A Novel Chaos-Based Color Image Encryption Scheme Using Bit-Level Permutation

: To ensure the security of digital images during transmission and storage, an e ﬃ cient and secure chaos-based color image encryption scheme using bit-level permutation is proposed. Our proposed image encryption algorithm belongs to symmetric cryptography. Here, we process three color components simultaneously instead of individually, and consider the correlation between them. We propose a novel bit-level permutation algorithm that contains three parts: a plain-image related rows and columns substitution, a pixel-level roll shift part, and a bit-level cyclic shift part. In the plain-related rows and columns substitution part, we involve the plain-image information to generate a control sequence by using a skew tent system. This process ensures that the correlation between three color components can be totally broken, and our cryptosystem has enough plain-image sensitivity to resist the di ﬀ erential attack. In the pixel-level roll shift part and bit-level cyclic shift part, we have a fully bit-level permutation controlled by two sequences using a Rucklidge system. The simulation and some common security analyses are given. Test results show that our proposed scheme has good security performance and a speed advantage compared to other works.


Introduction
Color images, as a kind of multimedia format, have become the most important information carrier in digital communication, increasing the convenience of daily life. The security problem of color images in transmission and cloud storage should not be ignored; therefore, digital image encryption has become an important research topic in the field of multimedia network communication.
There are different features between image and text structure data, such as high redundancy, strong correlation among adjacent pixels, etc. Thus, many traditional text structure encryption schemes result in poor performance on image encryption [1]. Therefore, many encryption algorithms designed for image features have been proposed [2]. Previously, an image encryption scheme only used special transformation matrices (e.g., Arnold map, magic cube transformation, etc.) to change the position of pixels in the plain image, but these schemes did not meet Kerckhoffs's principle. According to Kerckhoffs' principle, a modern cryptosystem should make all details public knowledge, as the system security only depends on the key. These schemes are also unable to resist statistical attacks and known plaintext attacks [3].
According to Shannon's theory [4], a good encryption system should contain two processes: permutation and diffusion. There are two types of permutation methods: one is the pixel-level permutation, which only changes the pixels' positions; the other is the bit-level permutation, which proposed a parallel image encryption scheme implemented in OpenCL. Ouyang et al. [26] proposed a method of impulsive synchronization of coupled delayed neural networks with actuator saturation, and designed an image encryption scheme using this method. In [27], the authors proposed a compressed sensing strategy based on a semi-tensor product and designed a visual security image encryption scheme. In [28], an image encryption scheme is proposed using compressive sensing and random numbers insertion. Zhang et al. [29] proposed a plaintext-related image encryption scheme by using a perceptron-like network. In [30], the authors proposed a color image encryption scheme based on a two dimensional nonlinear coupled map lattices system. Arpacı et al. [31] gave an image cryptosystem via a modified Chua's circuit. Khan et al. [33] proposed an image encryption scheme based on Lorenz, Gingerbreadman chaotic map, and S 8 permutation.
Due to color images containing red, green, and blue color components, there is a correlation among color components. Therefore, the color image encryption algorithm does not simply encrypt each color component, because it needs to destroy the correlation among the components. Furthermore, a good color image encryption scheme should consume less time than the summation of encrypting each color component; therefore, our proposed method considers the correlation among three color-components and bit-level permutated them at the same time, resulting in higher efficiency. The main contributions of this work are as follows: (1) a cross-color-components bit-level permutation method is presented; (2) a fast and secure color image encryption scheme is proposed, and (3) some common security analyses and comparisons are given.
The organization of this paper is as follows: In Section 2, the detailed descriptions of encryption and decryption algorithms are given. In Section 3, the simulation results of our proposed scheme, some common security analyses, and a comparison are given. In the last section, the conclusions of this paper are provided.

