Image Encryption Using Elliptic Curves and Rossby/Drift Wave Triads

Abstract

We propose an image encryption scheme based on quasi-resonant Rossby/drift wave triads (related to elliptic surfaces) and Mordell elliptic curves (MECs). By defining a total order on quasi-resonant triads, at a first stage we construct quasi-resonant triads using auxiliary parameters of elliptic surfaces in order to generate pseudo-random numbers. At a second stage, we employ an MEC to construct a dynamic substitution box (S-box) for the plain image. The generated pseudo-random numbers and S-box are used to provide diffusion and confusion, respectively, in the tested image. We test the proposed scheme against well-known attacks by encrypting all gray images taken from the USC-SIPI image database. Our experimental results indicate the high security of the newly developed scheme. Finally, via extensive comparisons we show that the new scheme outperforms other popular schemes.

1. Introduction

The exchange of confidential images via the internet is usual in today’s life, even though the internet is an open source that is unsafe and unauthorized persons can steal useful or sensitive information. Therefore it is essential to be able to share images in a secure way. This goal is achieved by using cryptography. Traditional cryptographic techniques such as data encryption standard (DES) and advanced encryption standard (AES) are not suitable for image transmission because image pixels are usually highly correlated [1,2]. By contrast, DES and AES are ideal techniques for text encryption [3], so researchers are trying to develop such techniques to meet the demand for reliable image delivery.

A number of image encryption schemes have been developed using different approaches [4,5,6,7,8,9,10,11,12,13,14]. Hua et al. [12] developed a highly secure image encryption algorithm, where pixels are shuffled via the principle of the Josephus problem and diffusion is obtained by a filtering technology. Wu et al. [13] proposed a novel image encryption scheme by combining a random fractional discrete cosine transform (RFrDCT) and the chaos-based Game of Life (GoL). In their scheme, the desired level of confusion and diffusion is achieved by GoL and an XOR operation, respectively. “Confusion” entails hiding the relation between input image, secret keys and the corresponding cipher image, and “diffusion” is an alteration of the value of each pixel in an input image [1].

One of the dominant trends in encryption techniques is chaos-based encryption [15,16,17,18,19,20]. The reason for this dominance is that the chaos-based encryption schemes are highly sensitive to the initial parameters. However, there are certain chaotic cryptosystems that exhibit a lower security level due to the usage of chaotic maps with less complex behavior (see [21]). This problem is addressed in [22] by introducing a cosine-transform-based chaotic system (CTBCS) for encrypting images with higher security. Xu et al. [23] suggested an image encryption technique based on fractional chaotic systems and verified experimentally the higher security of the underlying cryptosystem. Ahmad et al. [24] highlighted certain defects of the above-mentioned cryptosytem by recovering the plain image without the secret key. Moreover, they proposed an enhanced scheme to thwart all kinds of attacks.

The chaos-based algorithms also use pseudo-random numbers and substitution boxes (S-boxes) to create confusion and diffusion [25,26]. Cheng et al. [25] proposed an image encryption algorithm based on pseudo-random numbers and AES S-box. The pseudo-random numbers are generated using AES S-box and chaotic tent maps. The scheme is optimized by combining the permutation and diffusion phases, but the image is encrypted in rounds, which is time consuming. Belazi et al. [26] suggested an image encryption algorithm using a new chaotic map and logistic map. The new chaotic map is used to generate a sequence of pseudo-random numbers for masking phase. Then eight dynamic S-boxes are generated. The masked image is substituted in blocks via aforementioned S-boxes. The substituted image is again masked by another pseudo-random sequence generated by the logistic map. Finally, the encrypted image is obtained by permuting the masked image. The permutation is done by a sequence generated by the map function. This algorithm fulfills the security analysis but performs slowly due to the four cryptographic phases. In [27], an image encryption method based on chaotic maps and dynamic S-boxes is proposed. The chaotic maps are used to generate the pseudo-random sequences and S-boxes. To break the correlation, pixels of an input image are permuted by the pseudo-random sequences. In a second phase the permuted image is decomposed into blocks. Then blocks are encrypted by the generated S-boxes to get the cipher image. From histogram analysis it follows that the suggested technique generates cipher images with a nonuniform distribution.

Similar to the chaotic maps, elliptic curves (ECs) are sensitive to input parameters, but EC-based cryptosystems are more secure than those of chaos [28]. Toughi et al. [29] developed a hybrid encryption algorithm using elliptic curve cryptography (ECC) and AES. The points of an EC are used to generate pseudo-random numbers and keys for encryption are acquired by applying AES to the pseudo-random numbers. The proposed algorithm gets the promising security but pseudo-random numbers are generated via the group law, which is time consuming. In [3], a cyclic EC and a chaotic map are combined to design an encryption algorithm. The developed scheme overcomes the drawbacks of small key space but is unsafe to the known-plaintext/chosen-plaintext attack [30]. Similarly, Hayat et al. [31] proposed an EC-based encryption technique. The stated scheme generates pseudo-random numbers and dynamic S-boxes in two phases, where the construction of S-box is not guaranteed for each input EC. Therefore, changing of ECs to generate an S-box is a time-consuming work. Furthermore, the generation of ECs for each input image makes it insufficient.

Based on the above discussion, we propose an improved image encryption algorithm, based on quasi-resonant Rossby/drift wave triads [32,33] (triads, for short) and Mordell elliptic curves (MECs). The triads are utilized in the generation of pseudo-random numbers and MECs are employed to create dynamic S-boxes. The proposed scheme is novel in that it introduces the technique of pseudo-random numbers generation using triads, which is faster than generating pseudo-random numbers by ECs. Moreover, the scheme does not require to separately generate triads for each input image of the same size. In the present scheme, MECs are used opposite to [31], in the sense that now, for each input image, the generation of a dynamic S-box is guaranteed [34]. Finally, extensive performance analyses and comparisons reveal the efficiency of the proposed scheme.

This paper is organized as follows. Preliminaries are described in Section 2. In Section 3, the proposed encryption algorithm is explained in detail. Section 4 provides the experimental results as well as a comparison between the proposed method and other existing popular schemes. Lastly, conclusions are presented in Section 5.

