A Novel ECC-Based Method for Secure Image Encryption

Abstract

As the Internet of Things (IoT) expands, ensuring secure and efficient image transmission in resource-limited environments has become crucial and important. In this paper, we propose a lightweight image encryption scheme based on Elliptic Curve Cryptography (ECC), tailored for embedded and IoT applications. In this scheme, the image data blocks are mapped into elliptic curve points using a decimal embedding algorithm and shuffled to improve resistance to tampering and noise. Moreover, an OTP-like operation is applied to enhance the security while avoiding expensive point multiplications. The proposed scheme meets privacy and cybersecurity requirements with low computational costs. Classical security metrics such as entropy, correlation, NPCR, UACI, and key sensitivity confirm its strong robustness. Rather than relying solely on direct comparisons with existing benchmarks, we employ rigorous statistical analyses to objectively validate the encryption scheme’s robustness and security. Furthermore, we propose a formal security analysis that demonstrates the resistance of the new scheme to chosen-plaintext attacks and noise and cropping attacks, while the GLCM analysis confirms the visual encryption quality. Our scheme performs the encryption of a $512\times 512$ image in only 0.23 s on a 1 GB RAM virtual machine, showing its efficiency and suitability for real-time IoT systems. Our method can be easily applied to guarantee the security and the protection of lightweight data in future smart environments.

1. Introduction

In the digital era, the proliferation of image-based data in applications such as social media, surveillance, and IoT devices has amplified the need for secure and efficient encryption techniques [1]. Ensuring the confidentiality and integrity of images is essential to prevent unauthorized access, data breaches, and tampering during transmission or storage. However, image encryption presents unique challenges due to the large size and structural complexity of image data, particularly in resource-constrained environments like IoT [2].

To safeguard visual information such as image data, which is characterized by its inherent structural properties and significant redundancy (stemming from the high correlation between neighboring pixels), numerous image encryption techniques and approaches have been developed, including chaos-based encryption, elliptic curve cryptography, permutation and substitution schemes, and hybrid methods that combine traditional cryptographic algorithms with novel transformations. These methods aim to address the challenge of transforming plain images into cipher images that effectively and securely obscure all patterns and structural features. This ensures that the encrypted content remains accessible only to authorized parties, thereby maintaining confidentiality and protecting the integrity of the data [3].

Elliptic curve cryptography is widely recognized for providing strong security with smaller key sizes and reduced computational demands compared to traditional schemes such as RSA [4]. However, many ECC-based image encryption methods face challenges in balancing computational efficiency with cryptographic robustness. Increased security often leads to higher computational complexity, whereas optimizing for performance may reduce resistance to attacks, thereby limiting practical deployment. This work addresses these limitations by proposing an ECC-based image encryption method that achieves a balanced trade-off between performance and security. The method integrates a previously developed hash-based embedding technique to securely map integer blocks into elliptic curve points, which are subsequently used as keys in a lightweight one-time pad (OTP)-like encryption scheme [5]. The adoption of an OTP-like strategy is motivated by its theoretical guarantee of perfect secrecy and its demonstrated effectiveness in recent color image encryption schemes [6,7,8]. In addition, a data shuffling mechanism is employed to further enhance diffusion and resistance to statistical attacks. The proposed scheme is validated through comprehensive performance evaluations and security analyses and is expected to perform effectively in constrained environments such as IoT scenarios.

The rest of this paper is organized as follows. Section 2 introduces relevant material and reviews the limitations of current ECC-based image encryption techniques. Section 3 describes the proposed method in detail. Section 4 presents experimental results and discusses performance and security evaluations. Finally, Section 5 concludes this paper with key findings and potential future directions.

2. Preliminaries and Related Works

2.1. Common Chaotic Maps Used in Image Encryption

Chaotic maps are widely used in image encryption due to their sensitivity to initial conditions, pseudo-randomness, and deterministic dynamics.

Table 1. Overview of common chaotic maps.

Map Name	Equation	Parameters	Dim.
Baker’s Map	$\left\{\begin{array}{c}{x}^{\prime }=kx-\lfloor kx\rfloor \hfill \\ y^{\prime }={\displaystyle \frac{y+\lfloor kx\rfloor }{k}}\hfill \end{array}\right.\mathrm{with}k=1,2,\dots ,k-1$	$k\in {\mathbb{N}}^{+},i=0,1,\dots ,k-1$	2D
Logistic Map	$x_{n+1}=r{x}_n(1-x_n)$	$r\in (3.5699,4]$	1D
Tent Map	$x_{n+1}=\left\{\begin{array}{cc}\mu x_n,\hfill & x_n<0.5\hfill \\ \mu (1-x_n),\hfill & x_n\ge 0.5\hfill \end{array}\right.$	$\mu \in (0,2]$	1D
Henon Map	$\left\{\begin{array}{c}{x}_{n+1}=1-a{x}_n^2+y_n\hfill \\ y_{n+1}=b{x}_n\hfill \end{array}\right.$	$a=1.4,b=0.3$	2D
Arnold’s Cat Map	$\left(\begin{array}{c}{x}^{\prime }\\ y^{\prime }\end{array}\right)=\left(\begin{array}{cc}1& 1\\ 1& 2\end{array}\right)\left(\begin{array}{c}x\\ y\end{array}\right)modN$	Image size N	2D
Lorenz System	$\left\{\begin{array}{c}{\displaystyle \frac{dx}{dt}}=\sigma (y-x)\hfill \\ {\displaystyle \frac{dy}{dt}}=x(\rho -z)-y\hfill \\ {\displaystyle \frac{dz}{dt}}=xy-\beta z\hfill \end{array}\right.$	$\sigma =10,\rho =28,\beta =8/3$	3D

summarizes the most frequently used maps in this context.

Although chaotic maps are highly sensitive to initial conditions and control parameters, a desirable property for cryptographic applications, this same sensitivity can lead to degraded behavior under finite-precision arithmetic. For example, in digital implementations, even slight quantization errors or rounding in maps like the Logistic Map can cause the system to enter short periodic orbits or non-chaotic regimes, ultimately reducing the effective key space and compromising security [9]. Therefore, combining chaotic systems with cryptographic primitives such as elliptic curve cryptography has become a promising approach to improve security and robustness [10,11,12].

2.2. Image Shuffling and Unshuffling

Pixel shuffling is a critical pre-encryption step that aims to reduce spatial correlations within images, thereby enhancing resistance to statistical and structural attacks. In addition to its role in obscuring spatial relationships, shuffling significantly improves robustness against noise-based attacks by dispersing local distortions throughout the image, making localized tampering or degradation less effective. Furthermore, shuffling contributes to protecting the integrity of the encrypted image by diffusing the influence of each pixel, ensuring that even small changes in the plaintext image produce widespread alterations in the cipher image.

Traditional approaches to pixel shuffling often rely on chaotic maps or pseudo-random number generators. However, these methods may exhibit vulnerabilities to classical cryptanalytic techniques such as chosen-plaintext attacks (CPAs) and chosen-ciphertext attacks (CCAs). For example, Batool et al. [13] proposed a chaos-based image encryption scheme that demonstrated strong resistance to statistical attacks but was shown to be susceptible to brute-force and CPA attacks, as recently discussed in [12]. A similar cryptanalysis targeting chaos-based image encryption is presented in [11]. These weaknesses are largely attributed to the limited parameter space of chaotic maps, where improper parameter selection can lead to rapid degradation of the system’s dynamic behavior [10].

2.3. Elliptic Curve over Finite Fields

Let p be a prime number. An elliptic curve over the finite ${\mathbb{F}}_p$ is defined as the set of points $(x,y)\in {\mathbb{F}}_p^2$ satisfying the equation

$$y^2\equiv x^3+ax+b(modp),$$

(1)

where $a,b\in {\mathbb{F}}_p$ and p is a prime. The set $E\left({\mathbb{F}}_p\right)$ forms an abelian group under a well-defined addition operation. Iteratively adding a point $P\in E\left({\mathbb{F}}_p\right)$ to itself k times, yielding $kP$, defines a scalar multiplication. Determining k from $Q=kP$, given P and Q, is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP), which is central to ECC’s security. However, specific attacks can exploit weaknesses in improperly selected elliptic curves, making the ECDLP solvable [14]. To address this, organizations such as NIST and SECG establish standards for secure elliptic curves, rigorously testing their resilience against known vulnerabilities. These validated curves ensure robust cryptographic security, minimize risks, and enable reliable implementations in practical systems [15,16,17]. This collaborative oversight strengthens the role of ECC as a cornerstone in modern cryptography.

