Efficient image encryption algorithm based on dynamic high-performance S-box and hyperchaotic system

Lű chaotic system is a three-dimensional chaotic system proposed based on Lorenz system and Chen system, as shown in equation (1). When (m, n, h) = (36,3,20), the system is in chaotic state.

$$\begin{eqnarray}&&\left\{\begin{array}{c}\mathop{x}\limits^{\bullet }=m\left(y-x\right)\\ \mathop{y}\limits^{\bullet }=hy-xz\\ \mathop{z}\limits^{\bullet }=-nz+xy\end{array}\right.\end{eqnarray} \tag{ 1 }$$

A new hyperchaotic system is constructed by adding dimensions and nonlinear feedback terms to the Lű chaotic system, as shown in equation (2).

$$\begin{eqnarray}&&\left\{\begin{array}{c}\mathop{x}\limits^{\cdot }=m\left(y-x\right)+pzy+w\\ \mathop{y}\limits^{\cdot }=hy-xz+w\\ \mathop{z}\limits^{\cdot }=-nz+xy-w\\ \mathop{w}\limits^{\cdot }=yz+qxy-kw\end{array}\right.\end{eqnarray} \tag{ 2 }$$

where m, n, h, p, q, k are the control parameters and x, y, z, w are the system variables. When (m, n, h, p, q, k) = (36, 3, 20, 0.6, 2, 2), the system is a hyperchaotic system and has chaotic properties.

The Lyapunov exponent (LE) is a value that theoretically quantifies how fast the orbits diverge or contract in phase space. To ensure the unpredictability of the system, the more divergent the orbits are, the better, which means that the larger value of the Lyapunov exponent the more chaotic the system is. As shown in figure 1, the LE values of the Lű system with (m, n, h)=(36,3,20) and the new four-dimensional hyperchaotic system with (m, n, h, p, q, k)=(36,3,20,0.6,2,2) are plotted against time.

Zoom In Zoom Out Reset image size

The three LE values of the Lű system are LE1 = 1.336, LE2 = 0, and LE3=−20.338. The four LE values of the new four-dimensional hyperchaotic system are LE1 = 5.468, LE2 = 0.008, LE3 = 0, and LE4=−26.189. The maximum LE value of the Lű system is smaller than that of the new four-dimensional hyperchaotic system, which means that the dynamical property of the new four-dimensional hyperchaotic system are more complicated.

Poincaré section is a two-dimensional graph obtained by intercepting the continuous trajectory using section. The morphology of the trajectory motion can be determined from the trajectories on the Poincaré section. If there are a large number of dense points that aggregate into fractal structure on the Poincaré section, the system is chaotic. The Poincaré section of the new four-dimensional chaotic system is shown in figure 2.

Zoom In Zoom Out Reset image size

From figure 2, it can be observed that the four-dimensional hyperchaotic system has a large number of dense points that aggregate into fractal structure on the section. So the new system proposed in this paper is chaotic.

Chaotic systems include dissipative systems and conservative systems, where unique attractors exist in dissipative systems and do not exist in conservative systems. The total energy of the dissipative system changes as time changes. Equations (3) and (4) is used to judge whether the system is dissipative. When the volume element ${\rm{\nabla }}\cdot f\lt 0,$ the system is a dissipative chaotic system. When the volume element ${\rm{\nabla }}\cdot f=0,$ the system is a conservative chaotic system.

$$\begin{eqnarray}&&F=\left[\begin{array}{c}{f}_{1}\left(x,y,z,w\right)\\ {f}_{2}\left(x,y,z,w\right)\\ {f}_{3}\left(x,y,z,w\right)\\ {f}_{4}\left(x,y,z,w\right)\end{array}\right]=\left[\begin{array}{c}m\left(y-x\right)+pzy+w\\ hy-xz+w\\ -nz+xy-w\\ yz+qxy-kw\end{array}\right]\end{eqnarray} \tag{ 3 }$$

$$\begin{eqnarray}&&\left\{\begin{array}{c}{\rm{\nabla }}\cdot f=\displaystyle \frac{\partial {f}_{1}}{\partial x}+\displaystyle \frac{\partial {f}_{2}}{\partial y}+\displaystyle \frac{\partial {f}_{3}}{\partial z}+\displaystyle \frac{\partial {f}_{4}}{\partial w}\\ V\left(t\right)={e}^{{\rm{\nabla }}\cdot ft}\end{array}\right.\end{eqnarray} \tag{ 4 }$$

