Symmetric Color Image Encryption Using a Novel Cross–Plane Joint Scrambling–Diffusion Method

Abstract

Motivated by the pursuit of both encryption efficiency and security, this paper presents a symmetric color image encryption algorithm using a novel cross–plane joint scrambling–diffusion method. To provide high–strength security, the color planes are firstly spliced horizontally and then vertically to be adequately encrypted by the joint scrambling–diffusion method. Therefore, minor changes in any pixel can cross every color plane that significantly influences the final cipher image. To achieve fast encryption speed, all employed chaotic systems have simple structures but robust properties to rapidly generate high–quality pseudorandom sequences. Additionally, the joint scrambling–diffusion method is vectorized to handle pixels in parallel for satisfactory execution efficiency. Security tests demonstrate the outstanding security performance of the proposed algorithm, with correlation coefficients and entropies of cipher images being close to 0 and greater than 7.99, respectively, and results of NPCR and UACI tests being similar to ideal cipher images, which can resist statistical, differential, exhaustive, and even chosen ciphertext/plaintext attacks. Moreover, because of the O(4W + 4H) time complexity of the novel scrambling–diffusion method, even a color image with a size of 1024 × 1024 only costs 0.26 s to be encrypted. Hence, the proposed algorithm can satisfy the efficiency and security requirements of color image encryption.

1. Introduction

With the widespread adoption of mobile internet and handheld devices, we have entered a new era characterized by an information explosion. Enormous amounts of multimedia data are produced and transferred in our daily lives and the fields of industry, medical treatment, and the military. As the most commonly used information carrier, digital images occupy a crucial place in multimedia data [1,2,3]. Although watermarking techniques can assist creators in protecting their work’s copyright [4,5], a reliable method to avoid the leakage of sensitive information within images is still lacking. Modern commercial encryption algorithms, such as Triple Data Encryption Standard (3DES) [6] and Advanced Encryption Standard (AES) [7], were originally designed to manage access rights for text data. However, they may be time–consuming or even fail when dealing with image data [8,9]. Hence, the design of image–oriented cryptosystems has become a popular research topic [10,11].

Over the past few decades, chaos–based techniques have emerged as highly successful approaches in the field of image encryption. Because of its high initial condition sensitivity, strong intrinsic randomness, and unpredictable complex trajectory, it essentially satisfies the requirements of an ideal image encryption algorithm [12,13,14]. On the one hand, as proper pseudo random number generators, many novel chaotic systems have been proposed for more secure image encryption. For example, Arthi et al. [15] employed a 4D Lorenz–like hyperchaotic system to provide an extremely complex and unpredictable key stream for image encryption. Liu et al. [16] presented a novel 4D conservative chaotic system with properties of wide ergodicity and no degradation. Folifack Signing et al. [17] presented a chaotic chameleon system with self–excited and hidden attractors which can perform better in digital systems. Njitacke et al. [18] implemented a chaotic circuit exhibiting extreme multistability and periodic infinite. On the other hand, the image–oriented encryption structure is also widely investigated for real high–strength ciphers. Xian et al. [19] achieved sub–scrambling and selective diffusion for image encryption. Xu et al. [20] extended scrambling and diffusion operations to bit planes. Alexan et al. [21] introduced a single–neuron model and substitution box to provide both high security and efficiency for image encryption. Additionally, some scholars attempted to introduce other techniques, such as compressive sensing [22,23], deoxyribonucleic acid (DNA) coding [24,25], and matrix semi–tensor products [26,27] to improve chaos–based image cryptosystems. Until now, although various kinds of image encryption algorithms have emerged, scrambling and diffusion are still two basic components to protect these algorithms against modern cryptoanalysis. However, some unforeseeable challenges emerged when these algorithms are extended to color image encryption.

Although cyan–magenta–yellow (CMY), hue–saturation–value (HSV), and some newer models for representing a color image do exist, the red–green–blue (RGB) model, which consists of the R, G, and B planes, remains a universal color model in digital systems. In some studies, scholars have declared that this issue can be resolved by performing grayscale image encryption algorithms on the R, G, and B planes separately [28,29,30,31,32,33,34]. Kumar et al. [31] extracted three matrices from RGB images and employed Arnold’s and logistic maps to individually encrypt each color plane by scrambling and diffusion. Lone et al. [32] introduced an affine hill cipher to achieve sufficient diffusion after every color plane was pre–encrypted using Arnold’s map and a 3D logistic map. Yan et al. [33] applied a multiscroll hyperchaotic system to generate better–quality random numbers and applied different diffusion strategies to each color plane. Tahiri et al. [34] proposed a modified 3D fractional order Henon map and applied it to scramble and diffuse color channels for high–strength encryption. However, they may be over–optimistic because they ignored the strong correlations between each color plane. Nowadays, more and more novel algorithms have been proposed to truly satisfy color image encryption requirements [35,36].

By performing a semi–tensor product method, Chai et al. [37] successfully mixed color planes for the further encryption process but at the cost of heavy time computation. Inspired by steganography, Yang et al. [38] compressed all image information into a grayscale image in the YCbCr space to reduce the time required for color image encryption; however, the extra time of conversion between color spaces, integer wavelet transformation, and down–sampling also affected the efficiency of the proposed algorithm. Hosny et al. [39] divided each color plane into multiple sub–blocks, then employed the zigzag technique to obtain a scrambled big grayscale image for further diffusion, which may suffer from the low efficiency of the zigzag process. Wang et al. [40] utilized a zigzag to realize the complete scrambling of all color pixels, and then three new color matrices were further encrypted by a fast diffusion method. Similar schemes were presented by Zhang et al. [41], with improvements in the scrambling process using a 3D zigzag transformation. However, the absence of diffusion between each color plane renders these algorithms vulnerable to attacks. Jasra et al. [42] and Wang et al. [43] used DNA coding techniques to mix the R, G, and B components for further scrambling and diffusion. Ouyang et al. [44] employed a memristive hyperchaotic system and an additional crossover DNA coding method to further enhance encryption strength. However, although the DNA coding technique contributed to improving the security of encryption, the extra time of coding and decoding limited its application in real–time communications. Li et al. [45] accelerated their algorithm by achieving cross–plane scrambling and diffusion at the row level; however, diffusion in only one direction could not guarantee sufficient security against chosen–plaintext attacks. Zhang et al. [46] converted a color image into a 2D matrix and then applied a multithread technique to reduce the time consumption of scrambling; however, the diffusion process was still traditional and inefficient. Recently, a new approach to image encryption that simultaneously performs scrambling and diffusion has been developed. For example, Li et al. [47] and Teng et al. [48] presented a global scrambling method embedded with diffusion to strengthen the security of color image encryption. Although they claimed that this approach could also be applied to real–time situations, the experimental results are unconvincing.

In summary, although color image encryption has attracted more and more attention, there are still some problems to settle: First, three color planes must be treated as a whole to achieve total scrambling and diffusion, which protect cipher images against modern cryptoanalysis. Second, since the data size of a color image is larger than a gray image, a novel technique is needed to accelerate encryption speed. Last, an applicable algorithm should meet requirements of both security and efficiency. Inspired by the great success of vectorization techniques in accelerating digital image processing, as well as the latest developments of chaos control theory, this paper presents a novel color image encryption algorithm, which not only has high–strength security but also has fast execution speed.

