Information Sciences 181 (2011) 1171–1186

Contents lists available at ScienceDirect

Information Sciences
journal homepage: www.elsevier.com/locate/ins

A chaos-based symmetric image encryption scheme using

a bit-level permutation
Zhi-liang Zhu a, Wei Zhang c,⇑, Kwok-wo Wong b, Hai Yu a
a
Software College, Northeastern University, No. 11, Lane 3, WenHua Road, Shenyang, Liaoning, China
b
Department of Electronic Engineering, City University of Hong Kong, 83 Tat Chee Avenue, Kowloon Tong, Hong Kong
c
College of Information Science and Engineering, Northeastern University, No.11, Lane 3, WenHua Road, Shenyang, Liaoning, China

a r t i c l e i n f o a b s t r a c t

Article history: In recent years, a variety of chaos-based digital image encryption algorithms have been sug-
Received 9 July 2009 gested. Most of these algorithms implement permutations and diffusions at the pixel level
Received in revised form 4 November 2010 by considering the pixel as the smallest (atomic) element of an image. In fact, a permutation
Accepted 8 November 2010
at the bit level not only changes the position of the pixel but also alters its value. Here we
propose an image cryptosystem employing the Arnold cat map for bit-level permutation
and the logistic map for diffusion. Simulations have been carried out and analyzed in detail,
Keywords:
demonstrating the superior security and high efficiency of our cryptosystem.
Bit-level permutation
Chaos
Crown Copyright Ó 2010 Published by Elsevier Inc. All rights reserved.
Cryptography
Image encryption

1. Introduction

Information security plays a significant role in all fields, especially those related to confidential business or military af-
fairs. This topic is not new and can be traced back to Shannon’s classic paper [18]. In recent years, this has attracted increas-
ing research attention [2–11,19,23]. Due to some interesting intrinsic features such as ergodicity, sensitivity to initial
conditions and system parameters, the use of chaotic systems for data encryption has been studied extensively
[3,6–10,15–17,20–22,24,26]. Chaos-based algorithms have shown exceptionally superior properties in aspects such as secu-
rity and complexity [3].
The existing chaos-based image cryptosystems can be classified into two categories. In the first category, a pixel is con-
sidered as the smallest element, and a digital image is considered as a collection of pixels. However, in the second class, a
pixel can be further divided into a number of bits, on which bit-level operations are performed. For example, a pixel in a
grey-scale image usually consists of 8 bits, but these bits carry different amount of information. In [22], Xiang et al. proposed
a selective image encryption algorithm that only encrypts the four higher bits of each pixel and leaves the lower four bits
unchanged. This algorithm has a reduced execution time because it only encrypts half of the bits.
In [25], a typical bit-level cipher called Bit Recirculation Image Encryption (BRIE) was suggested. Its two-dimensional ver-
sion, Two-Dimension Circulation Encryption Algorithm (TDCEA), was studied in [4]. In TDCEA, eight consecutive pixels are
treated as a group and the corresponding 64 bits form a matrix M of size 8  8. There are two kinds of bit rotation operating
on M. They are defined as follows:

1. In the horizontal direction, X p;r

i denotes the cyclic shift of the ith row of the matrix to the left (when p = 1) or the right
(when p = 0) by r bits.

⇑ Corresponding author. Tel.: +86 13998228657.

E-mail address: [email protected] (W. Zhang).

0020-0255/$ - see front matter Crown Copyright Ó 2010 Published by Elsevier Inc. All rights reserved.
doi:10.1016/j.ins.2010.11.009
1172 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

2. In the vertical direction, Y q;s

j denotes the cyclic shift of the jth column of the matrix upwards (when q = 1) or downwards
(when q = 0) by s bits.

The coefficients p, q, r, and s of the two rotation operations are governed by a logistic map. These operations are applied to
each binary matrix, which contains 8 consecutive pixels. The encryption is complete when all the pixels have been
processed.
Because cyclic bit shift is the only encryption operation in both BRIE and TDCEA, these two ciphers belong to the class of
permutation-only ciphers which are insecure under a known/chosen-plaintext attack [13]. In fact, BRIE and TDCEA are crypt-
analyzed in [14] and [12], respectively. Some of the natural defects of these two ciphers include the following [12]. First of all,
the values of some pixels remain unchanged or have a similar value after bit rotation, which results in some subregions
emerging in the cipher-image. For example, when the bits in a plain-image pixel are all 1 or 0, the TDCEA cryptosystem does
not work. Second, due to the high correlation property of a meaningful image, adjacent pixels in a subregion usually have the
same or similar values. This results in similar pixels in the cipher-image, even after bit rotation. As a result, the boundary of
such a subregion remains visible.
In TDCEA, all the elements are relocated in the binary matrix, but the value of each element is not modified. As a conse-
quence, the statistical information of the binary matrix is unchanged after encryption. Furthermore, the mapping between an
element in the plain-image matrix and the corresponding element in the cipher-image matrix can be considered as a bijec-
tion, which can be easily identified by a known/chosen plaintext attack. Given a sufficient number of pairs of a known plain-
image and the corresponding cipher-image, the original and the new locations of each element can be traced to recover the
permutation matrix. The cryptosystem is effectively broken once this matrix is constructed. In [12], only 7 plain-image and
corresponding cipher-image pairs are required to break TDCEA via a known plaintext attack. The computational complexity
is O(16(n + 15)MN), where n is the number of known plain-images, and M and N are the width and height of the image,
respectively.
2 3
1 1 1 1 1 1 1 1
60 0 0 0 0 0 0 07
6 7
6 7
60 0 0 0 0 0 0 07
6 7
60 0 0 0 0 0 0 07
6 7
M 0;k ¼6 7: ð1Þ
60 0 0 0 0 0 0 07
6 7
60 0 0 0 0 0 0 07
6 7
6 7
40 0 0 0 0 0 0 05
0 0 0 0 0 0 0 0
2 3
1 0 0 0 0 0 0 0
61 0 0 0 0 0 0 07
6 7
6 7
61 0 0 0 0 0 0 07
6 7
61 0 0 0 0 0 0 07
6 7
M 1;k ¼6 7: ð2Þ
61 0 0 0 0 0 0 07
6 7
61 0 0 0 0 0 0 07
6 7
6 7
41 0 0 0 0 0 0 05
1 0 0 0 0 0 0 0
A chosen plaintext attack on TDCEA is also proposed in [12]. The bit rotation operation in each binary matrix is divided into 8
column rotations in the vertical direction and 8 row rotations in the horizontal direction. The two chosen plain-images are
given by Eqs. (1) and (2). By comparing M0,k and its corresponding cipher-image M 00;k , the vertical permutation matrix can be
worked out. Similarly, the horizontal permutation matrix can be recovered by comparing M1,k and its corresponding cipher-
image M01;k . The final permutation matrix, which is considered as an equivalent key, is constructed by combining the two
permutation matrices. The computational complexity of this attack is O(17MN).
Due to the vulnerability of permutation-only ciphers to known/chosen plaintext attacks, an architecture for a chaos-based
image cryptosystem was suggested by Fridrich [7]. Under this architecture, permutations and diffusions are performed sev-
eral times in alternation to achieve a satisfactory security level. As an image can be considered as a 2-D array of pixels, 2-D or
3-D chaotic maps are naturally employed in the permutation stage, where all the plain-image pixels are relocated using the
chaotic map [3,6,17]. In the diffusion stage, the value of each pixel is modified sequentially so as to spread its information to
other pixels [7]. In [24], Xiao et al. used an Arnold cat map to permute the pixels and the Chen system to change the value of
each pixel in a sequential manner. Lian et al. employed the 2-D standard map in the permutation stage and the logistic map
for diffusion [16].
This paper is organized as follows. In the next section, the idea of a bit-level permutation is introduced with a simple
example. The proposed image cryptosystem is described in Section 3. Simulation results and performance analyses are re-
ported in Section 4. In the last section, a conclusion is drawn.
 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1173