2.4. Related Works

Image encryption has been a critical area of research in information security, particularly with the increasing demand for secure image transmission, storage, and sharing. Conventional encryption techniques such as AES, DES, and RSA are widely used for data protection. However, they are not optimized for image encryption because they do not handle the high redundancy and strong correlation between image pixels [18]. Recent image encryption approaches incorporate chaotic maps and/or ECC to enhance both security and efficiency. ECC is increasingly used in modern applications such as blockchain fairness protocols [19], secure e-voting [20], cloud computing [21], and secure authentication in IoT networks [22], where it enables lightweight yet robust cryptographic operations. In blockchain, ECC-based signatures (e.g., ECDSA and EdDSA) ensure transaction integrity and authentication; in e-voting, ECC supports voter privacy, ballot integrity, and verifiable tallying; in cloud computing, it provides efficient encryption for secure data storage and privacy-preserving access control; and in IoT, ECC facilitates secure and resource-efficient authentication suitable for constrained devices. For a broader overview of ECC applications in emerging technologies, see [23]. Mousavi et al. [24] reported that ECC was adopted in 42% of 67 IoT-focused papers, reinforcing its suitability for our proposed scheme.

Mondal et al. [25] proposed a chaotic image encryption scheme that combines a 2D Baker’s map for permutation with XOR-based diffusion. While the authors claim high statistical security (e.g., entropy and NPCR) and low computational cost, the scheme lacks formal analysis against advanced attack models such as chosen-plaintext attacks.

ECC has gained prominence due to its ability to provide high levels of security with smaller key sizes compared to other public-key cryptosystems like RSA. This characteristic makes ECC particularly well-suited for environments with limited computational resources, such as mobile devices and embedded systems. For example, Zhao and Zhang [26] introduced an ECC-based image encryption approach that uses code computing to encrypt image data, demonstrating its effectiveness in reducing computational overhead while maintaining strong security.

Further advances in image encryption using ECC have integrated additional mechanisms to enhance security. Hafsa et al. [27] proposed a combined method using an improved ECC and a modified AES algorithm. Their approach optimizes ECC hardware architecture, balancing area, power dissipation, and speed, which reduces the time complexity of encryption while preserving robust security features.

Recent studies have also explored the use of hybrid models, in which ECC is combined with chaotic maps or other cryptographic transformations to enhance encryption complexity. Kumar and Sharma [28] proposed a novel approach integrating Arnold’s Cat Map, first introduced by Arnold in [29], for pixel shuffling, ECC for encrypting pixel values, and a genetic algorithm for optimizing key generation. Their experiments demonstrated high levels of randomness and security, characterized by substantial entropy and minimal pixel correlation.

The use of chaotic maps in conjunction with ECC has proven to be particularly effective. For example, Hua et al. [30] utilized a 2D Logistic–Sine-coupling map combined with ECC, achieving high entropy values and strong resistance to differential attacks. This hybrid approach provides an additional layer of security by introducing non-linearity and complexity, making the encrypted images more resistant to various forms of cryptanalysis. Similarly, Tora et al. [31] developed a generalized Arnold’s Cat Map transformation to enhance security by expanding the matrix space, thereby reducing the predictability of the transformation and increasing resistance against brute-force attacks.

In [32], the authors developed a secure image encryption and authentication model using elliptic curve cryptography. The approach leverages the Elliptic Curve Diffie–Hellman Protocol (ECDHP) for key exchange and ElGamal for encryption, incorporating 3D and 4D Arnold Cat maps to enhance pixel transformation.

In [33], Khalid et al. propose an ECC-based encryption scheme that ensures secure image transmission while maintaining computational efficiency. By integrating ECC, SHA-256, and affine transformations, their approach strengthens confidentiality, authentication, and resistance to various attacks.

Ghulam and Umar [34] present an efficient image encryption algorithm that combines elliptic curve cryptography with dynamically generated S-boxes to enhance both security and computational performance. The use of dynamic S-boxes increases resistance against cryptanalytic attacks, while ECC ensures strong key management.

In [35], Ningthoukhongjam et al. propose a medical image encryption scheme that integrates chaotic systems with asymmetric cryptography, specifically combining ECC with the Blum–Goldwasser cryptosystem. A chaotic sequence is used to enhance pixel randomization before applying probabilistic encryption. The authors claim that their approach improves encryption strength, reduces the correlation among pixels, and increases robustness against differential and statistical attacks, while maintaining computational efficiency suitable for real-time medical applications.

Kumar and Goel [36] propose an adaptive encryption framework powered by machine learning to secure both text and image data in fog computing environments. Their system uses K-Nearest Neighbors (KNN) to classify data sensitivity, applying hybrid ECC-AES encryption for sensitive data and standard AES for normal data, dynamically balancing security and performance. Experimental results confirm its scalability, efficiency, and robustness against cryptographic attacks.

The proposed work addresses the critical challenge of achieving high security with low computational overhead by integrating elliptic curve cryptography with efficient key management and a strong shuffling technique. This design ensures a balanced trade-off between performance and security, making it particularly well-suited for real-time image encryption in resource-constrained environments. Furthermore, unlike many related studies that limit their security assessment to metric comparisons (e.g., entropy, NPCR, and UACI) without verifying the statistical reliability of the reported values, this paper fills this gap by incorporating formal security analysis alongside statistically validated evaluations. This dual-layered approach strengthens the credibility and robustness of the proposed encryption scheme.

3. Proposed Method

In this section, we present a new image encryption scheme. Prior to encryption, a pre-negotiation phase is conducted between the sender and receiver over a selected elliptic curve $E\left({\mathbb{F}}_p\right)$. During this phase, a shared session key $S_k$ is established using the ECDHP. To generate $S_k$, the sender randomly selects an integer $k\in \left(1,\#G\right)$, where $\#G$ denotes the order of the base point $G\in E\left({\mathbb{F}}_p\right)$. The session key is then computed as $S_k=k{P}_r$, where $P_r$ is the public key of the receiver. To delineate the entire system, this section is structured into four main parts. The first part, Key Management Considerations, briefly discusses the use of the ECDHP and the limitations regarding key lifecycle handling in IoT contexts. The second part, BytesArray Generation, details the construction of a pseudo-random bytes array designed for image encryption. The third part, Shuffling, applies a pixel permutation to introduce diffusion. The final part, Encryption, performs pixel value transformation to achieve confusion and produce the encrypted image. Figure 1 depicts the overall flowchart of the proposed image encryption scheme.

3.1. Key Management Considerations

While the proposed scheme leverages the ECDHP to establish a shared session key $S_k$ securely between communicating parties, it does not address broader aspects of key management such as initial key provisioning, key revocation, or dynamic key updates in the event of device compromise. These issues are particularly critical in large-scale and heterogeneous IoT environments, where secure, efficient, and scalable key management remains a challenge.

Given the scope of this study, we focus primarily on the session key agreement mechanism within a controlled context. We acknowledge this as a limitation and suggest that future work could extend our scheme by incorporating a comprehensive key lifecycle management framework tailored for resource-constrained and dynamic IoT deployments.

