Design, Implementation, and Analysis of a Block Cipher Based on a Secure Chaotic Generator

Abstract

This work proposes a new secure chaos-based encryption/decryption system, operating in cipher block chaining (CBC) mode, and analyze its performance. The cryptosystem includes a robust pseudorandom number generator of chaotic sequences (PRNG-CS). A strong chaos-based S-box is proposed to perform a circular substitution operation (confusion process). This PRNG-CS consists of four discrete 1-D chaotic maps, weakly coupled by a predefined coupling matrix M, to avoid, on the one hand, the divide-and-conquer attack and, on the other hand, to improve the generated sequence’s randomness and lengths. The noun is also used in the construction of the S-box. Moreover, a 2-D modified cat map and a horizontal addition diffusion (HAD) preceded by a vertical addition diffusion (VAD) are introduced to perform the diffusion process. The security analysis and numerous simulation results of the main components (PRNG-CS and S-box) as well as the whole cryptosystem reveal that the proposed chaos-based cryptosystem holds up against various types of statistical and cryptographic attacks.

1. Introduction

Nowadays, the necessity to protect data has become a primary challenge. The security of communication of sensitive data is not only limited to military and diplomatic information and national defense issues, but also concerns the private lives of individuals and companies. With this regard, cryptography schemes have been developed. Indeed, cryptographic techniques leads to well-ensured messages and data confidentiality. Chaos was integrated into cryptography for the first time by Matthews in the 1990s [1]. Among the existing state-of-the-art approaches, chaos-based cryptosystems have proved their efficiency in data security [2,3,4] due, on the one hand, to the powerful proprieties of chaotic sequences such as deterministic, unpredictable, random-like behavior, and high sensitivity to initial conditions and control parameters (secret key) [5,6,7] and, on the other hand, to their efficient properties of confusion and diffusion performed by chaotic maps [8,9,10,11,12].

Symmetric chaos-based encryption/decryption systems are classified under two categories: block ciphers and stream ciphers. The former is the main symmetric key cryptosystem, as their design is related to Shannon’s theory of information security based on confusion and diffusion operations [8,13]. Their security properties were well-studied, and these ciphers encrypt the plaintext on a block of bits: 128, 256, 512, 1024, etc. [14,15].

Compared to traditional symmetric cryptography, chaos-based encryption/decryption schemes are more flexible (generic design, variable block size, and secret key can be easily enlarged), easier to implement, and have intrinsic security related to the properties of chaotic sequences [14,16]. Moreover, some of them use a substitution layer based on key-dependent S-boxes and not on fixed S-boxes as used in the Advanced Encryption Standard (AES) algorithm [17].

A key element of all chaos-based cryptosystems is the chaotic generator, which provides the dynamic keys (encryption keys) for the confusion and diffusion layer. The security, as well as the efficiency of the system, largely depend on the chaotic generator used.

However, most chaos-based cryptosystems reported in the literature refer to simple chaotic maps to supply the confusion and diffusion layer [18,19]. Such cryptosystems can be destroyed by side-channel attacks [20,21].

A fast chaos-based image encryption system with a dynamic state variables selection mechanism was proposed by Chen et al. [22] and it achieved a high confusion and diffusion process. Similar to the suggested cryptosystem by Fridrich [9] and Zhang et al. [23], three prototypes of a chaos-based cryptosystem were put up by Farajallah et al. [24]. The modified 2-D cat map was used to create the confusion process and 32-bit and 8-bit logistic maps were used as the diffusion layer for the two first versions, and a modified finite skew tent map (FSTM) in the third version.

A secure cryptosystem based on chaotic components was proposed by Qiao et al. [25]. In this cryptosystem, the AES S-box was used as a confusion layer. [17]. A global diffusion operating on the entire image was established using a horizontal addition diffusion (HAD), afterward, a vertical addition diffusion (VAD), introduced by Omrani et al. [26], then a permutation operation based on the modified 2-D cat map to reinforce the diffusion effect.

Wang et al. [27] published a block cipher cryptosystem using dynamic S-boxes based on a tent map. Their system operated on blocks using different generated S-boxes and used 32 iterations of substitution and left cyclic shift. A similar cryptosystem was proposed by Zhang et al. [28] based on a circular S-box as a confusion process and a keystream buffer as a diffusion layer. The system operates on the entire plain image. Another block cipher based on the chaotic logistic map was presented by Alawida et al. [29]. To enhance the performance of the logistic map, a new chaotification approach based on a multiplicative inverse function was applied. The diffusion and confusion process required data sequences, which were created by perturbing the chaotic variables with the secret key. The confusion process was controlled by the chaotic points themselves, whereas the diffusion process was controlled by an ergodic chaotic map.

Alshammari et al. [30] developed a new lightweight block cipher to protect the security of data acquired by Internet of things (IoT) sensor. It consisted of a customized AES algorithm with a chaos-based S-box and a chaotic map. Despite having good cryptographic characteristics and a high amount of randomness, this was related primarily to the AES underlying structure and not to the modified S-box. Additionally, AES was not well recognized for its lightweight implementation and could not be appropriate for IoT devices with constrained resource in terms of computing capabilities.

In this paper, we propose an efficient encryption/decryption system based on a secure pseudorandom number generator of chaotic sequences (PRNG-CS) and a strong key-dependent S-box. The proposed chaos-based cryptosystem design takes into account the weaknesses and strengths of the systems mentioned above. The proposed PRNG-CS is able to prevent the divide-and-conquer and the SCA attacks. This PRNG-CS is used to build the key-dependent S-box. It also provides the encryption/decryption keys necessary for the substitution and permutation operation [31,32,33,34].

The remainder of this paper is organized as follows: In Section 2, we present the proposed chaos-based cryptosystem architecture with a deep insight of the PRNG-CS, the S-box with the circular substitution process, and the diffusion process, then we give the pseudocode of the encryption/decryption algorithms. In Section 3, we present the experiments results and security analysis of the proposed cryptosystem and its computing performance. Finally, Section 4 summarizes the whole paper.

2. Proposed Chaos-Based Cryptosystem

The architecture of the proposed chaos-based cryptosystem is shown in Figure 1, for the encryption process and in Figure 2, for the decryption process. This structure achieves high confusion-diffusion effects. On the encryption side, the confusion is achieved by a circular substitution layer based on a proposed strong S-box, which is the non-linear element of the cryptosystem as in the Advanced Encryption Standard (AES) algorithm. The diffusion process consists of three steps: a permutation layer based on the modified 2-D-Cat map, a horizontal addition diffusion (HAD), and a vertical addition diffusion (VAD). The confusion and diffusion layers use the proposed PRNG-CS. On the decryption side, apart from the PRNG-CS, reverse diffusion and reverse substitution are achieved by reverse processes of those used in encryption, as indicated in Figure 2.