The major contributions of the proposed algorithm are as follows:

• A novel cross–plane joint scrambling–diffusion method is proposed for color image encryption that simultaneously satisfies security and efficiency requirements.
• By splicing horizontally and vertically, the R, G, and B color planes serve as a whole so that the encryption effect of any color plane cross–influences others, overcoming the potential drawbacks of encrypting each color plane separately.
• The joint scrambling–diffusion method embeds the scrambling process with diffusion to singularly complicate the relationship between plain and cipher images and has a satisfactory execution speed optimized by the vectorization technique.
• The key streams for the encryption process are generated using enhanced 1D chaotic maps and 2D hyperchaotic systems, which can balance the iteration speed and random properties for fast and high–strength encryption.
• The session key of the proposed algorithm consists of both hash value of plain image and a dynamic true random number, which not only achieves high plaintext sensitivity but also ensure forced update for every encryption task.
• The outstanding performance of the proposed algorithm was verified through numerous experiments and analyses using standard test color images.

The remainder of this paper is organized as follows. Section 2 describes the roles of the chaotic systems employed and the vectorization technique. In Section 3, all the modules of the proposed algorithm are described in detail. Section 4 presents the experimental results and comparisons with those of previous studies. Finally, Section 5 presents the conclusion.

2. Preliminaries

The properties and roles of the employed chaotic systems are described in this section, and the feasibility of the vectorization technique for accelerating image encryption is discussed.

2.1. Employed 2D Hyperchaotic Systems

Good–quality chaotic sequences are imperative for successful image encryption. As low–dimensional chaotic systems suffer from the degeneration of digital systems, hyperchaotic systems have received considerable attention. However, the more complex the system, the heavier the time consumption of the iteration. Recent research indicates that a 2D hyperchaotic system can serve as a suitable random number generator owing to its faster iteration speed than high–order systems but equivalent robustness against degeneration [48,49,50,51,52]. Moreover, this paper combines two 2D hyperchaotic systems to generate a key stream with improved statistical and random performances.

The first employed 2D–LSM (logistic–sine map) system [51] is as follows:

$$\left\{\begin{array}{l}{x}_1(i+1)=\cos \left(4a{x}_1(i)(1-x_1(i))+b\sin (\pi y_1(i))+1\right)\\ y_1(i+1)=\sin \left(4a{y}_1(i)(1-y_1(i))+b\cos (\pi x_1(i))+1\right)\end{array}\right.$$

(1)

where a and b ∈ [1, 100] are two control parameters. As shown in Figure 1, if a and b are both set to 100, there are two positive Lyapunov exponents (LEs), meaning that the 2D–LSM can be involved in a hyperchaotic state. Thus, it can be employed to generate a sufficiently long pseudorandom sequence with strong unpredictability for image encryption.

Another employed 2D–CLSS (chaotic–logistic–sin–sine) system [52] is given by

$$\left\{\begin{array}{l}{x}_2(i+1)=\sin \left(\pi (p{y}_2(i)(1-y_2(i)))\right)\\ y_2(i+1)=\sin \left(\pi (x_2(i)+y_2(i))\right)\end{array}\right.$$

(2)

where p ∈ [1, +∈] denotes the control parameter. As shown in Figure 2, when p = 1024, the 2D–CLSS contains two positive LEs that exhibit a hyperchaotic orbit. Hence, this method was used to produce another pseudorandom sequence.

2.2. Employed 1D Chaotic Systems

1D chaotic systems are suitable for fast scrambling of pixel positions but are unreliable. Employing the cascade method, numerous higher robust 1D chaotic systems have been proposed for fast and sufficiently scrambled pixel positions. In this paper, the pseudo–random sequence for scrambling was generated by a 1D–IST (improved sine–tangent) chaotic system [53] and defined as follows:

$$x_3(i+1)=\sin (\alpha \tan (3x_3{(i)}^2-1.5))$$

(3)

where the control parameter α is in the range of 0–8. As illustrated in Figure 3, when α = 8, 1D–IST obtains the largest LE and uniform distribution, and thus it can supply random sufficient initial vectors.

Moreover, to initialize the vectorized encryption process, we employ a 1D–SAS (sine–arcsine) chaotic system [54] to provide the initial vector.

$$x_4(i+1)=\left|\sin (\frac{100\mu }{\arcsin (x_4(i))})\right|$$

(4)

where the control parameter μ is a positive real number. Figure 4 demonstrates its changes in LE and bifurcation with μ. Consequently, we can safely set μ to 1 to rapidly produce a random sequence for scrambling pixel positions.

2.3. Vectorization Technique

Vectorization is widely used in scientific computing as an edge tool to improve execution performance. As shown in Figure 5, a vectorized algorithm can maximize the advantages of sing–instruction multidata. This algorithm is widely supported by Intel, AMD, and ARM to accelerate its running speed and mitigate the difficulties of programming and maintenance. It is well known that a digital image, which is stored as a 2D matrix, is intrinsically suitable for a processing algorithm using a vectorization technique [55,56,57]. For fast image encryption, we virtually vectorize every module in the proposed algorithm.

3. Proposed Color Image Encryption Algorithm

Referring to Figure 6, details of the proposed algorithm are presented in this section. Assume a plain image P consists of R, G, and B color planes with width W and height H, then the detailed steps of all modules are illustrated below.

3.1. Creation and Extraction of the Session Key

Generally, the session key is the only sensitive information in a cryptosystem; therefore, an unpredictable random number is a universal choice. Moreover, to further enhance the encryption intensity, establishing a correlation between the plain image and session key is a common approach. Hence, this paper creates a session key (SK) by performing a 256–bit secure hash function (SHA–256) on both plain images and a 256–bit dynamic random external key (K_e), which is sensitive to plain images and also achieves forced session key updates. Subsequently, all initial conditions for each chaotic system were extracted from the session key. The detailed steps are as follows:

-

Step A1: Arrange P and K_e into a sequence, and then input them into SHA–256 so that we can obtain a 256–bit SK for post–processing, which is also transmitted to the receiver on a secure channel (protected by a low–capacity public key cryptosystem) for decryption.

-

Step A2: First, extract initial values for the employed chaotic systems by the following method, where the operator ⊕ represents a bit–level exclusive or operation:

$$\left\{\begin{array}{l}{x}_1(1)=(\mathit{S}\mathit{K}(1:40)\oplus \mathit{S}\mathit{K}(241:244))/2^{40}\\ y_1(1)=(\mathit{S}\mathit{K}(41:80)\oplus \mathit{S}\mathit{K}(241:244))/2^{40}\\ x_2(1)=(\mathit{S}\mathit{K}(81:120)\oplus \mathit{S}\mathit{K}(245:248))/2^{40}\\ y_2(1)=(\mathit{S}\mathit{K}(121:160)\oplus \mathit{S}\mathit{K}(245:248))/2^{40}\\ x_3(1)=(\mathit{S}\mathit{K}(161:200)\oplus \mathit{S}\mathit{K}(249:252))/2^{40}\\ x_4(1)=(\mathit{S}\mathit{K}(201:240)\oplus \mathit{S}\mathit{K}(253:256))/2^{40}\end{array}\right.$$

(5)

After converting all the above binary values into double precision floating point numbers, we then obtain the initial values x₁(1) and y₁(1) for 2D–LSM, x₂(1) and y₂(1) for 2D–CLSS, x₃(1) for 1D–IST, and x₄(1) for 1D–SAS.