The volume element of the new hyperchaotic system is calculated to be ${\rm{\nabla }}\cdot f=-m-n-k$ = $-36+20-3-2$ = $-21\lt 0,$ which means that there are unique attractors in the new hyperchaotic system and the phase space volume tends to 0 at the rate of ${e}^{-21t}.$ This new hyperchaotic system is a dissipative system with unique attractors.

The fractal dimension is the infinite multilayer self-similar shape of the unique attractor in the chaotic system. According to the Kaplan York conjecture, the calculation method for fractal dimension is shown in equation (5).

$$\begin{eqnarray}&&FD=j+\displaystyle \frac{\displaystyle {\sum }_{i=1}^{j}L{E}_{i}}{| L{E}_{j+1}| }\end{eqnarray} \tag{ 5 }$$

where j is the maximum value that satisfies $\displaystyle {\sum }_{i=1}^{j}L{E}_{i}\gt 0.$

The fractional dimension of the new hyperchaotic system is calculated to be a fraction of $FD=3+\displaystyle \frac{5.468+0.008+0}{| -26.189| }=3.209$ and $3\lt FD\lt 4.$ Therefore, the new system is a four-dimensional hyperchaotic system with unique attractors.

Since this hyperchaotic system is a dissipative system, there will be infinite self-similar structures in the phase space and the volume of the phase space will keep decreasing and eventually converge to a set, which is the unique attractor. For four-dimensional hyperchaotic system, the phenomenon can be macroscopically observed in three dimensions as well as in two-dimensional phase space.

The projection of the attractor of the new four-dimensional hyperchaotic system on the plane is shown in figure 3.

Zoom In Zoom Out Reset image size

When the equilibrium point has a positive eigenvalue, it is called an unstable equilibrium point. The new hyperchaotic system equations were solved according to equation (6), and four sets of solutions were obtained: (−7.6483, −6.0, 15.9436, −1.9411), (0, 0, 0, 0), (−20, −45.0, 0, 900), and (0.4483, −6.0, −35.5800, 104.0502). By using Jacobi matrix, the eigenvalues of the fourth set of solutions are (26.2549, 2.1732, −4.7459, −44.6822). There are positive and negative real numbers in the eigenvalues, so this hyperchaotic system has unstable saddle point.

$$\begin{eqnarray}&&\left\{\begin{array}{c}36\left(y-x\right)+0.6zy+w=0\\ 20y-xz+w=0\\ -3z+xy-w=0\\ yz+2xy-2w=0\end{array}\right.\end{eqnarray} \tag{ 6 }$$

Initial value sensitivity refers to the fact that even if the initial value changes very slightly, the results obtained over time can be completely different.

As shown in figure 4, the four variables x, y, z, w all appear to have different chaotic trajectories at t<10 after adding 10¹⁴. This new hyperchaotic system possesses initial value sensitivity.

Zoom In Zoom Out Reset image size

In order to apply the pseudo-random sequence generated by the chaotic system to the encryption process, it is necessary to discretize pseudo-random sequence. We use SP800-22 to test whether discretized sequence is a random sequence. The discretization equation is shown in equation (7).

$$\begin{eqnarray}&&\left\{\begin{array}{c}{x}_{i}=floor\left({x}_{i}\times {10}^{12}\right)\mathrm{mod}\,256\\ {y}_{i}=floor\left({y}_{i}\times {10}^{12}\right)\mathrm{mod}\,256\\ {z}_{i}=floor\left({z}_{i}\times {10}^{12}\right)\mathrm{mod}\,256\\ {w}_{i}=floor\left({w}_{i}\times {10}^{12}\right)\mathrm{mod}\,256\end{array}\right.\end{eqnarray} \tag{ 7 }$$

Take 100 sets of 1,000,000 bits of the discretized pseudo-random sequences generated by the new hyperchaotic system for testing. From table 1, we can see that the 15 tests are successfully passed.