The block cipher operation can be repeated r times, if necessary, to obtain the final secure encrypted image.

Each component of the proposed cryptosystem is described in depth in the following sections.

2.1. Description of the Proposed Pseudorandom Number Generator of Chaotic Sequences (PRNG-CS)

The proposed PRNG-CS (see Figure 3), which is a fundamental element of any chaos-based cryptosystem, uses an initial vector $\left(IV\right)$ and a secret key $\left(K\right)$ as inputs and outputs the dynamical keys (encryption/decryption keys) Kc for the confusing process and Kd for the diffusion process. The systems’ IV supplies the initial vectors of the four chaotic maps IVP, IVS, IVL, and IVT each $N=32$ bits in size, and the secret key K gives all the initial conditions and parameters of the chaotic maps but also the initial value of the linear-feedback shift register (LFSR) and the parameters of the coupling matrix M and transient phase Tr, as summarized in

Table 1. Initial conditions and parameters that form the secret key.

Symbol	Definition
$XP0$, $XS0$, $XL0$, and $XT0$	Initial conditions of the four chaotic maps: PWLCM, skew tent, logistic, and 3-D Chebyshev in $[1,2^N-1]$.
$P_p$	PWLCM map control parameter in $[1,2^{N-1}-1]$.
$P_s$	Skew tent map control parameter in $[1,2^N-1]$.
${ϵ}_{ij}$	Coupling matrix M parameters in $[1,2^k]$ with $k\le 5$.
Q0	The initial value of the used LFSR is defined by: $Q\left(n\right)=x^{32}+x^{22}+x^2+x+1.$
$T_r$	The transient phase of 10 bits.

.

The four chaotic maps’ initial conditions, $XP\left(0\right)$, $XS\left(0\right)$, $XL\left(0\right)$, and $XT\left(0\right)$ are provided by:

$$\left\{\begin{array}{c}XP\left(0\right)=IVP+XP0\\ XS\left(0\right)=IVS+XS0\\ XL\left(0\right)=IVL+XL0\\ XT\left(0\right)=IVT+XT0\end{array}\right.$$

(1)

The output $X\left(n\right)$ is calculated by:

$$X\left(n\right)=XPC\left(n\right)\oplus XSC\left(n\right)\oplus XLC\left(n\right)\oplus XTIC\left(n\right)$$

(2)

The coupling system is defined as follows:

$$\left[\begin{array}{c}XPC\left(n\right)\\ \begin{array}{c}XSC\left(n\right)\\ XLC\left(n\right)\\ XTIC\left(n\right)\end{array}\end{array}\right]=M\times \left[\begin{array}{c}XP\left(n\right)\\ \begin{array}{c}XS\left(n\right)\\ XL\left(n\right)\\ XTI\left(n\right)\end{array}\end{array}\right]$$

(3)

where

$$M=\left[\begin{array}{c}\begin{array}{ccc}{M}_{11}& {ϵ}_{12}& \begin{array}{cc}{ϵ}_{13}& {ϵ}_{14}\end{array}\end{array}\\ \begin{array}{c}\begin{array}{ccc}{ϵ}_{21}& M_{22}& \begin{array}{cc}{ϵ}_{23}& {ϵ}_{24}\end{array}\end{array}\\ \begin{array}{ccc}{ϵ}_{31}& {ϵ}_{32}& \begin{array}{cc}{M}_{33}& {ϵ}_{34}\end{array}\end{array}\\ \begin{array}{ccc}{ϵ}_{41}& {ϵ}_{42}& \begin{array}{cc}{ϵ}_{43}& M_{44}\end{array}\end{array}\end{array}\end{array}\right]$$

(4)

with $M_{11}=(2^N-{ϵ}_{12}-{ϵ}_{13}-{ϵ}_{14})$, $M_{22}=(2^N-{ϵ}_{21}-{ϵ}_{23}-{ϵ}_{24})$, $M_{33}=(2^N-{ϵ}_{31}-{ϵ}_{32}-{ϵ}_{34})$, and $M_{44}=(2^N-{ϵ}_{41}-{ϵ}_{42}-{ϵ}_{43})$.

$XP\left(n\right)$, $XS\left(n\right)$, $XL\left(n\right)$, and $XT\left(n\right)$ are denoted as the maps’ output values at instant n of the PWLCM, skew tent, logistic, and 3-D Chebyshev maps, respectively, and defined as follows:

The first sample is given by:

$$XP\left(1\right)=PWLCM\left\{\mathrm{mod}\left(XP\left(0\right),2^N\right),P_p\right\}$$

(5)

$$XS\left(1\right)=SkewT\left\{\mathrm{mod}\left(XS\left(0\right),2^N\right),P_s\right\}$$

(6)

$$XL\left(1\right)=Logistic\left\{\mathrm{mod}\left(XL\left(0\right),2^N\right)\right\}$$

(7)

$$XT\left(1\right)=3DCh\left\{\mathrm{mod}\left(XT\left(0\right),2^N\right)\right\}$$

(8)

Then, for $2\le n\le N_s$, the samples are calculated by ($N_s$: the number of the desired samples):

$$XP\left(n\right)=PWLCM\left\{\mathrm{mod}\left(XPC(n-1),2^N\right),P_p\right\}$$

(9)

$$XS\left(n\right)=SkewT\left\{\mathrm{mod}\left(XSC(n-1),2^N\right),P_s\right\}$$

(10)

$$XL\left(n\right)=Logistic\left\{\mathrm{mod}\left(XLC(n-1),2^N\right)\right\}$$

(11)

$$\left\{\begin{array}{c}XT\left(n\right)=3DCh\left\{\mathrm{mod}\left(XTIC\left(n-1\right),2^N\right)\right\}\hfill \\ \\ XTI\left(n\right)=XT\left(n\right)\oplus Q\left(n\right)\hfill \end{array}\right.$$

(12)

The discrete equations of PWLCM, skew tent, logistic, and 3-D Chebyshev maps are reported in the literature [35,36,37,38].

