A Secure and Fast Image Encryption Scheme Based on Double Chaotic S-Boxes

In order to improve the security and efficiency of image encryption systems comprehensively, a novel chaotic S-box based image encryption scheme is proposed. Firstly, a new compound chaotic system, Sine-Tent map, is proposed to widen the chaotic range and improve the chaotic performance of 1D discrete chaotic maps. As a result, the new compound chaotic system is more suitable for cryptosystem. Secondly, an efficient and simple method for generating S-boxes is proposed, which can greatly improve the efficiency of S-box production. Thirdly, a novel double S-box based image encryption algorithm is proposed. By introducing equivalent key sequences {r, t} related with image ciphertext, the proposed cryptosystem can resist the four classical types of attacks, which is an advantage over other S-box based encryption schemes. Furthermore, it enhanced the resistance of the system to differential analysis attack by two rounds of forward and backward confusion-diffusion operation with double S-boxes. The simulation results and security analysis verify the effectiveness of the proposed scheme. The new scheme has obvious efficiency advantages, which means that it has better application potential in real-time image encryption.


Introduction
With the rapid development of network communication, image encryption has become a research hotspot in the field of image processing and information security. Since image information has the characteristics of large amounts of data, strong redundancy and high correlation between adjacent pixels, image encryption algorithms need not only high security, but also fast encryption speed. If the speed of encryption is low, the time consumed will be too long because of the large amount of image data. To encrypt multimedia information with large amounts of data, security and efficiency should be considered comprehensively [1][2][3][4][5]. Chaos-based cryptosystem just meets the need of image encryption, which leads to the research of chaos-based image encryption technology has been widely concerned by scholars. As for chaotic cryptography, a new chaotic system with better cryptographic performance deserves to be established. Some representative studies have contributed to this aspect [6][7][8][9]. How to generate key stream or encryption component with good performance is very important to the security of the image Cryptosystem [10][11][12]. How to design encryption algorithm is the core research content of the image Cryptosystem [13]. Cryptanalysis [14][15][16] is another important research direction of cryptography, which can help cryptographic designers improve the security of cryptographic algorithms.
Among many chaos-based image encryption algorithms, the permutation and diffusion (PD) pattern encryption algorithm proposed by Fridrich [17] is the most popular one. This image encryption algorithm structure consists of shuffling pixel positions and changing pixel values. The permutation

Sine Chaotic Map
The Sine map is one of the famous 1D chaotic maps. It is a simple dynamical system with complex chaotic behavior similar to the Logistic map. The mathematical model of the Sine map can be expressed as where µ is the system parameter in the range of (0, 4], x(0) is the initial state value of the system and {x(n), n = 1, 2, . . . } is the output sequence of state values. To observe the chaotic behaviors of the Sine map, its Lyapunov Exponent and bifurcation diagram are presented in Figure 1a,b.
Entropy 2019, 21, x 3 of 20 more suitable for cryptographic applications. (2) A simple and effective S-box construction method based on the new compound chaotic system is proposed, which can speed up the generation of S-boxes. (3) A double S-boxes based image encryption algorithm is designed. Double S-boxes can not only meet the security requirements of the system, but also make the time cost much lower than multiple S-boxes. The algorithm makes the parameters of the permutation and diffusion process interrelated and related with image ciphertext so that the encryption algorithm can resist chosen-ciphertext attack. Additionally, two rounds of forward and backward confusion-diffusion operation enhances the resistance of the system to the differential analysis attack. The rest of this paper is organized as follows. Section 2 introduces the new Sine-Tent system (STS) model. Section 3 describes the simple and effective S-box construction method based on the Sine-Tent system. Section 4 describes the new double S-boxes based image encryption algorithm. Section 5 presents the results of experiments and analysis of the proposed scheme. Finally, some concluding remarks are given in Section 6.

The Proposed New Chaotic System
1D discrete chaotic systems have many advantages in image encryption because of their simple structures. In this section, we firstly review two 1D chaotic maps: The Sine and Tent maps. They will be used for constructing our new chaotic system. Then, a new discrete compound chaotic system is proposed to solve the problems existing in the Sine and Tent maps.

