A Novel Image Encryption Scheme Based on Elliptic Curves over Finite Rings

Image encryption based on elliptic curves (ECs) is emerging as a new trend in cryptography because it provides high security with a relatively smaller key size when compared with well-known cryptosystems. Recently, it has been shown that the cryptosystems based on ECs over finite rings may provide better security because they require the computational cost for solving the factorization problem and the discrete logarithm problem. Motivated by this fact, we proposed a novel image encryption scheme based on ECs over finite rings. There are three main steps in our scheme, where, in the first step, we mask the plain image using points of an EC over a finite ring. In step two, we create diffusion in the masked image with a mapping from the EC over the finite ring to the EC over the finite field. To create high confusion in the plain text, we generated a substitution box (S-box) based on the ordered EC, which is then used to permute the pixels of the diffused image to obtain a cipher image. With computational experiments, we showed that the proposed cryptosystem has higher security against linear, differential, and statistical attacks than the existing cryptosystems. Furthermore, the average encryption time for color images is lower than other existing schemes.


Introduction
In this modern era, the transmission of images over public networks is an indispensable task. Therefore, distributing secret images in a secure way is essential. Encryption schemes take plain-text data as an input and convert it into an unreadable form using secret keys. Then, an authorized person uses the secret keys to acquire the original data. Recently, S-box-based encryption algorithms have gained special attention [1]. An S-box is used to create confusion; therefore, researchers are not only trying to improve the existing S-box schemes, but are also proposing new ones. Many authors (see, for example, [2,3]) have observed that the S-box used in the well-known cryptosystem, the advanced encryption standard (AES), is vulnerable because the AES cryptosystem uses a static S-box. Furthermore, it also has low algebraic complexity.
The role of an S-box is vital in a cryptosystem. Therefore, researchers are trying to generate S-boxes which are cryptographically secure. One way is to improve the security of the AES cryptosystem. That is why Cui and Cao [4] enhanced the algebraic complexity of an AES S-box to make it secure against algebraic attacks. Similarly, Liu et al. [5] proposed an improved AES S-box that has reliable security against algebraic and differential attacks. Tran et al. [6] presented the Gray S-box for the AES, which is secure against algebraic and interpolation attacks. In addition to this, many other techniques are used to design S-boxes with the desired security. For example, Silva-Garcia et al. [7] developed a novel chaos-based cryptosystem, which generates an S-box to resist linear attacks. Ibrahim and Alhabi [1] used a Henon map to generate secure and dynamic S-boxes. Özkaynak [8] proposed robust Sboxes using different chaotic systems. Due to their higher security, EC-based cryptosystems have gained the interest of researchers. Miller [9] presented an EC-based cryptosystem with high security and a small key size. Cheon et al. [10] used hyperelliptic curves to obtain a lower bound on the nonlinearity of Boolean functions. Hayat et al. [11,12] employed ECs over finite fields and rings to design secure S-boxes. It is analyzed that the S-box generators over finite rings generate dynamic S-boxes with reasonable time complexity.
Recently, chaos-based schemes have received more attention due to their easy implementation and fast execution [26]. Similarly, chaotic maps have some unique characteristics, such as ergodicity, unpredictability, random behavior, and sensitivity to initial parameters, which are required for a good cryptosystem [27]. Therefore, a number of image encryption schemes are proposed based on sine maps [28,29], cat maps [30], and some other chaotic maps [31]. Huang et al. [32] developed an encryption scheme with better confusioncreation capability using the Rivest-Shamir-Adleman (RSA) algorithm and Arnold map. Similarly, Ye et al. [33] designed an effective and secure image cryptosystem based on the RSA technique and a fractional-order chaotic system. On the other hand, there exist chaotic encryption schemes which are not secure. Chen et al. [30] developed an image encryption algorithm using a 3D chaotic cat map, which has short period and hence, is vulnerable to the chosen plain-text attack [34]. Similarly, the scheme developed by Sui et al. [31] is based on logistic maps; however, logistic maps are insecure due to the small key space [14].
Related work: Like chaotic maps, elliptic curves (ECs) are highly sensitive to the initial parameters, and a number of EC-based algorithms have been developed for cryptographic applications [9,[35][36][37][38][39][40][41][42][43][44][45][46][47][48]. Zhang and Wang [40] used the group law for the generation of a public key and encrypted digital images by combining a chaotic system and elliptic curve cryptography (ECC). Abdelfatah [41] presented a digital signature scheme using the group law. Abbas et al. [42] proposed a chaotic encryption algorithm using an addition operator over the points of the EC. El-Latif et al. [49] developed an efficient encryption scheme using a cyclic EC and a generalized logistic map; basically, an EC-based sequence and a chaotic sequence are combined to generate a keystream for encryption. Toughi et al. [50] generated a sequence of numbers using ECs, which are then used in the generation of keys to propose an encryption algorithm. Hayat et al. [51] proposed a twofold image encryption scheme. Firstly, a plain image is masked by EC-based random numbers, and then permuted by an S-box generated using an EC. Reyad et al. [52] modulated random sequences using ECs and chaotic maps. It is experimentally proved that all the above schemes are highly secure. In addition, ECs provide more security to a cryptosystem than chaotic maps [53,54], but it is important to mention that the scheme in [49] first generates a sequence of scalars. Each scalar is then mapped to a scalar multiple of a point of a cyclic EC. To compute a scalar multiple of a point lying on an EC is not simple; it involves the group law, consisting of many complex calculations. Similarly, the scheme in [52] also uses group operations to generate random numbers from the points of ECs. Thus, the schemes of [40][41][42]44,49,52] are time-consuming due to the use of the group law. The scheme in [51] avoids the group law to generate ECs, but each plain image requires the generation of two ECs. Moreover, trials are required for the generation of ECs to ensure the encryption of an image because the said scheme does not output an S-box for all parameters. These facts slow the execution time of the scheme. The algorithm in [37] does not generate triads for all images of the same size, but generates an EC for each image, which enhances the execution time.
In all the above-discussed EC-based schemes, finite fields are used to obtain the desired security. The security of such cryptosystems based on ECs over finite fields essentially depends on the computational cost for solving the discrete logarithm problem [55]. Recently, Diaz et al. [55] pointed out that the cryptosystems based on ECs over finite rings are more secure as compared to the cryptosystems based on ECs over finite fields. Their claim follows from the fact that the computational cost of breaking such cryptosystems based on ECs over finite rings depends on solving the factorization problem [56] and the discrete logarithm problem. Our research contribution aims to develop a cryptosystem that is based on a ring of integers and that has higher resistance against modern attacks than the existing schemes of ECs over finite fields. In this work, we propose:

1.
A new S-box generator that can generate a good S-box based on an EC over a finite ring of integers; 2.
An image encryption algorithm using the aforementioned S-box generator.
The current work is novel in the sense that: • It is based on a ring of integers rather than on a finite field; • It avoids the traditional way (group law) of generating an EC. Furthermore, it imposes a bound on the y-coordinate of the EC, which is not the case in [12,51], and one does not have to check all the possible values over the underlying structure. So, the current S-box generator is comparatively efficient for a possible S-box; • It generates cryptographically strong S-boxes; • The time complexity of the proposed scheme is dependent on the chosen bound on the y-coordinate of the EC; • Unlike the case in [37,51,57], each input image does not need the computation of a new EC for the confusion phase; • It can encrypt a number of images with better security against differential, statistical, key and plain-text attacks; • The run-time of the proposed scheme to encrypt color images is very low.
The rest of the paper is organized as follows: Section 2 contains the related notions of ECs. In Section 3, the proposed S-box algorithm and its analysis is described. In Section 4, the proposed image encryption scheme is presented. In Section 5, the decryption of the proposed scheme is reported. The security analysis is conducted in Section 6. An application of the proposed scheme to color images is shown in Section 7. Lastly, the conclusion is drawn in Section 8.

Related Notions of ECs
Let {p i } i∈Ω be a set of primes for any indexing set Ω. Then, for k ≥ 2, n = ∏ k i=1 p i is a composite integer and, hence, Z n is a ring. As for each prime p, F p represents a finite field. Thus, for primes p i , 1 ≤ i ≤ k, we say that F p i is a finite field related to the ring Z n . For any two integers, a, b ∈ Z n , with the condition that 4a 3 + 27b 2 ∈ Z n \ {0}, the EC E n,a,b represents the set of points {(x, y) ∈ Z n × Z n |y 2 ≡ x 3 + ax + b (mod n)} ∪ {∞}, where ∞ is the neutral point lying at each vertical line passing through the EC, and 4a 3 + 27b 2 is the discriminant of E n,a,b . The condition on the discriminant is imposed so that the EC E n,a,b has no singular point. The integers n, a and b are known as the parameters of E n,a,b . For a = 0, the ECs are known as Mordell elliptic curves (MECs); we denote them by E n,b , and #E n,b denotes the number of points on the MEC E n,b . There is a bijection [56] between E n,b and Consequently, an EC E p i ,b may be deduced from E n,b by mapping (x, y) ∈ E n,b to x (mod p i ), y (mod p i ) and, hence, for each p i we have a surjective map from E n,b to E p i ,b . Let f : E n,b → E p 1 ,b × . . . × E p k ,b and g : E n,b → E p i ,b represent the former bijective and surjective maps, respectively; then, mathematically, f and g are given by: g(x, y) = x (mod p i ), y (mod p i ) .
The MECs play an important role in cryptography. Azam et al. [58] defined different total orders, named as natural ordering (≺ N ) and diffusion ordering (≺ D ), on the points of MECs. For details, the readers are referred to [58].