The size of the secret key of the proposed PRNG-SC is:

$$\left|K\right|=\left|XP0\right|+\left|XS0\right|+\left|XL0\right|+\left|XT0\right|+\left|Q0\right|+\left|P_p\right|+\left|P_s\right|+\left|T_r\right|+(9\times \left|{\epsilon }_{ij}\right|)=278bits$$

(13)

where $\left|XP0\right|=\left|XS0\right|=\left|XL0\right|=\left|XT0\right|=\left|Q0\right|=\left|P_s\right|=32bits$, $\left|P_p\right|=31bits$, $\left|T_r\right|=10bits$, and $\left|{\epsilon }_{ij}\right|=5bits$.

Therefore, the keyspace contains $2^{278}$ different values, which is large enough to make brute-force attacks infeasible.

2.2. Circular Substitution Process Based on the S-Box and Their Inverse Processes

In the following, we first describe the construction process of the S-box, then we give the equation of the circular substitution process based on this S-box. Recall that the S-box is generally the only component of a cryptosystem that gives rise to a nonlinear mapping between inputs and outputs. Its main role is to make the cryptosystem immune against differential and linear cryptanalysis, so the security of the cryptosystem is strongly increased.

2.2.1. S-Box Construction

Mathematically, an $n\times n$ S-box is a nonlinear mapping $S:{\left\{0,1\right\}}^n\to {\left\{0,1\right\}}^n$, where ${\left\{0,1\right\}}^n$ represents the vector spaces of elements from GF (2). Since the key-dependent S-boxes do not offer any specific properties to the attackers, then, they are more secure than fixed S-boxes. Therefore, many methods have been proposed to design and create key-dependent S-boxes in conventional cryptography, such as SEAL [39], which used a Secure Hash Algorithm (SHA) and especially in chaos-based cryptography [40,41,42,43,44,45,46]. All of these later methods are based on iterating discrete chaotic maps to generate a 1-D table of size 256, containing unique chaotic values belonging to 0 and 255. The proposed S-box is based on our PRNG-CS and uses the approach of Çavuşoğlu et al. [42].

The block diagram of the $8\times 8$ S-box design algorithm is given in Figure 4.

The design steps of the S-box generation algorithm are as follows:

• Specify a one-dimensional empty array called 1-D S-box $S\left[\right]$.
• The eight-bit V-value is obtained from the PRNG-CS output sequence $X\left(n\right)$.
• Check for the existence of the last obtained V-value in the content of the 1-D S-box $S\left[\right]$.
• If this value exists, it is rejected. Otherwise, it is added to the S-box 1-D $S\left[\right]$.
• Afterward, new 8-bit values are generated and the whole process is repeated until all 256 values are completed in the form of a sequence $S\left[t\right]=\left\{S\left[0\right],\dots ,S\left[255\right]\right\}$, where each value $\in \left[0,255\right]$ is unique to others in it, so the constructed $8\times 8$ S-box is obviously bijective (by construction).

The number n of needed samples to construct the S-box is the size of the dynamic key $K_c$: $\left|K_c\right|=n\times 32$-bit.

In

Table 2. An example of an S-box is obtained by the proposed algorithm.

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	2E	3E	5D	03	7C	B7	AD	9B	E0	62	67	50	95	BC	24	83
1	A6	CB	DD	F5	BE	39	9A	C3	2C	64	EA	EC	05	3B	26	2A
2	F8	B4	D0	C5	30	FD	E6	69	70	74	7A	77	F7	1A	E5	DF
3	15	7F	8B	32	51	F1	C9	93	40	5C	48	8E	2F	65	E2	CC
4	FB	D8	BD	04	C7	0B	E1	06	90	B6	A1	EF	14	2B	D5	82
5	4B	D1	B8	59	92	E3	CD	B9	38	1F	71	73	EE	F9	46	45
6	C0	A8	00	6E	9C	6A	9F	A9	78	6F	87	5E	D9	BA	47	42
7	68	DA	F0	53	58	31	D3	36	34	20	33	8D	D4	8C	4C	3D
8	1D	4E	61	E9	5A	5F	4D	6B	AA	C4	91	3F	4A	1E	02	0F
9	09	72	88	CA	F2	85	99	9D	FF	CF	B2	2D	52	23	E4	3C
A	C8	EB	AF	81	1C	FE	9E	B5	7B	55	ED	07	41	89	94	7E
B	12	11	D7	49	AB	4F	21	DE	0C	D6	17	BF	56	6D	F3	01
C	1B	A5	3A	8A	27	E7	8F	0E	A3	75	BB	84	76	CE	25	B1
D	FA	DB	18	B0	A0	C1	44	54	A7	28	43	13	22	A2	35	FC
E	C6	C2	66	63	AC	A4	7D	F6	96	29	10	86	16	D2	37	6C
F	79	08	97	E8	DC	0A	19	0D	B3	98	80	AE	F4	57	5B	60

, we give an example of an S-box obtained by our proposed algorithm, presented in its usual form, a $16\times 16$ matrix of byte values in hexadecimal presentation.

2.2.2. Circular Substitution Equation Based on the Constructed S-Box

Once the S-box is constructed, then it is used to perform the substitution operation. Unlike the circular substitution used by Zhang et al. [28], which was performed in ECB mode on the entire plain image, we achieved here the circular substitution in CBC mode on blocks of size 1024 pixels each. The advantages of proceeding in CBC mode are, on the one hand, because it is a secure mode (ECB mode is not secure), and on the other hand, the encryption/decryption processes are carried out on blocks that can be stored and computed on IoT devices which are constrained resource in terms of computing capabilities, and also energy and memory capacities. In addition, in ECB mode, the decryption process requires receiving the entire ciphered image before decrypting it.

