A Symmetric Image Encryption Algorithm Based on a Coupled Logistic–Bernoulli Map and Cellular Automata Diffusion Strategy

In this paper, the properties of the classical confusion–substitution structure and some recently proposed pseudorandom number generators using one-dimensional chaotic maps are investigated. To solve the low security problem of the original structure, a new bit-level cellular automata strategy is used to improve the sensitivity to the cryptosystem. We find that the new evolution effects among different generations of cells in cellular automata can significantly improve the diffusion effect. After this, a new one-dimensional chaotic map is proposed, which is constructed by coupling the logistic map and the Bernoulli map (LBM). The new map exhibits a much better random behavior and is more efficient than comparable ones. Due to the favorable properties of the new map and cellular automata algorithm, we propose a new image-encryption algorithm in which three-dimensional bit-level permutation with LBM is employed in the confusion phase. Simulations are carried out, and the results demonstrate the superior security and high efficiency of the proposed scheme.


Introduction
Information security plays a significant role in peoples' digital lives. With the development of network technologies and wide use of portable digital devices, information is increasingly transmitted or shared via the Internet. Meanwhile, theories and protocols have been established and applied to guarantee the security of distributed information. In recent years, increasing amounts of multimedia information are shared via the Internet, including photos, voice data, and short videos, which have different characteristic features to text information. Such information is easily understood and vividly representative. Unlike text-based information, multimedia information is always highly redundant in the time and space domains, and traditional ciphers, such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard), are inefficient in dealing with multimedia information to satisfy the real-time requirements of multimedia information transmission.
To cope with this issue, researchers have proposed many ciphers based on different perspectives, which provide high security and efficiency for multimedia information. For instance, DNA coding-based ciphers [1,2], S-box-based ciphers [3], compressive sensing-based ciphers [4,5], wave function-based ciphers [6], etc. Moreover, by virtue of the similitude to pixel matrix of digital image, Sudoku matrix [7] and Latin square [8] have also been utilized in image ciphers. Originating in the late 1990s, chaos theory-based encryption algorithms have developed significantly, and most of them employ a confusion-diffusion structure, which was first proposed by Fridrich [9]. Due to their superior properties, array. Each of the elemental images contains most of the plain-image information. In the second step, encryption operations are applied on these elemental images, and in the last step, these encrypted elemental images are back-propagated by the lenslet array or reconstructed by a computational integral-imaging reconstruction algorithm to obtain the final cipher text. In [22], Li et al. proposed a new optical-based image-encryption algorithm, in which cellular automata and a chaotic system were employed to generate random sequences. One sequence was used to encrypt the pixel values in the elemental images, while another sequence was sorted and searched to generate the mapping rule for permuting each elemental image. In [23], a new multiple-image simultaneous encryption algorithm using a back-propagation neural network (BP neural network) was proposed to solve the security and interference problems.
In the fourth category, all image-encryption operations are performed in the frequency domain or transformed domain. The plain image is firstly transformed into the frequency domain, using a method such as the DCT (Discrete Cosine Transform) transform, wavelet transform, or Fourier transform. In the frequency domain, the information of the plain image is not evenly distributed, and most of the information is concentrated in a finite number of pixels. Selective encryptions are usually applied on this finite number of pixels in terms of low-frequency pixels. In [24], a new lossless image-encryption algorithm was proposed. In this cipher, the image was firstly transformed using the two-dimensional Haar wavelet transform, and the permutation operations were performed in the frequency domain. In the second step, the inverse Haar wavelet transform was applied and diffusion operations were performed in the space domain.
The image-encryption algorithms that belong to the different categories provide different ways to enhance the security of multimedia information. Most algorithms in all categories employ a permutation and diffusion architecture. However, the permutation algorithms always suffer from repeated-pattern problems for permuted images [25], which indicates that random permutation is not sufficient. In the diffusion phase, most of the algorithms choose a one-dimensional chaotic map and apply exclusive-or operations on the transformed one-dimensional pixel array. Diffusion operations of this type are classical and fast. However, they do not provide sufficient sensitivity to slight modifications of the plain image. This sensitivity is crucial for protecting against differential attacks and can be measured by NPCR (number of pixels change rate) [25], which is the different pixels' percentage in two images of the same size. In an ideal situation, a slight modification to the plain image can lead to different values of 99.6% of the pixels after one or two encryption rounds. In other words, the diffusion algorithm should spread one-bit modification to most of the remaining pixels in one diffusion round, and the classical diffusion algorithms, which are employed by most image-encryption algorithms, cannot achieve this goal, requiring more encryption rounds to diffuse the modification.
To cope with these problems, a new 3D bit-level permutation scheme was proposed to eliminate the repeated patterns in the permuted image. To further enhance the security of the random sequences used in the permutation and diffusion stages, a new chaotic map logistic-Bernoulli map (LBM) was proposed and investigated, which exhibits much better chaotic behavior than other one-dimensional chaotic maps. In the diffusion phase, a new bit-level cellular automata strategy was investigated to improve the sensitivity to the plain image modification. We found that the new evolution effects among different generations of the cells in cellular automata can significantly improve the diffusion effect of the cryptosystem.
The rest of the paper is organized as follows. In Section 2, the new chaotic map and its properties are introduced. In Section 3, a cellular automata-based diffusion strategy is described. The proposed cryptosystem is described in Section 4. In Section 5, simulation results and the performance analysis are reported, and in the last section, a conclusion is drawn.