The Proposed S-Box and Its Analysis
The proposed encryption scheme in Section 4 requires an S-box generator to obtain the desired level of confusion. For the construction of an S-box, we need the parameters n, b, and t. It is mentioned that n = ∏ k i=1 p i , where each p i is a prime and k is a positive integer. In principle, n may be assigned any value. We choose n as a product of primes because, in the masking phase for each prime p i , we need the EC over the related prime field F p i . The parameters n, b are used to generate the EC E n,b over the ring of integers Z n , where t is used as an upper bound on the y-coordinate of the EC E n,b . Here, upper bound t means that we compute such (x, y) ∈ E n,b for which y ≤ t. The y-coordinate is kept bounded, so that we compute (x, y) ∈ E n,b for all x ∈ Z n and particular values of y instead of all y ∈ Z n . This is conducted in order to reduce the time of execution. After the generation of the EC E n,b , the points of E n,b need to be arranged by some ordering. The points may be arranged according to any ordering, but the ordering ≺ N is capable of generating S-boxes with high cryptographic properties. Therefore, we use ≺ N to sort the points of E n,b . Then, we construct an m × m S-box σ(n, t) by extracting the first 2 m different values y i < 2 m of the y-coordinate of the ordered E n,b . Mathematically, the S-box is generated according to the following function: where (x, y i ) ∈ E n,b for some x ∈ Z n and σ(n, t)(r) = y i for r < i. The S-box construction is clearly described in the following steps: Step 1. To generate an m × m S-box, select three integers n, b, and t such that n > 2 m , 0 < b < n and 2 m ≤ t ≤ n; Step 2. Choose primes p i for a finite k ≥ 2 in such a way that n = ∏ k i=1 p i ; Step 3. For each y ∈ [0, t] and x ∈ [0, n − 1], compute all the points (x, y) such that y 2 ≡ x 3 + b (mod n); i.e., compute E n,b ; Step 4. If the set [0, 2 m − 1] is contained in the y-coordinates of the points (x, y) ∈ E n,b , then proceed to Step 5. Otherwise, change p i for some i and repeat Steps 1-3; Step 5. Arrange the points of E n,b by applying the ordering ≺ N ; Step 6. Construct the S-box σ(n, t) for some x ∈ [0, n − 1] with the constraint that y i < 2 m and σ(n, t)(j) = σ(n, t)(i) for j < i.
For parameters n = 2491, p 1 = 47, p 2 = 53, b = 716, and t = 255, an 8 × 8 S-box generated by the proposed method on an EC E 2491,716 is shown in Table 1. The cryptographic strength of the proposed S-box is analyzed by well-known tests, which are described as follows.

Linear Attacks
A cryptosystem is secure if it can strongly resist attackers to exploit the linear relations of inputs and outputs. The immunity of an n × n S-box S against linear attacks is evaluated by its non-linearity NL(S) [59], linear approximation probability LAP(S) [60], and algebraic complexity AC(S) [61].
For a chosen n, the NL(S) represents the minimum Hamming distances between the Sbox S and all the corresponding affine functions. Similarly, the LAP(S) is the approximation of the relation lying between the inputs and outputs, and the AC(S) represents the number of non-zero terms in the polynomial representation of the S-box S. Mathematically, the NL(S) and LAP(S) are computed by Equations (1) and (2), respectively: where α, β ∈ F n 2 , and "· "denotes the dot product. The resistance to linear attacks is greater if the NL(S) is close to 2 n−1 − 2 (n/2)−1 , the LAP(S) is low, and the AC(S) tends to 2 n − 1. The values of the NL, LAP, and AC for the S-box shown in Table 1 are 106, 0.0156, and 254, respectively. Moreover, from Table 2, it follows that the NL of the proposed S-box is greater than those of [51,[62][63][64][65][66] and equal to NL of the S-boxes in [8,12,37,48,58]. Similarly, the LAP of the new S-box is less than the LAP of the S-boxes in [8,12,37,48,51,58,[62][63][64][65][66]. The AC of the presented S-box is greater than the AC of the S-boxes proposed in [51,58,64,65] and equal to that of the S-boxes [37,62,63,66]. From the above discussion, it is obvious that the proposed S-box is highly secure against linear attacks, compared to the S-boxes in [37,51,58,[62][63][64][65][66], while the security of the proposed S-box against linear attacks is comparable with the S-boxes in [8,12,48]. Table 2. Comparison of the S-boxes generated by the proposed algorithm and some recent algorithms. Differential attacks are used to study the differences of outputs for the corresponding differences of inputs to obtain useful information. For an S-box S, the differential approximation probability DAP(S) [67] measures the strength of S to thwart the differential attackers. The mathematical representation of DAP(S) is given by:

Scheme NL LAP AC DAP SAC (min) SAC (max) BIC (min) BIC (max)
where ∆x, ∆y ∈ F n 2 , and "⊕" stands for the bit-wise addition in F 2 . Thus, the S-box S possesses higher security if the DAP(S) is close to 1/2 n . The DAP value of the S-box depicted in Table 1 is 0.0469. From Table 2, it is also evident that the DAP value of the proposed S-box is equal to the DAP values of the S-boxes displayed in [12,65,66], and comparable to the DAP of the S-boxes in [8,37,48,51,58,[62][63][64]. Thus, the strength of the presented S-box against differential attacks is comparable to strength of the S-boxes in [8,12,37,48,51,58,[62][63][64][65][66].

Analysis of Boolean Functions
The Boolean functions of an S-box are used to create confusion/diffusion in a cryptosystem. Two approaches, strict avalanche criterion (SAC) [68] and bit independence criterion (BIC) [68], are used to analyze the Boolean functions. The SAC calculates the change that occurred in the output bits due to the inversion of one bit in a set of input bits. The BIC determines the dependence level of a pair of output bits on inverting an input bit.
where w(y) represents the number of non-zero symbols in y, α j ∈ F n 2 with w(α j ) = 1, and S i denotes the i-th Boolean function of the S-box S. An S-box creates enough confusion/diffusion if all off-diagonal entries of M(S) and B(S) are close to 0.5. The minimum (SAC (min)) and maximum (SAC (max)) of the off-diagonal values of M(S) for the S displayed in Table 1 are 0.4063 and 0.5938, respectively. Furthermore, it follows from Table 2 that the SAC (min) value of the designed S-box is greater than the SAC (min) values of the S-boxes designed in [8,37,58], and that the SAC (max) value of the new S-box is less than or equal to that of the S-boxes in [8,12,37,58]. So, the confusion-creation capability of the S-box in Table 1 is greater than that of the S-boxes in [8,37,58]. The SAC (min) value of the presented S-box is equal to the SAC (min) values of the S-boxes in [12,62,65], and the SAC (max) value is less than that of the S-boxes in [12,62,65]. This reveals that the proposed scheme generates S-boxes with higher confusion than the schemes in [12,62,65]. The SAC values indicate that the confusion-creation capability of the new S-box is equal to the S-box in [51] and comparable to that of [48,66]. Now, the minimum (BIC (min)) and maximum (BIC (max)) of the off-diagonal values of B(S) for S in Table 1 are 0.4688 and 0.5293, respectively. Table 2 reveals that the BIC (min) of the proposed S-box is comparable with that of the S-boxes in [8,12,37,48,51,58,[62][63][64][65][66], and the BIC (max) value of the current S-box is less than that of the S-boxes in [8,12,48,51,[64][65][66]. Thus, the proposed scheme generates S-boxes with diffusion-creation capabilities comparable to the S-boxes in [8,12,37,48,51,58,[62][63][64][65][66].

The Proposed Encryption Scheme
Suppose we want to encrypt an image I of size u × v over the symbol set [0, 2 m − 1], and I(i, j) represents the pixel lying at the intersection of the i-th row and the j-th column. Furthermore, let S I denote the sum of all pixel values of I. Then, the proposed encryption scheme consists of the following steps.

Generation of Keys
To encrypt an image of size u × v, we need to generate an EC E n,b , over a ring Z n , for n = ∏ k i=1 p i . For the sake of convenience, we take k = 2 and n ≥ uv, so that we choose primes p 1 , p 2 and integers b, t ∈ Z n to generate E n,b . Thus, p 1 , p 2 , b and t are chosen in such a way that there exists at least uv points (x, y) ∈ E n,b , where y is attaining each value in the interval [0, 2 m − 1]. This condition is imposed to ensure the generation of an S-box using points of the EC E n,b . We further choose an integer value 1 as a key. The use of the key 1 is explained in Section 4.4(i). The parameters p 1 , p 2 , b, t, and 1 are all secret keys.