Proposed Scheme
In our proposed scheme, the image cryptosystem includes two parts: bit-level permutation and diffusion. There are two types of chaotic systems in these processes. The skew tent system, which is given in Equation (1), is used to generate two substitute control sequences which are employed in plain-related substitution. The Rucklidge system, which is given in Equation (2), is used to generate pixels' positions shift control sequences and bit cycle shift control sequences which are employed in bit-level permutation. In addition, the Rucklidge system generates the security keys for encryption or decryption.
Remark: In our proposed scheme, we use a skew tent map and Rucklidge system to control the encryption process; other chaotic systems can also be extended in our scheme, and the only difference is the size of the key space.
The skew tent map [34] is given by: where p is the parameter of the skew tent system. When p ∈ (0, 0.5) ∪ (0.5, 1), the system can generate a chaotic sequence t n ∈ (0, 1). The Rucklidge system [35] is given by: where a and b are system parameters. When a = 2 and b = 7.7, the system enters into chaos and Figure 1 shows its attractors.

Encryption Scheme
In this scheme, we used the traditional encryption architecture: permutation and diffusion. The permutation process contains three parts: plain-image related rows and columns substitution, pixellevel roll shift, and bit-level cyclic shift. Figure 2 shows the process of the encryption scheme. This process is described as follows: (1) Input an RGB color plain image and the security keys into the encryption scheme. We assume that the size of the inputted image is M × N × 3. Then the encryption process begins.
Note, inputted security keys are defined as , , … , ∈ (0,1), which are used to generate parameters and initial values of the skew tent map and Rucklidge systems. To avoid a weak key problem, we required each input key to be 15 decimal places.
(2) Reshape the inputted color image from a 3D to 2D matrix, and denote it as PI.
where Red, Green, and Blue are color components. PI is an M × 3N matrix.
(3) Add all values of matrix PI, and denote the summation as SUM.
(4) The system parameter and initial condition of the skew tent map are generated by Equations (5) and (6), respectively.
where mod (a,1) means the decimal fraction from a, and k1, k2,…, k9 are the inputted keys (similarly hereinafter). (5) Iterate Equation (1) under the system parameter and initial condition generated in Step 4, and then denote the iteration sequence (without the first 200 iterations) as T. Take the first M elements of T to generate a new sequence X1 (Equation (7)). Then, take the repeated numbers away from X1 and append the absent elements to the end for generating the rows' substitute control sequence X. In the same way, take the M + 1 to M + 3N elements to generate a new sequence Y1 (Equation (8)). Then,

Encryption Scheme
In this scheme, we used the traditional encryption architecture: permutation and diffusion. The permutation process contains three parts: plain-image related rows and columns substitution, pixel-level roll shift, and bit-level cyclic shift. Figure 2 shows the process of the encryption scheme. This process is described as follows:

Decryption Scheme
In our proposed image cryptosystem, the decryption scheme is the inverse process of encryption. The process of decryption is shown in Figure 3, and a detailed description is as follows: (1) Input a cipher image and the security keys into the decryption scheme. We assume the size of the inputted cipher image is M × N × 3. Then the encryption process begins.
(2) Change the inputted image from a 3D matrix into a 2D matrix, and denote it as D.
where Red, Green, and Blue are color components. D is an M × 3N matrix.
(3) The initial conditions of the Rucklidge system are generated using Equations (28)- (30). (1) Input an RGB color plain image and the security keys into the encryption scheme. We assume that the size of the inputted image is M × N × 3. Then the encryption process begins.
Note, inputted security keys are defined as k1, k2, . . . , k9 ∈ (0, 1), which are used to generate parameters and initial values of the skew tent map and Rucklidge systems. To avoid a weak key problem, we required each input key to be 15 decimal places.
(2) Reshape the inputted color image from a 3D to 2D matrix, and denote it as PI.