A New One-Dimensional Chaotic Map for Image Encryption
One-dimensional (1D) maps are usually used as pseudorandom number generators in image-encryption algorithms due to their simplicity and efficiency. The logistic map, sine map,  [26] are four 1D maps that are commonly employed in cryptosystems, and their definitions are as follows. (1) However, single 1D maps suffer from the following problems [10]: (1) the chaotic behaviors are not continuous; (2) the attack on the random sequence generated by a 1D map is computationally inexpensive and fast; and (3) the output sequence is not uniformly distributed. As a consequence, many researchers focus on high-dimensional chaotic systems to facilitate image-encryption operations [24]. Although high-dimensional chaotic systems provide more complex structures and chaotic behaviors, their software or hardware implementations are complex and expensive [11], which indicates that a pseudorandom number generator that uses a high-dimensional chaotic map is inefficient. To achieve a balance between efficiency and security, in [10] and [11], Zhou and Hua suggested coupling or combining two or more 1D chaotic maps to form a new 1D or multi-dimensional chaotic system. On the one hand, a coupled high-dimensional chaotic map keeps the system computationally inexpensive and highly efficient; on the other hand, it has been demonstrated that a coupled system has better chaotic behavior and a larger Lyapunov exponent [10][11][12].
The speed of iterating the chaotic map to generate pseudorandom numbers is significant, since it constitutes a large amount of the encryption time. The logistic map, sine map, tent map, and Bernoulli map have similar chaotic behavior, especially as pseudorandom number generators in image-encryption operations. However, their speeds vary. To examine this property, we performed calculations with each chaotic map to generate 3,000,000 random numbers 10 times. The simulation environment was a personal computer with Windows 7 Ultimate, Intel 3.4 GHz Dual-core CPU, and 8 GB memory, and the compiling environment is Visual C++ 2010. The average data are listed in Table 1.  Table 1 illustrates, to generate 3,000,000 pseudorandom numbers (without quantification), the logistic map was much faster than the sine map, and a little faster than the tent map. Although the logistic map, sine map, and tent map were all very fast, the logistic map had the highest speed. This is due to its simple structure; moreover, to calculate each number, only multiplication and addition operations are required. The sine map was the slowest, due to the relatively complex trigonometric function calculation in each iteration. The tent map was relatively slow due to the condition determination for the piecewise function in each iteration.
In [10], Zhou et al. proposed a new scheme to combine two 1D chaotic maps as seed maps to form new 1D chaotic maps. The new maps were the logistic-tent system (LTS; the logistic map and tent map are the two seed maps), logistic-sine system (LSS; the logistic map and sine map are the two seed maps), and tent-sine system (TSS; the tent map and sine map are the two seed maps). Simulation results show that the new 1D chaotic maps, LTS, LSS, and TSS, have better chaotic behaviors and larger Lyapunov exponents. As Table 1 shows, the sine map and tent map are relatively slow, and provide chaotic behaviors similar to that of the logistic map. To achieve a good balance between security and efficiency for image encryption, a new one-dimensional chaotic system joint logistic map and Bernoulli map was proposed. The logistic-Bernoulli map (LBM) is defined in Equation (5).
where the parameter y ∈ (0, 4], and x 0 is the initial value of the LBM. Like its bifurcation diagram shows (Figure 1), in most of the definitional domain of the coefficient, the logistic map has no chaotic behavior. When the coefficient µ is very close to 4, the dots can spread over the full range of x n in the bifurcation diagram, which indicates good chaotic properties. However, the proposed LBM, in the entire definitional domain [0, 4] of the coefficient γ, the system is chaotic, as shown in Figure 1d. As Table 1 shows, the sine map and tent map are relatively slow, and provide chaotic behaviors similar to that of the logistic map. To achieve a good balance between security and efficiency for image encryption, a new one-dimensional chaotic system joint logistic map and Bernoulli map was proposed. The logistic-Bernoulli map (LBM) is defined in Equation (5).
where the parameter γ (0, 4], and x0 is the initial value of the LBM. Like its bifurcation diagram shows (Figure 1), in most of the definitional domain of the coefficient, the logistic map has no chaotic behavior. When the coefficient μ is very close to 4, the dots can spread over the full range of xn in the bifurcation diagram, which indicates good chaotic properties. However, the proposed LBM, in the entire definitional domain [0, 4] of the coefficient γ, the system is chaotic, as shown in Figure 1d.
The bifurcation diagrams of the logistic map, sine map, tent map, and LBM are shown in Figure  1. In [10], although the proposed 1D chaotic maps, including LTS, LSS, and TSS, can generate chaotic properties similar to that of LBM, the numbers of iterations required to calculate the random sequence with LTS, LSS, and TSS were higher than that of the proposed map. We iterate the proposed chaotic map, LTS, LSS, and TSS 10 times, and the average execution times are listed in Table 2. Table 2. Speed comparison among logistic-tent system (LTS), logistic-sine system (LSS), tent-sine system (TSS), and the proposed LBM.
In [10], although the proposed 1D chaotic maps, including LTS, LSS, and TSS, can generate chaotic properties similar to that of LBM, the numbers of iterations required to calculate the random sequence with LTS, LSS, and TSS were higher than that of the proposed map. We iterate the proposed chaotic map, LTS, LSS, and TSS 10 times, and the average execution times are listed in Table 2. Table 2. Speed comparison among logistic-tent system (LTS), logistic-sine system (LSS), tent-sine system (TSS), and the proposed LBM.

