Optics and Lasers in Engineering 90 (2017) 254–274

Contents lists available at ScienceDirect

Optics and Lasers in Engineering

journal homepage: www.elsevier.com/locate/optlaseng

Joint image encryption and compression scheme based on IWT and SPIHT
⁎
crossmark
Miao Zhang, Xiaojun Tong
Harbin Institute of Technology, School of Computer Science and Technology, Weihai 264209, China

A R T I C L E I N F O A BS T RAC T

Keywords: A joint lossless image encryption and compression scheme based on integer wavelet transform (IWT) and set
Image encryption and compression partitioning in hierarchical trees (SPIHT) is proposed to achieve lossless image encryption and compression
IWT simultaneously. Making use of the properties of IWT and SPIHT, encryption and compression are combined.
SSPIHT Moreover, the proposed secure set partitioning in hierarchical trees (SSPIHT) via the addition of encryption in
Hyper-chaotic system
the SPIHT coding process has no effect on compression performance. A hyper-chaotic system, nonlinear inverse
Inverse operation
operation, Secure Hash Algorithm-256(SHA-256), and plaintext-based keystream are all used to enhance the
security. The test results indicate that the proposed methods have high security and good lossless compression
performance.

1. Introduction
Recently, the wide availability of cameras and digital scanners of
very high resolution has made the use of high-resolution digital images
a common aspect of everyday life. The increasing volume of massive
images brings great challenges for their storage and network transmis-
sion. Compression is an efficient tool for images to conserve memory
space and transmission bandwidth. Much research on image compres-
sion has been carried out [1–3], and some image compression
standards, such as JPEG, JPEG2000, and GIF, have been proposed.
Among them, discrete wavelet transform (DWT) has been widely used
in image compression. In the new image compression standard
JPEG2000, DWT has officially displaced discrete cosine transform
(DCT) as the transform compression algorithm. On some important
occasions, such as image-based evidence against crime, it is necessary
to save images in high quality by lossless compression. Lossless
compression based on the integer wavelet transform (IWT) has
received extensive attention. Interpolating the biorthogonal integer
wavelet transform (IB-IWT) is simple and easy to implement, making it
suitable for real-time lossless image compression. The 9/7-M IB-IWT
has good performance on more than 3-level wavelet decomposition [4].
Another problem associated with digital images is security. Image
encryption technology is an efficient way to solve the image security
problem.
Considering the characteristics of image data, image processing
technology, security requirements and the increasing volume of
images, a joint compression and encryption scheme that performs
compression and encryption in a single step is a promising method. By
the interaction between the compression operation and the encryption
operation, certain uncertainty is introduced to the length of the cipher-
image. That increases the difficulty faced by would-be attackers. At
present, there are two ideas for implementing joint compression and
encryption. One is seamlessly embedding the encryption into compres-
sion. The most common is embedding encryption in entropy coding,
such as arithmetic coding and Huffman coding [5–7]. However, these
schemes are all compression-oriented, and encryption is treated as an
additional feature, not the primary concern. Thus, the security is not
satisfactory. For set partitioning in hierarchical trees (SPIHT) com-
pressed images, Xiang et al. [8] proposed an algorithm of joint
compression and selective encryption. However, only scrambling is
performed, and selective encryption is performed during the coding
process. As we all known, the security of selective encryption systems is
lower when compared to full encryption. Another type of approach is
embedding the encryption into the most frequently applied image
compression techniques involving transform coding [9,10]. Most of
them perform lossy compression. The encryption is usually added after
the invertible transform of the intensity image. As the encryption has
an influence on subsequent bit-stream coding, selective encryption is
usually performed. Therefore, the security level is not satisfactory. In
addition, Bowley and Rebollo-Neira [11,12] proposed the idea of
encryption image folding. However, its security should be improved on.
In recent years, many research papers have revealed the close
relationship between a chaos system and a cryptography system. The
good cryptography properties of chaos enable a chaos-based crypto-
graphic system to possess excellent randomness in ciphers [9].
Moreover, in comparison to traditional encryption techniques, chaos

⁎
Corresponding author.
E-mail addresses: zhangmiaozm209@126.com (M. Zhang), tong_xiaojun@163.com (X. Tong).

http://dx.doi.org/10.1016/j.optlaseng.2016.10.025
Received 10 June 2016; Received in revised form 27 October 2016; Accepted 27 October 2016
Available online 11 November 2016
0143-8166/ © 2016 Elsevier Ltd. All rights reserved.
M. Zhang, X. Tong
has shown superior performance in the field of image encryption due to
the bulky data capacity and high correlation among pixels in image
files. Chaos-based image encryption methods have also been proposed
[13–25] and have developed considerably. The security of chaos-based
image encryption methods has become the focus of people's concern.
Some novel schemes to improve security have been proposed, such as
one-time keys [14], bit-level encryption [15,16], and the DNA rule
[17,18]. In Ref. [20], the generated key streams depend on the
plaintext image to resist the chosen plaintext attack. In Ref. [21],
Wang et al. proposed an enhanced sub-image encryption method
algorithm that can completely resist the chosen plaintext attack and
reduce the encryption time dramatically. In Ref. [22], the hybrid
compound of an S-box and chaotic system is designed to strengthen
the overall encryption performance and enlarge the key space.
However, none consider the compression. Another scheme to improve
security is the design of a chaotic map of good properties. Zhang et al.
[23,24] proposed new image encryption algorithms based on the
spatiotemporal non-adjacent coupled map lattices and the spatiotem-
poral chaos of the mixed linear-nonlinear coupled map lattices, which
have more outstanding cryptography features in dynamics than the
logistic map or coupled map lattices do. Liu et al. [25] designed a new
two-dimensional Sine ICMIC modulation map (2D-SIMM) to enlarge
the key space and improve complexity. Hyper-chaos has more than one
positive Lyapunov exponent, a larger key space and more complex
dynamical characteristics. It is difficult to decipher the information
encrypted with a hyper-chaotic system using the general cracking
methods, such as phase-space reconstruction and non-linear predic-
tion. Therefore, it is valuable to apply hyper-chaos to image encryption.
Some hyper-chaos-based image encryption schemes have been pro-
posed [26–29]. However, due to the failed design of the encryption
process, such as permutation or diffusion, many of these algorithms are
insecure [30,31]. In nature, there is no nonlinear operation involved in
the overall encryption scheme.
In this paper, a joint image encryption and compression scheme
based on 9/7-M IB-IWT, SPIHT and a new hyper-chaotic system is
proposed. In this scheme, compression and encryption are combined in
a single process. A new hyper-chaotic system based on a Rabinovich
system is designed to encrypt images. The complexity of the proposed
hyper-chaotic system is greater than that of some conventional hyper-
chaotic systems. As we all know, the inverse operation in a finite field,
as a nonlinear component, has many good cryptological properties
[32]. In the encryption process, a nonlinear inverse operation is
introduced to resist attacks. Moreover, the key stream used in encryp-
tion is related to the plaintext to resist attacks. Encryption and
compression are combined in three ways. First, the important wavelet
coefficients are diffused, and the overall wavelet coefficients are
permuted simultaneously using the inverse operation and hyper-
chaotic system. As SHA-256 is fast and input-sensitive, it is employed
to enhance the encryption effect. Second, encryption is added to SPIHT
coding, forming secure set partitioning in hierarchical trees (SSPIHT),
which has no effect on compression performance. Lastly, the code
stream generated after SPIHT coding is encrypted to perform the final
layer of protection. The experimental results presented in this paper
show the effectiveness of the proposed joint image encryption and
compression scheme.
The rest of this paper is organized as follows. A review of IWT and
SPIHT is given in Section 2. A new hyper-chaotic system and
pseudorandom sequence generator are presented in Section 3. In
Section 4, the proposed joint image encryption and compression
scheme is described. The experimental results and security analysis
of our new schemes are given in Section 5. Finally, the study's
conclusions are presented in Section 6.
255
Optics and Lasers in Engineering 90 (2017) 254–274
2. Research on IWT and SPIHT
2.1. Integer wavelet transform for image compression
IWT is a special realization form of DWT. As an expansion of the
wavelet analysis theory, IWT not only inherits many advantages of
DWT but also realizes some functions that DWT does not possess. Due
to the real reversibility, IWT can realize lossless image compression.
For many research methods on IWT, IWT based on a lifting scheme has
the characteristics of low computational complexity, conservation of
storage, ease of implementation in hardware, etc. The lifting scheme
includes three steps: split, predict and update. Interpolating the
biorthogonal integer wavelet transform (IB-IWT) is a group of IWT
that has the nature of a biorthogonal filter. Compared with other IWTs
based on a lifting scheme, IB-IWT only has two lift steps, reducing the
number of floating-point operations. Therefore, IB-IWT is very suitable
for real-time lossless image compression. There are six types of
common IB-IWT forms. Among them, 9/7-M IB-IWT has good
performance on more than 3-level wavelet decomposition [4]. The
form of 9/7-M IB-IWT is as follows [33]:
d [n] = d 0 [n] + ⌊1/16((s0 [n + 2] + s0 [n − 1]) − 9(s0 [n + 1] + s0 [n]))
+ 1/2⌋
s [n] = s0 [n] + ⌊1/4(d [n] + d [n − 1]) + 1/2⌋
(1)
where s0[n] represents the 2nth amplitude of the signal sequence, d0[n]
represents the (2n+1)th amplitude of the signal sequence, and s[n] and
d[n] are the nth amplitudes of the low-frequency signal and high-
frequency signal after an IWT decomposition, respectively.
2.2. SPIHT encoding
SPIHT is an improved algorithm based on the embedded zero-tree
wavelet (EZW) algorithm [34], and the encoding procedure can be
stopped at any compression ratio via the feature of progressive coding.
SPIHT is operated on the coefficients of DWT (specifically, IWT) that
are organized in a tree structure. An image transformed using the
three-level DWT (IWT) is shown in Fig. 1. There are four sub-bands:
LL, HL, LH and HH. The LL sub-band is an approximation of the
original image and will be decomposed recursively in multiple-level
decomposition, the LH sub-band preserves the horizontal edge details,
the HL sub-band preserves the vertical details, and the HH sub-band
represents the diagonal details. Then, the resulting coefficients are
grouped into a spatial orientation trees (SOT) structure of SPIHT, as
shown in Fig. 2. Each node of the tree corresponds to a wavelet
coefficient. Use the coordinate as the identification of a node. According
to the structure of SOT, there are four types of coordinates sets, O(i, j),
D(i, j), H, and L(i, j), in SPIHT. O(i, j) represents the set of coordinates
LL3 HL3
HL2
LH3 HH3
HL1
LH2 HH2
HH1
LH1
Fig. 1. The three-level DWT (IWT).
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Fig. 2. The SOT structure of SPIHT.
of all offspring of the coefficient at (i, j). D(i, j) represents the set of
coordinates of all descendants of the coefficient at (i, j). H represents
the set of coordinates of all coefficients in the root level. L(i, j)=D(i, j)-
O(i, j).
For coordinate sets, there is a significance test function to estimate
the significance of the coefficients. Let X be a coordinate set and n be an
integer, and then the significance test function Sn(X) is defined as:
⎧ max { ci, j ≥ 2n}
⎪1,
Sn (X ) = ⎨ (i, j )∈ X
⎪
⎩ 0, otherwise (2)
where ci, j denotes the coefficient at (i, j). If Sn(X)=1, the coordinate set
X is significant at the threshold 2n.
Define three lists: a list of insignificant sets (LIS), list of insignif-
icant pixels (LIP), and list of significant pixels (LSP). LIS contains two
types of entries: D(i, j) and L(i, j). If an LIS entry represents D(i, j), we
call it type D. If an LIS entry represents L(i, j), we call it type L. LIP is a
list of insignificant coefficients that do not belong to any of the sets in
LIS. LSP is a list of coefficients that have been identified as significant
coefficients.
The main steps of SPIHT are as follows:
(1) Initialization. Set the threshold T=2n, n = ⌊ log2 (max(i, j ) {|ci, j |})⌋. ci,
j represents the wavelet coefficient at (i, j). The initialization sets
LSP as an empty list, adds all the coordinates in H to LIP, and adds
only those with descendants to LIS.
(2) Sorting pass. Each coordinate in LIP and LIS is tested by the
significance test function Sn(X) in Eq. (2), and the result is output
to the code stream. If the result is 1, it will be moved to LSP;
otherwise, it will be moved to the end of LIP or LIS.
(3) Refinement pass. For each entry of LSP, the nth significant bit of
the coefficient, except the newly added ones in the sorting pass, is
outputted.
(4) Quantization-step update. This subtracts one from the value of n
and proceeds to the next sorting pass and refining pass until the
threshold is 1.
3. New hyper-chaotic system and generation of a
pseudorandom sequence
3.1. New hyper-chaotic system
⎧ x ̇ = hy − ax + yz
⎪
⎪ y ̇ = hx − by − xz − u
⎨ z ̇ = −dz + xy + w 2
⎪ ẇ = −xy + cw
⎪
⎩ u ̇ = ry (3)
where x, y, z, w and u are state variables and a=10, b=−4, c=−10, d=1,
h=30 and r=1 are parameters of the new 5D hyper-chaotic Rabinovich
system in Eq. (3).
The hyper-chaotic system must satisfy the following two necessary
conditions: 1) for an autonomous system, four dimensions (4D) are
required at a minimum; 2) two or more positive Lyapunov exponents
combined with one null exponent and the sum of all the Lyapunov
exponents is less than 0.
Five Lyapunov exponents of the new 5D hyper-chaotic Rabinovich
system in Eq. (3) calculated by the Wolf algorithm [35] are:
λL1 = 2.635076 , λL2 = 0.018777, λL3 = 0 ,λL4 = −7. 687620 and
λL5 = −11. 955654 . The sum of all the Lyapunov exponents is less than
0. These results satisfy the above two necessary conditions of the
hyper-chaotic system.
The larger the Lyapunov exponent is, the faster the trajectories
separate and the wider the corresponding separatrix of the chaotic
region is. Therefore, a larger Lyapunov exponent shows more evident
chaotic behavior. The five Lyapunov exponents (λ1, λ2, λ3, λ4 and λ5)
of the proposed system and of other hyper-chaotic systems are shown
in Table 1.
From Table 1, we can see that the maximum Lyapunov exponent λ1
of the proposed system is larger than that of other systems. Therefore,
the complexity of the proposed hyper-chaotic system is greater than
that of some conventional hyper-chaotic systems.
3.2. Generation of a pseudorandom sequence
In this section, a pseudorandom sequence generator is constructed
based on the new hyper-chaotic Rabinovich system proposed in Section
3.1. Because of the computers' finite precision, the cycle of the
discretized chaotic sequence may degenerate. It has been proved that
LFSR arrives at its longest period when the characteristic polynomial is
a primitive polynomial. The sequence generated by LFSR with a
primitive polynomial is called an m-sequence. Through the long-cycle
feature of the m-sequence, we use LFSR to perturb the chaotic
sequences to improve the cryptographic properties of the chaotic
sequence. The pseudorandom sequence generator is shown in Fig. 3.
The generator includes three parts: the generation of the LFSR
disturbed sequence, the hyper-chaotic Rabinovich system with pertur-
bation, and discretization.
3.2.1. Mixed design of LFSR and the hyper-chaotic system
We select two LFSRs with primitive polynomials to generate m-
sequences. The two m-sequences generated by the LFSRs are operated
by a bit-wise XOR operation to generate a perturbance sequence as
shown in Eq. (4), which is used to perturb the chaotic sequence.
{bn} = LFSR1 ⊕ LFSR2 (4)
In Eq. (4), LFSR1 and LFSR2 represent the m-sequences generated
by the two LFSRs, and {bn}(n = 1, 2, ... ) represents the perturbance
sequence.
The stages of the two LFSRs are m1 and m2, respectively.
Table 1
Lyapunov exponents comparison.
Hyperchaotic system λ1 λ2 λ3 λ4 λ5