-

Step A3: Because the pre–iteration of chaotic systems avoids the insecurity of the transient effect and may lead to entirely different encryption results, we employ the remaining bits of SK to determine the pre–iteration times of each chaotic system using the following equation.

$$\left\{\begin{array}{l}pr{e}_1=\mathit{S}\mathit{K}(241:244)\oplus \mathit{S}\mathit{K}(245:248)\\ pr{e}_2=\mathit{S}\mathit{K}(245:248)\oplus \mathit{S}\mathit{K}(249:252)\\ pr{e}_3=\mathit{S}\mathit{K}(249:252)\oplus \mathit{S}\mathit{K}(253:256)\\ pr{e}_4=\mathit{S}\mathit{K}(253:256)\oplus \mathit{S}\mathit{K}(241:244)\end{array}\right.$$

(6)

Finally, after converting all the above binary values into unsigned integers and being plus 20 (a secure minimum pre–iteration times), we obtained the pre–iterations pre₁, pre₂, pre₃, and pre₄ for 2D–LSM, 2D–CLSS, 1D–SAS, and 1D–IST.

3.2. Generation and Schedule of the Key Stream for Diffusion

Although the intrinsic randomness of both 2D–LSM and 2D–CLSS is strong, the statistical properties of the sequences they produce are insufficient. Thus, we depend on the following steps to rapidly create the three key diffusion matrices with improved statistical properties for the subsequent encryption process.

-

Step B1: Input x₁(1) and y₁(1) into 2D–LSM, and x₂(1) and y₂(1) into 2D–CLSS, and then separately pre–iterate the 2D–LSM and 2D–CLSS pre₁ and pre₂ times.

-

Step B2: Update x₁(1), y₁(1), x₂(1), and y₂(1) to the final state values of the pre–iterations.

-

Step B3: Initialize four empty sequences S₁, S₂, S₃, and S₄.

-

Step B4: Iterate the 2D–LSM and 2D–CLSS W × H times using new x₁(1), y₁(1), x₂(1), and y₂(1), and fill S₁, S₂, S₃, and S₄ with

$$\left\{\begin{array}{l}{\mathit{S}}_1=\{{\mathit{S}}_1,x_1(i)\}, {\mathit{S}}_2=\{{\mathit{S}}_2,y_1(i)\}\\ {\mathit{S}}_3=\{{\mathit{S}}_3,x_2(i)\}, {\mathit{S}}_4=\{{\mathit{S}}_4,y_2(i)\}\\ i=1,2,\cdots ,W\times H-1,W\times H\end{array}\right.$$

(7)

-

Step B5: Convert all the elements of S₁, S₂, S₃, and S₄ into integers in the range [0, 255] using

$$\left\{\begin{array}{l}{\mathit{S}}_1=⌊(\left|{\mathit{S}}_1\right|-⌊\left|{\mathit{S}}_1\right|⌋)\times {10}^{15}⌋\%256\\ {\mathit{S}}_2=⌊(\left|{\mathit{S}}_2\right|-⌊\left|{\mathit{S}}_2\right|⌋)\times {10}^{15}⌋\%256\\ {\mathit{S}}_3=⌊(\left|{\mathit{S}}_3\right|-⌊\left|{\mathit{S}}_3\right|⌋)\times {10}^{15}⌋\%256\\ {\mathit{S}}_4=⌊(\left|{\mathit{S}}_4\right|-⌊\left|{\mathit{S}}_4\right|⌋)\times {10}^{15}⌋\%256\end{array}\right.$$

(8)

-

Step B6: Initialize three empty sequences DK_R, DK_G, and DK_B.

-

Step B7: Fill DK_R, DK_G, and DK_B by

$$\left\{\begin{array}{l}\mathit{D}{\mathit{K}}_{\mathrm{R}}={\mathit{S}}_1\oplus {\mathit{S}}_3\\ \mathit{D}{\mathit{K}}_{\mathrm{G}}={\mathit{S}}_2\oplus {\mathit{S}}_4\\ \mathit{D}{\mathit{K}}_{\mathrm{B}}={\mathit{S}}_1\oplus {\mathit{S}}_4\end{array}\right.$$

(9)

-

Step B8: Finally, reshape DK_R, DK_G, and DK_B into three W × H matrices of random numbers for subsequent diffusion and delete S₁, S₂, S₃, and S₄.

3.3. Generation and Schedule of the Key Stream for Scrambling

To achieve joint scrambling–diffusion, we randomly chose circularly shifted pixels in a row or column during the diffusion process. The key stream for scrambling is rapidly generated by 1D–IST and is further scheduled by the following steps:

-

Step C1: Input x₃(1) into the 1D–IST and pre–iterate the 1D–IST pre₃ times.

-

Step C2: Update x₃(1) to the last state value of the pre–iteration.

-

Step C3: Initialize an empty sequence S.

-

Step C4: Iterate 1D–IST 4W + 4H times using the new x₃(1), and fill S with S = {S, x₃(i)}, i = 1, 2, …, 4W + 4H − 1, 4W + 4H.

-

Step C5: Initialize four empty sequences SK₁, SK₂, SK₃, and SK₄.

-

Step C6: Fill SK₁, SK₂, SK₃, and SK₄ for subsequent scrambling by

$$\left\{\begin{array}{l}\mathit{S}{\mathit{K}}_1=⌊\mathit{S}(1:H)\times {10}^{15}⌋\%3W\\ \mathit{S}{\mathit{K}}_2=⌊\mathit{S}(H+1:H+3W)\times {10}^{15}⌋\%H\\ \mathit{S}{\mathit{K}}_3=⌊\mathit{S}(H+3W+1:H+4W)\times {10}^{15}⌋\%3H\\ \mathit{S}{\mathit{K}}_4=⌊\mathit{S}(H+4W+1:4H+4W)\times {10}^{15}⌋\%W\end{array}\right.$$

(10)

-

Step C7: Finally, delete S.

3.4. Generation and Schedule of the Key Stream Initial Vector

An initial vector that affects the encryption result is indispensable for initiating a CBC–based diffusion process. In this paper, the vectorized diffusion process led to a greater need for random numbers than the traditional diffusion processes. Hence, we depend on 1D–SAS to provide an initial vector with sufficient length based on the image size. The steps for generating the initial vector are as follows.

-

Step D1: Input x₄(1) into the 1D–SAS and pre–iterate the 1D–SAS pre₄ times.

-

Step D2: Update x₄(1) to the last state value of the pre–iteration.

-

Step D3: Initialize an empty sequence, S.

-

Step D4: Iterate 1D–SAS 3W times using the new x₄(1), and fill S with S = {S, x₄(i)}, i = 1, 2, …, 3W − 1, 3W.

-

Step D5: Initialize an empty sequence, IV.

-

Step D6: Fill IV to commence the subsequent diffusion process by

$$\mathit{I}\mathit{V}=⌊\mathit{S}\times {10}^{15}⌋\%256$$

(11)

-

Step D7: Finally, delete S.