PI = [Red Green Blue]
(3) where Red, Green, and Blue are color components. PI is an M × 3N matrix.
(3) Add all values of matrix PI, and denote the summation as SUM.
(4) The system parameter and initial condition of the skew tent map are generated by Equations (5) and (6), respectively.
where mod (a,1) means the decimal fraction from a, and k1, k2, . . . , k9 are the inputted keys (similarly hereinafter). (5) Iterate Equation (1) under the system parameter and initial condition generated in Step 4, and then denote the iteration sequence (without the first 200 iterations) as T. Take the first M elements of T to generate a new sequence X1 (Equation (7)). Then, take the repeated numbers away from X1 and append the absent elements to the end for generating the rows' substitute control sequence X. In the same way, take the M + 1 to M + 3N elements to generate a new sequence Y1 (Equation (8)). Then, take the repeated numbers away from Y1 and append the absent elements to the end for generating the columns' substitute control sequence Y.
where mod (a, b) represents the remainder obtained on a/b, fix (a) represents the integer part of a, and T(a:b) means take the a to the b elements of T (similarly hereinafter). (6) Partition matrix P into row vectors and denote them as R t , where t = 1, 2, . . . , M. Substitute the row vectors under X sequence controlling as in Equation (9).
(7) Repartition the row substituted matrix into column vectors and denote them as C t , where t = 1, 2, . . . , 3N. Substitute the column vectors under Y sequence controlling as in Equation (10).
The initial conditions of the Rucklidge system are generated by Equations (11)- (13).
(9) Under the initial conditions generated in Step 8, iterate Equation (2) through a 0.002 step size 4th-order Runge-Kutta method. There are three sequences gained from this iteration. Discard the first Symmetry 2020, 12, 1497 6 of 17 800 iterations to eliminate the transitional state, and denote the three sequences as XS, YS, and ZS, respectively. Here, the transitional state-some states before the chaos system goes stable-may cause the bad randomness seen in the generation sequences for the cryptosystem.
(12) Partition the matrix generated in Step 7 into column vectors, and denote them as PC i ( j). Then, roll shift the pixels' position as in Equation (18).
(13) Denote the new column vectors generated in the previous step as BC i . Then, cyclic shift all elements in the column vector to the left direction under the control sequence BSC i as in Equation (19).
(14) Repartition the matrix generated in the previous step into row vectors, and denote them as PR i ( j). Then, roll shift the pixels' position as Equation (20).
(15) Denote the new row vectors generated in the previous step as BR i . Then, cyclic shift all elements in the row vector to the left direction under the control sequence BSR i as in Equation (21).

Decryption Scheme
In our proposed image cryptosystem, the decryption scheme is the inverse process of encryption. The process of decryption is shown in Figure 3, and a detailed description is as follows: and append the absent elements to the end for generating the rows' substitute control sequence X. In the same way, take the M + 1 to M + 3N elements to generate a new sequence Y1 as in Equation (48). Then, take the repeated numbers from Y1 and append the absent elements to the end for generating the columns' substitute control sequence Y.  (50).