Sine Chaotic Map
The Sine map is one of the famous 1D chaotic maps. It is a simple dynamical system with complex chaotic behavior similar to the Logistic map. The mathematical model of the Sine map can be expressed as ( +1) = / 4 sin( ( )) x n x n   (1) where μ is the system parameter in the range of (0, 4], x(0) is the initial state value of the system and {x(n), n = 1, 2, ...} is the output sequence of state values. To observe the chaotic behaviors of the Sine map, its Lyapunov Exponent and bifurcation diagram are presented in Figure 1a,b. As is well known, for a dynamical system, a positive Lyapunov Exponent means chaotic behavior occurs in the dynamical system. So, from Figure 1a, one can see that only when the parameter μ ≥ 3.57 can chaotic behavior occur in the Sine map. The bifurcation diagram depicts the possible state values of the system under each parameter. Corresponding to a value of system parameter, if there are infinite state values, the system with the parameter has chaotic behavior. Corresponding to a value of system parameter, if only one or a limited number of state values output, the system with the parameter does not have chaotic behavior. In the bifurcation diagram As is well known, for a dynamical system, a positive Lyapunov Exponent means chaotic behavior occurs in the dynamical system. So, from Figure 1a, one can see that only when the parameter µ ≥ 3.57 can chaotic behavior occur in the Sine map. The bifurcation diagram depicts the possible state values of the system under each parameter. Corresponding to a value of system parameter, if there are infinite state values, the system with the parameter has chaotic behavior. Corresponding to a value of system parameter, if only one or a limited number of state values output, the system with the parameter does not have chaotic behavior. In the bifurcation diagram shown in Figure 1b, the areas of µ with dense points shows its good chaotic behavior and the areas of µ with the solid line represents its non-chaotic property. There are two problems in the Sine map. First, the range of system parameters corresponding to chaotic phenomena is limited only within the range of [3.57, 4]. Even within this range, there are some parameters which make the Sine map have no chaotic behaviors. This is verified by its Lyapunov Exponent diagram and the blank zone in its bifurcation diagram. Second, when the system parameter value is less than four, the state values of the system output sequence are distributed in a narrower range than the [0, 1] interval. Only when the system parameter value is four, the state values of the system output sequence are distributed in the whole [0, 1] range. It shows the nonuniform distribution in the range of [0, 1]. These two problems reduce the application value of the Sine map.

Tent Chaotic Map
The name "Tent map" comes from its bifurcation diagram, which has the tent-like shape. Its mathematical model can be expressed as where µ is the system parameter in the range of (0, 4]. Its chaotic property is shown in the Lyapunov Exponent analysis in Figure 2a and bifurcation analysis in Figure 2b. Both analysis results indicate that its parameter value range with chaotic behavior is 2 ≤ µ ≤ 4. The Tent map has the same problems as the Sine map: The small parameter value range with chaotic behavior and the nonuniform distribution of the output state values. shown in Figure 1b, the areas of μ with dense points shows its good chaotic behavior and the areas of μ with the solid line represents its non-chaotic property. There are two problems in the Sine map. First, the range of system parameters corresponding to chaotic phenomena is limited only within the range of [3.57, 4]. Even within this range, there are some parameters which make the Sine map have no chaotic behaviors. This is verified by its Lyapunov Exponent diagram and the blank zone in its bifurcation diagram. Second, when the system parameter value is less than four, the state values of the system output sequence are distributed in a narrower range than the [0, 1] interval. Only when the system parameter value is four, the state values of the system output sequence are distributed in the whole [0, 1] range. It shows the nonuniform distribution in the range of [0, 1]. These two problems reduce the application value of the Sine map.

Tent Chaotic Map
The name "Tent map" comes from its bifurcation diagram, which has the tent-like shape. Its mathematical model can be expressed as where μ is the system parameter in the range of (0, 4]. Its chaotic property is shown in the Lyapunov Exponent analysis in Figure 2a and bifurcation analysis in Figure 2b. Both analysis results indicate that its parameter value range with chaotic behavior is 2 ≤ μ ≤ 4. The Tent map has the same problems as the Sine map: The small parameter value range with chaotic behavior and the nonuniform distribution of the output state values.

The Sine-Tent System
We put forward a new compound system by combining the Sine and Tent maps and called the new system the Sine-Tent system (STS). Its mathematical model is as follows: (4 ) / 4 sin( ( )) / 2 ( ) ( ) 0.5 ( +1) = (4 ) / 4 sin( ( )) / 2 (1 ( )) ( ) 0.5 x n x n x n xn x n x n x n where μ is the system parameter in the range of [0, 4]. When μ = 0, Equation (3) degenerates to the Sine map, while μ = 4, Equation (3) degenerates to the Tent map. Therefore, both the Sine map and Tent map can be regarded as special cases of the Sine-Tent system. The Lyapunov Exponent and bifurcation diagram of the STS are shown in Figure 3a,b, respectively. From Figure 3 one can see that its parameter value range with chaotic behavior is μ∈ [0, 4], which is much larger than those of the Sine or Tent maps. Its output sequences uniformly distribute within [0, 1] (see Figure 3b). Hence, the STS has better chaotic performance than the Sine and Tent maps.

