A Symmetric Plaintext-Related Color Image Encryption System Based on Bit Permutation

Recently, a variety of chaos-based image encryption algorithms adopting the traditional permutation-diffusion structure have been suggested. Most of these algorithms cannot efficiently resist the powerful chosen-plaintext and chosen-ciphertext attacks because of their low sensitivity to the plain-image. This paper presents a symmetric color image encryption system based on a plaintext-related random access bit-permutation mechanism (PRRABPM). In the proposed scheme, a new random access bit-permutation mechanism is used to shuffle the 3D bit matrix transformed from an original color image, making the RGB components of the color image interact with each other. Furthermore, the key streams used in the random access bit-permutation mechanism are extremely dependent on the plain image in an ingenious way. Therefore, the encryption system is sensitive to tiny differences in the key and the original image, which means that it can efficiently resist chosen-plaintext and chosen-ciphertext attacks. In the diffusion stage, the previous encrypted pixel is used to encrypt the current pixel. The simulation results show that even though the permutation-diffusion operation in our encryption scheme is performed only one time, the proposed algorithm has favorable security performance. Considering real-time applications, the encryption speed can be further improved.


Introduction
With the dramatic development of Internet technology, a great deal of sensitive information conveyed by digital images has been transmitted over public networks. The security problems of image transmission have become increasingly serious, especially for those related to confidential, medical, military, or commercial affairs. However, since digital images have some inherent characteristics (e.g., high redundancy, large data capacity, and strong correlation between adjacent pixels), the traditional block ciphers like Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), Advanced Encryption Standard (AES), RSA (Rivest-Shamir-Adleman), etc. do not have high performance. In recent years, chaotic maps have been used in image encryption, which have benefited from their excellent properties, such as strong ergodicity as well as sensitivity to initial conditions and control parameters. As early as 1989, Matthew suggested the use of logistic maps to generate pseudo-random numbers, which can be used to encrypt messages [1]. In 1998, a new symmetric block encryption scheme proposed by Fridrich [2] drew a great deal of attention. The architecture is similar to the one Shannon introduced in [3], which includes a pixel-level permutation-diffusion structure. In the permutation stage, the pixel position is scrambled to disturb the strong correlation between two adjacent pixels of the original image, but the pixel's statistical

Table 1. Some approaches to the cryptanalysis of permutation-diffusion structure-based image ciphers.

Schemes | Cryptanalyzed by | Attacks Employed
Gao et al. (2008) [4] | Rhouma et al. (2014) [27] | chosen plaintext and ciphertext
Mirzaei et al. (2012) [5] | Wang et al. (2013) [28] | chosen-plaintext
Parvin et al. (2016) [7] | Norouzi et al. (2016) [29] | chosen-plaintext
Wang et al. (2012) [10] | Li et al. (2012) [30] | chosen-plaintext
Pak et al. (2017) [17] | Wang et al. (2018) [31] | chosen-plaintext
Zhu et al. (2011) [19] | Zhang et al. (2014) [32] | chosen plaintext and ciphertext
Zhang et al. (2016) [26] | Wu et al. (2018) [33] | chosen-plaintext

More recently, in order to resist the powerful chosen-plaintext and chosen-ciphertext attacks, plaintext-related image encryption schemes have been proposed [12,23,34-41]. In some algorithms, the previous encrypted pixel is used to encrypt the current pixel, and after several rounds of processing in the diffusion stage, the information of one pixel in the plain-image can be spread into the entire cipher image [23,35,36]. In some other image encryption systems [12,23,35-39], the key streams for encryption are related to the plain images. For instance, in [38], the initial state conditions of the chaotic maps are extremely dependent on the plain image, so the generated key streams are highly sensitive to the original pictures to resist known/chosen plaintext attacks. In [39], Liu et al. presented a fast image encryption algorithm. In the scheme, the iteration values of 2D-SIMM are influenced by the encrypted pixel value, and the step size of the cyclic shift and the secret key for substitution will be different with different images. Therefore, the designed algorithm can resist known-plaintext and chosen-plaintext attacks. A chaos-based color image encryption algorithm was proposed in [41], in which the color image is converted into three bit-level images that are combined into one bit-level image. Then, only the permutation operation is performed to encrypt the integrated bit-level image to reduce the execution time.
Some of the plaintext-related algorithms mentioned above have small key spaces, long encryption times, or insufficient security to resist powerful known/chosen plaintext attacks. For instance, the encryption algorithm presented in [34] was cryptanalyzed and broken with a chosen-plaintext attack in [42].
Based on the analysis above, this paper presents a new symmetric color image encryption system based on a plaintext-related random access bit-permutation mechanism (PRRABPM). Our encryption system has the following features:
(1) For color image encryption, bit-level permutation-based encryption algorithms have the advantage that they can achieve interaction between the RGB components in the scrambling phase, which can improve the security of encryption. So, this paper proposes a new random access bit-permutation mechanism in the permutation stage, which can obtain a good permutation effect and mask the statistical properties of the original image even though the diffusion key or diffusion sequence is cracked.
(2) In order to obtain high plain sensitivity and key sensitivity, the key streams used in the random access bit-permutation mechanism are extremely dependent on the plain image in an ingenious way. Therefore, the encryption system is sensitive to tiny differences in the key and the original image, which means that it can efficiently resist chosen-plaintext and chosen-ciphertext attacks.
(3) Not only color images but also gray images of any size can be encrypted by our encryption scheme.
(4) Owing to the excellent performance of the PRRABPM used in the permutation stage, the permutation-diffusion operation in our encryption scheme is performed only once.
The structure of this paper is as follows. Section 2 briefly reviews the chaotic maps used in this paper: tent map, Chebyshev map, and piecewise linear map. Section 3 proposes a plaintext-related random access bit permutation mechanism (PRRABPM). In Section 4, we evaluate the performance of the new algorithm and show the results of simulation and analysis. The last section gives a conclusion.

The Involved Chaotic Systems
One-dimensional chaotic systems, which have the advantages of simple structure and easy realization, are an ideal choice for fast encryption of large-capacity data. In this section, three 1D chaotic maps for our new chaotic encryption scheme are briefly discussed: tent map, Chebyshev map, and piecewise linear map.

Tent Map
A chaotic tent map (CTM) is a piecewise linear map which can be defined as:
where $u \in (0, 4]$ and $x_n \in (0, 1)$ is the output chaotic sequence. The chaotic sequence generated by the chaotic map is used for confusing and diffusing the pixels or bits of the original image. To a large extent, the uniform level of the output chaotic sequence determines the security of the encryption system. Bifurcation analysis and Lyapunov exponent analysis are often used to measure the chaotic property of the chaotic system. As shown in Figure 1a, the tent map has a chaotic behavior when parameter $u \in (2, 4]$.

Chebyshev Map
The Chebyshev map has similar chaotic behavior to the tent map. The expression of the Chebyshev map is:

$x_{n+1} = F_2(x_n, a) = \cos(a \times \arccos x_n)$,

where $x_n \in [-1, 1]$ is the output chaotic sequence, $a \in N$ is the parameter, and $x_0$ is the initial value of the sequence, which can be viewed as the secret key in our proposed algorithm. When $a \geq 2$, the bifurcation behavior of the Chebyshev system enters a chaotic state and the Lyapunov exponent of the Chebyshev map is positive, as shown in Figure 1b.

Piecewise Linear Map
The piecewise linear chaotic map (PWLCM) is a famous 1D chaotic map composed of multiple linear segments. The PWLCM is defined by the following equation:
where $x_n \in (0, 1)$ is the output chaotic sequence and p is the control parameter satisfying $p \in (0, 0.5)$.
The parameter p can serve as a key, as the PWLCM system is chaotic and has few periodic windows in its bifurcation diagram in the whole range of the parameter [43]. For a uniform invariant distribution and excellent ergodicity, the PWLCM chaotic map is employed in the proposed algorithm with a given initial value $x_0$ and control parameter p. The bifurcation diagram and Lyapunov exponent diagram of the PWLCM are shown in Figure 1c.

New Image Encryption Algorithm
In this section, we propose a new image encryption algorithm. A block diagram of the proposed image encryption system is shown in Figure 2. Color images with RGB components can be viewed as a 3D matrix with size M × N × 3. Each component in RGB components can be represented by an 8-bit binary. The value of the pixel at coordinate (x, y, z) is denoted as As shown in Figure 3, color images can be transformed into a 3D bit matrix (width, height, and bit-length

Permutation Stage of the Encryption System Using PRRABPM
Step 1: Decompose the M × N original color image into 24 bit-planes with size M × N. As illustrated in Figure 3, the 24 bit-planes are transformed into a 3D bit matrix, denoted as $P_{24bit}$. The lowest bit-planes ($R_{p1}$, $G_{p1}$, $B_{p1}$) of the RGB components are picked out of the 3D matrix $P_{24bit}$. The remaining bit-planes are used to form $P_{21bit}$, as illustrated in Figure 4a.
Step 2: The sequences X1, Y1, and Z1 used in PRRABPM are obtained in Steps 2 and 3 by sorting and searching operations. Iterate the tent map in Equation (1), the Chebyshev map in Equation (2), and the PWLCM in Equation (3) $(3M/2 + N_0)$, $(3N/2 + N_0)$, and $(45 + N_0)$ times, respectively. The first $N_0$ elements are discarded to avoid the harmful effects. Then, three new sequences $X_1$, $Y_1$, $Z_1$ are obtained with sizes 3M/2, 3N/2, and 45, given as
$N_0$ is a constant and can serve as the security key. The parameters of the three chaotic maps are defined as u = 3.999998, a = 4, and p = 0.256, respectively. Note that these three parameters are not used as security keys.
Step 3: Take the first M, N and 21 elements of the sequences $X_1$, $Y_1$, $Z_1$ to form three new sequences
Then, the three sequences are sorted in ascending order to obtain the sorted sequences $X_{2s}$, $Y_{2s}$, $Z_{2s}$. By using the sequence $X_{2s}$ and the corresponding original sequence $X_2$, the sequence X1 mapping to the width of the matrix $P_{21bit}$ can be obtained. The specific approach is that if the i-th element value in $X_2$ is equal to the j-th element value in $X_{2s}$, the i-th element value in X1 is j. Similarly, by using the sequences $Y_{2s}$, $Y_2$ and $Z_{2s}$, $Z_2$, the other two sequences Y1, Z1 mapping to the height and bit-length of the matrix can be obtained, respectively, given by
Step 4: Obtain another three sequences X2, Y2, and Z2 with the sizes M, N, and 21 used in PRRABPM in Step 4 by sorting and searching operations. The generation of the sequences X2 and Y2 is extremely dependent on the plain image in an ingenious way. The three sequences are mapped to the width, height, and bit-length of the permuted bit matrix $P_{21bit\_p}$, which is illustrated in Figure 4b. The specific approach using the plaintext-related algorithm can be described as follows:
(1) Calculating the sum of the elements in $R_{p1}$, $G_{p1}$, $B_{p1}$, and $P_{24bit}$, respectively, one can get
(2) Calculating the values of the parameters num1 and num2, respectively, one can get
If all the values of $sum_{R1}$, $sum_{G1}$, and $sum_{B1}$ are zero, the values of num1 and num2 are set to $M/2$ and $N/2$, respectively.
(3) Obtain the sequences $X_3$, $Y_3$, $Z_3$ with sizes M, N, and 21, given by:
and then, by way of Step 3, the sequences X2, Y2, Z2 can be obtained using the sequences
Step 5: Permute the three 2D bit matrices $R_{p1}$, $G_{p1}$, and $B_{p1}$ independently. The permutation equations can be described as
where i = 1, 2, ..., M; j = 1, 2, ..., N and $R_{p1}$, $G_{p1}$, $B_{p1}$ are the permuted bit matrices.
Step 6: Permute the 3D bit matrix $P_{21bit}$ using PRRABPM, given by
where i = 1, 2, ..., M; j = 1, 2, ..., N; k = 1, 2, ..., 21. According to Equation (18) and Figure 4, the sequences X1, Y1, Z1 are used to access the bit elements in $P_{21bit}$ randomly and the sequences X2, Y2, Z2 are used to permute the bit positions in $P_{21bit\_p}$.
Step 7: In order to obtain good permutation performance and make the RGB components of the color image interact with each other more sufficiently, the permuted 2D bit matrices R
The bit matrix $B_{p1}$ is added to the bit-plane between the (K1 − 1)-th and the K1-th bit-plane of $P_{21bit\_p}$. Similarly, the bit matrix $R_{p1}$ is added to the bit-plane between the (K2 − 1)-th and the K2-th bit-plane, and the bit matrix $G_{p1}$ is added between the (K3 − 1)-th and the K3-th bit-planes.
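Steps 2, 3 and 6 as a runnable sketch, added here and not taken from the paper's code; it shows the sort-and-search index generation, the two-triple bit permutation and its inverse on a constructed bit matrix. Assumptions: the Chebyshev map drives all three axes, Equation (18) is assumed to have the form `out[X2[i]][Y2[j]][Z2[k]] = in[X1[i]][Y1[j]][Z1[k]]`, and the window offset taken from the bit sum is a hypothetical stand-in for num1/num2; indices are 0-based and the separate handling of the lowest bit-planes is left out.

```python
import math

KEY = (0.22521231547896, 0.58749654123587, 0.98564123475621)  # initial values quoted on the page
N0 = 2000                                                     # discarded iterations (page value)


def chebyshev_stream(x0, length, n0, a=4):
    """Iterate x_{n+1} = cos(a * arccos(x_n)) and drop the first n0 outputs (Step 2)."""
    x, out = x0, []
    for n in range(n0 + length):
        x = math.cos(a * math.acos(x))
        if n >= n0:
            out.append(x)
    return out


def rank_sequence(values):
    """Step 3 sort-and-search: result[i] = j when values[i] is the j-th smallest (0-based)."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks = [0] * len(values)
    for j, i in enumerate(order):
        ranks[i] = j
    return ranks


def index_triples(key, dims, n0, plain_stat):
    """Return ((X1, Y1, Z1), (X2, Y2, Z2)); every dimension must be at least 2."""
    src, dst = [], []
    for x0, size in zip(key, dims):
        stream = chebyshev_stream(x0, size + size // 2, n0)
        src.append(rank_sequence(stream[:size]))             # depends on the key only
        offset = 1 + plain_stat % (size // 2)                 # hypothetical stand-in for num1/num2
        dst.append(rank_sequence(stream[offset:offset + size]))
    return src, dst


def permute(bits, src, dst):
    """Assumed form of Equation (18): out[X2[i]][Y2[j]][Z2[k]] = bits[X1[i]][Y1[j]][Z1[k]]."""
    (x1, y1, z1), (x2, y2, z2) = src, dst
    out = [[[0] * len(z1) for _ in y1] for _ in x1]
    for i in range(len(x1)):
        for j in range(len(y1)):
            for k in range(len(z1)):
                out[x2[i]][y2[j]][z2[k]] = bits[x1[i]][y1[j]][z1[k]]
    return out


def bit_sum(bits):
    """Number of 1 bits; a permutation cannot change it, so the receiver can recompute it."""
    return sum(b for plane in bits for row in plane for b in row)


def scramble(bits, key=KEY, n0=N0):
    dims = (len(bits), len(bits[0]), len(bits[0][0]))
    src, dst = index_triples(key, dims, n0, bit_sum(bits))
    return permute(bits, src, dst)


def unscramble(scrambled, key=KEY, n0=N0):
    dims = (len(scrambled), len(scrambled[0]), len(scrambled[0][0]))
    src, dst = index_triples(key, dims, n0, bit_sum(scrambled))
    return permute(scrambled, dst, src)    # swapping the two triples inverts the mapping


# Constructed 4 x 6 x 21 bit matrix standing in for P_21bit.
SAMPLE = [[[1 if (5 * i + 3 * j + k * k) % 3 == 0 else 0 for k in range(21)]
           for j in range(6)] for i in range(4)]

if __name__ == "__main__":
    print("round trip ok:", unscramble(scramble(SAMPLE)) == SAMPLE)
```

Decryption works here only because the plaintext statistic that selects X2, Y2, Z2 survives the permutation; a statistic that the permutation altered could not be recomputed from the permuted matrix.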

Diffusion Stage of the Encryption System
Note that the diffusion operation is performed at the pixel-level.
Step 1: Firstly, the matrix $P_{24bit\_p}$ is converted into the color image $P_p$ with size M × N × 3, and then the image $P_p$ can be divided into RGB components. Secondly, the three gray images are transformed into 1D pixel arrays ($P_{R\_p}$, $P_{G\_p}$, $P_{B\_p}$), respectively. One can get
Step 2: Obtain the diffusion matrix
where i = 1, 2, ..., M; j = 1, 2, ..., N; k = i × j.
Step 3: Obtain the encrypted image pixel arrays $C_R$, $C_G$, $C_B$ using the 1D pixel arrays $P_{R\_p}$, $P_{G\_p}$, $P_{B\_p}$ and the diffusion matrix D, given by
where i = 1, 2, ..., M × N, and the symbol "⊗" represents the bitwise exclusive-or operator.
Step 4: Treat the encrypted image pixel arrays $C_R$, $C_G$, $C_B$ as the RGB components of a color image so that an encrypted color image with size M × N × 3 can be obtained.

Decryption Process
The decryption procedure is the inverse process of encryption. The flowchart of the decryption process is shown in Figure 5. The diffusion equation used in decryption is given as
where $P_{R\_p}$, $P_{G\_p}$, $P_{B\_p}$ are 1D pixel arrays.
where A is the 2D bit matrix which is permuted independently in the encryption process and $A_p$ is the corresponding permuted 2D bit matrix. The permutation equation used in decryption is given as
where $P_{21bit}$ is the 3D bit matrix which is permuted using PRRABPM in the encryption process and $P_{21bit\_p}$ is the corresponding permuted 3D bit matrix.

Figure 5. Flowchart of the decryption process.

Simulation Results
In this section, we evaluate the performance of the proposed scheme. The initial values of the tent map, the Chebyshev map, and the piecewise linear map are chosen as key_x0 = 0.22521231547896, key_y0 = 0.58749654123587, and key_z0 = 0.98564123475621, respectively, and $N_0$ = 2000. A baboon is used as the testing plain-image. The plain-image, the results of encryption-decryption images, and their corresponding distribution histograms are shown in Figure 6.

Security Key Space
For a secure encryption algorithm, the key space should be larger than $2^{100}$ [44]. There are four secret keys in the proposed encryption algorithm, including the initial values (key_x0, key_y0, key_z0) of the three chaotic maps and the iteration times $N_0$. For these four secret keys, key_x0 belongs to (0, 1), key_y0 belongs to (−1, 1), key_z0 belongs to (0, 1), and $N_0$ belongs to (1000, 2500]. As the computational precision of double-precision numbers is taken as $10^{16}$, the key space is $key_{total} = 10^{16} \times 10^{16} \times 10^{16} \times 1500 \approx 2^{170}$. So, the key space of the proposed cryptosystem is large enough to resist brute force attack. In Table 2, the comparison between our method and similar image encryption algorithms is given, showing that the key space size of the proposed algorithm is larger than most of the similar algorithms.

Histogram Analysis
The histogram of the encrypted image is often used to measure the security of the encryption system. For a secure encryption system, the histogram of the encrypted image should be flat, which can resist statistical attacks. The histograms of the plain-images and the corresponding cipher-images are shown in Figure 6a,c. As shown in Figure 6c, the encrypted image is completely scrambled and its histogram has a good uniform distribution, so it can resist statistical attacks. Furthermore, the histogram of the permuted image shown in Figure 6b is different from the histogram of the original image to some extent, so even though the diffusion key or diffusion sequence is cracked, the statistical information of the original image can be masked.

Correlation Analysis
The correlation coefficient of the pixels of the plain-image is always high because the adjacent pixels in the plain-image have a high correlation which can be used by attackers. So, the correlation coefficients of the pixels should be significantly reduced after the plain-image is encrypted. According to Equation (26), we calculate the correlation coefficients of the four directions, including the vertical, horizontal, diagonal, and anti-diagonal directions.
where cov(x, y) = 1 are two adjacent pixel values from four directions as mentioned above, and N is the number of image pixels. The correlation coefficients of plain-images and the corresponding cipher-images are provided in Table 3, including the vertical (V), horizontal (H), diagonal (D), and anti-diagonal (A) directions. As shown in Table 3, the correlation coefficients of the plain-images are close to 1, but the correlation coefficients of the cipher-images are close to 0. This indicates that the proposed algorithm can resist a statistical attack. Detailed results compared with some related references are given in Table 4.  In order to evaluate the correlation property of images, we randomly select 2000 pixels from the plain-image or their corresponding cipher-image. The correlation diagram among adjacent pixels at vertical, horizontal, diagonal, and anti-diagonal directions of the R channel are shown in Figure 7. As shown in Figure 7, the values of the adjacent pixels of the cipher-image are completely different.

Key Sensitivity and Plaintext Sensitivity Analysis
A differential attack is usually used to break a cryptosystem. For a secure encryption system to effectively resist such an attack, it should be sensitive to any tiny modification in the keys or the original image. The NPCR (number of pixels change rate) and UACI (unified average changing intensity) are usually used to evaluate the sensitivity of the key and plain-image. NPCR and UACI are expressed in the following equation:
where $c_1$, $c_2$ are encrypted images, and .
In this simulation, four plain-images were used to evaluate the key sensitivity. The proposed algorithm has four secret keys (key_x0, key_y0, key_z0, $N_0$). For example, the sensitivity of key_x0 is evaluated here. First, we selected 200 key groups key(i) = (key_x0(i), key_y0(i), key_z0(i), $N_0$(i)) (i = 1, 2, 3, ..., 200) from the security key space randomly and then we used every key group to encrypt the plain-images. Then, the corresponding cipher-images $C_1(i)$ (i = 1, 2, 3, ..., 200) could be obtained. Secondly, a slight change of $10^{-15}$ was added to the secret key key_x0(i) of the key group. The values of the remaining three keys (key_y0(i), key_z0(i), $N_0$(i)) were unchanged. Then, the key group containing the modified key was used to encrypt the plain-images again to obtain the corresponding cipher-images $C_2(i)$ (i = 1, 2, 3, ..., 200). According to Equation (27), 200 pairs of NPCR and UACI could be calculated.
The average values of NPCR and UACI are shown in Table 5. It should be noted that the key sensitivity of key_y0, key_z0, $N_0$ was evaluated in the same way. As shown in Table 5, the NPCR and UACI values were very close to the ideal values (NPCR: 99.6094 and UACI: 33.4635), indicating that the encryption system is sensitive to any tiny modifications in keys.
Another key sensitivity test is shown in Figure 8. Firstly, a key set was chosen from the security key space, denoted as key(1) = (0.2252123154789600, 0.5874965412358700, 0.9856412347562100, 2000). To evaluate the sensitivity of key_x0, a slight change of $10^{-16}$ is added to the secret key key_x0(1) while the others were unchanged. Then the key denoted as key(2) = (0.2252123154789601, 0.5874965412358700, 0.9856412347562100, 2000) could be obtained. After that, we used key(1) and key(2) to encrypt the same original image as shown in Figure 8a to obtain two corresponding cipher-images denoted as E1 and E2, shown in Figure 8b,c. The image of the pixel-to-pixel difference |E1 − E2| is shown in Figure 8d, and its histogram is shown in Figure 8h, which can prove that a tiny change of $10^{-16}$ in the security key will result in a significant change in the cipher-image. Finally, we used key(1) to decrypt the cipher images E1 and E2 individually, and the decryption results are shown in Figure 8i,j. As can be seen, only the correct key can completely reconstruct the original image. Thus, the proposed algorithm has high key sensitivity.
In order to evaluate the sensitivity to small changes in the plain-image, we selected 200 key groups key(i) = (key_x0(i), key_y0(i), key_z0(i), $N_0$(i)) (i = 1, 2, 3, ..., 200) from the security key space and selected 200 pixels denoted as Pixel_i(x, y, z) (i = 1, 2, 3, ..., 200) from the original color images at random locations (x, y, z). For instance, the cipher image $C_1$ can be obtained by using key key(1) to encrypt the plain-image. Then, we modified the value of pixel Pixel_1(x, y, z) in the plain-image slightly, as shown in Equation (28).
The plain-image containing the modified pixel Pixel_1(x, y, z) was encrypted with the same key key(1), so that the corresponding cipher image $C_2$ could be obtained. According to Equation (27), NPCR and UACI were calculated using $C_1$ and $C_2$. Finally, by using different keys in the key groups and slightly changed plain-images, a total of 200 pairs of NPCR and UACI were calculated. The average of the NPCR and UACI is shown in Table 6. Through Table 6, we can see that the NPCR and UACI values were very close to the ideal values, indicating that the encryption system is sensitive to any little change in the plain-image. As shown in Tables 7 and 8, our NPCR and UACI mean values passed the randomness test, compared with the expected values [45].
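The two sensitivity metrics in their standard form, as an added example that is not code from the paper: `npcr_uaci` scores a pair of cipher images, `ideal_values` reproduces the ideal values quoted above by enumerating every pair of 8-bit pixels, and a constructed chained-XOR diffusion (a toy, not the paper's diffusion equation) shows how far a one-bit plain-image change spreads when only the previous cipher pixel feeds the current one. The sample pixels and key stream are constructed.

```python
def npcr_uaci(c1, c2, levels=256):
    """Return (NPCR, UACI) in percent for two equal-length pixel sequences."""
    if len(c1) != len(c2) or not c1:
        raise ValueError("cipher images must be non-empty and of equal size")
    n = len(c1)
    changed = sum(a != b for a, b in zip(c1, c2))
    distance = sum(abs(a - b) for a, b in zip(c1, c2))
    return 100.0 * changed / n, 100.0 * distance / ((levels - 1) * n)


def ideal_values(levels=256):
    """Expected (NPCR, UACI) when the two cipher pixels are independent and uniform."""
    pairs = levels * levels
    changed = sum(a != b for a in range(levels) for b in range(levels))
    distance = sum(abs(a - b) for a in range(levels) for b in range(levels))
    return 100.0 * changed / pairs, 100.0 * distance / ((levels - 1) * pairs)


def chained_xor(plain, stream, seed=0):
    """Toy forward diffusion (constructed): c[i] = p[i] XOR d[i] XOR c[i-1]."""
    cipher, prev = [], seed
    for p, d in zip(plain, stream):
        prev = p ^ d ^ prev
        cipher.append(prev)
    return cipher


def one_bit_change_demo(n=1000, position=600):
    """Encrypt two constructed images that differ in one bit and score the pair."""
    plain = [(i * i + 7 * i) % 256 for i in range(n)]     # constructed pixels
    stream = [(73 * i + 41) % 256 for i in range(n)]      # constructed key stream
    modified = list(plain)
    modified[position] ^= 1                               # flip the lowest bit of one pixel
    return npcr_uaci(chained_xor(plain, stream), chained_xor(modified, stream))


if __name__ == "__main__":
    print("ideal NPCR/UACI: %.4f %.4f" % ideal_values())
    print("forward-only chaining, one-bit change: %.4f %.4f" % one_bit_change_demo())
```

In the toy, pixels before the modified position are untouched and later ones differ by a single grey level, so both scores fall far below the ideal values.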

Information Entropy Analysis
Information entropy is an important performance index which can be used to measure the randomness and unpredictability of an information source. So, it is usually used to measure the strength of a cryptosystem, given by
where m denotes an information source, and $2^N$ denotes the number of all possible pixel values. If m has $2^N$ possible values, the corresponding theoretical value should be H(m) = N. So, for a cipher-image with 256 gray levels, the ideal value for the information entropy is 8. According to Equation (29), the information entropy of seven plain-images and their corresponding cipher-images (which were encrypted by our algorithm and other recent algorithms in the literature) were calculated as shown in Table 9. From this table, we can see that the information entropies of the cipher-images (RGB components) were all close to the ideal value. In other words, the cipher-images had good randomness and unpredictability.
In practice, quick running speed is also significant for a good cryptosystem. The experimental environment was MATLAB R2014b with an Intel Core i7-7500U CPU @ 3.5 GHz and 4.0 GB RAM on Windows 10 OS. Because the proposed scheme is bit-level permutation-based and related to plain images, encryption time analysis was performed in comparison with the similar algorithms of references [25,37,40]. Murillo-Escobar et al. presented a plaintext-related color image encryption algorithm based on total plain image characteristics and chaos in [37], in which the chaotic sequence used in permutation and diffusion is related to the total plain image characteristics. Then, the Z value needs to be inserted into the encrypted image, as it cannot be calculated from the encrypted image during the decryption process. In [40], a novel image encryption algorithm is proposed, in which the plain image is permuted by using the 2D rectangular transform.
Then, in the diffusion stage, the previous encrypted pixel is used to encrypt the current pixel, while the first encrypted pixel in the cipher is related to all the pixels in the plain image. In [25], Xu et al. presented a novel bit-level image encryption algorithm that is based on piecewise linear chaotic maps (PWLCM). In the diffusion phase, the cycle shift operation is controlled by the sum of the binary sequence transformed from the plain image. In the confusion phase, the initial value of the chaotic map is determined by the permuted binary sequence.
The execution times for the proposed and comparable schemes, including the time consumption in all of the encryption operations and key-stream generations, are listed in Table 10. Encryption throughput (ET) in megabytes per second (MBps) and the number of cycles needed to encrypt one byte are also used to evaluate cryptosystem performance, and are given by Equations (30) and (31):
Table 11 presents a comparison of the ET and the number of cycles needed to encrypt one byte for the proposed cryptosystem and some recent cryptosystems. As shown in Tables 10 and 11, the execution speed of the proposed scheme was slower than Murillo-Escobar's algorithm, but more efficient than the algorithms in [25,40]. There are three reasons for the relatively slower encryption speed compared to Murillo-Escobar's algorithm. (1) Since the original color image has to be decomposed into 24 bit-planes in the permutation stage and then the permuted bit-planes are transformed into a color image, it will take more time than pixel-level permutation-based algorithms like [37]; (2) The image data to be processed in the permutation stage of bit-level permutation-based algorithms is eight times that of pixel-level permutation-based algorithms; (3) The sorting and searching operations used in key-stream generation in our algorithm are particularly time-consuming. Considering its high level of security, the running speed is acceptable.

Conclusions
In contrast with similar studies, a plaintext-related random access bit-permutation mechanism (PRRABPM) is presented in this paper. This method is used in the permutation stage to shuffle the RGB components of a color image at the same time, making these three components interact with each other. Furthermore, the key streams used in the random access bit-permutation mechanism are extremely dependent on the plain image in an ingenious way, which makes the encryption system sensitive to the key and the original image. Thus, the proposed encryption system can efficiently resist the chosen-plaintext and chosen-ciphertext attacks. Experimental results including key space, histogram, correlation, sensitivity, information entropy, and speed analyses are also given, showing that the proposed algorithm has good security performance.
The proposed method may be used for secure image communication applications. According to the simulation results, the proposed algorithm is not suitable for real-time applications. Now, our main concern is the strength of the encryption algorithm and its ability to work within the limitations of secure communication systems, which require further study. In our future work, we will consider this part in detail and improve the encryption speed. Integrating the image encryption with an image compression algorithm may also be considered, so as to enhance security for image transmission over communication systems.