LTS [10] LSS [10] TSS [10] LBM (Proposed)
Generating 3,000,000 random numbers 81.5 ms 128.2 ms 143.9 ms 53.0 ms To further investigate the chaotic properties of the proposed 1D chaotic map, we calculated and plotted the Lyapunov exponents of the proposed 1D chaotic map and comparison maps. A positive Lyapunov exponent indicates chaotic behavior, while a negative exponent indicates that there are no chaotic properties. A larger Lyapunov exponent indicates better chaotic properties. The maximum Lyapunov exponents for different parameters of the chaotic maps are plotted in Figure 2. As Figure 2 shows, the Lyapunov exponents of the logistic map, sine map, and tent map are larger than 0 when the parameter is very close to 4, and in most of domains of the parameter, there is no chaotic behavior at all. When the parameters of LSS, LTS, and TSS fall into [0, 4], the Lyapunov exponents are all larger than 0, indicating that over the entire parameter domain, these dynamical systems are chaotic. The Lyapunov exponents obtained by LBM were also larger than 0 over its entire parameter domain, and the Lyapunov exponents of LBM fall in the value range [1, 1.4] in all parameter domains. This range is higher than the range [0.7, 1] of LSS, LTS, TSS, which indicates that the proposed LBM system exhibits much better chaotic behavior.
To further test the randomness of the proposed LBM, the NIST (National Institute of Standards and Technology) SP800-22 test was performed on 300 random binary sequences generated by LBM, and the simulation results are shown in Table 3. This indicates that the random sequences have high randomness.

