S-Box Design Based on 2D Multiple Collapse Chaotic Map and Their Application in Image Encryption

As an essential part of an encryption system, the performance of a chaotic map is critical for system security. However, there are many defects for the existing chaotic maps. The low-dimension (LD) ones are easily predicted and are vulnerable to be attacked, while high-dimension (HD) ones have a low iteration speed. In this paper, a 2D multiple collapse chaotic map (2D-MCCM) was designed, which had a wide chaos interval, a high complexity, and a high iteration speed. Then, a new chaotic S-box was constructed based on 2D-MCCM, and a diffusion method was designed based on the S-box, which improved security and efficiency. Based on these, a new image encryption algorithm was proposed. Performance analysis showed that the encryption algorithm had high security to resist all kinds of attacks easily.


Introduction
With the rapid development of the network, image transmission through network has become more and more popular, contributing to higher risk of information leakage [1]. Therefore, the security of image transmission has become a research hotspot. Encryption of an image is the most direct and effective way to ensure image security [2,3]. In addition, as a large amount of information can be carried by images, higher speed of encryption algorithm is required. Because chaotic maps can quickly generate highly complex pseudorandom sequences, the combination of chaotic map and image encryption has become a focus of attention [4][5][6].
The research of image encryption algorithm based on chaotic maps is mainly focused on the optimization algorithm structure and optimization of chaotic map. For the former one, common encryption algorithms consist of two steps: scrambling and diffusion. Scrambling can not only change the pixel position in the image but also destroy the image structure. For image encryption algorithms based on chaotic maps, it is most common to directly scramble the image by using the index of chaotic sequence [7]. With further research, some other scrambling methods have been designed such as wavelet transform [8,9], cellular automata [10,11], and special matrix [12][13][14].
Diffusion is particularly important for encryption algorithms, which can extend the local changes in the image to the whole and, finally, change the pixels in the image and hide the image information. In addition to using chaotic sequences for diffusion [15], some methods in other fields, such as DNA computing [16][17][18] and Brownian motion [19,20], also help in diffusion. However, the implementation of the methods mentioned above is relatively complex. For example, encryption using DNA computing requires definitions of DNA addition and subtraction, which make the implementation far more difficult and, thus, make the speed of encryption slower. However, the substitution box (S-box), as a square matrix, becomes a key part of the block cipher, achieving a non-linear transformation of the input, and it is widely used because of high speed and security [21][22][23][24][25][26].
If f (x) and g (x) are collapsed into [c, d], where c ≥ a, d ≤ b, it can be obtained as Based on the Lyapunov exponent [32] definition equation that Presuming that f (x) ≥ g (x), so ⇒ lim ⇒ λ f ≥ λ g (2) It indicates that the larger the derivative of the map is, the more times it is collapsed and the greater the Lyapunov exponent is. Some simple one-dimensional (1D) chaotic maps can be generated by stretching and collapse. Currently, maps are collapsed mainly by adding function segments, trigonometric functions, and modular operations. For example, the Chebyshev map is achieved with the use of the cosine function to collapse the monotonic subtraction function arccos(x) to [−1, 1], resulting in chaotic behavior. Similarly, the Iterative chaotic map with infinite collapses (ICMIC) [33] is achieved with the use of sinusoidal functions to collapse the monotone decreasing function (1/x) to [−1, 1]. Additionally, Tent Map uses piecewise functions to double the range of functions before they collapse back to the original range. However, these 1D chaotic map structures are too simple, so their chaotic behavior can be easily predicted and the encryption algorithm is not secure when they are used.

Definition of 2D-MCCM
In order to solve the problems above, we designed a new 2D Multiple Collapse Chaotic Map (2D-MCCM). It has much more complex chaotic behavior and higher iteration speed than a 1D chaotic map, which is what HD chaotic maps do not have. The mathematical expression of 2D-MCCM is as follows: where, a and b are parameters, a, b ∈ (−∞, +∞). In 2D-MCCM, the arctangent function is used to collapse the map instead of the sine function. Although the sine function can collapse the map to [−1, 1] and collapse the same map several times, the arctangent function as a monotone function can make the distribution of chaotic sequence more uniform. Moreover, the chaotic map has a wider chaotic domain, which makes it more suitable for image encryption.