2. Preliminaries

Barotropic vorticity equation: The barotropic vorticity equation (in the so-called $\beta$-plane approximation) is one of the simplest two-dimensional models of the large-scale dynamics of a shallow layer of fluid on the surface of a rotating sphere. It is described in mathematical terms by the partial differential equation

$$\frac{\partial }{\partial t}({\nabla }^2\psi -F\psi )+\left(\frac{\partial \psi }{\partial x}\frac{\partial {\nabla }^2\psi }{\partial y}-\frac{\partial \psi }{\partial y}\frac{\partial {\nabla }^2\psi }{\partial x}\right)+\gamma \frac{\partial \psi }{\partial x}=0,$$

(1)

where $\psi (x,y,t)\in \mathbb{R}$ represents the geopotential height, $\gamma$ is the Coriolis parameter, a real constant measuring the variation of the Coriolis force with latitude (x represents longitude and y represents latitude) and F is a non-negative real constant representing the inverse of the square of the deformation radius. We assume periodic boundary conditions: $\psi (x+2\pi ,y,t)=\psi (x,y+2\pi ,t)=\psi (x,y,t)$ for all $x,y,t\in \mathbb{R}$. In the literature Equation (1) is also known as the Charney–Hasegawa–Mima equation (CHM) [35,36,37,38,39]. This equation accepts harmonic solutions, known as Rossby waves, which are solutions of both the linearized form and the whole (nonlinear) form of Equation (1). A Rossby wave solution is given explicitly by the parameterized function ${\psi }_{(k,l)}(x,y,t)=\Re \left\{A{\mathrm{e}}^{i(kx+ly-\omega (k,l\left)t\right)}\right\}$, where $A\in \mathbb{C}$ is an arbitrary constant, $\omega (k,l)=-\frac{\gamma k}{k^2+l^2+F}$ is the so-called dispersion relation, and $(k,l)\in {\mathbb{Z}}^2$ is called the wave vector. For simplicity, we take $\gamma =-1$ and $F=0$ in what follows [32,33].

Resonant triads: As Equation (1) is nonlinear, modes with different wave vectors tend to couple and exchange energy. If the nonlinearity is weak, this exchange happens to be quite slow and is more efficient amongst groups of modes that are in resonance. To the lowest order of nonlinearity in Equation (1), approximate solutions known as resonant triad solutions can be constructed via linear combinations of the form

$$\psi (x,y,t)=\Re \{A_1{\mathrm{e}}^{i(k_{1}x+l_{1}y-\omega (k_1,l_1)t)}+A_2{\mathrm{e}}^{i(k_{2}x+l_{2}y-\omega (k_2,l_2)t)}+A_3{\mathrm{e}}^{i(k_{3}x+l_{3}y-\omega (k_3,l_3)t)}\},$$

where $A_1,A_2,A_3$ are slow functions of time (they satisfy a closed system of ODEs, not shown here), and the wave vectors $(k_1,l_1),(k_2,l_2)$ and $(k_3,l_3)$ satisfy the Diophantine system of equations:

$$k_1+k_2=k_3,l_1+l_2=l_3\mathrm{and}{\omega }_1+{\omega }_2={\omega }_3,$$

(2)

for ${\omega }_i=\omega (k_i,l_i),i=1,2,3$. A set of three wavevectors satisfying Equations (2) is called a resonant triad. Solutions can be found analytically via a rational transformation to elliptic surfaces (see below).

Quasi-resonant triads and detuning level: If, in (2), the equation ${\omega }_1+{\omega }_2={\omega }_3$ is replaced by the inequality $|{\omega }_1+{\omega }_2-{\omega }_3|\le {\delta }^{-1}$, for a large positive number $\delta$, then the triad becomes a quasi-resonant triad and ${\delta }^{-1}$ is known as the detuning level of the quasi-resonant triad. It is possible to construct quasi-resonant triads via downscaling of resonant triads that have very large wave vectors [32]. For simplicity, in what follows we simply call a quasi-resonant triad a triad and denote it by $\Delta$. Finally, to avoid over-counting of triads we will impose the condition $k_3>0$.

Rational transformation: In [32], wave vectors are explicitly expressed in terms of rational variables $X,Y$ and D as follows:

$$\frac{k_1}{k_3}=\frac{X}{Y^2+D^2},\frac{l_1}{k_3}=\left(\frac{X}{Y}\right)\left(1-\frac{D}{Y^2+D^2}\right),\frac{l_3}{k_3}=\frac{D-1}{Y}.$$

(3)

In the case $F=0$, the rational variables $X,Y,D$ lie on an elliptic surface. The transformation is bijective and its inverse mapping is given by:

$$X=\frac{k_3(k_1^2+l_1^2)}{k_1(k_3^2+l_3^2)},Y=\frac{k_3(k_3{l}_1-k_1{l}_3)}{k_1(k_3^2+l_3^2)},D=\frac{k_3(k_3{k}_1-l_1{l}_3)}{k_1(k_3^2+l_3^2)}.$$

(4)

New parameterization: In [40], Kopp parameterized the resonant triads and in terms of parameters u and t it follows by [40] (Equation (1.22)) that:

$$\begin{array}{cc}\hfill \frac{k_1}{k_3}=& (t^2+u^2)(t^2-2u+u^2)/(1-2u),\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill \frac{l_3}{k_3}=& \left(u(2u-1)+(t^2+u^2)(t^2-2u+u^2)\right)/\left(t(1-2u)\right),\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill \frac{l_1}{k_3}=& (t^2+u^2)\left((2u-1)+u(t^2-2u+u^2)\right)/\left(t(1-2u)\right).\hfill \end{array}$$

(7)

In 2019, Hayat et al. [33] found a new parameterisation of $X,Y$ and D in terms of auxiliary parameters $a,b$ and hence $\frac{k_1}{k_3},\frac{l_3}{k_3}$ and $\frac{l_1}{k_3}$ are given by:

$$\begin{array}{cc}\hfill \frac{k_1}{k_3}=& \frac{{\left(a^2+b(2-3b)+1\right)}^3}{(a^2-3b^2-2b+1)\left(2(11-3a^2)b^2+{(a^2+1)}^2-16ab+9b^4\right)},\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill \frac{l_3}{k_3}=& \frac{6(a^2+a-1)b^2-{(a+1)}^2(a^2+1)+4ab-9b^4}{(a^2-3b^2-1)(a^2-3b^2-2b+1)},\hfill \end{array}$$

(9)

$$\begin{array}{cc}\hfill \frac{l_1}{k_3}=& \frac{\left(a^2+b(2-3b)+1\right)}{\begin{array}{c}(a^2-3b^2-1)(a^2-3b^2-2b+1)\left(2(11-2a^2)b^2+{(a^2+1)}^2-16ab+9b^4\right)\\ \times [a^6+2a^5+a^4(-9b^2-6b+3)-4a^3(3b^2+2b-1)+3a^2{(3b^2+2b-1)}^2\\ +2a(9b^4+12b^3+14b^2-4b+1)-{(3b^2+1)}^2(3b^2+6b-1)]\end{array}}.\hfill \end{array}$$

(10)

Elliptic curve (EC): Let ${\mathbb{F}}_p$ be a finite field for any prime p, then an EC $E_p$ over ${\mathbb{F}}_p$ is defined by

$$y^2\equiv x^3+bx+c(modp),$$

(11)

where $b,c\in {\mathbb{F}}_p$. The integers $b,c$ and p are called parameters of an EC. The number of all $(x,y)\in {\mathbb{F}}_p^2$ satisfying the congruence (11) is denoted by $\#E_p$.

