*Article* **Image Encryption Using Elliptic Curves and Rossby/Drift Wave Triads**

#### **Ikram Ullah 1, Umar Hayat 1,\* and Miguel D. Bustamante 2,\***


Received: 4 March 2020; Accepted: 14 April 2020; Published: 16 April 2020

**Abstract:** We propose an image encryption scheme based on quasi-resonant Rossby/drift wave triads (related to elliptic surfaces) and Mordell elliptic curves (MECs). By defining a total order on quasi-resonant triads, at a first stage we construct quasi-resonant triads using auxiliary parameters of elliptic surfaces in order to generate pseudo-random numbers. At a second stage, we employ an MEC to construct a dynamic substitution box (S-box) for the plain image. The generated pseudo-random numbers and S-box are used to provide diffusion and confusion, respectively, in the tested image. We test the proposed scheme against well-known attacks by encrypting all gray images taken from the USC-SIPI image database. Our experimental results indicate the high security of the newly developed scheme. Finally, via extensive comparisons we show that the new scheme outperforms other popular schemes.

**Keywords:** quasi-resonant Rossby/drift wave triads; Mordell elliptic curve; pseudo-random numbers; substitution box

#### **1. Introduction**

The exchange of confidential images via the internet is usual in today's life, even though the internet is an open source that is unsafe and unauthorized persons can steal useful or sensitive information. Therefore it is essential to be able to share images in a secure way. This goal is achieved by using cryptography. Traditional cryptographic techniques such as data encryption standard (DES) and advanced encryption standard (AES) are not suitable for image transmission because image pixels are usually highly correlated [1,2]. By contrast, DES and AES are ideal techniques for text encryption [3], so researchers are trying to develop such techniques to meet the demand for reliable image delivery.

A number of image encryption schemes have been developed using different approaches [4–14]. Hua et al. [12] developed a highly secure image encryption algorithm, where pixels are shuffled via the principle of the Josephus problem and diffusion is obtained by a filtering technology. Wu et al. [13] proposed a novel image encryption scheme by combining a random fractional discrete cosine transform (RFrDCT) and the chaos-based Game of Life (GoL). In their scheme, the desired level of confusion and diffusion is achieved by GoL and an XOR operation, respectively. "Confusion" entails hiding the relation between input image, secret keys and the corresponding cipher image, and "diffusion" is an alteration of the value of each pixel in an input image [1].

One of the dominant trends in encryption techniques is chaos-based encryption [15–20]. The reason for this dominance is that the chaos-based encryption schemes are highly sensitive to the initial parameters. However, there are certain chaotic cryptosystems that exhibit a lower security level due to the usage of chaotic maps with less complex behavior (see [21]). This problem is addressed in [22] by introducing a cosine-transform-based chaotic system (CTBCS) for encrypting images with higher security. Xu et al. [23] suggested an image encryption technique based on fractional chaotic systems

and verified experimentally the higher security of the underlying cryptosystem. Ahmad et al. [24] highlighted certain defects of the above-mentioned cryptosytem by recovering the plain image without the secret key. Moreover, they proposed an enhanced scheme to thwart all kinds of attacks.

The chaos-based algorithms also use pseudo-random numbers and substitution boxes (S-boxes) to create confusion and diffusion [25,26]. Cheng et al. [25] proposed an image encryption algorithm based on pseudo-random numbers and AES S-box. The pseudo-random numbers are generated using AES S-box and chaotic tent maps. The scheme is optimized by combining the permutation and diffusion phases, but the image is encrypted in rounds, which is time consuming. Belazi et al. [26] suggested an image encryption algorithm using a new chaotic map and logistic map. The new chaotic map is used to generate a sequence of pseudo-random numbers for masking phase. Then eight dynamic S-boxes are generated. The masked image is substituted in blocks via aforementioned S-boxes. The substituted image is again masked by another pseudo-random sequence generated by the logistic map. Finally, the encrypted image is obtained by permuting the masked image. The permutation is done by a sequence generated by the map function. This algorithm fulfills the security analysis but performs slowly due to the four cryptographic phases. In [27], an image encryption method based on chaotic maps and dynamic S-boxes is proposed. The chaotic maps are used to generate the pseudo-random sequences and S-boxes. To break the correlation, pixels of an input image are permuted by the pseudo-random sequences. In a second phase the permuted image is decomposed into blocks. Then blocks are encrypted by the generated S-boxes to get the cipher image. From histogram analysis it follows that the suggested technique generates cipher images with a nonuniform distribution.

Similar to the chaotic maps, elliptic curves (ECs) are sensitive to input parameters, but EC-based cryptosystems are more secure than those of chaos [28]. Toughi et al. [29] developed a hybrid encryption algorithm using elliptic curve cryptography (ECC) and AES. The points of an EC are used to generate pseudo-random numbers and keys for encryption are acquired by applying AES to the pseudo-random numbers. The proposed algorithm gets the promising security but pseudo-random numbers are generated via the group law, which is time consuming. In [3], a cyclic EC and a chaotic map are combined to design an encryption algorithm. The developed scheme overcomes the drawbacks of small key space but is unsafe to the known-plaintext/chosen-plaintext attack [30]. Similarly, Hayat et al. [31] proposed an EC-based encryption technique. The stated scheme generates pseudo-random numbers and dynamic S-boxes in two phases, where the construction of S-box is not guaranteed for each input EC. Therefore, changing of ECs to generate an S-box is a time-consuming work. Furthermore, the generation of ECs for each input image makes it insufficient.

Based on the above discussion, we propose an improved image encryption algorithm, based on quasi-resonant Rossby/drift wave triads [32,33] (triads, for short) and Mordell elliptic curves (MECs). The triads are utilized in the generation of pseudo-random numbers and MECs are employed to create dynamic S-boxes. The proposed scheme is novel in that it introduces the technique of pseudo-random numbers generation using triads, which is faster than generating pseudo-random numbers by ECs. Moreover, the scheme does not require to separately generate triads for each input image of the same size. In the present scheme, MECs are used opposite to [31], in the sense that now, for each input image, the generation of a dynamic S-box is guaranteed [34]. Finally, extensive performance analyses and comparisons reveal the efficiency of the proposed scheme.