On the basis of a Rabinovich system, by adding a nonlinear Proposed 2.635 0.019 0 −7.688 −11.956
feedback controller and a linear state feedback controller, we construct Rössler system 0.112 0.019 0 −25.188 –
Ref.[36] 0.317 0.015 0 −6.401 –
a new five-dimensional (5D) hyper-chaotic system as follows:

256
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

LFSR1 LFSR2

Hyper-chaotic Rabinovich Chaotic sequence Discretization Pseudorandom

system (perturbing l lowest bits) sequence

Fig. 3. Pseudorandom sequence generator.

Moreover, stages m1 and m2 are relatively prime, namely, gcd(m1, m2) key13 = key1n ||key5n ||key2n ||key1(n +1) ||key5(n +1) ||key2(n +1) ||... ||... (11)
=1. The concrete perturbance method is: the l lowest bits of the chaotic
key2 = key1n ||key2n ||key3n ||key4n ||key5n ||key1(n +1) ||key2(n +1) ||... ||... (12)
sequences and perturbance sequence are operated on by a bit-wise
XOR operation at intervals of Δ. The interval Δ should be smaller than where “||” denotes a splitting joint of the integer sequence.
the cycle length of the case without perturbance [34].
From Eq. (3), we can obtain five sequences about the five variables 3.3. Performance analysis of the pseudorandom sequence
x, y, z, w and r. We perturb the five sequences using the above
perturbance method. Taking x as an example, the perturbance process 3.3.1. Period length analysis
is described below. To analyze the period length of the pseudorandom sequence
Iterating on Eq. (3), we can obtain the sequence about x,{x1,x2, generated in Section 3.2, we present a theorem.
…,xΔ,xΔ+1,…x2Δ,…}, where Δ is the perturbance interval value. The
value to be perturbed is xkΔ, k=1,2,3,…. Taking the first value to be Theorem 1. Suppose there are two independent discrete binary
perturbed, xΔ, as an example, set the fractional part of xΔ to bexΔF , sequences f1(n) and f2(n). Their periods are T1 and T2, respectively,
which can be described as and T1 ≠ T2 . Then the period of the new sequence w(n)= f1(n)⊕f2(n) is
the least common multiple of T1 and T2, i.e., lcm(T1, T2).
xΔF = 0. xΔF,1 xΔF,2 ... xΔF, i ... xΔF, P (5)
Proof:. Let K1 and K2 both be arbitrary finite positive integers.
where xΔF, i ∈ {0, 1}(i = 1, 2, ... ,P ), and P is the computer's precision.
Because the periods of the two sequences, f1(n) and f2(n), are T1 and
The perturbance can be described as
T2, respectively, we can obtain the following:
⎧ F
⎪ xΔ, i , 1≤i≤P−l f1 (n + K1 T1) = f1 (n ) (13)
xΔF,′i = ⎨
⎪ F
⎩ Δ, i
x ⊕ bk+P−i , P−l+1 ≤i≤P (6)
f2 (n + K2 T2 ) = f2 (n ) (14)
where bk + P − i ∈ {bn}, and xΔF,′i is the fractional part of xΔ after the
The smallest integer period of w(n) should satisfy the following Eq.
perturbance. After the perturbance, the fractional part of xΔ is
substituted for xΔF,′i . Then, xΔ after the perturbance is inserted into Eq. (15):
(3) to obtain the following values. The following perturbances occur w (n + T ) = w (n ) (15)
after every Δ iteration. For other selected values xnΔ (n=2, 3, …) to be
According to w(n)= f1(n)⊕f2(n),
perturbed, the perturbance process is the same as above. The l bits
needed in the perturbance process are obtained from {bn} in turn. The w (n + T ) = f 1 (n + T ) ⊕ f2 (n + T ) (16)
chaotic sequence about x after perturbance is represented as {xn′}
Then, from Eqs. (13) and (14),
(n=1,2,3,…). The chaotic sequences about y, z, w and r are perturbed in
the same manner. Thus, we can obtain the corresponding perturbed f 1 (n ) ⊕ f2 (n ) = f1 (n + K1 T1) ⊕ f2 (n + K2 T2 ) (17)
chaotic sequences {yn′}, {zn′}, {wn′} and {rn′} (n=1,2,3,…). From Eqs. (15) and (17), we obtain the following equation:

3.2.2. Discretization method w (n + T ) = w (n ) = f 1 (n ) ⊕ f2 (n ) = f1 (n + K1 T1) ⊕ f2 (n + K2 T2 ) (18)

To encrypt an image, we need the discretize perturbed chaotic Comparing Eqs. (16) and (18), we can conclude that
sequences {xn′}, {yn′}, {zn′}, {wn′} and {rn′} (n=1,2,3,…) obtained from
Section 3.2.1. For each sequence, we obtain the fractional part. With f 1 (n + T ) ⊕ f2 (n + T ) = f1 (n + K1 T1) ⊕ f2 (n + K2 T2 ) (19)
{xn′}, for example, the fractional part is obtained as follows: Because Eq. (19) is meaningful for arbitrary integers K1 and K2, we
xn″ = xn′ − ⌊xn′⌋ (7) have:

where ⌊x ⌋ denotes the greatest integer that is less than x. For the
sequences {yn′}, {zn′}, {wn′}and {rn′}, we do the same to obtain the
sequences {yn″}, {zn″}, {wn″} and {rn″}.
With {xn′ ′}, for example, use Eq. (8) to quantize the decimal part and
obtain the integers sequence key1 n. For the sequences {yn″}, {zn″}, {wn″}
and {rn″}, we do the same to obtain the integers sequences key2 n,
key3 n, key4 n, and key5 n.
keyin = mod(shiftR (⌊xn″ × 10 P⌋, 7), 256)
where P is the computer precision, shiftR(x, y) performs an unsigned
right shift of the y bits on x, n=1, 2, 3, …, and i=1, 2, 3, 4, 5.
Finally, four the pseudorandom sequences in Eqs. (9)–(12) are
generated for the subsequent encryption.
key11 = key1n ||key2n ||key3n ||key1(n +1) ||key2(n +1) ||key3(n +1) ||... ||...
key12 = key2n ||key1n ||key4n ||key2(n +1) ||key1(n +1) ||key4(n +1) ||... ||...
⎧T = K1 T1
⎨
⎩T = K2 T2 (20)
Because T1 ≠ T2 , it is also true that K1 ≠ K2 . If T satisfies Eq. (20),
then T is the least common multiple of T1 and T2.
In Eq. (4), the stages of the two m-sequence generators are m1 and
m2, respectively. Then, their periods are 2m1−1 and 2 m2−1, respec-
tively. According to Theorem 1, the period of the sequence generated by
(8) Eq. (4) is lcm (2m1 − 1, 2m2 − 1). This sequence is used to perturb the
hyper-chaotic sequence. According to Ref. [34], the lower bound of the
period length of the pseudorandom sequence generated in Section 3.2
is Δ × lcm (2m1 − 1, 2m2 − 1).
Zheng [37] et al. proposed the BSPD(Binary Sequence's Periodic
Detection) method to evaluate the periodicity in a binary sequence, by
(9) which the accurate periodic phenomena, approximate periodic phe-
nomena and local periodic phenomena can be detected. With the BSPD
(10) method, we test the period of the pseudorandom sequence generated in

257
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Table 2 Section 3.2 and compare it with RC4 and a Logistic map with the same
Period analysis. discretization method. In the following tests, the characteristic poly-
nomials of the two LFSRs are selected as f1(x)=x19+x18+x17+x14+1 and
Sequence Accurate Approximate Local
period period period f2(x)= x22+ x21+x17+ x13+1. They are all primitive polynomials. The
stages of the two LFSRs are relatively prime. The results are shown in
key11 50000 bits 0 5 0 Table 2.
1000000 bits 0 5 0
From Table 2, we can see that the pseudorandom sequence using
key12 50000 bits 0 6 0 our proposed scheme has better period performance than the Logistic
1000000 bits 0 6 0 map and RC4.

key13 50000 bits 0 0 0 3.3.2. Auto-correlation and cross-correlation analysis

1000000 bits 0 0 0
A good pseudorandom sequence should have good statistical
key2 50000 bits 0 9 0 properties. Auto-correlation and cross-correlation of the pseudoran-
1000000 bits 0 9 0 dom sequence are shown in Figs. 4 and 5, respectively.
From Fig. 4, the auto-correlation coefficients of the four sequences
Logistic map 50000 bits 16 177 0
are all close to 0. From Fig. 5, the cross-correlation coefficients of the
1000000 bits 16 177 0
four sequences are all close to 0. That means the randomness of the
RC4 50000 bits 0 18 0 generated sequences is good.
1000000 bits 0 18 0
3.3.3. Initial value sensitivity analysis
Initial value sensitivity analysis exploits the effect of the input pairs

Fig. 4. The auto-correlation value of a sequence.

258
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

1 1

0.8 0.8

0.6 0.6

0.4 0.4
C ros s c orrelation

C ros s c orrelation
0.2 0.2

0 0

-0.2 -0.2

-0.4 -0.4

-0.6 -0.6

-0.8 -0.8

-1 -1
-1000 -800 -600 -400 -200 0 200 400 600 800 1000 -1000 -800 -600 -400 -200 0 200 400 600 800 1000
correlation interval correlation interval
The cross-correlation value of key11 The cross-correlation value of key12

1 1

0.8 0.8

0.6 0.6

0.4 0.4
C ross c orrelation
C ros s c orrelation

0.2 0.2

0 0

-0.2 -0.2

-0.4 -0.4

-0.6 -0.6

-0.8 -0.8

-1 -1
-1000 -800 -600 -400 -200 0 200 400 600 800 1000 -1000 -800 -600 -400 -200 0 200 400 600 800 1000
correlation interval correlation interval

The cross-correlation value of key13 The cross-correlation value of key2

Fig. 5. The cross-correlation value of two sequences.

with a slight difference in the corresponding output pairs to try to find

the most probable key used to produce the pseudorandom sequence. Table 3
Given two initial values, their corresponding output sequences {kn} Initial value analysis.
and {k′n} can be obtained. The difference between {kn} and {k′n} can
sequence key11 key12 key13 key2 RC4
be measured by
r 0.000021 0.000300 −0.000056 0.000228 0.000332
N
∑i =1 (ki − k )⋅(ki′ − k ′)
r= N N
[ ∑i =1 (ki − k )2 ]1/2 ⋅[ ∑i =1 (ki′ − k ′)2 ]1/2 (21) 3.3.4. NIST SP800-22 tests of a pseudorandom key stream
NIST SP800-22 tests [38] are used to detect the deviation of a
where N is the sequence length and k and k′ are the average values of sequence from a true random sequence. For each test, if the P-value is
sequences {kn} and {k′n}, respectively. The smaller the value of r, the greater than a predefined threshold α, then the sequence is considered
better the test result. The ideal value of r is 0. The test results are to pass the test. Commonly, α is set to 0.01. We take 100 groups key
shown in Table 3. For the test, the difference between the input pairs is stream with a length of 106 to perform the SP800-22 tests. The test
1 bit. results are shown in Table 4.
Obviously, from Table 3, the results of the proposed generator are If there is more than one statistical value in a test, the P-value
better than those of RC4. denotes the average value. The test results show that the randomness of
Fig. 6 shows the two sequences, which have a 1-bit difference in the sequences generated by the generator is good.
their initial values.
From Fig. 6, the two sequences are quite far from each other, which
demonstrates that the pseudorandom key stream has good initial value
sensitivity.

259
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

300 300

250 250

200 200

value
value

150 150

100 100

50 50

0 0
0 10 20 30 40 50 60 70 80 90 100 100 110 120 130 140 150 160 170 180 190 200
iterations iterations

The initial value sensitivity of key11 The initial value sensitivity of key12
300 300

250 250

200 200
value

value
150 150

100 100

50 50

0 0
0 10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100
iterations iterations

The initial value sensitivity of key13 The initial value sensitivity of key2
Fig. 6. Initial value sensitivity.

Table 4
NIST SP800-22 tests of a pseudorandom key stream.

Test key2 key11 key12 key13

P-value Pass rate P-value Pass rate P-value Pass rate P-value Pass rate

Frequency 0.574903 1.00 0.452131 1.00 0.523612 1.00 0.851383 1.00

Block-frequency 0.249284 1.00 0.258427 1.00 0.012452 0.98 0.032541 0.98
Cumulative Sums 0.311438 1.00 0.401199 0.99 0.383827 1.00 0.867692 1.00
Runs 0.814248 1.00 0.759756 0.98 0.816537 0.99 0.739918 0.99
Longest Run 0.503124 1.00 0.556893 1.00 0.542312 1.00 0.153763 0.99
Rank 0.237411 1.00 0.259614 1.00 0.051942 1.00 0.429084 1.00
FFT 0.045675 1.00 0.224821 1.00 0.964295 1.00 0.964295 0.99
Overlapping templates 0.437274 0.98 0.437274 1.00 0.032923 0.99 0.010988 1.00
Non-overlapping templates (m=9,B=000010011) 0.474986 0.99 0.798139 1.00 0.924076 1.00 0.616305 1.00
Universal 0.563719 1.00 0.236810 0.98 0.423415 1.00 0.351642 1.00
Approximate entropy(m=10) 0.687563 1.00 0.512346 1.00 0.523153 1.00 0.321472 1.00
Random excursions(x=−3) 0.202268 0.99 0.574903 1.00 0.654467 1.00 0.619772 1.00
Random excursions Variant(x=5) 0.595549 0.99 0.816537 1.00 0.941144 1.00 0.452799 1.00
Serial 0.412574 1.00 0.001296 0.098 0.001628 0.97 0.352141 1.00
Linear complexity(m=1000) 0.206651 1.00 0.256472 1.00 0.341234 1.00 0.739918 1.00

4. Design of the joint image encryption and compression
scheme
The entire compression and encryption process is shown in Fig. 7.
The 9/7-M IB-IWT and SPIHT are used in compression. The confu-
sion-diffusion structure is used in encryption. Local diffusion and
global permutation based on a hyper-chaotic Rabinovich system are
simultaneously performed on wavelet coefficients produced by the 9/7-
M IB-IWT. In the process of SPIHT, diffusion based on the hyper-
chaotic Rabinovich system is performed to form secure SPIHT
(SSPIHT). The code stream is encrypted after the secure SPIHT to
form the last layer of protection. The specific steps are described below.
Step 1: 9/7-M IB-IWT is performed on the original image.
Step 2: Perform diffusion and permutation on the wavelet coeffi-
cients simultaneously.
Step 3: Perform SSPIHT encoding.
Step 4: Perform diffusion and permutation on the code stream

260
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Original image

9/7-M IB-IWT

Diffusion and Permutation Hyper-chaotic Rabinovich syste

Cat map
simultaneously

Pseudorandom sequence generator

Secure SPIHT encoding

Diffusion and Permutation

simultaneously

Compressed and encrypted

image

Fig. 7. Image compression and encryption process.