Mordell elliptic curve (MEC): In the special but important case $b=0$, the above EC is known as an MEC and is represented by

$$y^2\equiv x^3+c(modp).$$

(12)

For $p\equiv 2(mod3)$, there are exactly $p+1$ points $(x,y)\in {\mathbb{F}}_p^2$ satisfying the congruence (12), see [41] for further details.

If points on $E_p$ are ordered according to some total order ≺ then $E_p$ is said to be an ordered EC. Recall that total order is a binary relation which possesses the reflexive, antisymmetric and transitive properties. Azam et al. [42] introduced a total order known as a natural ordering on MECs given by

$$(x_1,y_1)\prec (x_2,y_2)\iff \left\{\begin{array}{c}\mathrm{either}{x}_1<x_2,\mathrm{or}\hfill \\ x_1=x_2\mathrm{and}{y}_1<y_2,\hfill \end{array}\right.$$

and generated efficient S-boxes using the aforesaid ordering. We will use natural ordering to generate S-boxes. Thus from here on $E_p$ stands for a naturally ordered MEC unless it is specified otherwise.

3. The Proposed Encryption Scheme

The proposed encryption scheme is based on pseudo-random numbers and S-boxes. The pseudo-random numbers are generated using quasi-resonant triads. To get an appropriate level of diffusion we need to properly order the $\Delta$s. For this purpose we define a binary relation ≲ as follows.

3.1. Ordering on Quasi-Resonant Triads

Let $\Delta ,{\Delta }^{\prime }$ represent the triads $(k_i,l_i),(k_i^{\prime },l_i^{\prime }),i=1,2,3$, respectively, then

$$\Delta \lesssim {\Delta }^{\prime }\iff \left\{\begin{array}{c}\mathrm{either}a<a^{\prime },\mathrm{or}\hfill \\ a=a^{\prime }\mathrm{and}b<b^{\prime },\mathrm{or}\hfill \\ a=a^{\prime },b=b^{\prime }\mathrm{and}{k}_3\le k_3^{\prime },\hfill \end{array}\right.$$

where $a,b$ and $a^{\prime },b^{\prime }$ are the corresponding auxiliary parameters of $\Delta$ and ${\Delta }^{\prime }$, respectively.

Lemma 1.

If T denotes the set of Δs in a box of size L, then ≲ is a total order on T.

Proof. 

The reflexivity of ≲ follows from $a=a,b=b$ and $k_3=k_3$ and hence $\Delta \lesssim \Delta .$ As for antisymmetry we suppose $\Delta \lesssim {\Delta }^{\prime }$ and ${\Delta }^{\prime }\lesssim \Delta$. Then, by definition $a\le a^{\prime }$ and $a^{\prime }\le a$, which imply $a=a^{\prime }$. Thus we are left with two results: $b\le b^{\prime }$ and $b^{\prime }\le b$, which imply $b=b^{\prime }$. Thus, we obtain the results $k_3\le k_3^{\prime }$ and $k_3^{\prime }\le k_3$, which ultimately give $k_3=k_3^{\prime }$. Solving Equations (8)–(10) for the obtained values, we get $k_1=k_1^{\prime },l_3=l_3^{\prime }$ and from Equation (2) it follows that $l_2=l_2^{\prime }$. Consequently $\Delta ={\Delta }^{\prime }$ and ≲ is antisymmetric. As for transitivity, let us assume $\Delta \lesssim {\Delta }^{\prime }$ and ${\Delta }^{\prime }\lesssim {\Delta }^{″}$. Then $a\le a^{\prime }$ and $a^{\prime }\le a^{″}$, implying $a\le a^{″}$. If $a<a^{″}$, then transitivity follows. If $a=a^{″}$, then $a^{\prime }=a^{″}$ too. Thus, $b\le b^{\prime }$ and $b^{\prime }\le b^{″}$, so $b\le b^{″}$. If $b<b^{″}$, then transitivity follows. If $b=b^{″}$, then $b^{\prime }=b^{″}$ too. Thus, $k_3\le k_3^{\prime }$ and $k_3^{\prime }\le k_3^{″}$, implying $k_3\le k_3^{″}$ and hence transitivity follows: $\Delta \lesssim {\Delta }^{″}$. □

Let $\stackrel{*}{T}$ stand for the set of $\Delta$s ordered with respect to the order ≲. The main steps of the proposed scheme are explained as follows.

3.2. Encryption

A. Public parameters: In order to exchange the useful information the sender and receiver should agree on the public parameters described as below:

(1)

Three sets: choose three sets ${\mathcal{A}}_i=[A_i,B_i],i=1,2,3$ of consecutive numbers with unknown step sizes, where the end points $A_i,B_i,i=1,2,3$ are rational numbers.

(2)

A total order: select a total order ≺ so that the triads generated by the above-mentioned sets may be arranged with respect to that order.

Suppose that P represents an image of size $m\times n$ to be encrypted, and the pixels of P are arranged in column-wise linear ordering. Thus, for positive integer $i\le mn$, $P\left(i\right)$ represents the i-th pixel value in linear ordering. Define $S_{\mathrm{P}}$ as the sum of all pixel values of the image P. Then the proposed scheme chooses the secret keys in the following ways.

B. Secret keys: To generate confusion and diffusion in an image, the sender chooses the secret keys as follows.

(1)

Step size: select positive integers $a_i,b_i$ to construct the step sizes ${\alpha }_i=\frac{a_i}{b_i}$ of ${\mathcal{A}}_i,i=1,2$. Additionally, choose a non-negative integer $a_3$ as a step size of ${\mathcal{A}}_3$ in such a way that ${\prod }_{i=1}^3{n}_i\ge mn$, where $\#{\mathcal{A}}_i=n_i$ represents the number of elements in ${\mathcal{A}}_i$.

(2)

Detuning level: fix some posive integer $\delta$ to find the detuning level ${\delta }^{-1}$ allowed for the triads.

(3)

Bound: select a positive integer L such that $|k_i|,|l_i|\le L$ for $i=1,2,3.$ This condition is imposed in order to bound the components of the triad wave vectors. Furthermore, choose an integer t to find $r=\lfloor S_{\mathrm{P}}/t\rceil$, where $\lfloor ·\rceil$ gives the nearest integer when $S_{\mathrm{P}}$ is divided by t. The reason for choosing such a t is to generate key-dependent S-boxes and the integer r is used to diffuse the components of triads.