This paper is organized as follows. Preliminaries are described in Section 2. In Section 3, the proposed encryption algorithm is explained in detail. Section 4 provides the experimental results as well as a comparison between the proposed method and other existing popular schemes. Lastly, conclusions are presented in Section 5.

#### **2. Preliminaries**

**Barotropic vorticity equation:** The barotropic vorticity equation (in the so-called *β*-plane approximation) is one of the simplest two-dimensional models of the large-scale dynamics of a

shallow layer of fluid on the surface of a rotating sphere. It is described in mathematical terms by the partial differential equation

$$\frac{\partial}{\partial t}(\nabla^2 \psi - F\psi) + \left(\frac{\partial \psi}{\partial x}\frac{\partial \nabla^2 \psi}{\partial y} - \frac{\partial \psi}{\partial y}\frac{\partial \nabla^2 \psi}{\partial x}\right) + \gamma \frac{\partial \psi}{\partial x} = 0,\tag{1}$$

where *<sup>ψ</sup>*(*x*, *<sup>y</sup>*, *<sup>t</sup>*) ∈ R represents the geopotential height, *<sup>γ</sup>* is the Coriolis parameter, a real constant measuring the variation of the Coriolis force with latitude (*x* represents longitude and *y* represents latitude) and *F* is a non-negative real constant representing the inverse of the square of the deformation radius. We assume periodic boundary conditions: *ψ*(*x* + 2*π*, *y*, *t*) = *ψ*(*x*, *y* + 2*π*, *t*) = *ψ*(*x*, *y*, *t*) for all *<sup>x</sup>*, *<sup>y</sup>*, *<sup>t</sup>* ∈ R. In the literature Equation (1) is also known as the Charney–Hasegawa–Mima equation (CHM) [35–39]. This equation accepts harmonic solutions, known as Rossby waves, which are solutions of both the linearized form and the whole (nonlinear) form of Equation (1). A Rossby wave solution is given explicitly by the parameterized function *<sup>ψ</sup>*(*k*,*l*)(*x*, *<sup>y</sup>*, *<sup>t</sup>*) = {*<sup>A</sup>* <sup>e</sup>*i*(*kx*+*ly*−*ω*(*k*,*l*)*t*)}, where *<sup>A</sup>* <sup>∈</sup> <sup>C</sup> is an arbitrary constant, *<sup>ω</sup>*(*k*, *<sup>l</sup>*) = <sup>−</sup> *<sup>γ</sup> <sup>k</sup> <sup>k</sup>*2+*l*2+*<sup>F</sup>* is the so-called dispersion relation, and (*k*, *<sup>l</sup>*) <sup>∈</sup> <sup>Z</sup><sup>2</sup> is called the wave vector. For simplicity, we take *γ* = −1 and *F* = 0 in what follows [32,33].

**Resonant triads:** As Equation (1) is nonlinear, modes with different wave vectors tend to couple and exchange energy. If the nonlinearity is weak, this exchange happens to be quite slow and is more efficient amongst groups of modes that are in *resonance*. To the lowest order of nonlinearity in Equation (1), approximate solutions known as resonant triad solutions can be constructed via linear combinations of the form

$$\Psi(\mathbf{x}, y, t) = \Re \{ A\_1 \mathbf{e}^{i(k\_1 x + l\_1 y - \omega(k\_1 l\_1)t)} + A\_2 \mathbf{e}^{i(k\_2 x + l\_2 y - \omega(k\_2 l\_2)t)} + A\_3 \mathbf{e}^{i(k\_3 x + l\_3 y - \omega(k\_3 l\_3)t)} \}\_{\perp}$$

where *A*1, *A*2, *A*<sup>3</sup> are slow functions of time (they satisfy a closed system of ODEs, not shown here), and the wave vectors (*k*1, *l*1),(*k*2, *l*2) and (*k*3, *l*3) satisfy the Diophantine system of equations:

$$k\_1 + k\_2 = k\_3, \quad l\_1 + l\_2 = l\_3 \quad \text{and} \quad \omega\_1 + \omega\_2 = \omega\_{3\prime} \tag{2}$$

for *ω<sup>i</sup>* = *ω*(*ki*, *li*), *i* = 1, 2, 3. A set of three wavevectors satisfying Equations (2) is called a resonant triad. Solutions can be found analytically via a rational transformation to elliptic surfaces (see below).

**Quasi-resonant triads and detuning level:** If, in (2), the equation *ω*<sup>1</sup> + *ω*<sup>2</sup> = *ω*<sup>3</sup> is replaced by the inequality <sup>|</sup>*ω*<sup>1</sup> <sup>+</sup> *<sup>ω</sup>*<sup>2</sup> <sup>−</sup> *<sup>ω</sup>*3| ≤ *<sup>δ</sup>*−1, for a large positive number *<sup>δ</sup>*, then the triad becomes a quasi-resonant triad and *δ*−<sup>1</sup> is known as the detuning level of the quasi-resonant triad. It is possible to construct quasi-resonant triads via downscaling of resonant triads that have very large wave vectors [32]. For simplicity, in what follows we simply call a quasi-resonant triad a triad and denote it by Δ. Finally, to avoid over-counting of triads we will impose the condition *k*<sup>3</sup> > 0.

**Rational transformation:** In [32], wave vectors are explicitly expressed in terms of rational variables *X*,*Y* and *D* as follows:

$$\frac{k\_1}{k\_3} = \frac{X}{Y^2 + D^2}, \quad \frac{l\_1}{k\_3} = \left(\frac{X}{Y}\right)\left(1 - \frac{D}{Y^2 + D^2}\right), \quad \frac{l\_3}{k\_3} = \frac{D-1}{Y}.\tag{3}$$

In the case *F* = 0, the rational variables *X*,*Y*, *D* lie on an elliptic surface. The transformation is bijective and its inverse mapping is given by:

$$X = \frac{k\_3(k\_1^2 + l\_1^2)}{k\_1(k\_3^2 + l\_3^2)}, \quad Y = \frac{k\_3(k\_3l\_1 - k\_1l\_3)}{k\_1(k\_3^2 + l\_3^2)}, \quad D = \frac{k\_3(k\_3k\_1 - l\_1l\_3)}{k\_1(k\_3^2 + l\_3^2)}.\tag{4}$$