Phase Trajectory
Chaotic motion is an aperiodic reciprocating motion whose phase trajectory is a curve that never closes and is confined to a bounded region and, thus, leads to the generation of strange attractors. The dynamic characteristics of a chaos map can be preliminarily described based on its phase trajectory diagram. In general, for chaotic maps, the larger the distribution of strange attractors in the phase space is, the more uniform the distribution is, and the better randomness the chaotic sequence will have. In order to analyze the performance of 2D-MCCM, we set the initial values (x 0 , y 0 ) = (0.4, 0.6) of 2D-MCCM, and took four 2D maps as comparison and iterated them for 20,000 times. In order to obtain the chaotic sequence in stable state, only the last 15,000 terms were selected for the phase trajectory diagram, as shown in Figure 1. As shown in Figure 1, the trajectories of 2D-LICM, 2D-ICM, and 2D-MCCM all fill the whole phase space. However, it is obvious that the phase space of 2D-MCCM is larger and the trajectory distribution is more uniform. This indicates that the chaotic sequence generated by 2D-MCCM iteration has stronger randomness and its results are more difficult to be predicted, so it has higher security when used for image encryption.

Bifurcation Diagram
A bifurcation diagram can show how the variables of a chaotic system vary with bifurcation parameters, which is similar to phase trajectory diagram. The more uniform the distribution of bifurcation diagram is, the stronger the randomness of the chaotic system is. The difference is that the phase trajectory diagram only shows the trajectory of the chaotic map under certain parameter values, while the bifurcation diagram can show how the chaotic system behaves with the change of parameters. Figure 2 shows the bifurcation diagram of x component in 2D-MCCM and four 2D maps, respectively. The initial value is set as (x 0 , y 0 ) = (0.4, 0.6). Since parameter a in 2D-LICM and 2D-ICM is not equal to 0, the parameter field is set as (0, 1]. It can be seen that only the bifurcation diagrams of 2D-LICM, 2D-ICM, and 2D-MCCM cover the entire chaotic interval. In order to describe the distribution of points in the bifurcation diagram more intuitively, we proposed a method to divide the bifurcation parameter domain into five segments on average and the chaotic domain into 10 segments on average. Then, we calculated the proportion of the number of points in each segment to the total number of points, respectively. The results are shown in Figure 3. average and the chaotic domain into 10 segments on average. Then, we calculated the proportion of the number of points in each segment to the total number of points, respectively. The results are shown in Figure 3.   It can be seen from Figures 2 and 3 that 2D-LICM, 2D-ICM, and 2D-MCCM are in chaotic state in the whole parameter domain. However, it is obvious that the bifurcation graph of 2D-MCCM is more uniform, which indicates that its chaotic sequence has strong randomness. At the same time, 2D-MCCM has a larger chaotic interval, which can provide a larger key space for image encryption.

Lyapunov Exponent
The Lyapunov Exponent (LE), which is used to quantitatively describe the speed of adjacent phase points in the phase space at the time of their separation, can illustrate the sensitivity of a chaotic map to initial values. The definition of LE of a 1D discrete map is given in Equation (1) above. Generally speaking, λ > 0 means that two adjacent phase points are about to separate, and the chaotic map is in a chaotic state. The larger λ is, the faster the adjacent points in the phase space separate from each other and the higher the sensitivity of the initial value is. For an n-dimensional chaotic map, there should be n LEs. When more than one Les are larger than 0, the system is in a hyperchaotic state, which means the system has more complex dynamic behavior.
In general, a 2D chaotic map has two LEs. Figure 4 shows the LEs' comparison diagram between 2D-MCCM and the four 2D chaotic maps used as comparisons [36]. The parameter b of 2D-LICM, 2D-ICM, and 2D-MCCM is set to be 0.5, 21, and 21, respectively, denoting the larger LEs as λ 1 and the smaller LEs as λ 2 . It can be seen from Figure 4 that 2D-LICM, 2D-ICM, and 2D-MCCM are all in a hyperchaotic state where a ∈ (0, 1]. However, the values of both λ 1 and λ 2 of 2D-MCCM are the largest, indicating that their initial sensitivity is the highest. In order to further study the influence of the values of parameters a and b on λ 1 of 2D-LICM, 2D-ICM, and 2D-MCCM, we drew a chaotic graph based on λ 1 in Figure 5. The value of λ 1 is larger when the color is closer to red. The closer the color is to red, the greater the value of λ 1 is. Obviously, the red region of 2D-MCCM is the largest, and the value of λ 1 increases with parameter b. In addition, parameter a does not significantly affect the value of λ 1 , indicating that a is suitable for image encryption as a key. This shows that 2D-MCCM has the best performance compared with existing 2D chaotic maps and is also suitable for image encryption.