(4)

A prime: select a prime $p\ge 257$ such that $p\equiv 2(mod3)$ as a secret key for computing nonzero $c\equiv S_{\mathrm{P}}+t(modp)$ to generate an S-box ${\zeta }_{E_p}(p,t,S_{\mathrm{P}})$ on the $E_p$. The S-box construction technique is made clear in Algorithm 1, and the S-box generated for $p=1607,t=182$ and $S=0$ by Algorithm 1 is shown in Table 1. Furthermore, the cryptographic properties of the said S-box are evaluated in Section 4.1 and Section 4.2.

Table 1. The obtained S-box ${\zeta }_{E_{1607}}(1607,182,0)$.

220	118	17	158	25	138	33	196	247	252	15	226	135	177	232	83
161	70	107	186	137	236	21	142	131	103	54	58	217	181	201	172
91	84	223	89	29	156	136	14	69	99	164	171	35	188	76	139
153	16	198	227	32	10	115	122	184	61	208	225	213	106	94	56
165	40	245	189	163	239	193	194	129	175	241	141	130	231	215	127
151	199	105	22	148	39	179	173	78	248	81	23	75	55	146	109
195	251	178	170	162	206	228	169	147	28	210	221	80	121	202	77
9	74	197	31	26	154	145	44	47	82	43	60	117	250	88	191
67	8	174	93	1	20	128	53	218	237	96	72	3	65	6	253
150	101	119	87	160	133	108	57	41	64	51	49	185	243	2	249
167	50	205	183	97	114	48	27	246	254	124	92	19	134	159	95
24	224	111	62	116	168	200	86	79	143	126	112	45	71	125	13
5	216	187	222	7	113	238	36	204	52	140	46	240	85	207	4
152	104	235	190	242	68	63	203	230	176	180	59	157	244	66	212
34	90	120	0	30	166	37	255	38	110	211	233	11	155	209	219
192	12	144	73	182	132	98	214	42	102	18	149	123	229	100	234

Algorithm 1: Construction of $8\times 8$ S-box.

The positive integers $a_1,b_1,a_2,b_2,a_3,\delta ,L,S_{\mathrm{P}},t$ and p are secret keys. Here it is mentioned that the parameters $a_1,b_1,a_2,b_2,a_3,\delta$ and L are used to generate $mn$ triads in a box of size L. The generation of triads is explained step by step in Algorithm 2. These triads along with keys $S_{\mathrm{P}}$ and t are used to generate the sequence ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$ of pseudo-random numbers.

Algorithm 2: Generating quasi-resonant triads.

Thus ${\Delta }_{\mathrm{j}}$ represents the j-th triad in ordered set $\stackrel{*}{T}$. Moreover, $(k_{ji},l_{ji}),i=1,2,3$ are the components of ${\Delta }_{\mathrm{j}}$. In Algorithm 3, the generation of ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$ is interpreted.

Algorithm 3: Generating the proposed pseudo-random sequence.

Input: An ordered set $\stackrel{*}{T}$, an integer t and a plain image P.

Output: Random numbers sequence ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$.

1  $Tr\left(j\right):=|r{k}_{j1}|+|l_{j1}|+|k_{j2}|$;

2  ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})\left(j\right)=(Tr\left(j\right)+S_{\mathrm{P}})(mod256)$;

The proposed sequence ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$ is cryptographically a good source of pseudo-randomness because triads are highly sensitive to the auxiliary parameters $(a,b)$ [33] and inverse detuning level $\delta$. It is shown in [32] that the intricate structure of clusters formed by triads depends on the chosen $\delta$, and the size of the clusters increases as the inverse detuning level increases. Moreover, the generation of triads is rapid due to the absence of modular operation.

C. Performing diffusion. To change the statistical properties of an input image, a diffusion process is performed. While performing the diffusion, the pixel values are changed using the sequence ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$. Let $M_{\mathrm{P}}$ denote the diffused image for a plain image P. The proposed scheme alters the pixels of P according to:

$$M_{\mathrm{P}}\left(i\right)={\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})\left(i\right)+P\left(i\right)(mod256).$$

(13)

D. Performing confusion. A nonlinear function causes confusion in a cryptosystem, and nonlinear components are necessary for a secure data encryption scheme. The current scheme uses the dynamic S-boxes to produce the confusion in an encrypted image. If $C_{\mathrm{P}}$ stands for the encrypted image of P, then confusion is performed as follows:

$$C_{\mathrm{P}}\left(i\right)={\zeta }_{E_p}(p,t,S_{\mathrm{P}})\left(M_{\mathrm{P}}\left(i\right)\right).$$

(14)

Lemma 2.

If $\#{\mathcal{A}}_i=n_i,i=1,2,3$ and p is a prime chosen for the generation of an S-box, then the time complexity of the proposed encryption scheme is max$\{\mathcal{O}\left(n_1{n}_2{n}_3\right),p^2\}$.

Proof. 

The computation of all possible values of $k_1^{\prime },l_3^{\prime }$ and $l_1^{\prime }$ in Algorithm 2 takes $\mathcal{O}\left(n_1{n}_2\right)$ time. Similarly the time complexity for generating $\stackrel{*}{T}$ is $\mathcal{O}\left(c_1{n}_3\right)$ but $c_1$ executes $n_1{n}_2$ times. Thus the time required by $\stackrel{*}{T}$ and hence by ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$ is $\mathcal{O}\left(n_1{n}_2{n}_3\right)$. Additionally, Algorithm 1 shows that the proposed S-box can be constructed in $\mathcal{O}\left(p^2\right)$ time. Thus the time complexity of the proposed scheme is max$\{\mathcal{O}\left(n_1{n}_2{n}_3\right),p^2\}$. □

Example 1.

In order to have a clear picture of the proposed cryptosystem, we explain the whole procedure using the following hypothetical $4\times 4$ image. For example, let I represent the plain image of Lena${}_{256\times 256}$, and let P be the subimage of I consisting of the intersection of the first four rows and the first four columns of I as shown in Table 2, whereas the column-wise linearly ordered image P is shown in Table 3.

Table 2. Plain image P.

162	162	162	163
162	162	162	163
162	162	162	163
160	163	160	159

Table 3. Linear ordering of image P.

$\mathit{P}\left(1\right)$	$\mathit{P}\left(5\right)$	$\mathit{P}\left(9\right)$	$\mathit{P}\left(13\right)$
$P\left(2\right)$	$P\left(6\right)$	$P\left(10\right)$	$P\left(14\right)$
$P\left(3\right)$	$P\left(7\right)$	$P\left(11\right)$	$P\left(15\right)$
$P\left(4\right)$	$P\left(8\right)$	$P\left(12\right)$	$P\left(16\right)$

We have $S_{\mathrm{P}}=2589$ and $c=247$ and the values of other parameters are described in Section 4.3. The corresponding 16 triads are obtained by Algorithm 2 as shown in Table 4.