Cellular Automata-Based Diffusion Structure
The cellular automata algorithm provides a mechanism in which a slight change to the state of one cell in the current generation will lead to modification of all the cells' states in the next generation. In an image-encryption algorithm, this feature makes cellular automata an ideal algorithm for the diffusion stage, as one main goal for diffusion is to spread a single slight modification of one pixel to all ciphered pixels. However, in previous cellular automata-based ciphers, cellular automata were employed only as a pseudorandom number generators, while neglecting the connection between diffusion effects and the intrinsic feature of cellular automata.
The idea of cellular automata was proposed by Stephen Wolfram in 1984 [27], and after that, a series of pseudorandom number generators using cellular automata were proposed [28]. A cellular automaton (CA) is a discrete model in the time and space domains, and each unit, which is called a cell, has a finite number of states. In the discrete time domain, each cell can evolve into any predefined state based on the neighboring cells' states in a previous time slice, as defined in Equation (6) [28].
where i ∈ [0, M − 1], a i is the current state between 0 and k − 1, and r is the number of neighbors in each direction that determine the current cell's value. δ is the update rule of the CA. a i ' is the cell value in the next generation. For a pseudorandom number-generation case, k = 2 and r = 1 are suggested in [28], and Equation (6) is transformed to Equation (7). The first number and the last number are calculated in a circular way, as shown in Equation (8) and Equation (9).
In this case, rules δ 90 and δ 150 are usually employed, as shown in Equations (10) and (11) [28]. Rule When k = 2, the sequences generated by Equations (8) and (9) contain binary values. According to Equation (6), a CA with different generations can be defined by Equation (12).
where t is the generation number. Equation (12) illustrates that the state of cell a i in generation t + 1 is determined by three factors: the state of a i in generation t; the states of the r neighboring cells of a i in generation t; and the states of the r neighboring cells of a i . r is the radius of the influence range. As mentioned above, spreading the slight modification of one or several pixels to all the ciphered pixels is one significant characteristic for a diffusion algorithm. In a classical diffusion algorithm, this spreading mechanism is achieved in a linear way. The two-dimensional pixel array is firstly transformed into a one-dimensional array. The spreading starts at the modified pixel and ends at an unpredictable pixel, governed by the "stop-point mechanism", which is discussed in our previous paper [29]; the end pixel is always not the last one. The finite number of influenced pixels can be treated as the seeds for the next round of diffusion, to influence more pixels in a backward manner (one direction).
Between generations, a CA can diffuse one cell's modification to neighboring pixels in two directions within its influence region of predefined size. In an ideal situation, a CA has the ability to influence all the cells' states in one round of evolution or diffusion. The mechanisms of classical diffusion and CA-based diffusion are shown in Figure 3. In Figure 3, the red pixel indicates the modified pixel and the spreading starts at this pixel. The black pixel is the last pixel that the spreading reaches when classical diffusion is performed, and all white pixels are unchanged. All blue pixels are modified or influenced by the spreading. Figure 3 shows that a diffusion algorithm with CA can spread the modification in two directions, and in each In Figure 3, the red pixel indicates the modified pixel and the spreading starts at this pixel. The black pixel is the last pixel that the spreading reaches when classical diffusion is performed, and all white pixels are unchanged. All blue pixels are modified or influenced by the spreading. Figure 3 shows that a diffusion algorithm with CA can spread the modification in two directions, and in each influence calculation, more pixels are affected according to Equation (12). Therefore, in the proposed scheme, we investigate if a new CA-based diffusion algorithm will lead to better spreading effects and make the system more sensitive.