In summary, the newly proposed four-dimensional system is a hyperchaotic system with complex dynamics, unique attractors, unstable equilibrium points, initial value sensitivity and the ability to generate pseudo-random sequences, which is suitable for application in image encryption and decryption.

Let S(x) denote the value in the S-box and x denote the position. As shown in figure 5, a new general structure is designed to generate a high-performance S-box. The expression that generates the high-performance S-box is shown in equation (8), where $b\ne c,$ $b\in {{\mathbb{Z}}}_{256},$ $c\in {{\mathbb{Z}}}_{256}.$

$$\begin{eqnarray}&&S\left(x\right)=\left\{\begin{array}{c}{\left(Ax+b\right)}^{-1}\left(Ax+c\right),\,{\rm{others}}\\ 1\,,\,Ax+b=0\end{array}\right.\end{eqnarray} \tag{ 8 }$$

Zoom In Zoom Out Reset image size

The expression of an eighth irreducible binary polynomial is {${d}_{8}{x}^{8}+{d}_{7}{x}^{7}+{d}_{6}{x}^{6}$ + ${d}_{5}{x}^{5}+{d}_{4}{x}^{4}+{d}_{3}{x}^{3}$ + ${d}_{2}{x}^{2}+{d}_{1}{x}^{1}+1$}, where ${d}_{i}\in \{0,1\}.$ There are 30 eighth irreducible binary polynomials. The maximum nonlinearity of the 30 irreducible binary polynomials is 112 [35], and the corresponding irreducible binary polynomials are 'x⁸+x⁴+x³+x+1', 'x⁸+x⁶+x⁵+x+1', and 'x⁸+x⁷+x⁶+x⁵+x⁴+x+1', as shown in table 2.

The expression of the affine transformation defined on GF(2) is y = Ax+b, where A is the 8 $\times$ 8 invertible matrix and b is a constant of 8 bits. A₁, A₂ and A₃ are relatively good affine matrices [36, 37], and their corresponding affine transformations are equations (9)–(11), respectively. Assuming that A is taken as A₁ and b is taken as 45, the corresponding affine transformations are equation (12).

$$\begin{eqnarray*}&&{{\rm{A}}}_{1}=\left[\begin{array}{c}{\rm{11000001}}\\ {\rm{11100000}}\\ {\rm{01110000}}\\ {\rm{00111000}}\\ {\rm{00011100}}\\ {\rm{00001110}}\\ {\rm{00000111}}\\ {\rm{10000011}}\end{array}\right]{{\rm{A}}}_{2}=\left[\begin{array}{c}{\rm{11001011}}\\ {\rm{11100101}}\\ {\rm{11110010}}\\ {\rm{01111001}}\\ {\rm{10111100}}\\ {\rm{01011110}}\\ {\rm{00101111}}\\ 1{\rm{0010111}}\end{array}\right]{{\rm{A}}}_{3}=\left[\begin{array}{c}{\rm{00101111}}\\ {\rm{10010111}}\\ {\rm{11001011}}\\ {\rm{11100101}}\\ 1{\rm{1110010}}\\ 01{\rm{111001}}\\ 101{\rm{11100}}\\ {\rm{0}}101{\rm{1110}}\end{array}\right]\end{eqnarray*}$$

$$\begin{eqnarray}&&{y}_{i}={x}_{i}\oplus {x}_{\left(i+1\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+7\right)\mathrm{mod}\,8}\oplus {c}_{i}\end{eqnarray} \tag{ 9 }$$

$$\begin{eqnarray}&&{y}_{i}={x}_{i}\oplus {x}_{\left(i+1\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+2\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+4\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+7\right)\mathrm{mod}\,8}\oplus {c}_{i}\end{eqnarray} \tag{ 10 }$$

$$\begin{eqnarray}&&{y}_{i}={x}_{\left(i+1\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+2\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+3\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+4\right)\mathrm{mod}\,8}\oplus {x}_{\left(i+6\right)\mathrm{mod}\,8}\oplus {c}_{i}\end{eqnarray} \tag{ 11 }$$

