Symmetric encryption algorithms using chaotic and non-chaotic generators: A review.

This paper summarizes the symmetric image encryption results of 27 different algorithms, which include substitution-only, permutation-only or both phases. The cores of these algorithms are based on several discrete chaotic maps (Arnold's cat map and a combination of three generalized maps), one continuous chaotic system (Lorenz) and two non-chaotic generators (fractals and chess-based algorithms). Each algorithm has been analyzed by the correlation coefficients between pixels (horizontal, vertical and diagonal), differential attack measures, Mean Square Error (MSE), entropy, sensitivity analyses and the 15 standard tests of the National Institute of Standards and Technology (NIST) SP-800-22 statistical suite. The analyzed algorithms include a set of new image encryption algorithms based on non-chaotic generators, either using substitution only (using fractals) and permutation only (chess-based) or both. Moreover, two different permutation scenarios are presented where the permutation-phase has or does not have a relationship with the input image through an ON/OFF switch. Different encryption-key lengths and complexities are provided from short to long key to persist brute-force attacks. In addition, sensitivities of those different techniques to a one bit change in the input parameters of the substitution key as well as the permutation key are assessed. Finally, a comparative discussion of this work versus many recent research with respect to the used generators, type of encryption, and analyses is presented to highlight the strengths and added contribution of this paper.

Introduction

Symmetric encryption algorithms can be classified into stream ciphers and block ciphers where the image-pixels are encrypted one-by-one in stream ciphers and using blocks of bits in block ciphers. Although block ciphers require more hardware and memory, their performance is generally superior to stream ciphers since they have a permutation phase as well as a substitution phase. As suggested by Shannon, plaintext should be processed by two main substitution and permutation phases to accomplish the confusion and diffusion properties [1], [2].

The target of the permutation process is to weaken the correlations of input plaintext by spreading the plaintext bits throughout the cipher text. On the other hand, the substitution process target is to decrease the relation between the plaintext and the ciphertext through nonlinear operations and a pseudo random number generator (PRNG). PRNG’s can be designed by using chaotic systems or based on fractal shapes [3], [4], [5]. Recently, many fractional-order chaotic systems have also been introduced to increase the design flexibility by the added non-integer parameters [6], [7].

Due to the high sensitivity of chaotic systems to parameters and initial conditions as well as the availability of many circuit realizations [8], [9], chaos based algorithms are developed and studied as the core of encryption algorithms. Recently, many substitution-only encryption algorithms have been introduced based on discrete 1-D chaotic maps such as the conventional logistic map [10], [11], [12] and the conventional tent map [13], or discrete 2-D chaotic maps such as the coupled map lattice [14]. Such encryption algorithms cover the encryption of text-messages, grayscale and color images. In order to improve the encryption process, both substitution and permutation phases were used based on the conventional logistic map [15], the Gray code [16] and a 2-D hyper-chaos discrete nonlinear dynamic system with the Chinese reminder theorem [17] where compression performance was discussed. The use of conventional 1-D and 2-D discrete maps in substitution and permutation phases with noise analysis was introduced in [18], [19]. Similarly the encryption algorithm can be achieved using other higher order discrete maps such as the 3D Baker map [20] and the 3D Arnold’s cat map [21]. Zhang et al. [22] used an expand-and-shrink strategy to shuffle the image with reconstructed permuting plane. Furthermore, Sethi and Vijay [23] introduced two phases to encrypt the image, whereas in [24] four different chaotic maps were used in generating sub-keys, and the logistic map and the Arnold’s cat map were used in [25], [26], [27], [28], [29].

On the other hand, non-chaotic methods have proved their existence and importance in implementing the confusion and diffusion stages. Such methods usually increase the algorithm complexity to protect against cryptanalysis. For instance, Wu et al. [30] used the Latin squares algorithm to design a new 2D substitution–permutation network. Pareek et al. [31] divided the image into non-overlapping blocks and each block was scrambled using a zigzag-like algorithm. Furthermore, [32] divided the image into a set of k-bit vectors; each of these vectors was substituted by XORing it with the previous vector and then permuted by circularly right rotating its bits. Alternatively, Pareek et al. [33] divided the image into non-overlapping blocks and for each encryption round the size of the block changed according to the round key. Within the same block, permutation was performed using a zigzag-like algorithm.

