Вы находитесь на странице: 1из 9

Optics and Lasers in Engineering 51 (2013) 665–673

Contents lists available at SciVerse ScienceDirect

Optics and Lasers in Engineering

journal homepage: www.elsevier.com/locate/optlaseng

An authenticated image encryption scheme based on chaotic maps

and memory cellular automata
Atieh Bakhshandeh, Ziba Eslami n,1
Department of Computer Science, Shahid Beheshti University, G.C., Tehran, Iran

a r t i c l e i n f o abstract

Article history: This paper introduces a new image encryption scheme based on chaotic maps, cellular automata and
Received 21 August 2012 permutation–diffusion architecture. In the permutation phase, a piecewise linear chaotic map is
Received in revised form utilized to confuse the plain-image and in the diffusion phase, we employ the Logistic map as well as
21 November 2012
a reversible memory cellular automata to obtain an efficient and secure cryptosystem. The proposed
Accepted 3 January 2013
Available online 8 February 2013
method admits advantages such as highly secure diffusion mechanism, computational efficiency and
ease of implementation. A novel property of the proposed scheme is its authentication ability which
Keywords: can detect whether the image is tampered during the transmission or not. This is particularly important
Image encryption in applications where image data or part of it contains highly sensitive information. Results of various
Chaotic map
analyses manifest high security of this new method and its capability for practical image encryption.
Memory cellular automata
& 2013 Elsevier Ltd. All rights reserved.

1. Introduction which are mainly caused by an infirm diffusion architecture. Li and

Chen [12] analyze the diffusion function of the schemes of [4,13–15]
Increasing demand for the use of computer networks, such as altogether and found some problems including a serious flaw of the
the Internet, has raised the significance of digital data protection diffusion function. It is therefore required to find a chaos-based
against illegal use. To overcome the security issue in storage and cryptosystem with secure diffusion mechanism. To name a few, [16]
transmission of confidential data, cryptography has suggested can be mentioned in which Zhang et al. use the theory of DNA
many encryption algorithms. However, visual data have certain sequence operation to encrypt image information and the combined
properties (such as bulky data capacity and strong correlation chaotic maps and DNA sequence addition operation to implement
among pixels) so that the traditional encryption schemes like DES image encryption. In [17], a pseudorandom sequence S1 generated
fail to achieve efficiency. Fortunately, various image encryption from chaotic map is combinatorially extended to a relatively long
methods are applicable among which chaos-based approaches pseudorandom sequence S2 to provide sufficient security of the
have shown superior performance [1–4]. Chaos-based image encrypted image by constructing permutation matrix with sequence
encryption methods are mainly composed of two major steps: S1. In [18], in the encryption (diffusion) phase, the pixels are
confusion and diffusion. In the confusion process, the pixels of the encrypted using an iterative cipher module based feedback and
image are permuted by some chaotic map while in the diffusion data-dependent inputs mechanism for mixing the current encryption
phase, the pixel values are altered in a way that a minute change parameters with previously encrypted information.
in one pixel of the plain-image causes the corresponding cipher- It is also important for an image ctyptosystem to be fast
image to be considerably different. enough to encrypt the huge amount of image data. In this regard,
In chaos-based techniques, designing the diffusion function a good candidate that fulfils the need for speed can be Cellular
can be quite challenging. This should be done in such a way that Automata (CA) invented by Von Neumann [19] in 1996. Due to
resistance to known-plaintext and chosen-plaintext attacks are easy hardware implementation and its pseudorandom behavior,
achieved [5–8]. In [8] a preprocessed signal of Chen’s chaotic system CA has been also used in image cryptography [20–22]. In this
is used as diffusion function which is later shown to suffer from paper, we introduce the concept of using a special kind of CA
serious security flaws under known-plaintext and chosen-plaintext called reversible memory cellular automata together with chaotic
attacks in [9] so that all the secret parameters can be revealed. In [10] maps in the context of image encryption. The proposed image
the security of [11] is analyzed and some weaknesses are found encryption technique differs from other existing CA based meth-
ods since we employ reversible linear memory CA for changing the
pixel values. As a result, we obtain a powerful cryptosystem
Corresponding author. Tel.: þ98 2129903005; fax: þ 98 2122431655. which successfully conquers the aforementioned shortcomings.
E-mail addresses: atieh.bakhshandeh@gmail.com (A. Bakhshandeh),
z_eslami@sbu.ac.ir (Z. Eslami).
Furthermore, we provide authentication by means of hash func-
This paper was prepared while the second author was on a sabbatical leave tions in our scheme. The rest of the paper is organized as follows:
at Ryerson University, Canada. In Section 2, we provide a brief introduction to the kind of cellular

0143-8166/$ - see front matter & 2013 Elsevier Ltd. All rights reserved.
666 A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673

