Cryptanalysis and Improved Image Encryption Scheme Using Elliptic Curve and Affine Hill Cipher

Abstract

In the present era of digital communication, secure data transfer is a challenging task in the case of open networks. Low-key-strength encryption techniques incur enormous security threats. Therefore, efficient cryptosystems are highly necessary for the fast and secure transmission of multimedia data. In this article, cryptanalysis is performed on an existing encryption scheme designed using elliptic curve cryptography (ECC) and a Hill cipher. The work shows that the scheme is vulnerable to brute force attacks and lacks both Shannon’s primitive operations of cryptography and Kerckchoff’s principle. To circumvent these limitations, an efficient modification to the existing scheme is proposed using an affine Hill cipher in combination with ECC and a 3D chaotic map. The efficiency of the modified scheme is demonstrated through experimental results and numerical simulations.

1. Introduction

Modern day technology is highly interlinked with digital communication over the internet, however, the privacy of data during transmission is a highly important issue. For instance, when using multimedia for e-business, military organization, medical purposes, education, meteorology, space organization, etc., privacy and security are of the utmost interest [1]. Thus, due to the immense threat posed by hackers and hacking tools, there is an ongoing need for efficient cryptographic techniques to protect sensitive information provided over open network channels. In response to this need, a number of symmetric and asymmetric cryptographic techniques are in use to safeguard sensitive information. ECC is one of the newest and most popular asymmetric approaches used to support encryption techniques. The primary advantage of ECC lies in the fact that it is hard to solve the underlying elliptic curve discrete logarithm problem (ECDLP). Furthermore, owing to its shorter key length, ECC systems are more demanding and widely applicable. It is imperative to mention that the RSA system provides security with a 1024–3072 bit-length key, whereas ECC provides the same security with only a 160–256 bit-length key [2]. ECC has gained a respectable status among cryptographic researchers due to its low memory use, bandwidth savings, and lower power consumption in hardware implementations [3,4,5]. Digital images need to be securely transferred over communication channels while considering a reliable encryption scheme. Despite several advantages of ECC in image encryption, several issues must be considered before designing a cryptosystem, viz. key size, key space, and the chosen elliptic curve. The primary focus of encryption schemes is to enhance key strength in order to resist an exhaustive key search attack. If proper attention is paid when choosing elliptic curves, then the best known attacks are considerably weaker against solving ECDLP compared to the best algorithms for solving the discrete logarithm problem [6].

Recently, Dawahdeh et al. [7] proposed an encryption scheme combining the elliptic curve and Hill cipher techniques. This scheme is mainly intended to protect image data while ensuring fast transmission of highly correlated multimedia data. The idea underlying the said scheme is to change the Hill cipher technique from symmetric to asymmetric using the generated parameters of ECC to develop the secret key. However, there is a serious loophole in the existing scheme in the form of secret keys, which makes it vulnerable to brute force attacks.

The use of ECC in combination with other symmetric techniques has been widely used in image and text encryption schemes [2,8,9,10,11,12,13]. In [8], the authors presented an efficient cryptosystem using an elliptic curve over finite rings in combination with S-boxes. The scheme in [12] proposed text encryption that could encrypt any script with defined ASCII values by making use of elliptic curves. Moreover, in [9] the authors made use of elliptic curves to simultaneously encrypt and compress multimedia data. On the other side, for instance, in Khoirom et al. [14], used cryptanalysis against the scheme in [9] to expose the secret key from the public key. Furthermore, Abd El-Latif et al. [10] presented an algorithm using a chaotic map and the elliptic curve which, while it seemed difficult to hack due to the complex structure of key generators, was broken through cryptanalysis by Hong et al. [15]. In this paper, cryptanalysis of the scheme proposed in [7] is carried out, revealing that the strength of the secret key can be easily broken through an exhaustive key search. Due to the linearity of the Hill cipher, it is vulnerable against smaller key spaces. Furthermore, the same weaker secret key is used to generated the self-invertible matrix, and is used for both encryption and decryption.