3.2. BytesArray Generation for Image Encryption

To prepare an image of size $M\times N$ for encryption, a pseudo-random bytes array, denoted as BytesArray, of the same dimensions as the original image is first generated. This array serves to reorganize the image data into a format suitable for secure processing. The generation process integrates our previously proposed mapping algorithm, adapted here for image encryption, as a core component, which is detailed in Algorithm 1. This algorithm maps a given integer $m\in {\mathbb{F}}_p$ to a point $P_m=(x_m,y_m)=\mathrm{Mapp}(m,S_k)$ on the elliptic curve $E\left({\mathbb{F}}_p\right)$, where $S_k=(x_s,y_s)$ is a shared secret point between the sender and receiver. The mapping is performed by computing the intersection of the curve with a line passing through $S_k$ and having slope $\lambda \equiv (y_s-m)x_s^{-1}(modp)$, derived from m. If the resulting point satisfies $P_m\ne \pm S_k$, it is accepted; otherwise, m is incremented until a valid point is found. This condition, equivalent to $x_m\ne x_s$, is explicitly enforced to prevent potential leakage of the shared secret. The coordinates of $P_m$ must satisfy Equation (1) and also lie on the line $y\equiv \lambda x+m(modp)$, which simplifies to Equation (2):

$$x^2+(x_s-{\lambda }^2)x+x_s^{-1}(-b+m)\equiv 0(modp)$$

(2)

The mapping algorithm has been thoroughly evaluated, successfully locating a valid point in an average of two iterations. Its computational complexity increases gradually with higher security levels while maintaining efficiency. Additional security and performance analyses are provided in [5]. The construction of the BytesArray follows an iterative procedure, similar in principle to the Cipher Block Chaining (CBC) mode used in symmetric encryption.

• The sender selects an initialization value $IV\in {\mathbb{F}}_p$, defined as $m_0=IV$, which serves as the initial input to the iterative procedure.
• For next iteration $i\ge 1$, the mapping function $\mathrm{Mapp}(m_{i-1},S_k)$ is applied to the value $m_{i-1}$ from the previous step, along with the session key $S_k$, generating a new point $P_i=(x_i,y_i)$ on the elliptic curve.
• The coordinates $x_i$ and $y_i$ of the generated point $P_i$ are used to compute the subsequent value $m_i=x_i\oplus y_i$, where ⊕ denotes the bitwise XOR operation.
• The byte representations of $x_i^2\oplus y_i^2$ are sequentially appended to a growing byte sequence, denoted as $\mathtt{BytesSequence}$.

This iterative process continues, producing new and appending byte representations of $x_i^2\oplus y_i^2$ until the BytesSequence reaches a length that exceeds $M\times N$ bytes, corresponding to the total size of the image to be encrypted. Figure 2 illustrates the overall bytes array generation process. The resulting BytesArray is not the encrypted image itself but a critical intermediate data structure that ensures the image data is properly formatted for subsequent encryption, aligning with the requirements of the ECC-based encryption algorithm to guarantee both security and efficiency.

Algorithm 1 Mapping algorithm.

Require: An elliptic curve $E\left({\mathbb{F}}_p\right):y^2\equiv x^3+ax+b(modp)$, the session key $S_k=(x_s,y_s)$, and an integer block m. Ensure: The mapping point $P_m=(x_m,y_m)$ 1: $x_m\leftarrow$ None 2: while  $x_m=\mathbf{None}$  do 3:     $\lambda \leftarrow (y_s-m)x_s^{-1}$ 4:     if the equation $x^2+(x_s-{\lambda }^2)x+x_s^{-1}(-b+m)\equiv 0(modp)$ has a solution $x_m\ne x_s$ in ${\mathbb{F}}_p$ then 5:         Compute $y_m\equiv \lambda x_m+m(modp)$ 6:         $P_m\leftarrow (x_m,y_m)$ 7:     else 8:         $m\leftarrow m+1$ 9:     end if 10: end while 11: return  $P_m$

3.3. Image Shuffling and Unshuffling

In our approach, a random-like byte matrix $B\in {\{0,\dots ,255\}}^{M\times N}$ is generated using elliptic curve cryptography, as detailed in Section 3.2. This matrix is used once to define a deterministic permutation of the pixel positions. Let $I\in {\{0,\dots ,255\}}^{M\times N}$ be the original grayscale image, and let $\mathcal{C}=\left\{\right(i,j)\mid 0\le i<M,0\le j<N\}$ denote the set of pixel coordinates. We define a bijective permutation

$$\pi :\mathcal{C}\to \mathcal{C}$$

(3)

such that for all $(i,j),(i^{\prime },j^{\prime })\in \mathcal{C}$, the following holds:

$$\left[(i<i^{\prime })\mathrm{or}(i=i^{\prime }\mathrm{and}j\le j^{\prime })\right]\Rightarrow B\left(\pi (i,j)\right)\le B\left(\pi (i^{\prime },j^{\prime })\right)$$

(4)

The shuffled image $I^{\left(\pi \right)}$ is defined by

$$I^{\left(\pi \right)}(i,j)=I\left(\pi (i,j)\right)\mathrm{for}\mathrm{all}(i,j)\in \mathcal{C}.$$

(5)

The complete procedure is described in Algorithm 2. To recover the original image from the shuffled one, the receiver can simply apply the inverse permutation ${\pi }^{-1}$ to $I^{\left(\pi \right)}$, effectively interchanging the roles of $I^{\left(\pi \right)}$ and I in Equation (5).

Algorithm 2 Two-dimensional image shuffling using permutation.

Require: Byte matrix $B\in {\{0,\dots ,255\}}^{M\times N}$, original image $I\in {\{0,\dots ,255\}}^{M\times N}$ Ensure: Shuffled image $I^{\left(\pi \right)}$ 1: Let $\mathcal{C}\leftarrow \left\{\right(i,j)\mid 0\le i<M,0\le j<N\}$ 2: Sort $\mathcal{C}$ in ascending order of $B(i,j)$ to define bijection $\pi :\mathcal{C}\to \mathcal{C}$ 3: Initialize $I^{\left(\pi \right)}$ as a zero matrix of size $M\times N$ 4: for all  $(i,j)\in \mathcal{C}$  do 5:     $I^{\left(\pi \right)}(i,j)\leftarrow I\left(\pi (i,j)\right)$ 6: end for 7: return  $I^{\left(\pi \right)}$

The security and unpredictability of the shuffling process are directly tied to the cryptographic strength of the underlying $\mathtt{BytesArray}$. Since this array is deterministically generated using a session key $S_k$ and an initialization vector $\mathsf{IV}$, each encryption attempt produces a unique and key-dependent permutation. This ensures that even identical images result in distinct shuffled outputs when encrypted with different $(IV,S_k)$ pairs.

3.4. Encryption Process

Following the shuffling phase, the encryption process (Figure 3) performs a byte-wise XOR between the shuffled image $\mathtt{ShuffledBytesArray}$ and the elliptic curve-generated $\mathtt{BytesArray}$, both of size $M\times N$. The $\mathtt{BytesArray}$, derived from a key-dependent source, acts as a one-time pad and introduces strong confusion. This operation produces the encrypted image $\mathtt{CipherBytesArray}$, effectively combining permutation and secure masking to ensure data confidentiality.

As shown in Figure 4, the process begins with the original grayscale image (a). A pseudo-random byte array is then generated (b), which is used to shuffle the pixel positions, resulting in the intermediate image (c). The shuffled image is subsequently XORed with the byte array to produce the encrypted (cipher) image (d), which appears noise-like. Finally, the decryption process reverses these steps to recover the original image (e), confirming the correctness and reversibility of the proposed scheme.

4. Security and Performance Analysis

This section presents a comprehensive evaluation of the proposed image encryption scheme in terms of both security and performance. Formal analyses are conducted, including key space estimation, key sensitivity, and security against chosen-plaintext and resistance to chosen-ciphertext attacks. Empirical and statistical assessments are also performed to verify the effectiveness of the scheme in eliminating inherent patterns and resisting attacks. These include histogram uniformity and statistical analysis, correlation coefficient analysis, entropy measurement (local and global), differential analysis (NPCR and UACI), texture analysis using GLCM, and robustness tests against noise and cropping. The randomness of the encrypted output is further validated using the NIST statistical test suite. Finally, execution time analysis is carried out to assess the computational efficiency of the scheme, particularly in resource-constrained environments.

4.1. Key Space Analysis

A robust encryption scheme must provide a sufficiently large key space to resist brute-force attacks. Specifically, the key space should be at least $2^{100}$ to ensure practical resistance against exhaustive search [9,37]. According to the NIST recommendations [38], cryptographic systems intended to remain secure through at least 2030 should offer a minimum of 112-bit security strength. In the context of elliptic curve cryptography, this requirement translates to using curves with base point orders of at least 224 bits, since achieving n-bit security generally requires a key space of approximately $2^{2n}$ [16].