3.5. Encryption Process

Currently, the RGB color image P can be encrypted by the Algorithm 1 using the keys obtained above; the specific steps and descriptions are as follows:

Algorithm 1 Cross–plane Joint Scrambling–diffusion Method

Input: P, IV, DKR, DKG, DKB, SK1, SK2, SK3, SK4

Output: C

1: Extract three color planes from plain image by PR = P(:, :, 1), PG = P(:, :, 2), PB = P(:, :, 3)

2: Splice three color planes and diffusion key matrixes horizontally by M1 = {PR, PG, PB} and K1 = {DKR, DKG, DKB}.

//Use IV, K1(1, :), and SK1(1) to start diffusion from first row of M1 and circular shift (>>) it

3: Temp ← (IV + M1(1, :))%256 4: Temp ← K1(1, :)⊕Temp 5: TC(1, :) ←Temp >> SK1(1)

//Continue to encryption the remainder of rows of M1

6: for i from 2 to H − 1 7:  Temp ← (TC(i − 1, :) + M1(i, :))%256 8:  Temp ← K1(i, :)⊕Temp 9:  TC(i, :) ← Temp >> SK1(i)) 10: end for

//Update IV and use K1(:, 1), and SK2(1) to start diffusion from the first column of TC and circular shift it

11: IV ← TC(:, 3W) 12: Temp ← (IV + TC(:, 1))%256 13: Temp ← K1(:, 1)⊕Temp 14: TC(:, 1) ← Temp >> SK2(1)

//Continue to encryption the remainder columns of TC

15: for i from 2 to 3W 16:   Temp ← (TC(:, i − 1) + TC(:, i))%256 17:   Temp ← K1(:, i)⊕Temp 18:   TC(:, i) ← Temp >> SK2(i) 19: end for

20: Cut the TC and resplice it in vertical by M2 = {TC(1:W, :); TC(W + 1:2W, :), TC(2W + 1:3W, :)} and also resplice three key matrixes in vertical by K2 = {DKR; DKG; DKB}

//Update IV and use K2(:, 1), and SK3(1) to start diffusion from first column of M2 and circular shift it

21: IV ← M2(:, W) 22: Temp ← (IV+ M2(:, 1))%256 23: Temp ← K2(:, 1)⊕Temp 24: TC(:, 1) ← Temp >> SK3(1)

//Continue to encryption the remainder columns of TC

25: for i from 2 to W 26:   Temp ← (TC(:, i − 1)+ M2(:, i))%256 27:   Temp ← K2(:, i)⊕Temp 28:   TC(:, i) ← Temp >> SK3(i) 29: end for

//Update IV and use K2(1, :), and SK4(1) to start diffusion from the first row of TC and circular shift it

30: IV ← TC(3H, :) 31: Temp ← (IV + TC(1, :))%256 32: Temp ← K2(1, :)⊕Temp 33: TC(1, :) ← Temp >> SK4(1)

//Continue to encryption the remainder of rows of TC

34: for i from 2 to 3H 35:   Temp ← (TC(i−1, :)+ TC (i, :))%256 36:   Temp ← K2(i, :)⊕Temp 37:   TC(i, :) ← Temp >> SK4(i) 38: end for

39: Obtain the final cipher color image by C(:, :, 1) = TC(1:H, :), C(:, :, 2) = TC(H + 1:2H, :), C(:, :, 3) = TC(2H + 1:3H, :)

Assisted by the demo drawn in Figure 7, explanations of our algorithm are presented to clarify the entire encryption process. As shown in Figure 7a, the R, G, B planes are firstly extracted from original color images and horizontally spliced in 2D space to achieve high–strength encryption by performing the cross–plane joint scrambling–diffusion method four times.

In stage one, as shown in Figure 7a,b, the three diffusion key matrices are also spliced horizontally. Diffusion works in parallel on pixels of a row from top to bottom, which employs both diffusion keys and previously encrypted pixels to achieve the avalanche effect of the encryption requirements. After a row is handled by diffusion, it is immediately scrambled using a random circular shift operation across the spliced color planes, which realizes cross–plane diffusion in the subsequent encryption process. Additionally, the initial vector is used as the previously encrypted pixels at the start of this stage.

In stage two, as shown in Figure 7b,c, the joint scrambling–diffusion works from left to right using the above spliced diffusion key matrix so that pixels in a column are encrypted in parallel by both diffusion keys and previous pixels. Similar to stage one, the pixel positions undergo a random circular shift during diffusion, which results in the scrambling of each color plane in the vertical direction. Moreover, to allow any minor change in the pixels to influence the final cipher image against differential attacks, the initial vector is updated to the last column of the temporary cipher image generated in stage one.

Subsequently, the temporary cipher image is split into three matrices of the same size (as shown in Figure 7d); they are then spliced vertically into a large matrix (as shown in Figure 7e), and the three diffusion key matrices are treated similarly. As shown in Figure 7e,f, stage three achieves scrambling in the vertical direction and diffusion in the horizontal direction, which can further strengthen the avalanche effect and exchange pixel positions between color planes. Finally, as shown in Figure 7f,g, the cross–plane scrambling–diffusion method is simultaneously performed in the vertical and horizontal directions in stage four.

The four stages realize the scrambling of the pixel position inside and between every color plane, whereas vectorized diffusion executes quickly to magnify any minor changes in a plain image. Thus, the proposed encryption process can minimize the relationship between plain and ciphered images against common attacks and has a complexity of only O(4W + 4H).

3.6. Decryption Process

A practical encryption algorithm must include a decryption algorithm to recover the cipher image at the receiver end. In this paper, because each operation has a corresponding inverse operation (because the pixel value of an 8–bit digital image is in the range 0–255), the decryption of a cipher image is an inverse encryption process, as shown in Figure 8.

4. Experimental Results and Analyses

In this section, the proposed algorithm is comprehensively assessed based on security and execution performance. All tests were implemented in MATLAB R2021b running on a workstation equipped with a 12th Generation Intel(R) Core(TM) i7–12700H 2.30 GHz, 32 GB of DDR5 memory, and the Windows 11 Home Edition operating system. Moreover, we acquired K_e, as listed in

Table 1. Value of the external key K_e.

External Key	Ke
Value	b3659e41054ea5afd76c1c988c91ac1985abcbe4d0196af2c1393d35ba7032a3

, from Random.org [58] (a provider of true random numbers) for the subsequent tests.

Standard color images from the USC–SIPI database were used. Figure 9 shows the effects of encryption and correct decryption. Figure 9a,b are ‘House’ and Lena’ with a size of 256 × 256; Figure 9c,d are ‘Mandrill’ and ‘Peppers’ with a size of 512 × 512; Figure 9e,f are ‘Oakland’ and ‘San Diego’ with a size of 1024 × 1024. Their encrypted images and decrypted images are listed in the second and third columns, respectively. Hence, the proposed algorithm can handle colored images of any size.

4.1. Histogram Analysis

The histogram test visually reveals the pixel distribution in a plain image. Through encryption, the histogram of the image should be converted from undulating to flat so that the frequency of pixel values can be hidden to resist statistical attacks. As shown in Figure 10g–l, the histogram of each plain image fluctuated. However, after encryption by the proposed algorithm, each pixel value has a similar proportion in the cipher image, as shown in Figure 10s–x. Thus, attackers cannot depend on histogram tests to achieve frequent attacks and extract useful information.