2. Bit-level permutation

A classical architecture using chaotic maps for image encryption is shown in Fig. 1.
A grey-level image consists of a group of pixels. Each pixel can be considered as a vector ~ p. For example, an image with
size N  N corresponds to the set of vectors f~ pi ¼ ðxi ; yi ; v aluei Þ, where xi and yi represent the x and y
pi g; 0 6 i 6 N  N  1; ~
coordinates of the pixel, respectively, and valuei is the grey level of the pixel. According to Fig. 1, all the pixels are permuted
in the confusion stage. As the pixels at different locations are exchanged, this is equivalent to encrypting the (xi, yi) coordinate
pair. In the diffusion phase, these N  N pixels are considered as a 1-D sequence, and each pixel value is modified one after
another according to the chaotic sequence. When these two operations are repeated several times, the pixel vector set f~ pi g
has been changed substantially, and the encryption is complete.
Wong et al. observed that the execution time of a diffusion round is much longer than that required by a permutation
[21]. They introduced the ‘‘add-and-then-shift’’ process to include a certain diffusion effect in the permutation stage. Sim-
ulation results show that this approach is more efficient [21] because fewer overall rounds are required if the pixel value
is allowed to change in the confusion phase. Moreover, the pixel value is modified in both the confusion and the diffusion
stages. Hence, the cryptanalysis becomes more difficult.
Conventional confusion operations usually swap two pixels. In other words, the information at these two locations is ex-
changed. It is worthwhile to investigate whether this operation can be performed at the bit level instead. This means that we
not only permute the pixels, but also the bits within the pixel. If a bit in a pixel is exchanged with a bit in another pixel,
information in the two pixels is exchanged and their values are modified. As a result, a single bit-level permutation possesses
the effects of both confusion and diffusion.
The bit-level permutation operation is defined as follows. Suppose that there is a pixel sequence seq with length l, as given
by Eq. (3).

seq ¼ fpð1Þ; pð2Þ; pð3Þ; . . . ; pðlÞg; ð3Þ

where p(i) is the grey value of the ith pixel, i 2 [1, l]. Because each pixel is composed of 8 bits, p(i) is a bit sequence from lower
to higher bits, as stated in Eq. (4).

pðiÞ ¼ fbi1 ; bi2 ; bi3 ; bi4 ; bi5 ; bi6 ; bi7 ; bi8 g; ð4Þ
where bij is the value of the jth bit in the ith pixel, bij = 0 or 1, j 2 [1, 8].
We substitute Eq. (4) into Eq. (3) and transform the sequence seq to a 2-D binary matrix using Eq. (5).
2 3
b11 b21    bl1
6b b22    bl2 7
6 12 7
Matrix bits ¼ 6
6 .. .. .. .. 7
7: ð5Þ
4 . . . . 5
b18 b28    bl8
In Eq. (5), the ith column contains the eight bits of p(i), and the jth row of the matrix is the set of the jth bits of all the pixels,
0
j 2 [1, 8]. The key point of bit-level confusion is to permute each row of Matrix_bits, and the permuted pixel p (i) is composed
of 8 recombined bits, as given by Eq. (6).
 0 0 0 0 0 0 0 0 
p0 ðiÞ ¼ bi1 ; bi2 ; bi3 ; bi4 ; bi5 ; bi6 ; bi7 ; bi8 ; ð6Þ
0
where bij is selected from {b1j,b2j, b3j, b4j, . . . , blj}.
To illustrate this bit-level permutation, we choose for example l = 9. This means that 9 pixels form a group, and the cor-
responding matrix is shown in Fig. 2. The notation a[i][j] represents the jth bit value of the ith pixel, where a[i][j] = 0 or 1,
i = 1, 2, 3, . . . , 9, j = 1, 2, 3, . . . , 8. In conventional pixel-level permutation, the 8 bits of a pixel are treated as a group. In other

m rounds

n rounds

Diffusion
Confusion
(Sequential Pixel Value
Plain-Image (Position Permutation) Cipher-Image
Modification)

Seed Key Key Generator

Fig. 1. A classic image encryption architecture.