In our proposed scheme, key generation is based on elliptic curve cryptographic principles defined over large prime fields, using NIST-recommended curves such as P-256, P-384, and P-521. These curves provide key spaces of size $2^{256}$, $2^{384}$, and $2^{521}$, respectively. In particular, curves such as P-256 and above offer at least 128-bit security strength, which exceeds the 112-bit minimum benchmark recommended by NIST for systems intended to remain secure through 2030. Consequently, the adoption of these curves ensures that the key space is sufficiently large and cryptographically robust to withstand exhaustive search attacks in practice.

4.2. Key Sensitivity Analysis

A secure image encryption scheme must be highly sensitive to small changes in the secret key. In our ECC-based scheme, a change in the private key k directly leads to a corresponding change in the session key $S_k=k·P_r$. This variation in $S_k$ subsequently causes a significant alteration in the output of the mapping function $\mathrm{Mapp}(m,S_k)$. As demonstrated in [5], even a single-bit modification in k results in approximately 50% of the bits in $\mathrm{Mapp}(m,S_k)$ differing. This effect is reinforced by the use of a fresh initialization vector ($IV$) for each encryption attempt, which generates a new byte array B and consequently a unique permutation and masking for every cipher image. The robustness of this key sensitivity is supported by the NPCR and UACI results shown in

Table 2. NPCR and UACI for cipher images using keys k and $k+\delta$.

Image	Key Pair	NPCR (%)	UACI (%)
Lena (256 × 256)	$k,k+1$	99.62	33.41
	$k,k+2$	99.61	33.45
Lena (512 × 512)	$k,k+1$	99.60	33.42
	$k,k+2$	99.63	33.43

, which reflect the degree of pixel-level change induced by slight key variations. While detailed definitions and interpretations of these metrics are provided later in the Section 4.8, they are used here as quantitative indicators of sensitivity.

These results confirm that small variations in the key lead to drastically different ciphertexts, providing strong resistance against differential and key-related attacks.

4.3. Security Against Chosen-Plaintext Attack (CPA)

In the CPA game, the adversary $\mathcal{A}$ may adaptively query the encryption oracle with plaintext images of their choice, possibly modifying bits to analyze the scheme’s behavior or infer parts of the key. During the challenge phase, $\mathcal{A}$ submits two images $M_0$ and $M_1$ and receives a challenge ciphertext:

$$C^{*}={\pi }_{B^{*}}\left(M_b\right)\oplus B^{*}$$

where $b\in \{0,1\}$, and $B^{*}$ is a pseudo-random byte array generated via ECC-based mapping and CBC-like chaining, influenced by a fresh $IV$. The permutation ${\pi }_{B^{*}}$ depends on $B^{*}$ and is unknown to the adversary.

Even if $\mathcal{A}$ submits the same image multiple times, the resulting ciphertexts will differ, since the IV changes with every encryption, leading to a new B. This randomness prevents the adversary from linking ciphertexts or gaining information through repeated or slightly modified plaintexts. Therefore, the scheme achieves CPA security, as the ciphertext remains indistinguishable from random under adaptive queries, and the adversary’s advantage $\left|Pr[b^{\prime }=b]-{\displaystyle \frac{1}{2}}\right|$ is negligible.

4.4. Resistance to Chosen-Ciphertext Attacks (CCAs)

To further strengthen the scheme’s robustness, a fresh $IV$ is employed for each encryption attempt. This $IV$ governs the generation of the pseudo-random byte array B used for both pixel shuffling and ECC-based masking. As a result, even when encrypting the same original image multiple times, the output ciphertexts differ significantly due to distinct shuffling patterns and masking values. This ensures semantic security and prevents an adversary from learning meaningful information from repeated ciphertexts, even under adaptive query conditions. While this approach does not constitute formal CCA security, it significantly complicates chosen ciphertext attacks by eliminating ciphertext determinism and reducing the feasibility of exploiting ciphertext structure for decryption oracle abuse. Integrating authenticated encryption and formal proofs remains a direction for future enhancement.

4.5. Correlation Coefficients

In image encryption, evaluating correlations among neighboring pixels is essential to measure how well an algorithm disrupts inherent patterns in digital images, caused by smooth transitions and repetition. The correlation coefficient, ranging from −1 to 1, quantifies the relationship between pixels, with 0 indicating no correlation [2,39]. Figure 5 illustrates this coefficient at different levels. To assess encryption effectiveness, correlation coefficients are calculated in horizontal, vertical, and diagonal directions for adjacent pixels in the cipher image and between the plaintext and ciphertext. This metric ensures that the encryption process removes correlations, a key feature of secure schemes, where coefficients must approach zero to prevent statistical analysis.

The correlation coefficient CC between the plaintext image P and the cipher image C is defined as follows:

$$\mathrm{CC}={\displaystyle \frac{{\displaystyle \sum _{i=1}^M}{\displaystyle \sum _{j=1}^N}(P_{(i,j)}-\overline{P})(C_{(i,j)}-\overline{C})}{\sqrt{\left({\displaystyle \sum _{i=1}^M}{\displaystyle \sum _{j=1}^N}{(P_{(i,j)}-\overline{P})}^2\right)\left({\displaystyle \sum _{i=1}^M}{\displaystyle \sum _{j=1}^N}{(C_{(i,j)}-\overline{C})}^2\right)}}}$$

(6)

As shown in

Table 3. Correlation coefficients between original and encrypted images.

Test Case	Original Image	Cipher Image	Original ⊕ Cipher	Correlation Coefficient
Peppers				−0.0009
Cameraman				0.0007
Baboon				−0.0030

, the correlation coefficients for various test images range from $-0.0030$ to $0.0007$, indicating a negligible linear relationship between the original and encrypted images. This statistical decorrelation, further supported by the XOR (original and cipher) results that reveal no visible patterns, confirms the effectiveness of the encryption in disrupting pixel dependencies and resisting statistical inference attacks.

The adjacent pixel correlation coefficient, denoted as ${\mathrm{CC}}_x$, measures the linear dependency between neighboring pixels and is defined by

$${\mathrm{CC}}_x={\displaystyle \frac{{\displaystyle \sum _{i=1}^{M-1}\sum _{j=1}^{N-1}}(I_{i,j}-\overline{I})(I_{x(i,j)}-\overline{I})}{\sqrt{\left({\displaystyle \sum _{i=1}^{M-1}\sum _{j=1}^{N-1}}{(I_{i,j}-\overline{I})}^2\right)\left({\displaystyle \sum _{i=1}^{M-1}\sum _{j=1}^{N-1}}{(I_{x(i,j)}-\overline{I})}^2\right)}}}$$

(7)

Here, $\overline{I}$ denotes the mean intensity of the image and $x(i,j)$ corresponds to the coordinates of a neighboring pixel. Depending on the chosen direction, $x(i,j)$ can represent horizontal $(i+1,j)$, vertical $(i,j+1)$, or diagonal $(i+1,j+1)$ adjacency.

Table 4. Correlation coefficients of adjacent pixels for various cipher images.

Image	Horizontal ${\mathrm{CC}}_{\mathit{h}}$	Vertical ${\mathrm{CC}}_{\mathit{v}}$	Diagonal $\mathrm{CC}$d1
Lena	0.00094	−0.00115	−0.00022
Peppers	0.0035	−0.00059	−0.004
Baboon	−0.0012	−0.00073	−0.0021
Cameraman	−0.0026	−0.0008	−0.0055

presents the correlation coefficients of adjacent pixels for various cipher images encrypted using our algorithm. These coefficients are very close to 0, indicating that the encryption effectively reduces the correlation between neighboring pixels, which enhances the security by making it more difficult for attackers to predict the pixel values.

Figure 6 and Figure 7 show the visual correlation assessments of the plain image and the cipher image of Lena (256 × 256). These illustrate how our proposed scheme effectively removes the neighboring pixels’ correlation that is clearly present in the original image.