The Proposed Scheme
In his masterpiece, Fridrich firstly proposed an image-encryption algorithm based on chaotic systems considering the similarities between cryptography and chaotic dynamic systems [9]. Two stages, confusion and diffusion, constitute one encryption round. Both stages are performed at the pixel level. Confusion operations aim to change each pixel's location, while in diffusion stages, pixel values are modified.
In [19], bit-level permutation is firstly proposed. In this permutation algorithm, the basic permuting unit is the bit, rather than the pixel, in the image. Each pixel contains eight bits of information. When the bit locations are changed, not only the pixel values but also the pixel locations are modified. When applying bit-level permutation, the plain image is firstly divided into eight-bit planes, and the eight-bit planes are permuted independently. After that, the eight permuted bit planes are joined together to generate the permuted cipher image.
In most bit-level image ciphers, only confusion operations are performed on bit level, while in the diffusion phase, the calculations are performed on the pixel level [19,25,30]. Between the two phases, a transformation is required. In [20], the bit-level properties of digital images are investigated, and the following suggestions are provided. (1) The bit-level permutation algorithm should allow each bit to freely move to any position in any bit plane of any color channel. (2) From the perspective of the bit constitution of an image, the bit distributions (the numbers of 0 s or 1 s) of the plain image and cipher image do not significantly change. On average, only 3.3% of the bits of a plain image are modified during the encryption operations, and most of them only change locations. According to these suggestions, we design a new image-encryption algorithm using lightweight bit-level permutation and bit-level diffusion based on the cellular automata strategy to achieve a balance between efficiency and security.

Confusion of the Proposed Scheme
In the confusion stage, bit-level permutations are employed due to their superior features to relocate bit information of plain images. During the confusion operations, the LBM system defined by Equation (5) is used as the pseudorandom number generator.
At the bit level, the image can be considered as a natural three-dimensional matrix, and the three dimensions are the width, height, and bit length, as shown in Figure 4.
As Figure 4 shows, in the first step, the pixel-level image is transformed into a three-dimensional (3D) matrix, on which the bit-level permutations are performed. The x and y coordinates of the 3D bit matrix correspond to the width and height of the plain image, respectively, while the z coordinate is the bit length of each pixel. Here, the width, height, and bit length are denoted by w 1 , w 2 , and w 3 .
In the confusion stage, bit-level permutations are employed due to their superior features to relocate bit information of plain images. During the confusion operations, the LBM system defined by Equation (5) is used as the pseudorandom number generator.
At the bit level, the image can be considered as a natural three-dimensional matrix, and the three dimensions are the width, height, and bit length, as shown in Figure 4. As Figure 4 shows, in the first step, the pixel-level image is transformed into a three-dimensional (3D) matrix, on which the bit-level permutations are performed. The x and y coordinates of the 3D bit matrix correspond to the width and height of the plain image, respectively, while the z coordinate is the bit length of each pixel. Here, the width, height, and bit length are denoted by w1, w2, and w3.
In the second step, three random sequences are generated by LBM. When iterating the chaotic system, the generated random numbers are further quantified by Equation (13), and if the output random number is the same as a previously generated one, the number will be discarded.
In the third step, the three random sequences obtained in Step 2 are sorted, and the three sorted sequences are denoted as sx', sy', and sz', as shown in Equation (14). sx sort x sy sort y sz sort z In the second step, three random sequences are generated by LBM. When iterating the chaotic system, the generated random numbers are further quantified by Equation (13), and if the output random number is the same as a previously generated one, the number will be discarded.
In the third step, the three random sequences obtained in Step 2 are sorted, and the three sorted sequences are denoted as sx', sy', and sz', as shown in Equation (14).
By comparing x' with its sorted sequence sx', y' with sy', z' with sz', the three mapping rules can be obtained and applied on the three-dimensional bit matrix, as shown in Figure 7, and the permuted 3D bit matrix can be obtained.