**New parameterization:** In [40], Kopp parameterized the resonant triads and in terms of parameters *u* and *t* it follows by [40] (Equation (1.22)) that:

$$\frac{k\_1}{k\_3} = (t^2 + u^2)(t^2 - 2u + u^2) / (1 - 2u),\tag{5}$$

$$\frac{l\_3}{k\_3} = \left( u(2u - 1) + (t^2 + u^2)(t^2 - 2u + u^2) \right) / \left( t(1 - 2u) \right),\tag{6}$$

$$\frac{l\_1}{k\_3} = (t^2 + u^2) \left( (2u - 1) + u(t^2 - 2u + u^2) \right) / \left( t(1 - 2u) \right). \tag{7}$$

In 2019, Hayat et al. [33] found a new parameterisation of *X*,*Y* and *D* in terms of auxiliary parameters *a*, *b* and hence *<sup>k</sup>*<sup>1</sup> *k*3 , *l*3 *<sup>k</sup>*<sup>3</sup> and *<sup>l</sup>*<sup>1</sup> *<sup>k</sup>*<sup>3</sup> are given by:

$$\frac{k\_1}{k\_3} = \frac{\left(a^2 + b(2 - 3b) + 1\right)^3}{(a^2 - 3b^2 - 2b + 1)\left(2(11 - 3a^2)b^2 + (a^2 + 1)^2 - 16ab + 9b^4\right)},\tag{8}$$

$$\frac{l\_3}{k\_3} = \frac{6(a^2 + a - 1)b^2 - (a+1)^2(a^2 + 1) + 4ab - 9b^4}{(a^2 - 3b^2 - 1)(a^2 - 3b^2 - 2b + 1)},\tag{9}$$

$$\frac{l\_1}{k\_3} = \frac{\left(a^2 + b(2 - 3b) + 1\right)}{\left(a^2 - 3b^2 - 1\right)\left(a^2 - 3b^2 - 2b + 1\right)\left(2(11 - 2a^2)b^2 + (a^2 + 1)^2 - 16ab + 9b^4\right)}.\tag{10}$$

$$\begin{array}{c} \times \left[a^6 + 2a^5 + a^4(-9b^2 - 6b + 3) - 4a^3(3b^2 + 2b - 1) + 3a^2(3b^2 + 2b - 1)^2 \\ + 2a(9b^4 + 12b^3 + 14b^2 - 4b + 1) - (3b^2 + 1)^2(3b^2 + 6b - 1) \end{array} \right.$$

**Elliptic curve (EC):** Let F*<sup>p</sup>* be a finite field for any prime *p*, then an EC *Ep* over F*<sup>p</sup>* is defined by

$$y^2 \equiv \mathbf{x}^3 + b\mathbf{x} + c \pmod{p},\tag{11}$$

where *<sup>b</sup>*, *<sup>c</sup>* <sup>∈</sup> <sup>F</sup>*p*. The integers *<sup>b</sup>*, *<sup>c</sup>* and *<sup>p</sup>* are called parameters of an EC. The number of all (*x*, *<sup>y</sup>*) <sup>∈</sup> <sup>F</sup><sup>2</sup> *p* satisfying the congruence (11) is denoted by #*Ep*.

**Mordell elliptic curve (MEC):** In the special but important case *b* = 0, the above EC is known as an MEC and is represented by

$$y^2 \equiv x^3 + c \pmod{p}.\tag{12}$$

For *<sup>p</sup>* <sup>≡</sup> <sup>2</sup> (mod <sup>3</sup>), there are exactly *<sup>p</sup>* <sup>+</sup> 1 points (*x*, *<sup>y</sup>*) <sup>∈</sup> <sup>F</sup><sup>2</sup> *<sup>p</sup>* satisfying the congruence (12), see [41] for further details.

If points on *Ep* are ordered according to some total order ≺ then *Ep* is said to be an ordered EC. Recall that total order is a binary relation which possesses the reflexive, antisymmetric and transitive properties. Azam et al. [42] introduced a total order known as a natural ordering on MECs given by

$$(\mathfrak{x}\_1, \mathfrak{y}\_1) \prec (\mathfrak{x}\_2, \mathfrak{y}\_2) \Leftrightarrow \begin{cases} \text{either } \mathfrak{x}\_1 < \mathfrak{x}\_2, \text{ or} \\ \mathfrak{x}\_1 = \mathfrak{x}\_2 \text{ and } \mathfrak{y}\_1 < \mathfrak{y}\_2. \end{cases}$$

and generated efficient S-boxes using the aforesaid ordering. We will use natural ordering to generate S-boxes. Thus from here on *Ep* stands for a naturally ordered MEC unless it is specified otherwise.

#### **3. The Proposed Encryption Scheme**

The proposed encryption scheme is based on pseudo-random numbers and S-boxes. The pseudo-random numbers are generated using quasi-resonant triads. To get an appropriate level of diffusion we need to properly order the Δs. For this purpose we define a binary relation - as follows.

#### *3.1. Ordering on Quasi-Resonant Triads*

Let Δ, Δ represent the triads (*ki*, *li*),(*k i* , *l i* ), *i* = 1, 2, 3, respectively, then

$$\Delta \lesssim \Delta' \Leftrightarrow \begin{cases} \text{either } a < a', \text{ or} \\ a = a' \text{ and } b < b', \text{ or} \\ a = a', b = b' \text{ and } k\_3 \le k'\_3. \end{cases}$$

where *a*, *b* and *a* , *b* are the corresponding auxiliary parameters of Δ and Δ , respectively.