To start the substitution process, the input plain image is split into $b_l$ blocks $p_l$, each of size $\left|p_l\right|=1024$ pixels (32 × 32 bytes). Notice that the elements of the S-box are considered to be circular (the last element followed the first element) with a head pointer h initialized to a constant (or a random) value in the range of 0 to 255. Each pixel $p_l\left(k\right)$ of a given block l is substituted by an element of the S-box, $s_l\left(k\right)$, according to the pixel value $p_l\left(k\right)$, the previous substituted pixel $q_{l-1}\left(k\right)$, and the pointer h (see Equations (14)–(16)). After a pixel is substituted, the value of the pointer h is adapted to a new value using the second row of Equation (14), where $m_h\in \left[0,255\right]$ is a random value.

$$\left\{\begin{array}{c}{s}_l\left(k\right)={S[y}_l\left(k\right)+h]mod256\hfill \\ \\ h=s_l\left(k\right)\oplus m_h\hfill \end{array}\right.$$

(14)

where

$$y_l\left(k\right)=p_l\left(k\right)+q_{l-1}\left(k\right)$$

(15)

$$q_{l-1}\left(k\right)=\left\{\begin{array}{cc}ivb\hfill & ifl=0\hfill \\ \\ c_{l-1}\left(k\right)\hfill & ifl>0\hfill \end{array}\right.$$

(16)

where $c_{l-1}\left(k\right)$ is the previous ciphered pixel obtained after the horizontal and vertical addition diffusion of the block ${sp}_{l-1}$, which is the permuted of the substituted block $s_{l-1}$, $k=1,2,\dots ,\left|p_l\right|$$l=1,2,\dots ,b_l$

$b_l=\left(imagesize/blocksize\right)=\left(R\times C\times P/\left|p_l\right|\right)$ (R: number of rows, C: number of columns, and P: number of planes ($P=1$ for a grayscale image and $P=3$ for an RGB image).

From Equations (14)–(16), we can observe that all the same pixel values of the plain image are substituted by different values, and then the security is strengthened against cryptographic attacks. In addition, there is an intrinsic diffusion effect in each substituted block.

2.2.3. Inverse Substitution Process

The reverse substitution operation is carried out by first, the construction of the inverse S-box, $IS$, which is derived from the S-box $S\left(t\right)$ by a simple operation satisfying the following equation:

$$IS\left[S\left(t\right)\right]=t$$

(17)

used during the inverse substitution process, then, performing the inverse substitution itself using the following formula to recover each plain pixel $p_l\left(k\right)$:

$$\left\{\begin{array}{c}{p}_l\left(k\right)={\left(IS\right[s}_l\left(k\right)]+256-h)mod256\hfill \\ \\ h=s_l\left(k\right)\oplus m_h\hfill \end{array}\right.$$

(18)

2.3. Diffusion Process and Its Inverse

A permutation layer based on a modified 2-D cat map followed by a horizontal addition diffusion (HAD) and a vertical addition diffusion (VAD) is used to achieve the diffusion process of the proposed cryptosystem (VAD).

2.3.1. Permutation Layer Based on the Modified 2-D Cat Map and Its Reverse

To permute a substituted block $s_l\left(k\right)$, utilizing the improved 2-D cat map, we transform it to a matrix form $s_l\left(i,j\right)$ such that [24]:

$$s_l\left(i,j\right)=s_l\left(k\right),k=\left(i-1\right)\times M+j;i=1,\dots M;j=1,\dots M$$

(19)

The equation of the modified 2-D cat map [47] and its optimized implementation [24] are given below:

$$\left[\begin{array}{c}{i}_n\hfill \\ \\ j_n\hfill \end{array}\right]=Mod\left(\left[\begin{array}{cc}1\hfill & u_d\hfill \\ \\ v_d\hfill & \left(1+u_d{v}_d\right)\hfill \end{array}\right]\left[\begin{array}{c}i\hfill \\ \\ j\hfill \end{array}\right]+\left[\begin{array}{c}{r}_{id}+r_{jd}\hfill \\ \\ r_{jd}\hfill \end{array}\right],\left[\begin{array}{c}M\hfill \\ \\ M\hfill \end{array}\right]\right)$$

(20)

$$\left\{\begin{array}{c}{i}_n=Mod\left(\left(i+u_d\times j+Z_1\right),M\right)\hfill \\ \\ j_n=Mod\left(\left(Z_3+Z_2\times j\right),M\right)\hfill \end{array}\right.$$

(21)

with $Z_1=r_{id}+r_{jd}$, $Z_2=u_d\times v_d+1$, and $Z_3=v_d\times i+r_{jd}$.

The values of $Z_1$ and $Z_2$ are calculated once per round and the value of $Z_3$ is calculated M times per round $(withM=\sqrt{\left|p_l\right|}=32=2^q-1)$.

The 2-D cat map is bijective since each permuted element’s ($i_n$, $j_n$) position is unique. Despite it being reversible, the modulo operation on the cat map prevents it from being an invertible function. Thus, the same following relation can be used to perform the permutation and the reverse permutation:

$${sp}_l\left(i_n,j_n\right)=s_l\left(i,j\right),i=1,\dots M,j=1,\dots M$$

(22)

The dynamic key $Kd$ is formed by four elements $Kd=\left\{u_d,v_d,r_{id},r_{jd}\right\},each\in \left[1,M-1\right]$ and it is fed by the PRNG-CS. The size $Kd$ is $\left|Kd\right|=4\times q=20$-bit.

2.3.2. Horizontal and Vertical Addition Diffusion HAD and VAD and Their Inverses

The operations of horizontal and vertical addition diffusion [26] on a given permuted block ${sp}_l\left(i,j\right)$ are described by the following mathematical model, and shown in Figure 5:

$${sph}_l\left(i,j\right)=HAD\left[{sp}_l\left(i,j\right)\right]=\left\{\begin{array}{cc}{sp}_l\left(i,j\right)+{sp}_l\left(i,j-1\right)mod256\hfill & for1\le i\le Mand1<j\le M\hfill \\ \\ {sp}_l\left(i,j\right)+{sp}_l\left(i-1,M\right)mod256\hfill & for1<i\le Mandj=1\hfill \\ \\ {sp}_l\left(i,j\right)+{sp}_l\left(M,M\right)mod256\hfill & fori=j=1\hfill \end{array}\right.$$

(23)

$$c_l\left(i,j\right)=VAD\left[{sph}_l\left(i,j\right)\right]=\left\{\begin{array}{cc}{sph}_l\left(i,j\right)+{sph}_l\left(i-1,j\right)mod256\hfill & for1<i\le Mand1\le j\le M\hfill \\ \\ {sph}_l\left(i,j\right)+{sph}_l\left(M,j-1\right)mod256\hfill & fori=1and1<j\le M\hfill \\ \\ {sph}_l\left(i,j\right)+{sph}_l\left(M,M\right)mod256\hfill & fori=j=1\hfill \end{array}\right.$$

(24)

