A Probabilistic Chaotic Image Encryption Scheme

This paper proposes a probabilistic image encryption scheme that improves on existing deterministic schemes by using a chaining mode of chaotic maps in a permutation-masking process. Despite its simplicity, the permutation phase destroys any correlation between adjacent pixel values in a meaningful image. The masking phase, however, modifies the pixel values of the image at hand using pseudorandom numbers with some other initiated random numbers so that any slight change in the plain image spreads throughout the corresponding cipher image. These random numbers ensure the generation of distinct cipher images for the same plain image encryption, even if it is encrypted multiple times with the same key, thereby adding some security features. Simulations show that the proposed scheme is robust to common statistical and security threats. Furthermore, the scheme is shown to be competitive with existing image encryption schemes.


Introduction
The privacy of multimedia data such as text, audio, video, and digital images stored in the cloud or transmitted over the internet is desirable to almost every individual user. Due to the wide use of digital images in various applications including military, governmental, and E-commerce, the protection of digital images has caught the attention of researchers and encouraged them to develop schemes that are suitable for encrypting digital images. In the last two decades, the close relation between cryptography and chaos led scientists and engineers to propose chaos-based image encryption schemes using different techniques [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]. Due to the characteristics of digital images, chaos-based image encryption schemes have been shown to have superiority over conventional encryption schemes such as RSA [18], DES [19], and AES [20].
In 1998, Fridrich [1] proposed a chaos-based image encryption scheme that consists of multiple rounds of a permutation layer and a masking layer. Despite the fact that Fridrich's scheme has been cryptanalyzed by Solak et al. [21], Fridrich's structure has become the core of most chaos-based image encryption schemes [2][3][4][5][6][7][8][9][10][11][12][13][14][15][17]. Nonetheless, designing the permutation-masking mechanism of a practically secure image encryption scheme can be challenging. The target of the permutation phase is to permute the pixel values of the input plain image using some chaotic systems in order to destroy the strong correlation between adjacent pixel values in the plain image. The target of the masking phase is to modify and mix the pixel values of the shuffled image such that a tiny change in the plain image spreads across almost all the pixel values of the cipher image. Furthermore, the schemes need to be robust to the two common cryptanalysis scenarios: chosen-plain image and known-plain image attacks.
In [2], Chen et al. proposed an image encryption scheme based on a 3-dimensional cat map. However, Wang et al. [22] have shown that Chen et al.'s scheme has some security flaws. Behnia et al. [3] proposed an image encryption scheme based on composition of trigonometric chaotic maps. Li et al. [23] investigated the security of Behnia's technique and discovered that it is insecure and is vulnerable to a chosen-plain image attack. In [4], Ye proposed an image encryption scheme based on generalized Arnold map and a generalized Bernoulli shift map. In [5], Kanso and Ghebleh proposed an image encryption scheme based on 3-dimensional cat maps that consists of permutation, masking, and mixing phases. These phases provide the necessary characteristics for a practically secure image encryption algorithm including the confusion and diffusion properties. Liu et al. [6] proposed an image encryption scheme using DNA complementary rule and chaotic maps. Their scheme uses MD5 hash function to produce keys depending on the plain image, hence making the initial conditions and control parameters of the used chaotic maps change in every encryption process. In [7], an image encryption scheme based on spatiotemporal chaotic systems is proposed to overcome drawbacks that exist in some schemes based on 1-dimensional chaotic systems. Wang et al. [8] proposed a block image encryption scheme based on hybrid chaotic maps and dynamic random growth technique. However, Wang et al.'s scheme has security issues against chosen-plain image and chosen-cipher image attacks [24]. In [9], Rehman et al. proposed a selective encryption scheme based on DNA complementary rules and chaotic systems for gray images. However, Rehman et al.'s scheme has drawbacks against noise as well as low efficiency that results from the calculation of new keys for each block [25]. Souyah and Faraoun [10] proposed an image encryption scheme combining cellular automata and weighted histogram based on logistic tent chaotic systems. In [11], Xu et al. proposed a bit-level image encryption scheme based on cyclic shift, swapping, and piecewise linear chaotic maps. Rehman et al. [12] proposed an image encryption scheme using DNA encoding and chaotic systems. In order to defeat known-plain image and chosen-plain image attacks, Rehman et al.'s scheme computes the initial conditions and control parameters of the chaotic maps using the SHA-256 hash value of the plain image. In [13], Belazi et al. proposed an image encryption scheme based on substitution-permutation network structure and chaotic systems with strong S-boxes.
More recently, Wu et al. [14] proposed an encryption scheme based on a rectangular transform (RT)-enhanced chaotic system for color images, where the three channels of the plain image are encrypted simultaneously. Zhu and Sun [26] analyzed the security of Wu et al.'s scheme [14] and discovered that it has some security flaws and is vulnerable to a chosen-plain image attack. They further proposed an improvement of Wu et al.'s scheme that is resistant to chosen-plain image attack, in which the hash value of the plain image is used as part of the secret key. Nevertheless, the dependence of the secret key on the plain image is a serious issue in any encryption scheme. Wang et al. [15] proposed a chaotic image encryption scheme using multiple mixed hash functions and the cyclic-shift function to resist known-plain image and chosen-plain image attacks. Their scheme aims to improve the drawbacks of Baptista algorithms and its variants. In [17], Wang et al. proposed a methodology for integrating a 1-dimensional logistic map using perturbation parameters, a delayed coupling approach, and feedback control, which further deepens the unpredictability by selectively moving the chaotic sequence's position. They further proposed an image encryption scheme based on these modified chaotic sequences in conjunction with magic square and octree to increase security. Recently, some more image encryption schemes based on different techniques have appeared in the literature, such as those in [27][28][29]. The secret keys in the aforementioned schemes are either dependent on or independent from the plain image. In traditional image encryption schemes, a random bit stream is typically used for generating secret keys. Thus, the secret key is independent of the plain image, such as in [14]. Hence, such schemes lack the ability to resist common attacks such as chosen-plain image and chosen-cipher image attacks. In contrast, in some existing schemes, the generation of secret keys depends on the plain image, such as in [26,30]. However, this is a serious issue, as secret keys must be exchanged in a secure manner prior to the encryption process. Hence, the dependence of the secret key on the plain image limits the use of the encryption scheme.
Image encryption schemes are either lossy or lossless. Lossy schemes reconstruct plain images with some distortion, whereas lossless schemes reconstruct plain images with no distortion. In some applications, the reconstruction of distortion-free plain images might be desirable. Image encryption schemes can be further categorized into deterministic schemes and probabilistic schemes. A deterministic image encryption scheme always produces the same cipher image for a given plain image and key, whereas a probabilistic image encryption scheme produces distinct cipher images when encrypting the same plain image multiple times with the same key. Most existing chaos-based image encryption schemes are classified as deterministic schemes.
In this paper, we propose a probabilistic image encryption scheme based on chained chaotic maps that is an improvement of the schemes proposed in [14,26]. Depending on the application, the proposed scheme can be either lossy or lossless. Figure 1 presents an overview of the proposed scheme. The proposed scheme uses a permutation-masking mechanism. The permutation phase destroys the strong correlation in meaningful plain images through the permutation of the rows and columns of the image using chained chaotic maps and a spiral algorithm. In contrast, the masking phase splits the matrix resulting from the permutation phase into four arrays and masks the entries of each array with pseudorandom numbers generated using the chained chaotic maps. This phase further mixes the entries of the four resulting arrays initiated with four random numbers to make any tiny change in the plain image spread throughout the corresponding cipher image. Finally, a single round of the permutation phase is applied to the masked image to generate a cipher image. The lossy scheme generates cipher images of the same size as the corresponding unpadded plain image. However, the lossless scheme generates cipher images with one added column. The use of random numbers in the proposed construction ensures that distinct cipher images are produced for the same plain image encryption, even if it is encrypted multiple times with the same key. Furthermore, these cipher images are random-looking in comparison with one another. This feature increases the security level of the proposed scheme against common cryptanalytic attacks.
The paper is organized as follows. Section 2 is devoted to related work. Section 3 presents the chaotic engine of the proposed image encryption scheme and demonstrates its characteristics. In Section 4, we give a detailed description of the proposed image encryption scheme and demonstrate its efficiency. Section 5 presents experimental results to showcase the performance of the proposed scheme against common statistical attacks. In Section 6, we analyze the security of the proposed scheme against some common cryptanalytic attacks. Section 7 provides comparison with some existing schemes. Some concluding remarks are presented in Section 8.

Related Work
In this section, we present a brief description of Wu et al.'s scheme [14], which is related to the proposed scheme, and point out some of its drawbacks.
Wu et al.'s scheme is based on the chaotic tent map (CTM) and a rectangular transform that is an extension of the Arnold cat map. The tent map is defined by where the state $x_i \in (0, 1)$ and the control parameter $\mu \in (0, 2]$.
The rectangular transform can be used to alter the pixel positions of an image, and it is defined by where (x , y ) is the new position of the original position (x, y) in the resulting image, $r_m$ and $r_n$ are random numbers, m and n are the number of rows and columns in the image, respectively, and a, b, c, d are control parameters satisfying the following conditions: Wu et al.'s scheme consists of a rectangular transform and three chaotic tent maps. Hence, the secret key K of Wu et al.'s scheme consists of the parameters of the rectangular transform a, b, c, d, the control parameters and initial states of three chaotic tent maps $\mu_1, \mu_2, \mu_3$ and $x_{1,0}, x_{2,0}, x_{3,0}$, and the number of rounds t.
Algorithm  Consider the tent map of Equation (1) starting with $x_{i,0}$ and $\mu_i$.
7 Phase out this map by 1000 iterations.

• The scheme is insecure against chosen-plain image attack.
• The secret key of the scheme is insensitive to all of its parameters.
• The scheme is lossy. The first pixel of the plain image cannot be recovered because R (0), G (0), and B (0) are not part of the secret key.
• The scheme requires the parameters a, b, c, and d to satisfy the restrictive conditions expressed in Equation (3).
The reliance of Wu et al.'s scheme [14] on the tent map makes it vulnerable to limitations of this map as studied in [31,32], such as fixed points and failure under finite numerical precision. Furthermore, the time-series values of the tent map have non-uniform distribution unless its control parameter is chosen very close to 2.
Despite the fact that Zhu and Sun [26] proposed an improvement of Wu et al.'s scheme [14], their scheme uses the hash value of the plain image as part of the secret key. This is a serious issue because the secret key can no longer be exchanged before the encryption process. In this paper, we propose a probabilistic image encryption scheme that is an improvement of the schemes proposed in [14,26].

The Chaotic Engine
Chaotic systems possess remarkable features such as high sensitive dependence on initial states and control parameters, ergodicity, unpredictability, and mixing that fulfill the confusion and diffusion properties of Shannon [33]. These characteristics make chaotic systems such as the quadratic and skew-tent maps widely used in a number of security applications such as image encryption, hashing, and secret sharing [34][35][36][37][38][39][40].

The Quadratic Map
The quadratic map is one of the most studied 1-dimensional discrete-time nonlinear chaotic maps [41]. It is defined by where the state $x_i \in [-2, 2]$ and the control parameter µ ∈ − 1 4 , 2 . Figure 2 depicts the bifurcation diagram of Equation (4). It also shows the Lyapunov exponents of Equation (4) versus its control parameters. Thus, given an initial state $x_0 \in (-2, 2)$ and control parameter $\mu \in (1.401155189, 2]$, successive iterations of Equation (4) produce an infinite orbit $\{x_i\}_{i=0}^{\infty}$ possessing chaotic behavior (interrupted by small regions known as periodic windows where the attractor is periodic). Furthermore, when µ is close to 2, Equation (4

The Skew-Tent Map
The skew-tent map is a piecewise linear chaotic map (PWLCM) on the interval [0, 1] defined by where $y_0$ and $p$ are the initial state and control parameter for the map, respectively. For $p \in (0, 1)$, Equation (5) has a positive Lyapunov exponent, and hence it exhibits chaotic behavior [42,43]. Figure 3 depicts the bifurcation diagram of Equation (5) and its Lyapunov exponents. Thus, given any initial state $y_0 \in (0, 1)$ and control parameter $p \in (0, 1)$, successive iterations of Equation (5) generate an infinite sequence $\{y_i\}_{i=0}^{\infty}$ of real numbers uniformly distributed in (0, 1).
In this paper, we propose a probabilistic image encryption scheme based on a number of chained chaotic quadratic and skew-tent maps as its chaotic engine. The proposed chaining method increases the keyspace and hence the security level of the proposed image encryption scheme. Algorithm 2 presents the chaining algorithm. Throughout this paper, we refer to any execution of this chain as Rule C. Sequences generated according to Rule C are used to permute the rows and columns of the matrix representing the input plain image. We further use this rule to generate sequences of integers in [0, 255], obtained by mapping sequences generated by Rule C, to mask the entries of the shuffled image. Therefore, it is essential to measure the randomness of the proposed chaining algorithm. Figure 4a depicts a time series plot of a sequence $s = \{s_i\}_{i=1}^{150}$ generated according to Rule C, whereas Figure 4b depicts a plot of the points $(s_{i-1}, s_i)$ where 2 i 125,000. Furthermore, Figure 4c depicts the histogram of s = {s i } i=1 . It is evident that the entries of s are unpredictable and uniformly distributed in the interval (0, 1).
Moreover, in this section we evaluate the randomness of sequences generated according to Rule C using the Statistical Test Suite (STS) [44] proposed by the National Institute of Standards and Technology (NIST), which is one of the most used suites for evaluating the randomness of random number generators. We generate one hundred sequences, each of length 125,000 with entries in (0, 1), which is equivalent to $10^6$ bits. We then map each sequence s of reals in (0, 1) to a sequence b of integers in [0, 255], where b i = 256s i . Table 1 presents the results of the one hundred integer sequences. On the basis of these results, the integer sequences possess similar properties as truly random sequences. Hence, the integer sequences generated according to Rule C seem promising for use in cryptographic applications.

The Proposed Scheme
The characteristics of the chained chaotic quadratic and skew-tent maps make them promising building blocks in the implementation of image encryption schemes. In this section, we propose an image encryption scheme that consists of three independent phases: (i) a preprocessing phase, (ii) a permutation phase, and (iii) a masking phase. These phases are constructed such that the proposed scheme is highly sensitive to its input plain image and secret key, whereas the decryption scheme is insensitive to its cipher image. Algorithm 3 presents the phases of the proposed construction.
4 (1 + β)N
2 P ← Preprocess(P)
3 $J_s$ ← Shuffle(P , $r_1$), where $r_1$ is the number of rounds
4 $J_c$ ← Mask($J_s$, $r_2$), where $r_2$ is the number of rounds
It is worth noting here that the secret key used for encryption and decryption needs to be communicated between the parties using the scheme. This can be achieved using a secure channel or by employing any existing key-exchange protocol, such as the well-known Diffie-Hellman method [45].

The Preprocessing Phase
The purpose of this phase is to increase the security level of the proposed scheme against some attack models such as chosen-plain image attacks by padding the input plain image. Given a plain image P of size M × N × L, the preprocessing phase uses a randomized padding scheme to construct the padded plain image P of size M × N × L, where N = 4 (1 + β)N/4 for some random number β 0 satisfying the condition that P can be reshaped into an almost square m × n matrix I. We call an m × n matrix almost square, if m 2 n 2m. As this increased security comes at the cost of extra processing and storage needed for cipher images, the value of β should not be too large, and typically β ∈ [0.02, 0.05] would be satisfactory.

The Permutation Phase
The permutation phase uses sequences generated according to Rule C as its chaotic engine. In this phase, the rows and columns of the matrix representing the input plain image are shuffled according to output sequences from Rule C. Furthermore, the resulting matrix is traversed in a spiral order to destroy any correlation between adjacent pixels in the horizontal, vertical, and diagonal directions. Algorithm 4 presents the permutation phase.
Let π and π be permutations which sort S and S , respectively.
6 Let T be the matrix obtained from T by permuting its rows according to π, and its columns according to π .
7 Populate T by elements from a spiral traversal of T .
8 Return $J_s$ obtained by reshaping T to size M × N × L.
To illustrate the permutation phase, we present a single round toy example on the 4 × 5 matrix: Let T be the matrix resulting from I after sorting the rows and columns of I according to some permutations $\pi_1$ and $\pi_2$.
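The permutation phase and its inverse (which the paper omits), as an added Python example that is not the authors' code: rows and columns are reordered by the permutations that sort two keystream segments, and the result is read out along a spiral. A single skew-tent map in its standard form, with 1000 discarded iterations, stands in for Rule C; the clockwise spiral direction, the function names and the key values are assumptions.

```python
def skew_tent_stream(y0, p, burn_in=1000):
    """Yield skew-tent map states after discarding `burn_in` iterations.

    Stand-in for Rule C (assumption): the paper chains quadratic and
    skew-tent maps, but that chaining algorithm is not reproduced here.
    """
    y, count = y0, 0
    while True:
        y = y / p if y <= p else (1.0 - y) / (1.0 - p)
        count += 1
        if count > burn_in:
            yield y


def spiral_order(m, n):
    """(row, col) coordinates of an m x n grid, clockwise from the top-left."""
    top, bottom, left, right = 0, m - 1, 0, n - 1
    coords = []
    while top <= bottom and left <= right:
        coords += [(top, c) for c in range(left, right + 1)]
        coords += [(r, right) for r in range(top + 1, bottom + 1)]
        if top < bottom:
            coords += [(bottom, c) for c in range(right - 1, left - 1, -1)]
        if left < right:
            coords += [(r, left) for r in range(bottom - 1, top, -1)]
        top, bottom, left, right = top + 1, bottom - 1, left + 1, right - 1
    return coords


def round_perms(stream, m, n):
    """Permutations that sort the next m and the next n keystream values."""
    s_rows = [next(stream) for _ in range(m)]
    s_cols = [next(stream) for _ in range(n)]
    pi_rows = sorted(range(m), key=s_rows.__getitem__)
    pi_cols = sorted(range(n), key=s_cols.__getitem__)
    return pi_rows, pi_cols


def shuffle(matrix, y0, p, rounds=3):
    """Apply `rounds` rounds of row/column permutation plus spiral read-out."""
    m, n = len(matrix), len(matrix[0])
    stream, spiral = skew_tent_stream(y0, p), spiral_order(m, n)
    t = [row[:] for row in matrix]
    for _ in range(rounds):
        pi_rows, pi_cols = round_perms(stream, m, n)
        permuted = [[t[r][c] for c in pi_cols] for r in pi_rows]
        flat = [permuted[r][c] for r, c in spiral]
        t = [flat[i * n:(i + 1) * n] for i in range(m)]
    return t


def unshuffle(matrix, y0, p, rounds=3):
    """Invert shuffle(): regenerate every round's permutations, undo in reverse."""
    m, n = len(matrix), len(matrix[0])
    stream, spiral = skew_tent_stream(y0, p), spiral_order(m, n)
    perms = [round_perms(stream, m, n) for _ in range(rounds)]
    t = [row[:] for row in matrix]
    for pi_rows, pi_cols in reversed(perms):
        permuted = [[None] * n for _ in range(m)]
        for k, (r, c) in enumerate(spiral):      # undo the spiral read-out
            permuted[r][c] = t[k // n][k % n]
        previous = [[None] * n for _ in range(m)]
        for i, r in enumerate(pi_rows):          # undo the row/column sort
            for j, c in enumerate(pi_cols):
                previous[r][c] = permuted[i][j]
        t = previous
    return t


if __name__ == "__main__":
    # Constructed 4 x 5 matrix and key values (not the paper's toy example).
    plain = [[5 * r + c for c in range(5)] for r in range(4)]
    key = (0.123456789, 0.37)
    shuffled = shuffle(plain, *key)
    for row in shuffled:
        print(row)
    print("recovered:", unshuffle(shuffled, *key) == plain)
```

Because this phase only moves pixels, the shuffled image has exactly the histogram of the plain image; changing the pixel-value distribution is left to the masking phase.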

The Masking Phase
In this section, we use sequences generated using Rule C to mask the entries of the matrix resulting from the permutation phase. More precisely, we split the shuffled matrix of size m × n into four 1-dimensional arrays R, G, B, and Y of equal length, then use four sequences generated using Rule C to mask these arrays. We further apply some mixing between the entries of the four resulting arrays initiated with four random numbers to make any tiny change in the plain image spread throughout the masked matrix. Finally, we shuffle the masked matrix using the permutation phase with $r_1 = 1$ and reshape the resulting matrix to M × (N + 1) × L matrix representing the cipher image C. The increase in the size of the cipher image with respect to that of the padded plain image by one column results from the introduction of four random numbers in the masking phase. Even without the padding phase, these random numbers make the encryption scheme possess the property that, with the same secret key, it generates distinct cipher images for any given plain image. Furthermore, these cipher images are random-looking in comparison with one another. Algorithm 5 provides a detailed description of the lossless masking phase.
Let R (0), G (0), B (0) and Y (0) be random nonzero bytes.
11 Generate a sequence V of ML − 4 random bytes.
12 Construct a sequence W by concatenation of R , G , B , Y and V.
13 Return $J_c$ obtained by reshaping W to size M × (N + 1) × L.
The decryption scheme is a straightforward reverse of the encryption scheme. That is, the decryption process is as follows: (i) reverse the permutation of the given cipher image once, (ii) unmask the resulting image, and (iii) reverse the permutation of the unmasked image, unpad and reshape it to the size of the plain image. Due to the simplicity of the permutation phase, we omit the steps of the reverse permutation phase and give a detailed description of the lossless unmasking phase in Algorithm 6. The increase in the size of the cipher image with respect to that of the padded plain image by one column leads to lossless reconstruction of the plain image. Nonetheless, we can generate a cipher image of the same size as its corresponding padded plain image. However, the resulting decrypted image differs from the plain image in at most four positions, which can be negligible depending on the application. Note that, as the missing pixels can be easily located in the reconstructed image, they can be assigned to their neighboring pixels. Algorithms 7 and 8 present the masking and unmasking phases of the lossy encryption scheme, respectively.
Let R (0), G (0), B (0), and Y (0) be random nonzero bytes.

Efficiency of the Proposed Scheme
To showcase the efficiency of the proposed image encryption scheme, we subject a number of test images, including a blank image, to the permutation phase and masking phase of the proposed encryption scheme with β = 0 (no padding). Figure 5 depicts the plain images and their corresponding shuffled images and cipher images. The cipher image corresponding to the blank image of size 2048 × 2048 appears random, hence we omit it. Throughout this paper the number of rounds in Algorithm 3 are $r_1 = 3$ and $r_2 = 1$.

Running Speed
This section reports the running speed of the proposed image encryption scheme. Table 2 reports the running times for generating cipher images corresponding to plain images of different sizes. These results are obtained using MATLAB R2021b on a desktop machine with an Intel® Core™ i5-8500 processor and 8 GB of memory, running Windows 10. Furthermore, Figure 6 depicts the running times for encrypting plain images of different sizes using the proposed scheme. The processing time of the proposed scheme can be improved if implemented using a lower level programming language such as assembly and machine code.

Statistical Analysis
This section evaluates the efficiency of the proposed image encryption scheme through the following statistical tests: histogram analysis, correlation of adjacent pixels analysis, and entropy measure analysis. We further subject resulting cipher images to the Statistical Test Suite (STS) [44] proposed by the National Institute of Standards and Technology (NIST), which is one of the most used suites for evaluating the randomness of random number generators. Moreover, the security of the proposed image encryption scheme is demonstrated through the following security tests: keyspace analysis, key sensitivity analysis, differential analysis, chosen-plain image analysis, data loss analysis, and additive noise analysis. To make a fair judgment on the performance of the proposed scheme against statistical and security tests, cipher images generated in these sections correspond to unpadded plain images (i.e., with β = 0).

Histogram Analysis
The aim of this test is to demonstrate that the pixel values of cipher images generated by the proposed scheme are uniformly distributed in the interval [0, 255]. Hence, they do not reveal any useful information about their corresponding plain images. Figure 7 depicts the histograms of the two grayscale plain images Lena and Elaine and their corresponding cipher images. It is evident that the histogram of each cipher image is almost flat (i.e., similar to that of a truly random image). The histograms of the remaining cipher images, including the cipher image corresponding to the blank image, show similar behavior. Hence, we omit them.

Correlation Analysis
Meaningful images usually possess high correlation between adjacent pixels in all three directions (horizontal, vertical, and diagonal). Hence, one can gain some information about their contents. The purpose of this test is to show that the proposed image encryption scheme destroys any correlation between adjacent pixels in all three directions. We consider the plain test images and their corresponding shuffled and cipher images. We then randomly choose = 10,000 pairs of adjacent pixels x and y in the horizontal, vertical, and diagonal directions from each image, respectively. The correlation coefficient between {x i } i=1 and {y i } i=1 is defined as where $\mu_x$ and $\mu_y$ are the mean values of x and y, respectively; $\sigma_x$ and $\sigma_y$ are their standard deviations, and E[·] is the expected value.
It is evident from Table 3 that cipher images (as well as shuffled images) generated by the proposed scheme are almost free of any correlation between adjacent pixels in all three directions (horizontal, vertical, and diagonal). The correlation of adjacent pixels in each of the three directions (horizontal, vertical, and diagonal) in the plain images and their corresponding shuffled and cipher images can be visualized by plotting randomly chosen pairs of adjacent pixels (x, y) in the horizontal, vertical, and diagonal directions in each image. Figure 8 shows plots of = 10,000 randomly chosen adjacent pixels (x, y) in the horizontal, vertical, and diagonal directions of the grayscale plain image Lena, its shuffled image, and the cipher image. It is evident that the plain image is highly correlated (i.e., most points are clustered along the line y = x), whereas the shuffled and cipher images are almost free of any correlation (i.e., the points are uniformly distributed in [0, 255] × [0, 255]). The plots of the remaining test images show similar behavior. Hence they are omitted.

Entropy Analysis
Entropy, which was introduced by Shannon [46], is the most significant measure of unpredictability. The entropy H(s) for a source s emitting $k = 2^8$ different symbols $s_1, s_2, \ldots, s_k$ is given by where $P(s_i)$ represents the probability of occurrence of $s_i$ in s. For a truly random image, the ideal value is H(s) = 8. Thus, if H(s) is not close to the ideal value 8, a certain degree of predictability exists. The purpose of this test is to show that cipher images generated by the proposed scheme have entropy measures very close to 8. Hence, they do not leak any information about the contents of their corresponding plain images.
Table 4 presents the entropy measures of the test images and their corresponding cipher images as well as those for a random image of size 512 × 512. It is evident that the entropy measures are very close to the ideal value. Furthermore, Table 4 presents the average entropy measure of B × B blocks of the plain images and their corresponding cipher images, where B = 32, 64, and 128. Despite the low entropy measures values, which are due to the small block size of the sources, the obtained measures of cipher images are similar to those of truly random images. Figure 9 depicts histograms of the entropy measures of 64 × 64 blocks of a cipher image generated using the proposed scheme from a 4096 × 4096 black plain image. Based on the obtained results, we conclude that the proposed scheme is robust against entropy analysis attacks.

Randomness Analysis
In this section, we use the statistical test suite released by NIST [44] to demonstrate that cipher images generated by the proposed scheme possess very good randomness properties and cannot be distinguished from truly random images. Table 5 presents the test results for two 2048 × 2048 × 3 cipher images corresponding to a meaningful image and a blank image, where each image is processed as one hundred sequences of length exceeding $10^6$ bits. It is evident that the pass rate for each test is greater than the minimum pass rate of 96%.

Security Analysis
This section evaluates the security of the proposed image encryption scheme through the following security tests: keyspace analysis, key sensitivity analysis, differential analysis, chosen-plain image analysis, data loss analysis, and additive noise analysis.

Key Space
The proposed image encryption scheme consists of three rounds of the permutation phase and one round of the masking phase followed by one round of the permutation phase. Each round of the permutation phase and masking phase requires two double precision numbers for the initial conditions of the two chaotic maps and two more for their control parameters. Hence, if different initial conditions and control parameters are used for each round, we require 20 double precision numbers. When 64-bit doubles are used, under the assumption that the computational precision for the 64-bit doubles is approximately $10^{-14}$, the keyspace of the proposed scheme has size approximately $(10^{14})^{20} = 10^{280}$ > 2 1289 . Thus, the keyspace is large enough to render brute-force attacks infeasible.

Differential Analysis
An image encryption scheme is considered robust against differential attacks if it is sensitive to its input image. That is, two cipher images corresponding to two plain images with slight difference appear to be random in comparison. This property is sought after in the design of image encryption schemes as a crucial security requirement. In this section, we evaluate the strength of the proposed image encryption scheme against differential attacks using two common similarity measures in image encryption, namely, the number of pixels change rate (NPCR) and unified average changing intensity (UACI) [47]. Given two M × N × L images $C_1$ and $C_2$, their NPCR and UACI measures are given by where The ideal NPCR and UACI measures [47] are × 100% ≈ 99.6094%, and Furthermore, Wu et al. [47] provide acceptance intervals for the null hypothesis with significance level α = 0.001 for both measures. These intervals are presented in Table 6.
We evaluate the strength of the proposed image encryption scheme against differential attacks by measuring the impact of a single least significant bit in the input plain image on the generated cipher image. More specifically, using the same secret key, let $C_1$ and $C_2$ denote cipher images corresponding to two plain images $P_1$ and $P_2$ differing in a single least significant bit. Our target is to show that the NPCR and UACI measures are within the acceptance intervals presented in Table 6. For each test image, we repeat this test 100 times, where in each time we flip the least significant bit of a randomly chosen pixel of the original image $P_1$ to get a modified image $P_2$. Among the randomly chosen pixels are the first and the last pixels. Figure 10 depicts the resulting NPCR and UACI measures for the three test images color Lena, Lena, and Elaine as well as a Blank image of size 512 × 512. Furthermore, Table 7 reports the mean of the 100 NPCR measures and that of the 100 UACI measures for each test image. On the basis of the obtained measures, we conclude that the generated cipher images are random-like in comparison. Hence, the proposed image encryption scheme has a strong ability against differential attacks.
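The measures used in the correlation, entropy and differential analysis sections, as an added Python example (not the authors' MATLAB code) built on the standard definitions of Shannon entropy, the correlation coefficient, NPCR and UACI. The gradient image and the seeded pseudorandom images are constructed stand-ins for a plain image and for cipher images, and all adjacent pairs are used rather than a random sample of 10,000.

```python
import math
import random


def flatten(img):
    return [v for row in img for v in row]


def entropy(pixels):
    """Shannon entropy (bits per symbol) of a flat sequence of byte values."""
    counts = [0] * 256
    for v in pixels:
        counts[v] += 1
    total = len(pixels)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def block_entropy(img, b):
    """Mean entropy of the non-overlapping b x b blocks of a 2-D image."""
    m, n = len(img), len(img[0])
    values = []
    for r in range(0, m - b + 1, b):
        for c in range(0, n - b + 1, b):
            block = [img[i][j] for i in range(r, r + b) for j in range(c, c + b)]
            values.append(entropy(block))
    return sum(values) / len(values)


def adjacent_correlation(img, direction):
    """Correlation coefficient of adjacent pixels.

    direction: 'h' (right neighbour), 'v' (lower), 'd' (lower-right).
    Returns NaN for a constant image such as a blank one (zero variance).
    """
    dr, dc = {"h": (0, 1), "v": (1, 0), "d": (1, 1)}[direction]
    m, n = len(img), len(img[0])
    xs = [img[r][c] for r in range(m - dr) for c in range(n - dc)]
    ys = [img[r + dr][c + dc] for r in range(m - dr) for c in range(n - dc)]
    k = len(xs)
    mx, my = sum(xs) / k, sum(ys) / k
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / k
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs) / k)
    sy = math.sqrt(sum((y - my) ** 2 for y in ys) / k)
    if sx == 0 or sy == 0:
        return math.nan
    return cov / (sx * sy)


def npcr_uaci(c1, c2):
    """NPCR and UACI, in percent, between two equal-size byte images."""
    a, b = flatten(c1), flatten(c2)
    if len(a) != len(b):
        raise ValueError("images must have the same size")
    npcr = 100.0 * sum(x != y for x, y in zip(a, b)) / len(a)
    uaci = 100.0 * sum(abs(x - y) for x, y in zip(a, b)) / (255 * len(a))
    return npcr, uaci


def gradient_image(m, n):
    """Constructed smooth image standing in for a meaningful plain image."""
    return [[(2 * r + 2 * c) % 256 for c in range(n)] for r in range(m)]


def random_image(m, n, seed):
    """Constructed pseudorandom image standing in for a cipher image."""
    rng = random.Random(seed)
    return [[rng.getrandbits(8) for _ in range(n)] for _ in range(m)]


if __name__ == "__main__":
    plain = gradient_image(64, 64)
    c1, c2 = random_image(64, 64, 1), random_image(64, 64, 2)
    for name, img in (("plain", plain), ("cipher-like", c1)):
        corr = [round(adjacent_correlation(img, d), 4) for d in "hvd"]
        print(name, "entropy", round(entropy(flatten(img)), 4),
              "32x32 blocks", round(block_entropy(img, 32), 4), "corr h/v/d", corr)
    print("NPCR, UACI:", npcr_uaci(c1, c2))
```

For random byte images NPCR and UACI should land near 99.6094% and about 33.46%, and the block entropy comes out below the whole-image entropy, which is the small-block effect noted in the entropy analysis.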

Key Sensitivity Analysis
This section demonstrates the high sensitivity of the proposed image encryption scheme to its secret key. This sensitivity is inherited from that of the chaotic quadratic map and skew-tent map.
Suppose C 1 and C 2 are two cipher images resulting from encrypting the plain image Lena using secret keys K 1 and K 2 that differ slightly. Figure 11 depicts the bitwise XOR of C 1 and C 2 with K 1 and K 2 differing by 10^−14 in one initial condition of its chaotic engine and those encrypted with K 1 and K 2 differing by 10^−14 in one control parameter of its chaotic engine. Furthermore, Table 8 presents the NPCR measures and UACI measures between the encryption of Lena by K 1 (i.e., C 1 ) and each of those encrypted using K 2 and K 2 , which we refer to by C 2 and C 2 , respectively. These results demonstrate the high sensitivity of the proposed image encryption scheme to its secret key. Furthermore, we demonstrate that even with the exact secret key, cipher images generated by the proposed scheme are random-looking in comparison with one another. Figure 12 reports the NPCR and UACI measures for all possible pairs of 50 cipher images corresponding to the plain image Lena generated by the proposed scheme. Based on the reported results, we conclude that the cipher images look random in comparison with each other.

Robustness to Common Attacks
A chosen-plain image attack is one of the common attacks on image encryption schemes. In this attack, the cryptanalyst is assumed to have access to the encryption scheme and can obtain the corresponding cipher image for any plain image. His goal is to derive information about the secret key or derive information on a targeted plain image from its corresponding cipher image without knowing the secret key. In this scenario, the cryptanalyst may choose a blank (all black or all white) image and attempt to recover the generated pseudorandom sequences used in the encryption process. In existing image encryption schemes, there is a trade-off between robustness to chosen-plain image attack and common image processing operations. Because the proposed scheme generates different random-looking cipher images for the same plain image and secret key, chosen-plain image attacks become ineffective. Even for an all-zero image, the amount of padding with random numbers makes the proposed scheme robust to the attack proposed in [26]. Hence, the proposed scheme is robust to chosen-plain image and known-plain image attacks.

Robustness against Common Image Processing Operations
In this section, we study the robustness of the proposed image encryption scheme against common image processing operations such as cropping and noise.

Cropping
To investigate the robustness of the proposed scheme against cropping attacks, we consider a cipher image corresponding to the plain image Lena of size 512 × 512. We crop part of the cipher image and attempt to reconstruct the plain image. Figure 13 presents reconstructed plain images (after median filtering) resulting from cipher images cropped by 10% and 25%, as well as at scattered positions. The PSNR values between the plain image and the reconstructed images are 26.3605, 17.0204, and 29.2497, respectively.

Noise Addition
To evaluate the robustness of the proposed scheme against common noise attacks, we subject a cipher image corresponding to the plain image Lena to various levels of image noise such as salt and pepper noise, speckle noise, Gaussian noise, and Poisson noise. Figure 14 presents reconstructed images resulting from subjecting cipher images of Lena to different types of noise. Furthermore, Table 9 reports the PSNR values between the original image Lena and the reconstructed images.

JPEG Compression
In this section, we compress a cipher image corresponding to the plain image Lena and attempt to reconstruct it with the decryption scheme. Figure 15 presents reconstructed images corresponding to cipher images compressed with different quality factors. Furthermore, Table 10 presents the PSNR values between the original image Lena and the reconstructed ones. It is evident that the reconstructed images are recognizable. It can also be shown that the scheme is robust against histogram equalization. The PSNR value between the original image Lena and its corresponding attacked cipher image is 33.3843. Hence, one cannot distinguish between the original image and the reconstructed one by the naked eye.
On the basis of the obtained results, the proposed image encryption scheme is robust against common image processing operations.

Comparison with Existing Work
In this section, we compare the performance of the proposed scheme with state-of-the-art image encryption schemes [4,6-13,15,16]. Table 11 reports correlation coefficients, entropy, NPCR, and UACI measures of cipher images generated by the proposed image encryption scheme and existing schemes using the 256 × 256 grayscale Lena as the plain image. The running speed of any encryption scheme depends on many factors, including the CPU, memory size, operating system, programming language, and compiler. Therefore, it is unfair to make a comparison between different image encryption schemes under different environments. Nonetheless, to get insight into the time complexity of the proposed scheme with respect to existing schemes, we compare the performance of the proposed scheme with existing ones using the encryption throughput (ET) and number of cycles per byte (NCB) defined in [48]. Table 12 reports the running speed of the schemes under comparison. On the basis of the reported results in Tables 11 and 12, it is evident that the proposed scheme has superiority over existing schemes and is competitive with others. In particular, it is evident in Table 12 that, in addition to security improvements, the proposed scheme has much better running speed among its peers. Although the proposed scheme seems slow for encrypting 4K video streams (for example), it is understood that the level of security provided here is much higher than what is required of a video streaming service.

Conclusions
In this paper, we propose a probabilistic lossy or lossless image encryption scheme based on a chaining mode of chaotic maps in a permutation-masking mechanism. The scheme improves existing image encryption schemes by using random numbers in its masking phase so that any slight change in the plain image spreads throughout the corresponding cipher image. Furthermore, with the same secret key, the scheme generates distinct cipher images for any given plain image. Moreover, these cipher images are random-looking in comparison with one another. Simulation results confirm that the proposed scheme is robust to common statistical and security attacks. In comparison with existing work, the scheme is shown to be competitive with state-of-the-art image encryption schemes.

Figure 1. Overview of the proposed image encryption scheme.

Figure 2. The bifurcation diagram of the quadratic map (left), and its Lyapunov exponents (right).

Figure 3. The bifurcation diagram of the skew-tent map (left), and its Lyapunov exponents (right).
Algorithm 3: The (lossless) encryption scheme
Data: Plain image P of size M × N × L
Data: Secret key K
Data: Random number β
Result: Cipher image C 1 N ← 4 1

Algorithm 4: The permutation phase of the proposed scheme
Data: Padded input image P of size M × N × L
Data: Number of rounds r 1
Data: Initial states x 0 , y 0 and control parameters µ, p from secret key K
Result: Shuffled image J s
1 Reshape P to an almost square m × n matrix I.
2 T ← I
3 for i = 1 to r 1 do
4 Using Rule C, generate two sequences S and S of lengths m and n, respectively.

Algorithm 5: The masking phase of the lossless encryption scheme
Data: Shuffled image J s of size M × N × L
Data: Initial states x 0 , y 0 and control parameters µ , p from secret key K
Data: Number of rounds r 2
Result: Masked image J c
1 Generate a sequence S of length t = MN L using Rule C.
2 Populate sequences S 1 , S 2 , S 3 and S 4 each of length η = t/4 by elements of 256S .
3 Populate sequences R, G, B and Y each of length η by elements of J s .
4 for j = 1 to r 2 do
5

Algorithm 6: The unmasking phase of the lossless decryption scheme
Data: Masked image J c of size M × (N + 1) × L
Data: Initial states x 0 , y 0 and control parameters µ , p from secret key K
Data: Number of rounds r 2
Result: Unmasked image J d
1 Generate a sequence S of length t = MN L using Rule C.
2 Populate sequences S 1 , S 2 , S 3 and S 4 each of length η = t/4 by elements of 256S .
3 Populate sequences R , G , B and Y each of length η + 1 by elements of J c .
4 for j = 1 to r 2 do
5 for i = η down to 1 do
6
10 Construct a sequence W by concatenation of R, G, B and Y.
11 Return J d obtained by reshaping W to size M × N × L.

Algorithm 7: The masking phase of the lossy encryption scheme
Data: Shuffled image J s of size M × N × L
Data: Initial states x 0 , y 0 and control parameters µ , p from secret key K
Data: Number of rounds r 2
Result: Masked image J c
1 Generate a sequence S of length t = MN L using Rule C.
2 Populate sequences S 1 , S 2 , S 3 and S 4 each of length η = t/4 by elements of 256S .
3 Populate sequences R, G, B and Y each of length η by elements of J s .
4 for j = 1 to r 2 do
5
η i=1 , and {Y (i)} η i=1 to construct a sequence W.
12 Return J c obtained by reshaping W to size M × N × L.

Algorithm 8: The unmasking phase of the lossy decryption scheme
Data: Masked image J c of size M × N × L
Data: Initial states x 0 , y 0 and control parameters µ , p from secret key K
Data: Number of rounds r 2
Result: Unmasked image J d
1 Generate a sequence S of length t = MN L using Rule C.
2 Populate sequences S 1 , S 2 , S 3 and S 4 each of length η = t/4 by elements of 256S .
3 Populate sequences R , G , B and Y each of length η by elements of J c .
4 for j = 1 to r 2 do
5 for i = η down to 2 do
6
10 R(1) ← 128
11 G(1) ← 128
12 B(1) ← 128
13 Y(1) ← 128
14 Construct a sequence W by concatenation of R, G, B, and Y.
15 Return J d obtained by reshaping W to size M × N × L.

Figure 5. Test images of different sizes and their corresponding shuffled and cipher images.

Figure 8. Point plots of = 10,000 adjacent pairs of pixels chosen randomly in the horizontal (left), vertical (middle), and diagonal (right) directions in the grayscale plain image Lena (top), shuffled image (middle), and cipher image (bottom).

Figure 11. Bitwise XOR between two cipher images C 1 and C 2 resulting from encrypting the Lena image using the proposed scheme with keys K 1 and K 2 (left) and K 1 and K 2 (right).

Algorithm 1: Wu et al.'s encryption scheme
Data: Color plain image P of size m × n × 3
Data: Secret key K
Result: Cipher image J c
1 Let R 0 , G 0 , B 0 denote the red, green and blue channels of P.
2 Stitch R 0 , G 0 , B 0 together to form a grayscale image P of size m × 3n.
3 Shuffle P using Equation (2) for t rounds.
4 Split the resulting shuffled image into three sequences R, G, and B.
5 for i ∈ {1, 2, 3} do
6
n matrices R e , G e and B e , respectively.
19 Return the cipher image J c formed with R e , G e and B e as its RGB channels.

Algorithm 1 presents Wu et al.'s encryption scheme. Throughout the paper, ⊕ denotes bitwise XOR operation, and all calculations are carried out in Z 256 .

Table 1. STS results for 100 sequences of integers in [0, 255], each of length 10^6 bits, generated using the chaining rule in Algorithm 2. According to the STS documentation, a minimum pass rate for each statistical test is 96%.

Table 2. The running times for generating cipher images using the proposed scheme.

Table 3. Correlation coefficients of adjacent pixels in different test images and their corresponding shuffled and cipher images.

Table 4. Average block entropy of various plain images and their corresponding cipher images. Entropy histogram of 64 × 64 blocks of a cipher image generated using the proposed scheme from a 4096 × 4096 black plain image.

Table 5. Results of the STS [44] for two 2048 × 2048 × 3 cipher images corresponding to a meaningful image and a blank image generated by the proposed scheme.

Table 7. Plots of the NPCR and UACI measures between cipher images corresponding to plain images differing in one least significant bit. Means of the NPCR and UACI measures.

Table 8. NPCR and UACI measures between the cipher images resulting from different keys.
The NPCR and UACI measures of pairs of cipher images corresponding to the Lena image generated by the proposed scheme using the same secret key.

Table 9. PSNR values between the plain image Lena and the reconstructed image after noise attacks on corresponding cipher images.

Table 10. PSNR values between the plain image Lena and the reconstructed images after JPEG compression with different quality factors.

Table 11. Comparison with existing schemes.

Table 12. Comparison with existing schemes based on time complexity.