1174 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

1st bit a[1][1] a[2][1] a[3][1] a[4][1] a[5][1] a[6][1] a[7][1] a[8][1] a[9][1]

2nd bit a[1][2] a[2][2] a[3][2] a[4][2] a[5][2] a[6][2] a[7][2] a[8][2] a[9][2]

3rd bit a[1][3] a[2][3] a[3][3] a[4][3] a[5][3] a[6][3] a[7][3] a[8][3] a[9][3]

4th bit a[1][4] a[2][4] a[3][4] a[4][4] a[5][4] a[6][4] a[7][4] a[8][4] a[9][4]

5th bit a[1][5] a[2][5] a[3][5] a[4][5] a[5][5] a[6][5] a[7][5] a[8][5] a[9][5]

6th bit a[1][6] a[2][6] a[3][6] a[4][6] a[5][6] a[6][6] a[7][6] a[8][6] a[9][6]

7th bit a[1][7] a[2][7] a[3][7] a[4][7] a[5][7] a[6][7] a[7][7] a[8][7] a[9][7]

8th bit a[1][8] a[2][8] a[3][8] a[4][8] a[5][8] a[6][8] a[7][8] a[8][8] a[9][8]

Pixel 1 Pixel 2 Pixel 3 Pixel 4 Pixel 5 Pixel 6 Pixel 7 Pixel 8 Pixel 9

Fig. 2. Original bit arrangement for the nine pixels.

1st bit a[8][1] a[6][1] a[4][1] a[3][1] a[7][1] a[2][1] a[1][1] a[9][1] a[5][1]

2nd bit a[1][2] a[4][2] a[2][2] a[9][2] a[8][2] a[5][2] a[7][2] a[6][2] a[3][2]

3rd bit a[9][3] a[3][3] a[7][3] a[1][3] a[4][3] a[8][3] a[6][3] a[2][3] a[5][3]

4th bit a[6][4] a[4][4] a[2][4] a[9][4] a[7][4] a[1][4] a[5][4] a[3][4] a[8][4]

5th bit a[3][5] a[7][5] a[8][5] a[4][5] a[1][5] a[6][5] a[9][5] a[5][5] a[2][5]

6th bit a[2][6] a[8][6] a[9][6] a[6][6] a[3][6] a[1][6] a[5][6] a[7][6] a[4][6]

7th bit a[7][7] a[9][7] a[2][7] a[6][7] a[4][7] a[1][7] a[8][7] a[5][7] a[3][7]

8th bit a[4][8] a[8][8] a[1][8] a[5][8] a[3][8] a[9][8] a[6][8] a[2][8] a[7][8]

Pixel 1 Pixel 2 Pixel 3 Pixel 4 Pixel 5 Pixel 6 Pixel 7 Pixel 8 Pixel 9

Fig. 3. Bit arrangement for the nine pixels after bit-level permutation.

words, after a pixel-level permutation only the pixel location has changed, whereas the relative positions of the 8 bits within
the pixel remain the same.
Fig. 3 shows the result of the bit-level permutation. The jth bits of all pixels are permuted, where j = 1, 2, . . . , 8. Without
loss of generality, simple random confusion is employed in this example to exchange the information among bits.
The purpose of pixel-level confusion is to change the locations of the original pixels. In other words, information belong-
ing to different locations is exchanged. For bit-level permutation, the situation is quite different. When the jth bits among the
9 pixels are permuted, 2j1/255 of the total information of each pixel is exchanged. For example, 50.2% of the information of
each pixel is changed if the 8 th bits of the pixels are permuted. When j = 7, 25.1% of the information of each pixel is altered.
Therefore, one can conclude that bit-level permutation not only exchanges the information of the pixels but also modifies the
pixel values. Because the chaotic map parameters for different bit-level permutations can be selected independently, the
permuted sequences are also different.
In the next section, the bit-level permutation is extended to a more general situation, i.e., from 1-D 9 pixels to 2-D
512  512 pixels.

3. The proposed cryptosystem

The classical confusion-diffusion architecture is adopted in the proposed image cryptosystem shown in Fig. 4, but with
one modification is made in the confusion phase.
 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1175

m rounds

Diffusion
Confusion
(Sequential Pixel Value
Plain-Image (Bit Permutation) Cipher-Image
Modification)

Seed Key Key Generator

Fig. 4. Block diagram of the proposed image cryptosystem.

In the confusion stage, each pixel is separated into 8 parts according to the bit positions. The new position of each bit is
calculated. Each permuted pixel is composed of the rearranged 8 bits. It carries the 8-bit information previously belonging to
other plain-image pixels. The superiority of this approach is that each bit contains a certain amount of information from
other pixels, and the value of each pixel is modified. On the other hand, traditional permutation schemes treat the 8 bits
of a pixel as a group and relocate these bits all together. Due to this superior feature, we adopt the bit-level permutation
method in our proposed image cryptosystem.

3.1. Confusion phase in the proposed cryptosystem

First, the test image ‘‘Lena,’’ of size 512  512 and with 256 grey levels (Fig. 5), is divided into 8 binary images (Fig. 6)
according to the bit locations within a pixel. In Fig. 6, Pici represents the binary image obtained by collecting the ith bits
of all the plain-image pixels.
A bit can contain different amounts of information depending on its position in the pixel. For example, a ‘‘1’’ at the 8th bit
of a pixel represents 128 (27), but it only represents 1 (20) at the first bit. The percentage of information p(i) provided by the
ith bit is given by Eq. (7) and is listed in Table 1. Although p(i) does not necessarily reflect the exact perceptual information
perceived by the human eye, it shows that higher-order bits are more significant than lower-order bits.where i 2 [0, 7].

2i
pðiÞ ¼ P7 i
: ð7Þ
i¼0 2

Table 1 shows that the higher 4 bits (8th, 7th, 6th and 5th) carry 94.125% of the total information of the image. On the other
hand, the lower 4 bits (4th, 3rd, 2nd and 1st) carry less than 6% of the image information. Two strategies are suggested for
these two groups. The binary images formed by the higher 4 bits, i.e., Pic8, Pic7, Pic6 and Pic5, are permuted independently
using the same chaotic map with different coefficients. On the other hand, the binary images of the lower 4 bits are permuted
as a whole to reduce the execution time. This means that a 512  512 matrix is permuted, where each matrix element is a 4-
bit sequence. Each element of the matrix can be considered as a kind of pixel, but it carries the lower 4-bit information only.
An Arnold cat map defined in Eq. (8) is employed in the confusion phase.
      
x0 x 1 p x
¼A mod N ¼ mod N: ð8Þ
y0 y q pq þ 1 y
where p and q are the parameters of the cat map.