Masking Phase
Before masking an image I, we first arrange the points of the EC E n,b according to the ordering ≺ D . After ordering, we assume that (x i , y i ) ∈ E n,b stands for the i-th point of the EC E n,b . The reason for this is that the ≺ D diffuses the y-coordinates of the points lying on an EC, because, over a ring of integers Z n , if (x, y) ∈ E n,b , then, for such an x, there are at least two values y 1 , y 2 of y in Z n , such that (x, y 1 ), (x, y 2 ) ∈ E n,b . The masking phase of an image I takes place as follows: The purpose of constructing matrix M is to design a sequence from both coordinates of E n,b . The elements of the said sequence are used to hide the pixel values of an image I; (ii) Choose a submatrix N, which consists of the first uv entries of the matrix M because only the uv values are needed to hide the pixel values. The chosen n should not be less than uv; otherwise, in Section 4.3(i), the construction of M 2 with size u × v will not be possible; (iii) The sensitivity to the plain image is necessary for a secure cryptosystem. For this purpose, transform the entries of N by the pixel value I(1, 1) to obtain the matrix B, given by: There is no restrictions on pixel or the number of pixels. Any number of arbitrary pixels may be used for transformation. For the sake of convenience, only one pixel value I(1, 1) is fixed; (iv) For the sake of simplicity, reshape the matrix B to construct a matrix with u rows and v columns. By reshaping B, we mean that B is divided into v blocks such that each block contains u entries and the i-th block represents the i-th column of the matrix B, so that the corresponding values of both B and I are combined to hide the pixel values of the image I; (v) To obtain the masked image M I , mask the pixels of image I using Equation (7): Since there is a one-one correspondence between E n,b and E p 1 ,b × E p 2 ,b , E n,b may be mapped onto E p 1 ,b and E p 2 ,b , respectively, via the following maps: (x, y) → (x (mod p 1 ), y (mod p 1 )), (8) (x, y) → (x (mod p 2 ), y (mod p 2 )).
These two ECs, E p 1 ,b and E p 2 ,b , are used to alter the pixels of an image. The S-box generated on E n,b is used to create the confusion in the encrypted image. The steps of the said procedure are explained in the following phase.

Diffusion Phase
The steps of this phase are explained as follows: For 1 ≤ i ≤ #E n,b , construct two row matrices, M k , k = 1, 2, due to the all points (x ik , y ik ) ∈ E p k ,b for both primes p k , k = 1, 2, respectively, such that:
In fact, we want to generate two sequences using ECs E p 1 ,b and E p 2 ,b . Both sequences consist of integer values, which are further used to alter the pixel values of the masked image M I in Section 4.3(v) and to permute the image P in Section 4.4(iii), respectively; (ii) Take submatrices N k , k = 1, 2 containing the first uv entries of M k , k = 1, 2, respectively, so as to choose the sequences of length that are equal to that of the number of pixels in the image I; (iii) Modify the sizes of above constructed matrices, so that N k , k = 1, 2 has u rows and v columns. The reason for generating such matrices has been explained previously; (iv) Apply the modulo 2 m operator to N k , k = 1, 2 to generate the matrices B k , k = 1, 2, consisting of m-bit integers. Since for encrypting m-bit images, m-bit sequences are needed; (v) Convert the elements of M I and B k , k = 1, 2 into the binary format and generate the image X 1 by diffusing the pixels of M I by the following equation: where ⊕ is a logical operator (XOR operation by binary bit) known as exclusive disjunction.

Confusion Phase
For a secure cryptographic algorithm, it is necessary to have a desired level of confusion. For the current cryptosystem, the confusion phase consists of the following steps: Choose a secret key 1 to construct a shifting parameter 2 , such that 2 = S I + 1 (mod 2 m ); then, give a circular shift to the S-box σ(n, t) to design a new S-box σ(n, t, 2 ). The shifting parameter, the secret key 1 , and S I are linked in order to enhance the sensitivity to the plain image I; (ii) Permute the pixels of the image X 1 using the S-box σ(n, t, 2 ) as follows: In the coming encryption of a 4 × 4 hypothetical image , the first entry of X 1 is 2. Then, σ(n, t, 2 )(2) represents the third entry of the S-box σ(n, t, 2 ), which is 1. That is, σ(n, t, 2 )(r) stands for the (r + 1)-th element of the S-box σ(n, t, 2 ); (iii) In order to obtain the scrambled image X 2 , repeat Section 4.3(v) using P in place of M I , and replacing B 1 (i, j) with B 2 (i, j), such that: (iv) Finally, to obtain the encrypted image C with the desired level of confusion, permute the image X 2 as follows: The flowchart of the proposed encryption scheme is shown in Figure 1. We theoretically derive the time complexity of the proposed scheme in Theorem 1.
Theorem 1. Let I be a plain image of size u × v, and let n ≥ uv be a positive integer; then, the time complexity of the proposed scheme is O max{nt, (#E n,b ) log(#E n,b )} , where t ≤ n is an integer such that E n,b is computed for all x ∈ [0, n − 1] and y ≤ t.
Proof. In the key generation phase (Section 4.1), to compute all (x, y) ∈ E n,b , we need to check for each x ∈ [0, n − 1], t values of y ∈ [0, t − 1], such that y 2 ≡ x 3 + b (mod n). Thus, the computation of E n,b takes O(nt) time. Further, the ordering of the points of the EC E n,b needs O (#E n,b ) log(#E n,b ) time. In Section 4.2(i), we can see that #M = 2(#E n,b ); therefore, M can be constructed in O(n) time. As #N = #B = uv, we can design N, B by a for loop, executing uv times. Furthermore, B can be reshaped by two nested loops, such that one loop executes u times, while the other executes v times. In a similar way, we can add two matrices of the same order by two nested loops. Thus, the time complexity of Section 4.2(ii)-(v) is O(uv). From the chosen keys, we have n ≥ uv and #E n,b ≤ n, so that the complexity of the masking phase is O max{nt, (#E n,b ) log(#E n,b )} . Now, we can map the EC E n,b on the ECs E p 1 ,b , E p 2 ,b in O(n) time. In the diffusion phase (Section 4.3(i)), #M k = 2(#E n,b ) and #N k = #B k = uv for k = 1, 2. Therefore, Section 4.3(i)-(v) takes O(#E n,b ) and O(uv) time, respectively.
In the confusion phase (Section 4.4(i)), the time required to compute S I is O(uv) and 2 can be computed in constant time. Since X 1 has uv entries, we can implement Section 4.4(ii)-(iv) in O(uv) time, using two nested loops executing u and v times, respectively.
Clearly, nt > n and n ≥ uv; thus, the above discussion implies that the time complexity for the presented scheme is O max{nt, (#E n,b ) log(#E n,b )} .
As the time complexity is dependent on the parameter t, that is, the time is controllable with t, the current scheme is effective, particularly when a large dataset of images is to be encrypted.
The whole process is illustrated by the encryption of a 4-bit hypothetical image, as shown in Figure 2.