Compressed and encrypted

image

Reverse permutation Hyper-chaotic Rabinovich syste

Reverse diffusion Pseudorandom sequence generator

Decoding and decrypting

SPIHT

Reverse permutation on
Cat map
wavelet coefficients

Reverse diffusion on
wavelet coefficients

Inverse9/7-M IB-IWT

Reconstructed image

Fig. 8. Image decompression and decryption process.

simultaneously. Proposition 1. In ZN, an element a is invertible if and only if gcd(a,

Finally, the compressed and encrypted image is obtained.
The decompression and decryption is shown in Fig. 8. It is the
inverse process of the compression and encryption.
4.1. Inverse operation in Zp
As a nonlinear component, the inverse operation in a finite field has
many good cryptological properties. In the encryption process, the
inverse operation is introduced to resist attacks. Some basic definitions
and propositions [39,40] are presented here.
Let ZN ={0, 1, …, N-1} be a residue class with the following
properties.
Definition 1. In the residue class ZN, if for a given integer a there
exists an integer, denoted by a−1, such that aa−1=1 mod N, then a−1 is
called a multiplicative inverse of a modulo N.
Obviously, “0” is never invertible.
N) =1.
Definition 2. A field F is a set, together with two binary operations “+”
and “×” that combine any two elements a and b to form another
element, denoted a+b and a×b. 0 and 1 are elements of F. Moreover,
(F,+, ×,0,1) must meet the following conditions:
(1) (F,+, 0) is an Abelian group.
(2) (F*,×, 1) is an Abelian group. F*= F-0.
(3) a×(b + c) =(a×b) +(a×c), a, b, c∈F.
Proposition 2. If P is a prime number, then the residue class ZP is a
Field with the operations “multiplication modulo P” and “addition
modulo P”.
Proof:
(1) First of all is proving that (ZP,+, 0) is an Abelian group. The
operation + denotes “addition modulo P.”
1) Consider a, b∈ ZP and c=a+b mod P. Obviously, c is a non-

261
M. Zhang, X. Tong
negative integer and c < P, i.e., c∈ZP. Thus, the law of closure
holds.
2) Associativity follows from the fact that the property holds over
the integers.
3) Obviously, 0 is always in ZP. For each element a in ZP, 0+a=a
+0=a holds. Thus, 0 is the identity element of ZP.
4) For each element a in ZP, there exists the negative element –a,
and a+(-a)=(-a)+a=0 holds.
5) Commutativity follows from the fact that the property holds
over the integers.
(2) Second is proving that(ZP*,×, 1) is an Abelian group. The operation
× denotes “multiplication modulo P.”
1) Consider a, b∈ ZP* and c=a×b mod P. Obviously, c is a non-
negative integer and c < P, i.e., c∈ZP. Thus, the law of closure
holds.
2) Associativity follows from the fact that the property holds over
the integers.
3) Obviously, a is always in ZP*. For each element a in ZP*, 1·a=a·
1=a holds. Thus, 1 is the identity element of ZP*.
4) For each element a in ZP*, since P is a prime, it must be true that
gcd(a, P) =1. According to Proposition 1, it can be shown that a
is invertible in ZP*.
5) Commutativity follows from the fact that the property holds
over the integers.
(3) Distributivity follows from the fact that the property holds over the
integers.
4.2. Permutation and diffusion scheme on wavelet coefficients
The original image is first decomposed with six-level 9/7-M IB-
IWT, and then the wavelet coefficients can be obtained. The selected
local coefficients are diffused by the hyper-chaotic Rabinovich system.
The total set of wavelet coefficients is permutated by the hyper-chaotic
Rabinovich system and cat map. The diffusion and permutation are
performed simultaneously. The specific steps are described in detail
below.
Step 1: Apply the 9/7-M IB-IWT to the original image and obtain the
wavelet coefficients.
Step 2: Produce a key stream according to sub-bands HH1, HL1 and
LH1 of the first layer. Five groups of coefficients (HH1 and HL1, LH1
and HL1, HL1, LH1, and HH1) form the five inputs to the SHA-256
hash function to produce five 256-bit hash values. SHA-256 is one of
the existing SHA hash functions developed by the National Security
Agency (NSA). It takes a message with a maximum of (264-1) bits
and returns a message digest of 256 bits. As SHA-256 is fast and
sensitive to the input message, it is employed in our design to
partially determine the initial condition of the hyper-chaotic system.
The returned 256-bit SHA-256 hash value of each group is divided
into eight 32-bit sequences di(i=0,1,2,…,7). They are used to perturb
the initial values of the hyper-chaotic system.
mi′0 = (di 0 ⊕ di1 ⊕ ... ⊕ di 7)/232 + mi 0 (i = 1, 2, ... ,5) (22)
where mi0 is the initial value that users enter and mi0′ is the perturbed
initial value used for the initial value (x0, y0, z0, w0, u0) of the hyper-
chaotic system. Use the pseudorandom sequence generator proposed in
Section3.2 and the perturbed initial value mi0′ to produce the key
streams key11, key12, key13 and key2.
A plain image is input to SHA-256 to partially determine the initial
condition of the hyper-chaotic system, and a small change in the plain
image affects the initial condition of the hyper-chaotic system. As a
result, the change will effectively spread to the entire cipher-text.
262
Optics and Lasers in Engineering 90 (2017) 254–274
Step 3: Encrypt wavelet coefficients by performing diffusion and
permutation simultaneously. For the selected local coefficients,
obtain two bytes of wavelet coefficients to perform the diffusion
operation. For all wavelet coefficients, permutation based on the cat
map is performed.
In diffusion, the nonlinear inverse operation is introduced to resist
attacks. The values of two-byte coefficients belong to the interval
[0,65535]. Thus, the two bytes of the wavelet coefficients belong to
the residue class Z 65536 . Unfortunately, however, 65536 is not a prime
number. Thus, Z 65536 is not a field. The element in Z 65536 may not have
its multiplicative inverse. That will result in not being decrypted of
some information. Because 65537 is the prime closest to 65536, we
select the algebraic structure, Z 65537, to design the encryption.
According to Proposition 2, Z 65537 is a field with the operations
“multiplication modulo 65537″ and “addition modulo 65537.” Thus
*
each element in Z 65537 has an inverse element. Then, for the two bytes
of the wavelet coefficient m, the inverse operation can be defined as
s = m−1 mod (216 + 1) (23)
The two bytes of the wavelet coefficients m's value is in the interval
[0,65535], while [m−1 mod 65537] may be in the interval [0,65536].
Obviously, 65536 cannot be denoted by two bytes. This may result in
the cipher-text size increasing. However, there is
65536 = 65536−1 mod 65537 (24)
−1
Thus, if m∈[0,65535], then [m mod 65537]∈[0,65535]. This
means that the inverse of a two-byte coefficient can still be denoted by
two bytes. Thus, Eq. (23) is reasonable.
Encryption is performed from the sixth layer to the first layer. For
each layer, encryption is performed in order of sub-band LL, HL, LH
and HH. For each sub-band, encryption is performed from top to
bottom and then from left to right. Choose the current two-byte wavelet
coefficient of the selected local coefficients to carry out diffusion. The
diffusion of encryption can be expressed as Eq. (25).
⎧C0 = key11 (0)
⎨ −1 16
⎩Ci = (mi × key1j )mod(2 + 1) ⊕ key2 ⊕ Ci −1 (i ≥ 1)
⎪
(25)
where mi is the two bytes of the wavelet coefficients in the selected local
coefficients. mi−1represents performing the inverse operation on mi. Ci
is the cipher text after diffusion. key11(0) is the first two bytes’ value for
the key key11. key1j (j=1,2,3) is selected according to Eq. (26). This
makes the keystream used in the encryption related to the plaintext and
enhances security.
j = (mi−1) mod 3 (26)
m0 is the second two-byte value for the key key11.
According to Eqs. (25) and (26), the encryption is related to the
plaintext.
In decryption, the inverse of diffusion is described as:
mi = key1j × (Ci ⊕ key2 ⊕ Ci−1 )−1 mod(216 + 1) (i ≥ 1) (27)
Place each byte of the current two bytes of the wavelet coefficient in
the new position (x′, y′) based on the cat map.
⎛ x′⎞ ⎛ pq + 1 p ⎞ ⎛ x ⎞
⎜ ⎟=⎜ ⎟ ⎜ ⎟ (mod N )
⎝ y′⎠ ⎝ q 1 ⎠⎝ y⎠ (28)
where N is the weight and height of the image. The controlled
parameters p and q are controlled by the hyper-chaotic Rabinovich
system.
p = (fabs (w1001) × 1014)mod(N ) (29)
q = (fabs (r1001) × 1014)mod(N ) (30)
where w1001 and r1001 are the values of the 1001th iteration for w and
r, respectively.
M. Zhang, X. Tong
One characteristic of the cat map is that the value of the first
position in the top-left corner will not be changed during the
scrambling. To increase the security of the encryption system, we need
to change the value of the first position. We swap the value of the first
position with that of position (t, s). Position (t, s) is calculated by Eq.
(31).
⎧ t = (fabs (w1002 ) × 1014) mod N
⎨ which is the last bit of the array OUTPUT that is written in every type-D
⎩ s = (fabs (r1002 ) × 1014) mod N (31)
where w1002 and r1002 are the values of the 1002th iteration for w and
r, respectively.
4.3. Secure SPIHT encoding
Encryption is embedded in the process of SPIHT compression to
form SSPIHT encoding. The wavelet coefficients matrix after diffusion
and permutation is processed using SSPIHT. The SSPIHT is described
below, and the encryption is embedded in the sorting pass.
Step 1: Initialize LSP, LIP and LIS. Set the threshold T=2n.
Step 2: Test each coordinate in LIP via the significance test function
Sn(X); the important factor judgment and the sign bit are output to
the code stream.
Step 3: Test the type-D entry in LIS via the significance test function
Sn(X). The significant coefficients are put into LSP, and L entries are
put into the tail of LIS. Output the processing information of the
coordinates to the code stream.
Step 4: Encrypt the current code stream as follows.
⎧C0 = key2(0)
⎨ diffusion. key13(0) is the value of the first two bytes for the key key13.
⎩Ci = (Si + Ci −1 + key1j ) mod 256 (32)
where Si is the current output code stream. Ci is the encrypted code
stream. key2(0) is the first byte value for the key key2. key1j (j=1,2,3)
is selected according to Eq. (33), which makes the keystream used in
the encryption related to the plaintext to resist attacks.
j = (Si−1) mod 3 (33)
S0 is the second byte value for the key key2.
The decryption is described as:
Si = (Ci−Ci −1−key1j ) mod 256 (34)
Step 5: Test the type-L entry in LIS via the significance test function
Sn(X). D entries are put into the tail of LIS. Output the processing
information of the coordinates to the code stream.
Step 6: Encrypt the current code stream using Eq. (32).
Step 7: For each entry of LSP, output the nth significant bit of the
coefficient except the newly added ones in the sorting pass.
Step 8: Subtract one from the value n and go to step 2 until the
Encryption(1) Encryption(2)
Compression code stream output
l0 l1 l2
Basic
information
Fig. 9. SSPIHT principle.
Optics and Lasers in Engineering 90 (2017) 254–274
threshold is 1.
Step 9: Output the encrypted and compressed bitstream.
An array named OUTPUT is used to store the SPIHT bitstream. To
decode, the basic information of compression, such as the wavelet
decomposition level, cannot be encrypted. The basic information is
recorded in OUTPUT [1] through OUTPUT [5]. Record the location l,
sorting pass and type-L sorting pass. Encrypt the bitstream from
OUTPUT [6+li-1] to OUTPUT [li]. For the first encryption, l0=0. The
principle is shown in Fig. 9.
4.4. Permutation and diffusion scheme on the code stream
The code stream is encrypted after the secure SPIHT to form the
last layer of protection. The diffusion and permutation are performed
simultaneously.
The code stream is divided into n segments after the secure SPIHT,
and each segment includes 256 bytes. The encryption procedure is
described in detail below.
Step 1: Choose the current segment to carry out diffusion. The
diffusion of encryption can be expressed as Eq. (35).
⎧C0 = key13 (0)
⎨ −1 16
⎩Ci = (si × key1j )mod(2 + 1) ⊕ key2 ⊕ Ci −1 (i ≥ 1)
⎪
(35)
where si is the two bytes of data of the current segment. si−1 represents
performing the inverse operation on si. Ci is the cipher text after
Key1j (j=1,2,3) is selected according to Eq. (36). Thus, the keystream
used in the encryption is related to the plaintext, which enhances the
security.
j = (si−1) mod 3 (36)
s0 is the value of the second two bytes for the key key13.
According to Eqs. (35) and (36), the encryption is related to the
plaintext.
In decryption, the inverse of diffusion is described as:
si = key1j × (Ci ⊕ key2 ⊕ Ci−1 )−1 mod(216 + 1) (i ≥ 1) (37)
Step 2: Place the current segment in the new position based on the
hyper-chaotic Rabinovich system.
Given the initial value (x0, y0, z0, w0, u0) of the hyper-chaotic
Rabinovich system, iterate on Eq. (3) to obtain the chaotic sequence
R={ri,i=1,2,…,n}. Sort the chaotic sequence to obtain the sorted chaotic
sequence S={si, i=1, 2,…, n}. Find the transformation sequence
T={t(i),i=1, 2,…,n} such that si is exactly the value of rt(i). Move the
Encryption(3) Encryption(n)
…
l3 ln-1
263
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