The combination of both chaotic and non-chaotic algorithms showed some advantages in many cryptosystems. For example, Li and Liu [34] used the 3D Arnold map and a Laplace-like equation to perform permutations and substitutions, respectively. Wang and Yang [35] used the water drop motion and a dynamic lookup table with the help of the logistic map to perform the diffusion and confusion processes. Furthermore, Fouda et al. [36] used a piecewise linear chaotic map to generate pseudo random numbers and these numbers were used in generating the coefficients of the Linear Diophantine Equation (LDE). By sorting the solutions of LDE, large permutations were created and used in scrambling the image pixels. Whereas Zhang and Zhou [37] used compressive sensing along with Arnold’s map in order to encrypt color images into gray images, Zhang and Xiao [38] used a coupled logistic map, self-adaptive permutation, substitution-boxes and combined global diffusion to perform the encryption. Finally, AbdElHaleem et al. [39] used a chess-based algorithm to perform the permutation process and the Lorenz system to perform the substitution process. In summary, permutations and substitutions can be performed using chaotic systems, non-chaotic algorithms or a combination of both.

Although many encryption algorithms have been published during the last few decades but, up till now, there is no completely non-chaotic image encryption algorithm that can pass all NIST-tests and produce good analysis results. Therefore, three different algorithms (discrete chaos, continuous chaos and non-chaotic algorithms) have been selected for the substitution phase and another three algorithms (discrete chaos, continuous chaos and non-chaotic algorithms) for the permutation phase. The effect of the input image on all encryption algorithms has been investigated by adding a switch that affects the permutation phase. Complete analyses of 27 encryption algorithms are presented with their sensitivity analyses and comparisons with recent papers.

Section ‘Encryption key and evaluation criteria’ of this paper describes the fundamentals of the encryption key and the standard statistical and sensitivity evaluation criteria. In section ‘Substitution-only encryption algorithm’, three substitution methods are discussed, based on discrete chaotic maps, a continuous chaotic system and fractals, along with their encryption outputs and evaluations. Section ‘Comparison of permutation techniques’ introduces five different methods for the generation of a permutation matrix based on chaotic and non-chaotic procedures. In section ‘Mixed permutation–substitution image encryption algorithms’, a complete encryption algorithm with permutation–substitution phases is discussed for all possible combinations with their evaluation criteria and a comparison between 27 encrypted images. Moreover a comparison with eleven recent papers is presented. Finally, section ‘Conclusions and recommendations’ provides conclusions and future work directions.

Encryption key and evaluation criteria

The encryption key is a representation of specific information that is needed for the successful operation of a cryptosystem. It usually consists of several parameters that are used to initialize and operate the cryptosystem. Modern cryptography concentrates on cryptosystems that are computationally secured against different attacks. One of the most common attacks is the brute-force attack in which all possible combinations of the encryption key are tried. Therefore, an encryption key of length 128 bits or more is considered secure against brute force attacks since it is considered to be computationally infeasible.

Encryption evaluation criteria can be divided into two main categories; the first group includes the statistical tests (pixel correlation coefficients, histogram analysis, entropy values and the NIST statistical test suite) [40], [41] and the second group includes the sensitivity tests (differential attack measures, one bit change in the encryption key and the mean square error) [37], [42].

Statistical tests

Pixel correlation coefficients

Since the adjacent pixel values of the original image are very close in horizontal, vertical and diagonal directions, the correlation coefficients will be close to 1 in all these directions. The correlation coefficient can be calculated as follow [40]:where n is the number of elements in the two adjacent vectors and y. For strongly encrypted images, the correlation coefficients approach zero.