Furthermore, chi–square (χ²) tests [10,34,36] are often performed on histograms to verify the capability of image encryption against frequency attacks. The equation of the χ² test is defined as

$${\chi }^2={\displaystyle \sum _{i=1}^L\frac{{(f_i-p_i)}^2}{p_i}}$$

(12)

where L ∈ [1, 256] is the possible level of an 8–bit unsigned integer pixel, f_i and p_i are the actual proportion of a pixel in an image and the expected proportion of a pixel in an ideal cipher image, respectively. If the significance level α = 0.05, then the expectancy value of χ² for each color plane of a W × H × 3 color image should be 293.24783, which indicates that the cipher image has the strongest resistance to frequency attacks. As listed in

Table 2. Results of χ² test.

Image	Color Plane	Plain	Cipher	p-Value	Result
House	R	2.5858 × 105	261.5078	0.9088	Pass
	G	2.9916 × 105	225.7969	0.9987
	B	3.9404 × 105	279.1328	0.9702
Lena	R	5.9307 × 104	237.2422	0.9929	Pass
	G	3.1305 × 104	237.5078	0.9926
	B	8.0949 × 104	239.3438	0.9903
Mandrill	R	8.2840 × 104	253.6230	0.9543	Pass
	G	1.4281 × 105	236.1797	0.9938
	B	7.9943 × 104	253.4082	0.9553
Peppers	R	2.1319 × 105	231.9101	0.9966	Pass
	G	3.1838 × 105	254.3223	0.9512
	B	4.9143 × 105	267.7500	0.8548
Oakland	R	1.7335 × 106	271.7480	0.8113	Pass
	G	3.5513 × 106	218.3091	0.9996
	B	9.2953 × 106	240.4688	0.9892
San Diego	R	2.8155 × 105	248.0635	0.9740	Pass
	G	1.4036 × 106	267.9277	0.8530
	B	1.5631 × 1046	264.8472	0.8820

, regardless of how high the χ² value of a plain image is, our algorithm can reduce it to a near–expected value, with its p-value being higher than the significance level indicating its robustness against frequency attacks in practice.

4.2. Randomness Analysis

Sufficient randomness is essential when ciphering images to avoid statistical attacks. To evaluate the effect of the statistical information protection provided by the proposed algorithm, we applied randomness tests to both the cipher images and diffusion/scrambling keys. The employed SP 800–22 test suit was powered by NIST [59] and consisted of 15 independent tests to thoroughly verify the randomness of a sequence, as listed in

Table 3. List of SP 800–22 test suit.

No.	01	02	03	04	05
Test	Frequency	Block Frequency	Cumulative Sums	Runs	Longest Runs of Ones
No.	06	07	08	09	10
Test	Rank	Spectral DFT	Nonperiodic Template Matchings	Overlapping Template Matchings	Universal Statistical
No.	11	12	13	14	15
Test	Approximate Entropy	Random Excursions	Random Excursions Variant	Serial	Linear Complexity

.

Subsequently, after all under test objects were converted into binary sequence and the significance level α is set as 0.01, the above 15 tests are performed. As illustrated in

Table 4. Results of the SP 800–22 test suit (set α = 0.01).

Test	p-Value
	DK	SK	House	Lena	Mandrill	Peppers	Oakland	San Diego
01	0.1489	0.5804	0.5812	0.9255	0.2884	0.9448	0.9343	0.1917
02	0.8324	0.6731	0.3556	0.1999	0.3948	0.4201	0.1900	0.9025
03	0.7625	0.2767	0.2546	0.0676	0.6383	0.5122	0.3610	0.4484
04	0.2953	0.6168	0.3007	0.2520	0.3483	0.8983	0.7339	0.3003
05	0.5049	0.2370	0.8657	0.0461	0.0976	0.2630	0.4957	0.9579
06	0.9685	0.7866	0.7766	0.5413	0.4749	0.7779	0.1998	0.7498
07	0.6763	0.7967	0.3500	0.7289	0.9643	0.8084	0.7782	0.3455
08	0.4701	0.2660	0.8263	0.0470	0.7748	0.8770	0.2951	0.9938
09	0.4711	0.4672	0.6833	0.9006	0.9355	0.9641	0.5907	0.3607
10	0.0505	0.1085	0.3930	0.1791	0.5405	0.6017	0.7792	0.6711
11	0.9567	0.8608	0.2240	0.7519	0.2587	0.3205	0.6995	0.0711
12	0.4899	0.0106	0.9687	0.7757	0.3329	0.1835	0.7780	0.1406
13	0.0809	0.4519	0.3803	0.6973	0.0573	0.4034	0.2162	0.5365
14	0.6794	0.7734	0.8624	0.4620	0.6705	0.2373	0.8090	0.8095
15	0.6932	0.8696	0.2014	0.8432	0.7316	0.8360	0.5135	0.9171
Result	Pass	Pass	Pass	Pass	Pass	Pass	Pass	Pass

, because all p-values are considerably larger than the significance level, the diffusion or scrambling keys and cipher images can be regarded as totally random with a confidence of 99%. In conclusion, the proposed algorithm protects images from statistical attacks.

4.3. Correlation Analysis between Adjacent Pixels

The main challenge in image encryption is the high similarity between adjacent pixels. Considering image ‘House’ as an example, the first row of Figure 11 shows that the strong correlations (pixels in any direction) constrain the majority of pixels into a particular area. Subsequently, as shown in row two of Figure 11, by applying the proposed algorithm, the strong inner relations of the image are destroyed, leading to pixels randomly scattered anywhere.

Subsequently, the γ_xy (correlation coefficient) test, as expressed in Equation (13), is employed to quantitatively evaluate the extent of the inner correlations of the image. Specifically, the lower the γ_xy value is, the more secure the cipher image is.

$$\begin{array}{c}\overline{x}=\frac{1}{N}{\displaystyle \sum _{i=1}^N{x}_i},\overline{y}=\frac{1}{N}{\displaystyle \sum _{i=1}^N{y}_i}\\ {\gamma }_{xy}=\frac{{\displaystyle \sum _{i=1}^N(x_i-\overline{x})(y_i-\overline{y})}}{\sqrt{\left({\displaystyle \sum _{i=1}^N{(x_i-\overline{x})}^2}\right)\left({\displaystyle \sum _{i=1}^N{(y_i-\overline{y})}^2}\right)}}\end{array}$$

(13)

In this test, we randomly select N = 10,000 pairs of adjacent pixels x_i, y_i from three directions of both the plain and cipher images and presented the results in

Table 5. Results of γ_xy tests.