$$\begin{eqnarray}&&y=\left[\begin{array}{c}{y}_{7}\\ {y}_{6}\\ {y}_{5}\\ {y}_{4}\\ {y}_{3}\\ {y}_{2}\\ {y}_{1}\\ {y}_{0}\end{array}\right]=\left[\begin{array}{c}{\rm{11000001}}\\ {\rm{11100000}}\\ {\rm{01110000}}\\ {\rm{00111000}}\\ {\rm{00011100}}\\ {\rm{00001110}}\\ {\rm{00000111}}\\ {\rm{10000011}}\end{array}\right]\left[\begin{array}{c}{x}_{7}\\ {x}_{6}\\ {x}_{5}\\ {x}_{4}\\ {x}_{3}\\ {x}_{2}\\ {x}_{1}\\ {x}_{0}\end{array}\right]+\left[\begin{array}{c}0\\ 0\\ 1\\ 0\\ 1\\ 1\\ 0\\ 1\end{array}\right]\end{eqnarray} \tag{ 12 }$$

To generate S-boxes with better performance, the irreducible binary polynomials (283, 355, 499) and affine matrices (A₁, A₂, A₃) are combined and applied to equation (8), respectively. Under different combinations of irreducible polynomials and affine matrices, 1000 S-boxes are generated by taking $b\in {{\mathbb{Z}}}_{100},$ $c\in \{c| 101\leqslant c\leqslant 110,c\in {\mathbb{Z}}\}$ and the average value of S-box performance is calculated. As shown in table 3, there are nine combinations.

According to the comparison results in table 3, the irreducible binary polynomial is chosen as x⁸+x⁷+x⁶+x⁵+x⁴+x+1 (499), and the affine matrix is chosen as A₁.

By changing the values of the constants $b,c\in {{\mathbb{Z}}}_{256},$ different high-performance S-boxes can be generated. Generating S-boxes mainly consists of three operations on GF(2⁸): affine multiplication Ax, multiplication inverse, and multiplication operations. Because A is fixed A₁ and $x\in {{\mathbb{Z}}}_{256},$ affine multiplication has 256 items of data. The multiplication inverse on GF(2⁸) also has 256 items of data. The multiplication operation can be simplified as a combination of time operations, then the results of multiplying $x\in {{\mathbb{Z}}}_{256}$ and $x\in \{1,2,4,8,16,32,64,128\}$ contains 2048 items of data. As shown in table 4, the average time taken for the 256 times direct calculation and for the 256 times calculations with the help of the precomputing data is obtained by repeating 100 times.

It can be observed from table 4 that multiplication inverse saves the most time, followed by affine multiplication and finally multiplication operation. Considering the balance between speed and memory, the data of affine multiplication and the data of multiplication inverse are selected to save, corresponding to tables 5 and 6, so that S-boxes can be generated dynamically.

A flow chart for dynamically generating high-performance S-box is shown in figure 6. The specific steps are shown as follows.

Zoom In Zoom Out Reset image size

Step 1: Parameter input. Enter the values of parameters b, c, where $b\ne c,$ $b,c\in {{\mathbb{Z}}}_{256}.$

Step 2: Initialize the S-box. Initialize the S-box in the order of {0,1,2,...,255}.

Step 3: Affine multiplication. The result of multiplying the element x with the affine matrix A₁ is found in table 5, then the number B at position x of table 5 is the result of affine multiplication.

Step 4: XOR. M is the result of B xor parameter b. E is the result of B xor parameter c.

Step 5: Multiplication inverse. Calculate multiplication inverse D of M according to table 6.

Step 6: Multiply. The final result S(x) is obtained by multiplying E with D under GF(2⁸), and the irreducible polynomial is selected to be x⁸+x⁷+x⁶+x⁵+x⁴+x+1.

Step 7: Determine if all x have been processed. if not, turn to Step 3. Otherwise, Sbox is obtained.

When b = 5 and c = 22, the resulting S-box Sbox1 is shown in table 7.

Bijectivity means that the S(x) obtained for any x is unique, and similarly for any one S(x) the obtained x is unique. We can know from table 7 that the 256 values in Sbox1 are non-repeating integer arrangements in the range [0,255], and the S-boxes all satisfy the bijection property.

If S(x)=x, then position x is a fixed point of the S-box. Fixed points can cause threat to the security of the algorithm, so the existence of fixed points should be reduced. From table 7, we can get that there is no fixed point in Sbox1.

