JPEG Images Encryption Scheme Using Elliptic Curves and A New S-Box Generated by Chaos

This paper proposes a new symmetric encryption system based on an elliptic curve and chaos, where the encryption is done in a single block and runs for 14 rounds. Here, the 15 encryption keys have the same size as the image and are generated using a solution point of a strong elliptic curve. Using a string of random numbers obtained with a logistic map, a permutation and its inverse are generated, which improve the encryption level and add diffusion to the cryptosystem. Another important contribution of this research is the generation of a substitution box with a non-linearity of 100, which strengthens the cryptosystem against differential and linear attacks and adds confusion to the scheme. Moreover, the cryptographic properties of the proposed S-Box are compared with those of the S-Box of the Advanced Encryption Standard (AES) to ascertain that it is a suitable alternative and that it is resistant to differential power analysis (DPA) attacks. To verify the robustness of the proposed cryptosystem against cryptanalysis and the quality of the ciphertext obtained, this system is subjected to different tests, such as entropy, correlation coefficient, $\chi^2$, Changing Pixel Rate (NPCR), and Unified Averaged Changing Intensity (UACI). The results are shown and compared with recently proposed systems.


Introduction
A large amount of sensitive information is transmitted through the internet, and such information can be easily accessed through public as well as private networks. The images, which represent an important amount of transmitted information, can be photographs, agreements, contracts, identification documents, account statements, or other kinds of scanned documents, with a high intrinsic value. Any person with a mobile device and an internet connection will be able to send images through the internet and store them in physical devices or in the cloud. The security and confidentiality of such information have led to the development of several efficient cryptographic systems.
In some practical applications, involving scientific and engineering fields such as astronomy or medicine, the use of images without compression and loss of information is commonly required. Among the image formats that meet these requirements, we have the Microsoft-designed Bitmap (BMP) format, which contains all the image information in a simple format operating in the spatial domain. It can be modified and easily edited because it can be debugged and viewed without special tools; besides that, it is used to display image files, including the color of each pixel, and although it was designed to be a Windows standard, it is currently supported by a variety of operating systems [1]. In several countries, such as Mexico, where this research was carried out, it is prohibited to lose information in documents with sensitive information that need to be encrypted [2]; the use of BMP or another lossless scheme is imperative when it is required to store digital documents. To encrypt the BMP images, reference [3] proposed an efficient cryptographic
Despite the efficient algorithms described above, several issues remain that must be improved. To this end, this paper proposes a cryptographic algorithm for improving the above-mentioned schemes, whose main contributions are summarized as follows:
(a) It uses elliptic curves with a constant $l$ equal to zero for the generation of the set of encryption keys.
(b) It proposes an algorithm to generate the elliptic curves, which are additionally required to comply with certain characteristics.
(c) It uses a chaotic logistic equation to generate permutations and a substitution box plus its inverse with a non-linearity level of 100.
(d) It implements a fingerprint for the receiver to identify if the received file corresponds to the one sent by the issuer.
(e) It encrypts the images in a single block, which allows obtaining an adequate encryption speed.
On the other hand, the cryptosystem was evaluated using several tests.
After analyzing the evaluation of the results reported in Section 5, it follows that the proposed structure is robust and capable of withstanding linear, differential, statistical, brute force, or modification attacks, as well as some of the better-known ones, such as the discrete logarithm and the MOV attacks.
The rest of this paper is organized as follows. In Section 2, the preliminaries of this research are stated. Section 3 describes how the encryption keys, the permutations, the substitution box, and the complete encryption algorithm are developed. Section 4 provides essential information such as the images that are encrypted, the explanation of every test necessary to demonstrate how robust our proposal is against cryptanalysis, and the results obtained. In Section 5, the analysis of the data obtained after applying all the tests is provided. Finally, Section 6 presents the conclusions of this research.

Preliminaries
This section provides a background and a detailed explanation about the two pillars on which this research is based: the elliptic curves and chaos.

Elliptic Curves in the Field of Cryptography
Elliptic curves have been used in many fields of science and engineering since their discovery. However, they were first introduced in the cryptography field in 1985 and 1987 by the mathematicians Victor S. Miller [15] and N. Koblitz [16]. An elliptic curve $E$ is a projective geometric shape that is defined in a field $F_p$ in which a set of solutions $\#E(F_p)$ is constructed that has two variables that satisfy the Weierstrass mathematical expression given by
$$y^2 \equiv x^3 + kx + l \bmod p.$$
This set of solutions is Abelian, in which it is possible to define the addition operation $(E, +)$. In $\#E(F_p)$, a cyclic subset is built, where $q$ is a prime factor that represents the number of elements (solutions) of this and the order of the elliptic curve. The prime factor $q$ is calculated as follows:
The element of the subset that generates all other solutions is known as the generator and is denoted with the Greek letter $\alpha$. The element $(q-1)\alpha$ is the additive inverse of $\alpha$; that is, it satisfies $(q-1)\alpha = (x_0, -y_0)$. So, $q\alpha$ is the null element, which is written as infinity $\infty$ [17]. As has already been established, with the addition, the other elements can be calculated, that is, $2\alpha$, $3\alpha$. To calculate their coordinates $(x, y)$, it is necessary to obtain the slope of the line, and there can be three cases, which are described below.
In this research, we use the elliptic curves that satisfy Equation (8), whose palpable difference with (1) is that the constant $l$ is equal to zero; thus, for practical reasons, it is omitted in the mathematical expression.
The elements $k$, $p$, $q$ are prime numbers; to ensure that they have this characteristic, it is necessary to apply a primality test such as Miller Rabin's [18]. To calculate $k$, Equation (9) is used in addition to complying with the characteristics described in Theorem 1 [19], which is also useful to explain how $\#E(F_p)$ is calculated.
Theorem 1. Let $p = a^2 + b^2$ and $p \equiv 1 \bmod 4$, where $p$ is a prime number, $a$ a positive odd integer, $b$ a positive even integer, and $\#E(F_p)$ the number of solutions of the elliptic curve shown in (8).
Then, the number of solutions is $\#E(F_p) = p + 1 + 2a$, provided that $k$ is not the fourth power modulo $p$ of any element of the field $F_p$; however, $k$ must be the square of some element of the field $F_p$ [19].
In addition to having this expression, they must meet four requirements:
a. Being Non-Singular [17]. This happens when an elliptic curve meets the condition:
b. To be Non-Supersingular [17]. Non-Supersingular elliptic curves resist the attack designed by Menezes, Okamoto, and Vanstone [20]. They fulfill the following condition: $q \bmod p \neq 1$.
c. Not be an Elliptic Curve of Trace One [17]. The elliptic curves of Trace One are weak. If they do not belong to this type, they must satisfy that $p \neq q$.
d. The size of $q$ is at least $2^{160}$ bits [17]. With this characteristic, it is impossible to solve the discrete logarithm problem, that is, finding $m$ with $Q = mP$ when $P$ and $Q$ are known [6]. Even though the Pohlig-Hellman algorithm can solve this problem [21], it requires a high computational cost and exponential processing time.

Logistic Map
The Australian mathematician Robert May [18] proposed a logistic map to explain the abnormal behavior in the growth of populations; however, in the field of Cryptography, it is very useful to generate strings of pseudo-random numbers. This equation is obtained from the discrete expression shown in Equation (10), where e, f > 0.
After this, the variable $P$ takes discrete values in time such that $P(t_0), P(t_1), P(t_2), \ldots, P(t_n)$. Afterward, Euler's Algorithm is applied so that the result obtained is shown in Equation (11) [23].
The next step is to rewrite the equation as shown in Equation (12), where $s = 1 + eh$ and $t = fh$.
$$P_{n+1} = sP_n - tP_n^2. \quad (12)$$
Lastly, the iterative equation shown in Equation (13) is obtained, where $0 < x_n < 1$ and $0 < s < 4$ [24]. Two behaviors can be observed when iterating the logistic equation after 1000 cycles: a limit with a tendency to infinity ($x_\infty = \lim_{n \to \infty} x_n$), in which case it is stated that chaos occurs, or stabilization of the digits at the right of the decimal point, which implies that chaos does not take place, since there is a pattern to follow. Both are exemplified in Table 1. This logistic equation has three main characteristics:
a. It is deterministic; if the initial parameters are the same, the same string will be obtained.
b. It is highly sensitive to changes, as seen in Table 1; by varying one of the parameters a little, the chain obtained is different.
c. The output string is impossible to predict, since it is not the result of any algebraic equation with rational coefficients, unless the input parameters are known beforehand, in which case it might be found.

Development
In this section, we provide a complete description of how the proposed cryptosystem is developed. Firstly, the algorithm used to generate the round keys is explained, which is followed by the way to get permutations and the proposed S-Box, and finally, all the previous pieces are joined to explain the complete encryption scheme.

Encryption Keys
The security of any cryptosystem relies on the encryption key; anyone with access to it will be able to decrypt the information sent. In this study, a private key cryptosystem (also called symmetric) is proposed in which the main key is private; that is, it will be exclusively known to the sender and receiver. From this one and using a key schedule, all the round keys are generated. In this type of scheme, the set of encryption keys is the same for the encryption and the decryption process, but to decrypt, they are employed strictly in reverse order.
The proposed symmetric cryptosystem generates the main key K from a point of an elliptic curve that meets the characteristics described in section II and that must be known to all the people involved in the secure communication scheme. In total, 15 round keys are required.
To begin with, the sender and the receiver will choose an integer $r$, which is the private key, and which will refer to a solution point of an elliptic curve; also, it will have to fulfill $1 < r < p - 1$, and its size in the binary expression must be equal to 256 bits. From $r$, a new subset solution will be constructed, that is, $r\alpha = (x_0, y_0) \therefore \alpha = (x_0, y_0)$. Starting from $\alpha$, all the coordinates $x, y$ of every point will be concatenated to get a string of the same size as the input image ($m \times n$); if its length is exceeded, it will be adjusted by suppressing the surplus bits. For example, if the input image has the dimensions 512 × 512, that is, 262,144 pixels, the length of the array $K$ must be 262,144 bits after any adaptation.
Once $K$ has been obtained, the procedure to obtain the first round key $k_1$ will be to permute the bits of each key with the S-Box that is presented in Section 3.3 to increase its level of randomness; then, at the output obtained, a 5-bit shift is applied to the right, and this process will be repeated to obtain $k_2$ but this time starting from $k_1$, and so on until leading to $k_{15}$, whose origin will be $k_{14}$.
Since each coordinate of a point is considered as pseudo-random, $K$ is considered as a pseudo-random string, too. The only way an attacker could infer $K$ is to know the value $r$ and the elliptic curve chosen to start the concatenation of values, which can be solved by protecting the process of sending this information through insecure means by encrypting it with some asymmetric cryptosystem. In addition, it would face the problem that an elliptic curve similar to the one proposed in this research and presented in Section 4.2 can have a solution set with an extension of at least $2^{160}$ [12].

Permutations and the Proposed Substitution Box
One of the objectives of any cryptosystem is to obtain an encrypted text with a high level of randomness; this characteristic ensures that a scheme is resistant to differential and linear cryptanalysis. Having said the above, two techniques help to strengthen any encryption system: these are diffusion and confusion [25]. Diffusion disperses the elements of the plain text so that one may hide the relationship that exists between it and the ciphertext obtained at the output; to achieve it, permutations are used. Confusion makes it difficult for an attacker to establish a relationship between the ciphertext and the key. Substitution boxes (S-Box) are used to achieve this. Both are used in symmetric cryptosystems that encrypt by blocks such as DES, Triple-DES, or AES; the proposal presented in this research work falls into that category, which is why they are also included.
In the proposed scheme, different permutations are performed in each execution. To build them requires a pseudo-random number obtained from Equation (13) in which it is proven that chaos has occurred. It is important to mention that for this task, only the digits to the right of the decimal point are taken into account. Then, a bijective function described in [22] is used; this algorithm adjusts to construct a permutation of N elements depending on the dimensions m × n of the input image.
The same algorithm is used to build the S-Box; however, its design is a more complex task, since it must satisfy various criteria to be considered safe and resistant to DPA (differential power analysis) attacks that use statistical techniques to obtain information that helps to infer the encryption key of a cryptosystem and are usually more efficient than linear and differential attacks [26].
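The logistic iteration of Section 2.2 and the permutation step described above, as an added Python example that is not the authors' code. It assumes the standard form of the logistic map for Equation (13), and it ranks the chaotic values to obtain the permutation as a stand-in for the bijection of [22], which this page does not reproduce; the seeds and function names are illustrative.

```python
"""Added example: logistic-map sequence -> permutation and its inverse."""


def logistic_sequence(x0, s, count, warmup=1000):
    """Iterate x_{n+1} = s * x_n * (1 - x_n) (assumed standard form).

    The first `warmup` values are discarded, following the page's remark
    that the behaviour is judged after 1000 cycles.
    """
    if not (0.0 < x0 < 1.0 and 0.0 < s < 4.0):
        raise ValueError("require 0 < x0 < 1 and 0 < s < 4")
    x = x0
    for _ in range(warmup):
        x = s * x * (1.0 - x)
    values = []
    for _ in range(count):
        x = s * x * (1.0 - x)
        values.append(x)
    return values


def has_settled(x0, s, window=64, digits=9):
    """True when the orbit has collapsed onto a short cycle (no chaos)."""
    tail = logistic_sequence(x0, s, window)
    return len({round(v, digits) for v in tail}) < window // 2


def chaotic_permutation(x0, s, n):
    """Permutation of range(n): positions ranked by their chaotic value.

    Ranking is an assumption made for this example, not the method of [22].
    """
    if has_settled(x0, s):
        raise ValueError("parameters do not produce chaos; refusing to use them")
    values = logistic_sequence(x0, s, n)
    return sorted(range(n), key=lambda i: (values[i], i))


def invert(perm):
    """Inverse permutation, needed by the receiver to undo the diffusion."""
    inverse = [0] * len(perm)
    for position, source in enumerate(perm):
        inverse[source] = position
    return inverse


def permute(perm, data):
    """Move data[perm[i]] to position i."""
    return [data[source] for source in perm]


if __name__ == "__main__":
    forward = chaotic_permutation(0.3, 3.99, 16)   # constructed parameters
    print("permutation:", forward)
    print("inverse    :", invert(forward))
    print("s = 2.5 settles:", has_settled(0.3, 2.5))
```

Sender and receiver must evaluate the map with identical floating-point arithmetic, since any rounding difference yields a different permutation.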
Perhaps the most important parameter to consider is non-linearity, which is the number of bits that must be modified in the truth table of the Boolean function to get closer to the closest affine function [27]. The non-linearity is represented in $GF(2^N)$, that is, $N = 2^{m-1} - 2^{\frac{m}{2}-1}$, for $m = 8$; thus, in theory, the upper bound of $N$ is 120 [28]. The S-Box proposed in this research work has a non-linearity of 100 equivalent to 78%, whose value is within the range of expected parameters [29], and it is measured using the Walsh function [22], which is presented in Equation (15).
Table 2 shows a complete list of the cryptographic properties of the proposed S-Box, and they are compared with those of AES. Although our proposal only exceeds the second S-Box in two parameters, Robustness to Differential Cryptanalysis and Transparency order, the others are found within the ranges of expected values for which it is considered adequate for the research being presented and robust enough against DPA attacks.

[Table 2: Cryptographic Properties; columns: Proposed S-Box, AES S-Box, Expected Value (EV)]
The input parameters used to build the substitution box are listed below. In addition, the proposed S-Box and its inverse are shown in Figure 2.
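How the non-linearity figure discussed above is measured, as an added Python example that is not the authors' code. It uses the standard Walsh-Hadamard definition (Equation (15) is not reproduced on this page) and, because the proposed S-Box values are not on this page either, it profiles the AES S-Box and the identity mapping; function names are illustrative.

```python
"""Added example: non-linearity and differential uniformity of an 8-bit S-box."""


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result


def aes_sbox():
    """Rebuild the AES S-box: field inverse followed by the affine map."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        out = inv
        for shift in range(1, 5):
            out ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(out ^ 0x63)
    return box


def walsh_hadamard(signs):
    """Fast Walsh-Hadamard transform of a +/-1 sequence of length 2^m."""
    spectrum = list(signs)
    half = 1
    while half < len(spectrum):
        for start in range(0, len(spectrum), 2 * half):
            for i in range(start, start + half):
                a, b = spectrum[i], spectrum[i + half]
                spectrum[i], spectrum[i + half] = a + b, a - b
        half *= 2
    return spectrum


def nonlinearity(sbox):
    """Smallest distance of any non-zero output combination to an affine function."""
    size = len(sbox)
    parity = [bin(v).count("1") & 1 for v in range(size)]
    largest = 0
    for mask in range(1, size):
        # Component Boolean function: parity of the masked output bits.
        signs = [1 - 2 * parity[sbox[x] & mask] for x in range(size)]
        largest = max(largest, max(abs(w) for w in walsh_hadamard(signs)))
    return (size - largest) // 2


def differential_uniformity(sbox):
    """Largest entry of the difference table for a non-zero input difference."""
    size = len(sbox)
    worst = 0
    for dx in range(1, size):
        counts = [0] * size
        for x in range(size):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst


def theoretical_bound(m):
    """Upper bound quoted in the text: 2^(m-1) - 2^(m/2 - 1)."""
    return 2 ** (m - 1) - 2 ** (m // 2 - 1)


def profile(sbox):
    """Checks a candidate S-box should pass before it is used in a cipher."""
    return {
        "bijective": sorted(sbox) == list(range(len(sbox))),
        "nonlinearity": nonlinearity(sbox),
        "differential_uniformity": differential_uniformity(sbox),
    }


if __name__ == "__main__":
    print("bound   :", theoretical_bound(8))
    print("AES     :", profile(aes_sbox()))
    print("identity:", profile(list(range(256))))
```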

Complete Cryptosystem
This cryptosystem is symmetric; it is of the Substitution Permutation Network type, since the image encryption process is carried out through several encryption rounds, using XOR bitwise operations, a permutation, and the substitution box proposed in Section 3.2 [25]. Symmetric cryptosystems usually perform block encryption as with Triple-DES or AES [30,31], whose characteristic consists of dividing the information into blocks of fixed size (64 or 128). However, in this proposal, the encryption is carried out in a single block whose size is determined by the dimensions of the image, as already explained in Section 3.1. It was also explained that using a solution point of an Elliptic Curve, 15 encryption keys are generated, which will be applied one at a time for each of the 14 rounds of this proposal, except for the last one, which needs two. Starting from the fact that rounds 1 and 14 are the only different ones and rounds 2 to 13 are identical, we proceed to explain the complete operation of the algorithm. To describe the encryption and decryption process, the following nomenclature is used:
for the permutations that modify the previous output.
for the replacement box that modifies the previous output.

Encryption Process
Step 1. Reading and Modifying the input image. An input image $I$ of dimensions $m \times n$ is read. If $m = n = 512$, the dimension $m$ is made to grow by one whereby $m = 513$ and $n = 512$. Then, the pixel values of the new row from position 0 to 255 will match with every bit of the integer $r$ used to generate the main key; that is, if $r = 1110 \ldots 0101$, with pp denoting pixel in position, $pp_0 = 1$, $pp_1 = 1$, $pp_2 = 1$, $pp_3 = 0$, $\ldots$, $pp_{252} = 0$, $pp_{253} = 1$, $pp_{254} = 0$, $pp_{255} = 1$. It is important to mention that these additional 256 pixels can serve as a fingerprint that verifies the origin of the received image in the decryption process. The pixels from position 256 to the last one can be filled with pseudo-random values.
Step 2. Round one of encryption. The operations carried out are summarized as follows:
Step 3. Rounds two through thirteen of encryption. The operations carried out are summarized as follows, and since all these rounds are the same, only two are described:
Step 4. Round fourteen of encryption. The operations carried out are summarized as follows:

Decryption Process
Step 1. Round one of decryption. $IC$ is read, and the operations carried out are summarized as follows:
Step 2. Rounds two through thirteen of decryption. The operations carried out are summarized as follows, and since all these rounds are the same, only two are described:
Step 3. Round fourteen of decryption. The operations carried out are summarized as follows:
Step 4. Reading and Modifying the output image. $ID$ is read; thus, the last row of pixels is deleted; in this case, the final dimensions of $ID$ will be $m = 512$ and $n = 512$. Finally, it is easy to conclude that $ID = I$.

Experiments and Security Analysis
In this section, we carry out all the required experiments to prove whether this cryptosystem is resistant against the main types of cryptanalysis and modifications. Other essential information is provided, too. To facilitate understanding, graphs and tables are added.

Images for Experiments
The proposed cryptosystem has undergone several tests to demonstrate its robustness to differential and linear attacks. To carry out each experiment, JPEG images of different sizes have been chosen; these are:
• House.jpeg, with dimensions of 1920 × 1080.
• Security.jpeg, with dimensions of 4900 × 3464 pixels.
The first four images are commonly used in peer-reviewed papers, and the others are proposed in this research. The proposed algorithm was implemented as a desktop application in the Java programming language, and the BufferedImage library was used to support certain tasks such as the reading of the pixels of each image [32]. All pictures are shown in Figure 3.

Elliptic Curve to Generate the Encryption Keys
To perform all the experiments, the elliptic curve has been chosen with the following data:
Next, fast analysis of the chosen elliptic curve is conducted:
• If the calculation $4(-k)^3 \bmod p$ is performed, the result obtained will be: 5a67ecc091bc 618e74d07f4905361dd6c7e67fc44d6d26c76fbfbd9625a8b43a4eddb4fee4a; therefore, it is shown that this is a Non-Singular Curve.
• Later, if the calculation $q \bmod p$ is performed, the result obtained will be: 179d2aa8f4823 4714c8bbd308c9fe9f88c50eb8285ae4ae46740e766125f66f46313fd78995; therefore, it is verified that this elliptic curve is not Supersingular.
• On the other hand, it is easy to observe that $p$ and $q$ are different; in this way, it is stated that this elliptic curve is not of Trace One.
• Finally, this elliptic curve has a solution set $q$ of a size of $2^{256}$.
Thus, it is concluded that the chosen elliptic curve fulfills the four requirements described in Section 2.1 and is safe and suitable to generate the set of round keys. Figure 4 shows the encrypted results of images shown in Figure 3. They prove that it is visibly impossible to find a pattern that allows inferring its origin. Nevertheless, it is important to understand that a visual inspection is not enough to demonstrate the cipher text is impossible to reverse; for that reason, in the next sections, several tests will be applied to ascertain it mathematically.

Statistical Cryptanalysis
An important aspect in any cryptosystem is to quantify the quality of the encryption, that is, the level of randomness, which will determine its resistance to statistical attacks that can determine the encryption key or the plaintext through existing biases or patterns in the ciphertext. Statistical tests such as those presented below are useful for this purpose.

Entropy
Entropy is one of the most important works of the French mathematician Claude E. Shannon [33]. In an image, it must be applied to each band, depending on the type of color space. This test analyzes the histogram of the image after it has been encrypted and determines if its frequency distribution is much more uniform than that of the original image. It is known that 255 is the maximum value of a pixel, and its binary expression requires 8 bits; this implies that the entropy of a perfectly distributed image after being encrypted must be 8, which is unlikely to happen in practice. Therefore, any value greater than 7.9 indicates a high entropy level [15]. Equation (17) is used to calculate entropy.
The results obtained in this test are shown in Table 3. The evaluation results show that the entropy provided by the proposed scheme is quite close to 8, which is the maximum theoretical value. Moreover, Figure 5 shows the histograms per every RGB channel of the Lena image used in the experiments to visualize its distribution before and after encryption. Here, it can be shown that after encryption, the estimated histogram is almost flat, independently of the histogram shape of the image before encryption. These types of graphs are widely used to carry out a visual inspection in this test.

Correlation Coefficient
The correlation coefficient is based on the problem of analyzing the relationship between two variables x, y [34]. In the specific case of image encryption, it analyzes whether the position of two contiguous pixels x, y is determined by some given pattern or if there is a dependency between two pixels in each image. Otherwise, it is said that there is no correlation, and both are randomly positioned. This measure is obtained with Equation (18).
If the measurement yields a 0, it is said that both images are completely different, and if a 1 or −1 is obtained, the conclusion would be that both images are equal. In practical terms, it is almost impossible to get zero, but any value close to this indicates a high level of randomness between the pixels of an encrypted image. The most appropriate way to carry out this measurement is in three directions: Horizontal, that is, a pixel $x$ and its neighbor to the right; Vertical, that is, a pixel $x$ and its neighbor below; and Diagonal, that is, a pixel $x$ and its neighbor below shifted by one space to the right. Tables 4-6 show the correlation coefficients obtained; only absolute values are registered.
The evaluation results show that the values of horizontal, vertical, and diagonal cross-correlation of the images under analysis closely approach zero, which means that it is not possible to infer one pixel of the image under analysis. Thus, if the correlation between the pixels of the encrypted image approaches zero, it is not possible to infer the original image using only information of the encrypted one. In addition to the experimental data given in Tables 2-6, Figure 6 shows the scatter plot per every RGB channel of one of the images used in the experiments to visualize the position of all the pixels before and after encryption; these types of graphs are widely used to carry out a visual inspection in this test. From this figure, it follows that in the encrypted image, it is not possible to estimate the value of pixel $(x, y)$ using the value of pixels at other locations of the same image.

$\chi^2$ Test
This statistical test is based on the statement of two hypotheses: the first of them is known as null and is identified as $H_0$ [35]; in this case, its role is to affirm that the pixels of an image after being encrypted have a random distribution. The second one is known as the alternative and is called $H_1$; its function is to reject the assertion proposed by the null. Using Equation (19), $\chi^2$ is calculated, and it determines which of the two hypotheses is accepted and which is rejected. $f_o$ refers to the observed frequencies, that is, those of the encrypted image, and $f_e$ refers to the number of expected frequencies, which in this case is 256.
It is known that in tests based on hypotheses, there are two errors: a type I error, which is the most important, that is, unequivocally rejecting $H_0$; and a type II error, that is, accepting $H_0$ wrongly. For this research work, the type I error is used, whose value is $\alpha = 0.01$. In practice, any threshold ($\chi^2$) less than 308 is enough for $H_0$ to be accepted [36]. Table 7 shows the results obtained from the test after the experiments.

Differential and Linear Cryptanalysis
Cryptanalysis is the antagonistic science of cryptography whose objective is to develop attacks capable of compromising or breaking encryption algorithms. Symmetric and block encryption cryptosystems must be robust to at least two types of cryptanalysis, differential and linear [37].
The differential attacks were first proposed by Eli Biham and Adi Shamir with the aim of breaking the DES cryptosystem [7]. Attacks of this type exploit the high probability of the existence of differences in the plain text ∆X and differences in the last round of encryption ∆Y, which is known as the differential. This attack selects inputs and analyzes outputs to find the encryption key.
The linear attack was proposed for the first time by Mitsuru Matsui, who sought to exploit the DES cryptosystem through the known plaintext at entry [6]. This attack works considering the linear correlations between some of the plaintext bits (input block) and the output bits (cipher block) to infer the cipher key. There are various tests that a cryptosystem must undergo to verify that it is not vulnerable to the attacks described above; this process is carried out below.

NPCR and UACI
Both standards serve to test the resistance of any cryptosystem against differential cryptanalysis; they function as follows. There are two encrypted images, $C_1$ and $C_2$, which come from two images whose only difference is a pixel, and the encryption process has been carried out with the same keys. If the proposed cryptosystem is robust, images $C_1$ and $C_2$ must be practically different, which can be measured with the NPCR and UACI standards [38]. The first is defined by Equation (20) and the second is defined by (21), where $C_1$ and $C_2$ refer to the images, $T$ refers to the number of pixels in each image ($n \times m \times$ number of planes), and $D$ is defined in Equation (22).
In the case of this experiment, both images are encrypted with the set of encryption keys, which are generated from the K corresponding to the SHA-1 of both. In all the images used, pixel 3750 of the blue channel has been modified. In practical terms, in these tests, it is expected to obtain percentages between the range of 99.5% and 99.6% for the NPCR and between 33.4% and 33.5% for the UACI. The results obtained in this test are shown in Table 8.
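The measurements from the Entropy, Correlation Coefficient, $\chi^2$ Test and NPCR and UACI subsections, gathered into one added Python example (not the authors' Java implementation). The formulas are the standard definitions, since this page does not reproduce Equations (17) to (22); the gradient image, the key and `stand_in_cipher` (a SHA-256 keystream keyed on the image's SHA-1, echoing the text above) are constructed for illustration and are not the proposed cryptosystem.

```python
"""Added example: entropy, adjacent-pixel correlation, chi-square, NPCR, UACI."""
import hashlib
import math

WIDTH = HEIGHT = 128                       # constructed single-channel image
DIRECTIONS = {"horizontal": (1, 0), "vertical": (0, 1), "diagonal": (1, 1)}


def histogram(pixels):
    counts = [0] * 256
    for value in pixels:
        counts[value] += 1
    return counts


def entropy(pixels):
    """Shannon entropy in bits per pixel; 8 is the ideal, > 7.9 is 'high'."""
    total = len(pixels)
    return -sum(c / total * math.log2(c / total) for c in histogram(pixels) if c)


def chi_square(pixels):
    """Expected count per grey level = pixels / 256 (256 for a 256 x 256 channel)."""
    expected = len(pixels) / 256
    return sum((c - expected) ** 2 / expected for c in histogram(pixels))


def correlation(pixels, width, dx, dy):
    """Pearson coefficient between each pixel and its (dx, dy) neighbour."""
    height = len(pixels) // width
    first, second = [], []
    for y in range(height - dy):
        for x in range(width - dx):
            first.append(pixels[y * width + x])
            second.append(pixels[(y + dy) * width + x + dx])
    mean_a = sum(first) / len(first)
    mean_b = sum(second) / len(second)
    cov = sum((a - mean_a) * (b - mean_b) for a, b in zip(first, second))
    var_a = sum((a - mean_a) ** 2 for a in first)
    var_b = sum((b - mean_b) ** 2 for b in second)
    if var_a == 0 or var_b == 0:           # flat image: coefficient undefined
        return 0.0
    return cov / math.sqrt(var_a * var_b)


def npcr(c1, c2):
    """Percentage of positions whose values differ between two ciphertexts."""
    return 100.0 * sum(a != b for a, b in zip(c1, c2)) / len(c1)


def uaci(c1, c2):
    """Mean absolute intensity difference, as a percentage of 255."""
    return 100.0 * sum(abs(a - b) for a, b in zip(c1, c2)) / (255 * len(c1))


def stand_in_cipher(pixels, key):
    """Illustrative stream cipher only: keystream depends on SHA-1 of the image."""
    digest = hashlib.sha1(bytes(pixels)).digest()
    stream = bytearray()
    counter = 0
    while len(stream) < len(pixels):
        block = hashlib.sha256(key + digest + counter.to_bytes(4, "big")).digest()
        stream += block
        counter += 1
    return [p ^ k for p, k in zip(pixels, stream)]


def evaluate():
    plain = [(x + y) // 2 for y in range(HEIGHT) for x in range(WIDTH)]
    tweaked = list(plain)
    tweaked[3750] ^= 1                     # one modified pixel, as in the text
    key = b"constructed demo key"
    c1, c2 = stand_in_cipher(plain, key), stand_in_cipher(tweaked, key)
    return {
        "entropy_plain": entropy(plain),
        "entropy_cipher": entropy(c1),
        "chi2_plain": chi_square(plain),
        "chi2_cipher": chi_square(c1),
        "corr_plain": {n: correlation(plain, WIDTH, *d) for n, d in DIRECTIONS.items()},
        "corr_cipher": {n: correlation(c1, WIDTH, *d) for n, d in DIRECTIONS.items()},
        "npcr": npcr(c1, c2),
        "uaci": uaci(c1, c2),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(name, value)
```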

Avalanche Effect
The avalanche effect, also known as avalanche attack, is another important manner to test the resistance of any cryptosystem against differential attacks [39]. This standard works with the same principle that was observed in NPCR and UACI tests, where a tiny change made in an image will produce a practically different ciphered image, although in this case, the change is made on a bit level. Having said that, let $I_1$ and $I_2$ be two plain images with only one different bit; then, they are ciphered using a group of round keys generated from a main key $K$ with just a distinct bit among each other. Thus, the resulting images $C_1$ and $C_2$ must show a bit change rate close to 50% [40]. Using Equations (22) and (23), it is possible to obtain such a measure.
The results obtained in the avalanche test are given in Table 9.
The evaluation results show that the avalanche effect resulting from the proposed scheme is quite close to the ideal value, which is equal to 50%.
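Equations (20)-(23) are not reproduced on this page, so the added example below (not the authors' code) computes the NPCR, the UACI and the avalanche bit change rate from their standard definitions. The cipher is a stand-in assumed only for illustration, a SHA-256 keystream keyed by the SHA-1 of the image; the function names, image size and sample data are constructed.

```python
import hashlib

def _check(c1: bytes, c2: bytes) -> None:
    if not c1 or len(c1) != len(c2):
        raise ValueError("cipher images must be non-empty and of equal size T")

def npcr(c1: bytes, c2: bytes) -> float:
    """Percentage of the T samples whose values differ (D = 1 where C1 != C2)."""
    _check(c1, c2)
    return 100.0 * sum(a != b for a, b in zip(c1, c2)) / len(c1)

def uaci(c1: bytes, c2: bytes) -> float:
    """Mean absolute intensity difference, normalised by 255, in percent."""
    _check(c1, c2)
    return 100.0 * sum(abs(a - b) for a, b in zip(c1, c2)) / (255 * len(c1))

def bit_change_rate(c1: bytes, c2: bytes) -> float:
    """Avalanche measure: percentage of the 8*T bits that differ."""
    _check(c1, c2)
    flipped = sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))
    return 100.0 * flipped / (8 * len(c1))

def standin_encrypt(image: bytes) -> bytes:
    """Stand-in cipher (NOT the paper's scheme): K = SHA-1(image), then
    XOR with a SHA-256 counter-mode keystream derived from K."""
    k = hashlib.sha1(image).digest()
    stream = bytearray()
    counter = 0
    while len(stream) < len(image):
        stream += hashlib.sha256(k + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(image, stream))

def one_bit_experiment(n=64, m=64, planes=3, index=3750):
    """Encrypt a constructed image and a copy with one bit of one sample flipped."""
    plain1 = bytes((7 * i + 3) % 256 for i in range(n * m * planes))  # constructed
    plain2 = bytearray(plain1)
    plain2[index] ^= 0x01  # assumed flat byte offset, not the paper's pixel layout
    c1, c2 = standin_encrypt(plain1), standin_encrypt(bytes(plain2))
    return npcr(c1, c2), uaci(c1, c2), bit_change_rate(c1, c2)

if __name__ == "__main__":
    print("NPCR %.2f%%  UACI %.2f%%  bits changed %.2f%%" % one_bit_experiment())
```

Two independent uniformly random 8-bit images give an NPCR near 99.61%, a UACI near 33.46% and a bit change rate near 50%, which is why those figures serve as the reference values for a cipher under test.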

Chosen/Known Plain-Text Attacks
These types of attacks fit into the category of linear cryptanalysis, and there are four of them in total: the known-plaintext attack, the chosen-plaintext attack, the ciphertext-only attack, and the chosen-ciphertext attack. The first two are the most important, and it is stated that any cryptosystem capable of withstanding them will also withstand the last two [39]. The procedure to test whether a cryptosystem can resist them consists of encrypting two images, one white and one black, then measuring their entropies and correlation coefficients and verifying that they fall within the parameters described in Sections 4.4.1 and 4.4.2. In this experiment, five images of each are used, corresponding to the dimensions of those chosen for the experimentation stage. Table 10 shows the average results obtained in this test.

Key Sensitivity Test
The objective of this test is to analyze the percentage of different pixels between two equal images, $C_1$ and $C_2$. Both are encrypted with a set of encryption keys generated from a specific K; for the second image, the same K is used as for $C_1$ but with a small modification, which could be the change of one bit. Decrypting $C_1$ with the keys of $C_2$ must be impossible, and vice versa. The percentage of change is calculated with Equation (24), and in practical terms, minimum values of DiffImg equal to 99% are expected.

Keyspace Analysis
A brute force attack on an encryption key is unavoidable; its objective is to try all possible combinations until finding the one that matches. In this case, the keys are generated from a solution point of an elliptic curve, which implies that there are q different possibilities, because q is a prime number. Furthermore, for a key to be secure, it must have a minimum size of $2^{100}$ bits. Since the keys depend on the integer r, which is 256 bits, the size of the keys used in this proposal is about $2^{256}$, which is far beyond the minimum required.

Occlusion and Noise Attacks
When an encrypted image is transmitted over an insecure medium, it runs the risk of being intentionally or incidentally modified or distorted by an attacker. Any clipping, obstruction, or change in pixels that can be interpreted as added noise implies information that has been lost and is impossible to recover. Nevertheless, if the encryption quality of the image is high and all the pixels have been distributed in a way that can be considered random, much of the original information will still be visible when the image is decrypted. Therefore, it is very important to measure the resistance of any cryptosystem mainly to two attacks: occlusion and added noise.
Furthermore, this test uses an image that displays a written message, which is shown in Figure 7. Such pictures are sometimes sent to share notes or news, and attackers commonly try to interfere with or damage them to prevent the communication from being completed.
Regarding the first attack, Lena.jpeg and Text.jpeg are encrypted, and then various sections covering 25%, 50%, and 75% of the total surface are intentionally cut out. When the image is deciphered, it is visually analyzed whether the remaining rearranged pixels are enough to infer what the original image was. The second attack consists of adding salt and pepper noise to the encrypted image, which in practice consists of scattering black or white pixels pseudo-randomly on the surface; in this case, the noise is added in densities of 25%, 50%, and 75%, and then the same visual analysis is done as in the first attack. The obtained results are shown in Figures 8-13.

Time Encryption
The computer used for all the tests had the following hardware resources: Processor: Intel Core i3 7350k, 4.00 GHz, dual-core. The encryption speed was measured five times for every image; Table 12 shows the average speed calculated. Table 13 shows the average results obtained in this research in four tests for entropy and correlation coefficient, while Table 14 compares the NPCR, UACI, and avalanche values obtained by the proposed scheme with those reported in other similar papers recently published in the literature.

Tables 13 and 14 show that the evaluation results provided by the proposed scheme are quite competitive with other previously proposed schemes.

Analysis and Results
This section analyzes the evaluation results of every test, in the same sequential order in which the tests were performed. The first evaluated parameter is the entropy; according to Section 4.4.1, this test seeks a value indicating that the encrypted image has an almost uniform frequency distribution. If a value greater than 7.9 is obtained, the entropy is high and complies with the previous approach. It can be seen from Table 3 that the lowest calculated value is 7.9992, which is very close to the ideal value of 8 for an image encoded with 8 bit/pixel. The next evaluated parameter is the correlation coefficient. In Section 4.4.2, it was explained that this test measures the level of dependence between the contiguous pixels of an encrypted image in three directions: horizontal, vertical, and diagonal. There is a high non-linearity when the values approach zero, which happens in all cases. It should be remembered that the results of Tables 4-6 are expressed in absolute values. These tables show that the cross-correlation values of encrypted signals approach zero, which means that knowledge of some pixel values does not allow the encrypted images to be estimated. The $\chi^2$ test proposed in Section 4.4.3 is based on two hypotheses; the first indicates that the encryption carried out is random, and the second contradicts it; the acceptance of each one depends on a threshold ($\chi^2$) that must be less than 308. All the values recorded in Table 7 are less than 300. The resistance to differential and linear cryptanalysis was also evaluated. To this end, the NPCR and UACI were estimated. As mentioned in Section 4.5.1, this test uses both measures to quantify the number and percentage of different pixels between two images whose only difference is one pixel.
It was also explained that minimum values of 99.5% are expected for the NPCR and values not less than 33.4% for the UACI; as seen in Table 8, the lowest value in the first case is 99.60%, and in the second, it is 33.44%. Another test is the avalanche test, which evaluates whether a tiny change made in an image produces a practically different ciphered image. The results in Table 9 are very close to 50%, which is the ideal value. The chosen/known plain-text attacks are the other recommended evaluation. In this test, black and white images of different dimensions are encrypted, and subsequently their entropies and correlation coefficients are measured, which are recorded in Table 10. All measurements obtained are within the ranges specified in Sections 4.5.1 and 4.5.2.
The keyspace and key sensitivity were also evaluated. For the first, it was already explained in Section 4.7 that the minimum size for a key to be considered secure is $2^{100}$, which is far exceeded, since in our proposal it is $2^{256}$. The second test measures the percentage of distinct pixels when an image is encrypted with two keys with minimal variation. Table 11 shows percentages greater than 99%, which correspond to what is expected in practice. The occlusion and noise attacks were also evaluated. The objective of both is to determine by visual inspection how much information is recovered from an encrypted image that is covered or cropped to a certain extent, as in the occlusion attack, or that is randomly covered with white or black pixels after adding salt and pepper noise. Both are carried out in extensions or intensities of 25%, 50%, and 75%. Figures 8-13 show that although the level of visibility after decryption is lower with higher intensities, it is possible to perceive the message. Following the foregoing, it is determined that the results obtained are good and all the tests have been satisfactorily passed.
Finally, Tables 13 and 14 compare the results of the entropy, correlation coefficient, NPCR, UACI, and avalanche tests of the proposal with other articles of the state of the art. The results obtained are close to those reported by other recently proposed papers. In some cases they are equal or slightly lower, and in others better measurements are obtained; therefore, it can be said that the system proposed in this research is competitive with the existing state of the art.
The future work that could enhance the performance of this research is as follows. Researchers could develop substitution boxes with a higher level of non-linearity and better cryptographic properties, or use other logistic equations such as Lawrence's equation. The authors consider that it would also be of great value to verify the effectiveness of this proposal or others in the encryption of audio or video. Finally, the introduction of a steganography scheme could increase the security of the system, and a scheme that includes a key distribution system could be proposed.

Conclusions
In this article, an original symmetric cryptosystem has been presented whose purpose is the encryption of images in JPEG format, which stands out for its high quality, its lightness, and its ease of transmission, making it one of the most used formats at present. The contributions of this work that distinguish it from the others mentioned in the state of the art are summarized as follows. First, elliptic curves with a constant l equal to zero are used to generate the set of encryption keys. Next, an algorithm is proposed to generate the elliptic curves, which must also comply with certain characteristics. The proposed scheme uses a chaotic logistic equation to generate permutations and a substitution box plus its inverse with a non-linearity level of 100. The algorithm also proposes the implementation of a fingerprint so that the receiver can identify whether the file received corresponds to the one sent by the issuer. The proposed algorithm carries out the encryption of the images in a single block, obtaining an adequate encryption speed. The cryptosystem has also been subjected to several tests; after analyzing the results obtained, it is stated that this proposal is robust and capable of withstanding linear, differential, statistical, brute force, or modification attacks, as well as some of the better-known ones, such as the discrete logarithm and the MOV attacks. The proposed scheme provides quite competitive results compared with other previously proposed schemes.