Fig. 5. Original Lena image of size 512  512.

1176 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

Fig. 6. Eight binary images of Lena.

Table 1
Percentage of pixel information contributed by different bits.

Bit position (i + 1) Percentage p(i) of the pixel

in the pixel information (%)
1 0.3922
2 0.7843
3 1.5686
4 3.137
5 6.275
6 12.55
7 25.10
8 50.20

The bit-level permutation operation is shown in Fig. 7. In this figure, pi, qi are the cat map parameters, and ni is the
number of rounds when Pici is permuted. To reduce the execution time, ni can be set to a fixed value. Otherwise, it can
be a random value or be generated by a chaotic map. In our cryptosystem, pi and qi are generated by the logistic map given
by Eq. (9).

xn ¼ Uðxn1 Þ ¼ axn1 ð1  xn1 Þ; ð9Þ

where a is the logistic map parameter. The output sequence is chaotic when a 2 [3.57, 4]. Two chaotic sequences (xi, yi) can be
generated by the chaotic map starting with two initial values x0 and y0. When a = 3.99999, x0 = 0.12345678912342, and
y0 = 0.87865765433212, (pi, qi, ni) is obtained from Eq. (10).
8
< ni ¼ 1;
>
pi ¼ ðjx100þi  1014 jÞmod 512; ð10Þ
>
:
qi ¼ ðjy100þi  1014 jÞmod 512:

In Eq. (10), ni is set to a fixed value 1 for simplicity, but the performance is still satisfactory. Otherwise, ni can be calculated by
Eq. (11).

ni ¼ ðjx1000þi j  1014 Þmod 5 þ 1: ð11Þ

In this case, the performance is slightly better but a longer execution time is required.
 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1177

5 groups of parameters generated by Logistic map

(p5, q5, n5)

(p1, q1, n1)

(p6, q6, n6)

(p7, q7, n7)

(p8, q8, n8)

Arnold Arnold Arnold Arnold Arnold
Cat Map Cat Map Cat Map Cat Map Cat Map

n5 rounds

n6 rounds

n7 rounds
n1 rounds

n8 rounds
Pic4 3 2 1 Pic5 Pic6 Pic7 Pic8

Permuted bits are combined to form a cipher image

Bit-level permutation finish

Fig. 7. The bit-level permutation operation.

3.2. Diffusion phase in the proposed cryptosystem

In cryptanalysis, the attacker usually makes an alteration in the plain-image and observes the corresponding change in
the cipher-image. A meaningful relationship between the plain-image and the cipher-image may appear, and this kind of
attack is called a differential attack. However, if the specific changes in the plain-image do not lead to non-uniform altera-
tions in the cipher-image, the differential attack becomes ineffective and practically useless. This requires an effective dif-
fusion stage that spreads out the change to all other pixels.
In the confusion phase of our cryptosystem, the higher 4 bits are permuted individually, whereas the lower 4 bits are relo-
cated as a whole. The effect of this permutation is that not only the locations of the pixels are exchanged, but also the value of
each pixel is modified. In the diffusion phase, all the pixels are scanned horizontally from the upper left corner to the lower
right corner to form a sequence. Each pixel value is altered sequentially at the pixel-level by the output of the logistic map
listed in Eq. (9). The operations in this phase are governed by Eq. (12).
8
> c½i ¼ p½i  L½i;
>
> 0
< c ½i ¼ c½i=1000;
ð12Þ
>
> f ðc0 ½iÞ ¼ a  ðc0 ½iÞ  ð1  c0 ½iÞ;
>
:
L½i þ 1 ¼ ½ðf ðc0 ½iÞ  1000Þ þ ðcs½i þ 1  1010 Þmod 256mod 256:
In Eq. (12), the initial value c[1] = {[4  (key_d)  (1  key_d)]  1014} mod 256, where key_d is the secret key for diffusion.
Here a is set to 4, and key_d is arbitrarily selected as 0.34565487923280. cs[i] is the chaotic sequence generated by Eq. (9)
with the initial value key_d. p[i] is the value of the ith pixel of the permuted image, and c[i] is the ith pixel value of the dif-
fused image. L[i] and c0 [i] are temporary variables. The four expressions in Eq. (12) describe the relationship between c[i + 1]
and c[i]. For clarity, they are combined into a single expression given by Eq. (13).

c½i þ 1 ¼ p½i þ 1  ff½a  ðc½i=1000Þ  ð1  c½i=1000Þ  1000 þ ðcs½i þ 1  1010 Þmod 256gmod 256g: ð13Þ
In Eq. (13), the relationship between c[i + 1] and c[i] is clear. The value of the current pixel depends on that of the previous
pixel. If the value of any pixel has been changed, for example, by a bit modification, the subsequent pixels will become totally
different. In the next permutation round, this modification spreads out to the whole image.

4. Experimental results

In this section, the simulation results and performance analyses of the proposed cryptosystem are provided. Furthermore,
three comparable cryptosystems are also investigated, and the performance of these four image encryption schemes is com-
pared. All the tests are performed on a personal computer with an Intel Core 1.8 G CPU, 2 GB memory and 250 GB hard disk
with a Windows XP Professional operating system. The compilation platform is Visual C++ 6.0, and some graphs are plotted
using MATLAB 2007(b). The value of ni in Fig. 7 is fixed to 1 for all i.
1178 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

The following three cryptosystems are compared.