Histogram analysis

Histogram analysis shows the distribution of pixel color values across the whole image where curves and peaks for some specific colors appear. For strongly encrypted images this distribution should be flat.

Entropy

The entropy of a specific image measures the randomness of the image-pixels, which enables avoiding any predictability. For a binary source producing symbols of equal probabilities (each symbol is 8 bits long), the entropy of this source is given by [37]:where the optimal entropy value is 8 for a perfectly encrypted image.

NIST statistical test suite

NIST SP-800-22 statistical test suite is a group of 15 different tests designed to examine the randomness characteristics of a sequence of bits by evaluating the P-value distribution (PV) and the proportion of passing sequences (PP) [41]. If a P-value for a test is 1, then this means the sequence is considered as a truly random sequence.

Sensitivity tests

Differential attack measures

Strong encryption algorithms should be sensitive to any small change in the input image and produce a totally different output. Quantitatively, different measures are defined for evaluating the protection levels against differential attacks [42]. Let E1 and be the encrypted images corresponding to the original image without changes and with only one pixel change, respectively.

The Mean Absolute Error (MAE) measures the absolute change between the encrypted image and the source image P. Let and be the width and height of the source image, respectively, then:The Number of Pixels Change Rate (NPCR) measures the percentage of different pixels between E1 and E2 and it is calculated by the following:The Unified Average Changing Intensity (UACI) measures the average intensity of differences between and and it is calculated by the following:

Sensitivity to one bit change in the encryption key

A good encryption process should also be sensitive to any slight change in any of its parameters and, hence, one bit change in the encryption key should lead to a totally different behavior in the encryption process [37]. This sensitivity is evaluated using the Mean Square Error (MSE) which indicates how far the wrong decrypted image is from the original image. The encryption algorithm becomes better as this value gets larger. MSE is calculated as follows.where W and are the width and height of the image respectively, is the original pixel value at location and is the encrypted pixel value at the same location.

The previous evaluation criteria are used to evaluate 27 different simple encryption algorithms by selecting three different substitution techniques as well as three different permutation techniques. The first three encryption algorithms are based only on substitution techniques, and the outputs of another six encryption algorithms are based on three permutation techniques under two different cases when the permutation key is independent of (fixed) or dependent on (dynamic) the input image. Moreover, the outputs of 18 cases, with all possible combinations of mixed permutations (three techniques) and substitutions (three techniques), are investigated under either fixed or dynamic permutation key.

Substitution-only encryption algorithm

The simplest encryption algorithm is described by a delay element, a multiplexer and a PRNG, previously discussed [7], [43]. Table 1 shows three different substitution encryption algorithms where the PRNG is based on continuous Lorenz discretization using Euler method [44], a combination of generalized discrete (sine, tent and logistic) maps [43], [45] and fractals [7]. It is worthy to note that the multiplexer adds the required nonlinearity and the delay element improves the encryption statistics because each pixel affects all upcoming encrypted pixels.

Table 1

Correlation coefficients and differential attack measures for three different substitution only encryption algorithms.

PRNG based on Lorenz chaotic system

The continuous differential equations of Lorenz system are given by the following:where , and β are the system parameters and the key consists of these parameters as well as the initial conditions , , and [46], which guarantee chaotic behavior. There are many hardware realizations for the above system based on current/voltage active blocks or based on transistors [8]. The major problem of such analog circuits is how to control the initial conditions as well as the system parameters precisely. Another methodology to overcome this issue is to discretize this system where the state variables and parameters are represented by registers [47]. The effect of the discretization techniques on the output behavior was discussed [44] where the Euler-formula gives the highest value of Maximum Lyapunov Exponent (MLE). The Euler formula is given in Table 1, where should be small enough and equal to in digital realization to model its multiplication effect as shift left by h1 bits. Many encryption algorithms were introduced based on the Lorenz chaotic system [39], [48].