Table 4. The corresponding set $\stackrel{*}{T}$ for image P.

${\mathbf{\Delta }}_{\mathit{j}}$	${\mathit{k}}_1$	${\mathit{l}}_1$	${\mathit{k}}_2$	${\mathit{l}}_2$	${\mathit{k}}_3$	${\mathit{l}}_3$	${\mathbf{\Delta }}_{\mathit{j}}$	${\mathit{k}}_1$	${\mathit{l}}_1$	${\mathit{k}}_2$	${\mathit{l}}_2$	${\mathit{k}}_3$	${\mathit{l}}_3$
${\Delta }_1$	−1128	1152	1529	668	401	1820	${\Delta }_9$	−1240	1267	1681	735	441	2002
${\Delta }_2$	−1142	1167	1548	676	406	1843	${\Delta }_{10}$	−1254	1282	1700	743	446	2025
${\Delta }_3$	−1156	1181	1567	685	411	1866	${\Delta }_{11}$	−1268	1296	1719	751	451	2047
${\Delta }_4$	−1170	1195	1586	694	416	1889	${\Delta }_{12}$	−1282	1310	1738	760	456	2070
${\Delta }_5$	−1184	1210	1605	701	421	1911	${\Delta }_{13}$	−1296	1325	1757	768	461	2093
${\Delta }_6$	−1198	1224	1624	710	426	1934	${\Delta }_{14}$	−1310	1339	1776	776	466	2115
${\Delta }_7$	−1212	1238	1643	719	431	1957	${\Delta }_{15}$	−1325	1353	1796	785	471	2138
${\Delta }_8$	−1226	1253	1662	726	436	1979	${\Delta }_{16}$	−1339	1368	1815	793	476	2161

From $S_{\mathrm{P}}=2589$ and $t=2$, it follows that $r=1295$ and hence by application of Algorithm 3 the terms of ${\beta }_{\stackrel{*}{T}}(2,2589)$ are listed in Table 5. Moreover, the S-box ${\zeta }_{E_{293}}(293,2,2589)$ is constructed by Algorithm 1, giving the mapping ${\zeta }_{E_{293}}(293,2,2589):\{0,1,\dots ,255\}\to \{0,1,\dots ,255\}$, which maps the list $(0,\dots ,255)$ to the list $(80,213,29,113,180,2,119,174,10,103,190,120,173,99,194,126,167,42,251,78,215,84,209,93,200,130,$ $163,32,17,117,176,62,231,110,183,56,237,75,218,127,166,73,220,13,91,202,28,129,164,118,175,69,$ $224,50,243,100,193,137,156,89,204,12,63,230,74,219,4,131,162,134,159,123,170,90,203,70,223,87,$ $206,59,234,145,148,58,235,57,236,65,228,15,112,181,52,241,76,217,60,233,121,172,68,225,51,242,$ $135,158,41,252,21,142,151,26,25,40,253,96,197,136,157,9,116,177,122,171,45,248,115,178,102,191,$ $67,226,95,198,143,150,133,160,98,195,3,94,199,30,104,189,132,161,8,64,229,144,149,140,153,14,$ $85,208,20,6,109,184,125,168,92,201,19,53,240,31,66,227,35,82,211,108,185,139,154,33,16,86,207,$ $128,165,5,71,222,38,255,23,0,81,212,1,141,152,111,182,138,155,49,244,22,106,187,105,188,36,54,$ $239,46,247,43,250,97,196,27,11,24,44,249,83,210,61,232,39,254,7,72,221,77,216,47,246,107,186,$ $48,245,55,238,124169,34,79,214,88,205,114,179,37,18,146,147,101,192)$.

Table 5. Pseudo-random sequence for plain image $P.$

${\beta }_{\stackrel{*}{T}}(2,2589)\left(1\right)=188$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(5\right)=126$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(9\right)=65$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(13\right)=3$
${\beta }_{\stackrel{*}{T}}(2,2589)\left(2\right)=108$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(6\right)=47$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(10\right)=241$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(14\right)=180$
${\beta }_{\stackrel{*}{T}}(2,2589)\left(3\right)=29$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(7\right)=224$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(11\right)=162$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(15\right)=115$
${\beta }_{\stackrel{*}{T}}(2,2589)\left(4\right)=206$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(8\right)=144$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(12\right)=83$	${\beta }_{\stackrel{*}{T}}(2,2589)\left(16\right)=35$

Hence by the respective application of Equation (13) and the S-box ${\zeta }_{E_{293}}(293,2,2589)$, the pixel values of diffused image $M_{\mathrm{P}}$ and encrypted image $C_{\mathrm{P}}$ are shown in Table 6 and Table 7, respectively.

Table 6. Diffused image $M_{\mathrm{P}}.$

94	32	227	166
14	209	147	87
191	130	68	22
110	51	243	194

Table 7. Encrypted image $C_{\mathrm{P}}.$

76	231	254	19
194	54	161	65
0	67	162	209
151	69	34	1

3.3. Decryption

In our scheme the decryption process can take place by reversing the operations of the encryption process. One should know the inverse S-box ${\zeta }_{E_p}^{-1}(n,t,S_{\mathrm{P}})$ and the pseudo-random numbers ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$. Assume the situation when the secret keys $a_1,b_1,a_2,b_2,a_3,\delta$, $L,S_{\mathrm{P}},t$ and p are transmitted by a secure channel, so that the set $\stackrel{*}{T}$ is obtained using keys $a_1,b_1,a_2,b_2,a_3,\delta$ and L, and hence the S-box ${\zeta }_{E_p}^{-1}(p,t,S_{\mathrm{P}})$ and the pseudo-random numbers ${\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})$ can be computed by $S_{\mathrm{P}},t$ and p. Finally, the receiver gets the original image P by applying the following equations:

$$\begin{array}{cc}\hfill & M_{\mathrm{P}}\left(i\right)={\zeta }_{E_p}^{-1}(p,t,S_{\mathrm{P}})\left(C_{\mathrm{P}}\left(i\right)\right),\hfill \end{array}$$

(15)

$$\begin{array}{c}\hfill \begin{array}{c}\hfill P\left(i\right)=M_{\mathrm{P}}\left(i\right)-{\beta }_{\stackrel{*}{T}}(t,S_{\mathrm{P}})\left(i\right)(mod256).\end{array}\end{array}$$

(16)

4. Security Analysis

In this section the cryptographic strength of both the S-box construction technique and encryption scheme are analyzed in detail.