The inverse relations of the vertical and horizontal addition diffusion are given by:

$${sph}_l\left(i,j\right)=InvVAD\left[c_l\left(i,j\right)\right]=\left\{\begin{array}{cc}{c}_l\left(i,j\right)-c_l\left(i-1,j\right)mod256\hfill & for1<i\le Mand1\le j\le M\hfill \\ \\ c_l\left(i,j\right)-c_l\left(M,j-1\right)mod256\hfill & fori=1and1<j\le M\hfill \\ \\ c_l\left(i,j\right)-c_l\left(M,M\right)mod256\hfill & fori=j=1\hfill \end{array}\right.$$

(25)

$${sp}_l\left(i,j\right)=InvHAD\left[{sph}_l\left(i,j\right)\right]=\left\{\begin{array}{cc}{sph}_l\left(i,j\right)-{sph}_l\left(i,j-1\right)mod256\hfill & for1\le i\le Mand1<j\le M\hfill \\ \\ {sph}_l\left(i,j\right)-{sph}_l\left(i-1,M\right)mod256\hfill & for1<i\le Mandj=1andj=1\hfill \\ \\ {sph}_l\left(i,j\right)-{sph}_l\left(M,M\right)mod256\hfill & fori=j=1\hfill \end{array}\right.$$

(26)

Finally, we summarize in Algorithms 1 and 2, the full operation of encryption and decryption process of the proposed chaos-based cryptosystem, respectively.

Algorithm 1 Encryption process.

Algorithm 2 Decryption process.

3. Experiments Results and Security Analysis

Hereafter, we evaluate the proposed chaos-based cryptosystem’s performance. First, we estimate the number $r$ of rounds required to have a secure system, then we assess the performance of the proposed chaotic generator, histogram chi-square, NIST tests on the generated sequences, and finally, we examine the security of the cryptosystem up against the usual cryptographic attacks.

All the simulations were implemented using MATLAB (R2016b) on a PC with a 2.5 GHz processor Intel Core i5-7300HQ CPU, 16 GB RAM, under Windows 10 Professional, and a 64-bit operating system.

3.1. Estimation of the Number of Rounds Required

In this section, we provide the number r of rounds that was used in the chaos-based cryptosystem implementation. For this, we determined the average Hamming distance (HD) between two ciphered images $C_1$, using 100 secret keys, and $C_2$ using the same secret keys, each with a different LSB-bit. This test was applied to 10 different plain images. The $HD(C_1,C_2)$ was defined by the following equation:

$$HD\left(C_1,C_2\right)=\frac{1}{Nb}\sum _{i=1}^{Nb}\left(C_1\left(i\right)\oplus C_2\left(i\right)\right)$$

(27)

where $Nb$ was the number of bits in an ciphered image. In

Table 3. HD versus the round times in the encryption process.

Image	Size	HD (%)
		$\mathit{r}=\mathbf{1}$	$\mathit{r}=\mathbf{2}$	$\mathit{r}=\mathbf{3}$
Airplane	512 × 512 × 3	50.0010	49.9974	49.9998
Black	256 × 256 × 1	50.0027	50.0050	49.9977
Bridge	512 × 512 × 1	50.0039	49.9962	50.0021
Cameraman	256 × 256 × 1	49.9936	50.0018	50.0000
Flowers	256 × 256 × 3	49.9993	50.0034	49.9955
Goldhill	512 × 512 × 3	49.9999	49.9988	49.9996
Kiel	512 × 512 × 1	50.0010	49.9989	50.0036
Lena	512 × 512 × 3	50.0001	49.9997	49.9972
Sailboat	512 × 512 × 3	49.9961	50.0050	50.0000
White	256 × 256 × 1	50.0107	49.9948	50.0009

, a list of the Hamming distance outcomes for $r=1,2,$ and 3 is provided.

It is noteworthy from Table 3 that for $r\ge 1$, the HDs for the various plain images encrypted by the proposed encryption algorithm were close to the optimal value of $50\%$. Therefore, for all subsequent tests, we used $r=1$.

This result was also confirmed by the plaintext sensitivity test carried out in Section 3.3.3.

3.2. Performance Analysis of the Proposed PRNG-CS

We give below the performance obtained by the proposed chaotic generator.

3.2.1. Histogram and Chi-Square Test

A histogram describes the distribution of numerical data in the form of a graph. It forms an estimation of the probability distribution of a random or pseudorandom variable.

The distribution uniformity of the generated sequences was examined. A uniform distribution over the whole phase space must be provided by the proposed PRNG-CS. Figure 6 shows an example of a histogram of a produced sequence, formed by 3,125,100 samples, in which the first 100 samples were not used (the transient regime).

Visually, we observe that the generated sequence is nearly uniformly distributed.

Then, to assert the uniformity of this sequence, we applied the chi-square test. The experimental chi-square ${\chi }^2$ value was given by:

$${\chi }_{exp}^2=\sum _{i=0}^{N_c-1}\frac{{\left(O_i-E_i\right)}^2}{E_i}$$

(28)

where $N_c=1000$, $O_i$, and $E_i=Ns/Nc$ are the number of classes, the number of calculated samples in the ith class $E_i$, and the anticipated number of samples of a uniform distribution.

Table 4. Chi-square results on the tested histograms.

Chi-Square Test	PRNG-CS
${\chi }_{ex}^2$	967.700
${\chi }_{th}^2$ (1000, 0.05)	1073.642

shows the experimental and theoretical values for the chi-square values obtained. The theoretical value of the chi-square was greater than the obtained experimental one, which proved that the sequence generated by the proposed PRNG-CS was uniform.

Note that this test was repeated on one hundred various sequences, each was generated using a different secret key. All the sequences passed the chi-square test.

3.2.2. NIST

The NIST Test Suite [48] is a statistical package consisting of 15 tests that were developed to test the randomness of binary sequences produced by PRNGs. Some tests are decomposable into a variety of subtests. To determine the result of each test, a p-value is computed. A p-value $\ge 0.01$ means that the sequence is considered to be random with a confidence of $99\%$. A p-value $\le 0.01$ means that the sequence is nonrandom with a confidence of $99\%$.

To carry out the NIST test, we produced 100 different sequences of 3,125,100 32-bit samples each, using 100 random secret keys. Only 3,125,000 samples per sequence (i.e., ${10}^8$ bits) were used (the first 100 samples for each sequence, corresponding to the transient regime, were not useful for the various robustness tests).

We give in

Table 5. P-values and proportion results of NIST tests.