1. Pixel-level permutation (PLP)

PLP is a modified version of the proposed scheme in which bit-level permutation is replaced by the ordinary pixel-level
permutation governed by a cat map. The diffusion phase is the same as that in the proposed scheme. This architecture is
based on the one shown in Fig. 1, in which n and m are set to 4 and 1, respectively. The coefficients of the cat map are
randomly chosen as p = 150 and q = 300. The initial value of the logistic map used in the diffusion phase is set to
0.34565487923280, which is the same as that chosen in the proposed scheme.
2. Lian et al.’s encryption scheme (Lian’s) [16]
The cryptosystem of Lian et al. [16] is a typical cipher comprising pixel-level permutation and diffusion. In the confusion
phase, a random couple (rx, ry) is first selected to relocate the four parts of the image, part A, part B, part C and part D, as
shown in Fig. 8.
Fig. 8 shows that the upper left pixel is shifted from (0, 0) to (N  1, N  1), and the three outside parts (parts A, B, and C)
are moved to the corresponding positions of the image. In the second step of the confusion phase, a modified standard
map governs the pixel-level permutation. A logistic map is employed in the diffusion phase. In the simulation, the stan-
dard map coefficient k is set to 231, (rx, ry) is chosen as (175, 232), the initial value of the logistic map is set to
0.123456789123, and n and m in Fig. 1 are set to 4 and 1, respectively. The detail information can be found in [16].
3. Enhanced TDCEA (Two-Dimension Circulation Encryption Algorithm (TDCEA [4]) + Diffusion).
TDCEA is a kind of permutation-only cipher without any diffusion operations. An enhanced TDCEA is constructed by
appending the same diffusion phase of the proposed scheme so that the cipher has a confusion round followed by a dif-
fusion operation.
In the confusion phase, the original TDCEA is employed, which includes the following bit rotations, X p;r i and Y q;s
j , in two
directions:
(1) In the horizontal direction, X p;r i denotes the cyclic shift of the ith row of the matrix to the left (when p = 1) or to the
right (when p = 0) by r bits.
(2) In the vertical direction, Y q;s j means the cyclic shift of the jth column of the matrix upwards (when q = 1) or down-
wards (when q = 0) by s bits.
MN1
A two-dimensional image can be transformed to a one-dimensional array f ðlÞi¼0 , where M and N are the width and
height of the image, respectively. As eight pixels are treated as a group, the plain-image can be further divided into
MN/8 groups, i. e., ff ð8Þ ð0Þ; . . . ; f ð8Þ ðkÞ; . . . ; f ð8Þ ðMN=8  1Þg, where f (8)(k) = {f(8k + 0), . . . , f(8k + 1), . . . , f(8k + 7)} is an 8  8
P7
binary matrix, M k ¼ ½M k ði; jÞ7;7
i¼0;j¼0 , and f ð8k þ iÞ ¼
j
j¼0 M k ði; jÞ  2 . The secret key of TDCEA is composed of two integers

b and c, the initial value x(0) and the coefficient a of the logistic map. In the first encryption step, a chaotic sequence
MN=81
fxðkÞgk¼0 is generated by iterating the logistic map, and 17 bits are extracted from each x(k) to form a bit sequence
17MN=81
fbðiÞgi¼1 .
The second step is described as follows.
(1) Horizontal rotation: for i = 0  7, do M k ¼ RotateXp;r
i ðM k Þ, where p = b(17k + i) and r = b + c  b(17k + i + 1).
(2) Vertical rotation: for j = 0  7, do M 0k ¼ RotateY q;s
j M k , where q = b(17k + j + 8) and s = b + cb(17k + j + 9).
In the confusion phase, b and c are set to 3 and 4, respectively. The parameters x(0) and a of the logistic map are cho-
sen as 0.91603401000012 and 3.99999, respectively. More information can be found in [4].
The diffusion phase of the enhanced TDCEA is the same as that in the proposed scheme.

For all the simulations reported in this section, the values of n and m of the two typical pixel-level ciphers, PLP and Lian’s
schemes, are set to 4 and 1, respectively. They are both chosen set to 1 in the two bit-level permutation ciphers, the proposed
scheme and the enhanced TDCEA.

4.1. Histogram analysis

In his masterpiece [18], Shannon pointed out that it is possible to break many kinds of ciphers by a statistical analysis on
the histogram and the correlation of adjacent pixels in the cipher-image. The histogram reveals the distribution of pixel

(0,0) (0,N-1) (0,0) (0,N-1)

A C

(rx , ry )
B D B

(N-1,N-1)
(N-1,0) (N-1,N-1) (N-1,0)
C A

Fig. 8. Relocation of the four parts of the plain-image determined by (rx, ry).
 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1179

values within an image. An ideal cipher-image should have a uniform histogram to prevent the opponent from extracting
any meaningful information from the fluctuating histograms of the cipher-image. Fig. 9(a) and (b) depict the original Lena
image and its histogram, respectively. Fig. 9(c) and (d) show the cipher-image obtained by the proposed scheme and its his-
togram, respectively. The two histograms indicate the uniform distribution of the pixel values after encryption.
The simulation results show that the histograms of the cipher-images generated by PLP, Enhanced TDCEA and Lian’s cryp-
tosystems are all quite uniform. However, the performance of the original TDCEA [4] is not good when there are a lot of pix-
els with the same value within a subregion [12].

4.2. Correlation analysis

The correlation between adjacent pixels is always high for a meaningful image because the values of adjacent pixels are
close to each other. To test this correlation and to investigate the confusion effect of the encryption, the following procedures
are carried out:

1. Two thousand pixels are selected randomly as samples.

2. Two vertically adjacent pixels, two horizontally adjacent pixels and two diagonally adjacent pixels are evaluated using
Eqs. (14)–(16).

Ef½x  EðxÞ½y  EðyÞg

rx;y ¼ pffiffiffiffiffiffiffiffiffiffipffiffiffiffiffiffiffiffiffiffi ; ð14Þ
DðxÞ DðyÞ

1X S
EðxÞ ¼ xi ; ð15Þ
S i¼1

1X S
DðxÞ ¼ ½xi  EðxÞ2 : ð16Þ
S i¼1

Fig. 9. (a) Original Lena image, (b) histogram of the plain-image, (c) cipher-image of the proposed scheme, (d) histogram of the cipher-image.
1180 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

In Eqs. (14)–(16), x and y are the values of two adjacent pixels in the image, E(x) is the expectation of x, and D(x) is the var-
iance. S denotes the total number of samples. The calculated correlation coefficients of the cipher-images of the proposed
cryptosystem and the three comparable schemes using three different test images are listed in Tables 2–4. The average coef-
ficients for the test images are calculated using Eq. (17), and the corresponding values can be found in Table 5.
jaj þ jbj þ jcj
av erage coefficient ¼ ; ð17Þ
3
where a, b, and c are the 3 correlation coefficients along the same direction for 3 different test images.
Table 5 shows that among the nine correlation coefficients of the three comparable cryptosystems, only the diagonal cor-
relation coefficients of Lian’s and PLP are smaller than the corresponding coefficients of the proposed scheme.
The correlation coefficients are close to 1 for the plain-image, whereas they are approximately zero for the cipher-image
of the proposed scheme. To illustrate this property graphically, the correlation distributions are plotted in Fig. 10. The high
correlation of adjacent plain-image pixels in the three directions can be observed in Fig. 10(a), (c) and (e), as the dots are
located along the diagonal. They are scattered over the entire plane in Fig. 10(b), (d) and (f). Therefore, one can conclude that
the correlation between adjacent pixels is greatly reduced in the cipher-image.