**Lemma 1.** *If T denotes the set of* Δ*s in a box of size L, then is a total order on T.*

**Proof.** The reflexivity of follows from *a* = *a*, *b* = *b* and *k*<sup>3</sup> = *k*<sup>3</sup> and hence Δ - Δ. As for antisymmetry we suppose Δ - Δ and Δ - Δ. Then, by definition *a* ≤ *a* and *a* ≤ *a*, which imply *a* = *a* . Thus we are left with two results: *b* ≤ *b* and *b* ≤ *b*, which imply *b* = *b* . Thus, we obtain the results *k*<sup>3</sup> ≤ *k* <sup>3</sup> and *k* <sup>3</sup> ≤ *k*3, which ultimately give *k*<sup>3</sup> = *k* <sup>3</sup>. Solving Equations (8)–(10) for the obtained values, we get *k*<sup>1</sup> = *k* <sup>1</sup>, *l*<sup>3</sup> = *l* <sup>3</sup> and from Equation (2) it follows that *l*<sup>2</sup> = *l* <sup>2</sup>. Consequently Δ = Δ and is antisymmetric. As for transitivity, let us assume Δ - Δ and Δ - Δ. Then *a* ≤ *a* and *a* ≤ *a*, implying *a* ≤ *a*. If *a* < *a*, then transitivity follows. If *a* = *a*, then *a* = *a* too. Thus, *b* ≤ *b* and *b* ≤ *b*, so *b* ≤ *b*. If *b* < *b*, then transitivity follows. If *b* = *b*, then *b* = *b* too. Thus, *k*<sup>3</sup> ≤ *k* <sup>3</sup> and *k* <sup>3</sup> ≤ *k* <sup>3</sup> , implying *k*<sup>3</sup> ≤ *k* <sup>3</sup> and hence transitivity follows: Δ -Δ.

Let <sup>∗</sup> *T* stand for the set of Δs ordered with respect to the order -. The main steps of the proposed scheme are explained as follows.

#### *3.2. Encryption*

**A. Public parameters:** In order to exchange the useful information the sender and receiver should agree on the public parameters described as below:


Suppose that *P* represents an image of size *m* × *n* to be encrypted, and the pixels of *P* are arranged in column-wise linear ordering. Thus, for positive integer *i* ≤ *mn*, *P*(*i*) represents the *i*-th pixel value in linear ordering. Define *S*<sup>P</sup> as the sum of all pixel values of the image *P*. Then the proposed scheme chooses the secret keys in the following ways.

**B. Secret keys:** To generate confusion and diffusion in an image, the sender chooses the secret keys as follows.


by Algorithm 1 is shown in Table 1. Furthermore, the cryptographic properties of the said S-box are evaluated in Sections 4.1 and 4.2.

**Algorithm 1:** Construction of 8 × 8 S-box.

/\* *B* is a set of points (*x*, *y*) satisfying *Ep*, *B*(*i*) is *i*-th point of *B* and *yi* stands for *y*-component of point *B*(*i*). \*/ **Input :**A prime *p* ≡ 2 (mod 3) and two integers *t* and *S* such that *c* = *S* + *t* and *S* + *t* ≡ 0 (mod *p*). **Output:**An S-box *ζEp* (*p*, *t*, *S*). **<sup>1</sup>** *B* := ∅; **<sup>2</sup>** *Y* := [0,(*p* − 1)/2]; **<sup>3</sup>** *i* ← 0; **<sup>4</sup> for** *x* ∈ [0, *p* − 1] **do <sup>5</sup> for** *y* ∈ *Y* **do <sup>6</sup> if** *<sup>y</sup>*<sup>2</sup> <sup>≡</sup> *<sup>x</sup>*<sup>3</sup> <sup>+</sup> *<sup>c</sup>* (mod *<sup>p</sup>*) **then <sup>7</sup>** *i* ← *i* + 1; *B*(*i*) := (*x*, *y*); **<sup>8</sup> if** *y* = 0 **then <sup>9</sup>** *i* ← *i* + 1; *B*(*i*) := (*x*, *p* − *y*); **<sup>10</sup>** break; **<sup>11</sup>** *Y* = *Y* − {*y*}; **<sup>12</sup>** *ζEp* (*p*, *t*, *S*) = {*yi* ∈ *B*(*i*) : 0 ≤ *yi* < 256}.


The positive integers *a*1, *b*1, *a*2, *b*2, *a*3, *δ*, *L*, *S*P, *t* and *p* are secret keys. Here it is mentioned that the parameters *a*1, *b*1, *a*2, *b*2, *a*3, *δ* and *L* are used to generate *mn* triads in a box of size *L*. The generation of triads is explained step by step in Algorithm 2. These triads along with keys *S*<sup>P</sup> and *t* are used to generate the sequence *β* <sup>∗</sup> *T* (*t*, *S*P) of pseudo-random numbers.

**Algorithm 2:** Generating quasi-resonant triads.

/\* T is a set containing the Quasi-resonant triads, while *m* and *n* are the dimensions of an input image. \*/ **Input :**Three sets A*i*, *i* = 1, 2, 3, inverse detuning level *δ*, bound *L*, two positive integers *m* and *n*. **Output:**Quasi-resonant triads **<sup>1</sup>** *T* := ∅; **<sup>2</sup>** *c*<sup>1</sup> ← 0, *c*<sup>2</sup> ← 1 ; **<sup>3</sup> for** *a* ∈ A<sup>1</sup> **do <sup>4</sup> for** *b* ∈ A<sup>2</sup> **do <sup>5</sup>** *c*<sup>1</sup> ← *c*<sup>1</sup> + 1; **<sup>6</sup>** Calculate and store the values of *k* <sup>1</sup>(*c*1), *l* <sup>3</sup>(*c*1), and *l* <sup>1</sup>(*c*1) for each pair (*a*, *b*) using Equations (8)–(10). **<sup>7</sup> for** *c*<sup>2</sup> ∈ [1, *c*1] **do <sup>8</sup> for** *k*<sup>3</sup> ∈ A<sup>3</sup> **do <sup>9</sup>** *k*<sup>1</sup> = (*k* <sup>1</sup>(*c*2) ∗ *k*3), *l*<sup>3</sup> = (*l* <sup>3</sup>(*c*2) ∗ *k*3) and *l*<sup>1</sup> = (*l* <sup>1</sup>(*c*2) ∗ *k*3); **<sup>10</sup>** *<sup>k</sup>*<sup>2</sup> <sup>=</sup> *<sup>k</sup>*<sup>3</sup> <sup>−</sup> *<sup>k</sup>*1, *<sup>l</sup>*<sup>2</sup> <sup>=</sup> *<sup>l</sup>*<sup>3</sup> <sup>−</sup> *<sup>l</sup>*<sup>1</sup> and *<sup>ω</sup><sup>i</sup>* <sup>=</sup> *ki*/(*k*<sup>2</sup> *<sup>i</sup>* + *l* 2 *<sup>i</sup>* ), *i* = 1, 2, 3; **<sup>11</sup>** *ω*<sup>4</sup> = *ω*<sup>3</sup> − *ω*<sup>2</sup> − *ω*1; **<sup>12</sup> if** <sup>|</sup>*ω*4<sup>|</sup> <sup>&</sup>lt; *<sup>δ</sup>*−<sup>1</sup> *and* <sup>0</sup> <sup>&</sup>lt; <sup>|</sup>*ki*|, <sup>|</sup>*li*<sup>|</sup> <sup>&</sup>lt; *<sup>L</sup>*, *<sup>i</sup>* <sup>=</sup> 1, 2, 3 **then <sup>13</sup>** *T* := *T* ∪ {Δ}; **<sup>14</sup> if** *#T=mn* **then <sup>15</sup>** break; **<sup>16</sup>** break; **<sup>17</sup>** Sort *T* with respect to the ordering to get <sup>∗</sup> *T*.