4.6. Histogram Uniformity and Statistical Analysis

A uniform histogram in a cipher image indicates that pixel intensity values are evenly distributed, eliminating visual clues and minimizing statistical predictability. Figure 8 shows the transformation of an edge-based binary image into a cipher image with a near-uniform histogram, highlighting the obfuscation effect of the encryption algorithm.

To quantitatively assess histogram uniformity, we employ two complementary metrics: the Deviation from Uniform Histogram and the Chi-Square test. The former measures the absolute deviation of observed histogram frequencies from the ideal uniform case, while the latter statistically tests whether the observed distribution matches the uniform model.

The Deviation from Uniform Histogram, $D_{\mathrm{uniform}}$, quantifies how closely a cipher image’s histogram approximates a uniform distribution [40]:

$$D_{\mathrm{uniform}}={\displaystyle \frac{1}{MN}}\sum _{i=0}^{255}\left|H_{C_i}-H_{U_i}\right|$$

(8)

where $H_{C_i}$ is the observed frequency of intensity i and $H_{U_i}={\displaystyle \frac{MN}{256}}$ is the expected uniform count for an image of size $M\times N$. The metric ranges from 0 (perfect uniformity) to a theoretical maximum of 1.9922.

Table 5. Deviation from uniform histogram.

Image	Original	Cipher
Lena	0.9372	0.0272
Peppers	0.5542	0.0264
Baboon	0.7571	0.0235
Cameraman	0.9789	0.0242
Edge Noisy Image	1.9844	0.0271

shows that original images have large deviations, while cipher images exhibit values close to zero, confirming the uniformity induced by encryption.

The Chi-Square test rigorously assesses whether the pixel distribution of the cipher image significantly deviates from a uniform distribution [41]. In this context, the null hypothesis ($H_0$) asserts that the pixel intensity distribution in the cipher image follows a uniform pattern, while the alternative hypothesis ($H_1$) contends that the distribution is not uniform. The test statistic is then defined as follows:

$${\chi }^2=\sum _{i=0}^{255}{\displaystyle \frac{{(O_i-E_i)}^2}{E_i}}$$

(9)

where $O_i$ and $E_i={\displaystyle \frac{MN}{256}}$ are the observed and expected frequencies for intensity i, respectively. We compute the p-value under the Chi-Square distribution with 255 degrees of freedom. Using a significance level of $\alpha$, a p-value exceeding $\alpha$ indicates that the null hypothesis of uniformity cannot be rejected.

Results across various image sizes presented in

Table 6. Chi-Square test results for cipher images with different sizes.

Cipher Image	Size	Chi-Square (${\mathit{\chi }}^2$)	p-Value	Assessment
Lena	256 × 256	261.9375	0.3692	Pass
	512 × 512	284.2070	0.1009	Pass
	1024 × 1024	259.4951	0.4100	Pass
Peper	256 × 256	249.7734	0.5806	Pass
	512 × 512	272.9180	0.2104	Pass
	1024 × 1024	234.9663	0.8110	Pass
Baboon	256 × 256	264.7734	0.3239	Pass
	512 × 512	226.2910	0.9019	Pass
	1024 × 1024	215.3920	0.9659	Pass
Cameraman	256 × 256	263.8750	0.3380	Pass
	512 × 512	244.5117	0.6705	Pass
	1024 × 1024	283.0888	0.1093	Pass
Edge Noisy Image	256 × 256	222.7422	0.9284	Pass
	512 × 512	283.9414	0.1029	Pass
	1024 × 1024	259.2016	0.4150	Pass

demonstrate that the encrypted images consistently produce p-values greater than $\alpha =0.001$, indicating strong adherence to a uniform distribution and validating the robustness of the encryption scheme against histogram-based attacks.

4.7. Entropy Analysis

Entropy is a fundamental metric in evaluating the effectiveness of image encryption, as it quantifies the degree of randomness or unpredictability in pixel intensity distributions. For an 8-bit grayscale image, the ideal entropy is 8, corresponding to a perfectly uniform distribution where all intensity levels are equally likely.

The global entropy of an image is calculated using Shannon’s formula:

$$H=-\sum _{i=0}^{L-1}P\left(i\right){log}_{2}P\left(i\right),$$

(10)

where $L=256$ denotes the number of gray levels and $P\left(i\right)$ is the probability of occurrence of the i-th intensity value.

While global entropy reflects the overall uncertainty in the image, it does not capture localized irregularities or structural non-randomness. An encrypted image could exhibit a near-optimal global entropy yet still contain predictable patterns in small regions. This limitation is clearly illustrated in Figure 9, where the global entropy reaches $7.99838$, yet visible traces of the original image persist in certain regions. To address this limitation, local entropy is introduced by dividing the image into non-overlapping blocks and computing the entropy for each block [42]. The average of these values represents the local entropy:

$$H_{\mathrm{local}}={\displaystyle \frac{1}{K}}\sum _{j=1}^K{H}_j,$$

(11)

where K is the number of blocks and $H_j$ is the entropy of the j-th block.

Local entropy analysis enhances security evaluation by detecting residual patterns that may compromise confidentiality, especially in images with strong local structures. Following the method by Wu et al. [43], 100 random $16\times 16$ blocks are selected from each encrypted image, and their average entropy is compared against theoretical thresholds. As shown in

Table 7. Global and local entropy of encrypted images.

Cipher Image	Global Entropy	Local Entropy	Theoretical Block Entropy
			$\mathbf{\alpha }=\mathbf{0}.\mathbf{05}$	$\mathbf{\alpha }=\mathbf{0}.\mathbf{01}$	$\mathbf{\alpha }=\mathbf{0}.\mathbf{001}$
			$\mathbf{\mu }=\mathbf{7}.\mathbf{16634107}$	$\mathbf{\mu }=\mathbf{7}.\mathbf{16276745}$	$\mathbf{\mu }=\mathbf{7}.\mathbf{15876179}$
Lena	7.99986	7.19389	Pass	Pass	Pass
Peppers	7.99929	7.17146	Pass	Pass	Pass
Baboon	7.99943	7.17335	Pass	Pass	Pass
Cameraman	7.99937	7.18702	Pass	Pass	Pass

, all encrypted images achieve global entropy values near the theoretical maximum of 8, indicating a uniform distribution of pixel intensities. Furthermore, the local entropy values for all images exceed the strictest theoretical thresholds (at significance level $\alpha =0.001$), confirming that the encryption process effectively removes local statistical patterns. These results demonstrate that the proposed scheme ensures high randomness both globally and locally, making it resilient against entropy-based and visual cryptanalysis.

4.8. Differential Analysis

Differential analysis assesses the sensitivity of an encryption algorithm to minor changes in the plaintext image, typically using metrics such as the Number of Pixels Change Rate (NPCR) and the Unified Average Changing Intensity (UACI). These metrics are essential for evaluating the robustness of an encryption scheme against differential attacks, where an attacker may attempt to exploit small differences between two plaintext images and their corresponding ciphertexts [44]. Ideally, an encryption algorithm should achieve an NPCR close to 100% and a UACI near 33.4635%, indicating high sensitivity to input variations. However, the exact thresholds for acceptable values remain ambiguous, as NPCR values like 99% or 99.9%, and UACI values slightly deviating from the target, may not guarantee sufficient security [45]. For instance, refs. [25,46] report UACI values exceeding 34% for most images and claim strong resistance to differential attacks. Yet, a few months later, refs. [47,48] demonstrated vulnerabilities to chosen-plaintext attacks—scenarios that inherently exploit systematic input–output differences. This discrepancy highlights the necessity of statistical testing at a specified significance level $\alpha$ for both NPCR and UACI values. Such testing enables rigorous evaluation of whether the observed metrics are statistically consistent with ideal benchmarks, thus providing a more reliable assessment of the encryption scheme’s differential robustness. In this context, M and N denote the image dimensions, $C_1$ and $C_2$ represent ciphertexts derived from plaintexts differing by a single pixel, ${\Phi }^{-1}\left(·\right)$ is the inverse cumulative distribution function (CDF) of the standard normal distribution $\mathbb{N}(0,1)$, and F is the maximum supported intensity value based on the ciphertext format.