Direction	Color Plane		Image
			House	Lena	Mandrill	Peppers	Oakland	San Diego
Vertical	R	P	0.9326	0.9683	0.8624	0.9639	0.9218	0.9216
		C	−0.0001	−0.0017	−0.0013	0.0004	0.0017	0.0002
	G	P	0.9409	0.9709	0.7591	0.9771	0.8512	0.9139
		C	0.0036	−0.0007	0.0027	0.0006	−0.0001	−0.0001
	B	P	0.9668	0.9423	0.8782	0.9619	0.6958	0.8941
		C	−0.0042	0.0024	−0.0024	−0.0008	0.0001	−0.0017
Horizontal	R	P	0.9642	0.9393	0.9218	0.9618	0.9331	0.9245
		C	0.0055	−0.0015	0.0024	0.0003	0.0009	−0.0009
	G	P	0.9760	0.9398	0.8643	0.9777	0.8672	0.9169
		C	0.0035	−0.0013	−0.0003	0.0033	0.0003	0.0002
	B	P	0.9777	0.8911	0.9071	0.9628	0.7111	0.8975
		C	−0.0007	−0.0016	0.0020	−0.0001	0.0004	−0.0001
Diagonal	R	P	0.9126	0.9306	0.8531	0.9575	0.8933	0.9027
		C	−0.0004	0.0024	−0.0010	0.0002	−0.0007	−0.0010
	G	P	0.9317	0.9327	0.7299	0.9698	0.8056	0.8952
		C	−0.0031	0.0015	−0.0017	0.0005	0.0001	−0.0005
	B	P	0.9627	0.8712	0.8411	0.9478	0.6554	0.8717
		C	−0.0020	−0.0005	0.0012	−0.0004	−0.0013	0.0005

. Evidently, even though all the γ_xy values of the plain images are near the maximum, the γ_xy values of the cipher images in any direction decrease to near the minimum. Thus, it can be confirmed that our algorithm ultimately achieves the goal of reducing the strong inner correlations in a plain image.

Considering the image ‘Lena’ as a benchmark, we further make a comparison to some typical algorithms. As presented in

Table 6. Comparison of correlation coefficients.

Algorithm	Color Plane	Ours	Ref. [43]	Ref. [45]	Ref. [46]	Ref. [47]
Vertical	R	−0.0017	−0.0096	0.0012	−0.0046	−0.0013
	G	−0.0007	−0.0032	0.0019	−0.0166	0.0020
	B	0.0024	−0.0023	0.0025	−0.0042	0.0001
Horizontal	R	−0.0024	−0.0050	−0.0012	−0.0057	0.0033
	G	−0.0015	0.0025	0.0025	−0.0032	0.0001
	B	−0.0016	0.0035	0.0003	0.0044	0.0001
Diagonal	R	0.0024	0.0018	−0.0011	0.0091	−0.0003
	G	0.0015	0.0015	−0.0011	−0.0050	−0.0012
	B	−0.0005	−0.0042	−0.0004	−0.0044	0.0004

, our algorithm provides equivalent or better security in image encryption against correlation analysis attacks.

4.4. Information Entropy

Shannon information entropy (SIE) was established in 1948 to verify the uncertainty of information and is defined as

$$H(g)=-{\displaystyle \sum _{i=1}^{L}p(g_i){\log }_{2}p(g_i)}$$

(14)

where p(g_i) represents the probability of every element, and its sum is 1. For an 8–bit image (the color image consists of three 8–bit color planes), there are L = 256 possible values for a pixel. Thus, the maximum SIE of an ideal cipher image should be 8.

Table 7. Results of the SIE test.

Image		House	Lena	Mandrill	Peppers	Oakland	San Diego
R	P	6.43105	7.29199	7.70667	7.33883	6.74584	7.72290
	C	7.99723	7.99739	7.99930	7.99936	7.99981	7.99983
G	P	6.53893	7.56580	7.47443	7.49625	6.06775	7.52891
	C	7.99751	7.99738	7.99935	7.99930	7.99985	7.99982
B	P	6.23204	7.05309	7.75222	7.05831	4.94606	6.83176
	C	7.99741	7.99736	7.99930	7.99926	7.99984	7.99982

and

Table 8. Comparisons of SIE to other works.

Image Size	Ours	Ref. [43]	Ref. [45]	Ref. [46]	Ref. [47]
256 × 256	7.9974	7.9974	–	–	–
512 × 512	7.9993	7.9993	7.9993	7.9993	7.9993

present the results of this scheme and comparisons with other algorithms, respectively. Evidently, all the values of the SIE test are larger than 7.99, which means any after encrypted plain image is approximately equivalent to an ideal cipher image. Thus, our algorithm can resist SIE analysis–based attacks, similar to other algorithms.

Recently, a more rigorous test called the local information entropy (LIE) [60] was introduced to evaluate the entropy of a cipher image at the micro level, which is given by

$${\overline{H}}_{k,Tb}(S)={\displaystyle \sum _{i=1}^k\frac{H(S_i)}{k}}$$

(15)

where S_i represents k image blocks with T_b pixels being non–overlapping, and its LIE is H(S_i). When k = 30 and T_b = 1936, the theoretical LIE is 7.902469317. However, with the significance level α being 0.05, the test could be considered pass if the result locates in the range from 7.901901305 to 7.903037329. Because all the results in

Table 9. Results of the LSE.

Image	House	Lena	Mandrill	Peppers	Oakland	San Diego
R	7.902887399	7.902315714	7.902342208	7.902749564	7.902603517	7.902773850
G	7.902361871	7.902867975	7.901948419	7.902590272	7.902464163	7.902046266
B	7.902284269	7.902686604	7.902843902	7.902353755	7.902219158	7.902947226
Result	Pass	Pass	Pass	Pass	Pass	Pass

fall within the confidence interval, we can assert that the proposed algorithm can resist powerful LIE analysis attacks.

4.5. Plaintext Sensitivity Analysis

Differential analysis is an essential tool for implementing powerful chosen plaintext/ciphertext attacks (CPA/CCA). However, strong plaintext sensitivity, which means that any minor changes lead to significant changes in the ciphertext, can prevent these attacks. To judge the degree of sensitivity to plaintext changes, two indicators are used: the number of pixels change rate (NPCR) and the unified average changing intensity (UACI), which are defined as follows:

$$\left\{\begin{array}{l}\mathrm{Define}: D(i,j)=\left\{\begin{array}{l}0,{\mathit{C}}_1(i,j)={\mathit{C}}_2(i,j)\\ 1,{\mathit{C}}_1(i,j)\ne {\mathit{C}}_2(i,j)\end{array}\right.\\ \mathrm{NPCR}=\frac{{\displaystyle \sum _{i=1}^H{\displaystyle \sum _{j=1}^W\mathit{D}(i,j)\times 100\%}}}{H\times W}\\ \mathrm{UACI}=\frac{{\displaystyle \sum _{i=1}^H{\displaystyle \sum _{j=1}^W\frac{\left|{\mathit{C}}_1(i,j)-{\mathit{C}}_2(i,j)\right|}{255}}}}{H\times W}\times 100\%\end{array}\right.$$

(16)

where C₁ and C₂ are two cipher images obtained from two plain images with a difference of only one pixel.

To exclude the position effect, the pixel used for making a change was randomly selected from any position and color plane of the plain image. After modifying the least significant bit of the pixel value, the average results of the 100 tests are presented in

Table 10. Results of NPCR and UACI tests (Unit: %).

Image	NPCR			UACI
	R	G	B	R	G	B
House	99.6105	99.6077	99.6076	33.4547	33.4681	33.4735
Lena	99.6082	99.6106	99.6098	33.4699	33.4574	33.4673
Mandrill	99.6081	99.6101	99.6076	33.4594	33.4537	33.4747
Peppers	99.6095	99.6092	99.6091	33.4878	33.4648	33.4501
Oakland	99.6078	99.6088	99.6086	33.4693	33.4614	33.4680
San Diego	99.6083	99.6092	99.6100	33.4636	33.4725	33.4715

. Because all results are close to the expected NPCR_E = 99.6094% and UACI_E = 33.4635%, we can confirm the robust differential attack resistance of the proposed algorithm. Furthermore, by comparison with different algorithms, as presented in

Table 11. Comparisons with other algorithms using ‘Lena’ (Unit: %).