4.3. Differential attack analysis

In general, the relationship between the plain-image and the cipher-image can be traced by the difference caused by a
specific change in the plain-image. Two performance indices are usually used to test the effect of a 1-bit change in the
plain-image on the corresponding cipher-image. They are the number of pixels change rate(NPCR) and the unified average
changing intensity(UACI). NPCR is calculated by
P
i;j Dði; jÞ
NPCR ¼  100%; ð18Þ
MN

Table 2
Correlation coefficients of the original image Elain and the cipher-images obtained by the proposed scheme and the three comparable cryptosystems after the
first encryption round.

Plain-image Enhanced TDCEA Lian’s PLP Proposed scheme

Horizontal 0.975483 0.0021972 0.0955045 0.00146587 0.000550055
Vertical 0.972884 0.00622483 0.00415236 0.000916172 0.00165017
Diagonal 0.970997 0.00293497 0.000798215 0.00495276 0.00459011

Table 3
Correlation coefficients of the original image Lena and the cipher-images obtained by the proposed scheme and the three comparable cryptosystems after the
first encryption round.

Plain-image Enhanced TDCEA Lian’s PLP Proposed scheme

Horizontal 0.971715 0.00182565 0.019732 0.00220002 0.00201613
Vertical 0.984769 0.00237335 0.0024667 0.00201669 0.000916425
Diagonal 0.968669 0.00494506 0.00443823 0.00403115 0.00165094

Table 4
Correlation coefficients of the original image Frog and the cipher-images obtained by the proposed scheme and the three comparable cryptosystems after the
first encryption round.

Plain-image Enhanced TDCEA Lian’s PLP Proposed scheme

Horizontal 0.829697 0.00293767 0.0710957 0.00164396 0.00012824
Vertical 0.849404 0.000550816 0.00284383 0.00255684 0.0010992
Diagonal 0.799816 0.0040297 0.00252593 0.000182549 0.00477722

Table 5
Average correlation coefficients of the three cipher-images obtained by the proposed scheme and the three comparable cryptosystems after the first encryption
round.

Enhanced TDCEA Lian’s PLP Proposed scheme

Horizontal 0.0023201733 0.0621107333 0.0017699500 0.00089814167
Vertical 0.0030496653 0.0031542967 0.0018299007 0.00122193167
Diagonal 0.0039699100 0.0025874583 0.0030554863 0.00367275667
 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1181

Fig. 10. Correlation plot of two adjacent plain-image pixels in (a) horizontal, (c) vertical, (e) diagonal directions. Correlation plot of two adjacent pixels of
the cipher-image obtained by the proposed scheme in (b) horizontal, (d) vertical, (f) diagonal directions.

where D(i, j) is defined as

1; c1 ði; jÞ – c2 ði; jÞ;
Dði; jÞ ¼ ð19Þ
0; otherwise;
and c1 and c2 are the two cipher-images. UACI is defined by Eq. (20).
" #
1 X jc1 ði; jÞ  c2 ði; jÞj
UACI ¼  100%: ð20Þ
M  N i;j 255

Two plain-images are used in the tests. The first image is the original plain-image, and the other is obtained by changing the
lower-right pixel a[511][511] from ‘‘01101100’’ to ‘‘01101101’’. Then the two images are encrypted with the same key for a
few rounds to generate the corresponding cipher-images c1 and c2.
The NPCR and UACI data of the proposed scheme, PLP, Lian’s and Enhanced TDCEA schemes are listed in Tables 6 and 7,
respectively. In the permutation stage of Enhanced TDCEA, every 8 pixels are treated as a confusion unit, and there is no per-
mutation effect among all the pixels. When the lower-right pixel a[511][511] is modified, this change only spreads out to the
last 8 pixels (the last permutation unit) of the image even after 5 encryption rounds. Thus, the NPCR of Enhanced TDCEA is 8/
(512  512) = 3.05176  105. However, the operations in the confusion phase of the proposed scheme are based on all the
pixels at bit-level; thus, it is more sensitive to this kind of pixel difference.
The simulation results show that the NPCR and UACI performance of the proposed scheme can reach 99.6051788% and
33.3999634% in the third round, respectively. These values are much better than those of PLP, Lian’s and Enhanced TDCEA.

Table 6
NPCR performance.

Round Proposed scheme PLP Lian’s Enhanced TDCEA

1 0.004222870 0.000190735 0.000335693 1.52588  105
2 0.811958313 0.0686569 0.0332832 2.67029  105
3 0.996051788 0.586079 0.79929 3.05176  105
4 0.995933533 0.986431 0.995064 3.05176  105
5 0.996273041 0.99612 0.995914 3.05176  105
1182 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

Table 7
UACI performance.

Round Proposed scheme PLP Lian’s Enhanced TDCEA

1 0.001365662 0.0000457764 0.000087738 0
2 0.273860931 0.0231628 0.00798416 7.62939  106
3 0.333999634 0.197453 0.218563 1.14441  105
4 0.334793091 0.3316 0.322368 7.62939  106
5 0.334815979 0.334827 0.333359 7.62939  106

The NPCR and UACI values at different rounds are plotted in Figs. 11 and 12, respectively. The graphs show that NPCR and
UACI rise rapidly in our scheme, indicating a good diffusion effect.