Simulation and Security Analysis
Our proposed scheme is evaluated by software simulation in this section, and the software environment was MATLAB 2015b in MacOS High Sierra (10.13.1). The system parameters of the Rucklidge system, given by Equation (2), were a = 2 and b = 7.7, and the security inputted keys were k1 = 0.596345821685246, k2 = 0.521468245214562, k3 = 0.987412563548541, k4 = 0.536958542152365, k5 = 0.987452153255425, k6 = 0.665489221351221, k7 = 0.145851325412545, k8 = 0.325632541251254, and k9 = 0.285696325412524. The test images were 512 × 512 × 3-pixel RGB color images, and the (1) Input a cipher image and the security keys into the decryption scheme. We assume the size of the inputted cipher image is M × N × 3. Then the encryption process begins.
(2) Change the inputted image from a 3D matrix into a 2D matrix, and denote it as D.
where Red, Green, and Blue are color components. D is an M × 3N matrix.
(4) Under the initial conditions generated in Step 3, iterate Equation (2) through a 0.002 step size 4th-order Runge-Kutta method. There are three sequences gained from this iteration. Discard the first 800 iterations to eliminate the transitional state, and denote the sequences as XS, YS, and ZS, respectively.
(5) Generate key sequences from the iteration sequences generated in the previous step using Equations (31)- (34).
(10) Repartition the matrix generated from Step 7 into row vectors, and denote them as DBR i . Then, cyclic shift all elements in the row vector to the right direction under the control sequence BSR i as in Equation (40).
(11) Denote the new row vectors generated in the previous step as DPR i ( j). Then, roll shift the pixels position as in Equation (41).
where i = 1, 2, . . . , M, and j = 1, 2, . . . , 3N. (12) Partition the matrix generated in the previous step into column vectors and denote them as DBC i . Then, cyclic shift all elements in the column vector to the right direction under the control sequence BSC i as in Equation (42).
(13) Denote the new column vectors generated in the previous step as DPC i ( j). Then, roll shift the pixels position as in Equation (43).
Add all values of matrix DP generated in the previous step, and denote the summation as SUM.
(16) Iterate Equation (1) under the system parameter and initial condition generated in Step 15, and denote the iteration sequence (without the first 200 iterations) as T. Take the first M elements of T to generate a new sequence X1 as in Equation (47). Then, take the repeated numbers away from X1, and append the absent elements to the end for generating the rows' substitute control sequence X. In the same way, take the M + 1 to M + 3N elements to generate a new sequence Y1 as in Equation (48). Then, take the repeated numbers from Y1 and append the absent elements to the end for generating the columns' substitute control sequence Y.  (49).
(18) Repartition the column substituted matrix into row vectors, and denote them as RR t , where t = 1, 2, . . . , M. Substitute the row vectors under X sequence controlling as in Equation (50). (19) Reshape the result of Step 18 into an M × N × 3 matrix. Output the plain image, and the decryption process is finished.

Simulation and Security Analysis
Our proposed scheme is evaluated by software simulation in this section, and the software environment was MATLAB 2015b in MacOS High Sierra (10.13.1). The system parameters of the Rucklidge system, given by Equation (2), were a = 2 and b = 7.7, and the security inputted keys were k1 = 0.596345821685246, k2 = 0.521468245214562, k3 = 0.987412563548541, k4 = 0.536958542152365, k5 = 0.987452153255425, k6 = 0.665489221351221, k7 = 0.145851325412545, k8 = 0.325632541251254, and k9 = 0.285696325412524. The test images were 512 × 512 × 3-pixel RGB color images, and the simulation results are shown in Figure 4. Furthermore, many commonly used security analyses are given in the following subsections. simulation results are shown in Figure 4. Furthermore, many commonly used security analyses are given in the following subsections.

Key Space Analysis
In our proposed scheme, the chaotic parameter and initial data are generated by the nine input keys k1,…, k9; therefore, the real keys of our proposed image encryption algorithm are those chaotic parameters and initial data. There are a chaotic parameter p ∈ (0,0.5) ∪ (0.5,1) and initial data 0 ∈ (0,1) of the skew tent map, and three initial data 0 ∈ (−11,11), 0 ∈ (−6,6), and 0 ∈ (1,17) for the Rucklidge system. If we suppose that the change step of keys is 10 −15 , which is limited by computer accuracy, then the key space can be calculated as S = (10 15 ) 2 × 2.2 × 10 16 × 1.2 × 10 16 × 1.6 × 10 16 = 4.224 × 10 78 ≈ 2 261 . For a cryptosystem to resist the brute-force attack, the key space needs to be at least 2 100 [2,19]. Therefore, our proposed cryptosystem has a large enough key space to resist the brute-force attack.