For all elements in S(x), if satisfied ${S}^{n}(x)=x,$ n is the iteration period of x. The maximum value of n is 256, the minimum value of n is 1. The smallest positive integer n is taken as the iteration period of the S(x). The formula for calculating the iteration period of S(x) is shown in equation (13).

$$\begin{eqnarray}&&Period=\mathop{\min }\limits_{x\in {{\mathbb{Z}}}_{2}^{m}}\left(\left\{n| {S}^{n}\left(x\right)=x,n\in {\mathbb{Z}}\right\}\right)\end{eqnarray} \tag{ 13 }$$

After calculation, the iteration period of all elements in Sbox1 is 256. Therefore, S-box have long iteration periods.

The insertion attack is effective against block ciphers with few algebraic expression terms and low algebraic degree. In order to prevent insertion attacks, the algebraic expression of the S-box should be made to have the highest algebraic degree as well as the highest number of terms. We use the algebraic representation of the elemental components [38] to calculate the algebraic expression of the S-box.

When irreducible polynomial is x⁸+x⁷+x⁶+x⁵+x⁴+x+1:

$$\begin{eqnarray*}&&\begin{array}{c}\left[\begin{array}{c}{x}_{0}\\ {x}_{1}\\ {x}_{2}\\ {x}_{3}\\ {x}_{4}\\ {x}_{5}\\ {x}_{6}\\ {x}_{7}\end{array}\right]\,=\left[\begin{array}{llllllll}49 & 216 & 174 & 203 & 88 & 27 & 182 & 120\\ 208 & 238 & 99 & 135 & 160 & 159 & 19 & 246\\ 104 & 194 & 25 & 178 & 104 & 194 & 25 & 178\\ 52 & 201 & 92 & 11 & 69 & 185 & 45 & 123\\ 43 & 111 & 215 & 251 & 129 & 180 & 124 & 33\\ 221 & 191 & 57 & 152 & 6 & 20 & 227 & 50\\ 166 & 139 & 240 & 196 & 13 & 81 & 90 & 31\\ 98 & 134 & 161 & 158 & 18 & 247 & 209 & 239\end{array}\right]\left[\begin{array}{c}x\\ {x}^{2}\\ {x}^{4}\\ {x}^{8}\\ {x}^{16}\\ {x}^{32}\\ {x}^{64}\\ {x}^{128}\end{array}\right]\end{array}\end{eqnarray*}$$

$$\begin{eqnarray*}Ax=\left[\begin{array}{llllllll}131 & 176 & 108 & 210 & 234 & 115 & 116 & 97\\ 137 & 244 & 212 & 254 & 144 & 70 & 188 & 60\\ 140 & 229 & 38 & 62 & 141 & 228 & 39 & 63\\ 119 & 100 & 146 & 66 & 172 & 207 & 72 & 232\\ 194 & 25 & 178 & 104 & 194 & 25 & 178 & 104\\ 80 & 91 & 30 & 167 & 138 & 241 & 197 & 12\\ 25 & 178 & 104 & 194 & 25 & 178 & 104 & 194\\ 245 & 213 & 255 & 145 & 71 & 189 & 61 & 136\end{array}\right]\left[\begin{array}{c}x\\ {x}^{2}\\ {x}^{4}\\ {x}^{8}\\ {x}^{16}\\ {x}^{32}\\ {x}^{64}\\ {x}^{128}\end{array}\right]\end{eqnarray*}$$

After calculation, we can get $Ax=6x+36{x}^{2}+238{x}^{4}+23{x}^{8}+94{x}^{16}+229{x}^{32}+82{x}^{64}+177{x}^{128}$

So when b = 5, c = 22,

$$\begin{eqnarray*}&&\begin{array}{c}S\left(x\right)={\left(Ax+b\right)}^{-1}\left(Ax+c\right)={\left(Ax+b\right)}^{254}\left(Ax+c\right)\,=\\ 96+43x+231{x}^{2}+\mathrm{..}.+167{x}^{253}+41{x}^{254}\end{array}\end{eqnarray*}$$

The algebraic expression of Sbox1 has 255 terms and the maximum degree of this is 254, reaching the maximum number of terms and the maximum degree. Sbox1 algebraic expression coefficient matrix is shown in table 8.