For the substitution phase using Lorenz attractor, the attractor output is XORed with the current pixel from the scrambled image and the last encrypted pixel after being multiplexed as shown in Table 1. To ensure that the chosen bits of Lorenz are chaotic, it is recommended to choose 8 bits from the least significant part of each output. Then, the output from the Lorenz attractor is mapped to the range from 0 to 255 as follows:where and z are the outputs from the Lorenz attractor, sf is a scaling factor chosen as 1012, int returns the integer part of a number, abs returns the absolute value of a number and mod returns the remainder. It should be pointed out that the scaling factor sf is chosen such that the selected bits are highly chaotic.

PRNG based on generalized discrete maps

Due to the fact that integer-order continuous chaotic systems can only be achieved with third or higher order differential equations having nonlinear element(s) [46], then discrete chaotic maps are used in most encryption algorithms due to their simple realizations. However, the encryption keys for such algorithms are limited to two or three parameters, which limit the encryption performance. Recently, there have been many efforts to increase the complexity of such maps by generalizing their recurrence relations [43], [45] where the generalized sine, tent and logistic maps are introduced, respectively, as follows:

It is clear that the number of parameters increases by two or three for each map separately. The effect of these new parameters on the chaotic behavior is discussed in detail by the calculation of the MLE for each parameter individually [43], [45]. Due to the huge number of design parameters and initial values, a special mixed-parameters key is designed to enhance the sensitivity of each parameter and initial value of all used maps as shown in Table 1 (refer to [43] for more details).

PRNG based on fractals

A fractal object is self-similar at numerous scales of magnification and can be represented as a mathematical equation that is iterated for a finite number of times. Hence, a fractal image has many variations in details and colors at all scales. The third PRNG is based on the detailed complexity, self-similarity, and fine structure of fractal images as well as the Substitution Permutation Network (SPN) and a delay element [7], [49]. The relationships between the inputs and outputs of the SPN of Table 1 are shifted XOR-functions as follows:where , and are three channels selected from the RGB channels of the chosen fractals [49]. The key of this PRNG consists of the available number of fractals, and the numbers of the four used fractals .

To validate the performance of these encryption algorithms, Fig. 1 shows the encrypted images and the correct decrypted images when the Lena image is used [50]. It should be mentioned here that the decryption process is the reverse of the encryption process. As shown in Table 1, the encryption quality is measured using standard evaluation criteria, which include pixel correlation coefficients [40] and differential attack measures [42]. The differential attack measures evaluate the sensitivity of the encryption algorithm to one-pixel change in the input plain image. They are calculated by taking the average of running the algorithm for 50 times, where in each time a random pixel from the original image is selected and changed. The average RGB correlation coefficients and differential attack measures are reported in Table 1 for the three algorithms, where the correlation coefficients are very good but the average values of differential attack measures are poor, especially and . To discuss the encryption-key sensitivity, the Least-Significant-Bit (LSB) of the parameters , and is changed in the decryption process for the Lorenz, generalized maps and fractals algorithms, respectively. Fig. 1 shows the wrongly decrypted images, which look random as clear from the values of the MSE and entropy.

Fig. 1

The encrypted images and their correctly and wrongly decrypted images for the three substitution algorithms.

Comparison of permutation techniques

The objective of the permutation phase is to randomize the pixels’ positions within a specific block. This phase increases the complexity of the encryption algorithm and improves the differential attack measures. This section gives a comparative study of five different permutation matrix generation techniques using discrete chaos, permutation vectors, Arnold’s cat map, continuous chaos and chess-based horse move where the permutation phase related to each of the aforementioned techniques is described briefly. Let us divide the input image into blocks where each block is of size . Then, the objective of each technique is to generate a permutation matrix that defines the new position of each pixel instead of its old position. Different permutation matrices are generated for each block and they should be independent.

Permutation based on logistic map

The first technique is based on the conventional logistic map given by the following:For each block of size, the map is calculated for iterations. Then, the output is sorted in ascending order to constitute the permutation matrix for this block. Only one parameter exists for this logistic map which is but x0 is the initial value as shown in Table 2. Fig. 2(a) shows a simple example with N = 3, which shows the original and modified locations of the pixels. In this case, the permutation matrix is given by, which means that the pixel with indices (1, 1) will be transferred to location, 9, i.e., indices (3, 3). The problem in this permutation technique is that the sorting time increases nonlinearly as the block size increases.