Thus <sup>Δ</sup><sup>j</sup> represents the *<sup>j</sup>*-th triad in ordered set <sup>∗</sup> *T*. Moreover, (*kji*, *lji*), *i* = 1, 2, 3 are the components of Δ<sup>j</sup> . In Algorithm 3, the generation of *β* <sup>∗</sup> *T* (*t*, *S*P) is interpreted.

**Algorithm 3:** Generating the proposed pseudo-random sequence.

**Input :**An ordered set <sup>∗</sup> *T*, an integer *t* and a plain image *P*.

**Output:**Random numbers sequence *β* <sup>∗</sup> *T* (*t*, *S*P).


The proposed sequence *β* <sup>∗</sup> *T* (*t*, *S*P) is cryptographically a good source of pseudo-randomness because triads are highly sensitive to the auxiliary parameters (*a*, *b*) [33] and inverse detuning level *δ*. It is shown in [32] that the intricate structure of clusters formed by triads depends on the chosen *δ*, and the size of the clusters increases as the inverse detuning level increases. Moreover, the generation of triads is rapid due to the absence of modular operation.

**C. Performing diffusion.** To change the statistical properties of an input image, a diffusion process is performed. While performing the diffusion, the pixel values are changed using the sequence *β* <sup>∗</sup> *T* (*t*, *S*P). Let *M*<sup>P</sup> denote the diffused image for a plain image *P*. The proposed scheme alters the pixels of *P* according to:

$$M\_{\mathcal{P}}(i) = \beta\_{\frac{\nu}{T}}(t, \mathcal{S}\_{\mathcal{P}})(i) + P(i) \pmod{256}.\tag{13}$$

**D. Performing confusion.** A nonlinear function causes confusion in a cryptosystem, and nonlinear components are necessary for a secure data encryption scheme. The current scheme uses the dynamic S-boxes to produce the confusion in an encrypted image. If *C*<sup>P</sup> stands for the encrypted image of *P*, then confusion is performed as follows:

$$\mathbb{C}\_{\mathbf{P}}(i) = \mathbb{Z}\_{\mathbf{P}\_p}(p\_\prime t, \mathbf{S}\_\mathbf{P}) (M\_\mathbf{P}(i)). \tag{14}$$

**Lemma 2.** *If* #A*<sup>i</sup>* = *ni*, *i* = 1, 2, 3 *and p is a prime chosen for the generation of an S-box, then the time complexity of the proposed encryption scheme is max*{O(*n*1*n*2*n*3), *<sup>p</sup>*2}*.*

**Proof.** The computation of all possible values of *k* 1, *l* <sup>3</sup> and *l* <sup>1</sup> in Algorithm 2 takes O(*n*1*n*2) time. Similarly the time complexity for generating <sup>∗</sup> *T* is O(*c*1*n*3) but *c*<sup>1</sup> executes *n*1*n*<sup>2</sup> times. Thus the time required by <sup>∗</sup> *T* and hence by *β* <sup>∗</sup> *T* (*t*, *S*P) is O(*n*1*n*2*n*3). Additionally, Algorithm 1 shows that the proposed S-box can be constructed in <sup>O</sup>(*p*2) time. Thus the time complexity of the proposed scheme is max{O(*n*1*n*2*n*3), *<sup>p</sup>*2}.

**Example 1.** *In order to have a clear picture of the proposed cryptosystem, we explain the whole procedure using the following hypothetical* 4 × 4 *image. For example, let I represent the plain image of Lena*256×256*, and let P be the subimage of I consisting of the intersection of the first four rows and the first four columns of I as shown in Table 2, whereas the column-wise linearly ordered image P is shown in Table 3.*

**Table 2.** Plain image *P*.


**Table 3.** Linear ordering of image *P*.


We have *S*<sup>P</sup> = 2589 and *c* = 247 and the values of other parameters are described in Section 4.3. The corresponding 16 triads are obtained by Algorithm 2 as shown in Table 4.

**Table 4.** The corresponding set <sup>∗</sup> *T* for image *P*.


From *S*<sup>P</sup> = 2589 and *t* = 2, it follows that *r* = 1295 and hence by application of Algorithm 3 the terms of *β* <sup>∗</sup> *T* (2, 2589) are listed in Table 5. Moreover, the S-box *ζE*<sup>293</sup> (293, 2, 2589) is constructed by Algorithm 1, giving the mapping *ζE*<sup>293</sup> (293, 2, 2589) : {0, 1, ... , 255}→{0, 1, ... , 255}, which maps the list (0, ... , 255) to the list

