Quantum Image Encryption Scheme Using Arnold Transform and S-box Scrambling

The paper proposes a lossless quantum image encryption scheme based on substitution table (S-box) scrambling, a mutation operation and the general Arnold transform with keys. First, the key generator is built on the SHA-256 hash of the plain-image and a random sequence. Its output value is used to yield the initial conditions and parameters of the proposed image encryption scheme. Second, the permutation and gray-level encryption architecture is built from the discrete Arnold map and the quantum chaotic map. Before the permutation of the Arnold transform, the pixel value is modified by a quantum chaos sequence. To obtain high scrambling and randomness, the S-box and the mutation operation are used in the gray-level encryption stage. The combination of linear and nonlinear transformations ensures the complexity of the proposed scheme and avoids harmful periodicity. The simulation shows that the cipher-image has a fairly uniform histogram, low correlation coefficients close to 0 and high information entropy close to 8. The proposed cryptosystem provides a key space of $2^{256}$ and runs quickly (speed = 11.920875 Mbit/s). Theoretical analyses and experimental results indicate that the proposed scheme has strong resistance to various existing attacks and a high level of security.


Introduction
With the widespread application of digital images, the security of private image information is of great concern. Various mature block encryption methods have been proposed, such as the advanced encryption standard (AES) [1][2][3], the data encryption standard (DES) [4,5], SM4 [6][7][8] and so on. However, they are not suitable for image encryption because of the redundancy and bi-dimensionality of images. As a classical permutation method, the Arnold transform [9][10][11][12][13] realizes efficient position swapping and is widely applied in the image encryption field. Hariyanto [9] reveals the effect of Arnold's iteration number n and draws the conclusion that Arnold's cat map can encrypt the image without reducing the value or information of the digital image. Farwa [10] considers a combination of S-box with a certain number of iterations of the Arnold transform to create confusion and diffusion in the digital image. In the frequency domain, Singh [11] uses a fractional Hartley transform combined with an Arnold transform and singular value decomposition for phase image encryption. However, an obvious weakness is that the Arnold transform is periodic, whereas a good encryption algorithm should not be periodic. The paper proposes a good method to solve the problem for wide acceptance. First, we calculate the new coordinates for each pixel by the Arnold transform, and then the pixel values are substituted into nonlinear transformation using S-box and linear transformation using

(1) We design an efficient and lossless image encryption scheme based on a novel architecture, which combines permutation with scrambling. Before the permutation of the Arnold transform, the gray-level encryption is executed by means of S-box substitution and linear transformation with a quantum chaos sequence. The architecture combines permutation and gray-level encryption and eliminates the periodicity brought by the Arnold transform.
(2) A traditional key generator based on the SHA-256 hash gets a fixed value if the plain-image has no change. We feed a string of random numbers and the plain-image into the SHA-256 hash and get a flexible security key due to the change in random numbers. This scheme preserves the advantages of the SHA-256 hash and provides a flexible security key.

(3) The algebraic transformation Equation (7) is designed to get some extremely sensitive variables to session keys for resistance against key sensitivity attacks. A slight alteration of the security key can cause unpredictable changes in the initial parameters and conditions.

(4) A mutation operation based on quantum random selection is presented to modify the value of diffused pixels for high randomness. The results prove that it can decrease the relationship of adjacent pixels in multiple directions.

The rest of this paper is organized as follows. Section 2 introduces the basic theory of the proposed scheme. Section 3 includes encryption and decryption. Section 4 analyzes the level of security. The conclusion is drawn in Section 5.

General Arnold Transform with Keys
The Arnold transform [9][10][11][12][13], also called the cat map transform, is utilized as a classical tool to disturb the high correlation among pixels. The definition of the general two-dimensional Arnold transform is given as follows.
where n is the number of iterations of the matrix A. The pixel coordinate $(x, y)^T$ of the N × N plain-image becomes $(x', y')^T$ of the cipher-image under the general Arnold transform. Considering the result that orthogonal transformation is a limited discrete set, we add secret keys $(ku, kv)^T$ to get high shuffling and enlarge the key space. The definition of the general two-dimensional Arnold transform with keys is given below.
The inverse transformation of Equation (2) is shown as follows.
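The forward map, its inverse and the periodicity mentioned in the introduction can be checked with the following added example, which is not the paper's code. It assumes the common generalized Arnold matrix A = [[1, a], [b, ab + 1]] and that the keys (ku, kv) are added once after the n iterations; the function names are illustrative.

```python
# Added example (not the paper's code). Assumptions: the generalized Arnold
# matrix is A = [[1, a], [b, a*b + 1]] (determinant 1) and the keys (ku, kv)
# are added once after the n iterations, everything modulo the image size N.

def arnold_forward(x, y, size, a, b, ku=0, kv=0, rounds=1):
    """Map the plain coordinate (x, y) to the scrambled coordinate (x', y')."""
    for _ in range(rounds):
        x, y = (x + a * y) % size, (b * x + (a * b + 1) * y) % size
    return (x + ku) % size, (y + kv) % size


def arnold_inverse(xp, yp, size, a, b, ku=0, kv=0, rounds=1):
    """Undo arnold_forward: remove the key offset, then apply A^-1 per round."""
    x, y = (xp - ku) % size, (yp - kv) % size
    for _ in range(rounds):
        # A^-1 = [[a*b + 1, -a], [-b, 1]] because det(A) = 1
        x, y = ((a * b + 1) * x - a * y) % size, (y - b * x) % size
    return x, y


def arnold_period(size, a=1, b=1):
    """Smallest n >= 1 with A^n = I (mod size); it exists because det(A) = 1."""
    base = (1 % size, a % size, b % size, (a * b + 1) % size)
    identity = (1 % size, 0, 0, 1 % size)
    cur, n = base, 1
    while cur != identity:
        p, q, r, s = cur
        e, f, g, h = base
        cur = ((p * e + q * g) % size, (p * f + q * h) % size,
               (r * e + s * g) % size, (r * f + s * h) % size)
        n += 1
    return n


def permute_image(img, a, b, ku=0, kv=0, rounds=1):
    """Move every pixel of a square image to its transformed coordinate."""
    size = len(img)
    out = [[0] * size for _ in range(size)]
    for x in range(size):
        for y in range(size):
            xp, yp = arnold_forward(x, y, size, a, b, ku, kv, rounds)
            out[xp][yp] = img[x][y]
    return out


if __name__ == "__main__":
    for size in (8, 256, 512):
        print("N =", size, "period of the classical map:", arnold_period(size))
    img = [[8 * x + y for y in range(8)] for x in range(8)]  # constructed image
    restored = permute_image(img, 1, 1, rounds=arnold_period(8))
    print("image restored after one full period:", restored == img)
```

With a = b = 1 and no keys, position-only scrambling returns the original image after a small number of rounds, which is the periodicity the scheme counters by also changing pixel values.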

Quantum Chaotic Map
The primary question of quantum chaos is to find the relationship between quantum mechanics and classical chaos. Dissipative quantum systems are coupled to a path of harmonic oscillators to cause the quantum logistic map [18][19][20][21][22] with quantum corrections α = <α> + δα, where δα shows a quantum fluctuation about <α>. Akhshani [22] proves that the very lowest-order quantum can yield a chaotic map as follows.
where x = <α>, y = <δα + δα>, z = <δα δα> and the notation < > represents the expectation value. β is the dissipation parameter and r is the control parameter. $x_n^*$ is the complex conjugate of $x_n$, and similarly for $z_n^*$. The range of the parameters as follows: 4]. We set r = 3.99, β = 6 according to Reference [20] and the initial parameters to be real. Iterating Equation (4), the required pseudo-random sequences, based on the quantum chaotic map, are produced.

Mutation Operation
Genetic algorithms are commonly used to generate high-quality solutions to optimization and search problems by relying on bio-inspired operators such as mutation, crossover and selection [32,33]. In biology, mutation is the permanent alteration of the genome's nucleotide sequence in an organism, virus, or extrachromosomal DNA or other genetic elements. Mutation results in various types of change in sequences. As one of the bio-inspired operators, the mutation operation changes two bits of each pixel according to a certain rule based on the quantum logistic map. The definition of the mutation operation is given below:
where gm is an offspring value. bitset(pm, bt, vl) is a function to set bit position bt in pm to vl. bt = 1, 2, . . . , 8 is a pseudo-random number based on the quantum logistic map. If the value of bit position bt in pm is 1, then vl = 0; otherwise vl = 1.

Cryptosystem
The proposed cryptosystem includes two stages. In the first stage, keystreams are produced by the key generator based on the SHA-256 hash, whose input is the plain-image with a random sequence appended. In the second stage, the permutation and gray-level encryption structure is built by the discrete Arnold map combined with S-box substitution, linear transformation and the mutation operation. The architecture of the proposed cryptosystem is shown in Figure 1.

Key Generator
The key generator based on the SHA-256 hash is a tool to generate the security key K, which is divided into 8-bit blocks $k_i$, referred to as session keys. The cryptosystem converts the plain-image to an array, which is followed by eight random integers ranging from 0 to 255. Inputting the array into the SHA-256 hash, the cryptosystem gets a 256-bit binary number as a security key, which gives a key space large enough to resist any brute-force attack. If one bit of the plain-image toggles, the output of the SHA-256 hash changes completely. This approach has a strong ability to defend against known/chosen-plaintext attack. Every execution of the key generator can generate different random integers, which causes different SHA-256 outputs and realizes a one-time pad. The 256-bit security key is given as $K = k_1, k_2, \ldots, k_{32}$. Taking key sensitivity into consideration, the paper designs the algebraic transformation to get some extremely sensitive variables to session keys as follows.
where i = 1, 2, . . . , 8 and $t_i \in (0, 1)$. The variables $t_i$ consist of two terms: a variable k i k i+8 +1 + k i+8 for all parameters. When one bit of K changes, the values of and also $t_i$ will change. If $k_i$ and $k_{i+8}$ both alter but the sum does The above statement shows that it is difficult to get the same $t_i$ with a different security key K. Thus, we conclude that the key generator can resist any key sensitivity attack.
In order to meet the ranges, the initial parameters and conditions of the proposed cryptosystem are derived as follows.
where i = 1, 2, . . . , 4; the initial parameters a, b and $(ku, kv)^T$ of the general Arnold transform with keys are set equal to $\lambda_1$, $\lambda_2$ and $(\lambda_3, \lambda_4)^T$. The initial parameters $x_0$, $y_0$ and $z_0$ of the quantum chaotic map are set equal to $t_5$, $t_6 \bmod 0.1$ and $t_7 \bmod 0.2$. In order to avoid harmful effects of the quantum chaotic system, the first m values are discarded. The initial parameter m ∈ [500, 1500) is defined as follows.
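The first step of the key generator, hashing the plain-image array followed by eight random integers and splitting the digest into 32 session keys, is shown in this added example, which is not the paper's code. It stops at K and does not reproduce Equations (7)-(9); the function names and the sample image are assumptions.

```python
# Added example (not the paper's code): derive the 256-bit security key K from
# the plain-image plus eight random integers, as the key generator describes.
import hashlib
import secrets


def generate_key(plain_pixels, nonce=None):
    """Return (session_keys, nonce).

    plain_pixels: flat sequence of gray values 0..255 (the image as an array).
    nonce: the eight random integers 0..255; drawn fresh when not supplied.
    session_keys: the 32 bytes k_1..k_32 of SHA-256(image || nonce).
    """
    if nonce is None:
        nonce = bytes(secrets.randbelow(256) for _ in range(8))
    nonce = bytes(nonce)
    if len(nonce) != 8:
        raise ValueError("the key generator appends exactly eight integers")
    digest = hashlib.sha256(bytes(plain_pixels) + nonce).digest()
    return list(digest), nonce


def hamming_bits(key_a, key_b):
    """Number of differing bits between two 32-byte session-key lists."""
    return sum(bin(a ^ b).count("1") for a, b in zip(key_a, key_b))


def sensitivity_demo():
    """Compare K for: same image/new nonce, and one toggled pixel bit/same nonce."""
    image = [(x * 16 + y) % 256 for x in range(16) for y in range(16)]  # constructed
    fixed_nonce = bytes(range(8))                                       # constructed
    k_ref, _ = generate_key(image, fixed_nonce)
    k_fresh, _ = generate_key(image)              # new random integers
    toggled = list(image)
    toggled[37] ^= 0x01                           # flip one bit of one pixel
    k_toggled, _ = generate_key(toggled, fixed_nonce)
    return hamming_bits(k_ref, k_fresh), hamming_bits(k_ref, k_toggled)


if __name__ == "__main__":
    fresh, toggled = sensitivity_demo()
    print("bits changed by new random integers:", fresh, "of 256")
    print("bits changed by one toggled pixel bit:", toggled, "of 256")
```

Because K depends on the plain-image, the receiver cannot recompute it from the cipher-image and has to be given K, which is what Step 1 of the decryption approach takes as input.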

Encryption Approach
The permutation and gray-level encryption structure is built in the encryption stage. First, the new pixel coordinate is calculated by the general Arnold transform with keys. Then the pixel value is modified by S-box substitution combined with linear transform and the mutation operation. Finally, the pixel is permuted to the new pixel coordinate. Iterating the process for each pixel, we get the final cipher-image. The encryption algorithm is described as follows.
Step 1. Set L = N × N and substitute the initial parameters $x_0$, $y_0$ and $z_0$ of the quantum chaotic map. Iterate Equation (4) m + L times and discard the first m values to avoid harmful effects. The following equation is applied to get three vectors Qx, Qy and Qz with highly chaotic characteristics.
The following XOR operation is then implemented to get a vector Qm.
Step 2. Substitute the initial parameters a, b and $(ku, kv)^T$ of the general Arnold transform with keys. Executing Equation (2), the pixel coordinate $(x, y)^T$ of the plain-image becomes $(x', y')^T$ of the cipher-image.
Step 4. Two mutation bits of each pixel are chosen pseudo-randomly based on the quantum matrix Qm. The protocol of mutation-selection is given below.
where $mb_1$ and $mb_2$ are mutation bits of the variable tempe. Equation (13) is designed so that the two mutation bits are four bits apart. Set pm = tempe and substitute the mutation bits $mb_1$ and $mb_2$ into bt respectively. Executing Equation (5), the cryptosystem gets an offspring tempe'.
Step 5. The offspring tempe' is assigned to an N × N matrix C(x', y').
Step 6. Iterating Steps 2-5 for each pixel of the plain-image, we get the cipher-image C.

Decryption Approach
The decryption approach is easily derived from the encryption routine. First, the inverse transformation of the general Arnold transform with keys is utilized to compute the coordinates. Then the inverse transformation of the gray-level encryption and the same mutation operation are executed to get the pixel value of the plain-image. Finally, the cryptosystem permutes the pixel values to the original coordinate. Iterating the process for each pixel, the cryptosystem realizes the decryption. The decryption algorithm is described as follows.
Step 1. The 256-bit security key K is substituted into Equations (7)-(9) for the initial parameters and conditions according to Section 3.1.
Step 2. By executing Step 1 in Section 3.2, we obtain four N × N matrices Qtx, Qty, Qtz and Qm with highly chaotic characteristics.
Step 3. Substituting the initial parameters a, b and $(ku, kv)^T$ into Equation (3) and executing Equation (3), the pixel coordinate $(x', y')^T$ of the cipher-image C becomes $(x, y)^T$.
Step 4. The same protocol of mutation selection is given in Equation (13). Setting pm = C(x', y') and substituting the mutation bits $mb_1$, $mb_2$ into bt respectively, the cryptosystem executes Equation (5) for the offspring tempd.
Step 5. The decryption method of Equation (14) is shown as follows.
Step 6. The result tempe' of Equation (14) is assigned to an N × N matrix I(x, y).
Step 7. Iterating Steps 3-6 for each pixel of the cipher-image, we get the decrypted matrix I, which is the same as the plain-image P.

Security Analysis
In this section, several experiments are conducted to check the security of the proposed cryptosystem, including histogram analysis, correlation coefficients, information entropy, differential analysis, key sensitivity analysis and key space analysis. The paper selects four standard gray-level images (256 × 256 Lena, 256 × 256 Cameraman, 512 × 512 Baboon and 512 × 512 Boats) from the CVG-UGR image database for tests.

Histogram Analysis
A histogram reveals the distribution of pixel intensity values in an image. An ideal cipher-image has a uniform frequency distribution that does not provide an attacker with any useful statistical information. Figure 2 shows that the distributions of plain-images are concentrated on some values while those of cipher-images are fairly uniform. The variance of the histogram is an important parameter to measure the uniformity of the distribution of pixel values. A lower variance means a more uniform histogram. The variance [35] of the histogram is defined as follows: where Z is the vector of the histogram values and $Z = \{z_1, z_2, \ldots, z_{256}\}$. $z_i$ and $z_j$ are the numbers of pixels whose values are equal to i and j respectively. Table 1 shows the variances of plain-images and cipher-images. By comparing results in Table 1, we can see that variances of cipher-images are much smaller than those of plain-images. Thus, we can conclude that the proposed algorithm has the ability to defend against histogram analysis.

Correlation Coefficients
One of the most important differences between an image and text is the correlation between adjacent data elements. Considering the two-dimensional nature of the image, the correlation comes from horizontal, vertical and diagonal directions. A normal image has high correlation, and a cipher-image encrypted by a good encryption scheme should have low correlation. The paper randomly selects 5000 pairs of two adjacent pixels from the plain-image 256 × 256 Lena and its cipher-image for simulation tests and calculates the correlation coefficients as follows.
where w, z are gray values of adjacent pixels and $r_{wz}$ is the correlation coefficient of the image. Figure 3 shows distributions of correlation along horizontal, vertical and diagonal directions for 256 × 256 Lena. Correlation coefficients along the horizontal, vertical and diagonal directions are reported in Table 2.

Information Entropy
Information entropy describes the average rate at which information is produced by a stochastic source of data. It is applied to evaluate the uncertainty and degree of ambiguity in the image. The mathematical definition of entropy is given below.
where s is the number of gray levels in the image and $p(s_i)$ is the probability of the symbol $s_i$. The ideal value of information entropy is very close to 8 for a cipher-image with $2^8$ gray-levels. Table 3 reports entropy values of four standard images and their cipher-images using the proposed scheme. Table 4 shows the comparison of information entropy for the proposed scheme and different schemes in the 256 × 256 image Lena. The results of information entropy are very close to the ideal value 8 and manifest better randomness and uncertainty than other algorithms.

Table 4. Comparison of information entropy for the proposed scheme and different schemes.

Differential Analysis
Differential analysis is a method to assess sensitivity to the plain-image. An ability to resist differential attack means that a slight change in the plain-image causes significant changes in the cipher-image. There are two scales for measuring the differences between two cipher-images: number of pixels change rate (NPCR) using Equation (19) and unified average changing intensity (UACI) using Equation (20).
where the N × N cipher-images C and C' are results of the proposed scheme for plain-images that differ in only one pixel. Under ideal conditions, NPCR = 99.609375% and UACI = 33.463542%. One bit is added to a random pixel value of the plain-image. Results of NPCR and UACI are calculated for four standard images and reported in Table 5. Table 6 reports NPCR and UACI for a 1-bit change of the plain-image Lena in different pixels and Table 7 compares the proposed scheme with other schemes for the plain-image sensitivity test. The results show that the proposed scheme has a strong ability to resist known/chosen-plaintext attack.

Scheme  NPCR      UACI
[20]    0.996012  0.335376
[24]    0.996074  0.309976
[36]    0.996124  0.334591
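The entropy, NPCR and UACI measures from this section and the previous one can be computed as in the following added example, which is not the paper's code. It assumes the standard definitions (Equations (18)-(20) did not survive on this page) and also derives the ideal NPCR and UACI values quoted above by exact enumeration over two independent uniform 8-bit pixels; the sample images are constructed.

```python
# Added example (not the paper's code). Assumes the standard definitions:
#   entropy H = -sum p(s_i) log2 p(s_i)
#   NPCR = share of positions where C and C' differ
#   UACI = mean of |C - C'| / 255
# Values are returned as fractions of 1, not percentages.
import math
import random
from collections import Counter
from fractions import Fraction


def entropy(img):
    """Shannon entropy in bits per pixel of a 2-D list of gray values."""
    pixels = [v for row in img for v in row]
    total = len(pixels)
    return -sum(c / total * math.log2(c / total) for c in Counter(pixels).values())


def npcr(c1, c2):
    """Number of pixels change rate between two equally sized images."""
    pairs = [(a, b) for r1, r2 in zip(c1, c2) for a, b in zip(r1, r2)]
    return sum(a != b for a, b in pairs) / len(pairs)


def uaci(c1, c2, max_level=255):
    """Unified average changing intensity between two equally sized images."""
    pairs = [(a, b) for r1, r2 in zip(c1, c2) for a, b in zip(r1, r2)]
    return sum(abs(a - b) for a, b in pairs) / (max_level * len(pairs))


def ideal_npcr(levels=256):
    """P(a != b) for two independent uniform pixels."""
    return Fraction(levels - 1, levels)


def ideal_uaci(levels=256):
    """E|a - b| / (levels - 1) for two independent uniform pixels."""
    total = sum(abs(a - b) for a in range(levels) for b in range(levels))
    return Fraction(total, levels * levels * (levels - 1))


def random_image(size, seed):
    """Constructed stand-in for a cipher-image: seeded uniform gray values."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(size)] for _ in range(size)]


if __name__ == "__main__":
    c, c_prime = random_image(64, 1), random_image(64, 2)
    print("ideal NPCR %.6f%%" % (100 * float(ideal_npcr())))
    print("ideal UACI %.6f%%" % (100 * float(ideal_uaci())))
    print("sample NPCR %.4f, UACI %.4f" % (npcr(c, c_prime), uaci(c, c_prime)))
    print("sample entropy %.4f bits" % entropy(c))
```

A scheme whose measured NPCR and UACI sit near these two values is behaving, on this test, like independent uniform output; values far from them in either direction are the signal to investigate.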

Mean Squared Error
Mean squared error (MSE) reflects the degree of difference between the two variables. The paper uses MSE to measure the differences between the N × N plain-image P(i, j) and its cipher-image C(i, j). MSE is calculated using the following equation [37].

Root Mean Squared Error
In order to discover the precision of the encryption scheme, root mean squared error (RMSE) is applied to compute the error between the plain-image and its cipher-image [38].
where P(i, j) is the pixel intensity of the N × N plain-image and the C(i, j) is the pixel intensity of the N × N cipher-image.

Mean Absolute Error
Mean absolute error (MAE) is a parameter to measure the differences between two continuous variables in statistics. MAE is computed to evaluate how much the cipher-image C(i, j) differs from the plain-image P(i, j). MAE is defined as [36,37].
A larger MAE indicates a higher security level. The paper calculates MSE, RMSE and MAE values for four standard images and reports them in Table 9.

Key Space Analysis
A brute-force attack consists of an attacker trying all possible security keys by an exhaustive key search until the correct one is found. Therefore, a small key space cannot resist brute-force attack. For achieving high resistance against a brute-force attack, the size of the key space should be larger than $2^{128}$ [39,40]. The security key of the proposed algorithm is generated by the SHA-256 hash, whose output is 256 bits long. The size of the key space is $2^{256} > 2^{128}$. So we claim that the key space is large enough to resist all kinds of brute-force attack.

Running Performance
Apart from security considerations, efficiency is also an important parameter for a cryptosystem. The actual execution time depends on many factors, including CPU performance, memory size and programming skill. The simulation is implemented in MATLAB R2015b on a computer with an Intel Core I3 CPU at 2.30 GHz and 4 GB of RAM. We execute the encryption process for 512 × 512 images 500 times and measure a total time of 83.886457 s. Thus, the real encryption efficiency is $\text{efficiency} = \frac{512 \times 512 \times 8 \times 500}{2^{20} \times 83.886457}\ \text{Mbit/s} = 11.920875\ \text{Mbit/s}$. The result shows the proposed cryptosystem has fast running performance.

Conclusions
The paper designs a novel image encryption scheme based on the general Arnold transform with keys combined with S-box and mutation operation. The key generator using the SHA-256 hash generates the security key and the initial parameters of the Arnold map and the quantum chaotic map. The SHA-256 hash of the plain-image and random numbers yields a 256-bit output as a security key. If the plain-image is altered, the security key changes correspondingly. So the proposed scheme can resist differential attack and known/chosen-plaintext attack. When we encrypt the same plain-image more than once, the change of random numbers will affect the output of the SHA-256 hash. The classical Arnold map is a practical tool to permute the pixels. The paper applies the general Arnold transform with keys for higher scrambling. In order to get high complexity and randomness, the paper proposes a more complicated architecture, which combines permutation with gray-level encryption. S-box is introduced into the encryption scheme as a nonlinear transformation and integrated with linear transformation and mutation operation to decrease the correlation of two adjacent pixels. The cipher-image from the proposed cryptosystem has a fairly uniform histogram, low correlation coefficients close to 0 and high information entropy close to 8. The proposed cryptosystem provides a key space of $2^{256}$ and runs quickly (efficiency = 11.920875 Mbit/s). The experimental results demonstrate that the proposed scheme achieves high sensitivity to the security key and the plain-image, low correlation coefficients, ideal information entropy, large key space and strong resistance against all kinds of attacks.

Conflicts of Interest:
The authors declare no conflict of interest.