The Sine-Tent System
We put forward a new compound system by combining the Sine and Tent maps and called the new system the Sine-Tent system (STS). Its mathematical model is as follows: where µ is the system parameter in the range of [0, 4]. When µ = 0, Equation (3) degenerates to the Sine map, while µ = 4, Equation (3) degenerates to the Tent map. Therefore, both the Sine map and Tent map can be regarded as special cases of the Sine-Tent system. The Lyapunov Exponent and bifurcation diagram of the STS are shown in Figure 3a,b, respectively. From Figure 3 one can see that its parameter value range with chaotic behavior is µ∈[0, 4], which is much larger than those of the Sine or Tent maps. Its output sequences uniformly distribute within [0, 1] (see Figure 3b). Hence, the STS has better chaotic performance than the Sine and Tent maps.  The new compound system has at least three advantages compared with the Sine and Tent maps. First, the output sequences of the new compound system spread out in the entire value range between zero and one. Second, the proposed Sine-Tent system has a wider chaotic range. The Lyapunov Exponents of the Sine-Tent system is positive in the entire range of 0 ≤ μ ≤ 4. However, the Sine map and Tent map have positive values of Lyapunov Exponents only within much smaller ranges. Thirdly, we know that a larger Lyapunov Exponent means stronger chaotic properties. From the Lyapunov Exponent diagrams, one can see that the new system has larger Lyapunov Exponents (Lyapunov Exponents is always close to 0.7) in the whole parameter range of [0, 4], while the Sine and Tent maps have large Lyapunov Exponents only when the parameter is close to four. Therefore, the chaotic characteristic of the new system is stronger, and it always maintains the invariable excellent chaotic performance in the entire parameter range of 0 ≤ μ ≤ 4. These advantages guarantee that the proposed Sine-Tent system is more suitable for information security applications such as image encryption.

An Efficient New Method for Generating S-Boxes
In Ref. [56], Belazi et al. proposed a simple yet efficient S-box generating method based on the chaotic sine map, in which a prime number p and a one to one map from the real number interval (0, 1) to the integer set {0, 1, 2, …, 255} need to be found. In this section, we present a simpler approach for designing S-boxes using the chaotic Sine-Tent map. The new method takes advantage of the excellent chaotic characteristics of the Sine-Tent map. The detailed steps of generating S-boxes are given below.
Step 1: Set parameter d as an odd positive integer and d > 0, d can be used as a secret key.
Step 3: Based on T1 and d to obtain a new array T by Equation (4) T( ) = mod( T1( ), 256) The new array T1×256 will contain 256 distinct integers in the range of [0, 255]. As long as d is a finite odd integer and T1(i) ≠ T1(j) if i ≠ j, then T(i) ≠ T(j) if i ≠ j. This conclusion is true and can be proved by experimental tests.
Step 4: Set the parameters μ, initial state value x0 of the Sine-Tent map, and an integer N0>0. Iterate Sine-Tent map (N0+256) times to generate a chaotic sequence of length (N0+256). Discard the first N0 elements of the original chaotic sequence, then we can obtain a new chaotic sequence of length 256, which is represented by X.
Step 5: Sort the chaotic sequence X, then we can get a position index array J = {J(1), J(2), ..., J(256)}, J(i)∈{1, 2, ..., 256}. As a result of the non-periodicity of the chaotic sequence, it will inevitably lead to that J(i) ≠ J(j) as long as i ≠ j. The new compound system has at least three advantages compared with the Sine and Tent maps. First, the output sequences of the new compound system spread out in the entire value range between zero and one. Second, the proposed Sine-Tent system has a wider chaotic range. The Lyapunov Exponents of the Sine-Tent system is positive in the entire range of 0 ≤ µ ≤ 4. However, the Sine map and Tent map have positive values of Lyapunov Exponents only within much smaller ranges. Thirdly, we know that a larger Lyapunov Exponent means stronger chaotic properties. From the Lyapunov Exponent diagrams, one can see that the new system has larger Lyapunov Exponents (Lyapunov Exponents is always close to 0.7) in the whole parameter range of [0, 4], while the Sine and Tent maps have large Lyapunov Exponents only when the parameter is close to four. Therefore, the chaotic characteristic of the new system is stronger, and it always maintains the invariable excellent chaotic performance in the entire parameter range of 0 ≤ µ ≤ 4. These advantages guarantee that the proposed Sine-Tent system is more suitable for information security applications such as image encryption.