(80, 213, 29, 113, 180, 2, 119, 174, 10, 103, 190, 120, 173, 99, 194, 126, 167, 42, 251, 78, 215, 84, 209, 93, 200, 130, 163, 32, 17, 117, 176, 62, 231, 110, 183, 56, 237, 75, 218, 127, 166, 73, 220, 13, 91, 202, 28, 129, 164, 118, 175, 69, 224, 50, 243, 100, 193, 137, 156, 89, 204, 12, 63, 230, 74, 219, 4, 131, 162, 134, 159, 123, 170, 90, 203, 70, 223, 87, 206, 59, 234, 145, 148, 58, 235, 57, 236, 65, 228, 15, 112, 181, 52, 241, 76, 217, 60, 233, 121, 172, 68, 225, 51, 242, 135, 158, 41, 252, 21, 142, 151, 26, 25, 40, 253, 96, 197, 136, 157, 9, 116, 177, 122, 171, 45, 248, 115, 178, 102, 191, 67, 226, 95, 198, 143, 150, 133, 160, 98, 195, 3, 94, 199, 30, 104, 189, 132, 161, 8, 64, 229, 144, 149, 140, 153, 14, 85, 208, 20, 6, 109, 184, 125, 168, 92, 201, 19, 53, 240, 31, 66, 227, 35, 82, 211, 108, 185, 139, 154, 33, 16, 86, 207, 128, 165, 5, 71, 222, 38, 255, 23, 0, 81, 212, 1, 141, 152, 111, 182, 138, 155, 49, 244, 22, 106, 187, 105, 188, 36, 54, 239, 46, 247, 43, 250, 97, 196, 27, 11, 24, 44, 249, 83, 210, 61, 232, 39, 254, 7, 72, 221, 77, 216, 47, 246, 107, 186, 48, 245, 55, 238, 124169, 34, 79, 214, 88, 205, 114, 179, 37, 18, 146, 147, 101, 192).


**Table 5.** Pseudo-random sequence for plain image *P*.

Hence by the respective application of Equation (13) and the S-box *ζE*<sup>293</sup> (293, 2, 2589), the pixel values of diffused image *M*<sup>P</sup> and encrypted image *C*<sup>P</sup> are shown in Tables 6 and 7, respectively.

**Table 6.** Diffused image *M*P.



#### *3.3. Decryption*

In our scheme the decryption process can take place by reversing the operations of the encryption process. One should know the inverse S-box *ζ*−<sup>1</sup> *Ep* (*n*, *t*, *S*P) and the pseudo-random numbers *β* <sup>∗</sup> *T* (*t*, *S*P). Assume the situation when the secret keys *a*1, *b*1, *a*2, *b*2, *a*3, *δ*, *L*, *S*P, *t* and *p* are transmitted by a secure channel, so that the set <sup>∗</sup> *T* is obtained using keys *a*1, *b*1, *a*2, *b*2, *a*3, *δ* and *L*, and hence the S-box *ζ*−<sup>1</sup> *Ep* (*p*, *t*, *S*P) and the pseudo-random numbers *β* <sup>∗</sup> *T* (*t*, *S*P) can be computed by *S*P, *t* and *p*. Finally, the receiver gets the original image *P* by applying the following equations:

$$M\_{\rm P}(i) = \mathbb{Z}\_{E\_p}^{-1}(p, t, \mathbf{S}\_{\rm P}) (\mathbb{C}\_{\rm P}(i)),\tag{15}$$

$$P(i) = M\_P(i) - \beta\_{\frac{\nu}{T}}(t, S\_P)(i) \pmod{256}.\tag{16}$$

#### **4. Security Analysis**

In this section the cryptographic strength of both the S-box construction technique and encryption scheme are analyzed in detail.

#### *4.1. Evaluation of the Designed S-Box*

An S-box with good cryptographic properties ensures the quality of an encryption technique. Generally, some standard tests such as nonlinearity (NL), linear approximation probability (LAP), strict avalanche criterion (SAC), bit independence criterion (BIC) and differential approximation probability (DAP) are used to evaluate the cryptographic strength of an S-box.

The NL [43] and the LAP [44] are outstanding features of an S-box, used to measure the resistance against linear attacks. The NL measures the level of nonlinearity and the LAP finds the maximum imbalance value of an S-box. The optimal value of the nonlinearity is 112. A low value of LAP corresponds to a high resistance. The minimum NL and the LAP values for the displayed S-box are 106 and 0.1484, respectively. This ensures that the proposed S-box is immune to linear attacks. Webster and Tavares [45] developed the concepts of the SAC and the BIC, which are used to find the confusion and diffusion creation potential of an S-box. In other words, the SAC criterion measures the change in output bits when an input bit is altered. Similarly, the BIC criterion explores the correlation in output bits when change in a single input bit occurs. The average values of the SAC and the BIC for the constructed S-box are 0.4951 and 0.4988, respectively, which are close to the optimal value 0.5. Thus, both tests are satisfied by the suggested S-box. The DAP [46] is another important feature used to analyze the capability of an S-box against differential attacks. The lowest value of DAP for an S-box implies the highest security to the differential attacks. Our DAP result is 0.0234, which is good enough to resist differential cryptanalysts.

#### *4.2. Performance Comparison of the S-Box Generation Algorithm*

After performing the rigorous analyses, the S-box constructed by the current algorithm is compared with some cryptographically strong S-boxes developed by recent schemes, as shown in Table 8.


**Table 8.** Comparison table of the proposed S-box *ζE*<sup>1607</sup> (1607, 182, 0).

From Table 8 it follows that the NL of *ζE*<sup>1607</sup> (1607, 182, 0) is greater than the S-boxes in [31,47–50,52–54], equal to that of [51] and less than the S-box developed in [55], which indicates that *ζE*<sup>1607</sup> (1607, 182, 0) is highly nonlinear in comparison to the S-boxes in [31,47–50,52–54]. Additionally, the LAP of *ζE*<sup>1607</sup> (1607, 182, 0) is comparable to all the S-boxes in Table 8. The SAC (average) value of *ζE*<sup>1607</sup> (1607, 182, 0) is greater than the S-boxes in [51,54], and the SAC (max) value is less than or equal to the S-boxes in [31,47,50–53]. Similarly the BIC (min) value of *ζE*<sup>1607</sup> (1607, 182, 0) is closer to the optimal value 0.5 than that of [31,47,48,50,51,53–55], and the BIC (max) value of the new S-box is better than that of the S-boxes in [31,49–55]. Thus the confusion/diffusion creation capability of *ζE*<sup>1607</sup> (1607, 182, 0) is better than [31,50–53,55]. The DAP value of our suggested S-box *ζE*<sup>1607</sup> (1607, 182, 0) is lower than the DAP of the S-boxes presented in [31,48,50,53,54] and equal to that of [47,49,51,52,55]. Thus from the above discussion it follows that the newly designed S-box shows high resistance to linear as well as differential attacks.