Test	p-Value	Proportion (%)
Frequency test	0.494	98.000
Block-frequency test	0.514	99.000
Cumulative sums test	0.504	98.000
Runs test	0.494	99.000
Longest-run test	0.262	97.000
Rank test	0.868	99.000
FFT test	0.384	99.000
Nonperiodic templates	0.482	99.061
Overlapping templates	0.596	98.000
Universal	0.946	99.000
Approximate entropy	0.419	100.000
Random excursions	0.439	98.214
Random excursion variant	0.488	98.651
Serial test	0.415	100.000
Linear complexity	0.817	97.000

the p-values obtained for the 15 tests by the proposed PRNG-SC. All p-values were distinctly larger than the critical value 0.01, which proved the high degree of randomness of the generated sequences. Therefore, from the statistical results obtained previously, we could confirm that the proposed PRNG-CS was robust against statistical attacks.

3.3. Security Analysis of the Proposed Chaos-Based Cryptosystem

In this section, we first give the performance of the proposed S-box, then we evaluate the security of the proposed chaotic encryption system regarding statistical attacks and a cryptanalytic analysis. Eventually, we estimate the computing performance.

3.3.1. Performance Analysis of the Proposed Key-Dependent S-Box

A strong S-box should have some important properties, based on an information theory analysis. The main properties, besides the bijectivity, are nonlinearity, strict avalanche criterion (SAC), output bits independence criterion (BIC), equiprobable input/output XOR distribution, differential approximation probability (DP), and linear approximation probability (LP). To demonstrate the performance of the proposed S-box, we quantified these properties and compared the results obtained with those obtained from several S-boxes in the literature.

From

Table 6. Performance comparison of different S-boxes.

S-Box	Nonlinearity			SAC			BIC-SAC	BIC Nonlinearity	DP	LP
	Min	Avg	Max	Min	Avg	Max
Proposed S-box	102	104	108	0.4375	0.4948	0.5625	0.4991	103.4286	10	0.1094
Çavuşoğlu et al. [42]	104	106	110	0.4218	0.5039	0.5937	0.5058	103.40	10	0.1406
Lambić et al. [43]	106	106.75	108	-	0.5034	-	0.5014	103.78	10	0.1328
Ahmed et al. [44]	106	107.5	108	-	0.4943	-	0.4982	104.35	10	0.1250
Lai et al. [49]	104	105	110	0.3906	0.5014	0.5937	0.5028	102.75	10	0.1250
Al Solami et al. [50]	106	108.5	110	-	0.5017	-	0.5026	104	10	0.1094

, we can observe that the constructed S-box met all the requirements of a robust S-box and the performance obtained were close to those obtained by [42,43,44,49,50].

You can see from Table 2 that the constructed S-box had all the different output values of the interval $[0,255]$, so it satisfied the requirement of bijectivity.

By comparing the properties of our S-box with other S-boxes, we can claim that the proposed chaos-based S-box was better than others in some measures. Therefore, the proposed S-box was suitable for use in the proposed encryption scheme.

3.3.2. Statistical Analysis

To prove the robustness of the proposed chaos-based cryptosystem against statistical attacks, we performed the following experiments on various plain images: histogram, chi-square test, correlation, and entropy analysis.

Histograms of encrypted images

The ciphered image must have a uniform distribution and this is a basic condition for any cryptosystem to be strong against statistical attacks. We encrypted 10 color and gray plain images with varying features and sizes and then we deducted the histograms of the plain images and corresponding ciphered images. The obtained results are given in Figure 7, Figure 8, Figure 9, Figure 10, Figure 11, Figure 12, Figure 13, Figure 14, Figure 15 and Figure 16, and on each figure, we show: (a) the plain image, (b) the histogram of the plain image, (c) the corresponding ciphered image, and (d) the histogram of the ciphered image.

Note that visually the histograms of the encrypted images appeared to have a uniform distribution and were very different from those of the single images. Therefore, no visual information could be detected from the encrypted images by the proposed chaos-based cryptosystem.

To check the uniformity of the histogram, we applied the chi-square test (using Equation (28)) to statistically confirm it. However, here, $N_c$ was the number of values (256), $O_i$ were the detected occurrence frequencies of each color value $\in \left[0,255\right]$ in the histogram of the encrypted image, and $E_i$ was the anticipated occurrence frequency of the uniform distribution, provided by $E_i=\left(L\times C\times P\right)/N_c.$ The distribution of the tested histogram was uniform if it met the following condition: ${\chi }_{exp}^2<{\chi }_{th}^2\left(N_c-1,\alpha \right)=293.2478$ (for $N_c=256$ and $\alpha =0.05$) [12].

In

Table 7. Chi-square test.

Image	Size	Chi-Square Test
Airplane	512 × 512 × 3	256.7715
Black	256 × 256 × 1	234.0391
Bridge	512 × 512 × 1	256.6113
Cameraman	256 × 256 × 1	275.5625
Flowers	256 × 256 × 3	236.6458
Goldhill	512 × 512 × 3	239.6576
Kiel	512 × 512 × 1	243.4629
Lena	512 × 512 × 3	249.1270
Sailboat	512 × 512 × 3	242.1380
White	256 × 256 × 1	273.6641

, we reported the experimental values of the chi-square test for the 10 ciphered images. The values of the experimental chi-square obtained confirmed the uniformity of the histograms of the tested encrypted images.

Correlation Analysis

Another key property of a secure cryptosystem is that the correlation of the encrypted image should be close to zero and very different from the correlation of the plain image, which is generally close to one. To measure this property, $N=8000$ pairs of two adjacent pixels in the horizontal (HC), vertical (VC), and diagonal (DC) directions from the original and the ciphered images were randomly selected. Then, the correlation coefficients were calculated using the following equation:

$${\rho }_{xy}=\frac{cov(x,y)}{\sqrt{D\left(x\right)}\sqrt{D\left(y\right)}}$$

(29)

with:

$$cov\left(x,y\right)=\frac{1}{N}\sum _{i=1}^N\left(\left[x_i-E\left(x\right)\right]\left[y_i-E\left(y\right)\right]\right)$$

(30)

$$E\left(x\right)=\frac{1}{N}\sum _{i=1}^N{x}_i$$

(31)

$$D\left(x\right)=\frac{1}{N}\sum _{i=1}^N{\left(x_i-E\left(x\right)\right)}^2$$

(32)

Furthermore, x and y were the gray-level values of two adjacent pixels in the image.

In

Table 8. The correlation coefficient of 8000 pairs of two adjacent pixels of the plain and ciphered images.