Linear attacks are one of the common attacks. This paper measures the ability of S-box to resist linear attacks by nonlinearity(NL) and Linear approximation probability(LP).

After calculation, the eight nonlinearities of both Sbox1 and the average of 1000 dynamic S-boxes are 112,112,112,112,112,112,112,112. The LP of both Sbox1 and the average of 1000 dynamic S-boxes is 0.0625, which means that the dynamic S-boxes generated in this paper has strong resistance to linear attacks.

Differential attack is used to break the cipher algorithm by analyzing the effect of the difference of the plaintext pair on the difference of the ciphertext pair. The differential uniformity is calculated as in equation (14).

$$\begin{eqnarray}&&DU=\mathop{\max }\limits_{{\rm{\Delta }}x\ne 0,{\rm{\Delta }}y}\left(\#\left\{x\in S\left(x\right)| S\left(x\right)\oplus S\left(x\oplus \bigtriangleup x\right)=\bigtriangleup y\right\}\right)\end{eqnarray} \tag{ 14 }$$

where ${\rm{\Delta }}x$ and ${\rm{\Delta }}y$ represent the input differential value and the output differential value, respectively. The smaller the differential uniformity, the better the S-box performance.

After calculation, the differential uniformity of both Sbox1 and the average of 1000 dynamic S-boxes is 4, which means that the dynamic S-boxes has strong resistance to differential attacks.

The strict avalanche criterion means that any input bit changes with a change probability of 0.5 for each output bit. The SAC correlation matrix is calculated as in equation (15).

$$\begin{eqnarray}&&{P}_{t,i}\left(f\right)={2}^{-n}\displaystyle \displaystyle \sum _{x\in {{\mathbb{Z}}}_{2}^{n}}{f}_{i}\left(x\right)\oplus {f}_{i}\left(x\oplus {e}_{t}\right)\end{eqnarray} \tag{ 15 }$$

where ${e}_{t}=1\lt \,\lt t,\,t\in {{\mathbb{Z}}}_{m}.$ Let offset denote the average distances between all values in the SAC correlation matrix and 0.5. The smaller the offset is, the better of S-box performance is.

The SAC correlation matrix for Sbox1 is shown in table 9. The offset of Sbox1 is 0.0291. The offset average of 1000 dynamic S-boxes is 0.0268. Therefore, the S-boxes generated by the dynamic high-performance S-box generation algorithm satisfy the strict avalanche criterion.

The bits independence criterion of S-box is measured by the nonlinearity BIC_NL and strict avalanche criterion BIC_SAC of ${f}_{i}\left(x\right)\oplus {f}_{j}\left(x\right)$ $\left(0\leqslant i,j\lt m\right),$ where ${f}_{i}\left(x\right)$ and ${f}_{j}\left(x\right)$ belong to two different output bits of S(x). BIC_NL and BIC_SAC are calculated in a similar way as NL and SAC.

After calculation, the BIC_NL of both Sbox1 and the average of 1000 dynamic S-boxes is 112. The BIC_SAC of both Sbox1 and the average of 1000 dynamic S-boxes is 0.0105 and 0.0086. It means that the S-boxes generated by the dynamic high-performance S-box generation algorithm has good bits independence criterion.

From table 10, it can be observed that the performance of Sbox1 and 1000 S-boxes generated by the dynamic S-box generation algorithm proposed in this paper is superior to that of other literature S-boxes.

CKey₁, CKey₂, CKey₃ and CKey₄ are all 48bit. The four initial values x₀, y₀, z₀, w₀ of the hyperchaotic system are obtained by processing CKey_i according to equation (16).