#### *4.3. Evaluation of the Proposed Encryption Technique*

In this section the current scheme is implemented on all gray images of the USC-SIPI Image Database [56]. The USC-SIPI database contains images of size *m* × *m*, *m* = 256,512,1024. Furthermore, some security analyses that are explained one by one in the associated subsections are presented. To validate the quality of the proposed scheme, the experimental results are compared with some other encryption schemes. The parameters used for the experiments are *A*<sup>1</sup> = *A*<sup>2</sup> = −1.0541, *A*<sup>3</sup> = 401, *B*<sup>1</sup> = *B*<sup>2</sup> = −0.8514 and *B*<sup>3</sup> = 691, 3036, 5071 for *m* = 256,512,1024, respectively; *a*<sup>1</sup> = 2, *b*<sup>1</sup> = 1000, *a*<sup>2</sup> = 19, *b*<sup>2</sup> = 1000, *a*<sup>3</sup> = 5, *δ* = 1000,*t* = 2, *p* = 293, *L* = 90,000 and *S*<sup>P</sup> varies for each *P*. The experiments were performed using Matlab R2016a on a personal computer with a 1.8 GHz Processor and 6 GB RAM. All encrypted images of the database along with histograms are available at [57]. Some plain images, House256×256, Stream512×512, Boat512×<sup>512</sup> and Male1024×<sup>1024</sup> and their cipher images are displayed in Figure 1.

(**e**) (**f**) (**g**) (**h**) **Figure 1.** (**a**–**d**) Plain images House, Stream, Boat and Male; (**e**–**h**) cipher images of the plain images (**a**–**d**), respectively.

4.3.1. Statistical Attack

A cryptosystem is said to be secure if it has high resistance against statistical attacks. The strength of resistance against statistical attacks is measured by entropy, correlation and histogram tests. All of these tests are applied to evaluate the performance of the discussed scheme.

(1) Histogram. A histogram is a graphical way to display the frequency distribution of pixel values of an image. A secure cryptosystem generates cipher images with uniform histograms. The histograms of the encrypted images using the proposed method are available at [57]. However, the respective histograms for the images in Figure 1 are shown in Figure 2. The histograms of the encrypted images are almost uniform. Moreover, the histogram of an encrypted image is totally different from that of the respective plain image, so that it does not allow useful information to the adversaries, and the proposed algorithm can resist any statistical attack.

(2) Entropy. Entropy is a standout feature to measure the disorder. Let *I* be a source of information over a set of symbols *N*. Then the entropy of *I* is defined by:

$$\mathcal{H}(I) = \sum\_{i=1}^{\#N} p(I\_i) \log\_2 \frac{1}{p(I\_i)},\tag{17}$$

where *p*(*Ii*) is the probability of occurrence of symbol *i*. The ideal value of H(*I*) is log2(#*N*), if all symbols of *N* occur in *I* with the same probability. Thus, an image *I* emanating 256 gray levels is highly random if H(*I*) is close to 8 (notice, however, that this definition of entropy does not take into account pixel correlations). The entropy results for all images encrypted by the suggested technique are shown in Figure 3, where the minimum, average and maximum values are 7.9966, 7.9986 and 7.9999, respectively. These results are close to 8, and hence the developed mechanism is secure against entropy attacks.

(3) Pixel correlation. A meaningful image has strong correlation among the adjacent pixels. In fact, a good cryptosystem has the ability to break the pixel correlation and bring it close to zero. For any two gray values *x* and *y*, the pixel correlation can be computed as:

$$C\_{xy} = \frac{E\left[ (\mathbf{x} - E[\mathbf{x}])(y - E[y]) \right]}{\sqrt{K[\mathbf{x}]K[y]}},\tag{18}$$

where *E*[*x*] and *K*[*x*] denote expectation and variance of *x*, respectively. The range of *Cxy* is −1 to 1. The gray values *x* and *y* are in low correlation if *Cxy* is close to zero. As the pixels may be adjacent in horizontal, diagonal and vertical directions, the correlation coefficients of all encrypted images along all three directions are shown in Figure 3, where the respective ranges of *Cxy* are [−0.0078, 0.0131], [−0.0092,0.0080] and [−0.0100,0.0513]. These results show that the presented method is capable of reducing the pixel correlation near to zero.

In addition, 2000 pairs of adjacent pixels of the plain image and cipher image of Lena512×<sup>512</sup> are randomly selected. Then correlation distributions of the adjacent pixels in all three directions are shown in Figure 4, which reveals the strong pixel correlation in the plain image but a weak pixel correlation in the cipher image generated by the current scheme.

**Figure 3.** (**a**–**c**) The horizontal, diagonal and vertical correlations among pixels of each image in USC-SIPI database; (**d**) the entropy of each image in USC-SIPI database.

**Figure 4.** (**b**–**d**) The distribution of pixels of the plane image (**a**) in the horizontal, diagonal and vertical directions; (**f**–**h**) the distribution of pixels of the cipher image (**e**) in the horizontal, diagonal and vertical directions.

#### 4.3.2. Differential Attack

In differential attacks the opponents try to get the secret keys by studying the relation between the plain image and cipher image. Normally attackers encrypt two images by applying a small change to these images, then compare the properties of the corresponding cipher images. If a minor change in the original image can cause a significant change in the encrypted image, then the cryptosystem has a high security level. The two tests NPCR (number of pixels change rate) and UACI (unified average changing intensity) are usually used to describe the security level against differential attacks. For two plain images *P* and *P* different at only one pixel value, let *C*<sup>P</sup> and *C*P be the cipher images of *P* and *P* , respectively, then NPCR and UACI are calculated as:

$$\text{NPCR} = \sum\_{u=1}^{m} \sum\_{v=1}^{n} \frac{\tau(u, v)}{m \times n},\tag{19}$$

$$\text{UACI} = \sum\_{\boldsymbol{\nu}=1}^{m} \sum\_{\boldsymbol{\nu}=1}^{n} \frac{|\mathbb{C}\_{\mathbb{P}}(\boldsymbol{\mu}, \boldsymbol{\upsilon}) - \mathbb{C}\_{\mathbb{P}'}(\boldsymbol{\mu}, \boldsymbol{\upsilon})|}{255 \times m \times n},\tag{20}$$

where *τ*(*u*, *v*) = 0 if *C*P(*u*, *v*) = *C*P(*u*, *v*) and *τ*(*u*, *v*) = 1, otherwise. The expected values of NPCR and UACI for 8-bit images are 0.996094 and 0.334635, respectively [13]. We applied the above two tests to each image of the database by randomly changing the pixel value of each image. The experimental results are shown in Figure 5, giving average values of NPCR and UACI of 0.9961 and 0.3334, respectively. It follows from the obtained results that our scheme is capable of resisting a differential attack.