In this work, we examine the security of the scheme in [7] and develop a corresponding efficient and improved version for greater security of image data. Keeping in mind that ECC and affine Hill ciphers are popular encryption techniques that can provide better performance and higher levels of security, we revamp the existing scheme by replacing the Hill cipher by an affine Hill cipher in the key domain of ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ and ${\mathbb{M}}_m\left({\mathbb{F}}_p\right)$. Furthermore, the confusion and diffusion architecture of the scheme is covered via a 3D Arnold map using ECC and bit-wise XOR operations. In addition, the chaotic behavior of this novel scheme makes it more efficient, unpredictable, and strong in resisting illicit hackers [16,17]. Thus, systems modified with chaotic maps shows more efficacy than the normal symmetric and asymmetric systems. It is appropriate to mention that higher-dimensional chaotic maps are known for their high quality of encryption. In this direction, a combination of a private and a public technique is used to design a secure algorithm for image encryption in the presence of higher-dimensional chaotic maps [18]. The numerical outcomes demonstrate the efficiency and stalwartness of the proposed scheme. Furthermore, detailed comparisons with existing schemes [7,9,10,13,19,20] serve to validate the higher efficiency and security of the proposed scheme.

The outline of the article is as follows: Section 2 presents the basic mathematical theories involved; Section 3 highlights the encryption scheme of the cryptosystem [7]; in Section 4, the cryptanalysis of the scheme [7] and its improvement are explained; and Section 5 presents a demonstration of the improved version. Finally, experimental analysis is carried out in Section 6, detailed numerical simulations are presented in Section 7, and the conclusions of the work are presented in Section 8.

2. Basic Theories

2.1. Mathematical Concept of Elliptical Curves

Let $q>3$ be a prime number, and let ${\mathbb{F}}_q$ be a field of integers modulo q. The elliptic curve $\mathbb{E}$ is an algebraic curve defined as the set of all pairs $(x,y)\in {\mathbb{F}}_q\times {\mathbb{F}}_q$ satisfying Equation (1), defined as follows:

$$\mathbb{E}:y^2=x^3+ax+b,$$

(1)

with an imaginary point at infinity denoted by $\mathcal{O}$, where, $a,b\in {\mathbb{F}}_q$ such that $4a^3+27b^2\not\equiv 0\left(\mathrm{mod}q\right)$. The discriminant condition indicates that the curve is non-singular, that is, it has no self-intersections or vertices. The set of all the points on the curve forms a finite Abelian group with $\mathcal{O}$ as an identity element. The elliptic curve over some finite field ${\mathbb{F}}_q$ is denoted by ${\mathbb{E}}_q(a,b)$ and is a special type of polynomial equation [2,6]. Elliptic curve operations such as point addition, point doubling, and point multiplication are discussed in [7], and examples of elliptic curves over $\mathbb{R}$ are shown in Figure 1.

Elliptic Curve Diffie–Hellman Key Exchange (ECDH) is an advanced analogy to Diffie–Hellman Key Exchange. In the modified proposed algorithm, the secret keys of a 3D Arnold map are shared through an ECDH scheme. The representation of key exchange can be performed similarly to the Diffie–Hellman protocol, and it is a relatively difficult task to find a suitable elliptical curve. The curve should satisfy certain conditions, as discussed above, in order achieve good security. The exchange of the key parameters between user A and user B can be achieved using the following steps ((i)–(v)):

(i)

Public element: Select an elliptic curve ${\mathbb{E}}_q(a,b)$ with the parameters $a,b\in {\mathbb{F}}_q$, with q a large prime of at least 160-bit length and a generator point G of order r, i.e., $rG=\mathcal{O}$ on the elliptic curve.

(ii)

User A Generate: Select a random private key ${\eta }_A\in [1,q-1]$ and calculate $P_A={\eta }_{A}G$

(iii)

User B Generate: Select a random private key ${\eta }_B\in [1,q-1]$ and calculate $P_B={\eta }_{B}G$

(iv)

User A calculate secret key:$K={\eta }_A\times P_B$

(v)

User B calculate secret key:$K={\eta }_B\times P_A$

2.2. Affine Hill Cipher

An affine Hill cipher is a classical symmetric cipher suitable for encryption schemes, and is defined as follows: $AX+B$, here $A\in {\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ and $B\in {\mathbb{M}}_m\left({\mathbb{F}}_p\right)$, are the secret key parameters of the same size as the generated blocks of X. The key elements of an affine Hill cipher are chosen from ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$, called a special linear group of matrices over some finite field ${\mathbb{F}}_p$, while ${\mathbb{M}}_m\left({\mathbb{F}}_p\right)$ is called a group of matrices over some finite field ${\mathbb{F}}_p$ of order m, and is used to provide a larger key space. Mathematically, ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ is a subgroup of a general linear group of matrices ${\mathbb{GL}}_m\left({\mathbb{F}}_p\right)$, and is defined in Equation (2):

$${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)=\{A\in {\mathbb{GL}}_m\left({\mathbb{F}}_p\right)|\det \left(A\right)=1\}.$$