4.1. Evaluation of the Designed S-Box

An S-box with good cryptographic properties ensures the quality of an encryption technique. Generally, some standard tests such as nonlinearity (NL), linear approximation probability (LAP), strict avalanche criterion (SAC), bit independence criterion (BIC) and differential approximation probability (DAP) are used to evaluate the cryptographic strength of an S-box.

The NL [43] and the LAP [44] are outstanding features of an S-box, used to measure the resistance against linear attacks. The NL measures the level of nonlinearity and the LAP finds the maximum imbalance value of an S-box. The optimal value of the nonlinearity is 112. A low value of LAP corresponds to a high resistance. The minimum NL and the LAP values for the displayed S-box are 106 and $0.1484$, respectively. This ensures that the proposed S-box is immune to linear attacks. Webster and Tavares [45] developed the concepts of the SAC and the BIC, which are used to find the confusion and diffusion creation potential of an S-box. In other words, the SAC criterion measures the change in output bits when an input bit is altered. Similarly, the BIC criterion explores the correlation in output bits when change in a single input bit occurs. The average values of the SAC and the BIC for the constructed S-box are $0.4951$ and $0.4988$, respectively, which are close to the optimal value $0.5$. Thus, both tests are satisfied by the suggested S-box. The DAP [46] is another important feature used to analyze the capability of an S-box against differential attacks. The lowest value of DAP for an S-box implies the highest security to the differential attacks. Our DAP result is $0.0234$, which is good enough to resist differential cryptanalysts.

4.2. Performance Comparison of the S-Box Generation Algorithm

After performing the rigorous analyses, the S-box constructed by the current algorithm is compared with some cryptographically strong S-boxes developed by recent schemes, as shown in Table 8.

Table 8. Comparison table of the proposed S-box ${\zeta }_{E_{1607}}(1607,182,0)$.

S-Boxes	NL	LAP	SAC			BIC			DAP
			(min)	(avg)	(max)	(min)	(avg)	(max)
Ours	106	0.1484375	0.390625	0.49511719	0.609375	0.47265625	0.49888393	0.52539063	0.0234375
Ref. [31]	104	0.1484375	0.421900	-	0.6094	0.4629	-	0.5430	0.0469
Ref. [47]	104	0.1328125	0.40625	0.49755859	0.625	0.46679688	0.50223214	0.5234375	0.0234375
Ref. [48]	101	0.140625	0.421875	0.49633789	0.578125	0.46679688	0.49379185	0.51953125	0.03125
Ref. [49]	104	0.140625	0.421875	0.50390625	0.59375	0.4765625	0.50585938	0.5390625	0.0234375
Ref. [50]	100	0.140625	0.40625	0.50097656	0.609375	0.44726563	0.50634766	0.53320313	0.03125
Ref. [51]	106	0.140625	0.390625	0.49414063	0.609375	0.47070313	0.50132533	0.53320313	0.0234375
Ref. [52]	102	0.140625	0.421875	0.49804688	0.640625	0.4765625	0.50746373	0.53320313	0.0234375
Ref. [53]	104	0.0391	0.3906	-	0.6250	0.4707	-	0.53125	0.0391
Ref. [54]	104	0.0547000	0.4018	0.4946	0.5781	0.4667969	0.4988839	0.5332031	0.0391
Ref. [55]	108	0.1328	0.40625	0.4985352	0.59375	0.46484375	0.5020229	0.52734375	0.0234375

From Table 8 it follows that the NL of ${\zeta }_{E_{1607}}(1607,182,0)$ is greater than the S-boxes in [31,47,48,49,50,52,53,54], equal to that of [51] and less than the S-box developed in [55], which indicates that ${\zeta }_{E_{1607}}(1607,182,0)$ is highly nonlinear in comparison to the S-boxes in [31,47,48,49,50,52,53,54]. Additionally, the LAP of ${\zeta }_{E_{1607}}(1607,182,0)$ is comparable to all the S-boxes in Table 8. The SAC (average) value of ${\zeta }_{E_{1607}}(1607,182,0)$ is greater than the S-boxes in [51,54], and the SAC (max) value is less than or equal to the S-boxes in [31,47,50,51,52,53]. Similarly the BIC (min) value of ${\zeta }_{E_{1607}}(1607,182,0)$ is closer to the optimal value $0.5$ than that of [31,47,48,50,51,53,54,55], and the BIC (max) value of the new S-box is better than that of the S-boxes in [31,49,50,51,52,53,54,55]. Thus the confusion/diffusion creation capability of ${\zeta }_{E_{1607}}(1607,182,0)$ is better than [31,50,51,52,53,55]. The DAP value of our suggested S-box ${\zeta }_{E_{1607}}(1607,182,0)$ is lower than the DAP of the S-boxes presented in [31,48,50,53,54] and equal to that of [47,49,51,52,55]. Thus from the above discussion it follows that the newly designed S-box shows high resistance to linear as well as differential attacks.

4.3. Evaluation of the Proposed Encryption Technique

In this section the current scheme is implemented on all gray images of the USC-SIPI Image Database [56]. The USC-SIPI database contains images of size $m\times m$, m = 256,512,1024. Furthermore, some security analyses that are explained one by one in the associated subsections are presented. To validate the quality of the proposed scheme, the experimental results are compared with some other encryption schemes. The parameters used for the experiments are $A_1=A_2=-1.0541,A_3=401,B_1=B_2=-0.8514$ and $B_3=691,3036,5071$ for m = 256,512,1024, respectively; $a_1=2,b_1=1000,a_2=19,b_2=1000,a_3=5,\delta =1000,t=2,p=293,L$ = 90,000 and $S_{\mathrm{P}}$ varies for each P. The experiments were performed using Matlab R2016a on a personal computer with a $1.8$ GHz Processor and 6 GB RAM. All encrypted images of the database along with histograms are available at [57]. Some plain images, House${}_{256\times 256}$, Stream${}_{512\times 512}$, Boat${}_{512\times 512}$ and Male${}_{1024\times 1024}$ and their cipher images are displayed in Figure 1.

Figure 1. (a–d) Plain images House, Stream, Boat and Male; (e–h) cipher images of the plain images (a–d), respectively.

4.3.1. Statistical Attack

A cryptosystem is said to be secure if it has high resistance against statistical attacks. The strength of resistance against statistical attacks is measured by entropy, correlation and histogram tests. All of these tests are applied to evaluate the performance of the discussed scheme.

(1)

Histogram. A histogram is a graphical way to display the frequency distribution of pixel values of an image. A secure cryptosystem generates cipher images with uniform histograms. The histograms of the encrypted images using the proposed method are available at [57]. However, the respective histograms for the images in Figure 1 are shown in Figure 2. The histograms of the encrypted images are almost uniform. Moreover, the histogram of an encrypted image is totally different from that of the respective plain image, so that it does not allow useful information to the adversaries, and the proposed algorithm can resist any statistical attack.