Decryption
The decryption process takes place by reversing all the steps of the encryption process. The receiver will need the keys p 1 , p 2 , b, t, and 1 to generate the inverse S-box σ −1 (n, t, 2 ) and the matrices B k , k = 1, 2. Then, by the use of Equations (6), (7), and (10)- (13), one can obtain the original image I.

Security Analysis
In this section, some well-known metrics are described, which are generally used to measure the security level of new algorithms. The security of the proposed encryption scheme is evaluated by performing experiments on all-gray images of different sizes, taken from the USC-SIPI database [69]. The database consists of square images of size w × w, w = 256, 512, 1024. The plain images of Lena and Clock, along with their encrypted images, are shown in Figure 3. The experiments are performed by taking the parameters p 1 = p 2 = 1031, b = 7, t = 1031 2 and 1 = 80 − S I , using MATLAB 2016a on a personnel machine equipped with a 1.8 GHz processor, 6 GB RAM, and Windows 10 operating system. The security strength of the encryption algorithm is analyzed in the following subsections.

Differential Attacks Analysis
The cryptographic strength of an encryption scheme against differential attacks is analyzed by two measures: the number of pixels' change rate (NPCR) and the unified average changing intensity (UACI). In an encryption algorithm, the change of one pixel of a plain image has an influence on the encrypted image. The NPCR is a criterion used to measure the influence of a change in a plain image on the ciphers. The UACI criterion measures the average intensity difference between two different images. If I and I are any two plain images of the same dimension u × v, and C I and C I are the respective cipher images of I and I , then NPCR and UACI are calculated by Equations (14) and (15), as given by: where τ(i, j) = 0 if C I (i, j) = C I (i, j), and τ(i, j) = 1, otherwise.  33.5088], respectively [18]. We randomly choose i and j, and a random value is assigned to the pixel I(i, j) for each image I of the database. The random values of i, j and I(i, j) for images of size w = 256 are shown in Figure 4a. Then, the NPCR and UACI results for the current scheme are computed for each image of the database for a randomly chosen pixel value I(i, j); the graphical results are shown in Figure 4b,c, where the average values of NPCR and UACI are 99.60 and 33.32, respectively, which are close enough to the expected values. Moreover, we randomly changed one pixel value of some images, and compared the results of the NPCR and UACI tests with the results of the recent schemes in [14][15][16][17][18]28,51,57,70,71], as shown in Tables 3 and 4, respectively. The pass ratio for the proposed scheme in Table 3 is higher than that of the schemes in [14,15,17,28,51], and equal to that of the schemes in [16,18,57,70,71]. Similarly, the pass ratio for the proposed scheme in Table 4 is higher than that of the schemes in [15][16][17]51,57,70] and equal to that of the schemes in [14,18,28,71]. It follows that the proposed scheme has better performance against differential attacks than the schemes in [14][15][16][17]28,51,57], and has comparable performance to the schemes in [18,71].  Pass/All 9/9 9/9 8/9 8/9 2/9 9/9 7/9 9/9 9/9 8/9 9/9 Pass/All 9/9 9/9 9/9 9/9 1/9 6/9 2/9 9/9 6/9 3/9 2/9