(2)

with cardinality equal to

$$\begin{array}{c}\hfill |{\mathbb{SL}}_m\left({\mathbb{F}}_p\right)|=\frac{1}{p-1}\prod _{i=0}^{m-1}(p^m-p^i).\end{array}$$

Furthermore, the group of matrices over some finite field ${\mathbb{F}}_p$ is defined in Equation (3):

$${\mathbb{M}}_m\left({\mathbb{F}}_p\right)=\{A\in {\left[a_{i,j}\right]}_{m\times m}|a_{i,j}\in {\mathbb{F}}_p\},$$

(3)

with cardinality equal to

$$|{\mathbb{M}}_m\left({\mathbb{F}}_p\right)|=p^{m^2}.$$

The affine Hill cipher for block matrices of order $m\times m$ is defined in Equation (4):

$$E_{m\times m}=S_{m\times m}{B}_{m\times m}+M_{m\times m}\left(\mathrm{mod}256\right),$$

(4)

where, $S_{m\times m}\in {\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ and $M_{m\times m}\in {\mathbb{M}}_m\left({\mathbb{F}}_p\right)$ are the two key parameters, $B_{m\times m}$ is the original data block, and $E_{m\times m}$ is the encrypted block.

The 3D Arnold Map

The chaos 3D Arnold transform defined in Equation (5) is used by extending the classical 2D Arnold transform defined in Equation (6) [21]:

$$\left(\begin{array}{c}{x}^{\prime }\\ y^{\prime }\\ z^{\prime }\end{array}\right)=\left(\begin{array}{ccc}1& a_1& 0\\ a_2& a_1{a}_2+1& 0\\ a_3& a_4& 1\end{array}\right)\left(\begin{array}{c}x\\ y\\ z\end{array}\right)\mathrm{mod}\left(n\right),$$

(5)

$$\left(\begin{array}{c}{x}^{\prime }\\ y^{\prime }\end{array}\right)=\left(\begin{array}{cc}1& a_1\\ a_2& a_1{a}_2+1\end{array}\right)\left(\begin{array}{c}x\\ y\end{array}\right),$$

(6)

where, $(x^{\prime },y^{\prime },z^{\prime })$ are modified values and the parameters $a_1,a_2,a_3$ and $a_4$ are chosen from the curve ${\mathbb{E}}_p(a,b)$. The 3D Arnold map is chaotic in nature, and is one of the finest members of the higher-dimensional chaotic maps used for the scrambling process [22].

In this approach, dual encryption by Arnold transform is achieved by permutation and substitution. The transform is simplified, as defined in Equation (7):

$$\begin{gathered} \left(\begin{array}{c}{x}^{\prime }\\ y^{\prime }\end{array}\right)=\left(\begin{array}{cc}1& a_1\\ a_2& a_1{a}_2+1\end{array}\right)\left(\begin{array}{c}x\\ y\end{array}\right)\mathrm{mod}\left(n\right), \\ {z}^{\prime }=a_{3}x+a_{4}y+z\mathrm{mod}\left(m\right), \end{gathered}$$

(7)

where, n is the image size, m represents the gray levels, and $z^{\prime }$ is a one-dimensional array of length n used to further enhance the diffusion using bit-wise XOR operation.

3. Scheme Proposed by Dawahdeh et al. [7]

The scheme in [7] presents a cryptosystem designed through the ECC and Hill cipher technique. The secret key for a Hill cipher is obtained from ECC, and later an involuturay matrix is generated from the shared key to be used for both encryption and decryption [23]. Before encryption, both parties should agree on the elliptic curve parameters $\{q,a,b,G\}$, where, G is one of the generating points of the curve. The sender and receiver choose their private keys ${\eta }_A$, ${\eta }_B$ from the domain $[1,q-1]$, and can generate their corresponding public keys $P_A={\eta }_{A}G$ and $P_B={\eta }_{B}G$ over ${\mathbb{E}}_q(a,b)$, respectively. The encryption scheme in [7] is described through Algorithms 1 and 2.

Algorithm 1: Elliptic curve key generation over some ${\mathbb{E}}_q(a,b)$.