Table 2

Brief description and comparison of the five different permutation techniques.

Fig. 2

Illustration of the five different permutation techniques and how they permute a block of size .

Permutation based on indices vectors

To minimize the sorting time of the previous technique, another permutation technique can be used based on sorting the row and column indices separately as shown in Fig. 2(b). Therefore, to permute a block size using the logistic map, iterations are required from the map (see Table 2), where every N outputs are sorted to represent the new row and column indices such as (3 1 2) and (2 3 1) in Fig. 2(b). While the sorting time is linear in this technique, the permutation efficiency may be poor relative to the previous logistic map technique.

Permutation based on Arnold’s cat map

One of the most used permutation algorithms, which does not require sorting, is based on the Arnold’s cat map [25], [26], [27], [28], [29] where the new location is a function of the old one as follows:Table 2 shows a comparison with the previous techniques and Fig. 2(c) shows an example using this technique.

Permutation based on Lorenz system

The fourth common permutation technique is based on continuous chaotic differential equations such as the Lorenz equations given by (7a), (7b), (7c) [46], [8]. In this technique, the three outputs are collected and the first N2 values are sorted to identify the permutation matrix as shown in Fig. 2(d). One of the major problems in this technique is the time required for solving the differential equations.

Permutation based on chess-algorithm

While all the previous techniques are based on chaotic systems, either discrete or continuous, this permutation technique is based on the chess horse-move. The general block diagram of the proposed encryption algorithm was previously discussed [51], where the next position is generated in a cyclic way based on the horse-move and available locations as shown in Fig. 2(e).

Table 2 and Fig. 2 show a comparison and process evaluation of each technique. Because we chose three different substitution techniques, let us similarly choose three different permutation techniques. The Arnold’s cat map, Lorenz system and the chess-based algorithms are chosen as they represent discrete chaotic maps, continuous chaotic maps and non-chaotic systems, respectively.

Mixed permutation–substitution image encryption algorithms

This section investigates the encryption response of 24 different algorithms where Fig. 3(a) shows a complete block diagram for these encryption algorithms based on both permutation and substitution phases. In these algorithms, the permutation phase block represents one of the selected permutation techniques (Lorenz chaotic system, Arnold’s cat map and chess-based algorithm) and the substitution phase block represents one of the selected substitution techniques (Lorenz chaotic system, generalized discrete maps and the fractal-based algorithm). Therefore, nine different cases are investigated to cover all possible permutation–substitution combinations. It is to be noted that the output of each permutation phase is stored as a scrambled image as shown in Fig. 3(a), which represents the effect of permutation-only encryption algorithms and, thus, a total of twelve cases are evaluated. Moreover, there is a switch in the encryption block diagram which relates the permutation key to the input image. Hence, these outputs will be repeated when and , which correspond to static permutation key (independent of the input image) and dynamic permutation key (dependent on the input image).

Fig. 3

(a) Block diagrams of encryption algorithm and (b) block diagrams of decryption algorithm.

In this section, the color version of the “Lena” image (512 × 512) is encrypted. In this symmetric-key cryptosystem, the decryption process is the inverse of the encryption process as shown in Fig. 3(b). To encrypt a source image, the whole image is first scrambled using the chosen permutation algorithm. The permutation parameters are extracted from the encryption key and the switch S controls their dependence on the source image. If the switch S is disconnected (S = 0), the parameters are calculated from the key only. If S is connected (), the source image contributes to the calculation of the permutation parameters. When, the algebraic sum of the input image three color channels is calculated by the following:where , and are the sums of the red, green and blue channels of the input image, respectively.