4.4. Key sensitivity analysis

(1) Key sensitivity analysis in encryption phase

The three initial values of the logistic map (two in the confusion phase and one in the diffusion phase) and the
parameter a are considered as the secret key of our scheme. In the key sensitivity test, the key is slightly modified
by adding 1 to the 14 th digit after the decimal point of the first initial value, i. e., changing (0.12345678912342,
0.87865765433212, 0.34565487923280, and 3.99999) to (0.12345678912343, 0.87865765433212, 0.34565487923280,
and 3.99999), and the difference between the two corresponding cipher-images is calculated. The original Lena image
is shown in Fig. 13(a), and the two cipher-images are depicted in Figs. 13(b) and (c), respectively. Fig. 13(d) is a plot of
the difference between the two cipher-images. Considering the pixel values of the difference image fall in the range
[255, 255], a mapping is applied to all pixels of the difference images to transform them to the range [0, 255] to
display the difference in a grey-level image. The difference is 99.6124268%, which justifies the high sensitivity of
the cipher-image to the key.
(2) Key sensitivity analysis in decryption phase
In a good cryptosystem, a tiny modification of the decryption key results in a totally different decrypted image. In this
simulation, the following steps are performed:
1. The plain-image is encrypted with the original key, and the cipher-image is obtained.
2. The original key is modified slightly by adding 1 to the 14th digit, i. e., 1014 after the decimal point of the third
initial value. The original key is (0.12345678912342, 0.87865765433212, 0.34565487923280, and 3.99999) and
the modified key is (0.12345678912342, 0.87865765433212, 0.34565487923281, and 3.99999).
3. The cipher-image obtained in Step 1 is decrypted with the modified key.

Fig. 11. NPCR analysis.

 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1183

Fig. 12. UACI analysis.

Fig. 13. Key sensitivity analysis. (a) Original Lena image, (b) Cipher-image using the original key (0.12345678912342, 0.87865765433212,
0.34565487923280, and 3.99999), (c) Cipher-image using the key (0.12345678912343, 0.87865765433212, 0.34565487923280, and 3.99999), (d)
difference between (b) and (c).

The results are plotted in Fig. 14. Fig. 14(d) shows that the reconstructed image is noisy even when the key is only mod-
ified slightly.
1184 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

Fig. 14. Key sensitivity analysis. (a) Original Lena image, (b) Cipher-image using the original key (0.12345678912342, 0.87865765433212, 0.34565487923280,
and 3.99999), (c) decrypted image with the correct key, (d) decrypted image with wrong key (0.12345678912342, 0.87865765433212, 0.34565487923281,
and 3.99999).

4.5. Speed performance

Apart from the security consideration, other issues, such as computational efficiency, are also significant. To evaluate the
running speed, the image ‘‘Lena’’ is encrypted by each cryptosystem ten times, and the average execution times can be found
in Table 8. The data show that the proposed scheme runs slightly more slowly than PLP but much faster than Enhanced
TDCEA and Lian’s schemes. The average encryption time of our scheme is 36.1 ms for the 512  512 image with 256 grey
levels. The encryption speed can reach 7.15 MB/s.
The speed of TDCEA reported in [4] is much faster than the values listed in Table 8. This is because the experiment in [4]
was based on hardware simulation, whereas our tests on the Visual C++ 6.0 compilation platform are software simulations.

4.6. Key space analysis

In the proposed cryptosystem, the three initial values and the coefficient a are used as the secret keys. If the three initial
values all have a precision of 1014, the key space can reach 1042, which is larger than 2100. In [1], Alvarez and Li suggested
that the key space should be at least 2100 for a sufficient security level against brute-force search attacks. Our cryptosystem
has fulfilled this requirement.

Table 8
Speed performance.

Scheme Average confusion Average diffusion Average total

time (ms) time (ms) time (ms)
Proposed Scheme 20.4 15.7 36.1
PLP 17.2 15.7 32.9
Lian’s 179.6 170.4 350.0
Enhanced TDCEA 734.0 15.7 749.7
 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186 1185

Table 9
Information entropy of the cipher-images obtained by the proposed, PLP, Lian’s and Enhanced TDCEA schemes after the first encryption round for 11 different
test images.

Test image Proposed scheme Enhanced TDCEA PLP Lian’s

1 Lena 7.999309751798578 7.999256669185360 7.999181154465778 7.978040456491172
2 Aerial 7.999438973542095 7.999211839407917 7.999326410679270 7.990014173002224
3 Baboon 7.999265834428869 7.999280623673213 7.999259245612358 7.961297925807104
4 Frog 7.999266873219920 7.999341033554546 7.999169138031778 7.942889121621977
5 Goldhill 7.999375834523065 7.999145504973766 7.999277104738035 7.967945690881609
6 Zelda 7.999321128915190 7.999321165381952 7.999306677541929 7.972057531928584
7 Elain 7.999344149532969 7.999283807493514 7.999358532807079 7.968133361453950
8 Couple 7.999375252287485 7.999201804233240 7.999275580698287 7.967125270749710
9 Clown 7.999354368103111 7.999352659164715 7.999338708791904 7.936131820610983
10 Girlface 7.999312599164439 7.999299431409339 7.999243373399651 7.978025376464305
11 Truck 7.999397133081422 7.999243290997103 7.999316081013328 7.892484625255127
Total 87.992761898597138 87.991937829474665 87.992052007779407 87.554145354266737
Average 7.999341990781558 7.999267075406788 7.999277455252673 7.959467759478795

4.7. Information entropy analysis

In symmetric cryptosystems, the information entropy is one of the criteria to measure the strength of the cryptosystem.
The entropy H(m) of a message source m is calculated by the following formula:
N
2X 1
1
HðmÞ ¼ pðmi Þlog ; ð21Þ
i¼0
pðmi Þ

where p(mi) represents the probability of occurrence of mi, and log denotes the base 2 logarithm.
If there are 256 possible outcomes of the 8-bit message m with equal probability, the message source is considered to be
random. In this case, H(m) is equal to 8, which is the ideal situation.
The information entropy of the cipher-images obtained after the first encryption round using the proposed scheme, PLP,
Lian’s and Enhanced TDCEA schemes are calculated. Eleven different images are used, and the results are listed in Table 9.
The highest entropy for each test image is shown in bold. Our scheme leads to the highest entropy in 7 out of 11 cases. The
average information entropy of our scheme is 7.999341990781558, which is the largest among those of all four schemes. It is
very close to the ideal value 8. This means that the information leakage during the encryption process is negligible and that
the cryptosystem is secure against entropy attacks.