▹ Input:$\{{\eta }_A,q,a,b,P_B,G\}$ ▹ Output:$(a_1,a_2,a_3,a_4)$  1. Compute $(x,y)\leftarrow {\eta }_A{P}_B$; // Elliptic curve operation  2. Compute $(a_1,a_2)\leftarrow xG=(x_1,y_1)$; // Elliptic curve operation  3. Compute $(a_3,a_4)\leftarrow yG=(x_2,y_2)$; // Elliptic curve operation  4. Generate $K=\left[\begin{array}{cc}{a}_1& a_2\\ a_3& a_4\end{array}\right]$;

Algorithm 2: Encryption algorithm of the scheme [7].

4. Cryptanalysis and Improvement

Cryptanalysis is the breakdown of codes through different cryptanalytic attacks. The hardness of ECC lies in ECDLP, as solving such an algorithm is computationally infeasible. The authors convert the Hill cipher technique from symmetric to asymmetric in order to operate the scheme using a shared secret key. The scheme in [7] suggests large primes for higher security of the shared key $(x,y)$ over ${\mathbb{E}}_q(a,b)$. The ordered pairs $xG=(x_1,y_1)$ and $yG=(x_2,y_2)$ are generated over ${\mathbb{E}}_q(a,b)$ to form the key matrix $K_m$, which is vulnerable and could be collapsed by a brute force attack.

4.1. Brute Force Attack on the Scheme in [7]

A brute force attack is a classical cryptanalysis approach which tests all the possible sets of keys by treating the encryption method as a black box [6]. The security of the scheme in [7] lies in $xG$ and $yG$. Because Equation (8) reveals the same results for large primes q,

$$\left[K_m\left(\mathrm{mod}q\right)P^i\right]\left(\mathrm{mod}256\right)\equiv K_m{P}^i\left(\mathrm{mod}256\right).$$

(8)

As $K_m$ is generated from K and $P^i$ is the plain text block, this implies that it is only necessary to to find $x_i,y_i;i=1,2$ under modulo 256. Because each parameter is eight bits, a total possible choice to find through exhaustive key search is of length $2^{32}$, i.e., only 4,294,967,296 matrices of order 2, which is vulnerable to brute force attacks through modern high-speed technology. To resist such a brute force attack, the key space of the image encryption scheme should be larger than $2^{128}$ [24,25]. Thus, the brute force attack can successfully estimate 56–64 bit length within a few hours or a day [6]. Even the COPACOBANA (Cost-Optimized Parallel Code Breaker) machine can break such an algorithm in less than a day, and its computational power is up to 64 bits [26]. Jack, in [27], breaks down the Hill cipher for $n=2$ with an IBM 650 machine, and finds it impractical and highly complex for higher values of n. The same is the case here; the only unknowns are $x_i,y_i;i=1,2$ under modulo 256 of bit length $2^{32}$, and no confusion of pixel values is present, thus, such a system can possibly hacked or collapsed through contemporary high-speed technology.

4.2. Improvement

The limitations of the scheme are that it lacks the confusion property and smaller key space. Thus, the scheme can be upgraded to include the confusion and diffusion properties with an enlarged key space in order to fill the accessible gap of the extant scheme [7].

A modified and improved version of the existing scheme is presented using ECC and an affine Hill cipher in a chaotic environment to adjust the major limitations of the scheme in [7]. To extend the key space, a group of involuntary matrices are replaced by a ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ and ${\mathbb{M}}_m\left({\mathbb{F}}_p\right)$ domain over some finite field ${\mathbb{F}}_p$ to achieve a higher level of diffusion in the scheme. Furthermore, a chaos map is employed in the scheme to scramble all the positions of the image by choosing the key parameters from the public domain ${\mathbb{E}}_q(a,b)$.

5. Proposed Methodology of the Improved Scheme

An improved encryption scheme is proposed to secure communication of images over public channels. In this scheme, $4\times 4$ blocks are generated from the original image matrix and then diffused by an affine Hill cipher using the key matrices chosen from ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ and ${\mathbb{M}}_m\left({\mathbb{F}}_p\right)$, where, $m=4$ and p are a prime number of at least 8 bits in length. Furthermore, the key parameters for the chaotic map are generated from the chosen elliptic curve ${\mathbb{E}}_q(a,b)$ over some finite field ${\mathbb{F}}_q$ to scramble the position of pixels, and over the scrambled values a bit-wise XOR operation is performed with the generated Arnold map sequence, as discussed in Algorithm 3.

Algorithm 3:Proposed encryption scheme.

6. Experimental Results

The results described in this section were obtained in Matlab 2020a with a Core-i3 supporting environment with 4 GB RAM on a Windows 7 system. The images were chosen from USC-SIPI databases. The experimental results are shown in Figure 2, Figure 3 and Figure 4.