Spectral Entropy
Spectral entropy (SE) [37] can be used to quantitatively analyze the similarity between a chaotic sequence and a random sequence. The larger the SE value is, the more similar these two sequences are. The larger the SE value is, the more similar the sequence is with a random one, and the higher its security will be. According to the method in [37], the conditions of SE value of x sequence and y sequence of each 2D chaotic map are calculated with the transformation of parameter a, as shown in Figure 6. It can be seen that compared with the existing 2D chaotic maps, 2D-MCCM can generate chaotic sequences with higher Entropy 2021, 23, 1312 7 of 24 complexity in the whole parameter domain, which can reduce the security risks caused by the reduction of chaos sequence complexity under specific parameters.

Design of S-Box
In this section, we devised a simple method of producing an 8-bit S-box using 2D-MCCM and selective self-scrambling. Figure 7 briefly illustrates the generation process of an S-box, with specific steps as follows:
To set the initial values and parameters of 2D-MCCM.

2.
To iterate 2D-MCCM to generate chaotic sequences x and y.

3.
To convert x to a random sequence X from 0-255 by Equation (8).

4.
To sort y in ascending order and record its position as index sequence Y.

5.
To select the value in X according to Y and check whether the value already exists in the S-box. If not, store the value in the S-box until there are 256 non-repeated values in the S-box. 6.
Then, to randomly generate four S-boxes according to the method in Step 5. 7.
Since linear attack and differential attack are the two most common attack modes, the two S-boxes with the best performance are selected according to the average nonlinearity N avg of S-boxes and the maximum differential approximation probability DP max of the S-boxes, which are defined as S 1 and S 2, respectively. The calculation method is shown in Equation (9), and the larger the value is, the better the performance of the S-box is.
8. S 2 is used to scramble S 1 to get the final S-box. Table 1 shows an 8-bit S-box based on the method above. Since this method only uses chaotic map iteration without complex matrix row and column transformation, it has high generation efficiency. At the same time, there is a selective self-scrambling, which ensures the performance of the generated S-box.

Performance Analysis of S-Box
In order to evaluate the performance of the constructed S-box, the following five methods are used for analysis in this section. As a nonlinear calculation element, the nonlinear degree is an important index to evaluate the performance of the S-box. The expected value of the nonlinear degree is 112. Walsh spectrum [38] is usually used to calculate the nonlinearity of the S-box, which is defined as: where GF(2 n ) represents the Galois domain with space size of 2 n , and S < f > (ω) is the cyclic spectrum of function f (x), which is defined as:  In general, the higher the nonlinearity of an S-box is, the more secure it will be. The eight nonlinearity values of the constructed S-box are 108, 108, 108, 108, 106, 108, and 108, respectively, with an average of 107.75. The minimum nonlinearity of the proposed S-box is easy to be attacked. However, the minimum nonlinearity of the proposed S-box reached 106, which is even better than the average nonlinearity of some S-boxes, indicating that the S-box is capable of resisting a nonlinear cryptanalytic attack.

Strict Avalanche Criterion
The strict avalanche criterion can quantitatively analyze the avalanche effect of Boolean function, that is, when the input of one bit of Boolean function changes, half of the output value will change [39]. For the S-box, the strict avalanche criterion is usually tested by calculating its dependence matrix. If the S-box strictly satisfies the strict avalanche criterion, every element in the dependence matrix will be 0.5.
Based on the method in [40], we calculated the dependence matrix of the S-box, as shown in Table 2. Meanwhile, it can be found that the average deviation of the elements in the dependence matrix from the expected value of 0.5 is 0.0327, which tends to be close to 0 and can satisfy SAC.

