Joint image encryption and compression scheme based on IWT and SPIHT
Miao Zhang, Xiaojun Tong
Harbin Institute of Technology, School of Computer Science and Technology, Weihai 264209, China
ARTICLE INFO

Keywords: Image encryption and compression; IWT; SSPIHT; Hyper-chaotic system; Inverse operation

ABSTRACT

A joint lossless image encryption and compression scheme based on integer wavelet transform (IWT) and set partitioning in hierarchical trees (SPIHT) is proposed to achieve lossless image encryption and compression simultaneously. Making use of the properties of IWT and SPIHT, encryption and compression are combined. Moreover, the proposed secure set partitioning in hierarchical trees (SSPIHT) via the addition of encryption in the SPIHT coding process has no effect on compression performance. A hyper-chaotic system, nonlinear inverse operation, Secure Hash Algorithm-256 (SHA-256), and plaintext-based keystream are all used to enhance the security. The test results indicate that the proposed methods have high security and good lossless compression performance.
⁎ Corresponding author.
E-mail addresses: zhangmiaozm209@126.com (M. Zhang), tong_xiaojun@163.com (X. Tong).
http://dx.doi.org/10.1016/j.optlaseng.2016.10.025
Received 10 June 2016; Received in revised form 27 October 2016; Accepted 27 October 2016
Available online 11 November 2016
0143-8166/ © 2016 Elsevier Ltd. All rights reserved.
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

1. Introduction

Recently, the wide availability of cameras and digital scanners of very high resolution has made the use of high-resolution digital images a common aspect of everyday life. The increasing volume of massive images brings great challenges for their storage and network transmission. Compression is an efficient tool for images to conserve memory space and transmission bandwidth. Much research on image compression has been carried out [1–3], and some image compression standards, such as JPEG, JPEG2000, and GIF, have been proposed. Among them, discrete wavelet transform (DWT) has been widely used in image compression. In the new image compression standard JPEG2000, DWT has officially displaced discrete cosine transform (DCT) as the transform compression algorithm. On some important occasions, such as image-based evidence against crime, it is necessary to save images in high quality by lossless compression. Lossless compression based on the integer wavelet transform (IWT) has received extensive attention. Interpolating the biorthogonal integer wavelet transform (IB-IWT) is simple and easy to implement, making it suitable for real-time lossless image compression. The 9/7-M IB-IWT has good performance on more than 3-level wavelet decomposition [4].

Another problem associated with digital images is security. Image encryption technology is an efficient way to solve the image security problem.

Considering the characteristics of image data, image processing technology, security requirements and the increasing volume of images, a joint compression and encryption scheme that performs compression and encryption in a single step is a promising method. By the interaction between the compression operation and the encryption operation, certain uncertainty is introduced to the length of the cipher-image. That increases the difficulty faced by would-be attackers. At present, there are two ideas for implementing joint compression and encryption. One is seamlessly embedding the encryption into compression. The most common is embedding encryption in entropy coding, such as arithmetic coding and Huffman coding [5–7]. However, these schemes are all compression-oriented, and encryption is treated as an additional feature, not the primary concern. Thus, the security is not satisfactory. For set partitioning in hierarchical trees (SPIHT) compressed images, Xiang et al. [8] proposed an algorithm of joint compression and selective encryption. However, only scrambling is performed, and selective encryption is performed during the coding process. As is well known, the security of selective encryption systems is lower when compared to full encryption. Another type of approach is embedding the encryption into the most frequently applied image compression techniques involving transform coding [9,10]. Most of them perform lossy compression. The encryption is usually added after the invertible transform of the intensity image. As the encryption has an influence on subsequent bit-stream coding, selective encryption is usually performed. Therefore, the security level is not satisfactory. In addition, Bowley and Rebollo-Neira [11,12] proposed the idea of encryption image folding. However, its security should be improved.

In recent years, many research papers have revealed the close relationship between a chaos system and a cryptography system. The good cryptography properties of chaos enable a chaos-based cryptographic system to possess excellent randomness in ciphers [9]. Moreover, in comparison to traditional encryption techniques, chaos
has shown superior performance in the field of image encryption due to the bulky data capacity and high correlation among pixels in image files. Chaos-based image encryption methods have also been proposed [13–25] and have developed considerably. The security of chaos-based image encryption methods has become the focus of people's concern. Some novel schemes to improve security have been proposed, such as one-time keys [14], bit-level encryption [15,16], and the DNA rule [17,18]. In Ref. [20], the generated key streams depend on the plaintext image to resist the chosen plaintext attack. In Ref. [21], Wang et al. proposed an enhanced sub-image encryption method algorithm that can completely resist the chosen plaintext attack and reduce the encryption time dramatically. In Ref. [22], the hybrid compound of an S-box and chaotic system is designed to strengthen the overall encryption performance and enlarge the key space. However, none consider the compression. Another scheme to improve security is the design of a chaotic map of good properties. Zhang et al. [23,24] proposed new image encryption algorithms based on the spatiotemporal non-adjacent coupled map lattices and the spatiotemporal chaos of the mixed linear-nonlinear coupled map lattices, which have more outstanding cryptography features in dynamics than the logistic map or coupled map lattices do. Liu et al. [25] designed a new two-dimensional Sine ICMIC modulation map (2D-SIMM) to enlarge the key space and improve complexity. Hyper-chaos has more than one positive Lyapunov exponent, a larger key space and more complex dynamical characteristics. It is difficult to decipher the information encrypted with a hyper-chaotic system using the general cracking methods, such as phase-space reconstruction and non-linear prediction. Therefore, it is valuable to apply hyper-chaos to image encryption. Some hyper-chaos-based image encryption schemes have been proposed [26–29]. However, due to the failed design of the encryption process, such as permutation or diffusion, many of these algorithms are insecure [30,31]. In nature, there is no nonlinear operation involved in the overall encryption scheme.

In this paper, a joint image encryption and compression scheme based on 9/7-M IB-IWT, SPIHT and a new hyper-chaotic system is proposed. In this scheme, compression and encryption are combined in a single process. A new hyper-chaotic system based on a Rabinovich system is designed to encrypt images. The complexity of the proposed hyper-chaotic system is greater than that of some conventional hyper-chaotic systems. As we all know, the inverse operation in a finite field, as a nonlinear component, has many good cryptological properties [32]. In the encryption process, a nonlinear inverse operation is introduced to resist attacks. Moreover, the key stream used in encryption is related to the plaintext to resist attacks. Encryption and compression are combined in three ways. First, the important wavelet coefficients are diffused, and the overall wavelet coefficients are permuted simultaneously using the inverse operation and hyper-chaotic system. As SHA-256 is fast and input-sensitive, it is employed to enhance the encryption effect. Second, encryption is added to SPIHT coding, forming secure set partitioning in hierarchical trees (SSPIHT), which has no effect on compression performance. Lastly, the code stream generated after SPIHT coding is encrypted to perform the final layer of protection. The experimental results presented in this paper show the effectiveness of the proposed joint image encryption and compression scheme.

The rest of this paper is organized as follows. A review of IWT and SPIHT is given in Section 2. A new hyper-chaotic system and pseudorandom sequence generator are presented in Section 3. In Section 4, the proposed joint image encryption and compression scheme is described. The experimental results and security analysis of our new schemes are given in Section 5. Finally, the study's conclusions are presented in Section 6.

2. Research on IWT and SPIHT

2.1. Integer wavelet transform for image compression

IWT is a special realization form of DWT. As an expansion of the wavelet analysis theory, IWT not only inherits many advantages of DWT but also realizes some functions that DWT does not possess. Due to the real reversibility, IWT can realize lossless image compression. For many research methods on IWT, IWT based on a lifting scheme has the characteristics of low computational complexity, conservation of storage, ease of implementation in hardware, etc. The lifting scheme includes three steps: split, predict and update. Interpolating the biorthogonal integer wavelet transform (IB-IWT) is a group of IWT that has the nature of a biorthogonal filter. Compared with other IWTs based on a lifting scheme, IB-IWT only has two lift steps, reducing the number of floating-point operations. Therefore, IB-IWT is very suitable for real-time lossless image compression. There are six types of common IB-IWT forms. Among them, 9/7-M IB-IWT has good performance on more than 3-level wavelet decomposition [4]. The form of 9/7-M IB-IWT is as follows [33]:

$$
\begin{aligned}
d[n] &= d_0[n] + \left\lfloor \tfrac{1}{16}\big((s_0[n+2] + s_0[n-1]) - 9(s_0[n+1] + s_0[n])\big) + \tfrac{1}{2} \right\rfloor \\
s[n] &= s_0[n] + \left\lfloor \tfrac{1}{4}\big(d[n] + d[n-1]\big) + \tfrac{1}{2} \right\rfloor
\end{aligned}
\tag{1}
$$

where $s_0[n]$ represents the 2nth amplitude of the signal sequence, $d_0[n]$ represents the (2n+1)th amplitude of the signal sequence, and $s[n]$ and $d[n]$ are the nth amplitudes of the low-frequency signal and high-frequency signal after an IWT decomposition, respectively.

[Fig. 1: an image transformed using the three-level DWT (IWT); sub-band labels LL3, HL3, LH3, HH3, HL2, LH2, HH2, HL1, LH1, HH1.]

2.2. SPIHT encoding

SPIHT is an improved algorithm based on the embedded zero-tree wavelet (EZW) algorithm [34], and the encoding procedure can be stopped at any compression ratio via the feature of progressive coding. SPIHT is operated on the coefficients of DWT (specifically, IWT) that are organized in a tree structure. An image transformed using the three-level DWT (IWT) is shown in Fig. 1. There are four sub-bands: LL, HL, LH and HH. The LL sub-band is an approximation of the original image and will be decomposed recursively in multiple-level decomposition, the LH sub-band preserves the horizontal edge details, the HL sub-band preserves the vertical details, and the HH sub-band represents the diagonal details. Then, the resulting coefficients are grouped into a spatial orientation trees (SOT) structure of SPIHT, as shown in Fig. 2. Each node of the tree corresponds to a wavelet coefficient. Use the coordinate as the identification of a node. According to the structure of SOT, there are four types of coordinates sets, O(i, j), D(i, j), H, and L(i, j), in SPIHT. O(i, j) represents the set of coordinates
of all offspring of the coefficient at (i, j). D(i, j) represents the set of coordinates of all descendants of the coefficient at (i, j). H represents the set of coordinates of all coefficients in the root level. L(i, j)=D(i, j)−O(i, j).

Fig. 2. The SOT structure of SPIHT.

For coordinate sets, there is a significance test function to estimate the significance of the coefficients. Let X be a coordinate set and n be an integer, and then the significance test function $S_n(X)$ is defined as:

$$
S_n(X) = \begin{cases} 1, & \max\limits_{(i,j)\in X} \{ |c_{i,j}| \} \ge 2^n \\ 0, & \text{otherwise} \end{cases}
\tag{2}
$$

where $c_{i,j}$ denotes the coefficient at (i, j). If $S_n(X)=1$, the coordinate set X is significant at the threshold $2^n$.

Define three lists: a list of insignificant sets (LIS), list of insignificant pixels (LIP), and list of significant pixels (LSP). LIS contains two types of entries: D(i, j) and L(i, j). If an LIS entry represents D(i, j), we call it type D. If an LIS entry represents L(i, j), we call it type L. LIP is a list of insignificant coefficients that do not belong to any of the sets in LIS. LSP is a list of coefficients that have been identified as significant coefficients.

The main steps of SPIHT are as follows:

(1) Initialization. Set the threshold $T=2^n$, $n = \lfloor \log_2 (\max_{(i,j)} \{|c_{i,j}|\}) \rfloor$. $c_{i,j}$ represents the wavelet coefficient at (i, j). The initialization sets LSP as an empty list, adds all the coordinates in H to LIP, and adds only those with descendants to LIS.
(2) Sorting pass. Each coordinate in LIP and LIS is tested by the significance test function $S_n(X)$ in Eq. (2), and the result is output to the code stream. If the result is 1, it will be moved to LSP; otherwise, it will be moved to the end of LIP or LIS.
(3) Refinement pass. For each entry of LSP, the nth significant bit of the coefficient, except the newly added ones in the sorting pass, is outputted.
(4) Quantization-step update. This subtracts one from the value of n and proceeds to the next sorting pass and refining pass until the threshold is 1.

3. New hyper-chaotic system and generation of a pseudorandom sequence

3.1. New hyper-chaotic system

On the basis of a Rabinovich system, by adding a nonlinear feedback controller and a linear state feedback controller, we construct a new five-dimensional (5D) hyper-chaotic system as follows:

$$
\begin{cases}
\dot{x} = hy - ax + yz \\
\dot{y} = hx - by - xz - u \\
\dot{z} = -dz + xy + w^2 \\
\dot{w} = -xy + cw \\
\dot{u} = ry
\end{cases}
\tag{3}
$$

where x, y, z, w and u are state variables and a=10, b=−4, c=−10, d=1, h=30 and r=1 are parameters of the new 5D hyper-chaotic Rabinovich system in Eq. (3).

The hyper-chaotic system must satisfy the following two necessary conditions: 1) for an autonomous system, four dimensions (4D) are required at a minimum; 2) two or more positive Lyapunov exponents combined with one null exponent and the sum of all the Lyapunov exponents is less than 0.

Five Lyapunov exponents of the new 5D hyper-chaotic Rabinovich system in Eq. (3) calculated by the Wolf algorithm [35] are: $\lambda_{L1} = 2.635076$, $\lambda_{L2} = 0.018777$, $\lambda_{L3} = 0$, $\lambda_{L4} = -7.687620$ and $\lambda_{L5} = -11.955654$. The sum of all the Lyapunov exponents is less than 0. These results satisfy the above two necessary conditions of the hyper-chaotic system.

The larger the Lyapunov exponent is, the faster the trajectories separate and the wider the corresponding separatrix of the chaotic region is. Therefore, a larger Lyapunov exponent shows more evident chaotic behavior. The five Lyapunov exponents (λ1, λ2, λ3, λ4 and λ5) of the proposed system and of other hyper-chaotic systems are shown in Table 1.

Table 1
Lyapunov exponents comparison.

Hyperchaotic system    λ1      λ2      λ3    λ4        λ5
Proposed               2.635   0.019   0     −7.688    −11.956
Rössler system         0.112   0.019   0     −25.188   –
Ref. [36]              0.317   0.015   0     −6.401    –

From Table 1, we can see that the maximum Lyapunov exponent λ1 of the proposed system is larger than that of other systems. Therefore, the complexity of the proposed hyper-chaotic system is greater than that of some conventional hyper-chaotic systems.

3.2. Generation of a pseudorandom sequence

In this section, a pseudorandom sequence generator is constructed based on the new hyper-chaotic Rabinovich system proposed in Section 3.1. Because of the computers' finite precision, the cycle of the discretized chaotic sequence may degenerate. It has been proved that LFSR arrives at its longest period when the characteristic polynomial is a primitive polynomial. The sequence generated by LFSR with a primitive polynomial is called an m-sequence. Through the long-cycle feature of the m-sequence, we use LFSR to perturb the chaotic sequences to improve the cryptographic properties of the chaotic sequence. The pseudorandom sequence generator is shown in Fig. 3. The generator includes three parts: the generation of the LFSR disturbed sequence, the hyper-chaotic Rabinovich system with perturbation, and discretization.

3.2.1. Mixed design of LFSR and the hyper-chaotic system

We select two LFSRs with primitive polynomials to generate m-sequences. The two m-sequences generated by the LFSRs are operated by a bit-wise XOR operation to generate a perturbance sequence as shown in Eq. (4), which is used to perturb the chaotic sequence.

$$
\{b_n\} = \mathrm{LFSR}_1 \oplus \mathrm{LFSR}_2
\tag{4}
$$

In Eq. (4), LFSR1 and LFSR2 represent the m-sequences generated by the two LFSRs, and $\{b_n\}$ (n = 1, 2, ...) represents the perturbance sequence.

The stages of the two LFSRs are m1 and m2, respectively.
Moreover, stages m1 and m2 are relatively prime, namely, gcd(m1, m2)=1. The concrete perturbance method is: the l lowest bits of the chaotic sequences and perturbance sequence are operated on by a bit-wise XOR operation at intervals of Δ. The interval Δ should be smaller than the cycle length of the case without perturbance [34].

[Fig. 3: the pseudorandom sequence generator; surviving diagram labels: LFSR1, LFSR2.]

From Eq. (3), we can obtain five sequences about the five variables x, y, z, w and r. We perturb the five sequences using the above perturbance method. Taking x as an example, the perturbance process is described below.

Iterating on Eq. (3), we can obtain the sequence about x, $\{x_1, x_2, \ldots, x_\Delta, x_{\Delta+1}, \ldots, x_{2\Delta}, \ldots\}$, where Δ is the perturbance interval value. The value to be perturbed is $x_{k\Delta}$, k=1,2,3,…. Taking the first value to be perturbed, $x_\Delta$, as an example, set the fractional part of $x_\Delta$ to be $x_\Delta^F$, which can be described as

$$
x_\Delta^F = 0.x_{\Delta,1}^F x_{\Delta,2}^F \ldots x_{\Delta,i}^F \ldots x_{\Delta,P}^F
\tag{5}
$$

where $x_{\Delta,i}^F \in \{0, 1\}$ (i = 1, 2, ..., P), and P is the computer's precision. The perturbance can be described as

$$
x_{\Delta,i}^{F\prime} = \begin{cases} x_{\Delta,i}^F, & 1 \le i \le P-l \\ x_{\Delta,i}^F \oplus b_{k+P-i}, & P-l+1 \le i \le P \end{cases}
\tag{6}
$$

where $b_{k+P-i} \in \{b_n\}$, and $x_{\Delta,i}^{F\prime}$ is the fractional part of $x_\Delta$ after the perturbance. After the perturbance, the fractional part of $x_\Delta$ is substituted for $x_{\Delta,i}^{F\prime}$. Then, $x_\Delta$ after the perturbance is inserted into Eq. (3) to obtain the following values. The following perturbances occur after every Δ iteration. For other selected values $x_{n\Delta}$ (n=2, 3, …) to be perturbed, the perturbance process is the same as above. The l bits needed in the perturbance process are obtained from $\{b_n\}$ in turn. The chaotic sequence about x after perturbance is represented as $\{x_n'\}$ (n=1,2,3,…). The chaotic sequences about y, z, w and r are perturbed in the same manner. Thus, we can obtain the corresponding perturbed chaotic sequences $\{y_n'\}$, $\{z_n'\}$, $\{w_n'\}$ and $\{r_n'\}$ (n=1,2,3,…).

where ⌊x⌋ denotes the greatest integer that is less than x. For the sequences $\{y_n'\}$, $\{z_n'\}$, $\{w_n'\}$ and $\{r_n'\}$, we do the same to obtain the sequences $\{y_n''\}$, $\{z_n''\}$, $\{w_n''\}$ and $\{r_n''\}$.

With $\{x_n''\}$, for example, use Eq. (8) to quantize the decimal part and obtain the integer sequence $key1_n$. For the sequences $\{y_n''\}$, $\{z_n''\}$, $\{w_n''\}$ and $\{r_n''\}$, we do the same to obtain the integer sequences $key2_n$, $key3_n$, $key4_n$, and $key5_n$.

$$
key i_n = \mathrm{mod}(\mathrm{shiftR}(\lfloor x_n'' \times 10^P \rfloor, 7), 256)
\tag{8}
$$

where P is the computer precision, shiftR(x, y) performs an unsigned right shift of the y bits on x, n=1, 2, 3, …, and i=1, 2, 3, 4, 5.

Finally, the four pseudorandom sequences in Eqs. (9)–(12) are generated for the subsequent encryption.

$$
key11 = key1_n \,\|\, key2_n \,\|\, key3_n \,\|\, key1_{n+1} \,\|\, key2_{n+1} \,\|\, key3_{n+1} \,\|\, \ldots
\tag{9}
$$

$$
key12 = key2_n \,\|\, key1_n \,\|\, key4_n \,\|\, key2_{n+1} \,\|\, key1_{n+1} \,\|\, key4_{n+1} \,\|\, \ldots
\tag{10}
$$

$$
key13 = key1_n \,\|\, key5_n \,\|\, key2_n \,\|\, key1_{n+1} \,\|\, key5_{n+1} \,\|\, key2_{n+1} \,\|\, \ldots
\tag{11}
$$

$$
key2 = key1_n \,\|\, key2_n \,\|\, key3_n \,\|\, key4_n \,\|\, key5_n \,\|\, key1_{n+1} \,\|\, key2_{n+1} \,\|\, \ldots
\tag{12}
$$

where "||" denotes a splitting joint of the integer sequence.

3.3. Performance analysis of the pseudorandom sequence

3.3.1. Period length analysis

To analyze the period length of the pseudorandom sequence generated in Section 3.2, we present a theorem.

Theorem 1. Suppose there are two independent discrete binary sequences $f_1(n)$ and $f_2(n)$. Their periods are $T_1$ and $T_2$, respectively, and $T_1 \ne T_2$. Then the period of the new sequence $w(n) = f_1(n) \oplus f_2(n)$ is the least common multiple of $T_1$ and $T_2$, i.e., lcm($T_1$, $T_2$).

Proof. Let $K_1$ and $K_2$ both be arbitrary finite positive integers. Because the periods of the two sequences, $f_1(n)$ and $f_2(n)$, are $T_1$ and $T_2$, respectively, we can obtain the following:

$$
f_1(n + K_1 T_1) = f_1(n)
\tag{13}
$$

$$
f_2(n + K_2 T_2) = f_2(n)
\tag{14}
$$

The smallest integer period of w(n) should satisfy the following Eq. (15):

$$
w(n + T) = w(n)
\tag{15}
$$

According to $w(n) = f_1(n) \oplus f_2(n)$,

$$
w(n + T) = f_1(n + T) \oplus f_2(n + T)
\tag{16}
$$

Then, from Eqs. (13) and (14),

$$
f_1(n) \oplus f_2(n) = f_1(n + K_1 T_1) \oplus f_2(n + K_2 T_2)
\tag{17}
$$

From Eqs. (15) and (17), we obtain the following equation:

$$
\begin{cases} T = K_1 T_1 \\ T = K_2 T_2 \end{cases}
\tag{20}
$$

Because $T_1 \ne T_2$, it is also true that $K_1 \ne K_2$. If T satisfies Eq. (20), then T is the least common multiple of $T_1$ and $T_2$.

In Eq. (4), the stages of the two m-sequence generators are m1 and m2, respectively. Then, their periods are $2^{m_1}-1$ and $2^{m_2}-1$, respectively. According to Theorem 1, the period of the sequence generated by Eq. (4) is $\mathrm{lcm}(2^{m_1}-1, 2^{m_2}-1)$. This sequence is used to perturb the hyper-chaotic sequence. According to Ref. [34], the lower bound of the period length of the pseudorandom sequence generated in Section 3.2 is $\Delta \times \mathrm{lcm}(2^{m_1}-1, 2^{m_2}-1)$.

Zheng et al. [37] proposed the BSPD (Binary Sequence's Periodic Detection) method to evaluate the periodicity in a binary sequence, by which the accurate periodic phenomena, approximate periodic phenomena and local periodic phenomena can be detected. With the BSPD method, we test the period of the pseudorandom sequence generated in
Section 3.2 and compare it with RC4 and a Logistic map with the same discretization method. In the following tests, the characteristic polynomials of the two LFSRs are selected as $f_1(x)=x^{19}+x^{18}+x^{17}+x^{14}+1$ and $f_2(x)=x^{22}+x^{21}+x^{17}+x^{13}+1$. They are all primitive polynomials. The stages of the two LFSRs are relatively prime. The results are shown in Table 2.

From Table 2, we can see that the pseudorandom sequence using our proposed scheme has better period performance than the Logistic map and RC4.

Table 2
Period analysis.

Sequence                  Accurate period   Approximate period   Local period
key11   50000 bits        0                 5                    0
key11   1000000 bits      0                 5                    0
key12   50000 bits        0                 6                    0
key12   1000000 bits      0                 6                    0
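The following Python sketch is an added example, not code from the paper: it builds the perturbance sequence of Eq. (4), applies Eq. (6) to a fixed-point fraction, and measures the period that Theorem 1 predicts. The small polynomials x^3+x^2+1 and x^4+x^3+1, the seeds and all function names are assumptions chosen so that the period can be checked by brute force; the equality with lcm(T1, T2) is confirmed here for coprime periods, which also holds for the 19- and 22-stage registers above because gcd(2^19−1, 2^22−1) = 2^gcd(19,22)−1 = 1.

```python
from math import gcd


def lfsr_bits(stages, taps, seed, count):
    """Return `count` output bits of a Fibonacci LFSR.

    `taps` holds the non-constant exponents of the characteristic
    polynomial, e.g. x^4 + x^3 + 1 -> (4, 3).
    """
    if not 0 < seed < (1 << stages):
        # The all-zero state is a fixed point: the register would emit only zeros.
        raise ValueError("seed must be a non-zero state of `stages` bits")
    state, out = seed, []
    for _ in range(count):
        out.append(state & 1)
        feedback = 0
        for t in taps:
            feedback ^= (state >> (stages - t)) & 1
        state = (state >> 1) | (feedback << (stages - 1))
    return out


def minimal_period(bits):
    """Smallest T with bits[i] == bits[i + T] over the whole window.

    The window should span at least two full periods.
    """
    n = len(bits)
    for t in range(1, n // 2 + 1):
        if all(bits[i] == bits[i + t] for i in range(n - t)):
            return t
    return None


def lcm(a, b):
    return a * b // gcd(a, b)


def perturbance_sequence(count):
    """Eq. (4): {b_n} = LFSR1 xor LFSR2, here with 3 and 4 stages (gcd = 1)."""
    s1 = lfsr_bits(3, (3, 2), 0b001, count)     # x^3 + x^2 + 1, period 7
    s2 = lfsr_bits(4, (4, 3), 0b0001, count)    # x^4 + x^3 + 1, period 15
    return [a ^ b for a, b in zip(s1, s2)]


def perturb_fraction(frac, b, k, l):
    """Eq. (6) on a P-bit fraction stored as an integer (bit i = P is the LSB).

    Bits i = P-l+1 .. P are XORed with b_(k+P-i); b[0] holds b_1.
    The upper P-l bits are left untouched.
    """
    for offset in range(l):                     # offset = P - i
        frac ^= b[k - 1 + offset] << offset
    return frac


def period_lower_bound(m1, m2, delta):
    """Delta x lcm(2^m1 - 1, 2^m2 - 1), the bound quoted from Ref. [34]."""
    return delta * lcm(2 ** m1 - 1, 2 ** m2 - 1)


if __name__ == "__main__":
    b = perturbance_sequence(420)               # four full periods of 105
    print("period of b_n:", minimal_period(b), "lcm:", lcm(7, 15))
    print("bound for m1=19, m2=22, delta=1:", period_lower_bound(19, 22, 1))
```
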
[Figure: cross-correlation plotted against the correlation interval for the key streams; surviving panel titles: "The cross-correlation value of key11", "The cross-correlation value of key12".]
Fig. 6. Initial value sensitivity. [Panels, value against iterations: the initial value sensitivity of key11, key12, key13 and key2.]
Table 4
NIST SP800-22 tests of a pseudorandom key stream.
P-value Pass rate P-value Pass rate P-value Pass rate P-value Pass rate
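The 9/7-M lifting steps of Eq. (1), which Step 1 of the scheme in Section 4 applies to the original image, can be checked for exact reversibility with the following added Python example (not the authors' implementation). Edge replication at the signal borders and all function names are assumptions, since the page does not state a boundary rule; any rule works as long as the inverse uses the same one.

```python
def _clamp(i, n):
    """Edge replication (assumed boundary rule): indices outside 0..n-1 are pinned."""
    return 0 if i < 0 else (n - 1 if i >= n else i)


def iwt97m_forward(x):
    """One 1-D level of Eq. (1). Returns (s, d): low- and high-frequency halves."""
    if len(x) < 2 or len(x) % 2:
        raise ValueError("signal length must be even and at least 2")
    s0, d0 = list(x[0::2]), list(x[1::2])        # split: even / odd samples
    n = len(s0)
    S = lambda i: s0[_clamp(i, n)]
    # predict: floor(v/16 + 1/2) == (v + 8) // 16 with Python's floor division
    d = [d0[k] + (S(k + 2) + S(k - 1) - 9 * (S(k + 1) + S(k)) + 8) // 16
         for k in range(n)]
    D = lambda i: d[_clamp(i, n)]
    # update: floor(w/4 + 1/2) == (w + 2) // 4
    s = [s0[k] + (D(k) + D(k - 1) + 2) // 4 for k in range(n)]
    return s, d


def iwt97m_inverse(s, d):
    """Undo the update step, then the predict step, then merge the samples."""
    n = len(s)
    D = lambda i: d[_clamp(i, n)]
    s0 = [s[k] - (D(k) + D(k - 1) + 2) // 4 for k in range(n)]
    S = lambda i: s0[_clamp(i, n)]
    d0 = [d[k] - (S(k + 2) + S(k - 1) - 9 * (S(k + 1) + S(k)) + 8) // 16
          for k in range(n)]
    x = [0] * (2 * n)
    x[0::2], x[1::2] = s0, d0
    return x


def _columns_forward(block):
    t = [iwt97m_forward(list(c)) for c in zip(*block)]
    low = [list(r) for r in zip(*[c[0] for c in t])]
    high = [list(r) for r in zip(*[c[1] for c in t])]
    return low, high


def _columns_inverse(low, high):
    cols = [iwt97m_inverse(list(a), list(b))
            for a, b in zip(zip(*low), zip(*high))]
    return [list(r) for r in zip(*cols)]


def iwt2d_forward(img):
    """One 2-D level: rows first, then columns. Returns (LL, HL, LH, HH)."""
    rows = [iwt97m_forward(r) for r in img]
    LL, LH = _columns_forward([r[0] for r in rows])
    HL, HH = _columns_forward([r[1] for r in rows])
    return LL, HL, LH, HH


def iwt2d_inverse(LL, HL, LH, HH):
    L = _columns_inverse(LL, LH)
    H = _columns_inverse(HL, HH)
    return [iwt97m_inverse(l, h) for l, h in zip(L, H)]


# Constructed 8x8 test image (not data from the paper).
SAMPLE = [[(37 * r + 11 * c * c + (r * c) % 7) % 256 for c in range(8)]
          for r in range(8)]

if __name__ == "__main__":
    bands = iwt2d_forward(SAMPLE)
    print("lossless:", iwt2d_inverse(*bands) == SAMPLE)
    print("ramp detail:", iwt97m_forward(list(range(16)))[1])
```

On a linear ramp the interior detail coefficients come out as zero, which is why smooth image regions compress well after this transform; only the border coefficients depend on the assumed boundary rule.
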
4. Design of the joint image encryption and compression scheme

The entire compression and encryption process is shown in Fig. 7. The 9/7-M IB-IWT and SPIHT are used in compression. The confusion-diffusion structure is used in encryption. Local diffusion and global permutation based on a hyper-chaotic Rabinovich system are simultaneously performed on wavelet coefficients produced by the 9/7-M IB-IWT. In the process of SPIHT, diffusion based on the hyper-chaotic Rabinovich system is performed to form secure SPIHT (SSPIHT). The code stream is encrypted after the secure SPIHT to form the last layer of protection. The specific steps are described below.

Step 1: 9/7-M IB-IWT is performed on the original image.
Step 2: Perform diffusion and permutation on the wavelet coefficients simultaneously.
Step 3: Perform SSPIHT encoding.
Step 4: Perform diffusion and permutation on the code stream
[Fig. 7: block diagram of the compression and encryption process; surviving labels: Original image, 9/7-M IB-IWT, Cat map, Reverse permutation on wavelet coefficients, Reverse diffusion on wavelet coefficients, Inverse 9/7-M IB-IWT, Reconstructed image.]
negative integer and c < P, i.e., c∈ZP. Thus, the law of closure Step 3: Encrypt wavelet coefficients by performing diffusion and
holds. permutation simultaneously. For the selected local coefficients,
2) Associativity follows from the fact that the property holds over obtain two bytes of wavelet coefficients to perform the diffusion
the integers. operation. For all wavelet coefficients, permutation based on the cat
3) Obviously, 0 is always in ZP. For each element a in ZP, 0+a=a map is performed.
+0=a holds. Thus, 0 is the identity element of ZP.
4) For each element a in ZP, there exists the negative element –a, In diffusion, the nonlinear inverse operation is introduced to resist
and a+(-a)=(-a)+a=0 holds. attacks. The values of two-byte coefficients belong to the interval
5) Commutativity follows from the fact that the property holds [0,65535]. Thus, the two bytes of the wavelet coefficients belong to
over the integers. the residue class Z 65536 . Unfortunately, however, 65536 is not a prime
(2) Second is proving that(ZP*,×, 1) is an Abelian group. The operation number. Thus, Z 65536 is not a field. The element in Z 65536 may not have
× denotes “multiplication modulo P.” its multiplicative inverse. That will result in not being decrypted of
1) Consider a, b∈ ZP* and c=a×b mod P. Obviously, c is a non- some information. Because 65537 is the prime closest to 65536, we
negative integer and c < P, i.e., c∈ZP. Thus, the law of closure select the algebraic structure, Z 65537, to design the encryption.
holds. According to Proposition 2, Z 65537 is a field with the operations
2) Associativity follows from the fact that the property holds over “multiplication modulo 65537″ and “addition modulo 65537.” Thus
the integers. *
each element in Z 65537 has an inverse element. Then, for the two bytes
3) Obviously, a is always in ZP*. For each element a in ZP*, 1·a=a· of the wavelet coefficient m, the inverse operation can be defined as
1=a holds. Thus, 1 is the identity element of ZP*.
s = m−1 mod (216 + 1) (23)
4) For each element a in ZP*, since P is a prime, it must be true that
gcd(a, P) =1. According to Proposition 1, it can be shown that a The two bytes of the wavelet coefficients m's value is in the interval
is invertible in ZP*. [0,65535], while [m−1 mod 65537] may be in the interval [0,65536].
5) Commutativity follows from the fact that the property holds Obviously, 65536 cannot be denoted by two bytes. This may result in
over the integers. the cipher-text size increasing. However, there is
(3) Distributivity follows from the fact that the property holds over the
65536 = 65536−1 mod 65537 (24)
integers.
−1
Thus, if m∈[0,65535], then [m mod 65537]∈[0,65535]. This
means that the inverse of a two-byte coefficient can still be denoted by
4.2. Permutation and diffusion scheme on wavelet coefficients two bytes. Thus, Eq. (23) is reasonable.
Encryption is performed from the sixth layer to the first layer. For
The original image is first decomposed with six-level 9/7-M IB- each layer, encryption is performed in order of sub-band LL, HL, LH
IWT, and then the wavelet coefficients can be obtained. The selected and HH. For each sub-band, encryption is performed from top to
local coefficients are diffused by the hyper-chaotic Rabinovich system. bottom and then from left to right. Choose the current two-byte wavelet
The total set of wavelet coefficients is permutated by the hyper-chaotic coefficient of the selected local coefficients to carry out diffusion. The
Rabinovich system and cat map. The diffusion and permutation are diffusion of encryption can be expressed as Eq. (25).
performed simultaneously. The specific steps are described in detail
⎧C0 = key11 (0)
below. ⎨ −1 16
⎩Ci = (mi × key1j )mod(2 + 1) ⊕ key2 ⊕ Ci −1 (i ≥ 1)
⎪
(25)
Step 1: Apply the 9/7-M IB-IWT to the original image and obtain the
where mi is the two bytes of the wavelet coefficients in the selected local
wavelet coefficients.
coefficients. mi−1represents performing the inverse operation on mi. Ci
Step 2: Produce a key stream according to sub-bands HH1, HL1 and
is the cipher text after diffusion. key11(0) is the first two bytes’ value for
LH1 of the first layer. Five groups of coefficients (HH1 and HL1, LH1
the key key11. key1j (j=1,2,3) is selected according to Eq. (26). This
and HL1, HL1, LH1, and HH1) form the five inputs to the SHA-256
hash function to produce five 256-bit hash values. SHA-256 is one of the existing SHA hash functions developed by the National Security Agency (NSA). It takes a message with a maximum of $(2^{64}-1)$ bits and returns a message digest of 256 bits. As SHA-256 is fast and sensitive to the input message, it is employed in our design to partially determine the initial condition of the hyper-chaotic system. The returned 256-bit SHA-256 hash value of each group is divided into eight 32-bit sequences $d_i$ $(i = 0, 1, 2, \ldots, 7)$. They are used to perturb the initial values of the hyper-chaotic system.

$$m'_{i0} = \frac{d_{i0} \oplus d_{i1} \oplus \cdots \oplus d_{i7}}{2^{32}} + m_{i0} \quad (i = 1, 2, \ldots, 5) \tag{22}$$

where $m_{i0}$ is the initial value that users enter and $m'_{i0}$ is the perturbed initial value used for the initial value $(x_0, y_0, z_0, w_0, u_0)$ of the hyper-chaotic system. Use the pseudorandom sequence generator proposed in Section 3.2 and the perturbed initial value $m'_{i0}$ to produce the key streams key11, key12, key13 and key2.

A plain image is input to SHA-256 to partially determine the initial condition of the hyper-chaotic system, and a small change in the plain image affects the initial condition of the hyper-chaotic system. As a result, the change will effectively spread to the entire cipher-text.

makes the keystream used in the encryption related to the plaintext and enhances security.

$$j = m_{i-1} \bmod 3 \tag{26}$$

$m_0$ is the second two-byte value for the key key11.

According to Eqs. (25) and (26), the encryption is related to the plaintext.

In decryption, the inverse of diffusion is described as:

$$m_i = \mathit{key1}_j \times (C_i \oplus \mathit{key2} \oplus C_{i-1})^{-1} \bmod (2^{16} + 1) \quad (i \ge 1) \tag{27}$$

Place each byte of the current two bytes of the wavelet coefficient in the new position $(x', y')$ based on the cat map.

$$\begin{pmatrix} x' \\ y' \end{pmatrix} = \begin{pmatrix} pq + 1 & p \\ q & 1 \end{pmatrix} \begin{pmatrix} x \\ y \end{pmatrix} \pmod N \tag{28}$$

where N is the width and height of the image. The control parameters p and q are determined by the hyper-chaotic Rabinovich system.

$$p = (\mathrm{fabs}(w_{1001}) \times 10^{14}) \bmod N \tag{29}$$

$$q = (\mathrm{fabs}(r_{1001}) \times 10^{14}) \bmod N \tag{30}$$

where $w_{1001}$ and $r_{1001}$ are the values of the 1001st iteration for w and r, respectively.
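The initial-value perturbation of Eq. (22), as an added Python example that is not the authors' code: it folds the SHA-256 digest of each of the five groups into a fraction and adds it to the user-entered value. The big-endian word split, the sample groups and the sample initial values are assumptions constructed for illustration.

```python
import hashlib
import struct

def hash_fraction(group: bytes) -> float:
    """XOR the eight 32-bit words of SHA-256(group) and scale into [0, 1)."""
    # Assumption: the digest is split into big-endian 32-bit words d_0..d_7.
    words = struct.unpack(">8I", hashlib.sha256(group).digest())
    folded = 0
    for word in words:
        folded ^= word
    return folded / 2**32

def perturb_initial_values(groups, user_values):
    """Eq. (22): m'_i0 = (d_i0 ^ ... ^ d_i7) / 2^32 + m_i0, one per state variable."""
    if len(groups) != 5 or len(user_values) != 5:
        raise ValueError("the scheme uses five groups and five initial values")
    return [m + hash_fraction(g) for g, m in zip(groups, user_values)]

def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Return a copy of data with a single bit inverted."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)

def changed_indices(before, after):
    """Indices of the initial values that differ between two runs."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

# Constructed sample data: five 64-byte groups standing in for the image
# groups, and constructed user-entered values for (x0, y0, z0, w0, u0).
GROUPS = [bytes((17 * g + k) % 256 for k in range(64)) for g in range(5)]
USER_VALUES = [0.1, 0.2, 0.3, 0.4, 0.5]

def demo():
    """Perturb once, then again after flipping one bit in the third group."""
    base = perturb_initial_values(GROUPS, USER_VALUES)
    tampered = list(GROUPS)
    tampered[2] = flip_bit(GROUPS[2], 10, 0)
    return base, perturb_initial_values(tampered, USER_VALUES)

if __name__ == "__main__":
    base, after = demo()
    print("initial values changed by a one-bit flip:", changed_indices(base, after))
```

A single-bit change alters only the initial value fed by the group that contains it; the other four stay as entered plus their own unchanged hash fraction.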
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274
One characteristic of the cat map is that the value of the first position in the top-left corner will not be changed during the scrambling. To increase the security of the encryption system, we need to change the value of the first position. We swap the value of the first position with that of position (t, s). Position (t, s) is calculated by Eq. (31).

$$\begin{cases} t = (\mathrm{fabs}(w_{1002}) \times 10^{14}) \bmod N \\ s = (\mathrm{fabs}(r_{1002}) \times 10^{14}) \bmod N \end{cases} \tag{31}$$

where $w_{1002}$ and $r_{1002}$ are the values of the 1002nd iteration for w and r, respectively.

4.3. Secure SPIHT encoding

Encryption is embedded in the process of SPIHT compression to form SSPIHT encoding. The wavelet coefficients matrix after diffusion and permutation is processed using SSPIHT. The SSPIHT is described below, and the encryption is embedded in the sorting pass.

Step 1: Initialize LSP, LIP and LIS. Set the threshold $T = 2^n$.
Step 2: Test each coordinate in LIP via the significance test function $S_n(X)$; the important factor judgment and the sign bit are output to the code stream.
Step 3: Test the type-D entry in LIS via the significance test function $S_n(X)$. The significant coefficients are put into LSP, and L entries are put into the tail of LIS. Output the processing information of the

$$j = S_{i-1} \bmod 3 \tag{33}$$

$S_0$ is the second byte value for the key key2.

The decryption is described as:

$$S_i = (C_i - C_{i-1} - \mathit{key1}_j) \bmod 256 \tag{34}$$

Step 5: Test the type-L entry in LIS via the significance test function $S_n(X)$. D entries are put into the tail of LIS. Output the processing information of the coordinates to the code stream.
Step 6: Encrypt the current code stream using Eq. (32).
Step 7: For each entry of LSP, output the nth significant bit of the coefficient except the newly added ones in the sorting pass.
Step 8: Subtract one from the value n and go to step 2 until the threshold is 1.
Step 9: Output the encrypted and compressed bitstream.

An array named OUTPUT is used to store the SPIHT bitstream. To decode, the basic information of compression, such as the wavelet decomposition level, cannot be encrypted. The basic information is recorded in OUTPUT[1] through OUTPUT[5]. Record the location l, which is the last bit of the array OUTPUT that is written in every type-D sorting pass and type-L sorting pass. Encrypt the bitstream from OUTPUT[6 + $l_{i-1}$] to OUTPUT[$l_i$]. For the first encryption, $l_0 = 0$. The principle is shown in Fig. 9.

4.4. Permutation and diffusion scheme on the code stream

The code stream is encrypted after the secure SPIHT to form the last layer of protection. The diffusion and permutation are performed simultaneously.

The code stream is divided into n segments after the secure SPIHT, and each segment includes 256 bytes. The encryption procedure is described in detail below.

Step 1: Choose the current segment to carry out diffusion. The diffusion of encryption can be expressed as Eq. (35).

$$\begin{cases} C_0 = \mathit{key13}(0) \\ C_i = (s_i^{-1} \times \mathit{key1}_j) \bmod (2^{16} + 1) \oplus \mathit{key2} \oplus C_{i-1} \quad (i \ge 1) \end{cases} \tag{35}$$

$s_0$ is the value of the second two bytes for the key key13.

According to Eqs. (35) and (36), the encryption is related to the plaintext.

In decryption, the inverse of diffusion is described as:

$$s_i = \mathit{key1}_j \times (C_i \oplus \mathit{key2} \oplus C_{i-1})^{-1} \bmod (2^{16} + 1) \quad (i \ge 1) \tag{37}$$

Step 2: Place the current segment in the new position based on the hyper-chaotic Rabinovich system.

Given the initial value $(x_0, y_0, z_0, w_0, u_0)$ of the hyper-chaotic Rabinovich system, iterate on Eq. (3) to obtain the chaotic sequence $R = \{r_i, i = 1, 2, \ldots, n\}$. Sort the chaotic sequence to obtain the sorted chaotic sequence $S = \{s_i, i = 1, 2, \ldots, n\}$. Find the transformation sequence $T = \{t(i), i = 1, 2, \ldots, n\}$ such that $s_i$ is exactly the value of $r_{t(i)}$. Move the
Fig. 9. SSPIHT principle.
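The cat-map scrambling of Eqs. (28) and (31), as an added Python example that is not code from the paper: it shows that position (0, 0) is a fixed point of the map, that the swap with (t, s) moves it, and that both steps invert exactly. The parameters p, q, t and s are passed in as plain integers here (in the scheme they come from the chaotic iterates), and the 8×8 block is constructed sample data.

```python
def cat_target(x, y, p, q, n):
    """Eq. (28): image of (x, y) under the matrix [[pq+1, p], [q, 1]] mod n."""
    return ((p * q + 1) * x + p * y) % n, (q * x + y) % n

def cat_map_permute(block, p, q):
    """Move every entry of an n x n block to its cat-map position."""
    n = len(block)
    out = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            xn, yn = cat_target(x, y, p, q, n)
            out[xn][yn] = block[x][y]
    # The matrix has determinant (pq+1) - pq = 1, so the map is a bijection
    # mod n and every cell of `out` has been written exactly once.
    return out

def cat_map_inverse(block, p, q):
    """Undo cat_map_permute by reading each entry back from its target."""
    n = len(block)
    out = [[None] * n for _ in range(n)]
    for x in range(n):
        for y in range(n):
            xn, yn = cat_target(x, y, p, q, n)
            out[x][y] = block[xn][yn]
    return out

def scramble(block, p, q, t, s):
    """Cat map followed by the Eq. (31) swap of position (0, 0) with (t, s)."""
    out = cat_map_permute(block, p, q)
    # (t, s) == (0, 0) would make this swap a no-op and leave the corner fixed.
    out[0][0], out[t][s] = out[t][s], out[0][0]
    return out

def unscramble(block, p, q, t, s):
    """Inverse of scramble: undo the swap first, then the cat map."""
    tmp = [row[:] for row in block]
    tmp[0][0], tmp[t][s] = tmp[t][s], tmp[0][0]
    return cat_map_inverse(tmp, p, q)

# Constructed sample: an 8 x 8 block whose entries are all distinct.
SAMPLE = [[r * 8 + c for c in range(8)] for r in range(8)]

if __name__ == "__main__":
    plain_corner = SAMPLE[0][0]
    print("corner after cat map only:", cat_map_permute(SAMPLE, 3, 5)[0][0], "(was", plain_corner, ")")
    print("corner after swap:", scramble(SAMPLE, 3, 5, 2, 6)[0][0])
    print("round trip ok:", unscramble(scramble(SAMPLE, 3, 5, 2, 6), 3, 5, 2, 6) == SAMPLE)
```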
[Figure panels: (e) Original Lena image; (f) Lena upper left 128×128 block wavelet coefficients diffusion image; (g) Lena encrypted image on wavelet coefficients; (h) Reconstructed Lena image; (i) Original House image; (j) House upper left 128×128 block wavelet coefficients diffusion image; (k) House encrypted image on wavelet coefficients; (l) Reconstructed House image.]
(a) Encrypted Lena image for the wavelet coefficients when diffusion performed on 0×0 block
(b) Encrypted Lena image for the wavelet coefficients when diffusion performed on 8×8 block
(c) Encrypted Lena image for the wavelet coefficients when diffusion performed on 16×16 block
(d) Encrypted Lena image for the wavelet coefficients when diffusion performed on 32×32 block
(e) Encrypted Lena image for the wavelet coefficients when diffusion performed on 64×64 block
(f) Encrypted Lena image for the wavelet coefficients when diffusion performed on 256×256 block
Fig. 11. Encrypted Lena image for the wavelet coefficients.
Fig. 13. The compression ratio, CR, of six images with different diffusion block sizes.
The experiment is performed on six standard 512 × 512 grayscale images. The images are titled Airplane, Lena, House, Peppers, Barbara and Baboon. For the Airplane, Lena, House, Peppers, Barbara, and Baboon images, the diffusion results for wavelet coefficients, encrypted results for wavelet coefficients and reconstructed images are shown in Fig. 10. Fig. 11 shows Lena's encrypted results for the wavelet coefficients under different sizes of diffusion. Fig. 12 shows the reconstructed Lena image via a 1-bit-difference wrong key.

| Block size of diffusion | CR (bpp) |
|---|---|
| no encryption | 4.526412 |
| only SSPIHT | 4.526412 |
| 0×0 block | 5.115620 |
| Upper left 8×8 block | 5.115643 |
| Upper left 16×16 block | 5.117134 |
| Upper left 32×32 block | 5.123795 |
| Upper left 64×64 block | 5.158768 |
| Upper left 128×128 block | 6.222713 |
| Upper left 256×256 block | 7.729794 |
5.2. Compression performance

In this paper, lossless compression is performed. Table 5 lists the compression ratio, CR, of six images when the diffusion block size is 128×128. Fig. 13 shows the CR of six images with different diffusion block sizes. Here, the unit of the CR is bpp (bits per pixel), which means the required number of bits for each pixel. For different block sizes of diffusion, the compression performance on the Lena image is listed in Table 6.

From Table 6 and Fig. 13, the wavelet coefficients block size of diffusion has a significant effect on the compression ratio. The smaller the block size of diffusion, the larger the compression ratio. That is because some insignificant coefficients become significant ones in the process of SPIHT encoding after the wavelet coefficients block is encrypted. The increase in significant coefficients will lead to a longer code stream. Therefore, the compression ratio will decrease. Table 6 also shows the compression performance under only SSPIHT, without wavelet coefficient encryption and code stream encryption. The compression ratio with only SSPIHT is the same as with no encryption, which demonstrates that adding encryption in the SPIHT coding process has no effect on compression performance.

A comparison with various lossless image compression algorithms is shown in Table 7.

Table 7
Comparison of compression ratio.

| Proposed scheme (Upper left 128×128 block) | Proposed scheme (Upper left 256×256 block) | Ref. [41] | LZW | RLE | Huffman |
|---|---|---|---|---|---|
| 5.513646 | 7.729794 | 7.0000 | 7.6000 | 7.9000 | 7.8000 |

From Table 7, when the encrypted wavelet coefficients block is smaller than 256×256, the compression ratio is better than that of other lossless compression schemes. The impact of encryption on compression is not significant.

5.3. Key space analysis

The key space of a good image encryption algorithm should be large enough to make an exhaustive attack infeasible. In our algorithm, there are three keys: the wavelet coefficient diffusion key, SPIHT encryption key, and code stream permutation key. The wavelet coefficient diffusion key and SPIHT encryption key contain 10 real numbers. The code stream permutation key contains 5 real numbers. To avoid the negative effects caused by discretization, the real numbers should be stored and transmitted using a real data type with high precision. If the implementation language complies with IEEE Standard 754-2008, then it is recommended to use the double data type. The double data type stores real numbers in 8 bytes with an accuracy of 15 decimals. Thus, the length of the key will be 960 bits, which means the size of the key space will be equal to $2^{960}$. That is large enough to resist brute force attacks.

5.4. Resistance to statistical attack

To prevent an attacker from obtaining the pixel characteristics of the image, resistance to statistical analysis is the most basic principle of an image encryption algorithm. Shannon suggested that diffusion and confusion should be employed in a cryptosystem [42] for the purpose of frustrating powerful statistical analysis. In the proposed encryption scheme, diffusion is performed based on a pseudorandom key stream in three locations. Permutation is carried out based on the cat map and the hyper-chaotic Rabinovich system in two locations, which can be considered the confusion process. Therefore, the cipher-image is
randomly distributed. This is shown by a test on the histograms of the cipher-text, the correlations of adjacent pixels in the cipher-text and the information entropy of the cipher-text.

5.4.1. Histogram analysis

Fig. 14 depicts the histograms of the six standard grayscale images and the corresponding cipher-texts. Fig. 15 shows the histograms of
Lena with different diffusion block sizes.

From Figs. 14 and 15, we can see that the histograms of the cipher-texts are nearly uniformly distributed, which can well protect the information of the image from statistical attack.

Furthermore, we use the $\chi^2$-test to analyze the distribution of pixel values for encrypted images [17,26]. The value of the $\chi^2$-test for the encrypted image of dimension m × n is as follows [17,26]:
$$\chi^2 = \sum_{i=0}^{255} \frac{(v_i - v_0)^2}{v_0} \tag{38}$$

where $v_i$ is the observed frequency of a pixel value i (0 ≤ i ≤ 255) and $v_0$ is the expected frequency of a pixel value i, $v_0 = (m \times n)/256$.

The result of the $\chi^2$-test for the 6 pairs of plain/encrypted test images are presented in Table 8:

Table 8
Results of the histograms' uniformity $\chi^2$-test.

| Image | $\chi^2$-test, plain image | $\chi^2$-test, encrypted image |
|---|---|---|
| Lena | 260041.039 | 282.039 |
| House | 980954.229 | 282.634 |
| Peppers | 138836.174 | 278.064 |
| Baboon | 187598.908 | 271.860 |
| Barbara | 95548.875 | 269.477 |
| Airplane | 728692.240 | 276.294 |

From Table 8, for the six images, the values of the $\chi^2$-test are all lower than the critical value $\chi^2_{255,0.05} = 293.25$. Thus, we can conclude that the distribution of pixel values in the encrypted image is uniform. That means that the proposed scheme can resist statistical attacks.
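The uniformity check of Eq. (38), as an added Python example that is not the authors' code: it computes the statistic over 8-bit values and compares it with the 293.25 critical value quoted above. The function names and the two-level histograms used as input are constructed for illustration.

```python
from collections import Counter

CRITICAL_255_005 = 293.25  # chi-square critical value quoted in the text

def chi_square_uniformity(pixels):
    """Eq. (38): sum over i = 0..255 of (v_i - v_0)^2 / v_0, v_0 = len / 256."""
    total = len(pixels)
    if total == 0:
        raise ValueError("empty image")
    counts = Counter(pixels)
    if any(not 0 <= value <= 255 for value in counts):
        raise ValueError("pixel values must be 8-bit")
    expected = total / 256
    # Values that never occur still contribute (0 - v_0)^2 / v_0.
    return sum((counts.get(i, 0) - expected) ** 2 / expected for i in range(256))

def passes_uniformity(pixels, critical=CRITICAL_255_005):
    """True when the histogram is not rejected as non-uniform at this level."""
    return chi_square_uniformity(pixels) < critical

def biased_histogram_pixels(deviation, expected=1024):
    """Constructed 512 x 512 sample: even values occur `expected + deviation`
    times, odd values `expected - deviation` times (order is irrelevant)."""
    out = bytearray()
    for value in range(256):
        count = expected + deviation if value % 2 == 0 else expected - deviation
        out.extend([value] * count)
    return bytes(out)

if __name__ == "__main__":
    for deviation in (32, 35):
        sample = biased_histogram_pixels(deviation)
        print(deviation, chi_square_uniformity(sample), passes_uniformity(sample))
    # A fully predictable ramp has a perfectly flat histogram and scores 0,
    # so a passing value describes the histogram only, not the key stream.
    print(chi_square_uniformity(bytes(range(256)) * 4))
```

For a 512×512 image the verdict flips between a per-value deviation of 32 and 35 counts around the expected 1024, which gives a feel for how tight the 293.25 threshold is.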
Table 10
Information entropy of the encrypted code stream matrix for the six images.

| Image (Upper left 64×64 block) | Information entropy |
|---|---|
| Lena | 7.99294 |
| Baboon | 7.99272 |
| Barbara | 7.99173 |
| Airplane | 7.99310 |
| House | 7.99305 |
| Peppers | 7.99290 |

| Block size of diffusion | Information entropy |
|---|---|
| 0×0 block | 7.99238 |
| Upper left 8×8 block | 7.99242 |
| Upper left 16×16 block | 7.99249 |
| Upper left 32×32 block | 7.99286 |
| Upper left 64×64 block | 7.99294 |
| Upper left 128×128 block | 7.99324 |
| Upper left 256×256 block | 7.99325 |

Table 12
Local Shannon entropy test for encrypted images (k=30, TB=1936, α=0.05).

| Encrypted image | Local Shannon entropy | Result |
|---|---|---|
| Lena | 7.9026 | SUCCESS |
| House | 7.9027 | SUCCESS |
| Peppers | 7.9021 | SUCCESS |
| Baboon | 7.9025 | SUCCESS |
| Barbara | 7.9026 | SUCCESS |
| Airplane | 7.9019 | SUCCESS |
| Mean ± Std. | 7.9023 ± 0.0004 | |
| Number of images passing the α-level test | 6 | |

Table 15
PSNR and MSSIM of the failure image for 1-bit-difference wrong key.

| Image | Metric | 1-bit-difference wrong key of wavelet coefficients encryption performed on 8×8 blocks | 1-bit-difference wrong key of SPIHT encoding encryption | 1-bit-difference wrong key of code stream encryption |
|---|---|---|---|---|
| Lena | PSNR | 9.8362 | 5.4905 | 5.6714 |
| Lena | MSSIM | 0.1801 | 0.0137 | 0.0019 |
| House | PSNR | 7.7057 | 5.6026 | 9.8611 |
| House | MSSIM | 0.1361 | 0.0117 | 0.0110 |
| Baboon | PSNR | 8.1241 | 5.5808 | 5.4778 |
| Baboon | MSSIM | 0.0574 | 0.0173 | 0.0011 |
| Barbara | PSNR | 9.8952 | 5.3527 | 5.8358 |
| Barbara | MSSIM | 0.1223 | 0.0163 | 0.0062 |
| Peppers | PSNR | 8.7316 | 5.2507 | 6.6269 |
| Peppers | MSSIM | 0.1449 | 0.0112 | 0.0050 |

(48) to evaluate the quality of the failure images for a 1-bit-difference wrong key. Table 15 lists the results.

$$\mathrm{PSNR} = 10 \times \log_{10}\left(\frac{x_{peak}^2}{\mathrm{MSE}}\right) \tag{45}$$

where $x_{peak}$ represents the signal peak value.

$$\mathrm{MSE} = \frac{1}{M \times N} \sum_{i=1}^{M} \sum_{j=1}^{N} \left(\hat{f}(i, j) - f(i, j)\right)^2 \tag{46}$$
Table 20
The value of MSE for the six images.

| Image | Lena | Baboon | Barbara | Airplane | House | Peppers |
|---|---|---|---|---|---|---|
| MSE | 0 | 0 | 0 | 0 | 0 | 0 |

For an image with n pixels, the computational complexity of our scheme is listed in Table 17.

Table 17 shows that the scheme is widely applicable. According to Ref. [24], the most time-consuming parts of the entire process can exhibit the computational complexity of the scheme well. For wavelet coefficient encryption, diffusion and permutation are

Table 18
Encryption and compression time.

| Image | Wavelet coefficients encryption time | SPIHT encryption time | Code stream encryption time | Encryption total time | Compression time | Encryption time/total time |
|---|---|---|---|---|---|---|
Table 21
Performance comparison.
Scheme Indicator
Correlation coefficient of adjacent pixels for Lena Key sensitivity Percentage of encryption time