7. Security Analysis

7.1. Key Space Analysis

The key space is the set of all possible choices that can be used to encrypt an image. Thus, schemes with a larger key space support greater robustness against exhaustive key search attacks. In the proposed scheme, factors supporting the key space are the elements of ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$, ${\mathbb{M}}_m\left({\mathbb{F}}_p\right)$, and the parameters of the Arnold map shared through ECC. The total for the key space is summarized below:

• The choices for ${\mathbb{SL}}_m\left({\mathbb{F}}_p\right)$ during the encryption process are defined as follows:

  $$|{\mathbb{SL}}_m\left({\mathbb{F}}_p\right)|=\frac{1}{p-1}\prod _{i=0}^{m-1}(p^m-p^i).$$

  (9)
• ${\mathbb{M}}_m\left({\mathbb{F}}_p\right)$ works as an additive key element in the affine Hill cipher, with possible choices $p^{m^2}$.
• The publicly shared parameters for the Arnold map through ECC can be reduced up to ${256}^4$ choices.

Thus, the size of generalised key space is defined by Equation (10):

$$\begin{array}{c}|{\mathbb{SL}}_m\left({\mathbb{F}}_p\right)\left|\right|{\mathbb{M}}_m\left({\mathbb{F}}_p\right)|\left({256}^4\right)=\left(\frac{1}{p-1}\prod _{i=0}^{m-1}(p^m-p^i)\right)\left(p^{m^2}\right)\left({256}^4\right).\end{array}$$

(10)

The keyspace defined in Equation (10) is strong enough against brute force attacks. For experimental results, we have chosen $m=4$ and $p=223$, for an approximate key space of ${10}^{82}=2^{272}$, which is large enough to resist brute force attacks. Thus, the scheme is be appropriate for secure communication purposes.

7.2. Key Sensitivity

After achieving confusion and diffusion in a scheme, the sensitivity of keys is necessary to check the security of an algorithm. In this scheme, the sensitivity of an algorithm is checked in the worst-case scenario when parameters are 99% known with a bit change in key parameters. The sensitivity results for different cases of the algorithm are shown in Figure 5 and Figure 6, and are sufficient to support the sensitivity of the algorithm. The change in 3D Arnold key parameters at both stages of confusion through shuffling and the diffusion through XOR operation are shown in Figure 5c,d and Figure 6c,d. Furthermore, a marginal change in multiplicative parameters are shown in Figure 5e and Figure 6e and the additive parameters of the affine Hill cipher are shown in Figure 5f and Figure 6f.

7.3. Histogram Analysis

A histogram analysis is a graphical representation between pixel values and the intensity values of the data to present the frequency distribution information. A secure and good encryption scheme produces the evenly distributed data of the cipher images. The results of the test images are shown in Figure 7, Figure 8, Figure 9, Figure 10 and Figure 11. The distribution plot of the cipher images shows a uniform distribution, implying that the encrypted data are secure and that such an algorithm cannot leak information to outsiders.

Now, the uniformity of the data through the chi-square test can be ensured using Equation (11):

$${\chi }^2=\sum _{k=0}^{2^n-1}\frac{{({\mathcal{O}}_k-{\mathcal{E}}_k)}^2}{{\mathcal{E}}_k},$$

(11)

where, ${\mathcal{O}}_k$ and ${\mathcal{E}}_k=\frac{mn}{256}$ are the observed and expected frequency, respectively, of an image with size $mn$. At significance level $\alpha =1\%$ and $\alpha =5\%$ with 255 degrees of freedom, the critical chi-square values to pass the hypothesis uniformity are ${\chi }_{(0.01,255)}^2=310.4574$ and ${\chi }_{(0.05,255)}^2=293.2478$, respectively.

Table 1. ${\chi }^2$-values of the scheme.

Cipher Image	${\mathit{\chi }}^2$ Values				${\mathit{H}}_0$
	R	G	B	Average
Jet	284.2314	218.6172	232.1876	245.0120	accept
House	223.2356	286.2349	267.2496	258.9067	accept
Barbara	262.1451	258.2149	287.2350	269.1983	accept
Baboon	289.2571	267.8561	300.2225	285.7785	accept
Pepper	279.1311	297.2389	299.2314	291.8671	accept
Lady	252.1421	289.1563	301.4568	280.9184	accept

shows the chi-square values on a set of images at significance levels of 1% and 5%.