(a)Original Airplane (b)Airplane upper left (c)Airplane encrypted (d)Reconstructed

image 128×128 block wavelet image on wavelet Airplane image
coefficients diffusion image coefficients

(e)Original Lena image (f)Lena upper left 128×128 (g)Lena encrypted (h)Reconstructed
block wavelet coefficients image on wavelet Lena image
diffusion image coefficients

(i)Original House image (j)House upper left 128×128 (k)House encrypted (l)Reconstructed
block wavelet coefficients image on wavelet House image
diffusion image coefficients

(m)Original Peppers (n)Peppers upper left (o)Peppers encrypted (p)Reconstructed

image 128×128 block wavelet image on wavelet Peppers image
coefficients diffusion image coefficients

(q)Original Barbara (r)Barbara upper left 128×128 (s)Barbara encrypted (t)Reconstructed

image block wavelet coefficients image on wavelet Barbara image
diffusion image coefficients

(u)Original Baboon (v)Baboon upper left 128×128 (w)Baboon encrypted (x)Reconstructed

image block wavelet coefficients image on wavelet Baboon image
diffusion image coefficients
Fig. 10. Original and reconstructed images.

264
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

(a) Encrypted Lena image for (b) Encrypted Lena image for (c) Encrypted Lena image for
the wavelet coefficients the wavelet coefficients when the wavelet coefficients
when diffusion performed diffusion performed on 8×8 when diffusion performed on
on 0×0 block block 16×16 block

(d) Encrypted Lena image for (e) Encrypted Lena image for (e) Encrypted Lena image for
the wavelet coefficients the wavelet coefficients the wavelet coefficients
when diffusion performed on when diffusion performed when diffusion performed
32×32 block on 64×64 block on 256×256 block
Fig. 11. Encrypted Lena image for the wavelet coefficients.

Fig. 12. Reconstructed Lena image by wrong key.

5. Experimental results and security analysis

Table 5
the compression performance for different image.
For the new compression and encryption scheme, we conducted a
Image Lena Baboon Barbara Airplane House Peppers security test and compression performance test. The compression and
encryption are implemented in MATLAB 2012R running on a personal
CR(bpp) 6.222713 7.569092 7.120461 6.388039 6.671848 6.698654
computer with an Intel dual-core 3.19-GHz processor and 1.96 GB of
memory.
current i-th segment to the t(i)-th position.

Step 3: Do steps 1–2 until all segments are dealt with.

265
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Fig. 13. The compression ratio, CR, of six images with different diffusion block sizes.

5.1. Experimental results Table 6

The compression performance test.

The experiment is performed on six standard 512 × 512 grayscale Block Size of diffusion CR (bpp)
images. The images are titled Airplane, Lena, House, Peppers, Barbara
and Baboon. For the Airplane, Lena, House, Peppers, Barbara, and no encryption 4.526412
only SSPIHT 4.526412
Baboon images, the diffusion results for wavelet coefficients, encrypted
0× 0 block 5.115620
results for wavelet coefficients and reconstructed images are shown in Upper left 8×8 block 5.115643
Figs. 10. Fig. 11 shows Lena's encrypted results for the wavelet Upper left 16×16 block 5.117134
coefficients under different sizes of diffusion. Fig. 12 shows the Upper left 32× 32 block 5.123795
reconstructed Lena image via a 1-bit-difference wrong key. Upper left 64× 64 block 5.158768
Upper left 128× 128 block 6.222713
Upper left 256× 256 block 7.729794
5.2. Compression performance
Table 7
In this paper, lossless compression is performed. Table 5 lists the Comparison of compression ratio.
compression ratio, CR, of six images when the diffusion block size is
128×128. Fig. 13 shows the CR of six images with different diffusion Proposed scheme Proposed scheme Ref.[41] LZW RLE Huffman
(Upper left (Upper left
block sizes. Here, the unit of the CR is bpp (bits per pixel), which
128× 128 block) 256× 256 block)
means the required number of bits for each pixel. For different block
sizes of diffusion, the compression performance on the Lena image is 5.513646 7.729794 7.0000 7.6000 7.9000 7.8000
listed in Table 6.
From Table 6 and Fig. 13, the wavelet coefficients block size of
diffusion has a significant effect on the compression ratio. The smaller key, and code stream permutation key. The wavelet coefficient diffusion
the block size of diffusion, the larger the compression ratio. That is key and SPIHT encryption key contain 10 real numbers. The code
because some insignificant coefficients become significant ones in the stream permutation key contains 5 real numbers. To avoid the negative
process of SPIHT encoding after the wavelet coefficients block is effects caused by discretization, the real numbers should be stored and
encrypted. The increase of significant coefficients will lead to the transmitted using a real data type with high precision. If the imple-
growth of a longer code stream. Therefore, the compression ratio will mentation language complies with IEEE Standard 754-2008, then it is
decrease. Table 6 also shows the compression performance under only recommended to use the double data type. The double data type stores
SSPIHT, without wavelet coefficient encryption and code stream real numbers in 8 bytes with an accuracy of 15 decimals. Thus, the
encryption. The compression ratio with only SSPIHT is the same as length of the key will be of 960 bits, which means the size of the key
no encryption, which demonstrates that adding encryption in the space will be equal to 2960. That is large enough to resist brute force
SPIHT coding process has no effect on compression performance. attacks.
A comparison with various lossless image compression algorithms
is shown in Table 7.
5.4. Resistance to statistical attack
From Table 7, when the encrypted wavelet coefficients block is
smaller than 256× 256, the compression ratio is better than that of
To prevent an attacker from obtaining the characteristics pixels of
other lossless compression schemes. The impact of encryption on
the image, resistance to statistical analysis is the most basic principle of
compression is not significant.
an image encryption algorithm. Shannon suggested that diffusion and
confusion should be employed in a cryptosystem [42] for the purpose
5.3. Key space analysis of frustrating powerful statistical analysis. In the proposed encryption
scheme, diffusion is performed based on a pseudorandom key stream
The key space of a good image encryption algorithm should be large in three locations. Permutation is carried out based on the cat map and
enough to make an exhaustive attack infeasible. In our algorithm, there the hyper-chaotic Rabinovich system in two locations, which can be
are three keys: the wavelet coefficient diffusion key, SPIHT encryption considered the confusion process. Therefore, the cipher-image is

266
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Fig. 14. Histogram of images.

randomly distributed. This is shown by a test on the histograms of the 5.4.1. Histogram analysis
cipher-text, the correlations of adjacent pixels in the cipher-text and Fig. 14 depicts the histograms of the six standard grayscale images
the information entropy of the cipher-text. and the corresponding cipher-texts. Fig. 15 shows the histograms of

267
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

(a)Histogram of Lena’s (b)Histogram of Lena’s

encrypted code stream encrypted code stream
matrix on 0×0 block matrix on 8×8 block
coefficients diffusion coefficients diffusion

(c)Histogram of Lena’s (d)Histogram of Lena’s

encrypted code stream encrypted code stream
matrix on 16×16 block matrix on 32×32 block
coefficients diffusion coefficients diffusion

(e)Histogram of Lena’s (f)Histogram of Lena’s (g)Histogram of Lena’s

encrypted code stream encrypted code stream encrypted code stream
matrix on 64×64 block matrix on 128×128 block matrix on 256×256 block
coefficients diffusion coefficients diffusion coefficients diffusion
Fig. 15. Histogram of Lena.