Encryption key design

Fig. 4 shows the structure of the encryption key. It consists of two sets of parameters for each technique: the substitution parameters and the permutation parameters. Since the switch S affects the permutation parameters only, then the new parameters can be calculated from the following equations:

Fig. 4

Design of the encryption key for each of the chosen substitution and permutation techniques.

Lorenz permutation parameterswhere F is an integer value, which reflects the effective precision of on the initial conditions.

Arnolds’ Cat map permutation parametersChess-based permutation parameterswhere the value of depends on the switch S and (13) as follows:

For the color version of Lena ; i.e. , , so it requires 4 bits to store L. Then, the total encryption key length can be calculated from both the substitution and permutation key lengths as shown in Fig. 4. It is to be noted that some of the substitution parameters are chosen to enhance the sensitivity to any bit change in that key. For example, although the generalized discrete chaotic maps have 10 parameters and 3 initial values as shown in Table 1, they are merged into only 4 key parameters as shown in Fig. 4. In the substitution phase, the substitution-key length can be controlled as in the case of fractals-based substitution,  bits, or fixed as in the two other cases (96 and 128 bits for the Lorenz and generalized maps, respectively). Similarly for the permutation phase, the key length can be controlled for the two cases of Arnold’s cat map and chess-based algorithm with and  bits, respectively. In the Lorenz-based permutation technique, the key length is fixed and equals 100 bits. For example, let us assume that the Lorenz technique is selected for both substitution and permutation then the key length will be 96 bits for the substitution phase and 100 bits for the permutation phase. This gives a total key length of 196 bits, which is large enough to resist brute-force attacks.

Permutation-only encryption algorithm

The output of the scrambled images of Lena is shown in Fig. 5 for six different cases: three permutations with and three with . These outputs represent the permutation-only encryption algorithm, where the encrypted images are visually more random in chaotic generators than in the chess-based algorithm. The average correlation coefficients of the three channels are shown in Fig. 5 where the effect of continuous Lorenz is better than that of the discrete chaos. It is clear that (dynamic permutation key) does not highly affect the continuous permutation because the correlation coefficients are already in the good range. However, it enhances the correlation coefficients of the discrete permutation such that the horizontal correlation coefficients are divided by 5, which decreases the gaps between the correlation coefficients in different directions. Regarding the chess-based algorithm shown in Fig. 5(c) and (f), the encrypted image is visually not good as clear from the average correlation coefficients, especially the vertical measure, which reflects the vertical lines in the encrypted images either with or . Note that, in the permutation algorithms, the pixels RGB values do not change but the locations of the pixels do change. Therefore, the histograms of all six cases are identical to those of the original image, which makes all these algorithms unsecured. Moreover, the differential attack measures and other evaluation techniques will fail for these outputs, which clarifies the need for permutation–substitution encryption algorithms.

Fig. 5

The scrambled image and its adjacent pixel correlation coefficients where (a–c) and (d–f) are for the continuous chaos, discrete chaos and chess-based algorithm when and , respectively.

Permutation–substitution encryption algorithms

Two sets of results have been tested based on the switch , where 9 cases are discussed in each scenario showing all possible combinations of the selected substitution and permutation techniques. When the input image channels are processed using (13) to calculate , then, the permutation parameters obtained from the encryption key are further modified using as in (14a), (14b), (14c), (15a), (15b), (16a), (16b), (17).

Table 3 shows the average correlation coefficients of the RGB channels and the differential attack measures for 18 different encrypted outputs (9 cases for both and . Moreover, the MSE and entropy are also added in Table 3 for the 18 encryption algorithms under two different wrong decryption processes when the LSB of the substitution and permutation keys is changed.

Table 3

Average encryption measures over the three RGB channels as well as mean square error and entropy results for images with resolution 512 × 512.

