping, noise, known plaintext, chosen plain- text and chosen ciphertext attacks is analyzed and confirmed. The experimental results and comparison provided confirm that the proposed is highly secure and has good performance.

References

1. Antonini M, Barlaud M, Mathieu P, Daubechies I (1992) Image coding using wavelet transform. IEEE Trans Image Process 1(2):205–220 2. Arnold VI, Avez A (1968) Ergodic problems of classical mechanics. New York, Benjamin [Translated from Russian] 3. Borujeni SE, Eshghi M (2009) Chaotic image encryption design using tompkins-paige algorithm. Hindawi J Math Problem Eng 2009:22 4. Dyson FJ, Falk H (1992) Period of a discrete cat mapping. Amer Math Month 99(7):603–614 5. Guo Q, Liu Z, Liu S (2010) Color image encryption by using arnold and discrete fractional random transforms in ihs space. Opt Lasers Eng 48(12):1174–1181 6. Hennelly B, Sheridan JT (2003) Optical image encryption by random shifting in fractional fourier domains. Opt Lett 28(4):269–271 7. Huang X, Ye G (2014) An image encryption algorithm based on hyper-chaos and dna sequence. Multimed Tools Appl 72(1):57–70 8. Kumar M, Mishra DC, Sharma RK (2014) A first approach on an rgb image encryption. Opt Lasers Eng 52:27–34 9. Kwok H, Tang WK (2007) A fast image encryption system based on chaotic maps with finite precision representation. Chaos Solitons Fractals 32(4):1518–1529 10. Li H (2009) Image encryption based on gyrator transform and two-step phase-shifting interferometry. Opt Lasers Eng 47(1):45–50 11. Li L, Ahmed AE, Niu X (2012) Elliptic curve elgamal based homomorphic image encryption scheme for sharing secret images. Signal Process 92(4):1069–1078 12. Li M, Liang T, He YJ (2013) Arnold transform based image scrambling method. In: 3rd international conference on multimedia technology(ICMT 2013), pp 1309–1316 13. Liu Z, Chen H, Liu T, Li P, Dai J, Sun X, Liu S (2010) Double-image encryption based on the affine transform and the gyrator transform. J Opt 12(3):035,407 14. Liu Z, Chen H, Liu T, Li P, Xu L, Dai J, Liu S (2011) Image encryption by using gyrator transform and arnold transform. J Electron Imag 20(1):013,020–1–013,020–6 15. Liu Z, Xu L, Liu T, Chen H, Li P, Lin C, Liu S (2011) Color image encryption by using arnold transform and color-blend operation in discrete cosine transform domains. Opt Commun 284(1):123–128 16. Liu Z, Gong M, Dou Y, Liu F, Lin S, Ahmad MA, Dai J, Liu S (2012) Double image encryption by using arnold transform and discrete fractional angular transform. Opt Lasers Eng 50(2):248–255 17. Mao Y, Chen G (2005) Chaos-based image encryption. Handbook Geomet Comput:231–265 18. Pandurangan HT, Naveen Kumar SK (2014) Application of algebra and discrete wavelet transform in two-dimensional data (rgb-images) security. Int J Wavelets Multiresol Inf Process 12(6):1450,040–1– 1450,040–25 19. Scharinger J (1998) Fast encryption of image data using chaotic kolmogorov flows. J Electron Imag 7(2):318–325 20. Shannon CE (1948) A mathematical theory of communication. Bell Syst Tech J 27:379–423 21. Sui L, Gao B (2013) Color image encryption based on gyrator transform and arnold transform. Opt Laser Technol 48:530–538 22. Taneja N, Raman B, Gupta I (2012) Chaos based cryptosystem for still visual data. Multimed Tools Appl 61(2):281–298 Multimed Tools Appl

23. Tang Z, Zhang X (2011) Secure image encryption without size limitation using arnold transform and random strategies. J Multimed 6(2):202–206 24. Tang Z, Zhang X, Lan W (2015) Efficient image encryption with block shuffling and chaotic map. Multimed Tools Appl 74(15):5429–5448 25. Zhang Y, Zheng CH, Tanno N (2002) Optical encryption based on iterative fractional fourier transform. Opt Commun 202(4–6):277–285 26. Zheng Y, Jin J (2015) A novel image encryption scheme based on hnon map and compound spatiotemporal chaos. Multimed Tools Appl 74(8):7803–7820

Sachin Kumar received his postgraduate degree in mathematics in 2004 from Indian Institute of Technology (IIT) Roorkee, India. In 2012, he received his PhD degree in Cryptology from Indian Institute of Technology Delhi, India. The title of his PhD thesis is “Design and Analysis of Visual Secret Sharing Schemes”. He has published eight research papers in international journals/conferences including reputed crypto journals Cryptologia, Fundamenta Informaticae, Security and Communication networks etc. His research interests include image encryption, visual cryptography, secret sharing and elliptic curve cryptography.

Rajendra K. Sharma is Professor and former Head at Department of Mathematics, Indian Institute of Tech- nology (IIT) Delhi, India. Earlier, he has been on the faculty of mathematics at IIT Kharagpur. He has been teaching UG/PG classes for more than 26 years. He has guided sixteen PhD theses and more than 54 M.Tech projects. He has published more than 80 research papers in international journals. He has also published two books, Algebra I, by Pearson (three volumes are planned), Complex Numbers by Anthem Press. He has developed some web courses also under the NPTEL program. He has participated in several conferences including the coveted International Congress of Mathematicians (ICM) 1994, in Zurich, Switzerland. He was a post-doctoral fellow in France and Germany for three years. Several students are working with him on sponsored projects. His main area of research is Algebra and Cryptography