4.8.1. Unified Average Changing Intensity

UACI quantifies the average intensity of the differences between two ciphered images $C_1$ and $C_2$ and is defined as follows:

$$\mathcal{U}(C_1,C_2)={\displaystyle \frac{1}{M\times N}}\sum _{i=1}^M\sum _{j=1}^N{\displaystyle \frac{|C_1(i,j)-C_2(i,j)|}{255}}\times 100\%$$

(12)

For a gray image, $F=255$ is the maximum possible intensity. In this configuration, we test the null hypothesis $H_0$ that the UACI value is equal to its expected mean value ${\mu }_{\mathcal{U}}=(F+2)/3(F+1)\approx 33.4635\%$. The alternative hypothesis $H_1$ is that the UACI value differs from the mean.

$$\begin{array}{cc}\hfill & H_0:\mathcal{U}(C_1,C_2)={\mu }_{\mathcal{U}}\hfill \end{array}$$

(13)

$$\begin{array}{cc}\hfill & H_1:\mathcal{U}(C_1,C_2)\ne {\mu }_{\mathcal{U}}\hfill \end{array}$$

(14)

With a significance level $\alpha$, the critical values ${\mathcal{U}}_{\alpha }^{-*}$ and ${\mathcal{U}}_{\alpha }^{+*}$ are calculated as follows:

$${\mathcal{U}}_{\alpha }^{-*}={\mu }_{\mathcal{U}}-{\Phi }^{-1}(\alpha /2)·{\sigma }_{\mathcal{U}}$$

(15)

$${\mathcal{U}}_{\alpha }^{+*}={\mu }_{\mathcal{U}}+{\Phi }^{-1}(\alpha /2)·{\sigma }_{\mathcal{U}}$$

(16)

where ${\sigma }_{\mathcal{U}}=\sqrt{{\displaystyle \frac{(F+2)(F^2+2F+3)}{18(F+1)MNF}}}$. If the computed UACI value lies within $[{\mathcal{U}}_{\alpha }^{-*},{\mathcal{U}}_{\alpha }^{+*}]$, we accept the null hypothesis, indicating that the encryption scheme meets the expected robustness. If the UACI value falls outside this range, we reject the null hypothesis, suggesting potential weaknesses in the encryption scheme.

Table 8. UACI test results for different cipher images.

Tested Image Size 512 × 512		Theoretical UACI Critical Values
		${\mathcal{U}}_{\mathbf{0}.\mathbf{05}}^{*-}=\mathbf{33}.\mathbf{3730}\%$	${\mathcal{U}}_{\mathbf{0}.\mathbf{01}}^{*-}=\mathbf{33}.\mathbf{3445}\%$	${\mathcal{U}}_{\mathbf{0}.\mathbf{001}}^{*-}=\mathbf{33}.\mathbf{3115}\%$
		${\mathcal{U}}_{\mathbf{0}.\mathbf{05}}^{*+}=\mathbf{33}.\mathbf{5541}\%$	${\mathcal{U}}_{\mathbf{0}.\mathbf{01}}^{*+}=\mathbf{33}.\mathbf{5826}\%$	${\mathcal{U}}_{\mathbf{0}.\mathbf{001}}^{*+}=\mathbf{33}.\mathbf{6156}\%$
Cipher Image	UACI Value (s)	UACI Test Results
		0.05-Level	0.01-Level	0.001-Level
Lena	33.4756%	Pass	Pass	Pass
Baboon	33.4561%	Pass	Pass	Pass
Peppers	33.4885%	Pass	Pass	Pass
Cameraman	33.4507%	Pass	Pass	Pass
Edge Noisy Image	33.4009%	Pass	Pass	Pass

shows the results of the UACI test for the $512\times 512$ cipher images, comparing the UACI values with theoretical critical values at significance levels of 0.05, 0.01, and 0.001. All images (Lena, Baboon, Peppers, Cameraman, and Edge Noisy Image) fall within the critical value ranges, indicating that a single pixel intensity change can significantly alter the ciphered image. These results confirm that the encryption method effectively causes substantial pixel intensity changes, enhancing resistance to differential attacks and improving image security.

4.8.2. Number of Pixels Change Rate

NPCR measures the percentage of differing pixels between two ciphered images $C_1$ and $C_2$, defined as follows:

$$\mathcal{N}(C_1,C_2)={\displaystyle \frac{1}{M\times N}}\sum _{i=1}^M\sum _{j=1}^{N}D(i,j)\times 100\%$$

(17)

where $D(i,j)$ is defined as follows:

$$D(i,j)=\left\{\begin{array}{cc}0,\hfill & \mathrm{if}{C}_1(i,j)=C_2(i,j)\hfill \\ 1,\hfill & \mathrm{if}{C}_1(i,j)\ne C_2(i,j)\hfill \end{array}\right.$$

(18)

To evaluate the encryption scheme’s sensitivity, we test the null hypothesis $H_0$ that the NPCR value equals the expected mean ${\mu }_{\mathcal{N}}=F/(F+1)\approx 99.6094\%$ using the following hypotheses:

$$\begin{array}{cc}\hfill & H_0:\mathcal{N}(C_1,C_2)={\mu }_{\mathcal{N}}\hfill \end{array}$$

(19)

$$\begin{array}{cc}\hfill & H_1:\mathcal{N}(C_1,C_2)<{\mu }_{\mathcal{N}}\hfill \end{array}$$

(20)

The critical value ${\mathcal{N}}_{\alpha }^{*}$ is determined by

$${\mathcal{N}}_{\alpha }^{*}={\mu }_{\mathcal{N}}-{\Phi }^{-1}\left(\alpha \right)·{\sigma }_{\mathcal{N}}$$

(21)

where ${\sigma }_{\mathcal{N}}={\displaystyle \frac{\sqrt{F}}{(F+1)\sqrt{MN}}}$. The null hypothesis is accepted if $\mathcal{N}(C_1,C_2)\ge {\mathcal{N}}_{\alpha }^{*}$, indicating sufficient sensitivity to changes in the plaintext.

Table 9. NPCR test results for different cipher images.

Tested Image Size 512 × 512		Theoretical NPCR Critical Values
		${\mathcal{N}}_{\mathbf{0}.\mathbf{05}}^{*}=\mathbf{99}.\mathbf{5990}\%$	${\mathcal{N}}_{\mathbf{0}.\mathbf{01}}^{*}=\mathbf{99}.\mathbf{5940}\%$	${\mathcal{N}}_{\mathbf{0}.\mathbf{001}}^{*}=\mathbf{99}.\mathbf{5900}\%$
Cipher Image	NPCR Value (s)	NPCR Test Results
		0.05-Leve	0.01-Level	0.001-Level
Lena	99.6216%	Pass	Pass	Pass
Baboon	99.6201%	Pass	Pass	Pass
Peppers	99.6193%	Pass	Pass	Pass
Cameraman	99.6214%	Pass	Pass	Pass
Edge Noisy Image	99.6207%	Pass	Pass	Pass

presents the NPCR test results for different cipher images, compared to the critical value at significance levels of 0.05, 0.01, and 0.001.

The table shows that all NPCR values exceed the critical values at all tested significance levels, demonstrating the encryption scheme’s high sensitivity to plaintext changes, which is crucial for resisting differential attacks.

The NPCR and UACI values were computed for various cipher images, including Lena, Baboon, Peppers, and Cameraman, at different image sizes (256 × 256 and 512 × 512). Figure 10 and Figure 11 show the NPCR values for 256 × 256 and 512 × 512 images, respectively. All NPCR values exceed the lower bound, confirming that the encryption scheme achieves high sensitivity to pixel changes. Similarly, Figure 12 and Figure 13 present the UACI values, which also lie within the critical boundaries, highlighting the scheme’s robustness against differential attacks.

4.9. Gray Level Co-Occurrence Matrix

Gray Level Co-Occurrence Matrix (GLCM) analysis is utilized to examine the impact of the encryption scheme on the textural features of the images. The GLCM provides a statistical measure of pixel intensity variations by calculating how often pairs of pixels with specific values and in a specified spatial relationship occur in an image. The key metrics used in this analysis are contrast, energy, and homogeneity.