Bit Independence Criterion
Bit independence criterion (BIC) is a desirable feature for cipher transformation. For the Boolean functions f i and f j with two output bits of the S-box, if f i ⊕f j is highly nonlinear and satisfies SAC as much as possible, then the S-box satisfies the BIC.

Differential Approximation Probability
Differential approximation probability (DP) can be used to quantitatively analyze the crypt function's resistance to differential attack. It represents the maximum probability of the output, which will be ∆y in a given Boolean function when the input difference is ∆x, and the expected value of DP is 0.0156. For an 8-bit S-box, the calculation formula of DP is as follows: where X = {0, 1, · · · , 255}. For the S-box, the less the maximum DP value, the stronger is the ability to resist a differential cipher attack. Table 5 shows the differential approximation matrix of the proposed S-box, and the maximum value is 10. In addition, the maximum DP value of the proposed S-box can be calculated from Equation (12) to be 0.0391, which is close to the expected value, indicating its strong resistance to differential attacks.

Linear Probability
Linear Probability (LP) can be used to quantitatively analyze the cryptographic function's ability to resist a linear attack, and the expected value of LP is 0.0625. As a nonlinear element, the S-box can realize the nonlinear map between input and output, and its ability to resist nonlinear attacks is very important. For an 8-bit S-box, the formula of LP is as follows: where X = {0, 1, · · · , 255}, a x and b x are input and output masks, respectively. In general, A lower LP value shows a stronger S-box of resisting the linear cryptanalysis attacks. Based on equation (13), we calculated the LP value of the proposed S-box to be 0.125, which is around the expected value, indicating its strong resistance to linear cryptanalysis attacks.

Performance Comparison
In order to better demonstrate the performance of the proposed S-box, the S-box generated by several recently proposed representative algorithms was analyzed [21][22][23][24][25][26], and the results are shown in Table 6. It can be seen that the proposed S-box was distinguished in all aspect. In addition, it can be concluded that AES S-box was not optimal on BIC-SAC and SAC, indicating that it is very difficult to design an S-box that is optimal in all indicators.

Image Encryption Algorithm
In this section, an image encryption algorithm based on 2D-MCCM and a new S-box is proposed. The 2D-MCCM was used to process the key and generate the initial value, and a "diffusion-scrambling-diffusion" framework was used to improve security. Diffusion and scrambling are based on the random sequence generated by 2D-MCCM with both efficiency and security. The proposed S-box was used for the second diffusions, and its nonlinear characteristics were utilized to enhance the sensitivity of the algorithm to small changes in pixels. The algorithm structure is shown in Figure 8.

Initial Value Generation
The selection of the key affects the security of the whole encryption algorithm. In this section, we set the key K of the encryption algorithm as 32 random integers of 8 bits with a value range of [0, 255]. At this time, the length of the key K reached 256 bits, which is enough to resist violent attacks. For easy calculation, K is divided into three parts, such that K = [a 1 , · · · , a 4 , b 1 , · · · , b 4 , k 1 , · · · , k 24 ]. In addition, in order to enhance the key sensitivity of the algorithm, we used 2D-MCCM in the process of generating initial values from the key. The specific steps are shown in Algorithm 1.

S-Box-Based Diffusion
We designed a novel diffusion method based on 2D-MCCM and S-box, which can magnify small changes in pixels and quickly expand to the entire image. The diffusion algorithm has two steps: forward diffusion and reverse diffusion. Two diffusions in the opposite direction can make the diffusion more sufficient and improve the stability of the algorithm. Forward diffusion and reverse diffusion change the first pixel and the last pixel of the image, respectively, and then spread the transformation to the whole image to change the value of each pixel in the image. The specific process is shown in Algorithms 2 and 3.

Global Scrambling
A scrambling process can effectively reduce the correlation between pixels and reduce the redundant information in the image. The traditional scrambling method usually scrambles the index matrix of the pseudo-random sequence generated by the chaotic system once, but sometimes it cannot have a good scrambling effect because of the uncertainty of the pseudo-random sequence. For this reason, a new global scrambling method was designed, which gradually scrambles the image from local to global. The specific steps are shown in Algorithm 4. For a more intuitive explanation of the proposed global scrambling method, a numerical illustration for a 4 × 4 image is given in Figure 9. The 4 × 4 plaintext image was evenly divided into four parts for scrambling with a good scrambling effect. Considering safety and efficiency comprehensively, the image was divided into 256 parts for scrambling in practical use.