Lena with different diffusion block sizes. Furthermore, we use the χ 2 −test to analyze the distribution of pixel
From Figs. 14 and 15, we can see that the histograms of the cipher- values for encrypted images [17,26]. The value of the χ 2 −test for the
texts are nearly uniformly distributed, which can well protect the encrypted image of dimension m × n is as follows [17,26]:
information of the image from statistical attack.

268
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

255
(vi − v0 )2 Table 8
χ2 = ∑ Results of the histograms’ uniformity χ 2 −test .
i =0
v0 (38)
Image χ 2 −test
where vi is the observed frequency of a pixel value i (0 ≤ i ≤ 255) and
v0 is the expected frequency of a pixel value i, v0 = (m × n )/256 . Plain image Encrypted image
The result of the χ 2 −test for the 6 pairs of plain/encrypted test
images are presented in Table 8: Lena 260041.039 282.039
House 980954.229 282.634
From Table 8, for the six images, the values of the χ 2 −test are all
2 Peppers 138836.174 278.064
lower than the critical value χ255,0.05 = 293.25. Thus, we can conclude Baboon 187598.908 271.860
that the distribution of pixel values in the encrypted image is uniform. Barbara 95548.875 269.477
That means that the proposed scheme can resist statistical attacks. Airplane 728692.240 276.294

5.4.2. Correlation of two adjacent pixels

For image data, there is a strong correlation between adjacent Table 9
Correlation coefficient of adjacent pixels.
pixels. Therefore, a good encryption algorithm should remove it to
improve the resistance against statistical analysis. The calculation of Image (Upper left 64×64 block) Orientation
correlation is as follows.
Horizontal Vertical Diagonal
N N N
N ∑ j =1 (xj yj ) − ( ∑ j =1 xj )( ∑ j =1 yj )
Cr = N N N N Original Lena 0.9722500 0.9851710 0.9608346
(N ∑ j =1 xj2 − ( ∑ j =1 xj )2)(N ∑ j =1 yj2 − ( ∑ j =1 yj )2) (39) Encrypted Lena −0.0009732 −0.0048559 0.0003075
Original Baboon 0.8689048 0.7629870 0.7403367
Test results of the encrypted code stream matrix and original image Encrypted Baboon −0.0164067 −0.0315024 0.0145476
for our test images are shown in Table 9. Original Barbara 0.8963211 0.9592384 0.8862025
The data in Table 9 illustrates that the encryption algorithm can Encrypted Barbara 0.0397879 −0.0194876 0.0015839
Original Airplane 0.9686150 0.9639137 0.9424902
effectively destroy the correlation of pixels. Encrypted Airplane −0.0387106 −0.0483708 −0.0144322
Fig. 16 shows the pixel distribution of the six standard grayscale Original House 0.9427460 0.9373779 0.8945336
images and the corresponding cipher-texts with a 64×64 diffusion Encrypted House 0.0056231 0.0053004 −0.0039994
block size. Original Peppers 0.9793076 0.9827495 0.9685862
Encrypted House 0.0120812 −0.0241054 0.0065046
From Fig. 16, we can see that the pixels distribution of the original
image is uneven, and there is a strong correlation between pixels.
However, the correlation between pixels is completely destroyed in the with TB pixels within a test image S of L intensity scales. H(Si) are
cipher-text, and we cannot obtain the pixels information via the computed using information entropy in Eq. (40).
adjacent pixels. For the six images, we randomly selected k=30 non-overlapping
image blocks with TB =1936 pixels to test the local Shannon entropy.
5.4.3. Information entropy analysis From Ref. [19,43], the observed value of (30,1936)-local Shannon
Information entropy is the most important feature of randomness. entropy should lie in the confidence inter-
The information entropy of a random sequence is as follows. val[7.901901305,7.903037329], with respect to an α -level confidence
1 equal to 0.05. Table 12 gives the result.
H (S ) = ∑ P (Si )log2 bits From Table 12, the local entropies of the images show that the
S
P (Si ) (40)
proposed scheme provides random-like encrypted images.
In Eq. (40), P (Si ) denotes the probability of symbol Si . Taking 8
bytes as a unit, if the probability of every symbol in accordance with a
5.5. Resistance to differential attack
uniform distribution would be 1/8, the entropy should be 8. However,
because the actual probability is not the same, a good encryption
The attacker may observe the change of decryption by a tiny change
scheme should make the entropy approach 8. The entropy of six images
of plaintext to find the correlation between the plain image and cipher-
when the diffusion block size is 64×64 is shown in Table 10. Table 11
text. If a tiny change of the original image can yield a great change in
shows the entropy of Lena with different diffusion block sizes.
the cipher-text, the effect of a differential attack will be reduced.
As seen in Tables 10, 11, the information entropy of our scheme is
To test the influence of a one-pixel change in the plain image on the
good. From Table 11, the wavelet coefficients block size of diffusion has
cipher-text, the Number of Pixels Change Rate (NPCR) and Unified
a significant effect on encryption. The larger the block size of diffusion,
Average Changing Intensity (UACI) [29,44,45] are used.
the larger the information entropy, which means a better encryption
NPCR is used to obtain the difference between two images by
result. According to Section 5.2, a smaller block size of diffusion yields
evaluating the number of pixel differences. It is defined as follows [44]:
a larger compression ratio. There is always a trade-off between the
degree of uncertainty for security purposes and the length of the ∑i, j D (i , j )
cipher-text. NPCR = × 100%
W×H (42)
Ref. [43] proposed a new image randomness measure using the
information entropy over local image blocks. If some image blocks D(i, j) is the difference value of the corresponding pixel of the two
contained in an encrypted image have low information entropy, then images. It is defined as:
the encryption scheme is not good, even if the information entropy is
⎧ 1 C1 (i , j ) ≠ C2 (i , j )
high [43]. D (i , j ) = ⎨
The (k,TB)-local Shannon entropy is defined as [43]: ⎩ 0 C1 (i , j ) = C2 (i , j ) (43)
k where C1 and C2 are two encrypted images, whose corresponding
H (Si )
H(k , TB) (s ) = ∑ original images have only a one-pixel difference.
i =1
k (41)
UACI is used to obtain the difference between two images by
where S1, S2,…, Sk are randomly selected non-overlapping image blocks evaluating the change of visual effect. It is defined as follows [44]:

269
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Fig. 16. The pixel distributions of images.

⎡ ⎤ Table 13 shows the NPCR and UACI results.

1 ⎢ C1 (i , j ) − C2 (i , j ) ⎥
UACI = ∑ × 100% Table 13's results show that our schemes can resist differential
W × H ⎢⎣ i, j 255 ⎥⎦
(44) attacks.

270
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Table 10 Table 15
Information entropy of the encrypted code stream matrix for the six images. PSNR and MSSIM of the failure image for 1-bit-difference wrong key.

Image (Upper left 64×64 block) Information entropy Image 1-bit-difference 1-bit-difference 1-bit-difference
wrong key of wavelet wrong key of wrong key of
Lena 7.99294 coefficients SPIHT encoding code stream
Baboon 7.99272 encryption encryption encryption
Barbara 7.99173 performed on
Airplane 7.99310 8×8blocks
House 7.99305
Peppers 7.99290 Lena PSNR 9.8362 5.4905 5.6714
MSSIM 0.1801 0.0137 0.0019

Table 11 Airplane PSNR 8.4057 4.4079 2.2822

Information entropy of Lena's encrypted code stream matrix. MSSIM 0.1545 0.0163 0.0002

Block Size of diffusion Information entropy House PSNR 7.7057 5.6026 9.8611
MSSIM 0.1361 0.0117 0.0110
0× 0 block 7.99238
Upper left 8 ×8 block 7.99242 Baboon PSNR 8.1241 5.5808 5.4778
Upper left 16 ×16 block 7.99249 MSSIM 0.0574 0.0173 0.0011
Upper left 32 × 32 block 7.99286
Upper left 64× 64 block 7.99294 Barbara PSNR 9.8952 5.3527 5.8358
Upper left 128× 128 block 7.99324 MSSIM 0.1223 0.0163 0.0062
Upper left 256× 256 block 7.99325
Peppers PSNR 8.7316 5.2507 6.6269
MSSIM 0.1449 0.0112 0.0050
Table 12
Local Shannon entropy test for encrypted images (k=30, TB=1936, α =0.05).
(48) to evaluate the quality of the failure images for a 1-bit-difference
Encrypted image Local Shannon entropy Result
wrong key. Table 15 lists the results.
Lena 7.9026 SUCCESS 2
House 7.9027 SUCCESS xpeak
PSNR=10 × log10 ( )
Peppers 7.9021 SUCCESS MSE (45)
Baboon 7.9025 SUCCESS
Barbara 7.9026 SUCCESS where xpeak represents the signal peak value.
Airplane 7.9019 SUCCESS
M N
Mean ± Std. 7.9023 ± 0.0004 1
Number of images passing theα -level test 6 MSE = ∑ ∑ (fˆ (i, j ) − f (i, j ))2
M×N i =1 j =1 (46)