7.4. Correlation Analysis

Correlation refers to the relationship between adjacent pixels. Thus, in plain images a strong correlation among the pixels is found with a dense correlation graph, while in cipher images a low correlation among the adjacent pixels with an evenly distributed graph is found. The correlation for input and cipher images in the horizontal (H), vertical (V) and diagonal (D) directions is presented in Figure 12.

Furthermore, the correlation graphs of the images and their corresponding cipher images in different directions are shown in Figure 12. From Figure 12, it can be seen that the correlation graph of cipher images is uniformly distributed throughout the domain, with an ideal value of correlation coefficient in all directions shown in

Table 2. Correlation results for the input and cipher images.

Images	Input			Cipher
	H	V	D	H	V	D
Jet	0.9231	0.9568	0.9425	0.0002	−0.0024	0.0026
House	0.9654	0.9452	0.9624	−0.0019	0.0001	0.0029
Barbara	0.9568	0.9214	0.8745	0.0017	−0.0020	0.0047
Baboon	0.8469	0.8456	0.8989	0.0021	0.0011	0.0011
pepper	0.8548	0.8791	0.9399	0.0004	0.0019	0.0003
Lady	0.9269	0.9765	0.9578	0.0023	0.0041	0.0014

and

Table 3. Comparison results of the correlation coefficient with existing techniques.

Methods	Input			Cipher
	H	V	D	H	V	D
Proposed	0.9123	0.9207	0.9293	0.0008	0.0004	0.0021
Ref. [10]	0.9473	0.9544	0.9122	0.0010	0.0017	0.0125
Ref. [13]	0.9326	0.9624	0.9097	0.0035	−0.0040	−0.0410
Ref. [19]	0.9487	0.8994	0.8734	0.0000	0.0004	−0.0009
Ref. [20]	0.9677	0.9829	0.9532	0.0719	−0.3188	−0.0017

. The equation used to calculate the correlation coefficient value is taken as given in Equation (12).

$$r_{xy}=\frac{\mathrm{cov}(x,y)}{\frac{1}{N}\sqrt{{\sum }_{i=1}^N{[x_i-E\left(x\right)]}^2{\sum }_{i=1}^N{[y_i-E\left(y\right)]}^2}},$$

(12)

where,

$$\mathrm{cov}(x,y)=\frac{1}{N}\sum _{i=1}^N[x_i-E\left(x\right)][(y_i-E\left(y\right)],$$

(13)

and

$$E\left(x\right)=\frac{1}{N}\sum _{i=1}^N{x}_i,$$

(14)

where, N is number of pixels, $E\left(x\right)$ is the expectation, and $D\left(x\right)$ is the variance.

7.5. Quality Measure

The parameters used to measure the quality between plain images and cipher images are as follows [19].

7.5.1. Mean Square Error (MSE)

The MSE is calculated between the input and the output image using Equation (15). The results shown in

Table 4. Quality measures between input images and output images.

Images	MSE			PSNR			SSIM
	R	G	B	R	G	B	R	G	B
Jet	$4.192\times {10}^4$	$7.180\times {10}^4$	$8.993\times {10}^3$	8.145	7.547	7.128	0.002	0.005	0.005
House	$9.941\times {10}^3$	$6.120\times {10}^4$	$8.973\times {10}^3$	8.254	8.548	8.489	0.001	0.000	0.001
Barbara	$1.257\times {10}^4$	$9.180\times {10}^3$	$7.257\times {10}^4$	8.189	9.512	8.178	0.009	0.006	0.008
Baboon	$9.256\times {10}^3$	$8.595\times {10}^3$	$8.980\times {10}^4$	6.235	7.249	6.954	0.006	0.001	0.003
Pepper	$8.120\times {10}^4$	$1.235\times {10}^4$	$4.985\times {10}^3$	9.517	8.865	8.562	0.002	0.000	0.002
Baboon	$9.456\times {10}^3$	$8.156\times {10}^3$	$9.562\times {10}^3$	7.214	9.121	8.128	0.001	0.002	0.001

support the robustness of the proposed algorithm:

$$\mathrm{MSE}=\frac{1}{NM}\sum _i^N\sum _j^M(I_p(i,j)-I_c(i,j)),$$

(15)

where, $I_p$ and $I_c$ are the input and output image, respectively, of size $NM$.

7.5.2. Peak Signal to Noise Ratio (PSNR)

PSNR is a quality measure between input and output images using Equation (16). A good level of encryption is identified when PSNR is less than 10 db. The calculated test values of PSNR are demonstrated in Table 4:

$$\mathrm{PSNR}=10{log}_{10}\left(\frac{2^n-1}{\mathrm{MSE}}\right),$$

(16)

where, n is the bits per pixel and MSE is as defined in Equation (15).