Image Decryption Algorithm
In simple terms, the decryption process and the encryption process are mutually inverse ones, which mainly include generating initial value from the correct key, finding inverse S-box, inverse backward diffusion, inverse global scrambling, and inverse forward diffusion. For the decryption algorithm proposed, a solution to inverse S-box is a vital step, which remarkably affects the efficiency of the decryption algorithm. The specific generation method is shown in Algorithm 5. Since the S-box contains 0 rather than 256, regarding 0 as an index is meaningless. Therefore, before the S-box is used to generate the inverse S-box, 0 is replaced with 256. In this way, pixels with a value of 0 in the ciphertext image can be replaced with 256 to restore the image using the inverse S-box before decryption.

Simulation Results and Security Analysis
Security is the most important indicator to evaluate the image encryption algorithm. Therefore, the security of the proposed encryption algorithm is evaluated in many perspectives, and comparison with other representative encryption algorithms is made.

Encryption Result and Histogram Analysis
A histogram of the image can intuitively show the distribution of the pixels. As pixel distribution of each plaintext image is regulated by certain law, the purpose of encryption is to destroy the law, preventing the attacker from acquiring the information in the image histogram, and the pixels should be evenly distributed.
In this section, five 512 × 512 images were used for the experiment. The color images were Earth and Splash, and the gray images were Lena, Black, and White. The results are shown in Figure 10. The histograms of five plaintext images had their own features. After encryption, both grayscale and color images turned into noise-like ciphers. They can only be distinguished by their ciphertext and histogram, and no more useful information can be obtained. This showed that the proposed algorithm can resist the attack of statistical analysis based on pixel distribution. Since the histogram can only demonstrate pixel distribution, when it comes to the similarity of histograms of the five ciphertext images in Figure 10, it failed to describe their differences accurately. Therefore, the χ 2 statistics [41] is usually used to quantitatively analyze the uniform distribution of pixels in the image, which is defined as: where fi is the frequency distribution of pixel values in the image and g is its theoretical frequency distribution. When the significance level is 0.05, the pixels of the image are considered to be evenly distributed, where point χ 2 0.05(255) = 293.2478. In general, the smaller the χ 2 value of an image, the more uniform the pixel distribution is. Table 7 shows the χ 2 Since the histogram can only demonstrate pixel distribution, when it comes to the similarity of histograms of the five ciphertext images in Figure 10, it failed to describe their differences accurately. Therefore, the χ 2 statistics [41] is usually used to quantitatively analyze the uniform distribution of pixels in the image, which is defined as: where f i is the frequency distribution of pixel values in the image and g is its theoretical frequency distribution. When the significance level is 0.05, the pixels of the image are considered to be evenly distributed, where point χ 2 0.05(255) = 293.2478. In general, the smaller the χ 2 value of an image, the more uniform the pixel distribution is. Table 7 shows the χ 2 test results of the five test images after encryption. It can be seen that the χ 2 value of all ciphertext images was less than 293.2478, indicating that the proposed encryption algorithm had good encryption effect for both color images and grayscale images.