5. Conclusions

A chaos-based image cryptosystem with a well-studied confusion-diffusion architecture has been proposed. In our cryp-
tosystem, the pixel-level permutation is replaced by a bit-level permutation. When a bit in one pixel is exchanged with a bit
in another pixel, the information in the two pixels is exchanged and their values are modified. As a result, the bit-level per-
mutation has the effects of both confusion and diffusion. The new cryptosystem employs the Arnold cat map for permutation
and the logistic map for diffusion. Simulations have been carried out to compare its performance with that of two existing
pixel-level ciphers and one bit-level cipher. The results show that the proposed scheme leads to the highest security level in
terms of the NPCR, UACI and entropy of the cipher-images. It is more computationally efficient than the Enhanced TDCEA
and Lian’s schemes but slightly less than the PLP scheme. These results justify the superior security and computational effi-
ciency of our cryptosystem.

Acknowledgements

The work described in this paper was supported by the National Natural Science Foundation of China (Grant No.
60872040), the Program for Liaoning Excellent Talents in University and the Natural Science Foundation of Liaoning Prov-
ince, China (Grant No. 20082037).

References

[1] G. Alvarez, S.J. Li, Some basic cryptographic requirements for chaos-based cryptosystem, Int. J. Bifurcat. Chaos 16 (8) (2006) 2129–2151.
[2] T.Y. Chang, A convertible multi-authenticated encryption scheme for group communications, Information Sci. 178 (2008) 3426–3434.
[3] G. Chen, Y. Mao, C.K. Chui, A symmetric image encryption based on 3D chaotic cat maps, Chaos, Solitons Fractals 21 (2004) 749–761.
[4] H.C. Chen, J.I. Guo, L.C. Huang, J.C. Yen, Design and realization of a new signal security system for multimedia data transmission, EURASIP J. Appl. Signal
Process. 13 (2003) 1291–1305.
[5] T.H. Chen, C.S. Wu, Compression-unimpaired batch-image encryption combining vector quantization and index compression, Information Sci. 180
(2010) 1690–1701.
1186 Z.-l. Zhu et al. / Information Sciences 181 (2011) 1171–1186

[6] Y. Feng, L.J. Li, F. Huang, A symmetric image encryption approach based on line maps, in: Proc. ISSCAA 2006, Jan 2006, pp. 1362–1367.
[7] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurcat. Chaos 8 (6) (1998) 1259–1284.
[8] H. Gao, Y. Zhang, S. Liang, D. Li, A new chaotic algorithm for image encryption, Chaos, Solitons Fractals 29 (2006) 393–399.
[9] Z. Guan, F. Huang, W. Guan, Chaos-based image encryption algorithm, Phys. Lett. A 346 (2005) 153–157.
[10] H. Kwok, W. Tang, A fast image encryption system based on chaotic maps with finite precision representation, Chaos, Solitons Fractals 32 (2007)
1518–1529.
[11] C.K. Li, D.S. Wong, Signcryption from randomness recoverable public key encryption, Information Sci. 180 (2010) 549–559.
[12] C.Q. Li, S.J. Li, G.R. Chen, G. Chen, L. Hu, Cryptanalysis of a new signal security system for multimedia data transmission, EURASIP J. Appl. Signal Process.
8 (2005) 1277–1288.
[13] S.J. Li, C.Q. Li, G.R. Chen, N.G. Bourbakis, K.T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks,
Signal Process.: Image Commun. 23 (2008) 212–223.
[14] S. Li, X. Zheng, On the security of an image encryption method, in: Proc. IEEE Int. Conf. Image Process. (ICIP ’02), Rochester, NY, USA, September 2002,
vol.2, pp. 925–928.
[15] S.G. Lian, J. Sun, Z. Wang, Security analysis of a chaos-based image encryption algorithm, Physica A 351 (2005) 645–661.
[16] S.G. Lian, J. Sun, Z. Wang, A block cipher based on a suitable use of the chaotic standard map, Chaos, Solitons Fractals 26 (1) (2005) 117–129.
[17] Y.B. Mao, G. Chen, S.G. Lian, A novel fast image encryption scheme based on the 3D chaotic baker map, Int. J. Bifuract. Chaos 13 (10) (2004) 3613–3624.
[18] C.E. Shannon, Communication theory of secrecy system, Bell. Syst. Tech. J. 28 (1949) 656–715.
[19] C.H. Tan, Secure public-key encryption scheme without random oracles, Information Sci. 178 (2008) 3435–3442.
[20] K. Wang, W. Pei, L. Zou, A. Song, Z. He, On the security of 3D Cat map based symmetric image encryption scheme, Phys. Lett. A 343 (2005) 432–439.
[21] K.W. Wong, B. Kwok, W.S. Law, A fast image encryption scheme based on chaotic standard map, Phys. Lett. A 372 (15) (2008) 2645–2652.
[22] T. Xiang, K.W. Wong, X.F. Liao, Selective image encryption using a spatiotemporal chaotic system, Chaos 17 (2007) 023115.
[23] D. Xiao, X.F. Liao, S.J. Deng, A novel key agreement protocol based on chaotic maps, Information Sci. 177 (2007) 1136–1142.
[24] D. Xiao, X.F. Liao, P.C. Wei, Analysis and improvement of a chaos-based image encryption algorithm, Chaos, Solitons Fractals 40 (5) (2009) 2191–2199.
[25] J.C. Yen, J.I. Guo, Design of a new signal security system, in: Proc. IEEE Int. Symp. Circuits Syst. (SiPs’2002), Scottsdale, Ariz, USA, May 2002, vol.4,
pp.121–124.
[26] L. Zhang, X. Liao, X. Wang, An image encryption approach based on chaotic maps, Chaos, Solitons Fractals 24 (2005) 759–765.