Figure 2. (a–d) Histograms of Figure 1a–d; (e–h) histograms of Figure 1e–h.

(2)

Entropy. Entropy is a standout feature to measure the disorder. Let I be a source of information over a set of symbols N. Then the entropy of I is defined by:

$$\mathrm{H}\left(I\right)=\sum _{i=1}^{\#N}p\left(I_i\right){\log }_2\frac{1}{p\left(I_i\right)},$$

(17)

where $p\left(I_i\right)$ is the probability of occurrence of symbol $i.$ The ideal value of $\mathrm{H}\left(I\right)$ is ${\log }_2(\#N)$, if all symbols of N occur in I with the same probability. Thus, an image I emanating 256 gray levels is highly random if $\mathrm{H}\left(I\right)$ is close to 8 (notice, however, that this definition of entropy does not take into account pixel correlations). The entropy results for all images encrypted by the suggested technique are shown in Figure 3, where the minimum, average and maximum values are $7.9966,7.9986$ and $7.9999$, respectively. These results are close to 8, and hence the developed mechanism is secure against entropy attacks.

Figure 3. (a–c) The horizontal, diagonal and vertical correlations among pixels of each image in USC-SIPI database; (d) the entropy of each image in USC-SIPI database.

(3)

Pixel correlation. A meaningful image has strong correlation among the adjacent pixels. In fact, a good cryptosystem has the ability to break the pixel correlation and bring it close to zero. For any two gray values x and y, the pixel correlation can be computed as:

$$C_{xy}=\frac{E\left[(x-E[x\left]\right)(y-E[y\left]\right)\right]}{\sqrt{K\left[x\right]K\left[y\right]}},$$

(18)

where $E\left[x\right]$ and $K\left[x\right]$ denote expectation and variance of x, respectively. The range of $C_{xy}$ is $-1$ to 1. The gray values x and y are in low correlation if $C_{xy}$ is close to zero. As the pixels may be adjacent in horizontal, diagonal and vertical directions, the correlation coefficients of all encrypted images along all three directions are shown in Figure 3, where the respective ranges of $C_{xy}$ are [$-0.0078$, $0.0131$], [$-0.0092$,$0.0080$] and [$-0.0100$,$0.0513$]. These results show that the presented method is capable of reducing the pixel correlation near to zero.

In addition, 2000 pairs of adjacent pixels of the plain image and cipher image of Lena${}_{512\times 512}$ are randomly selected. Then correlation distributions of the adjacent pixels in all three directions are shown in Figure 4, which reveals the strong pixel correlation in the plain image but a weak pixel correlation in the cipher image generated by the current scheme.

Figure 4. (b–d) The distribution of pixels of the plane image (a) in the horizontal, diagonal and vertical directions; (f–h) the distribution of pixels of the cipher image (e) in the horizontal, diagonal and vertical directions.

4.3.2. Differential Attack

In differential attacks the opponents try to get the secret keys by studying the relation between the plain image and cipher image. Normally attackers encrypt two images by applying a small change to these images, then compare the properties of the corresponding cipher images. If a minor change in the original image can cause a significant change in the encrypted image, then the cryptosystem has a high security level. The two tests NPCR (number of pixels change rate) and UACI (unified average changing intensity) are usually used to describe the security level against differential attacks. For two plain images P and $P^{{}^{\prime }}$ different at only one pixel value, let $C_{\mathrm{P}}$ and $C_{{\mathrm{P}}^{{}^{\prime }}}$ be the cipher images of P and $P^{{}^{\prime }}$, respectively, then NPCR and UACI are calculated as:

$$\begin{array}{cc}\hfill \mathrm{NPCR}& =\sum _{u=1}^m\sum _{v=1}^n\frac{\tau (u,v)}{m\times n},\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill \mathrm{UACI}& =\sum _{u=1}^m\sum _{v=1}^n\frac{|C_{\mathrm{P}}(u,v)-C_{{\mathrm{P}}^{{}^{\prime }}}(u,v)|}{255\times m\times n},\hfill \end{array}$$

(20)

where $\tau (u,v)=0$ if $C_{\mathrm{P}}(u,v)=C_{{\mathrm{P}}^{{}^{\prime }}}(u,v)$ and $\tau (u,v)=1,$ otherwise. The expected values of NPCR and UACI for 8-bit images are $0.996094$ and $0.334635$, respectively [13]. We applied the above two tests to each image of the database by randomly changing the pixel value of each image. The experimental results are shown in Figure 5, giving average values of NPCR and UACI of $0.9961$ and $0.3334$, respectively. It follows from the obtained results that our scheme is capable of resisting a differential attack.

Figure 5. (a,b) The NPCR and UACI results for each image in the USC-SIPI database; (c) First 256 pseudo-random numbers and (d) two S-boxes generated for Lena_512×512 with a small change in an input key t.

4.3.3. Key Analysis

For a secure cryptosystem it is essential to perform well against key attacks. A cryptosystem is highly secure against key attacks if it has key sensitivity and large key space and strongly opposes the known-plaintext/chosen-plaintext attack. The proposed scheme is analyzed against key attacks as follows.

(1)

Key sensitivity. Attackers usually use slightly different keys to encrypt a plain image and then compare the obtained cipher image with the original cipher image to get the actual keys. Thus, high key sensitivity is essential for higher security. That is, cipher images of a plain image generated by two slightly different keys should be entirely different. The difference of the cipher images is quantified by Equations (19) and (20). In experiments we encrypted the whole database by changing only one key, while other keys remain unchanged. The key sensitivity results are shown in Table 9, where the average values of NPCR and UACI are $0.9960$ and $0.3341$, respectively, which specify the remarkable difference in the cipher images. Moreover, our cryptosytem is based on the pseudo-random numbers and S-boxes. The sensitivity of pseudo-random numbers sequences ${\beta }_{\stackrel{*}{T}}(2,S_{\mathrm{P}})$ and ${\beta }_{\stackrel{*}{T}}(1,S_{\mathrm{P}})$ and S-boxes ${\zeta }_{E_p}(p,2,S_{\mathrm{P}})$ and ${\zeta }_{E_p}(p,1,S_{\mathrm{P}})$ for Lena${}_{512\times 512}$ is shown in Figure 5.

Table 9. Difference between two encrypted images when key $t=2$ is changed to $t=1$. NPCR: number of pixels change rate; UACI: unified average changing intensity.