Test	Color Plane	Ours	Ref. [43]	Ref. [45]	Ref. [46]	Ref. [47]
NPCR	R	99.6082	99.6155	99.61	99.6048	99.5943
	G	99.6106	99.6017	99.61	99.5979	99.6113
	B	99.6098	99.6048	99.62	99.6166	99.6052
UACI	R	33.4699	33.4371	33.47	33.4810	33.4866
	G	33.4574	33.5437	33.46	33.4913	33.4360
	B	33.4673	33.4260	33.48	33.4971	33.4773

, our algorithm exhibits outstanding performance.

4.6. Key Sensitivity Analysis

The session key must be the only secret information in a cryptosystem. Thus, sufficient sensitivity to changes in the session key can protect the cryptosystem from information leakage during collision attacks. Specifically, minor changes in the session key magnify the entire cipher image during encryption, and minor changes in the session key result in complete failure during decryption.

Considering image ‘Peppers’ as a test object, we obtain its SK = {7f90e746976ca763cca52557001ffff394bd518b05c007d747172c065c5e23e0}. Subsequently, based on its characteristic as presented in Section 3.1, we further split it into ten parts (SK(1:40), SK(41:80), SK(81:120), SK(121:160), SK(161:200), SK(201:240), SK(241:244), SK(245:248), SK(249:252), and SK(253:256), which are all represented as hexadecimal numbers) for the following tests.

First, the ten parts are modified to the lowest significant bit to perform ten times encryption. Subsequently, NPCR and UACI were employed again to compare their outputs with the cipher image using the original session key. As presented in

Table 12. Encryption difference between modified and original session keys (Unit: %).

Part	Original	Modified	NPCR			UACI
			R	G	B	R	G	B
1	7f90e74697	7f90e74696	99.6169	99.6155	99.6041	33.4744	33.4592	33.4821
2	6ca763cca5	6ca763cca4	99.5964	99.6029	99.6144	33.4724	33.4533	33.4794
3	2557001fff	2557001ffe	99.6107	99.6288	99.5975	33.4677	33.4578	33.4751
4	f394bd518b	f394bd518a	99.6201	99.6074	99.6231	33.4697	33.4595	33.4892
5	05c007d747	05c007d746	99.6147	99.6277	99.6044	33.4522	33.4617	33.4663
6	172c065c5e	172c065c5f	99.6078	99.6071	99.6048	33.4501	33.4752	33.4904
7	2	3	99.6101	99.6217	99.6098	33.4836	33.4522	33.4651
8	3	2	99.6052	99.6101	99.5949	33.4589	33.4903	33.4547
9	e	F	99.6089	99.5979	99.6021	33.4539	33.6217	33.4587
10	0	1	99.6036	99.6117	99.6052	33.4578	33.4706	33.4509

, even with minor changes in any part of the session key, the two contrastive cipher images are significantly different, indicating satisfactory sensitivity to the session key during encryption.

Second, we serve the above–modified session key as the wrong decryption key to decrypt the cipher image; the results are shown in Figure 12c–l, which cannot help attackers obtain any useful information at the visual level.

Additionally, NPCR and UACI tests are utilized to further evaluate the difference between the plain image and each incorrectly decrypted image. The results in

Table 13. NPCR and UACI values of decryption key sensitivity test (Unit: %).

Part	Correct	Wrong	NPCR			UACI
			R	G	B	R	G	B
1	7f90e74697	7f90e74696	99.5945	99.6037	99.6149	33.4678	33.5018	33.4714
2	6ca763cca5	6ca763cca4	99.6151	99.6127	99.6086	33.4818	33.4621	33.4613
3	2557001fff	2557001ffe	99.6056	99.6212	99.6052	33.4603	33.4519	33.4892
4	f394bd518b	f394bd518a	99.5972	99.6204	99.6101	33.4729	33.5009	33.4722
5	05c007d747	05c007d746	99.5953	99.5949	99.6170	33.5025	33.4921	33.4688
6	172c065c5e	172c065c5f	99.5968	99.5991	99.6216	33.4714	33.4657	33.4543
7	2	3	99.6251	99.6117	99.6204	33.4975	33.4869	33.4587
8	3	2	99.6166	99.6006	99.6201	33.4809	33.4504	33.5059
9	e	F	99.6258	99.6117	99.6208	33.5024	33.47.9	33.4579
10	0	1	99.6056	99.6132	99.5956	33.4560	33.4615	33.4627

illustrate that the proposed algorithm’s sufficient decryption key sensitivity can prevent any leakage of useful information when facing key collision attacks.

4.7. Key Space Analysis

In this paper, all the initial conditions of the chaotic systems were extracted from the compound of the hash value of the plain image and a 256–bit true random sequence. In the previous section, we verified the sensitivity of encryption and decryption to every bit change in the session key. Thus, the proposed algorithm can provide a 256–bit key space. Generally, the larger the key space, the safer the cryptosystem. However, an overly large key space also consumes more resources for transfer. Because the key space in this work is considerably larger than the assumed key space of 128 bits [61], we can confirm that our algorithm can resist exhaustive attacks that balance the consumption of session key transmission.

4.8. Resistance against CPA/CCA Analysis

Theoretically, an encryption algorithm can be considered adequately secure only if it can resist CPA or CCA attacks. The key point is to make the relationship between plain and cipher images as complex as possible; thus, attackers cannot obtain useful information using various tools. Images consisting of pixels with all values 0 (named ‘Black’) or 255 (named ‘White’) are always the best carriers to achieve CPA or CCA.

Figure 13 and

Table 14. Results of secure tests on images ‘Black’ and ‘White’.

Image	Color Plane	χ2 Test	NPCR(%)		UACI(%)		Entropy		Correlation Coefficient
			Plaintext	Key	Plaintext	Key	SIE	LIE	Horizontal	Vertical	Diagonal
Black	R	0.9998	99.6109	99.6151	33.4737	33.4762	7.999	7.9026	0.0002	−0.0001	−0.0014
	G	0.9885	99.6083	99.5968	33.4543	33.4553	7.999	7.9019	0.0001	−0.0018	−0.0009
	B	0.9342	99.6112	99.6120	33.4679	33.4709	7.999	7.9030	0.0008	0.0017	−0.0002
White	R	0.9980	99.6113	99.6071	33.4507	33.4591	7.999	7.9022	−0.0003	0.0023	0.0019
	G	0.9961	99.6091	99.5946	33.4876	33.4871	7.999	7.9020	−0.0024	0.0006	0.0022
	B	0.7211	99.6069	99.6094	33.4713	33.4583	7.999	7.9028	−0.0009	−0.0018	−0.0009

present the effects of all the above secure tests on images ‘Black’ and ‘White.’ As shown, after encryption by the proposed algorithm, the characteristics of the two special cipher images are the same as those of the other cipher images in every aspect. Hence, attackers have no way to achieve CPA or CCA to crack our algorithm.

Moreover, as listed in

Table 15. Comparisons of resistance against CPA/CCA.