**Figure 5.** (**a**,**b**) The NPCR and UACI results for each image in the USC-SIPI database; (**c**) First 256 pseudo-random numbers and (**d**) two S-boxes generated for Lena512×<sup>512</sup> with a small change in an input key *t*.

4.3.3. Key Analysis

For a secure cryptosystem it is essential to perform well against key attacks. A cryptosystem is highly secure against key attacks if it has key sensitivity and large key space and strongly opposes the known-plaintext/chosen-plaintext attack. The proposed scheme is analyzed against key attacks as follows.

(1) Key sensitivity. Attackers usually use slightly different keys to encrypt a plain image and then compare the obtained cipher image with the original cipher image to get the actual keys. Thus, high key sensitivity is essential for higher security. That is, cipher images of a plain image generated by two slightly different keys should be entirely different. The difference of the cipher images is quantified by Equations (19) and (20). In experiments we encrypted the whole database by changing only one key, while other keys remain unchanged. The key sensitivity results are shown in Table 9, where the average values of NPCR and UACI are 0.9960 and 0.3341, respectively, which specify the remarkable difference in the cipher images. Moreover, our cryptosytem is based on the pseudo-random numbers and S-boxes. The sensitivity of pseudo-random numbers sequences *β* <sup>∗</sup> *T* (2, *S*P) and *β* <sup>∗</sup> *T* (1, *S*P) and S-boxes *ζEp* (*p*, 2, *S*P) and *ζEp* (*p*, 1, *S*P) for Lena512×<sup>512</sup> is shown in Figure 5.

**Table 9.** Difference between two encrypted images when key *t* = 2 is changed to *t* = 1. NPCR: number of pixels change rate; UACI: unified average changing intensity.



images are significantly randomized. Thus the proposed system is capable of preventing the above mentioned attacks.

**Table 10.** Security analysis of all-white/black encrypted images by the proposed encryption technique.


#### *4.4. Comparison and Discussion*

Apart from security analyses, the proposed scheme is compared with some well-known image encryption techniques. The gray scale images of Lena256×<sup>256</sup> and Lena512×<sup>512</sup> are encrypted using the presented method, and experimental results are listed in Table 11.

**Table 11.** Comparison of the proposed encryption scheme with several existing cryptosystems for image Lena*m*×*m*, *m* = 256,512.


It is deduced that our scheme generates cipher images with comparable security. Furthermore, we remark that the scheme in [29] generates pseudo-random numbers using group law on EC, while the proposed method generates pseudo-random numbers by constructing triads using auxiliary parameters of elliptic surfaces. Group law consists of many operations, which makes the pseudo-random number generation process slower than the one we present here. The scheme in [26] decomposes an image to eight blocks and uses dynamic S-boxes for encryption purposes. The computation of multiple S-boxes takes more time than computing only one S-box. Similarly the techniques in [2,27] use a set of S-boxes and encrypt an image in blocks, while our newly developed scheme encrypts the whole image using only one dynamic S-box. Thus, our scheme is faster than the schemes in [2,27]. The security system in [61] uses a chaotic system to encrypt blocks of an image. The results in Table 11 reveal that our proposed system is cryptographically stronger than

the scheme in [61]. The algorithms in [3,59] combine chaotic systems and different ECs to encrypt images. It follows from Table 11 that the security level of our scheme is comparable to that of the schemes in [3,59]. The technique in [60] uses double chaos along with DNA coding to get good results, as shown in Table 11, but the results obtained by the new scheme are better than that of [60]. Similarly the technique in [31] encrypts images using ECs but does not guarantee an S-box for each set of input parameters, thus making our scheme faster and more robust than the scheme developed in [31].

Furthermore, the following facts put our scheme in a favorable position:


#### **5. Conclusions**

An image encryption scheme based on quasi-resonant triads and MECs was introduced. The proposed technique constructs triads to generate pseudo-random numbers and computes an MEC to construct an S-box for each input image. The pseudo-random numbers and S-box are then used for altering and scrambling the pixels of the plain image, respectively. As for the advantages of our proposed method, firstly triads are based on auxiliary parameters of elliptic surfaces, and thus pseudo-random numbers and S-boxes generated by our method are highly sensitive to the plain image, which prevents adversaries from initiating any successful attack. Secondly, generation of triads using auxiliary parameters of elliptic surfaces consumes less time than computing points on ECs (we find a 4x speed increase for a range of image resolutions *m* ∈ [128, 512]), which makes the new encryption system relatively faster. Thirdly, our algorithm generates the cipher images with an appropriate security level.

In summary, all of the above analyses imply that the presented scheme is able to resist all attacks. It has high encryption efficiency and less time complexity than some of the existing techniques. In the future, the current scheme will be further optimized by means of new ideas to construct the S-boxes using the constructed triads, so that we will not need to compute an MEC for each input image.

**Author Contributions:** All authors contributed equally to this work. All authors have read and agree to the published version of the manuscript.

**Funding:** This research is funded through the HEC project NRPU-7433.

**Acknowledgments:** We thank Gene Kopp for useful comments and suggestions.

**Conflicts of Interest:** The authors declare no conflict of interest. The funding sponsors had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, and in the decision to publish the results.

#### **Abbreviations**

The following abbreviations are used in this manuscript:

MEC Mordell elliptic curve S-box Substitution box

EC Elliptic curves

#### **References**

1. Mahmud, M.; Lee, M.; Choi, J.Y. Evolutionary-Based Image Encryption using RNA Codons Truth Table. *Optics Laser Technol.* **2020**, *121*, 105818. [CrossRef]


c 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