It is worth noting that the average correlation coefficients for all algorithms are in the order of , which reflects that the pixels are almost uncorrelated in all directions. Table 4 shows the 18 encrypted images and Fig. 6 illustrates the horizontal correlation distributions in the RGB channels for the original Lena image and four different encrypted outputs. The first observation from this figure is that the influences of all permutation-only algorithms are limited and their effect exists in similar regions related to the original distribution and they do not cover the whole domain. However, the horizontal distribution of the correlations in the RGB channels becomes similar in the 18 mixed permutation–substitution algorithms as shown in the last column, where uniform distributions are obtained in all channels. The minimum correlation values from these 18 outputs are in the order of when using the chess-algorithm for permutation, generalized discrete maps for substitution and .

Table 4

Encrypted and wrong decrypted images.

Fig. 6

The horizontal pixel correlation distribution for the RGB channels.

The differential attack measures are among the main requirements for secure encryption. From the previous studies and Table 3, the effect of different substitution techniques for one permutation technique is minor and can be neglected in both and . Nevertheless, the main objective of the switch is to improve the differential attack measures and, especially, the NPCR and UACI measures as shown in Table 3. The NPCR measures jump from 46%, 33%, 49% at to 99.6%, 99.6%, 99.6% at corresponding to Lorenz, Arnold and chess-algorithm permutation techniques, respectively. Similarly, the UACI measures jump from 15%, 11%, 16% at to 33.4%, 33.4%, 33.4% at corresponding to Lorenz, Arnold and chess-algorithm permutation techniques, respectively. These NPCR and UACI values are in the good ranges as reported before [42].

The sensitivity analyses for two different cases are shown in Table 4 for each encryption algorithm and their RMS and entropy values are given in Table 3. The first case is when wrong decryption is applied after changing a single LSB of one parameter from the permutation key with a subscript . The second case is when the LSB is chosen from the substitution key with a subscript . Based on the results of Table 3 for all encryption algorithms, the wrong decryption permutation-key gives the best performance using the Lorenz permutation algorithm. In the chess-based algorithm, the cyclic rotation effect of the horse-move is illustrated in Table 4. The main disadvantage of using Arnold’s cat map is that the wrong decrypted images are very bad as all the details of the original image exist as shown in Table 4. However, the second wrong decryption case for all 18 algorithms illustrates a great response as evident from the higher values of the RMS and the entropy, which are very close to 8. Therefore, the key design should focus on the substitution case to improve the sensitivity analysis and the Arnold’s cat map is not recommended for secure encryption.

Table 5 shows the results of the 15 NIST tests [41] performed on Lena where seven cases are discussed: three permuted images and four fractal-based substitution cases having Lorenz and chess permutation techniques with and . It is clear from these results that the permutation only techniques are not enough to pass all tests but the mixed techniques succeed in all tests based on chaotic/non-chaotic systems such as in the Lorenz/fractals case or even non-chaotic/non-chaotic algorithms as in the chess/fractals results. Those results further assert the randomness of the encrypted images.

Table 5

Sample NIST results for encrypted Lena ().

Because it is difficult to simultaneously achieve the best encryption execution time and high security, the objective of this review article is not to provide the best execution time but to provide good encryption quality with nonconventional algorithms. The encryption time for the studied cases can be estimated from the times of the substitution and permutation phases. Using a computer with 2.2 GHz processor, 4G RAM, and for the Lena color image, the substitution-only times are 1.149, 3.78 and 0.782 s for the Lorenz, generalized maps and fractals, respectively. Although substitution based on generalized discrete maps has the largest execution time, its complexity and security are high due to the number of parameters and calculations of the generalized maps. Regarding the permutation phase times, they are 0.017, 0.005 and 8.85 s for the Lorenz, Arnold and chess based algorithms, respectively.

The comparison results of the recent publications drawn from 11 sources are presented in Table 6 with respect to the used PRNG’s (chaotic and non-chaotic), basic idea of the encryption algorithm, the input data, the applied encryption analyses and some additional details. It is clear that all these papers are based on chaotic generators in the substitution phase and some of them focus only on substitution encryption algorithms [10], [11], [12], [13], [14]. The permutation phase of the other papers is related to the conventional discrete chaotic maps except for Zanin and Pisarchik [16], which is based on the Gray code (linear matrices) but without any analysis. Some analyses were not reported and some results are not in the good ranges such as UACI [13], which is 20%, and the NPCR [11]. Some papers reported the execution time for grayscale images and three papers [11], [13], [18] for color-images. In addition, some analyses such as the NIST statistical tests are not performed. Additional features, which are not covered in this review article, have been introduced in some of these references such as the FPGA hardware design and post-processing [2], data loss and noise attacks [18], and the compression performance [17].