An Efficient New Method for Generating S-Boxes
In Ref. [56], Belazi et al. proposed a simple yet efficient S-box generating method based on the chaotic sine map, in which a prime number p and a one to one map from the real number interval (0, 1) to the integer set {0, 1, 2, . . . , 255} need to be found. In this section, we present a simpler approach for designing S-boxes using the chaotic Sine-Tent map. The new method takes advantage of the excellent chaotic characteristics of the Sine-Tent map. The detailed steps of generating S-boxes are given below.
Step 1: Set parameter d as an odd positive integer and d > 0, d can be used as a secret key.
Step 3: Based on T1 and d to obtain a new array T by Equation (4) The new array T 1×256 will contain 256 distinct integers in the range of [0, 255]. As long as d is a finite odd integer and T1(i) T1(j) if i j, then T(i) T(j) if i j. This conclusion is true and can be proved by experimental tests.
Step 4: Set the parameters µ, initial state value x 0 of the Sine-Tent map, and an integer N 0 > 0. Iterate Sine-Tent map (N 0 + 256) times to generate a chaotic sequence of length (N 0 + 256). Discard the first N 0 elements of the original chaotic sequence, then we can obtain a new chaotic sequence of length 256, which is represented by X. Step 5: Sort the chaotic sequence X, then we can get a position index array J = {J(1), J(2), . . . , J(256)}, J(i)∈{1, 2, . . . , 256}. As a result of the non-periodicity of the chaotic sequence, it will inevitably lead to that J(i) J(j) as long as i j.
Step 6: Calculate the 1D array S as follows: Step 7: Transform the 1D array S 1×256 into a 2D matrix S 16×16 , and this is the proposed S-box. By the above method, the length of chaotic sequences to be used in constructing a 16 × 16 sized S-box is only 256. Therefore, the time cost of this method is very low. In our experiments, double S-boxes are generated by the above S-box generation algorithm. The initial condition x 0 , system parameter µ of the Sine-Tent map and the parameters {d, N 0 } for the S-box generation are set as {x 10 and S2, respectively. The generated double S-boxes are shown in Tables 1 and 2, which are used in our proposed image encryption algorithm. Table 1. The chaotic S-box S1 generated with parameters {x 10  In the first row of Table 1, c1, c2, . . . , c16 denotes the column numbers of the S-box. Additionally, in the first column of Table 1, r1, r2, . . . , r16 denotes the row numbers of the S-box. To determine the randomness of proposed S-box method, the statistical test suite (version 2.1.1), proposed by the National Institute of Standards and Technology (NIST) NIST-800-22 is introduced. The NIST-800-22 test results are listed in Table 3. We find that the 12 tests successfully passed. Moreover, the Random Excursions Test, Random Excursions Variant Test, and Universal Statistical Test were not applicable for the proposed S-box. This is because the sequence generated by an S-box only consists of 2048 bits. However, the Random Excursions Test and Random Excursions Variant Test require a long sequence consisting of a minimum of 1,000,000 bits, and the Universal Statistical Test also requires a long sequence consisting of a minimum of 387,840 bits.

Cryptanalysis of an S-Box Based Encryption Algorithm
In Ref. [57], Çavuşoglu et al. proposed an image encryption scheme by using the S-box generated with a novel hyper-chaotic system. The sketch of the encryption scheme is shown in Figure 4. To determine the randomness of proposed S-box method, the statistical test suite (version 2.1.1), proposed by the National Institute of Standards and Technology (NIST) NIST-800-22 is introduced. The NIST-800-22 test results are listed in Table 3. We find that the 12 tests successfully passed. Moreover, the Random Excursions Test, Random Excursions Variant Test, and Universal Statistical Test were not applicable for the proposed S-box. This is because the sequence generated by an S-box only consists of 2048 bits. However, the Random Excursions Test and Random Excursions Variant Test require a long sequence consisting of a minimum of 1,000,000 bits, and the Universal Statistical Test also requires a long sequence consisting of a minimum of 387,840 bits.

Cryptanalysis of an S-Box Based Encryption Algorithm
In Ref. [57], Çavuşoğlu et al. proposed an image encryption scheme by using the S-box generated with a novel hyper-chaotic system. The sketch of the encryption scheme is shown in Figure 4.   Step 1: Generate three real value chaotic sequences x, y, and z by using a hyper-chaotic system with given parameters and initial state values as secret keys.
Step 2: Transform the three real value sequences x, y and z into three integer sequences X, Y and Z by the chaos-based pseudo random number generator (PRNG). Each element in X, Y and Z is an 8-bit integer and its decimal number is in the range of [0, 255].
The above S-box based encryption algorithm has the following potential defects: (1) The chaotic sequence Y and S-box is actually the equivalent of the secret keys, which are not related with the image to be encrypted.
(2) The algorithm has no diffusion effect. While one pixel is changed in the plain image, there is only one changed pixel in the cipher image.
(3) The sequence Y and S-box are separated in the bitwise XOR process and Sub-Byte process, and the bitwise XOR process unrelated to the Sub-Byte process.
Based on the above analysis, we find that the above encryption scheme cannot resist the chosen-plaintext attack. Suppose the target cipher image to be recovered is C = [c(1), c(2), . . . , c(L)], we This simplest attack method with Algorithm 2 requires 256 selected plaintext images. However, a more efficient chosen-plaintext method only needs to select two plain images. For details, readers can refer to Ref. [58].