Bit-Level Diffusion Using Cellular Automata
In our cryptosystem, Rule 90 is used due to its simple structure and high efficiency when updating the random sequence. When calculating the first and last numbers, Equations (8) and (9) are employed.
In the first step of the diffusion stage, the permuted 3D bit matrix is divided into several diffusion bit planes for further diffusion operations. Let the size of the permuted 3D bit matrix be m × n × l, where m and n are the width and height of the image and l is the bit length of each pixel; l equals 24 when the plain image is an RGB color image. Since the diffusion bit planes have the same width and height as the plain image, the size of each can be defined as m × n × sl, where sl is the bit length of each unit (or pixel) in the diffusion bit plane. For example, if sl equals 1, there are 24 diffusion planes. The variable pn is the number of diffusion planes, which is defined by Equation (15).
As Equation (15) shows, if each unit or pixel in a diffusion plane has 4 bits (sl = 4), the number of diffusion planes is 6. In the diffusion phase of the cryptosystem, sl can be randomly selected from among 1, 2, 4, 8, and 12.
In the second step of the diffusion process, the proposed LBM defined in Equation (5) is used to generate two random sequences f 1 (x) and f 2 (x), where x ∈ [0, N × N − 1]. The two sequences are further quantified by Equations (16) and (17).
The diffusion operations are shown in Figure 5 and defined by Equation (18).
In Equation (18), dp s (i) is the ith pixel in the sth diffusion plane of the permuted image, while rdmf s (i) is the ith random number in the sth random sequence, where s ∈ 1, 2, . . . , pn . cp s (i) denotes the ith pixel in the ciphered sth plane. t s is a temporary value sequence. In the 3rd and 4th equations of (18), we evolve the states of cells from t s (i) i ∈ [0, N × N − 1] to rdm f s+1 (i) i ∈ [0, N × N − 1] , and from rdm s (i) i ∈ [0, N × N − 1] to rdm s+1 (i) i ∈ [0, N × N − 1] , respectively, according to CA rule 90, as shown in Equation (10).
In the diffusion phase, different diffusion planes are treated as different generations for CA, and the bit-level diffusion structure is as shown in Figure 5.
In Figure 5, if we consider each row of quadrangles (including two XOR (exclusive-OR) operations and two CA δ 90 updating operations) as one step in the diffusion phase and let sl equal 1, there are a total of 24 diffusion planes and 24 steps in the diffusion phase. If sl equals 12, there are three steps in the diffusion phase. In Figure 5, the ciphered bit planes are marked by blue quadrangles. Taking the 2nd diffusion plane dp 2 as an example, dp 2 is firstly XORed with a random bit plane rdmf 2 , which is obtained by cellular automata with 90 update rules applied on t 1 , as shown in Figure 5. After that, the corresponding cipher diffusion plane cp 2 is obtained. To calculate t 2 for the next step of the diffusion phase, the obtained cp 2 is further XORed with another random plane rdm 2 . rdm 2 is calculated by cellular automata with 90 update rules applied on rdm 1 . With the help of t i , rdm i , rdmf i , and the δ 90 updating rule, the current ciphered plane cp i has a strong relation with the previous encrypted cipher plane cp i−1 , which makes the cryptosystem more sensitive and secure to the slight modification of the plain image during a differential attack. In Figure 5, if we consider each row of quadrangles (including two XOR (exclusive-OR) operations and two CA 90 δ updating operations) as one step in the diffusion phase and let sl equal 1, there are a total of 24 diffusion planes and 24 steps in the diffusion phase. If sl equals 12, there are three steps in the diffusion phase. In Figure 5, the ciphered bit planes are marked by blue quadrangles. Taking the 2 nd diffusion plane dp2 as an example, dp2 is firstly XORed with a random bit plane rdmf2, which is obtained by cellular automata with 90 update rules applied on t1, as shown in Figure 5. After that, the corresponding cipher diffusion plane cp2 is obtained. To calculate t2 for the next step of the diffusion phase, the obtained cp2 is further XORed with another random plane rdm2. rdm2 is calculated by cellular automata with 90 update rules applied on rdm1. With the help of ti, rdmi, rdmfi, and the 90 δ updating rule, the current ciphered plane cpi has a strong relation with the previous encrypted cipher plane cpi-1, which makes the cryptosystem more sensitive and secure to the slight modification of the plain image during a differential attack.