Image	Size		Plain Image			Encrypted Image
			HC	VC	DC	HC	VC	DC
Airplane	512 × 512 × 3	R	0.97191	0.96051	0.93848	0.00006	−0.00153	0.00024
		G	0.95150	0.96915	0.92863	−0.00154	−0.00041	−0.00098
		B	0.96226	0.94538	0.92419	−0.00033	−0.00056	−0.00004
Black	256 × 256 × 1		-	-	-	−0.00167	−0.00044	−0.00074
Bridge	512 × 512 × 1		0.93981	0.92720	0.89716	−0.00130	0.00172	0.00084
Cameraman	256 × 256 × 1		0.92013	0.95496	0.89590	0.00110	0.00193	0.00028
Flowers	256 × 256 × 3	R	0.95049	0.96800	0.93340	0.00197	−0.00128	0.00153
		G	0.91532	0.94200	0.88863	−0.00082	−0.00019	0.00071
		B	0.92085	0.94834	0.89510	−0.00092	0.00009	0.00182
Goldhill	512 × 512 × 3	R	0.97767	0.97649	0.95975	0.00039	0.00052	−0.00058
		G	0.98180	0.98496	0.96998	−0.00047	0.00028	0.00148
		B	0.98453	0.98641	0.97339	−0.00140	0.00084	−0.00024
Kiel	512 × 512 × 1		0.90591	0.82571	0.78020	0.00168	−0.00127	−0.00044
Lena	512 × 512 × 3	R	0.97529	0.98540	0.96464	0.00055	−0.00041	0.00001
		G	0.96666	0.98011	0.95321	−0.00162	0.00049	−0.00023
		B	0.93357	0.95552	0.91819	0.00077	−0.00006	0.00042
Sailboat	512 × 512 × 3	R	0.95595	0.95302	0.94030	−0.00041	0.00070	−0.00001
		G	0.97088	0.96404	0.95027	−0.00096	0.00038	−0.00015
		B	0.97054	0.96872	0.95208	−0.00164	0.00048	−0.00018
White	256 × 256 × 1		-	-	-	−0.00165	0.00025	0.00036

, we give the mean correlation coefficient value based on 10 images ciphered by 100 different secret keys. From this table, the correlation coefficients in all directions of the plain images were close to one, indicating that the pixels were highly correlated, while those of encrypted images were near to zero, which proved that there was no correlation between the plain and ciphered images.

These results can be observed visually in Figure 17, in which we show the correlation of adjacent pixels of the Goldhill (512 × 512 × 3) and encrypted Goldhill images in the three directions: horizontal, vertical, and diagonal, respectively.

Entropy Analysis

The random behavior of the encrypted image can also be evaluated using the entropy information defined by:

$$H\left(C\right)=\sum _{i=0}^{N_c-1}P\left(c_i\right)\times {log}_2\frac{1}{P\left(c_i\right)}$$

(33)

where $H\left(C\right)$ is the entropy of the encrypted image C, $P\left(c_i\right)$ is the occurrence value of each level ($i=0,1,2,...,255$). In the condition of equal probability levels $(P\left(c_i\right)=2^{-8}$), the entropy is maximum, $H\left(C\right)=8$.

We show in

Table 9. Entropy test results.

Image	Size	Plain	Encrypted
Airplane	512 × 512 × 3	6.6639	7.9997
Black	256 × 256 × 1	0.0000	7.9974
Bridge	512 × 512 × 1	5.7056	7.9992
Cameraman	256 × 256 × 1	6.9046	7.9977
Flowers	256 × 256 × 3	7.5434	7.9991
Goldhill	512 × 512 × 3	7.6220	7.9997
Kiel	512 × 512 × 1	6.9589	7.9994
Lena	512 × 512 × 3	5.6822	7.9998
Sailboat	512 × 512 × 3	7.7632	7.9998
White	256 × 256 × 1	0.0000	7.9968

the entropy test results of the original and encrypted images. It is clear that the results for the encrypted images were close to the optimal value. Based on these results, the proposed chaos-based cryptosystem had a high degree level of resilience.

Based on all of these results of the histogram, chi-square, correlation, and information entropy analysis, the proposed chaos-based cryptosystem was secure against statistical attacks.

3.3.3. Cryptanalytic Analysis

In the following part, we perform some habitual cryptanalytic analyses such as the key sensitivity and the plaintext sensitivity test.

Key Sensitivity

A secure encryption/decryption system should be very sensitive to the secret key, i.e., even a one-bit change in the secret key should produce a completely different encrypted image. The testing scenario of the key sensitivity was as follows: first, a plain-image I was encrypted using a secret key $K_1$ to obtain $C_1$, then the same plain-image $I$ was encrypted using a secret key $K_2$ different from $K_1$ by just a one bit LSB to obtain $C_2$. Three parameters, namely the number of pixels change rate (NPCR), the unified average changing intensity (UACI) [51], and the Hamming distance (see Equation (27)) were used to evaluate the key sensitivity and were defined as follows:

$$NPCR=\frac{1}{R\times C\times P}\sum _{i=1}^R\sum _{j=1}^C\sum _{p=1}^{P}D\left(i,j,p\right)\times 100\%$$

(34)

$$D\left(i,j,p\right)=\left\{\begin{array}{cc}0\hfill & if{C}_1\left(i,j,p\right)=C_2\left(i,j,p\right)\hfill \\ \\ 1\hfill & if{C}_1\left(i,j,p\right)\ne C_2\left(i,j,p\right)\hfill \end{array}\right.$$

(35)

$$UACI=\frac{1}{R\times C\times P\times 255}\sum _{i=1}^R\sum _{j=1}^C\sum _{p=1}^P\left|C_1-C_2\right|\times 100\%$$

(36)

In the above relation, i, j, and p were, respectively, the row, column, and plane indexes of the image. R, C, and P were its length, width, and plane sizes.

This test was repeated over 100 different secret keys.

Table 10. Average NPCR, UACI, and HD key sensitivity tests.

Image	Size	Key Sensitivity Test
		NPCR (%)	UACI (%)	HD (%)
Airplane	512 × 512 × 3	99.6065	33.4666	50.0052
Black	256 × 256 × 1	99.6099	33.4323	50.0094
Bridge	512 × 512 × 1	99.6098	33.5052	50.0019
Cameraman	256 × 256 × 1	99.5992	33.4234	49.9844
Flowers	256 × 256 × 3	99.6040	33.4772	49.9941
Goldhill	512 × 512 × 3	99.6069	33.4464	49.9942
Kiel	512 × 512 × 1	99.6042	33.4650	49.9976
Lena	512 × 512 × 3	99.6088	33.4664	49.9907
Sailboat	512 × 512 × 3	99.6077	33.4680	50.0090
White	256 × 256 × 1	99.6231	33.5524	50.0000

presents the average results obtained for the NPCR, UACI, and HD.