Table 6

Comparison between this review article and eleven recent books and papers. (See below-mentioned reference for further information.)

Conclusions and recommendations

This paper covered both substitution and permutation phases, where different techniques were discussed such as discrete chaotic maps (the conventional Arnold’s cat map and a combination of three generalized maps), a continuous chaotic system (Lorenz) and non-chaotic algorithms (fractals-based and chess-based horse movement). Complete analyses of 27 different encryption algorithms were summarized in which substitution-only, permutation-only and permutation–substitution phases are discussed with and without dependency on the input image. Therefore, several complete encryption algorithms were provided and compared using miscellaneous analyses, which include the NIST statistical tests, key-sensitivity tests and execution times. A comparison with eleven recent publications is provided in Table 6, which illustrates the advantages and wide scope of this review article.

Based on the presented analyses and comparisons, the following recommendations, on how to design a secure image encryption algorithm, can be given. Even though some of these recommendations can be considered as common rules in modern symmetric encryption algorithms, they have not been widely followed. Finally, some future research directions are also provided.

Permutation-only image encryption schemes are generally insecure: A permutation-only encryption algorithm reallocates the pixels so that the correlation coefficients may be improved but the encrypted image still has the same histogram. Such histograms can reveal some useful information about the plain images. For example, images of human faces usually have narrower histograms than images of natural scenes. In addition to revealing such information, permutation-only encryption schemes usually fail in key sensitivity analysis and NIST results and have poor differential attack measures.

Substitution-only image encryption schemes are generally more secure than permutation-only schemes: Whether the substitution algorithm is based on discrete chaotic, continuous chaotic or non-chaotic (e.g., fractals) generators, it improves the correlation coefficients, flattens the histograms and can pass the key sensitivity and NIST tests. However, the differential attack results are not good enough since there are no changes in the pixels’ positions.

Permutation–substitution encryption algorithms generally have the best security: A substitution phase can make the cipher-image look random and pass many evaluation criteria. A permutation phase can improve the differential attack measures and is useful in increasing the computational complexity of a potential attack and in making the cryptanalysis of the encryption scheme more complicated or impractical. Hence, permutation–substitution encryption algorithms usually improve all the encryption evaluation criteria and will, most probably, pass the NIST tests.

Cipher-image feedback with multiplexing is very useful for enhancing the security: The multiplexer adds nonlinearity and the delay element improves the encryption statistics because each pixel affects all upcoming encrypted pixels.

Permutation phases which are dependent on the input image enhance the security: When the permutation parameters are dynamic, the permutation–substitution encryption algorithm becomes sensitive to any small change in the input image, produce a totally different output and, hence, the differential attack measures are improved.

Key sensitivity results may not be satisfactory for some permutation techniques: A one bit change in the encryption-key should lead to a totally different behavior in the encryption process. The substitution parameters are usually sensitive to such small changes. However, care should be taken when including the permutation parameters in the encryption-key design.

Combining chaotic and non-chaotic generators can yield a fast and secure encryption algorithm: For the studied algorithms, performing substitutions using fractals and permutations using a chaotic generator represents a good encryption choice. In addition to security, which was the main objective of this review article, focusing on the speed of the encryption algorithm should be the target of future research so that video encryption can be performed.

Additional features can enhance the utilization of an image encryption algorithm: For instance, image compression can be performed along with image encryption. Implementing an FPGA hardware design that corresponds to the software design is also needed.

Conflict of Interest

The authors have declared no conflict of interest.

Compliance with Ethics Requirements

This article does not contain any studies with human or animal subjects.