Simulation Results and Security Analysis
The proposed image-encryption algorithm can be applied on both color images and grey-level images. When encrypting a grey-level image, it can be considered as one color channel of the color image. In this section, results of the simulations and security analysis are reported. All experiments are performed on a personal computer with Windows 7 Ultimate, Intel 3.4 GHz Dual-core CPU, and 8 GB memory, and the compiling environment is Visual C++ 2010. Some graphics are plotted in MATLAB 2009a. In this section, sl in Equation (15) is set to 8.

Simulation Results and Security Analysis
The proposed image-encryption algorithm can be applied on both color images and grey-level images. When encrypting a grey-level image, it can be considered as one color channel of the color image. In this section, results of the simulations and security analysis are reported. All experiments are performed on a personal computer with Windows 7 Ultimate, Intel 3.4 GHz Dual-core CPU, and 8 GB memory, and the compiling environment is Visual C++ 2010. Some graphics are plotted in MATLAB 2009a. In this section, sl in Equation (15) is set to 8.

Simulation Results and Statistical Data Analysis
The cipher images obtained by the proposed cryptosystem and their corresponding histograms are as shown in Figure 6.

Simulation Results and Statistical Data Analysis
The cipher images obtained by the proposed cryptosystem and their corresponding histograms are as shown in Figure 6.  The histogram of an image illustrates the pixel-value distribution information. For a meaningful image, the histogram always fluctuates and exhibits some gathering effects in some domains, while in a cipher image, all pixel values should be evenly distributed and completely different from those of the plain image. As Figure 6 shows, three test images, namely Lena, a house, and peppers, are encrypted by the proposed scheme, and their cipher images are shown in Figure 6b. We can see that the cipher image and the three corresponding color channels are all noisy, and the histograms of the three color channels in the cipher images are all in ideal situations, which indicates the high security of the proposed scheme through the statistical analysis.
In his masterpiece, Shannon noted that many ciphers can be cryptoanalyzed using statistical information, including histograms and correlation analysis [30]. For a good cipher, not only should the histogram of the cipher image be in the ideal situation, but the correlation coefficients of the cipher image should also be significantly reduced. Therefore, an important part of the statistical analysis is the correlation analysis.
The adjacent pixel values in the plain image are quite similar, and the correlation coefficients in any direction are all very close to 1. However, in the cipher image, there is no meaningful pattern and the correlation among adjacent pixels should be significantly reduced. In an ideal situation, the correlation coefficients should be close to 0. The correlation coefficients are calculated according to Equations (19)- (21). The correlation coefficients of the cipher image obtained by the proposed scheme are listed in Table 4. The histogram of an image illustrates the pixel-value distribution information. For a meaningful image, the histogram always fluctuates and exhibits some gathering effects in some domains, while in a cipher image, all pixel values should be evenly distributed and completely different from those of the plain image. As Figure 6 shows, three test images, namely Lena, a house, and peppers, are encrypted by the proposed scheme, and their cipher images are shown in Figure 6b. We can see that the cipher image and the three corresponding color channels are all noisy, and the histograms of the three color channels in the cipher images are all in ideal situations, which indicates the high security of the proposed scheme through the statistical analysis.
In his masterpiece, Shannon noted that many ciphers can be cryptoanalyzed using statistical information, including histograms and correlation analysis [30]. For a good cipher, not only should the histogram of the cipher image be in the ideal situation, but the correlation coefficients of the cipher image should also be significantly reduced. Therefore, an important part of the statistical analysis is the correlation analysis.
The adjacent pixel values in the plain image are quite similar, and the correlation coefficients in any direction are all very close to 1. However, in the cipher image, there is no meaningful pattern and the correlation among adjacent pixels should be significantly reduced. In an ideal situation, the correlation coefficients should be close to 0. The correlation coefficients are calculated according to Equations (19)- (21). The correlation coefficients of the cipher image obtained by the proposed scheme are listed in Table 4.
In Table 4, the correlation coefficients in the horizontal, vertical, and diagonal directions of Lena, house, and peppers are very close to 1, indicating high correlations between the adjacent pixels in the plain image. However, the correlation coefficients of the cipher image are all close to 0; thus, the encryption operations have significantly reduced the correlation relationships. In Table 4, the correlation coefficients of the cipher image obtained by the proposed scheme are compared with those obtained by [10]; better values are marked in bold. The average absolute value of the correlation coefficients of the cipher image obtained by the proposed scheme is 0.002405, while the average absolute value for the comparison scheme is 0.005851. To graphically illustrate that the encryption operations significantly reduced the correlation relationships, the correlation distributions are plotted in Figure 7. To graphically illustrate that the encryption operations significantly reduced the correlation relationships, the correlation distributions are plotted in Figure 7.