4.9.1. Contrast

Contrast measures the intensity difference between a pixel and its neighbor throughout the image. It highlights variations in texture and edges, defined by

$$\mathrm{Contrast}=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{(i-j)}^2·p(i,j)$$

where $p(i,j)$ represents the GLCM value at coordinates $(i,j)$. Higher contrast values indicate greater differences between neighboring pixel intensities.

4.9.2. Energy

Energy, also known as Angular Second Moment, quantifies the uniformity of the GLCM, calculated as follows:

$$\mathrm{Energy}=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}P{(i,j)}^2$$

The energy values range from 0 to 1, with higher values signifying less randomness. Lower energy values in ciphertext images suggest successful encryption through increased randomness.

4.9.3. Homogeneity

Homogeneity assesses the similarity of pixel values within local regions, defined by

$$\mathrm{Homogeneity}=\sum _{i=0}^{N-1}\sum _{j=0}^{N-1}{\displaystyle \frac{p(i,j)}{1+|i-j|}}$$

Higher homogeneity values indicate more similarity among neighboring pixels, whereas lower values point to greater variability, a desired trait in encrypted images.

Table 10. GLCM metric comparison for plaintext image (PI) and ciphertext image (CI).

Image	Contrast		Energy		Homogeneity
	PI	CI	PI	CI	PI	CI
Lena	98.58	10,895.98	0.00036	1.71 × 10−5	0.31943	0.03631
Peppers	127.77	10,871.49	0.00026	1.72 × 10−5	0.27398	0.03669
Cameraman	103.27	10,885.65	0.00188	1.72 × 10−5	0.46849	0.03640
Baboon	668.67	10,900.02	0.00012	1.73 × 10−5	0.15748	0.03616

presents the GLCM metrics for plaintext and ciphertext images, highlighting the impact of the encryption scheme on textural properties. The data shows that encrypted images exhibit significantly higher contrast, indicating increased intensity variations and disrupted uniformity compared to the original images. The low energy values suggest a high level of randomness, with pixel intensities well-dispersed and devoid of predictable patterns. Similarly, the reduced homogeneity values reflect a substantial decrease in local uniformity. These results collectively demonstrate that the encryption scheme effectively obscures the textural features of the images, enhancing their security and resistance to texture-based analysis or attacks.

4.10. Robustness Against Noise and Cropping Attacks

To assess the robustness of the proposed encryption scheme under real-world disturbances such as croppingand salt-and-pepper noise, we use the Peak Signal-to-Noise Ratio (PSNR) as an objective image quality metric. PSNR quantifies the similarity between the original image I and the decrypted image $I^{\prime }$ and is defined as follows:

$$\mathrm{MSE}={\displaystyle \frac{1}{MN}}\sum _{i=1}^M\sum _{j=1}^N{[I(i,j)-I^{\prime }(i,j)]}^2$$

(22)

$$\mathrm{PSNR}=10·{log}_{10}\left({\displaystyle \frac{{255}^2}{\mathrm{MSE}}}\right)$$

(23)

where $M\times N$ is the image size and 255 is the maximum pixel value for 8-bit grayscale images. A higher PSNR indicates better reconstruction quality after decryption.

Let $\Omega$ denote the full set of pixel indices of the image, and let ${\Omega }_c\subset \Omega$ represent the indices of corrupted pixels (due to cropping or noise), while ${\Omega }_u=\Omega \setminus {\Omega }_c$ represents the uncorrupted pixels that remain intact. In corrupted regions $(i,j)\in {\Omega }_c$, the decrypted values $I^{\prime }(i,j)$ are assumed to be statistically independent of the original $I(i,j)$ due to the avalanche effect inherent in secure encryption. These values are modeled as uniformly distributed random variables over $[0,255]$, i.e., $I^{\prime }(i,j)\sim \mathcal{U}(0,255)$. In uncorrupted regions $(i,j)\in {\Omega }_u$, perfect reconstruction is assumed: $I^{\prime }(i,j)=I(i,j)$. Under this model, the expected Mean Squared Error (MSE) becomes

$$\begin{array}{cc}\hfill {\mathrm{MSE}}_{\mathrm{expected}}& ={\displaystyle \frac{1}{|\Omega |}}\sum _{(i,j)\in {\Omega }_c}\mathbb{E}\left[{(I(i,j)-I^{\prime }(i,j))}^2\right]\hfill \\ \hfill & =\rho ·\left(\mathbb{E}\left[I^2\right]+\mathbb{E}\left[I^{\prime 2}\right]-2\mathbb{E}\left[I\right]·\mathbb{E}\left[I^{\prime }\right]\right)\hfill \end{array}$$

(24)

where $\rho ={\displaystyle \frac{|{\Omega }_c|}{|\Omega |}}$ is the corruption ratio and $\mathbb{E}\left[I\right]$ and $\mathbb{E}\left[I^2\right]$ are, respectively, the empirical mean and second moment of the original image over ${\Omega }_c$. Using these, we compute the expected PSNR:

$${\mathrm{PSNR}}_{\mathrm{expected}}=10·{log}_{10}\left({\displaystyle \frac{{255}^2}{{\mathrm{MSE}}_{\mathrm{expected}}}}\right)$$

(25)

This provides an analytical estimation of the PSNR under known corruption ratios. Comparing these theoretical values with the experimentally observed PSNRs helps assess the reliability and consistency of the encryption scheme. When the observed PSNR values are close to or slightly exceed the theoretical expectations, it indicates good resilience of the scheme to partial data loss and image degradation. However, significantly higher PSNR values, without the presence of any error-tolerant mechanisms such as redundancy or correction codes, may point to a potential security vulnerability. For instance, in [41], using the Boat.512 image from the USC SIPI dataset [49], the authors report PSNR values of 44.348, 41.496, and 34.678 for salt-and-pepper noise densities of 0.005, 0.01, and 0.05, respectively, while the corresponding expected PSNR values are only 32.307, 29.297, and 22.307. In such cases, the unexpectedly high similarity between the original and partially corrupted images could leak structural information, thereby undermining the confidentiality of the encryption process.

4.10.1. Noise Attack Analysis

To evaluate the scheme’s resilience against noise, salt-and-pepper noise at densities of 0.005, 0.05, and 0.1 was applied to encrypted images.

Table 11. Observed and expected PSNR (dB) after salt-and-pepper noise at various densities.

Image	$\mathit{\rho }$ = 0.005		$\mathit{\rho }$ = 0.01		$\mathit{\rho }$ = 0.05
	Obs.	Exp.	Obs.	Exp.	Obs.	Exp.
Lena	32.30	32.24	22.36	22.24	19.46	19.23
Peppers	32.02	31.89	22.04	21.89	19.14	18.88
Baboon	32.49	32.53	22.64	22.53	19.72	19.52
Cameraman	31.09	31.41	21.50	21.41	18.58	18.40
Boat.512	32.63	32.31	22.37	22.31	19.46	19.30

reports both observed and expected PSNR values. For instance, the Lena image yields observed PSNRs of 32.30, 22.36, and 19.46 dB, closely matching the expected values of 32.24, 22.24, and 19.23 dB, respectively. This consistency confirms that the proposed scheme maintains high reconstruction quality despite noise. The strong agreement with theoretical expectations also indicates that no unintended structure is preserved during encryption, supporting both robustness and security under degradation.

Figure 14 illustrates the impact of noise on the encrypted Peppers images and the corresponding recovered images, showcasing the scheme’s ability to mitigate noise effects while preserving the integrity of the recovered images.

4.10.2. Cropping Attack Analysis

To assess the robustness of the proposed encryption scheme against cropping attacks, encrypted images were partially cropped at ratios of 1/16, 1/4, and 1/2, simulating varying levels of data loss. As shown in

Table 12. Observed and expected PSNR (dB) after cropping at various ratios.