7.5.3. Structural Similarity Index (SSIM)

The SSIM is a measure of the input and output image that checks the quality of the encryption algorithm. The SSIM values should be approximate to zero for the output images for a secure algorithm, and can be calculated using Equation (17), defined below:

$$\mathrm{SSIM}(\mathrm{p},\mathrm{c})=\frac{(2{\mu }_p{\mu }_c+c)(2{\sigma }_{pc}+c^{\prime })}{({\mu }_p^2+{\mu }_c^2+c)({\sigma }_p^2+{\sigma }_c^2+c^{\prime })}),$$

(17)

where, ${\sigma }_{pc},({\mu }_p,{\mu }_c)$, and $({\sigma }_p,{\sigma }_c)$ are the covariance, mean, and standard deviation of the plain and cipher images, respectively. Moreover, c and $c^{\prime }$ are the variables to be stabilized.

The experimental values are provided in Table 4, and are close to the ideal value of zero.

7.6. Differential Attack Analysis

A differential attack is a type of cryptanalysis used to analyze secret keys through different cipher images. In this approach, a small modification is carried out on the pixel intensity values of the original images to attempt to find the difference between the corresponding cipher images in order to observe the relationship between the plain and cipher images. The differential measurements used to find the resilience of the system through the number of the pixel change rate (NPCR) and unified average changing intensity (UACI) are defined in Equations (18) and (19):

$$\mathrm{NPCR}=\frac{{\sum }_{i,j}D(i,j)}{\mathrm{T}}\times 100\%,$$

(18)

$$\mathrm{UACI}=\frac{1}{\mathrm{T}}\sum _{i,j}\left(\frac{C_1(i,j)-C_2(i,j)}{255}\right)\times 100\%,$$

(19)

where, T is the total size of the image, $C_1$ and $C_2$ are cipher images differing by a single pixel value, and $D(i,j)$ is defined as

$$D(i,j)=\left\{\begin{array}{cc}\hfill 1,& if{C}_1(i,j)\ne C_2(i,j),\hfill \\ \hfill 0,& \mathrm{elsewere},\hfill \end{array}\right.$$

For analysis, the computed results are provided in

Table 5. NPCR and UACI results for the color plane the of cipher image.

Images	NPCR				UACI
	R Layer	G Layer	B Layer	Average	R Layer	G Layer	B Layer	Average
Jet	99.5832	99.6321	99.6154	99.6102	33.4425	33.3901	33.3956	33.4049
House	99.6039	99.6412	99.6423	99.6294	33.4213	33.3452	33.2845	33.3503
Barbara	99.6234	99.6481	99.6321	99.6345	33.3425	33.3614	33.3329	33.3456
Baboon	99.6231	99.5931	99.6548	99.6236	33.2956	33.2814	33.3621	33.3130
Pepper	99.6513	99.6059	99.6623	99.6398	33.2956	33.3521	33.3089	33.3188
Lady	99.5956	99.5759	99.5973	99.5896	33.4732	33.4623	33.3993	33.4449

and compared in

Table 6. Comparison of NPCR and UACI results.

Methods	Image	NPCR	UACI
Proposed	Barbara	99.6345	33.3456
Ref. [7]	$(256\times 256)$	–	30.4814
Ref. [9]	$(256\times 256)$	99.2996	33.5844
Ref. [19]	$(256\times 256)$	99.6220	33.5268
Ref. [10]	$(256\times 256)$	99.5	33.3

. The test values approximate the ideal values of NPCR $(99.6094\%)$ and UACI $(33.4635\%)$, demonstrating that the improved algorithm is robust against such attacks.

7.7. Shannon’s Entropy Analysis

The Shannon’s entropy is proportional to the measure of uncertainty. The ideal entropy value of random data is 8 [28]. Thus, an efficient encryption scheme has an entropy value that approximates the ideal value and is uniform with the gray values of the image. In

Table 7. Entropy value of cipher images.

Images	Entropy			Average
	R	G	B
Jet	7.9978	7.9979	7.9978	7.9978
Home	7.9979	7.9977	7.9979	7.9978
Barbara	7.9979	7.9979	7.9979	7.9979
Baboon	7.9979	7.9978	7.9978	7.9978
Pepper	7.9976	7.9975	7.9977	7.9976
Lady	7.9975	7.9978	7.9975	7.9976

, entropy values are shown for different images as calculated by Equation (20):

$$\mathrm{Entropy}=\sum _{i=0}^{2^n-1}p\left(m_i\right){log}_2\left(\frac{1}{p\left(m_i\right)}\right),$$

(20)

where, $p\left(m_i\right)$ is the probability of source $m_i$.