Information Entropy
Information entropy is used to measure disorder in an image. Equation (16) is used to determine the randomness of an image I: where p(x i ) represents the probability of a pixel value x i , and k is the total number of gray values in an image I. For an 8-bit encrypted image, the ideal value of entropy is 8, which corresponds to the highest level of uncertainity. Thus, for a cryptographically strong encryption scheme, the value of H(I) should be close to 8. The entropy results for the current scheme are computed for each image of the database as shown in Figure 4d. The entropy for images of size w = 256, 512, 1024 are lying in the ranges [7.9966, 7.9977], [7.9991, 7.9995], and [7.9998, 7.99987], respectively. In all cases, the entropy approaches the optimal value. Consequently, the proposed encryption scheme is capable of providing high randomness in a cipher. The comparison of the entropy results is carried out in Table 5. It is clear from Table 5 that the information entropy for the presented scheme is higher than that of [15][16][17]19,20,28,46,51,57] and comparable to that of the schemes in [14,18,41,72]. Thus, our scheme generates encrypted images having more randomness than the techniques in [15][16][17]19,20,28,46,51,57].

Histogram
A histogram of an image represents the frequency distribution of the gray values. If each pixel value occurs with almost equal frequency in an image, then the histogram of that image is said to be uniform. The histogram of an ordinary image is always highly nonuniform, while a properly encrypted image has a uniform histogram. Figure 5a,c depicts the histograms of the plain images in Figure 3a,e, repectively, and Figure 5b,d shows the histograms of the cipher images in Figure 3d,h, respectively. It is evident from the histograms that the proposed scheme encrypts an image in such a way that it does not reveal any secret information of the former.

Correlation
A pixel of an ordinary image has high correlation with adjacent pixels. A good encryption scheme breaks the correlation among the pixels of an encrypted image. The correlation coefficient between datasets x and y of the same size M is determined by: In addition, a random sample of 2560 pairs of pixels is selected along the horizontal, diagonal, off-diagonal, and vertical directions from both the plain image and the cipher image of Lena 512×512 . The correlation distribution between the adjacent gray values before and after encryption is shown in Figure 7.
It follows From Figure 7a-d that adjacent pixels of the plain image are in high correlation, but Figure 7e-h indicates that the proposed scheme successfully weakens the correlation of the pixels.

Key Space
Key space is a set consisting of the all possible secret keys for a cryptosystem. Generally, for a good cryptosystem, the size of a key space should be at least 2 128 . The five keys p 1 , p 2 , b, t, and 1 are introduced by the proposed scheme. The least number of bits to store a key required by the proposed algorithm is 29. Thus, the size of our key space is 2 145 , which is much larger than 2 128 . Hence, the described scheme has the capability to resist brute-force attacks in an efficient way.

Key Sensitivity
This is an important feature of a cryptographically strong cryptosystem. Key sensitivity is also necessary to resist brute-force attacks. If a small change in a key leads to a significant change in the cipher, then the cryptosystem is said to be sensitive to the keys. For this purpose, we decrypted the Lena image by changing a single key; the results are shown in Figure 8b-d. Moreover, slightly changing the keys b and p change the coordinates of the ECs E 257,1 , E 257,2 , and E 257,1 , E 263,1 ; these are shown in Figure 9a,b, respectively. Figure 9 shows the sensitivity of the masking phase to the parameters of the ECs. From Figures 8 and 9, it follows that slight changes in a key lead to very different results. Hence, our proposed scheme is highly sensitive to the keys.

Plain-Text Attacks
There are two types of plain-text attacks, i.e., known plain-text attacks and chosen plain-text attacks. In known plain-text attacks, the attacker knows about a string of the plain text, along with the relevant string of the cipher text. In chosen plain-text attacks, the adversary has a partial access to the encryption scheme. That is, the adversary can obtain the ciphered string for a chosen plain-text string. For this purpose, attackers use all-black or all-white images to obtain information about the encryption scheme [50], so that a secure encryption scheme encrypts all-black and all-white images with optimal results. The efficiency of the current scheme is visible from Table 7 and Figure 10.    Figure 10 indicate that the current scheme not only randomizes the allwhite and all-black images, but also weakens the pixels' correlation and makes the pixels' distribution uniform in the encrypted images. Thus, the proposed scheme is highly secure against both kinds of plain-text attacks.