The Novel Double S-Boxes Based Image Encryption Algorithm
To eliminate the security defects that exist in some S-box based encryption algorithms, a novel double S-boxes based image encryption algorithm is proposed. The main innovations of the new scheme lie in the following three aspects: Firstly, the new Sine-Tent compound chaotic system is used to generate double S-boxes, which are used in the two rounds of the encryption process of the new scheme. Secondly, the first S-box is used to realize pixel confusion and substitution simultaneously. Thirdly, two rounds of the encryption process are correlated and the diffusion mechanism is introduced. The main steps of the novel double S-boxes based image encryption algorithm is described as follows: Step 1: Input the secret parameters {x 10  Step 2: Generate the first S-box S1 by using the new S-box generation algorithm with parameters {x 10 , µ 1 , d 1 }.
Step 3: Generate the second S-box S2 by using the new S-box generation algorithm with parameters {x 20 , µ 2 , d 2 }.
Step 4: Perform the first round of encryption on array P with the first S-box S1, and obtain the temporary cipher image pixel array where, sub_byte[S1, x] denotes byte substitution for x using S-box S1. The first round of encryption is the forward confusion-diffusion operation, in which permutation and diffusion are implemented simultaneously by introducing the location index j. Step where, sub_byte[S2, x] denotes byte substitution for x using S-box S2. The second round of encryption is the backward diffusion operation.
Step 6: Transform the 1D vector C into a 2D matrix with size of M × N, then the cipher image CI is obtained.
The decryption process is the inverse operation of the encryption process. To recover the plain image P from the cipher image CI, the operating steps are as follows.
Step 2: Generate the first S-box S1. The operation is exactly the same as Step 2 of the encryption process.
Step 3: Generate the second S-box S2. The operation is exactly the same as Step 3 of the encryption process. Step where, sub_byte_1[S2, ·] denotes the inverse operation of sub_byte[S2, ·] using S-box S2.
Step 6: Transform P into an M × N matrix, then the decrypted image PI is obtained.

Experimental Results and Security Analyses
To examine the security and efficiency of the proposed cryptosystem, we carry out some simulation experiments. All the algorithms are implemented with MATLAB R2016b run on a Microsoft Windows 7 operating system. The hardware environment is a PC with 3.3 GHz CPU, and 4 GB memory. Without losing generality, we adopted the public test images come from the USC-SIPI Image Database. Test

Experimental Results
The original plain images and their corresponding cipher-images are shown in Figures 5 and 6, respectively. While the decrypted images are identical to the corresponding original ones. As can be seen, the cipher-images are completely disordered and unrecognizable. Therefore, our proposed algorithm has a good encryption effect.

Key Space Analyses
A secure encryption scheme should have a large key space so as to resist brute-force attack. In our proposed encryption scheme, the secret keys include {x10, μ1, d1, x20, μ2, d2, r0, t0, m}. Among them, {x10, μ1, x20, μ2} are four double-precision real numbers, each of them can reach the accuracy of 15 decimal places. d1 and d2 are two odd integers, each of them can have 10 4 different values. r0 and t0 are two integers, each of them has 255 different values. m is an integer range from 1 to L, where L = 65536. So, the key space of our proposed encryption scheme is (10 15×4+4×2 ) × 255 × 255 × 65536 ≈ 2 258 , which is a key equivalent to 258 bits in length. Therefore, the key space is large enough to resist brute-force attack.

Histogram Analysis
A histogram of an image demonstrates the distribution of the image pixel values, and it exposes the pixel distribution characteristics of the image. The more uniform the distribution of the pixel values, the closer the image is to the random signal image. Figure 7 shows the histograms of the above test plain images and cipher images encrypted by our proposed algorithm (the histograms of the all-white and all-black plain images are omitted). It can be seen from Figure 7

Key Space Analyses
A secure encryption scheme should have a large key space so as to resist brute-force attack. In our proposed encryption scheme, the secret keys include {x10, μ1, d1, x20, μ2, d2, r0, t0, m}. Among them, {x10, μ1, x20, μ2} are four double-precision real numbers, each of them can reach the accuracy of 15 decimal places. d1 and d2 are two odd integers, each of them can have 10 4 different values. r0 and t0 are two integers, each of them has 255 different values. m is an integer range from 1 to L, where L = 65536. So, the key space of our proposed encryption scheme is (10 15×4+4×2 ) × 255 × 255 × 65536 ≈ 2 258 , which is a key equivalent to 258 bits in length. Therefore, the key space is large enough to resist brute-force attack.

