A Novel Virtual Optical Image Encryption Scheme Created by Combining Chaotic S-Box with Double Random Phase Encoding

The double random phase encoding (DRPE) system plays a significant role in encrypted systems. However, it is a linear system that leads to security holes in encrypted systems. To tackle this issue, this paper proposes a novel optical image encryption scheme that combines a chaotic S-box, DRPE, and an improved Arnold transformation (IAT). In particular, the encryption scheme designs a chaotic S-box to substitute an image. The chaotic S-box has the characteristics of high nonlinearity and low differential uniformity and is then introduced to enhance the security of the DRPE system. Chaotic S-boxes are resistant to algebraic attacks. An IAT is used to scramble an image encoded by the DRPE system. Meanwhile, three chaotic sequences are obtained by a nonlinear chaotic map in the proposed encryption scheme. One of them is used for XOR operation, and the other two chaotic sequences are explored to generate two random masks in the DRPE system. Simulation results and performance analysis show that the proposed encryption scheme is efficient and secure.


Introduction
With the rapid development of computers and the Internet, information security has received extensive attention from academia and industry, and the security protection of image data is a significant and current research topic. To guarantee the security of images, researchers have developed many techniques including image encryption [1][2][3], watermarking [4,5], and data hiding [6,7], wherein image encryption is the most direct and effective method. Owing to the high speed and the multi-dimensional and parallel processing capabilities of optical systems, researchers have taken a keen interest in the study of optical image encryption [8,9]. For example, the double random phase encoding (DRPE) architecture based on a 4f optical system was first proposed by Refregier and Javidi [10].
Although DRPE is an effective scheme, it is a linear encryption process; as a result, DRPE-based image encryption algorithms are vulnerable to some specific attacks. To tackle this issue, many scholars have recently studied nonlinear optical image encryption. For instance, Qin et al. proposed a secure nonlinear cryptosystem based on phase truncation in the Fourier transform domain, which overcame the linear weakness of DRPE systems [17], but it was cracked by the authors of [18]. Chen et al. proposed a method to enhance the security of DRPE using phase preservation and compression and applied a nonlinear correlation algorithm to authenticate the decrypted image to improve the security of the DRPE system [19]. Wang et al. proposed an encryption-efficient asymmetric optical image encryption algorithm based on improved amplitude and phase recovery [20]. By introducing nonlinear terms, Dou et al. developed a novel DRPE system [21]; it was, however, cracked by the authors of [22]. In addition, Faragallah et al. introduced an efficient compression der a 2-D Henon-map [63]. The performance analysis showed that this algorithm achieved good confusion and diffusion capabilities. Therefore, encrypting images based on chaotic S-boxes can produce good encryption effects.
S-boxes were introduced in some algorithms to enhance DRPE [64][65][66]. Hussain et al. proposed to utilize an information-hiding technique to design an optical image encryption algorithm [64]. In the designed algorithm, the DRPE and S-box transformation were applied. They also designed an optical image encryption system based on a fractional Hartley transform and an S-box using linear fractional transform and chaotic maps [65]. Girija et al. proposed to encrypt images with DRPE and a random S-Box [66]. However, the research on the combination of DRPE and the Chaotic S-box to achieve a high degree of nonlinearity has been under-studied.
The main contributions of this work are summarized as follows: (1) We explore a chaotic map and apply the stretch and fold transforms to construct an efficient and secure S-box. The cryptographic performance of the constructed S-box is tested. (2) A secure image encryption scheme is developed by integrating the chaotic S-box, DRPE, and IAT. In this scheme, the plaintext information is involved in the control parameters of IAT. All the gray pixel values are substituted by the S-box. We XOR the substituted image with a nonlinear chaotic sequence. Next, the two random-phase masks are generated by a nonlinear chaotic map. The XOR result is encoded by DRPE, and the obtained result is further confused by IAT. (3) Simulation and security analysis are conducted to verify the effectiveness of the proposed encryption scheme. Simulation results and performance analysis show that the proposed scheme is efficient and secure.
The remainder of the present paper is organized as follows. Some relevant fundamental knowledge is briefly introduced in Section 2. Section 3 presents the S-box obtained in our paper. The proposed cryptosystem approach for grayscale images is described in Section 4. Section 5 shows results and security analyses. Finally, we summarize this work in Section 6.

Overview of Optical DRPE Cryptosystem
The following encryption processes are performed on the original image: (1) modulate the original image with the first random phase mask placed in front of the input plane; (2) modulate the obtained result with the second random phase mask placed in front of the output plane to obtain an encrypted image [9]. After that, the encrypted image becomes stationary white noise of complex amplitude. Figure 1 depicts the principle of the optical DRPE cryptosystem. The process of encryption and decryption is given by Equations (1) and (2): where $F(x, y)$ and $G(x, y)$ denote the plain and cipher images, respectively; $\mathrm{FT}\{\cdot\}$ indicates the Fourier transform (FT), and $\mathrm{FT}^{-1}\{\cdot\}$ represents the inverse Fourier transform (IFT). The two random phase masks are $\exp[i2\pi m(x, y)]$ and $\exp[i2\pi n(u, v)]$, where $m(x, y)$ and $n(u, v)$ are uniformly distributed between 0 and 1.
Figure 1. The architecture of the optical DRPE cryptosystem.
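The linearity that the introduction names as the weakness of DRPE can be checked numerically. The following is an added example, not code from the paper: it assumes the standard DRPE form G = IFT{FT{F·exp(i2πm)}·exp(i2πn)} because Equation (1) is not reproduced above, and the function names, mask seeds and 8 × 8 sample images are constructed for illustration.

```python
import cmath
import random

def dft2(a, inverse=False):
    """Naive 2-D DFT of a square matrix; adequate for a tiny demo image."""
    n = len(a)
    sign = 1 if inverse else -1
    w = [[cmath.exp(sign * 2j * cmath.pi * p * q / n) for q in range(n)]
         for p in range(n)]
    rows = [[sum(a[x][y] * w[y][v] for y in range(n)) for v in range(n)]
            for x in range(n)]
    out = [[sum(rows[x][v] * w[x][u] for x in range(n)) for v in range(n)]
           for u in range(n)]
    if inverse:
        out = [[z / (n * n) for z in row] for row in out]
    return out

def phase_mask(n, seed):
    """exp[i*2*pi*m] with m uniform in [0, 1); the seed stands in for the key."""
    rng = random.Random(seed)
    return [[cmath.exp(2j * cmath.pi * rng.random()) for _ in range(n)]
            for _ in range(n)]

def mul(a, b):
    """Element-wise product of two matrices."""
    return [[p * q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]

def add(a, b):
    """Element-wise sum of two matrices."""
    return [[p + q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]

def conj(m):
    """Complex conjugate of every entry (inverse of a unit-modulus mask)."""
    return [[z.conjugate() for z in row] for row in m]

def drpe_encrypt(img, m1, m2):
    """G = IFT{ FT{F * mask1} * mask2 } (standard DRPE form, assumed)."""
    return dft2(mul(dft2(mul(img, m1)), m2), inverse=True)

def drpe_decrypt(cipher, m1, m2):
    """Undo the two modulations with the conjugate masks."""
    return mul(dft2(mul(dft2(cipher), conj(m2)), inverse=True), conj(m1))

def max_abs_diff(a, b):
    """Largest element-wise distance between two matrices."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))

def linearity_gap(f1, f2, m1, m2):
    """max |E(F1 + F2) - (E(F1) + E(F2))|; about 0 means the cipher is linear."""
    joint = drpe_encrypt(add(f1, f2), m1, m2)
    parts = add(drpe_encrypt(f1, m1, m2), drpe_encrypt(f2, m1, m2))
    return max_abs_diff(joint, parts)

# Constructed 8x8 sample images and mask seeds (not data from the paper).
_rng = random.Random(1)
F1 = [[_rng.randrange(256) for _ in range(8)] for _ in range(8)]
F2 = [[_rng.randrange(256) for _ in range(8)] for _ in range(8)]
M1, M2 = phase_mask(8, 11), phase_mask(8, 22)

if __name__ == "__main__":
    print("linearity gap:", linearity_gap(F1, F2, M1, M2))
    print("round-trip error:",
          max_abs_diff(drpe_decrypt(drpe_encrypt(F1, M1, M2), M1, M2), F1))
```

The gap is at floating-point noise level for any pair of images, which is the property the S-box substitution and XOR stages are meant to break before the DRPE stage.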

Nonlinear Chaotic Map
The formulas of a nonlinear chaotic map are given by Equation (3) Figure 2a-d, respectively. When $k_1 = 32.5$, $k_2 = 34.3$, $k_3 = 28.1$, and $\mu = 3.999$, the chaotic attractor of this system is shown in Figure 2e.

Improved Arnold Transformation
In the 1960s, Vladimir Arnold discovered the Arnold map (AM), which has no attractor and is used to scramble images [68].
AT can be described as the following Equation (4): where the four parameters a, b, c, and d are all positive integers in AT, and gcd(ad − bc, N) = 1. Equation (4) can be further transformed as follows:

$$x_{n+1} = (a x_n + b y_n) \bmod N, \qquad y_{n+1} = (c x_n + d y_n) \bmod N \tag{5}$$

To improve the performance of AT, we should use Equation (6) rather than Equation (5) [69].

The nonlinear term makes the improved AT change the deficiency of quasi-affine transform and enhances the ability and security of AT against differential attacks.
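Equation (5) can be exercised directly to see what the quasi-affine deficiency means in practice: the origin pixel never moves and the whole map is periodic. This is an added example, not the authors' code; it implements only the linear AT of Equation (5), since Equation (6) is not reproduced here, and the function names, the parameters (1, 1, 1, 2) and the 8 × 8 image are assumptions chosen for the demonstration.

```python
from math import gcd

def _check(a, b, c, d, n):
    """Eq. (5) is a bijection on the N x N grid only if gcd(ad - bc, N) = 1."""
    if gcd((a * d - b * c) % n, n) != 1:
        raise ValueError("gcd(ad - bc, N) != 1: pixels would collide")

def arnold_step(img, a, b, c, d):
    """One round: pixel (x, y) moves to ((ax + by) mod N, (cx + dy) mod N)."""
    n = len(img)
    _check(a, b, c, d, n)
    out = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            out[(a * x + b * y) % n][(c * x + d * y) % n] = img[x][y]
    return out

def inverse_params(a, b, c, d, n):
    """Parameters of the inverse map: det^-1 * [[d, -b], [-c, a]] mod N."""
    _check(a, b, c, d, n)
    det_inv = pow((a * d - b * c) % n, -1, n)
    return (det_inv * d % n, -det_inv * b % n,
            -det_inv * c % n, det_inv * a % n)

def period(a, b, c, d, n):
    """Smallest r >= 1 with M^r = I (mod N): r rounds restore every image."""
    _check(a, b, c, d, n)
    m = (a % n, b % n, c % n, d % n)
    p, r = m, 1
    while p != (1, 0, 0, 1):
        p = ((p[0] * m[0] + p[1] * m[2]) % n, (p[0] * m[1] + p[1] * m[3]) % n,
             (p[2] * m[0] + p[3] * m[2]) % n, (p[2] * m[1] + p[3] * m[3]) % n)
        r += 1
    return r

def scramble(img, params, rounds):
    """Apply the map `rounds` times."""
    for _ in range(rounds):
        img = arnold_step(img, *params)
    return img

# Constructed 8x8 test image whose pixel values encode their own position.
IMG = [[8 * x + y for y in range(8)] for x in range(8)]
CAT = (1, 1, 1, 2)   # classic Arnold cat map parameters, chosen for the demo

if __name__ == "__main__":
    once = arnold_step(IMG, *CAT)
    print("origin pixel unchanged:", once[0][0] == IMG[0][0])
    print("period for N=8:", period(*CAT, 8))
    print("period for N=256:", period(*CAT, 256))
    print("inverse restores image:",
          arnold_step(once, *inverse_params(*CAT, 8)) == IMG)
```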

Transform of Stretch and Fold
a. The stretch transform of nonadjacent rows and columns
The procedure of the stretch transform of nonadjacent rows and columns [70] is as follows: insert the pixels of a row or column of the image pixel matrix into other adjacent rows or columns of pixels, stretch the obtained pixels into a 1-D series, and then fold them to the same size as the original image matrix. This will guarantee efficient scrambling of the original adjacent pixels (not at the original positions). Figures 3 and 4a,b illustrate the detailed process.
b. The fold transform of a snake line
The process of the fold transform of a snake line can be described as follows: arrange the pixels in the image matrix in the order of a snake line, put the obtained pixels into a 1-D series, and then fold them to the same size as the original image matrix [70]. Figures 3 and 4c show the detailed process.

The Proposed S-Box Generation Scheme
Step 1: We iterate the chaotic system of Equation (3) with initial values $x_0$, $y_0$, $z_0$. At the $N_0$-th iteration, $x_1$, $y_1$, $z_1$ can be obtained. Then, S is defined as an array of 256 integers.
Step 2: We take $x_1$, $y_1$, $z_1$ as initial values to avoid the transient effect, and then obtain three chaotic sequences from the $(N_0 + 1)$-th value.
Step 3: An integer sequence $t_i$ ranging from [0,2] is calculated by using Equation (7).
Step 4: Substitute y i 1 , and z i 1 into Equations (8) and (9) to obtain integer sequences $Y_i$ and $Z_i$ ranging from [0,255], respectively.
Step 5: The array S can be calculated by the following Equation (10). The number stored in S is not repeated. When array S is filled, the S-box is obtained.
Step 6: The integer sequence S is arranged into a 16 × 16 table to obtain an initial prototype S-box.
The minimum, maximum, and average nonlinearities of the obtained S-box are 104, 110, and 107, respectively, as shown in Table 2. Thus, the obtained S-box is resistant to differential linear attacks.

Proposed Encryption and Decryption Framework

Encryption Scheme
The encryption scheme is presented in Figure 5. We suppose the grey plaintext image P is of size M × N, and the pixel values range from 0 to 255. The detailed description is presented below.
Step 1: Substituting the initial values $x_0$, $y_0$, $z_0$ into Equation (3), we can obtain $x_1$, $y_1$, $z_1$ after $N_0$ iterations.
Step 2: Consider $x_1$, $y_1$, $z_1$ as initial values; then obtain three chaotic sequences from the $(N_0 + 1)$-th value.
Step 3: Substitute $x_i$, $y_i$ and $z_i$ into Equations (11)-(13) to obtain integer sequences $xx_i$, $yy_i$ and $zz_i$ ranging from [0,255], respectively.
Step 4: For the plain image P, use a binary value $w = b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0$ to represent a pixel of it. Let $i = b_7 b_6 b_5 b_4$ be the binary representation of a row index value, and convert it to a decimal value s. Let $j = b_3 b_2 b_1 b_0$ be the binary representation of a column index value, and convert it into a decimal value t. Replace the pixel with the element in the (s + 1)-th row and (t + 1)-th column of the S-box to obtain the substituted image P′.
Step 5: Arrange the pixels of P′ into a 1-D sequence $B = \{b_1, b_2, \ldots, b_{M \times N}\}$ in left-to-right and top-to-bottom order.
Step 6: Calculate $c_i$ by Equation (14): where ⊕ is the XOR operation, and $c_i$ is the output pixel data.
Step 8: Perform FT and IFT according to Equation (1) to obtain an image D.
Step 9: The average value of the plaintext P is calculated by Equation (15).
Step 10: The parameter k is calculated by Equation (16).
Step 11: Substitute k into Equation (6), that is, the IAT. Then scramble the complex-valued image D; finally, the encrypted image E can be obtained. It is noteworthy that the encrypted image E is a complex-valued distribution.
In our paper, the proposed scheme is symmetric. The decryption process will not be repeated here.
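The properties claimed for the S-box (no repeated entries in Step 5 of the generation scheme, and the reported nonlinearity figures) and the nibble lookup of encryption Step 4 can be checked with a short script. This is an added example, not the authors' code: `demo_sbox` is a seeded shuffle standing in for the chaotic S-box (Equations (3) and (7)-(10) are not reproduced on this page), nonlinearity is taken over the eight output bits as an assumption about how the reported minimum, maximum and average were computed, and all function names are hypothetical.

```python
import random

def demo_sbox(seed=2022):
    """Constructed stand-in permutation of 0..255 (not the paper's S-box)."""
    s = list(range(256))
    random.Random(seed).shuffle(s)
    return s

def is_bijective(sbox):
    """Every value 0..255 appears exactly once, so decryption can invert it."""
    return sorted(sbox) == list(range(256))

def to_table(sbox):
    """Arrange the 256 entries as the 16 x 16 table used in the text."""
    return [sbox[r * 16:(r + 1) * 16] for r in range(16)]

def substitute(pixel, table):
    """Step 4: high nibble selects the row, low nibble selects the column."""
    s, t = pixel >> 4, pixel & 0x0F
    return table[s][t]

def invert(sbox):
    """Inverse S-box needed by the symmetric decryption path."""
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv

def walsh_max(truth):
    """Largest |Walsh coefficient| of a Boolean function (fast WHT)."""
    w = [1 - 2 * b for b in truth]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return max(abs(v) for v in w)

def nonlinearity(sbox):
    """(min, max, mean) of 128 - max|W|/2 over the eight output bits."""
    vals = [128 - walsh_max([(y >> bit) & 1 for y in sbox]) // 2
            for bit in range(8)]
    return min(vals), max(vals), sum(vals) / 8

def differential_uniformity(sbox):
    """max over a != 0 and b of #{x : S[x ^ a] ^ S[x] = b}; lower is better."""
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        worst = max(worst, max(counts))
    return worst

SBOX = demo_sbox()

if __name__ == "__main__":
    print("bijective:", is_bijective(SBOX))
    print("nonlinearity (min, max, mean):", nonlinearity(SBOX))
    print("differential uniformity:", differential_uniformity(SBOX))
    print("pixel 0xA7 ->", substitute(0xA7, to_table(SBOX)))
```

An identity table scores nonlinearity 0 and differential uniformity 256, which is the fully linear baseline against which a candidate S-box should be compared.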

Key Space Analysis
In the proposed scheme, the initial values $x_0$, $y_0$, $z_0$ and the parameters $k_1$, $k_2$, $k_3$, $\mu$ of a chaotic system are used as the secret keys. If the precision is set to $10^{-14}$, the key space of this scheme is $10^{14 \times 7} = 10^{112} \approx 2^{372} \gg 2^{100}$ [77], which can resist brute-force attacks effectively.

Key Sensitivity Analysis
The key is sensitive if a slight change in the key with other keys remaining unchanged will result in a completely different decryption result. Figure 7 shows sensitivity analysis results of security keys. Figure 7a-c show the decrypted images corresponding to the encrypted image Figure 6b with the keys $x_0 = 0.16 + 10^{-14}$, $k_1 = 32.5 + 10^{-14}$, and $\mu = 3.999 + 10^{-14}$, respectively. Therefore, the proposed scheme exhibits high key sensitivity.

Histogram Analysis
The histogram of an excellent encryption image should be uniformly distributed [56]. The histograms of the plaintext images are shown in Figure 8a,c,e,g,i,k,m,o, respectively. The histograms of the corresponding encrypted images are shown in Figure 8b,d,f,h,j,l,n,p, respectively. We can observe that the image information distribution of ciphertext encrypted with different plaintext is uniform. Therefore, the scheme proposed can resist statistical attacks.

Chi-Square Test Analysis
To analyze the distribution of the encrypted image histogram intuitively, we perform a Chi-square test. The more uniform the encrypted image pixels are, the lower the Chi-square value is.
The Chi-square value of an encrypted image can be calculated by Equation (17) [56]: where $q_i$ is the number of pixels with value $i$, and $M \times N$ is the size of a cipher image.
The Chi-square test results of the encrypted images are given in Table 3. At the 5% significance level, the Chi-square value is $\chi^2_{0.05} = 293.2478$. Table 3 shows that the test results of cipher images are not greater than 293.2478. Thus, the proposed scheme has the ability to resist statistical attacks.

Mean Squared Error and Peak Signal-To-Noise Ratio Analysis
The mean square error (MSE) and Peak Signal-to-Noise Ratio (PSNR) are explored to assess the difference between two images [78].
The MSE and PSNR can be computed by Equations (18) and (19), respectively:

$$\mathrm{PSNR} = 10 \log_{10}\left(\frac{255^2}{\mathrm{MSE}}\right) \tag{19}$$

where $M \times N$ is the size of an image, and $C(\cdot)$ and $D(\cdot)$ are the corresponding pixel values of two comparison images. The smaller the PSNR between the original image and the encrypted one, the better the encryption effect. If the PSNR value equals infinity, then the two images are the same. The test results in Table 4 show that the proposed scheme can achieve a good encryption effect. "∞" denotes "infinity" in the related study.

Correlation Analysis
To resist statistical analysis attacks, the encryption scheme should reduce the correlation of adjacent pixels of the encrypted image.
We calculate the correlation coefficients of the plain image and the cipher image according to Equations (20)-(23) [57]. In this paper, we randomly chose 3000 pairs of adjacent pixels from a plaintext image "Lena" and its corresponding ciphertext image, and calculated their correlation coefficients in horizontal, vertical, and diagonal directions. The adjacent pixel correlation distributions of Lena's plaintext image in each direction are shown in Figure 9a-c, respectively. The adjacent pixel correlation distributions of the magnitude of Lena's encrypted image in each direction are shown in Figure 9d-f, respectively. The correlation coefficients of Lena in each direction are shown in Table 5. The comparison results also reflect that our scheme indicates a negligible correlation. Thus, our scheme can resist statistical attacks effectively.

Differential Attack Analysis
The number of pixels change rate (NPCR) and unified average changing intensity (UACI) can be utilized to analyze the differential attack performance of an encryption scheme. NPCR is often utilized to measure the absolute number of value-changed pixels in differential attacks, and UACI is often utilized to measure the averaged difference between two paired ciphertext images. They are computed by Equations (24) and (25), respectively [58]: where $C_1(i, j)$ and $C_2(i, j)$ denote two different encrypted images, and $M \times N$ represents the size of an image. If $C_1(i, j) \neq C_2(i, j)$, then $D(i, j) = 1$; otherwise, $D(i, j) = 0$. The ideal value of NPCR is 99.6093%, and the ideal value of UACI is 33.4635% [61]. The NPCR and UACI values of ciphertexts of different images obtained by our scheme are shown in Table 6. The simulation results show that the NPCR and UACI values of the proposed scheme are close to the ideal values. Therefore, our scheme can resist differential attacks effectively.

We utilize data loss attacks and noise attacks to evaluate our scheme robustness.
a. Data loss attack
To evaluate the performance of our scheme in resisting data loss attacks [60], the encryption images with 1/16, 1/8, 1/4, and 1/2 data loss are shown in Figure 10a,c,e,g, and the corresponding decryption images are shown in Figure 10b,d,f,h, respectively. The simulation results show that our proposed scheme can resist loss attacks effectively in both Table 7 and Figure 10.
b. Noise attack
To evaluate the scheme performance, we added salt-and-pepper noise with different intensities and Gauss noise with diverse variances to a cipher image and then decrypted the noise-added cipher images [62]. The Gauss noise variances were 0.2, 0.3, 0.4 and 0.5, and the salt-and-pepper noise intensities were 0.001, 0.01, 0.05, and 0.1. In Table 6, the noise intensity and the values of the corresponding PSNR and MSE are shown. Obviously, the proposed scheme can resist noise attacks effectively, as shown in both Table 8 and Figure 11.

Entropy Analysis
The information entropy is used to reflect the randomness of the result of the encrypted image. The information source is denoted by t, and the entropy value is calculated by Equation (26) [63]: where $p(t_i)$ is the probability of the occurrence of pixel gray value $t_i$. The closer it is to 8, the more disordered the information. Table 9 lists the entropy values of ciphertexts of different images encrypted by our scheme. The entropy values of the encrypted Lena image by the proposed scheme in refs. [56,58,59] are depicted in Table 10. The entropy value of our scheme is closer to 8, as shown in Tables 9 and 10, which demonstrates that the scheme proposed is effective.
Table 9. Entropy values of different images (columns: Test Image, Plaintext Image, Encrypted Image).
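The Chi-square, NPCR/UACI and entropy checks described in the sections above, written out as an added example (not the authors' code). Equations (17) and (24)-(26) are not reproduced on this page, so the standard definitions are assumed; the functions expect 8-bit grey levels, so a complex-valued cipher image would first have to be reduced to such levels (for instance a quantised magnitude, also an assumption), and the two 256 × 256 images are constructed so that every ordered pair of byte values occurs once, which reproduces the ideal NPCR and UACI quoted in the text.

```python
import math

CHI2_CRIT = 293.2478   # 5% critical value quoted in the text

def histogram(img):
    """q_i: number of pixels with grey level i, for i = 0..255."""
    h = [0] * 256
    for row in img:
        for p in row:
            h[p] += 1
    return h

def chi_square(img):
    """Sum of (q_i - e)^2 / e with e = M*N/256 (standard form, assumed)."""
    h = histogram(img)
    e = sum(h) / 256
    return sum((q - e) ** 2 / e for q in h)

def passes_uniformity(img):
    """True when the histogram is not rejected at the 5% level."""
    return chi_square(img) <= CHI2_CRIT

def entropy(img):
    """Shannon entropy in bits per pixel; 8 is the maximum for 8-bit data."""
    h = histogram(img)
    total = sum(h)
    return -sum(q / total * math.log2(q / total) for q in h if q)

def npcr(c1, c2):
    """Percentage of positions where the two cipher images differ (D = 1)."""
    pairs = [(p, q) for r1, r2 in zip(c1, c2) for p, q in zip(r1, r2)]
    return 100 * sum(p != q for p, q in pairs) / len(pairs)

def uaci(c1, c2):
    """Mean absolute difference, normalised by 255, as a percentage."""
    pairs = [(p, q) for r1, r2 in zip(c1, c2) for p, q in zip(r1, r2)]
    return 100 * sum(abs(p - q) for p, q in pairs) / (255 * len(pairs))

def ideal_pair():
    """Constructed images in which each ordered byte pair (i, j) occurs once."""
    c1 = [[i for _ in range(256)] for i in range(256)]
    c2 = [[j for j in range(256)] for _ in range(256)]
    return c1, c2

if __name__ == "__main__":
    c1, c2 = ideal_pair()
    print("NPCR %.4f%%  UACI %.4f%%" % (npcr(c1, c2), uaci(c1, c2)))
    print("chi-square:", chi_square(c1), "entropy:", entropy(c1))
    flat = [[7] * 256 for _ in range(256)]   # constructed worst case
    print("constant image passes:", passes_uniformity(flat))
```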