An Application to Encryption of Color Images
In this section, we apply the proposed scheme to the color images. We encrypted images of Female 256×256 , Lena 512×512 , and San Francisco 1024×1024 using the parameters p 1 = p 2 = 1031, b = 7, t = 1031 2 , and 1 = 80 − S I , where I stands for the R (Red), G (Green), and B (Blue) components of an image, respectively. The plain and encrypted images of Female 256×256 , Lena 512×512 , and San Francisco 1024×1024 are shown in Figure 11.
The NPCR and UACI results are computed by randomly changing a pixel value in each channel. It can be observed from Table 8 that the NPCR and UACI results of each channel for the tested color images lie in the expected range. Similarly, the entropy results of the R, G, and B components also belong to the expected ranges for each of the color images. The experimental results of the color Lena 512×512 are compared with the results of the schemes in [7,28,29,[73][74][75][76][77][78], as shown in Tables 9 and 10.  The results in Table 9 reveal that the NPCR values for the R, G, and B components of Lena 512×512 are greater than the theoretical value (99.5893). Apart from this, the R component's NPCR value is greater than the values of the schemes in [29,75], equal to that of [7,77], and comparable with [28,74,76]. The NPCR value of the G plane is greater than all the NPCR results of to the schemes in [7,28,29,[73][74][75][76][77]. Similarly, the NPCR results of the B component is better than the results of [7,28,29,[74][75][76][77][78]. In addition, the average NPCR value resulting from the current scheme is greater than the NPCR results of all the listed schemes in Table 9. The UACI results of the R, G, and B components of the current scheme lie in the expected range. Furthermore, the UACI results of the new scheme for all the three components are better than the results of the schemes in [7,73,75,78] and comparable to that of the schemes in [28,29,74,76,77]. It follows that the proposed scheme is better in performance against the differential attacks than the schemes in [7,28,70,[73][74][75][76][77][78].

Scheme
Image Entropy

R G B Average
Proposed Lena Table 10 reveals that the entropy value of the R component is greater than that in [74,75,77] and equal to the values of [76,78]. The entropy value of the G component is also greater than that in [74,75,77] and equal to the value of [29]. Similarly, the entropy result of the B component is greater than the results of [28,29,43,[73][74][75]77,78] and equal to that of [7,76]. In addition, the average entropy value resulting from the current scheme is better than that of the schemes in [73][74][75]77] and equal to that of the results of [28,29,43,76,78]. This discussion indicates that the current scheme generates encrypted color images with higher randomness than the schemes in [74,75,77], and the randomness of the encrypted images in current scheme and the schemes in [29,78] is comparable.
The histograms of the channels of the plain Lena 512×512 and the encrypted Lena 512×512 are shown in Figure 12a-f, respectively. Figure 12 confirms that the histograms of the encrypted channels are uniform and, hence, the presented scheme encrypts color images having high resistance against the statistical attacks. (d-f) histogram of the encrypted R, G, and B channels of the color Lena 512×512 , respectively.
In Table 11, the correlation of the adjacent pixels of three different encrypted images with different sizes is shown. It is evident that the proposed scheme encrypts any image in such a way that it weakens the correlation between two adjacent pixels of any channel. Along with other properties, a good encryption scheme should be highly efficient. Different color images with different sizes are encrypted using the current scheme. To demonstrate the efficiency of the current scheme, the encryption times (sec) for the said three images are computed, since we use a pre-computed EC over the ring of integers as an input for all input images. While computing the encryption time, the time taken by the inputs is not taken under the consideration. The encryption time of the current scheme is compared with the time of some recent schemes [28,78,79], as shown in Figure 13. The results for the schemes in [28,78,79] are available in Table 3 of [80]. For images of size w = 256,512, the performance of our scheme is comparable with that of [28], and for w = 1024, the new scheme is highly efficient, compared to the scheme of [28]. Similarly, in Figure 13, the plots of [78,79] are overlapping, but our scheme is more efficient than [78,79] for images of all sizes.
Thus, the presented scheme is capable of efficiently encrypting color images as well, and can be used for the good encryption of color images.

Conclusions
We proposed a new S-box generator and an image encryption algorithm. We employed an EC over a ring of integers instead of a finite field. The presented S-box is highly resistive against linear attacks when compared to the S-boxes generated by the ECs over finite fields in [37,51,58] and the S-boxes of [62][63][64][65][66]. The confusion-creation capability of the proposed S-box is higher than that of the S-boxes in [8,37,58].
Furthermore, our encryption scheme has better performance against differential attacks than that of the EC-based schemes [51,57] and the schemes in [14][15][16][17]28], and provides encrypted images with higher randomness than the schemes in [15][16][17]19,20,28,51,57]. The current scheme is also used for different color images. The presented scheme is able to encrypt color images with low run-times and higher security when compared with [78,79], while the scheme in [51] discusses the novelty regarding only gray images. Furthermore, for relatively large images, the run-time of the current scheme is very low, compared to the schemes in [28,78,79]. The future directions consist of the following works: (i) To improve the current scheme for the simultaneous encryption of all channels of a color image; (ii) To optimize the current scheme for a text-encryption algorithm; (iii) To generate random numbers based on ECs over rings and employ the sequence of random numbers in text encryption; (iv) To generate random binary sequences using ECs over a ring of integers and experimentally prove their cryptographic strength.

Conflicts of Interest:
The authors declare no conflict of interest.