Image	$\mathit{\rho }$ = 1/16		$\mathit{\rho }$ = 1/4		$\mathit{\rho }$ = 1/2
	Obs.	Exp.	Obs.	Exp.	Obs.	Exp.
Lena	21.27	21.27	15.25	15.25	12.23	12.24
Peppers	21.11	20.92	14.99	14.90	11.88	11.89
Baboon	21.52	21.56	15.53	15.54	12.54	12.53
Cameraman	20.43	20.45	14.43	14.43	11.41	11.41
Boat.512	21.67	21.34	15.57	15.32	12.28	12.31

, the PSNR values between the original and recovered images remain within acceptable ranges, reflecting the scheme’s ability to preserve essential visual information. For example, the Lena image yielded PSNR values of 21.27, 15.25, and 12.23 for 1/16, 1/4, and 1/2 cropping, respectively, closely matching the theoretical expectations. These results confirm the scheme’s resilience under partial data loss, making it suitable for real-world environments where transmission degradation may occur.

Figure 15 shows the cropped Peppers ciphertext images at various scales and the corresponding recovered images, simulating a cropping attack scenario. This highlights the encryption scheme’s ability to preserve sufficient image quality even when significant portions of the data are intentionally removed, demonstrating resilience against cropping attacks.

Overall, the PSNR values indicate that the proposed encryption scheme effectively recovers images with moderate quality compared to the original, even in the presence of noise and cropping attacks. This resilience is critical for applications where maintaining some level of image integrity is necessary despite adverse conditions.

4.11. NIST Statistical Tests

To evaluate the security of the proposed image encryption algorithm, the NIST SP 800-22 statistical test suite was utilized. This suite is widely recognized for assessing the randomness of binary sequences generated by cryptographic algorithms, ensuring that the encrypted output lacks any discernible patterns that could be exploited by attackers.

In this evaluation, a total of 100 binary sequences were tested, each consisting of 100,000 bits in length. An exception is made for the Universal Test, where 10 sequences were tested, each with a length of 1,004,882 bits. These sequences were generated by repeatedly encrypting a diverse set of images, including Lena, Peppers, Baboon, and Cameraman, to comprehensively assess the performance of the proposed encryption algorithm across different types of visual data.

As shown in

Table 13. NIST SP 800-22 results.

Type of Test	p-Value	Conclusion
Frequency	0.275709	Pass
BlockFrequency	0.289667	Pass
Cumulative Sums	0.213309	Pass
Cumulative Sums	0.534146	Pass
Runs	0.137282	Pass
Longest Run	0.816537	Pass
Rank	0.474986	Pass
FFT	0.171867	Pass
Non-Overlapping Template	0.249284	Pass
Overlapping Template	0.883171	Pass
Universal	0.739918	Pass
Approximate Entropy	0.236810	Pass
Random Excursions	0.275709	Pass
Random Excursions Variant	0.437274	Pass
Serial	0.739918	Pass
Linear Complexity	0.924076	Pass

, the proposed encryption algorithm successfully passes all the tests in the suite, including those with strict randomness criteria, such as the Universal Test and the Approximate Entropy Test. This indicates that the ciphertexts generated from the encrypted images are random and unpredictable, effectively safeguarding the image content against statistical attacks.

These results demonstrate the robustness and effectiveness of the proposed encryption method, confirming its suitability for secure image transmission in constrained environments like the IoT.

4.12. Execution Time at Varying Image Sizes

To evaluate the scalability and performance of the proposed encryption scheme, experiments were conducted on the Lena image resized to four dimensions: 64 × 64, 128 × 128, 256 × 256, and 512 × 512 pixels. For each image size, encryption and decryption times were measured on a virtual machine configured with 1 GB of RAM and a single CPU core.

Table 14. Encryption and decryption times for Lena image at different sizes.

Image Size (px)	Encryption Time (s)	Decryption Time (s)
64 × 64	0.012157	0.012158
128 × 128	0.020061	0.018328
256 × 256	0.068099	0.074834
512 × 512	0.213090	0.229283

summarizes the execution times for each scale. As expected, the computational cost increases with image size, demonstrating the impact of data volume on processing time. The results remain within acceptable bounds for lightweight environments at lower resolutions.

4.13. Comparison with State-of-the-Art Schemes

The comparison presented in

Table 15. Comparison of image encryption schemes across statistical metrics.

Evaluation Metric	Ref. [25]	Ref. [28]	Ref. [32]	Ref. [33]	Ref. [35]	Proposed
Correlation (${\mathit{CC}}_{\mathit{h}}$)	0.0031	−0.0075	−0.0022	0.0009	−0.0007	0.00016
Correlation (${\mathit{CC}}_{\mathit{v}}$)	0.0063	−0.0070	0.0047	0.0007	−0.0007	−0.0008
Correlation (${\mathit{CC}}_{\mathit{d}}$)	0.003	0.0041	0.0013	0.0007	−0.001	−0.0029
Global Entropy	7.998075	7.9987	7.9993	7.9991	7.9997	7.9995
NPCR (%)	99.6355	99.574	99.62	99.69	99.69	99.62
UACI (%)	39.80515	33.39	33.336	33.4	33.52	33.4543

evaluates the average values of key statistical metrics computed over 512 × 512 grayscale images across various state-of-the-art encryption schemes. For correlation, all schemes including the proposed one achieve near-zero values across all directions, which indicates effective decorrelation of adjacent pixels. The proposed method shows well-balanced results ($C{C}_h=0.00016$, $C{C}_h=-0.0008$, and $C{C}_d=-0.0029$), confirming secure pixel independence without instability. Regarding global entropy, the ideal value is 8 for grayscale images; while Ningthoukhongjam et al. [35] report the highest (7.9997), the proposed method (7.9995) is statistically equivalent, indicating strong randomness. However, as shown in Figure 9, global entropy alone may mask local regions with residual patterns; thus, local entropy analysis is crucial for credibility—an aspect often overlooked in related works and not reflected in the comparison. For differential attack resistance, NPCR and UACI are evaluated against critical thresholds for image size 512 × 512; specifically, NPCR must exceed 99.5893 at the 0.05 significance level, and UACI must lie within the interval $[33.3730,33.5541]$. Most schemes satisfy these bounds, although Kumar and Sharma [28] slightly underperform with $\mathrm{NPCR}=99.574\%$ (below the 0.05 threshold) and Parida et al. [32] report a borderline $\mathrm{UACI}=33.336\%$, marginally below the critical minimum. Mondal et al. [25], on the other hand, report an unusually high UACI value of 39.8051%, which significantly exceeds the theoretical upper bound and may reflect uncontrolled diffusion. Notably, this same scheme was later cryptanalyzed [47], indicating that such extreme metric deviations, while seemingly favorable, can be symptomatic of internal structural weaknesses rather than genuine robustness against differential attacks. In contrast, the proposed scheme maintains both $\mathrm{NPCR}=99.62\%$ and $\mathrm{UACI}=33.4543\%$, which lie comfortably within the accepted critical intervals, demonstrating secure and consistent diffusion behavior. Overall, the proposed scheme meets all critical security criteria without exceeding statistical bounds and aligns more closely with expected values compared to some prior works. This reinforces the core aim of this study: to deliver an objective evaluation based on statistically sound rather than subjective benchmarks.

5. Conclusions

This paper presents a novel lightweight image encryption scheme based on elliptic curve cryptography, specifically designed for resource-constrained IoT environments. The proposed approach embeds image data blocks into elliptic curve points using a secure mapping algorithm, combined with pixel shuffling and an OTP-like XOR operation, to achieve a strong balance between security and computational efficiency. To rigorously validate its effectiveness, a comprehensive set of formal, statistical, and empirical analyses is conducted. These include key space estimation, key sensitivity, resistance to chosen-plaintext attacks, histogram uniformity and statistical analysis, correlation coefficient evaluation, local and global entropy measurement, differential analysis (NPCR and UACI), and Gray Level Co-occurrence Matrix analysis. The scheme’s robustness is further confirmed through resistance to noise and cropping attacks, while its randomness is validated using the NIST statistical test suite. Execution time analysis also demonstrates the scheme’s low computational overhead, reinforcing its practicality for real-time use in constrained environments. Unlike many previous studies that rely on limited or subjective benchmarks, this work adopts a statistically grounded methodology to deliver an objective and reliable assessment.

To further enhance its applicability, future work will focus on extending the evaluation to color images and compressed formats, aiming to validate the scheme’s versatility across broader multimedia contexts. Overall, the proposed scheme offers a secure, efficient, and thoroughly validated cryptographic solution tailored to the evolving demands of IoT and Net-Living ecosystems.