where fˆ (i , j ) and f (i , j ) represent the original image and testing image,

Table 13 respectively. M and N represent the height of the image and the width
NPCR and UACI results. of the image, respectively.
A structural similarity (SSIM) index [46] is a novel method for
Image Lena Baboon Barbara Airplane House Peppers
measuring the similarity between two images with the goal of improv-
NPCR 0.9959 0.9963 0.9957 0.9956 0.9955 0.9961 ing traditional metrics, such as PSNR, by considering the human visual
UACI 0.3342 0.3345 0.3329 0.3346 0.3332 0.3347 system (HVS).
(2μx μy + c1)(2σxy + c2 )
SSIM (x, y ) =
(μx2 + μy2 + c1)(σx2 + σy2 + c2 ) (47)
Table 14
Plaintext sensitivity result.
where x and y are the windows of two images with size m × m ; μx and μy
Image Lena Baboon Barbara Airplane House Peppers are the averages of x and y, respectively; σx2 and σy2 denote the variance
of x and y, respectively; σxy is the covariance of x and y;
Plaintext sensitivity 0.496 0.500 0.495 0.500 0.496 0.501 c1 = (k1 L )2 , c2 = (k2 L )2 , k1 = 0.01, k2 = 0.03, and L is the gray level of
the pixel value.
The mean SSIM (MSSIM) [46] is as follows.
A pixel value change is introduced at different positions of the plain
n
image while the key remains unchanged. Each bit in the resultant 1
cipher-text is compared with the corresponding bit in the original MSSIM (X , Y ) = ∑ SSIM (xi , yi )
n i =1 (48)
cipher-text. The total number of unequal bits is then counted. The
plaintext sensitivity result is shown in Table 14. where X and Y are the original image and encrypted image, respec-
From Table 14, the average value is 50%, which indicates that the tively; xi and yi are the image contents at the ith local window; and n is
cipher-text is sensitive to the plaintext. Table 14's results further show the number of local windows. The smaller the MSSIM, the greater the
that our schemes can resist differential attacks. difference of the two images.
Table 15 shows that the failure images from a 1-bit-difference
5.6. Key sensitivity wrong key have low PSNR value and MSSIM values.
Table 15's results indicate that the proposed scheme is sensitive to
A good encryption scheme should be sensitive to the key. If it is the key.
sensitive to the key, a small change of the key will lead to a large The tiny modification of 1 bit to the different keys is used to encrypt
difference in the cipher-text. Fig. 12 shows that a tiny modification of the image. Each bit in the resultant cipher-text is compared with the
1 bit to the key will lead to decryption failure. We use the peak signal- corresponding bit in the original cipher-text. The total number of
to-noise ratio (PSNR) in Eq. (45) and the mean SSIM (MSSIM) in Eq. unequal bits is then counted. The key sensitivity mean value of the

271
M. Zhang, X. Tong Optics and Lasers in Engineering 90 (2017) 254–274

Table 16 performed simultaneously. The coefficients need to be processed only

Key sensitivity result. once. The time consumption includes diffusion and permutation. For
execution time in permutation, the time-consuming computation is the
Image Lena Baboon Barbara Airplane House Peppers
coefficient moving operations. Our proposed algorithm needs Θ (n /2)
Key sensitivity 0.496 0.500 0.495 0.500 0.496 0.501 iterations of coefficient moving operations. For execution time in
diffusion, the time-consuming computation is producing Θ (size) values
using the hyper-chaotic system. Here, size(size < n) is the diffusion size
for wavelet coefficients.
Table 17 For the SPIHT encoding encryption scheme, the time consumption
Computational complexity. is diffusion. For the execution time of diffusion, the time-consuming
computation is producing Θ (n /8) values using the hyper-chaotic
Encryption scheme Wavelet SPIHT encoding Code stream
coefficients encryption encryption scheme system.
encryption scheme For code stream encryption, diffusion and permutation are per-
scheme formed simultaneously. The coefficients need to be processed only
once. The time consumption includes diffusion and permutation. For
Computational O(n) O(n) O (n × log(n ))
complexity the execution time of permutation, the time-consuming computation
isΘ ((n × CR /8)/256 × log((n × CR /8)/256)) for quicksort of the chaotic
sequence. CR is the compression ratio with units of bpp. For the
different key is shown in Table 16. execution time of diffusion, the time-consuming computations produce
From Table 16, the average value is 50%, which indicates that the Θ (n × CR /8) values using the hyper chaotic system.
cipher text is sensitive to the key. Tables 18, 19 list the average encryption times and encryption
speeds.
5.7. Classical types of attacks Table 18 shows that the percentage of encryption is smaller than
50%, which indicates that the encryption time is no more than the
Suppose the cryptanalyst knows exactly the design and workings of compression time.
the cryptosystem, i.e., he knows everything about the cryptosystem
except the secret key. According to the cryptanalyst's mastery of
5.9. Lossless recovery test
plaintext and cipher-text, there are four classical types of attacks [47]:

To prove the lossless property of the proposed image encryption

(1) Cipher-text only: the opponent possesses some cipher-text.
and compression scheme, i.e., that the reconstructed image is the same
(2) Known plaintext: the opponent possesses some plaintext, and the
as the original image, we use MSE in Eq. (46) to evaluate the
corresponding cipher-text.
differences between an original image fˆ (i , j ) and the corresponding
(3) Chosen plaintext: the opponent has obtained temporary access to
reconstructed image f (i , j ).
the encryption machinery. Thus, he can choose some plaintext and
construct the corresponding cipher-text.
Table 19
(4) Chosen cipher-text: the opponent has obtained temporary access Encryption speed.
to the decryption machinery. Thus, he can choose some cipher-text
and construct the corresponding plaintext. Image Wavelet SPIHT Code stream Encryption
coefficients encryption encryption total speed
encryption speed speed (MB/s) speed (MB/s) (MB/s)
The above attack strength is increasing. According to Section 5.6,
(MB/s)
the proposed algorithm is sensitive to the initial values. Furthermore,
in the diffusion stage of wavelet coefficient encryption and code stream Lena 0.071 0.301 0.040 0.024
encryption, the encrypted value is related to the key, plaintext, former Airplane 0.083 0.368 0.042 0.026
House 0.078 0.313 0.040 0.025
plaintext and former cipher-text. Therefore, the proposed algorithm
Baboon 0.078 0.313 0.040 0.024
can resist the chosen plaintext/ cipher-text attack. Barbara 0.086 0.255 0.042 0.025
Peppers 0.066 0.278 0.040 0.021
5.8. Computational complexity and speed analysis

Table 20
For an image with n pixels, the computational complexity of our
The value of MSE for the six images.
scheme is listed in Table 17.
Table 17 shows that the scheme is widely applicable. Image Lena Baboon Barbara Airplane House Peppers
According to Ref. [24], the most time-consuming parts of the entire
MSE 0 0 0 0 0 0
process can exhibit the computational complexity of the scheme well.
For wavelet coefficient encryption, diffusion and permutation are

Table 18
Encryption and compression time.

Image Wavelet coefficients encryption SPIHT encryption time Code stream encryption Encryption total time Compression time Encryption time/total time
time time

Lena 3.5 s 0.83 s 6.2 s 10.53 s 18.47 s 0.363

Airplane 3.0 s 0.68 s 6s 9.68 s 16.32 0.372
House 3.2 s 0.80 s 6.2 s 10.2 s 17.3 s 0.371
Baboon 3.2 s 0.80 s 6.3 s 10.3 s 20.1 s 0.339
Barbara 2.9 s 0.98 s 6.0 s 9.88 s 17.32 s 0.363
Peppers 3.8 s 0.90 s 6.2 s 11.9 s 19.1 s 0.384