Table 7 and Figure 13 show the calculated entropy values of the input and output images; the values approximate the ideal value, which is a strong indication of the randomness and security of the data. Thus, the improved version of the scheme achieves a perfect level of permutation to secure the secret information. Furthermore,

Table 8. Comparison of entropy results.

Method	Image	Entropy
Ref. [7]	$(256\times 256)$	7.9970
Ref. [9]	$(256\times 256)$	7.9969
Ref. [10]	$(512\times 512)$	7.9973
Ref. [19]	$(256\times 256)$	7.9974
Ref. [20]	$(512\times 512)$	5.3390
Proposed	Barbara (256 × 256)	7.9979

and

Table 9. Statistical measures of grayscale cipher images.

Images (256 × 256)	Entropy	PSNR	UACI
Home	7.9982	7.4523	33.1245
Barbara	7.9979	7.1133	33.2814
Baboon	7.9979	6.1576	33.7852
Pepper	7.9983	7.4121	33.3089
Average	7.9983	7.4121	33.3089
Ref. [7]	7.9970	8.5777	30.4817
Ref. [11]	–	7.6568	34.0998

compare the entropy results with existing several schemes, and the results justify the security of the proposed scheme against entropy attacks.

7.8. Noise Attacks

Due to effects from the transmission channels, the data may be affected by noise signals.

To check the effect of noise on the sensitivity of information, different noise effects on the data can be used to check the resistance of the algorithm against noise attacks. A number of noise techniques are available to check this, such as salt and pepper and Gaussian noise in different proportions. Thus, Figure 14 and Figure 15 show the noise-affected images by salt and pepper and Gaussian noise in a visible form, respectively. It can be seen in

Table 10. Quality measure of affected decrypted images.

Attacks	Image	PSNR	SSIM
Salt & pepper
Intensity = 0.01	Baboon	24.2459	0.8756
Intensity = 0.02	–	21.2134	0.7245
Intensity = 0.01	Lady	22.5689	0.7423
Intensity = 0.02	–	17.6542	0.6359
Gaussian
Variance = 0.001	Baboon	17.1245	0.6235
Variance = 0.002	–	15.5478	0.5932
Variance = 0.001	Lady	14.5687	0.4851
Variance = 0.002	–	12.5645	0.4315
Occlusion attack
Occlude = 9%	Lena	28.1214	0.8932
Occlude = 20%	–	22.2547	0.7532
Occlude = 18%	–	23.3265	0.7589
Occlude = 25%	–	18.6549	0.6489

and Figure 15 that maximum information can be retrieved, which is a good indication of the scheme’s performance.

7.9. Occlusion Attack

The durability of the system was checked against data loss through malicious destruction or deliberate attempts to damage image integrity. Occlusion attack analysis checks the recovery rate of damaged data. Thus, the encrypted baboon.jpeg image was subjected to different portions of data loss to check the data recovery rate. Figure 16a–d show the cropped images, and Figure 16e–h show the recovered images used to check the data integrity. From the recovered images, it can be seen they are visually acceptable.

The quality measures for checking the recovery rate of the affected images are provided in Table 10 and Figure 17. The results indicate that the images can be visualized, and are able to be successfully recovered against such attacks.

8. Conclusions

In the present paper, a serious loophole in the grayscale image encryption scheme proposed in [7] based on ECC and a Hill cipher is highlighted. The performed analysis demonstrates that the existing scheme is vulnerable and can be collapsed by a brute force attack. The competence of the scheme is in its 32-bit key length, which can be hacked using contemporary technology. To circumvent these limitations, a modified and improved version of the scheme is proposed using the classical affine Hill cipher in combination with ECC and a chaotic map for color images. The numerical and statistical results presented in Table 5, Table 6, Table 7, Table 8 and Table 9, the uniformity of the histogram in Figure 9, and the uniform distribution of the adjacent pixels in Figure 12 in the cipher images are enough to infer the reliability of the newly proposed method. Nevertheless, the present article lays the foundations for future work on mapping the pixel values onto ${\mathbb{E}}_q(a,b)$ to remove the maximum use limitation of ECDLP, and the scheme could potentially be optimized for text encryption.