Histogram Analysis
A histogram of an image demonstrates the distribution of the image pixel values, and it exposes the pixel distribution characteristics of the image. The more uniform the distribution of the pixel values, the closer the image is to the random signal image. Figure 7 shows the histograms of the above test plain images and cipher images encrypted by our proposed algorithm (the histograms of the all-white and all-black plain images are omitted). It can be seen from Figure 7

Key Space Analyses
A secure encryption scheme should have a large key space so as to resist brute-force attack. In our proposed encryption scheme, the secret keys include {x 10 , µ 1 , d 1 , x 20 , µ 2 , d 2 , r 0 , t 0 , m}. Among them, {x 10 , µ 1 , x 20 , µ 2 } are four double-precision real numbers, each of them can reach the accuracy of 15 decimal places. d 1 and d 2 are two odd integers, each of them can have 10 4 different values. r 0 and t 0 are two integers, each of them has 255 different values. m is an integer range from 1 to L, where L = 65536. So, the key space of our proposed encryption scheme is (10 15×4+4×2 ) × 255 × 255 × 65536 ≈ 2 258 , which is a key equivalent to 258 bits in length. Therefore, the key space is large enough to resist brute-force attack.

Histogram Analysis
A histogram of an image demonstrates the distribution of the image pixel values, and it exposes the pixel distribution characteristics of the image. The more uniform the distribution of the pixel values, the closer the image is to the random signal image. Figure 7 shows the histograms of the above test plain images and cipher images encrypted by our proposed algorithm (the histograms of the all-white and all-black plain images are omitted). It can be seen from Figure 7 that the distributions of pixel values in plain images are clearly not uniform but in cipher images are very uniform.
A histogram of an image demonstrates the distribution of the image pixel values, and it exposes the pixel distribution characteristics of the image. The more uniform the distribution of the pixel values, the closer the image is to the random signal image. Figure 7 shows the histograms of the above test plain images and cipher images encrypted by our proposed algorithm (the histograms of the all-white and all-black plain images are omitted). It can be seen from Figure 7  The distribution characteristics of a histogram can also be described quantitatively with the variance of a histogram, which is calculated by [16]   The distribution characteristics of a histogram can also be described quantitatively with the variance of a histogram, which is calculated by [16] var(Z) = 1 n 2 where, n is the number of gray levels of an image, and n = 256 for 8-bit gray images. Z is a vector and Z = {z 1 , z 2 , . . . , z n }, z i and z j are the numbers of pixels with gray values equal to (i − 1) and (j − 1) respectively. The lower value of variance indicates the higher uniformity of an image. In order to detect the variance values of the above test images and their cipher images, the variances of histograms of the plain images (size of 256 × 256) and their cipher images are calculated by using Equation (16).
The results are listed in Table 4. Table 4 also lists the results obtained by the algorithm in References [39] and [40]. The average variance of five cipher images obtained with our proposed algorithm is 256.7125, which is much less than that of Zhang's algorithm [39], Wang's algorithm [40], and Çavuşoglu's algorithm [57]. Thus, our proposed image encryption algorithm has better performance in resisting statistical attacks.

Correlation Analysis
Natural images usually have a strong correlation with adjacent pixels. An efficient encryption algorithm should reduce the correlation in cipher images. In order to exhibit the correlation strength intuitively, we randomly selected 2000 pairs of pixel along a certain direction (horizontal or vertical or diagonal) from an image to draw the correlation distribution diagram. Figure 8 shows the correlation distribution diagrams of the Lena plain and cipher image encrypted by our encryption algorithm. The abscissa and ordinate values at any point in the graph represent the values of a pair of neighbor pixels, respectively. For plaintext images, most of the points in the graph are distributed near a straight line with an inclination of 45 degrees. That is to say, the abscissa and ordinate coordinates of most points are basically equal, indicating that the pixel values of neighboring points in plaintext images are basically equal. However, the pixel values of each group of neighbor points in ciphertext images are not equal. The results confirm that the correlation among the adjacent pixels is reduced greatly by our proposed encryption algorithm.
To illustrate quantitatively the correlation of adjacent pixels in an image, we can calculate the correlation coefficient r XY by using N pairs of an adjacent pixel. r XY is defined as where, X = {x 1 , x 2 , . . . , x N } and Y = {y 1 , y 2 , . . . , y N }, (x i , y i ) is the i-th pairs of the adjacent pixel gray-scale values, and Three types of correlation coefficients of adjacent pixels in the Lena plain and cipher image are calculated, respectively. Correlation coefficients of the Lena plain images are as: 0.9567 (horizontal direction), 0.9239 (vertical direction), 0.8888 (diagonal direction), showing that correlation coefficients of adjacent pixels in the Lena plain image are very high (all close to one). Results of the Lena cipher image are listed in Table 5. From Table 5, we can see that the correlation coefficients of adjacent pixels in the Lena cipher image are very low (all close to zero). Table 5 also lists the correlation coefficients of the Lena cipher image encrypted with Zhang's algorithm, Wang's algorithm and Çavuşoglu's algorithm.
The experimental results show that our proposed algorithm has the smallest absolute values of the correlation coefficient among the three algorithms, showing the best scrambling effect.