Differential Attack
The plaintext sensitivity is an indicator to show whether an image cryptosystem can resist a differential attack. We measure plaintext sensitivity by quantizing the difference between images that are generated by encrypting two plain images with a one-bit difference. There are two indictors to measure the difference between images: number of pixels change rate (NPCR) and unified average changing intensity (UACI) [9][10][11][12][13].
NPCR and UACI are given by:

Key Space Analysis
In our proposed scheme, the chaotic parameter and initial data are generated by the nine input keys k1, . . . , k9; therefore, the real keys of our proposed image encryption algorithm are those chaotic parameters and initial data. There are a chaotic parameter p ∈ (0, 0.5) ∪ (0.5, 1) and initial data t 0 ∈ (0, 1) of the skew tent map, and three initial data x 0 ∈ (−11, 11), y 0 ∈ (−6, 6), and z 0 ∈ (1, 17) for the Rucklidge system. If we suppose that the change step of keys is 10 −15 , which is limited by computer accuracy, then the key space can be calculated as S = 10 15 2 × 2.2 × 10 16 × 1.2 × 10 16 × 1.6 × 10 16 = 4.224 × 10 78 ≈ 2 261 . For a cryptosystem to resist the brute-force attack, the key space needs to be at least 2 100 [2,19]. Therefore, our proposed cryptosystem has a large enough key space to resist the brute-force attack.

Differential Attack
The plaintext sensitivity is an indicator to show whether an image cryptosystem can resist a differential attack. We measure plaintext sensitivity by quantizing the difference between images that are generated by encrypting two plain images with a one-bit difference. There are two indictors to measure the difference between images: number of pixels change rate (NPCR) and unified average changing intensity (UACI) [9][10][11][12][13].
NPCR and UACI are given by: where C 1 (i, j) and C 2 (i, j) are cipher images that are generated from two plain-images that have only a one-pixel difference. M and N are the height and width of each image color component, respectively.
We obtain a new image by changing the one-bit pixel value in any one color component of the plain image, and then encrypt these two images. The NPCR reflects the percentage of different values of two pixels, which are selected in the same location and same color component of two cipher images. The UACI is the average intensity of the difference between two pixels which are in the same position of two cipher images.
In this section, we randomly change the one-bit value of a pixel in any one color component, and then calculate NPCR and UACI in the red, green, and blue color components, separately. The NPCR and UACI results are shown in Table 1. According to the results of the NPCR and UACI, our proposed cryptosystem has enough plaintext sensitivity to resist the differential attack.

Histogram Analysis
It is important to ensure that the cipher image shows the uniform distribution in histogram analysis, or it is not able to resist the statistical attack. In this section, we test three group histograms: histograms of image pepper, whole black image, whole white image, and their corresponding cipher images. The test results are shown in Figure 5. The histogram analysis results showed that the proposed cryptosystem has an outstanding diffusion property and statistical attack resistance.

Histogram Analysis
It is important to ensure that the cipher image shows the uniform distribution in histogram analysis, or it is not able to resist the statistical attack. In this section, we test three group histograms: histograms of image pepper, whole black image, whole white image, and their corresponding cipher images. The test results are shown in Figure 5. The histogram analysis results showed that the proposed cryptosystem has an outstanding diffusion property and statistical attack resistance.

Correlation Coefficient
The correlation coefficient of adjacent pixels in the cipher image is an important indictor to judge the performance of an image encryption scheme. Adjacent pixels in a plain image always have a strong correlation; therefore, image encryption processes must destroy this correlation [14][15][16].
The correlation coefficient is given by: where a and b represent color values of adjacent pixels, and In this test, 10,000 pairs of adjacent pixels were randomly selected in the cipher image. Table 2 shows the results of the correlation coefficient calculation, and Figure 6 shows the distribution of pepper.   Columns (2) and (6) are the red component, columns (3) and (7) are the green component, and columns (4) and (8) are the blue component.

Key Sensitivity Analysis
An image cryptosystem requires a good key sensitivity to ensure the key and plaintext are fully confused. There are nine security keys in our scheme, and the change step of each key is 10 −15 . In this section, we encrypt the plain-image pepper by some keys that only change 10 −15 , and calculate the NPCR and UACI to assess the difference between ciphers. Therefore, we encrypt the plain-image pepper using the keys, which were assigned at the beginning of Section 3, and we denote the cipher image as C1. We then encrypt the plain-image pepper two times with the modified keys k1′ = k1 + 10 −15 and k2′ = k2 + 10 −15 , and we denote the two generated ciphers as C2 and C3, respectively. The test results are shown in Figure 7, and the NPCR and UACI between ciphers generated by different keys are shown in Table 3. The results clearly show that the proposed image cryptosystem has enough key sensitivity and has an exhaustive attack resistance.