272
M. Zhang, X. Tong
Table 21
Performance comparison.
Scheme Indicator
Correlation coefficient of adjacent pixels for Lena
Horizontal Vertical
Our scheme −0.0009732 −0.0048559
Ref. [48] 0.0056 −0.0876
Ref. [49] −0.097360 0.048440
Ref. [50] −0.0065 0.0006
Ref. [51] 0.0112 −0.0099
Ref. [52] N/A N/A
Ref. [53] N/A N/A
Obviously, the value of MSE equaling 0 indicates lossless property.
Table 20 lists the value of MSE for the six images.
Table 20 shows that the values of MSE are 0 for all the six images.
This means that the original image and reconstructed image are the
same. The proposed image encryption and compression scheme is thus
lossless.
5.10. Performance comparison with other schemes
In this section, we provide performance comparisons with some of
the recent works [48–53]. Table 21 shows the comparison results for
the correlation coefficient of adjacent pixels, key sensitivity and
percentage of encryption time.
Refs. [48–50] are image encryption schemes. Compared with the
results of the correlation coefficient of adjacent pixels in Refs. [48–50],
our scheme shows superior performance. Ref. [51] proposed an
algorithm combining SPIHT compression and encryption. Compared
with Ref. [51], our proposed joint image encryption and compression
scheme shows superior performance regarding the correlation coeffi-
cient of adjacent pixels.
In key sensitivity, the bit stream change rate of our scheme is
0.495–0.501. In comparison, the bit stream change rate of the scheme
in Ref. [52] is 0.4760–0.4773, which indicates that our encryption
algorithm has better key sensitivity than that of Ref. [52].
Ref. [53] proposed a lossy compression algorithm with embedded
encryption, and the encryption time of different bit rates/total time of
compression encryption is 42.5–44.9%. This indicates that the encryp-
tion time in our proposed scheme has little effect on the run time of the
entire algorithm.
6. Conclusions
In this paper, a joint lossless image compression and encryption
scheme based on 9/7-M IB-IWT, SPIHT and a new hyper-chaotic
system was proposed. Compression is carried out by 9/7-M IB-IWT
and SPIHT. Confusion and diffusion based on the new hyper-chaotic
system and Cat map are performed in encryption. As SHA-256 is fast
and input-sensitive, it is employed to enhance the encryption effect.
The keystream used in the encryption is related to the plaintext.
Moreover, a nonlinear inverse operation is introduced to resist attacks.
In the process of the compression, the image is encrypted via three
aspects. Firstly, the important wavelet coefficients are diffused and the
whole wavelet coefficients are permuted simultaneously. The key
stream used in the diffusion is related to the plaintext. Then, the
encryption is embedded in the sorting pass of SPIHT. Finally, diffusion
and permutation for the code stream is proposed to encrypt the final
data. The key space is large enough to resist brute-force attacks. The
test results show that the proposed compression and encryption
algorithm has high security and good performance in lossless compres-
sion.
Optics and Lasers in Engineering 90 (2017) 254–274
Key sensitivity Percentage of encryption time
Diagonal
0.0003075 0.495–0.501 35.17%
N/A N/A N/A
−0.070690 N/A N/A
0.0054 N/A N/A
−0.0086 N/A N/A
N/A 0.4760–0.4773 N/A
N/A N/A 42.5–44.9%
Acknowledgements
This work was supported by the National Natural Science
Foundation of China (60973162), the Natural Science Foundation of
Shandong Province of China (ZR2014FM026, ZR2009GM037), the
Science and Technology of Shandong Province, China
(2013GGX10129, 2010GGX10132, 2012GGX10110), the National
Cryptology Development Foundation of China (No.
MMJJ201301006), Foundation of Science and Technology on
Information Assurance Laboratory (No. KJ-14-005) and the
Engineering Technology and Research Center of Weihai Information
Security.
References
[1] Rema NR, Oommen Binu Ani, Mythili P. Image compression using SPIHT with
modified spatial orientation trees. Procedia Comput Sci 2015;46:1732–8.
[2] Kingston A, Autrusseau F. Lossless image compression via predictive coding of
discrete Radon projections. Signal Process: Image Commun 2008;23(4):313–24.
[3] Parmar Himanshu M. Comparison of DCT and wavelet based image compression
techniques. Int J Eng Dev Res 2014;2(1):664–9.
[4] Rui Luo. Design and analysis of remote sensing image information system [Doctoral
Dissertation]. In: Zheng Zhou, editor. The PLA Information Engineering University,
China; 2001: 93
[5] Qiuzhen Lin, Kwok-Wo Wong, Jianyong Chen. Generalized arithmetic coding using
discrete chaotic maps. Int J Bifurc Chaos 2012;22(10):1250256.
[6] Hermassi Houcemeddine, Rhouma Rhouma, Belghith Safya. Joint compression and
encryption using chaotically mutated Huffman trees. Commun Nonlinear Sci
Numer Simul 2010;15(10):2987–99.
[7] Zhanga Yushu, Xiao Di, Wen Wenying, Nanb Hai, Su Moting. Secure binary
arithmetic coding based on digitalized modified logistic map and linear feedback
shift register. Commun Nonlinear Sci Numer Simula 2015;27:22–9.
[8] Xiang Tao, Qu Jinyu, Xiao Di. Joint SPIHT compression and selective encryption.
Appl Soft Comput 2014;21:159–70.
[9] Yuen CH, Wong KW. A chaos-based joint image compression and encryption
scheme using DCT and SHA-1. Appl Soft Comput 2011;11:5092–8.
[10] Hua-Qian Yang, Xiao-Feng Liao, et al. SPIHT-based joint image compression and
encryption. Acta Phys Sin 2012;61(4):040505.
[11] Bowley J, Rebollo-Neira L. Sparsity and “Something Else”: an approach to
encrypted image folding. IEEE Signal Process Lett 2011;18(3):189–92.
[12] Rebollo-Neira L, Bowley J, Constantinides AG, et al. Self contained encrypted
image folding. Physica A: Stat Mech its Appl 2012:5858–70.
[13] Kwok HS, Tang WKS. A fast image encryption system based on chaotic maps with
finite precision representation. Chaos Solitons Fractals 2007;32(4):1518–29.
[14] Hongjun Liu, Xingyuan Wang. Color image encryption based on one-time keys and
robust chaotic maps. Comput Math Appl 2010;59:3320–7.
[15] Liu Hongjun, Wang Xingyuan. Color image encryption using spatial bit-level
permutation and high-dimension chaotic system. Opt Commun
2011;284:3895–903.
[16] Xu Lu, Li Zhi, Li Jian, Hua Wei. A novel bit-level image encryption algorithm based
on chaotic maps. Opt Lasers Eng 2016;78:17–25.
[17] Liu Hongjun, Wang Xingyuan, kadir Abdurahman. Image encryption using DNA
complementary rule and chaotic maps. Appl Soft Comput 2012;12:1457–66.
[18] Chai Xiuli, Chen Yiran, Broyde Lucie. A novel chaos-based image encryption
algorithm using DNA sequence operations. Opt Lasers Eng 2017;88:197–213.
[19] BORIGA Radu Eugen, Dăscălescu Ana Cristina, DIACONU Adrian Viorel. A new
fast Image Encryption Scheme Based on 2D chaotic Maps. Int J Comput Sci
2014;41(4):249–58.
[20] Wang Xingyuan, Liu Lintao, Zhang Yingqian. A novel chaotic block image
encryption algorithm based on dynamic random growth technique. Opt Lasers Eng
2015;66:10–8.
[21] Wang Xing-Yuan, Zhang Ying-Qian, Liu Lin-Tao. An enhanced sub-image en-
273
M. Zhang, X. Tong
cryption method. Opt Lasers Eng 2016;86:248–54.
[22] Belazi Akram, AbdEl-Latif Ahmed A, Diaconu Adrian-Viorel, Rhouma Rhouma,
Belghith Safya. Chaos-based partial image encryption scheme based on linear
fractional and lifting wavelet transforms. Opt Lasers Eng 2017;88:37–50.
[23] Ying-Qian Zhang, Xing-Yuan Wang. A new image encryption algorithm based on
non-adjacent coupled map lattices. Appl Soft Comput 2015;26:10–20.
[24] Ying-Qian Zhang, Xing-Yuan Wang. A symmetric image encryption algorithm
based on mixed linear–nonlinear coupled map lattice. Inf Sci 2014;273:329–51.
[25] Liu Wenhao, Sun Kehui, Zhu Congxu. A fast image encryption algorithm based on
chaotic map. Opt Lasers Eng 2016;84:26–36.
[26] Norouzi Benyamin, Mirzakuchaki Sattar. A fast color image encryption algorithm
based on hyper-chaotic systems. Nonlinear Dyn 2014;78:995–1015.
[27] Norouzi B, Mirzakuchaki S, Seyedzadeh SM, Mosavi MR. A simple, sensitive and
secure image encryption algorithm based on hyper-chaotic system with only one
round diffusion. Multimed Tools Appl 2014;73(3):1469–97.
[28] Tong Xiao-Jun, Zhang Miao, et al. An image encryption scheme based on a new
hyperchaotic finance system. OPTIK 2015;126(20):2445–52.
[29] Boriga Radu, Dăscălescu Ana Cristina, Priescu Iustin. A new hyperchaotic map and
its application in an image encryption scheme. Signal Process Image Commun
2014;29(8):887–901.
[30] Zhang Yushu, Xiao Di, Wen Wenying, Li Ming. Breaking an image encryption
algorithm based on hyper-chaotic system with only one round diffusion process.
Nonlinear Dyn 2014;76:1645–50.
[31] Jeng FG, Huang WL, Chen TH. Cryptanalysis and improvement of two hyper-
chaos-based image encryption schemes. Signal Process-Image 2015;34:45–51.
[32] Liao XF, Xiao D, Chen Y, Xiang T. Theory and Application of Chaotic Cryptography,
1st ed.. Beijing: Science Press; 2009. p. 50–9.
[33] Shapiro JM. Embedded image coding using zero trees of wavelet coefficients. IEEE
Trans Signal 1993;41(12):3445–62.
[34] Sang T, Wang RL, Yan YX. Perturbance-based algorithm to expand cycle length of
chaotic key stream. Electron Lett 1998;34(9):873–4.
[35] Wolf A, Swift JB, Swinney HL, Vastano JA. Determining Lyapunov exponents from
a time series. Physica D: Nonlinear Phenom 1985;16(3):285–317.
[36] Yongjian Liu. Hyperchaotic system from controlled Rabinovich system. Control
Theory Appl 2011;28(11):1671–8.
[37] Yan-Bin Zheng, Yu Song, et al. A novel detection of periodic phenomena of binary
chaotic sequences. Acta Phys Sin 2012;61(23):230501.
274
Optics and Lasers in Engineering 90 (2017) 254–274
[38] 〈http://csrc.nist.gov/publications/nistpubs/800-22-rev1a/SP800-22rev1a.pdf〉 [16
April 2014].
[39] Katz J, Lindell Y. Introduction to Modern Cryptography, 1st ed.. Taylor &
FrancisGroup; 2008. p. 234–56.
[40] Paar Christof, Pelzl Jan. Understanding cryptography: a textbook for students and
practitioners. Berlin Heidelberh: Spring-Verlag; 2010. p. 87–9.
[41] Xie Yaohua, Tang Xiao’an, Sun Maoyin, Zhang ongliang. Image lossless compres-
sion algorithm based on classification of LZW. J Image Graph 2010;15(2):236–41.
[42] Shnnon CE. Communication theory of secrecy systems. Bell Syst Tech J
1949;28:656–715.
[43] Wu Yue, Zhou Yicong, Saveriades George, et al. Local Shannon entropy measure
with statistical tests for image randomness. Inf Sci 2013;222:323–42.
[44] Wu Y, Noonan JP, Agaian S. NPCR and UACI randomness tests for image
encryption. Cyber J: Multidiscip J Sci Technol, J Sel Areas Telecommun
2011;2:31–8.
[45] Kwok HS, Tang WKS. A fast image encryption system based on chaotic maps with
finite precision representation. Chaos, Solitons Fractals 2007;32(4):1518–29.
[46] Wang Z, Bovik AC, Sheikh HR, Simoncelli EP. Image quality assessment: from
error visibility to structural similarity. IEEE Trans Image Process
2004;13(4):600–12.
[47] Wang Xingyuan, Teng Lin, Qin Xue. A novel colour image encryption algorithm
based on chaos. Signal Process 2012;92:1101–8.
[48] Wang XY, Yang L, Liu R, Abdurahman Kadir. A chaotic image encryption algorithm
based on perceptron model. Nonlinear Dyn 2010;62:615–21.
[49] Huang X. Image encryption algorithm using chaotic Chebyshev generator.
Nonlinear Dyn 2011;67:2411–7.
[50] Wu Xiangjun, Wang Dawei, Kurths Jürgen, Kan Haibin. A novel lossless color
image encryption scheme using 2D DWT and 6D hyperchaotic system. Inf Sci
2016;349–350:137–53.
[51] Hadjem T, Azzaz MS, Tanougast C, Sadoudi S. A new image crypto-compression
system SPIHT-PSCS. In: Proceedings of the 2014 International Conference on
Control, Decision and Information Technologies (CoDIT), Metz; 2014: 706-11.
[52] Yuanyuan Li, Shaowu Zhang. Image compression and encryption based on DWT
and SHA-1. J Image Graph 2013;18(4):376–81.
[53] Wang Bin, Zheng Xuedong, Zhou Shihua, et al. Encrypting the compressed image
by chaotic map and arithmetic coding. Optik 2014;125:6117–22.