$$\begin{eqnarray}&&\left\{\begin{array}{c}{x}_{0}=\displaystyle \frac{CKe{y}_{1}}{{10}^{14}}-\unicode{x0230A}\displaystyle \frac{CKe{y}_{1}}{{10}^{14}}\unicode{x0230B}\\ {y}_{0}=\displaystyle \frac{CKe{y}_{2}}{{10}^{14}}-\unicode{x0230A}\displaystyle \frac{CKe{y}_{2}}{{10}^{14}}\unicode{x0230B}\\ {z}_{0}=\displaystyle \frac{CKe{y}_{3}}{{10}^{14}}-\unicode{x0230A}\displaystyle \frac{CKe{y}_{3}}{{10}^{14}}\unicode{x0230B}\\ {w}_{0}=\displaystyle \frac{CKe{y}_{4}}{{10}^{14}}-\unicode{x0230A}\displaystyle \frac{CKe{y}_{4}}{{10}^{14}}\unicode{x0230B}\end{array}\right.\end{eqnarray} \tag{ 16 }$$

First, input the initial values x₀, y₀, z₀, w₀ to the hyperchaotic system and eliminate the first 5000 pseudo-random sequences, then generate b_i , c_i , $i\in \left\{1,2,3\right\}$ according to equation (7). Judge whether b_i is equal to c_i . If so, xor c_i with 1. Then loop input b_i , c_i to generate high-performance S-box. The pseudo code is shown in Algorithm 1.

Algorithm 1. Generate S-box algorithm.

Input:	bi , ci , $i\in \left\{1,2,3\right\}$
Output:	S-boxes S1, S2, S3
1:	for i = 1:3 do
2:	if bi = ci then
3:	${c}_{i}\leftarrow {c}_{i}\oplus 1$
4:	end if
5:	for x= 0:255 do
6:	if Ax + b = 0 then
7:	${S}_{i}\left(x\right)\leftarrow 1$
8:	else
9:	${S}_{i}\left(x\right)\leftarrow {\left(Ax+b\right)}^{-1}\left(Ax+c\right)$
10:	end if
11:	end for
12:	end for

Figure 11 shows that the encryption and decryption results of the color images: House, Baboon, San Diego and grayscale image: Airplane. The corresponding sizes of the images are $256\times 256,$ $512\times 512,$ $1024\times 1024,$ $256\times 256$ respectively. Visually, all ciphertext images appear snowflake-shaped, and plaintext pictures are the same with decrypted pictures.

Zoom In Zoom Out Reset image size

MSE and MSSIM are used to quantitatively measure the similarity between two images. The larger the MSE and the smaller the MSSIM, the greater difference between the two images. It can be observed from table 12 that plaintext images and ciphertext images are not similar, and plaintext images are the same with decrypted images.

Histogram is used to visualize the frequency distribution of each pixel value. The histograms of the four plaintext images and the corresponding ciphertext images are shown in figure 12. As can be observed from figure 12, the frequency of pixel values in plaintext images is not uniformly distributed, with peaks and valleys, while the frequency distribution of each pixel value in the ciphertext image connects into a line without large fluctuations. The ciphertext image generated by the proposed cipher algorithm has a uniform frequency distribution of pixel values and is resistant to statistical attacks.

Zoom In Zoom Out Reset image size

The information entropy can be used to quantitatively describe the randomness of the ciphertext. The closer the ciphertext information entropy is to 8, the less information is revealed by the ciphertext. The information entropy is calculated for the four plaintext images and the corresponding ciphertext images, and the results are shown in table 13. From table 13, we can see that the information entropy of the plaintext images is low, and the information entropy of the ciphertext images is high and close to the theoretical value.

As can be observed from table 14, the information entropy of the 512 × 512 color ciphertext image generated by the proposed algorithm is no less than that of algorithms [33, 46–48, 50]. The ciphertext image generated by proposed cipher algorithm is secure and randomized.

Adjacent pixel correlation is the elements correlation of horizontal, vertical, and diagonal. Adjacent pixel correlation can be used to check whether the ciphertext image will reveal information and contain laws. From figure 13, it can be observed that the adjacent pixels of the plaintext image are unevenly distributed with high correlation, and the pixels of the ciphertext image are evenly distributed over the whole plane with low correlation. Therefore, the proposed cipher algorithm can make adjacent pixel correlation of image lower.

Zoom In Zoom Out Reset image size

Zoom In Zoom Out Reset image size

The ability of cipher algorithms to resist differential attacks is measured by NPCR and UACI. NPCR is the data change rate of two pairs data at the same position, and UACI is the overall change rate of two pairs data.