Shannon Entropy Analysis
Shannon entropy can be used to describe the randomness of pixels in an image. The larger its value is, the more similar the image is with a random image. Its calculation method is as follows: where x is pixel, p i is probability of taking each pixel, i = 1, 2, · · · , n, 0 < p i < 1, and p 1 + p 2 + · · · + p n = 1. Shannon entropy for the 8-bit sequences is 8 when all pixels are equally probable. For image encryption, it is desirable to encrypt the image into a random image. Therefore, the closer the Shannon entropy of the ciphertext image is to 8, the better the encryption effect of the algorithm will be. Table 8 shows the comparison of Shannon entropy of the three gray images before and after encryption. It can be seen that the Shannon entropy of the three ciphertext images was very close to the expected value. For Black and White, although the Shannon entropy was 0 because the pixels in the images were exactly the same, the proposed algorithm still had a good encryption effect after encryption. Since Shannon entropy is calculated based on the global image, its accuracy and calculation efficiency are easily affected by the image size; thus, it fails to be used as a general test standard. In order to analyze the proposed encryption algorithm more comprehensiv-ely, the local Shannon entropy (LSE) calculation method proposed in [42] was adopted. The LSE is obtained by randomly selecting k blocks of the same size from an image and calculating the average entropy of each of them as follows: where L i is the blocks picked and k and N are the number of pixels and number of blocks, respectively. In order to facilitate the analysis, the significance level is set at 0.05 and (k, N) = (30,1936) during the experiment. At this point, when LSE is within the interval of [7.901901, 7.903037], the image is considered to have passed the test and is close to random distribution. Twenty-five standard images from the USC-SIPI image database were selected for several experiments. The average was taken as the final result, and the experimental results were compared with three typical algorithms [12,15,30]. The experimental results are shown in Table 9. It can be seen that after encrypting 25 images, 23 ciphertext images of the proposed algorithm passed the LSE test, indicating that the proposed encryption algorithm can encrypt images into ciphertext images with high randomness. Table 9. Comparison of local Shannon entropy of different encryption algorithms.

Image
Size LSE

Adjacent Pixel Correlation Analysis
The correlation of adjacent pixels is an important index to evaluate the redundant information in the image, and encryption is to remove the redundant information. The lower the correlation of the adjacent pixels of the ciphertext image is, the less redundant information there is, and the better encryption effect algorithm has. Supposing that N adjacent pixels (x i , y i ) are randomly selected from the image, the calculation method of the correlation of adjacent pixels is as follows: where σ x and σ y are the standard deviations of x and y, respectively. When the correlation between adjacent pixels in the image is at a low level, its correlation value is close to 0, otherwise it is close to 1. The value of correlation between adjacent pixels can be negative.
In this Section, 25 standard images for encryption and 5000 pairs of adjacent pixels were selected for calculation of the correlation coefficients of the Horizontal, Vertical, and Diagonal diagonals of the ciphertext images. The absolute value of the correlation coefficient was taken, which was convenient for observation, and the results are shown in Figure 11. It can be seen that after the encryption of the 25 standard images, the correlation coefficients of the adjacent pixel points of the ciphertext images in all directions dropped to around 0 and were all less than 0.006, which is approximately no correlation. This shows that the proposed algorithm can significantly disrupt the correlation of adjacent pixels of an image and encrypt arbitrary images of different sizes with excellent results. In addition to the correlation coefficient of the image, we can also analyze the encryption effect of the algorithm using the correlation graph of the adjacent pixels of the image. Figure 12 shows the correlation diagram of adjacent pixels before and after Lena encryption. It can be seen that the pixel pairs of plaintext images were clustered near x = y and had a strong correlation; however, after encryption, the pixel pairs were evenly distributed and the correlation was greatly reduced. It shows that the proposed algorithm can destroy the correlation between pixels well and has the ability to resist anti-statistics attack.

Robustness to Noise and Data Loss
Due to human or non-human factors, loss and destruction of data may occur in information transmission. An encryption algorithm is considered to be effective if it can recover the plaintext image from the ciphertext image under shear attack or noise attack.
In this section, we made preliminary analysis of the ability of the proposed encryption algorithm to resist shear attack. We cut down 1/256, 1/16, and 1/4 of the pixels in Lena ciphertext images, respectively, and then decrypted them. The results are shown in Figure 13. It can be seen that even if the ratio of data loss reached 1/4, most information of the image can still be recovered, indicating that the proposed algorithm can resist shear attack.
Subsequently, in order to analyze the robustness of the proposed encryption algorithm to noise attack, we added 1%, 5%, and 10% impulse noise in the ciphertext images of Lena, respectively, and then decrypted them. The results are shown in Figure 14. It can be seen that, although the recovered image information became less and less with the increase of noise ratio, the decrypted images can still be distinguished, indicating that the proposed algorithm is able to resist noise.