. Correlation Analysis
Natural images usually have a strong correlation with adjacent pixels. An efficient encryption algorithm should reduce the correlation in cipher images. In order to exhibit the correlation strength intuitively, we randomly selected 2000 pairs of pixel along a certain direction (horizontal or vertical or diagonal) from an image to draw the correlation distribution diagram. Figure 8

Information Entropy Analysis
Information entropy can be used to describe the degree of randomness or uncertainty of signals.

The information entropy H(m) of an image is calculated by
where P(m i ) denotes the occurrence probability of the gray level i, and i = 0, 1, 2, . . . , 2 n . Here, 2 n is the number of grayscale levels of an image. If each m i has the same occurrence probability in an image, then P(m i ) = 1/2 n , then the image is completely random with H(m) = n. For an image with 256 gray-scale levels, n = 8, so, the information entropy of a completely random 8-bit gray image is eight. A good encryption algorithm should make the information entropy of its cipher image close to eight. We calculated the information entropy values of several cipher images obtained by four different encryption algorithms. The results are listed in Table 6. All the images have the same size of 256 × 256. From Table 6, one can see that all the entropy values are significantly closer to eight, so the randomness is satisfactory. Among these four algorithms, our proposed algorithm has the largest average entropy value, showing the best randomness of the cipher image encrypted by our proposed algorithm.

Sensitivity Analysis
(1) Sensitivity to plain images A secure encryption algorithm should be sensitive to the change of the plain image so as to resist the differential attack. To measure the sensitivity of an algorithm to tiny changes in a plain image, the number of pixels changing rate (NPCR) and the unified average changing intensity (UACI) are introduced. The NPCR and UACI are calculated by Equations (22)- (24).
where, M, N represent the number of rows and columns of an image, respectively. C 1 = [c 1 (i, j)] and C 2 = [c 2 (i, j)] express two encrypted images corresponding to two plain images with a tiny difference, and δ(i, j) is computed by The larger the values of NPCR and UACI, the stronger the sensitivity of the algorithm to plaintext. For the best case, the ideal average value of NPCR is about 99.61%, and the ideal average value of UACI is about 33.46% [16].
To measure the sensitivity of our improved algorithm to the plain image, the original Lena gray image (size of 256 × 256) is adopted as the first plain image, and the second plain image is obtained by changing only one pixel of the first plain image. To obtain two cipher images C 1 and C 2 by executing the proposed encryption algorithm with the same secret keys, respectively. Then NPCR and UACI are computed with two cipher images, and the results are listed in Table 7. Table 7 also lists the results obtained by using the Zhang's, Wang's and Çavuşoglu's algorithm. The results indicate that our proposed encryption algorithm is very sensitive to the plain image, and its sensitivity is better than those of Zhang's and Wang's algorithm. (2) Sensitivity to Secret Keys A secure encryption algorithm should also be sensitive to the change of secret keys. That is to say, when secret keys change slightly, the cipher image should change dramatically. NPCR and UACI can also be used to measure the sensitivity of an encryption algorithm to secret keys. In our simulation tests, two groups of secret keys with a tiny difference are used to encrypt the same plain image Lena and two cipher images, C 1 and C 2 , are obtained. The tiny change (to a float number is 10 −15 , or to an integer number is one) is introduced to one of the secret keys (x 10 , µ 1 , d 1 , x 20 , µ 2 , d 2 , r 0 , t 0 , m) while keeping all the others unchanged. The NPCR and UACI of the cipher images C 1 and C 2 are calculated and listed in Table 8. The experimental results indicate that our proposed algorithm is very sensitive to a slight change in any secret key.