From [51], the theoretical values of NPCR and UACI for images with maximum pixel value of 255 are μ_N = 99.6094% and μ_u = 33.4635%. The NPCR and UACI tests were most stringent when $\alpha =0.05.$ The NPCR and UACI thresholds corresponding to different image sizes at $\alpha =0.05$ are shown in table 15. When NPCR ≥ ${N}_{0.05}^{* },$ UACI $\in$ (${u}_{0.05}^{* -},$ ${u}_{0.05}^{* +}$), image passes NPCR and UACI tests.

Table 15. Thresholds about NPCR and UACI for different image sizes.

	NPCR(%)		UACI(%)
Image Size	${N}_{0.05}^{* }$	${\mu }_{N}$	${u}_{0.05}^{* -}$	${u}_{0.05}^{* +}$	${\mu }_{u}$
64 × 64	99.4491	99.6094	32.7389	34.1882	33.4635
128 × 128	99.5292	99.6094	33.1012	33.8259	33.4635
256 × 256	99.5693	99.6094	33.2824	33.6447	33.4635
512 × 512	99.5893	99.6094	33.3730	33.5541	33.4635
1024 × 1024	99.5994	99.6094	33.4183	33.5088	33.4635

The average of the corresponding NPCR and UACI obtained by repeating 100 times are shown in table 16 and all ciphertext images pass the NPCR and UACI tests.

As shown in table 17, the results of NPCR and UACI tests on 512*512 color images are compared with other literature. The NPCR of the proposed algorithm is closer to the theoretical value than that of other algorithms. The UACI is closer to the theoretical value than UACI of the literature [33, 46, 49, 50, 52]. Therefore, the proposed cryptographic algorithm is resistant to differential attacks.

Selective plaintext attack means that the attacker can know the ciphertext corresponding to any of the plaintexts, so the ciphertext with a regular pattern can be obtained by carefully constructing the contents of plaintext and be used to crack the cipher algorithm. The cipher images obtained by encrypting 512*512 all-black and all-white color images are analyzed to judge whether the proposed cipher algorithm can resist the selective plaintext attack. As shown in figure 14, the proposed algorithm is visually resistant to the selective plaintext attack.

Zoom In Zoom Out Reset image size

As shown in table 18, the white and black cipher images still have high security, which means that the cryptographic algorithm proposed in this paper can resist selective plaintext attack.

The key size for the proposed cipher algorithm is 192bit which is exceeds 128, so the proposed cipher algorithm can resist brute-force attack.

Key sensitivity refers to two aspects: one is decryption sensitivity: a small change in the key will make the decrypted image of the ciphertext image different from the plaintext image; The second is encryption sensitivity: small changes in the key will cause the ciphertext image to be different. The proposed algorithm sets up three 192-bit keys K₁, K₂ and K₃, of which K₁ is only 1 bit different from K₂ and K₃.

K₁= 210CD20802249A787989BCD0774428912873145693293AB3

K₂= 310CD20802249A787989BCD0774428912873145693293AB3

K₃= 210CD20802249A787989BCD0774428912873145693293AB2

As shown in figure 15, visually, the ciphertext image obtained by using key K₁ encryption can only be decrypted by the original key K₁ and cannot be decrypted by using keys K₂ and K₃. The key of the proposed cipher algorithm has decryption sensitivity.

Zoom In Zoom Out Reset image size

PSNR is used to measure whether two pairs data are similar or not. The encryption sensitivity is measured by NPCR, UACI, PSNR and MSSIM. The closer the NPCR is to 99.6094%, the closer the UACI is to 33.4635%, and the smaller the PSNR and MSSIM are, the more sensitive the key is.

Suppose that the encrypted images obtained by keys K₁, K₂ and K₃ are E₁, E₂ and E₃, respectively. As shown in table 19, the values indicate that a mere 1bit change in the key can also cause the ciphertext image to be very different, so the key of the proposed image cipher algorithm has encryption sensitive.

In order to verify the efficiency of the proposed image cipher algorithm, the average time to encrypt the same color image and same grayscale image of size 256 × 256, 512 × 512, 1024 × 1024 repeated 100 times is compared and the results are shown in table 20. From table 20, it can be observed that the proposed image cipher algorithm has high efficiency in processing both grayscale and color images at different scales.