Differential-Attack Analysis
In a differential attack, the opponent will perform a series of encryption rounds with different plain images. In each round of the attack, the plain image will be slightly modified by one bit or one pixel, and after encryption, one pair consisting of the modified plain image and corresponding cipher image can be obtained. By analyzing several pairs of modified plain image with the corresponding cipher image, the equivalent key of the cryptosystem can be obtained. Therefore, to resist a differential attack, the cryptosystem should provide sufficient sensitivity to tiny modifications of the plain image. In other words, one slight modification to the plain image should lead to a completely different cipher image. Two measures are usually used in differential-attack analysis. They are NPCR (number of pixels change rate) and UACI (unified average changing intensity). NPCR and UACI are defined by Equations (22) and (23). In the simulations, the last pixel of the G channel of the plain image is modified. The NPCR and UACI data are listed in Tables 5 and  6.
where D(i, j) is defined as

Differential-Attack Analysis
In a differential attack, the opponent will perform a series of encryption rounds with different plain images. In each round of the attack, the plain image will be slightly modified by one bit or one pixel, and after encryption, one pair consisting of the modified plain image and corresponding cipher image can be obtained. By analyzing several pairs of modified plain image with the corresponding cipher image, the equivalent key of the cryptosystem can be obtained. Therefore, to resist a differential attack, the cryptosystem should provide sufficient sensitivity to tiny modifications of the plain image. In other words, one slight modification to the plain image should lead to a completely different cipher image. Two measures are usually used in differential-attack analysis. They are NPCR (number of pixels change rate) and UACI (unified average changing intensity). NPCR and UACI are defined by Equations (22) and (23). In the simulations, the last pixel of the G channel of the plain image is modified. The NPCR and UACI data are listed in Tables 5 and 6.
where D(i, j) is defined as D(i, j) = 1, c 1 (i, j) c 2 (i, j) 0, otherwise , and c 1 and c 2 are the two cipher images.

Information-Entropy Analysis
Information entropy is a significant criterion for measuring the security strength of a symmetric cryptosystem. The definition of the information entropy H(m) of a source m is given in Equation (24).
In Equation (24), p(m i ) is the probability of symbol m i and log denotes the base 2 logarithm. If each symbol in the message source m is an eight-bit symbol and the 256 possible outcomes each have equal probability, the message can be considered random information, and in this case, the information entropy should be 8, which is the ideal situation of a cipher text obtained by a cryptosystem.
The information entropies of the proposed scheme and a comparable scheme are reported in Table 7.  Table 7 shows that the information entropies of the cipher image obtained by the proposed scheme are larger than those of the comparison scheme, and are very close to the ideal value of 8. This indicates that the cipher image does not leak any of the information in the original plain image.

Speed Test
Computational efficiency is another significant issue for a cryptosystem. To evaluate the encryption speed of the proposed scheme, the test image "Lena" is encrypted 10 times, and the average encryption times are listed in Table 8. As there are no apparent confusion and diffusion stages in [10], only the total time of the encryption algorithm in [10] is provided in Table 8. The results show that our scheme is faster than the comparable one.

Conclusions
A new one-dimensional chaotic logistic-Bernoulli map is proposed and investigated. The new map shows superior features in chaotic behavior and efficiency. In addition, a new diffusion structure using a cellular automata strategy is proposed. Based on the new chaotic map and diffusion structure, a new image-encryption algorithm is proposed. Simulation results show that the proposed scheme leads to a higher level of security and is computationally efficient.