Classical Types of Attacks
According to Kerchoff's hypothesis, it is usually assumed that the cryptanalysts or opponents know the cryptosystem, and the security entirely depends on the secret key. A secure cryptosystem should resist all kinds of attacks; otherwise, the cryptosystem is insecure. Generally speaking, there are four classical types of attacks to break a cryptosystem, and their orders from the hardest types to the easiest types are listed as follows.
(2) Known-plaintext attack: The cryptanalyst has some plaintexts and the corresponding ciphertexts.
(3) Chosen-plaintext attack: The cryptanalyst has the opportunity to use the encryption machinery, so he or she can choose some plaintext and generate ciphertext.
(4) Chosen-ciphertext attack: The cryptanalyst has the opportunity to use the cryptograph, so he or she can choose some ciphertexts and generate plaintexts.
Among the four classical attack types mentioned above, the chosen-ciphertext attack is the most powerful attack. If a cryptosystem can resist this attack, it can resist other types of attacks.
In our proposed scheme, {S1, S2, r, t} become the equivalent keys to the original keys. It is not difficult to understand the following conclusions from the encryption formulas of Equations (8)- (11). First, it is difficult for an attacker to decipher the above equivalent keys even if he or she obtains known plaintext-ciphertext pairs (p(i), c(i)). Second, the equivalent keys r and t are updated before encrypting the i-th pixel and they are related with the intermediate ciphertext b(i−1) or the final ciphertext c(i+1). It means that a different cipher image will yield different sequences of {r, t}. Even if the attacker cracked the key sequences of {r, t} with some specially chosen-ciphertext, the key streams of {r, t} cannot be used to decrypt the target cipher image due to the key streams of the target cipher image that are different from the cracked key streams. Moreover, it is difficult to decipher the key streams {r, t} directly by using the chosen-ciphertext attack. Therefore, the proposed scheme can well resist the chosen-ciphertext attack and can resist the four classical types of attacks.

Analysis of Robustness against Noise and Occlusion
In order to resist the differential cryptanalysis attack brought by the opponent, a strong diffusion mechanism is introduced into the proposed encryption algorithm. As a result, the ciphertext is sensitive to the noise of the transmission channel, so the algorithm lacks robustness to noise and occlusion. However, the lack of such robustness also makes it impossible for the opponent to decipher the plaintext accurately, which can ensure that the confidentiality of the image content is protected. As for how to make the encrypted image not only resist differential attack, but also withstand a certain degree of noise, we consider introducing an error correction mechanism in channel coding and decoding. This is worthy of further study in the future.

Analysis of Speed
In addition to security performance, a practical cryptosystem should also have faster encryption speed. To evaluate the encryption efficiency of the proposed algorithm, the 8-bit greyscale images with a size of 256 × 256 and 512 × 512 are encrypted. And the same type of S-box based image encryption algorithms proposed by Zhang [39], Wang [40], and Çavuşoglu [57] are also implemented on the same hardware and software platform mentioned at the beginning of Section 5. The average values of the encryption/decryption time taken by Zhang's algorithm, Wang's algorithm, Çavuşoglu's algorithm and our proposed algorithm are shown in Table 9, respectively. The experimental results show the advantages of the proposed algorithm in time efficiency. Our proposed algorithm has an execution time that includes: Two S-boxes generated by a novel simple method using the 1D discrete chaotic map, 2L times of byte substitution and 2L times mod 256 addition operations. Zhang's algorithm execution time include: Two S-boxes generated by an ordinary method using the 1D discrete chaotic map, 2L times of byte substitution, L times mod 256 addition operations and L times bitXor operations. Wang's algorithm has an execution time that includes: Three S-boxes generated by an ordinary method using the 3D continuous-time chaotic system, L times of byte substitution, L times mod 3 addition operations and L times bitXor operations. Çavuşoglu's algorithm has an execution time that includes: One S-box generated by an ordinary method using the 3D continuous-time chaotic system, L times of byte substitution and L times bitXor operations. The mod addition operation has a less execution time than the bitXor operation, and the bitXor operation has a less execution time than the byte substitution operation. Our algorithm to generate the S-box has the least execution time among the four algorithms. As the result, the total execution time of our algorithm is the smallest one among the four algorithms.

Conclusions
In this paper, an efficient and secure image encryption scheme is presented. The main contributions of this paper are as follows: First, a new compound chaotic system, the Sine-Tent map, is proposed, which has wider chaotic range and better chaotic performance than any of the old one. And the new compound chaotic system is more suitable for cryptosystem. Second, an efficient and secure method for generating S-boxes is proposed, which has less execution time than the other ones. Third, a novel double S-boxes based image encryption algorithm is proposed. By introducing equivalent key sequences {r, t} related with image ciphertext, the proposed cryptosystem can resist the four classical types of attacks, which is an advantage over other S-box based encryption schemes. It overcomes the security defects of some old S-box based encryption algorithms. In addition, two rounds of forward and backward confusion-diffusion operation enhance the sensitivity of the algorithm. The simulation results and security analysis verify the effectiveness of the proposed scheme. The new scheme has obvious efficiency advantages, which means that it has better application potential in real-time image encryption. The proposed scheme is also suitable to color images by connecting three color channels of color image into gray image.
As for the research of the chaotic image encryption, there are two aspects worthy of further study in the future. First, we need to explore new security evaluation criteria to make up for the shortcomings of empirical security standards. Second, in order to ensure that the encryption system is not only resistant to differential cryptanalysis attacks, but also robust to noise, it may be an effective solution to introduce error-correcting codes in the process of cryptography and decoding.