The resulting values obtained were near the optimal values of NPCR, UACI, and HD which were 99.6094%, 33.4635%, and 50%, respectively. Therefore, the proposed scheme was very sensitive to small changes in the secret key.

Plaintext sensitivity test

To resist known and chosen plaintext attacks, which are related to the differential attack, the cryptosystem must be sensitive to a single bit change in the plaintext. The plaintext sensitivity attack test case is almost identical to the key sensitivity attack. Indeed, after having encrypted a plain image, we chose 21-pixel positions [26] and we changed, in turn, their LSB bit, then we encrypted them and calculate the 21 HDs.

In Figure 18, we show for each position the HDs of the 10 test images (red dots) as well as their average values (green line). As we can see, for each position, the average HD was close to the optimal value of 50%. Furthermore, the maximum value of the HD was equal to 50.1602% and the minimum value was equal to 49.8039% which was close to the optimal value.

Moreover, in

Table 11. NPCR, UACI, and HD of the plaintext sensitivity test.

Image	Size	Plaintext Sensitivity
		NPCR (%)	UACI (%)	HD (%)
Airplane	512 × 512 × 3	99.6102	33.4659	49.9972
Black	256 × 256 × 1	99.6067	33.4840	50.0143
Bridge	512 × 512 × 1	99.6114	33.4960	50.0060
Cameraman	256 × 256 × 1	99.6068	33.4616	49.9907
Flowers	256 × 256 × 3	99.6016	33.4563	49.9954
Goldhill	512 × 512 × 3	99.6081	33.4460	50.0003
Kiel	512 × 512 × 1	99.6075	33.4658	49.9974
Lena	512 × 512 × 3	99.6092	33.4669	50.0028
Sailboat	512 × 512 × 3	99.6058	33.4837	50.0062
White	256 × 256 × 1	99.6008	33.5139	49.9981

, we give the average NPCR, UACI, and HD on 21 positions for each image. According to these results, the average values of the obtained NPCR, UACI, and HD were almost equal to their optimal value. These values proved that the proposed chaos-based cryptosystem was highly sensitive to small changes in the plaintext.

3.3.4. Robustness against Noise and Occlusion

Encrypted images transmitted may be affected by channel noise and data loss. In this paragraph, we study the resistance capacity of the proposed cryptosystem against noise and occlusion. We utilized salt and pepper noise and an occlusion attack [25].

We added salt and pepper noise with different intensities (0.01, 0.02, 0.05, and 0.1) to the encrypted Cameraman image (see Figure 10c), as shown in Figure 19a–d, respectively, and then we decrypted them. The recovered images are shown in Figure 19e–h, respectively. It can be seen that under limited noise, the decrypted images were always identified. Thus, our proposed decryption system had good robustness against noise attacks.

Another kind of attack is occlusion. To assess the robustness of the cryptosystem against such an attack, first, we occluded the Cameraman encrypted image (see Figure 10c) with different data loss sizes and positions: 1/16, 1/8, 1/4, and 1/2, as shown in Figure 20a–d, respectively, then, we decrypted and shown them in Figure 20e–h. We can observe that all the recovered images were recognized but their qualities decreased with the increase of the occlusion size. Therefore, the proposed cryptosystem had a high level of robustness against occlusion attacks.

3.3.5. The Speed Performance of the Proposed Chaos-Based Cryptosystem

Computing performance is an important issue for practical applications and largely depends on the programming languages used. The Matlab language is not a good candidate to achieve high computing performance compared to C language, VHDL description language, etc. However, with Matlab, we can design and realize cryptosystems faster than the other languages mentioned.

We evaluated the computational performance: average encryption time, average encryption throughput (ET), and average number of needed cycles per bytes (NCpB) of the proposed cryptosystem and we compared its performance (NCpB) with other cryptosystems designed in the Matlab language.

The ET and NCpB are given by the following equation:

$$ET=\frac{ImageSize\left(Bytes\right)}{AverageEncryptionTime\left(second\right)}$$

(37)

$$NCpB=\frac{CPUSpeed\left(Hertz\right)}{ET(Bytes/s)}$$

(38)

In

Table 12. The proposed encryption system’s computing performance.

Image	Size	Encryption Time (Milliseconds)	ET (Mbps)	NCpB (Cycles/Byte)
Cameraman	256 × 256 × 1	39.3	1.589	1501
Flowers	256 × 256 × 3	119.2	1.5726	1516
Kiel	512 × 512 × 1	163.9	1.5249	1564
Lena	512 × 512 × 3	602.3	1.2451	1915

, we give the computing performance obtained by the proposed encryption system using 100 different secret keys, for four plain images.

In

Table 13. Comparison of NCpBs from different encryption schemes.

Cryptosystem	NCpB
Proposed	1568
Qiao et al. [25]	77,386
Luo et al. [52]	95,368
Huang et al. [53]	15,642

, we compare the NCpB of our algorithm for the Lena image of size 512 × 512 × 1 with the NCpBs of other chaos-based encryption algorithms.

As Table 13 shows, the proposed encryption system had higher computational performance efficiency than the others.

4. Conclusions

This paper proposed a new secure chaos-based cryptosystem system for a block cipher in CBC mode and evaluated its performance. The proposed cryptosystem achieved high confusion diffusion effects thanks to a robust pseudorandom number generator of chaotic sequences, a strong circular substitution based on the proposed S-box, and a solid diffusion layer. The proposed PRNG-CS was formed by four discrete 1-D chaotic maps weakly coupled by a predefined coupling matrix M, to avoid the divide-and-conquer attack, and to increase the randomness of the sequences produced as well as their lengths. The diffusion layer was performed by a 2-D modified cat map and a horizontal addition diffusion (HAD) followed by a vertical addition diffusion (VAD). The experimental results and the security analysis demonstrated that the proposed cryptosystem could successfully resist various attacks known in the literature, such as statistical attacks, brute force attacks, noise attacks, and occlusion attacks, and therefore could be used to secure sensitive data. In a future study, we plan to address the hardware implementation of the system.