Robustness to Noise and Data Loss
Due to human or non-human factors, loss and destruction of data may occur in information transmission. An encryption algorithm is considered to be effective if it can recover the plaintext image from the ciphertext image under shear attack or noise attack.
In this section, we made preliminary analysis of the ability of the proposed encryption algorithm to resist shear attack. We cut down 1/256, 1/16, and 1/4 of the pixels in Lena ciphertext images, respectively, and then decrypted them. The results are shown in Figure  13. It can be seen that even if the ratio of data loss reached 1/4, most information of the image can still be recovered, indicating that the proposed algorithm can resist shear attack.

Key Sensitivity Analysis
Key sensitivity analysis is an important index to evaluate the security of an encryption algorithm and decryption algorithm, and aims to compare two images obtained by encryption or decryption before and after the slight change of key. The more different they are, the higher the sensitivity of key will be. In practical application, the difference between the two images can be quantitatively analyzed by calculating the rate of change of pixel number (NPCR) and the normalized mean intensity of change (UACI) [43], as shown below. where where P 1 and P 2 are the two images used for comparison, M × N is the size of the image, and F is the maximum pixel value allowed in the image. In general, the expected values of NPCR and UACI are 99.6094% and 33.4635%, respectively. However, a more rigorous discrimination method is proposed in [43]. That is, when the significance level is α, the two images could be considered completely different if the NPCR of the two images is greater than N * α or the UNCI is among the range of [U * − α , U * + α ]. N * α , U * − α , and U * + α can be obtained by the following equations: At the same time, U * + α denotes the inverse cumulative density function. In Table 10, the significance level was set at 0. 05 to obtain the expected values of NPCR and UACI for images of different sizes. In the test of the encryption algorithm, the NPCR value and UACI value between the ciphertext images were obtained after randomly changing the key 1 bit twice. For the decryption algorithm, the correct key was first used for encryption, and then the wrong key was used for decryption. After randomly changing the key 1 bit, the decryption was carried out again, and the image obtained by two decryptions was used for calculation. In order to make the experimental results more accurate and intuitive, we carried out several experiments and took the average values as the final results, as shown in Figures 15 and 16. It can be seen that both the encryption algorithm and the decryption algorithm passed the tests of all 25 images, indicating that they have good key sensitivity.

Difference Analysis
For the encryption algorithm with poor diffusion performance, the attacker can break the encryption algorithm by constructing a specific plaintext image and analyzing the ciphertext image. This attack method is called a differential attack, also known as a selective row plaintext attack. Therefore, it is very important for an encryption algorithm to resist a differential attack.
In general, the stronger the diffusion performance of the encryption algorithm is, the better it is to resist differential attack. Two slightly different plaintext images were encrypted using the algorithm with the same key and then these two ciphertext images obtained were compared to analyze the algorithm's ability to resist a differential attack, which is called a plaintext sensitivity test.
Based on the analysis above, NPCR and UNCI introduced in the previous section were used for the test. Different from the sensitivity of the test key, the 256-bit key K was randomly generated firstly, and K was used to encrypt the test image. Then, a pixel in the test image was randomly changed by 1, and then K was used to encrypt the changed image. Finally, the NPCR value and UACI value of the ciphertext image obtained by two encryptions were calculated and compared with the algorithms in [31,35,44], as shown in Figures 17 and 18. It can be seen that the proposed algorithm passed the NPCR and UACI tests of all 25 images, indicating that the proposed algorithm is superior in resisting a differential attack.

Conclusions
In this paper, a new 2D chaotic map (2D-MCCM) was proposed. The results of the experiment showed that, compared with existing 2D chaotic maps, 2D-MCCM is very suitable for image encryption due to its advantages in fast iteration speed, large chaotic range, high randomness, stable initial sensitivity, and complexity. Then, we designed a new S-box, which was obtained by selective self-scrambling of multiple initial S-boxes generated by the chaotic sequence of 2D-MCCM. The analysis of the performance of the S-box showed that it has the ability to resist all kinds of security attacks.
Based on 2D-MCCM and the proposed S-box, we designed a new image encryption algorithm, with a main structure of forward diffusion, scrambling, and backward diffusion. The two diffusion processes are based on the nonlinear transformation characteristics of S-box and the chaotic characteristics of 2D-MCCM, which has a good diffusion effect. In addition, scrambling from local to global can effectively reduce the correlation between pixels. Simulation results showed that the algorithm can encrypt various images safely, is superior to several existing algorithms, and has a wide application prospect.