Key Sensitivity Analysis
An image cryptosystem requires a good key sensitivity to ensure the key and plaintext are fully confused. There are nine security keys in our scheme, and the change step of each key is 10 −15 . In this section, we encrypt the plain-image pepper by some keys that only change 10 −15 , and calculate the NPCR and UACI to assess the difference between ciphers. Therefore, we encrypt the plain-image pepper using the keys, which were assigned at the beginning of Section 3, and we denote the cipher image as C1. We then encrypt the plain-image pepper two times with the modified keys k1 = k1 + 10 −15 and k2 = k2 + 10 −15 , and we denote the two generated ciphers as C2 and C3, respectively. The test results are shown in Figure 7, and the NPCR and UACI between ciphers generated by different keys are shown in Table 3. The results clearly show that the proposed image cryptosystem has enough key sensitivity and has an exhaustive attack resistance.

Information Entropy Analysis
Here, we use the information entropy to indicate the uncertainty degree of a cipher image [9,22], and the information entropy is calculated by: where L is the bit depth of each color component of the image, e.g., L = 8 for one color component of a 24-bit RGB color image, and ( ) is the probability of . The ideal information entropy of an 8-bit color component is ( ) = 8 bits. The entropy test of each color component is shown in Table 4. According to the test results, our entropies of each color component were close to 8, which is the ideal case for an 8-bit image. Therefore, this cryptosystem performs well for resisting an entropy attack.

Speed Analysis and Comparisons
All of the simulations and tests in this paper were implemented in MATLAB R2015b on a MacBook with Intel® Core i7, CPU 1.4GHz, and 16GB memory, and the software was run on macOS. The speed analysis results are shown in Table 5, and the comparison with others are shown in Table  6. From tests and comparisons, our method has good encryption speed performance.

Information Entropy Analysis
Here, we use the information entropy to indicate the uncertainty degree of a cipher image [9,22], and the information entropy is calculated by: where L is the bit depth of each color component of the image, e.g., L = 8 for one color component of a 24-bit RGB color image, and P(s i ) is the probability of s i . The ideal information entropy of an 8-bit color component is H(s) = 8 bits. The entropy test of each color component is shown in Table 4. According to the test results, our entropies of each color component were close to 8, which is the ideal case for an 8-bit image. Therefore, this cryptosystem performs well for resisting an entropy attack.

Speed Analysis and Comparisons
All of the simulations and tests in this paper were implemented in MATLAB R2015b on a MacBook with Intel®Core i7, CPU 1.4GHz, and 16GB memory, and the software was run on macOS. The speed analysis results are shown in Table 5, and the comparison with others are shown in Table 6. From tests and comparisons, our method has good encryption speed performance.

Conclusions
In this paper, we proposed an efficiency and secure color image encryption scheme based on a chaotic system. The proposed cryptosystem contains two parts: bit-level permutation and diffusion. The bit-level permutation algorithm contains three parts: A plain-image related rows and columns substitution, a pixel-level roll shift part, and a bit-level cyclic shift part. In the plain-related rows and columns substitution part, we involved the plain-image information to generate a control sequence by using a skew tent system. This part ensures that the correlation between the three color-components is broken, and our cryptosystem has enough plain-image sensitivity to resist the differential attack. In the pixel-level roll shift part and bit-level cyclic shift part, we produced a fully bit-level permutation controlled by two sequences using a Rucklidge system. In this paper, we considered the correlation between the three color-components; thus, we processed the three color-components simultaneously, and not individually, in permutation and diffusion. Finally, the results of the security analyses and comparisons showed that our proposed scheme not only has good security performance, but also has a speed advantage compared to other works.