Image	Algorithm	SIE	Correlation Coefficient
			Horizontal	Vertical	Diagonal
Black	Ours	7.9999	0.0004	−0.0001	−0.0008
	Ref. [16]	7.9993	−0.0050	−0.0019	−0.0036
	Ref. [37]	7.9972	0.1483	0.0059	0.0078
	Ref. [44]	7.9998	−0.0031	−0.0022	−0.0009
White	Ours	7.9999	−0.0012	0.0004	0.0011
	Ref. [16]	7.9994	0.0025	0.0016	−0.0057
	Ref. [37]	7.9972	0.1474	−0.0068	0.0038
	Ref. [44]	7.998	−0.0016	0.0064	0.0038

, the proposed algorithm can perform equivalently or better to resist CPA/CCA attacks by comparison with some existing algorithms.

4.9. Time Complexity Analysis

Encryption is a tradeoff between speed and security. Under normal conditions, high–strength encryption typically requires a long running time. In this paper, to resolve this paradox, we employed a vectorization technique to accelerate all the modules of the proposed algorithm except for the session key generation process. However, the session key is generally created before encryption, and its time consumption is typically not included in the overhead of a running cryptosystem.

Subsequently, the time complexities of other modules are discussed: as presented in Section 3.2, the time complexity of diffusion key generation is O(WH/2); the time complexity of scrambling key generation should be O(4W + 4H) by analyzing Section 3.3; in Section 3.4, the time complexity of the initial vector is O(3W); and, as demonstrated in Section 3.5 and Section 3.6, the time complexity of the encryption/decryption process will be only O(4W + 4H). Evidently, besides the generation of the diffusion key, every other module has a linear time complexity. Particularly because of the low time complexity of the encryption/decryption processes, our algorithm executes significantly faster than most existing algorithms, as illustrated in

Table 16. Encryption efficiency of different algorithms (Units: s).

Size	Image	Ours	Ref. [42]	Ref. [45]	Ref. [46]	Ref. [47]	Ref. [48]
256 × 256	House	0.0105	–	0.077	–	–	0.4598
	Lena	0.0113
512 × 512	Mandrill	0.0569	0.328	0.281	–	2.1274	1.7697
	Peppers	0.0571
1024 × 1024	Oakland	0.2572	–	0.944	–	–	–
	San Diego	0.2581
Time complexity of encryption process		O(4W + 4H)	O(WH)	O(2WH)	O(3WH)	O(WH)	O(WH)

, while providing sufficiently high security for digital images.

4.10. Robustness Analysis

Public communication channels often suffer from disturbances such as noise and data loss. However, unlike text data, images are still usable even with a certain degree of pollution during daily use. Therefore, the ability of an image cryptosystem to decrypt polluted cipher images is important.

Considering image ‘Lena’ as an example, we cropped 1/16, 1/8, 1/4, and 1/2 of it and then decrypted them using the correct session key. As shown in Figure 14, although some data losses occurred in the decrypted images, we can still vaguely identify them as the image ‘Lena’. The more data lost during transmission, the harder it is for the decrypted image to be recognized. Therefore, the proposed algorithm is robust to data loss during transmission on an unstable channel.

We add salt and pepper noise and Gaussian noise to image ‘Lena’ (which are two common types of noise), then decrypt them using the correct session key. As illustrated in Figure 15, the proposed algorithm can successfully recover a recognizable image regardless of whether it is polluted by different types of noise to a certain degree. Thus, we conclude that the proposed algorithm can resist slight noise pollution in vulnerable channels.

Furthermore, take image ‘Lena’ as a benchmark, PSNR (peak signal–to–noise ratio), as presented in Equation (17), of decrypted images with noise pollution or data loss are calculated to evaluate their quality.

$$\mathrm{PSNR}=10\lg \frac{255\times 255}{(1/W\times H){\displaystyle \sum _{i=1}^W{\displaystyle \sum _{j=1}^H{(\mathit{P}(i,j)-\mathit{D}(i,j))}^2}}}$$

(17)

As shown in

Table 17. PSNR results of decrypted images.

Algorithm	Lena Cipher Image Polluted by
	Salt&Peppers with Intensity of			Gaussian with Variance of			Data Loss of
	0.001	0.003	0.005	0.001	0.003	0.005	1/16	1/8	1/4	1/2
Ours	20.46	16.01	14.09	15.29	13.29	12.73	21.54	18.21	15.37	12.73
Ref. [16]	17.97	14.55	11.99	–	–	–	–	–	–	–
Ref. [28]	14.76	13.42	11.98	16.89	–	13.68	–	20.01	14.19	11.19

, the robustness of our algorithm can be compared with or is even better than previous works.

5. Conclusions

This paper presents a color–image encryption algorithm that uses a novel cross–plane joint scrambling–diffusion method. First, based on the SHA–256 function and a 256–bit external true random sequence, the session key of the proposed algorithm is sensitive to both plaintext and dynamic updates with unpredictability, and its 256–bit key space can sufficiently resist brute–force attacks. Second, two 2D hyperchaotic systems (2D–LSM and 2D–CLSS) are employed to generate the diffusion key streams. Their simple structure and strong chaotic properties can provide a fast iteration speed for producing high–quality pseudo–random sequences. However, a bitwise exclusive OR operation between two chaotic sequences can further enhance the anti–attack and statistical performances of the required diffusion key matrices. Third, the scrambling key stream and initial vector are created using 1D–SAS and 1D–IST, respectively, and are utilized to achieve and commence the joint scrambling–diffusion method. Thus, in 2D space, a vectorized diffusion process embedded with a scrambling operation can achieve fast and sufficient color–image encryption. In stage one, the three color planes of a color image are spliced in the horizontal direction. Pixels are encrypted, which are initialized by the initial vector, from the first row to the last row based on the CBC mode to accomplish diffusion, and the embedded circular shift operations on the row realize pixel scrambling between the color planes to influence the diffusion process across each color plane. After the encryption process completes the joint scrambling–diffusion method from left to right in stage two, the temporary cipher image is divided and re–spliced in the vertical direction to repeat the joint scrambling–diffusion method twice to further confuse and diffuse between each color plane. Moreover, the last row or column of the temporary cipher image servers is used as a new initial vector to begin the next encryption stage. Therefore, the final cipher image implements adequate diffusion and scrambling, whether in or between color planes, which can resist common attacks, as illustrated in the experimental results of all security tests: p-values of χ² and randomness tests are significantly higher than the significant level 0.01, results of γ_xy tests on all color planes are very close to 0, results of SIE and LIE approximate the theoretical values 8 and 7.902469317, and results of plaintext and session key sensitivity tests based on NPCR and UACI indicators are in the range of the confidence interval. Moreover, benefiting from the acceleration of the vectorization technique, almost all modules of the proposed algorithm require only linear time complexity, particularly the time complexity of O(4W + 4H) for encryption or decryption processes. Considering that our algorithm only costs 0.01 s, 0.06 s, or 0.26 s even on the MATLAB platform to encrypt a color image with a size of 256 × 256, 512 × 512, or 1024 × 1024, respectively, it can be deployed on real–time communication occasions. Finally, we believe that a continuous paper on the proposed algorithm on parallel computing systems, such as FPGAs and GPUs, will further tap its application potential in more scenarios.