Image	NPCR(%)	UACI(%)	Image	NPCR(%)	UACI(%)	Image	NPCR(%)	UACI(%)
Female	99.62	33.39	House	99.62	33.23	Couple	99.56	33.30
Tree	99.59	33.35	Beans	99.64	33.23	Splash	99.60	33.97

(2)

Key space. In order to resist a brute force attack, key space should be sufficiently large. For any cryptosystem, key space represents the set of all possible keys required for the encryption process. Generally, the size of the key space should be greater than $2^{128}.$ In the present scheme the parameters $a_1,b_1,a_2,b_2,a_3,\delta ,L,S_{\mathrm{P}},t$ and p are used as secret keys, and we store each of them in 28 bits. Thus the key space of the proposed cryptosystem is $2^{280}$ which is larger than $2^{128}$ and hence capable to resist a brute force attack.

(3)

Known-plaintext/chosen-plaintext attack. In a known-plaintext attack, the attacker has partial knowledge about the plain image and cipher image, and tries to break the cryptosystem, while in a chosen-plaintext attack the attacker encrypts an arbitrary image to get the encryption keys. An all-white/black image is usually encrypted to test the performance of a scheme against these powerful attacks [29,58]. We analyzed our scheme by encrypting an all-white/black image of size $256\times 256$. The results are shown in Figure 6 and Table 10, revealing that the encrypted images are significantly randomized. Thus the proposed system is capable of preventing the above mentioned attacks.

Figure 6. (a) All-white; (b) all-black; (c,d) cipher images of (a,b); (e,f) histograms of (c,d).

Table 10. Security analysis of all-white/black encrypted images by the proposed encryption technique.

Plain Image	Entropy	Correlation of Plain Image			NPCR (%)	UACI (%)
		Hori.	Diag.	Ver.
All-white	7.9969	0.0027	0.0020	−0.0090	99.60	33.45
All-black	7.9969	−0.0080	0.0035	0.0057	99.62	33.41

4.4. Comparison and Discussion

Apart from security analyses, the proposed scheme is compared with some well-known image encryption techniques. The gray scale images of Lena${}_{256\times 256}$ and Lena${}_{512\times 512}$ are encrypted using the presented method, and experimental results are listed in Table 11.

Table 11. Comparison of the proposed encryption scheme with several existing cryptosystems for image Lena${}_{m\times m}$, m = 256,512.

Size m	Algorithm	Entropy	Correlation			NPCR (%)	UACI(%)	#	Dynamic
			Hori.	Diag.	Ver.			S-Boxes	S-Boxes
256	Ours	7.9974	0.0001	−0.0007	−0.0001	99.91	33.27	1	Yes
	Ref. [31]	7.9993	0.0012	0.0003	0.0010	99.60	33.50	1	Yes
	Ref. [3]	7.9973	-	-	-	99.50	33.30	0	-
	Ref. [27]	7.9046	0.0164	−0.0098	0.0324	98.92	32.79	>1<50	Yes
	Ref. [26]	7.9963	−0.0048	−0.0045	−0.0112	99.62	33.70	8	Yes
	Ref. [59]	7.9912	−0.0001	0.0091	0.0089	100	33.47	0	-
	Ref. [60]	7.9974	0.0020	0.0020	0.0105	99.59	33.52	0	-
512	Ours	7.9993	0.0001	0.0042	0.0021	99.61	33.36	1	Yes
	Ref. [25]	7.9992	0.0075	0.0016	0.0057	99.61	33.38	1	No
	Ref. [29]	7.9993	−0.0004	0.0001	−0.0018	99.60	33.48	1	No
-	Ref. [61]	7.9970	−0.0029	0.0135	0.0126	99.60	33.48	0	-
	Ref. [62]	7.9994	0.0018	−0.0012	0.0011	99.62	33.44	>1	Yes
	Ref. [2]	7.9993	0.0032	0.0011	−0.0002	99.60	33.47	>1	Yes

It is deduced that our scheme generates cipher images with comparable security. Furthermore, we remark that the scheme in [29] generates pseudo-random numbers using group law on EC, while the proposed method generates pseudo-random numbers by constructing triads using auxiliary parameters of elliptic surfaces. Group law consists of many operations, which makes the pseudo-random number generation process slower than the one we present here. The scheme in [26] decomposes an image to eight blocks and uses dynamic S-boxes for encryption purposes. The computation of multiple S-boxes takes more time than computing only one S-box. Similarly the techniques in [2,27] use a set of S-boxes and encrypt an image in blocks, while our newly developed scheme encrypts the whole image using only one dynamic S-box. Thus, our scheme is faster than the schemes in [2,27]. The security system in [61] uses a chaotic system to encrypt blocks of an image. The results in Table 11 reveal that our proposed system is cryptographically stronger than the scheme in [61]. The algorithms in [3,59] combine chaotic systems and different ECs to encrypt images. It follows from Table 11 that the security level of our scheme is comparable to that of the schemes in [3,59]. The technique in [60] uses double chaos along with DNA coding to get good results, as shown in Table 11, but the results obtained by the new scheme are better than that of [60]. Similarly the technique in [31] encrypts images using ECs but does not guarantee an S-box for each set of input parameters, thus making our scheme faster and more robust than the scheme developed in [31].

Furthermore, the following facts put our scheme in a favorable position:

(i)

Our scheme uses a dynamic S-box for each input image while the S-box used in [29] is a static one, which is vulnerable [63] and less secure than a dynamic one [64].

(ii)

The presented scheme guarantees an S-box for each image, which is not the case in [31].

(iii)

To get random numbers, the described scheme generates triads for all images of the same size, while in [31] the computation of an EC for each input image is necessary, which is time consuming.

(iv)

The scheme in [26] uses eight dynamic S-boxes for a plain image, while the current scheme uses only one dynamic S-box for each image to get the desired cryptographic security.

5. Conclusions

An image encryption scheme based on quasi-resonant triads and MECs was introduced. The proposed technique constructs triads to generate pseudo-random numbers and computes an MEC to construct an S-box for each input image. The pseudo-random numbers and S-box are then used for altering and scrambling the pixels of the plain image, respectively. As for the advantages of our proposed method, firstly triads are based on auxiliary parameters of elliptic surfaces, and thus pseudo-random numbers and S-boxes generated by our method are highly sensitive to the plain image, which prevents adversaries from initiating any successful attack. Secondly, generation of triads using auxiliary parameters of elliptic surfaces consumes less time than computing points on ECs (we find a 4x speed increase for a range of image resolutions $m\in [128,512]$), which makes the new encryption system relatively faster. Thirdly, our algorithm generates the cipher images with an appropriate security level.

In summary, all of the above analyses imply that the presented scheme is able to resist all attacks. It has high encryption efficiency and less time complexity than some of the existing techniques. In the future, the current scheme will be further optimized by means of new ideas to construct the S-boxes using the constructed triads, so that we will not need to compute an MEC for each input image.