þ 1Þ þ 1Þ
automata used in this paper. Section 3 is devoted to our proposed Proposition 1. If f t ðNðTt
i Þ ¼ aðTt
i , then the LMCA given by (5)
method. In Section 4, the security analysis is provided. Finally, is reversible and its inverse is another LMCA with the following local
Section 5 concludes the paper. transition function:

þ 1Þ
2. One-dimensional linear memory cellular automata aðT
¼ f tm1 ðNTm
i Þ þ aTt
ðmod 2Þ, 0 r ir N1: ð6Þ

One-dimensional finite boolean cellular automata (CA) are

We also need the following proposition from [23] which states
discrete dynamical systems composed of a finite array of N identical
that to invert an LMCA of order t, we require exactly t configurations.
objects called cells, where each cell can hold a state s A f0,1g,
updated synchronously in discrete time steps according to a local Proposition 2. Let M denotes a tth order LMCA. Then, in order to
transition function. The updated state of each cell depends on the compute C j þ 1 for some j Z t, exactly t configurations C j ,C j1 , . . . ,C jt þ 1
inputs of this function which are the previous states of a set of cells, are needed.
including the cell itself, and some of its adjacent cells that are
altogether called the neighborhood. For the ith cell, denoted by /iS, 3. The proposed scheme
we consider the symmetric neighborhood of radius r which is
defined as N i ¼ f/irS, . . . ,/iS, . . . ,/iþ rSg. Let aðTÞ
denotes the In this section, we propose a new image encryption scheme based
state of /iS at time T. Then, the local transition function of the on chaotic maps and one dimensional LMCA. The secret keys are the
cellular automata with radius r has the following form: initial conditions of the chaotic maps used in the scheme. The rule
aðT þ 1Þ
¼ f ðaðTÞ ðTÞ ðTÞ
0 r i rN1, numbers of the LMCA can be announced publicly or can be reckoned
i ðirÞ , . . . ,ai , . . . ,ai þ r Þ, ð1Þ
as part of the secret key. The scheme consists of four phases: (1) the
or equivalently, permutation phase in which the pixels of the plain-image are
þ 1Þ
shuffled using a chaotic map, (2) the encryption phase which
i ¼ f ðN ðTÞ
i Þ, 0 r ir N1, ð2Þ employs an LMCA for diffusing the pixels of the shuffled image, (3)
where NðTÞ  ðZ2 Þ 2r þ 1
stands for the states of the neighbor cells of the decryption phase in which the plain-image is recovered from the
/iS at time T. Furthermore, if i  jðmod NÞ, then it is assumed that cipher-image and (4) the data integrity validation phase intended to
aðTÞ ¼ aðTÞ to ensure well-defined dynamics of the CA. detect any interference during the transmission.
i j
The vector C T ¼ ðaT0 , . . . ,aðTÞ
N1 Þ is called the configuration of CA at
time T and C ð0Þ is the initial configuration. Moreover, the sequence 3.1. The permutation phase
fC ðTÞ g0 r T r k is called the evolution of order k of the CA and the set
of all possible configurations of the CA is denoted by C. Input: The plain-image P.
The global function of the CA is a linear transformation, Output: The shuffled image P 0 .
F : C-C, which determines the configuration at the next time step
during the evolution of the CA, that is, C ðT þ 1Þ ¼ FðC ðTÞ Þ. For a CA In the permutation process, we use a piecewise linear chaotic
with bijective F, there exists another cellular automaton, called map which is defined as follows:
its inverse, with global function F1 , and the CA itself is called 8
reversible. In such CAs the evolution backward is possible [23]. < x=p
> if x A ½0,pÞ
The local transition function of a linear cellular automaton f ðxÞ ¼ ðxpÞ=ð0:5pÞ if x A ½p,0:5Þ , ð7Þ
: f ð1x,pÞ
(LCA) with radius r is of the following form: if x A ½0:5,1Þ

þ 1Þ
r where x A ½0,1 and p A ½0,0:5 are considered as secret keys. The
¼ aj aðTÞ
ðmod 2Þ, 0 ri rN1, ð3Þ permutation process based on this map is composed of the
j ¼ r
following steps (see Fig. 1):
where aj A Z2 for every j. Since there are 2r þ 1 neighbor cells for
/iS, there exist 22r þ 1 LCAs and each of them can be specified by Step 1 Iterate the piecewise linear map M  N times to get the
an integer w called rule number which is defined as follows: values fx1 , . . . ,xMN g, where M and N are the number of
r the rows and columns of the plain-image P, respectively.
w¼ aj 2r þ j , ð4Þ Step 2 Sort the above values increasingly and take out the
j ¼ r values fx 1 , . . . ,x MN g.
Step 3 Find the position of values fx 1 , . . . ,x MN g in fx1 , . . . ,xMN g
where 0 rw r 22r þ 1 1.
and form the position set S ¼ fs1 ,s2 , . . . ,sMN g, where x i is
The CAs considered so far are memoryless, i.e., the updated state
the value of xsi .
of a cell depends on its neighborhood configuration only at the
Step 4 Shuffle the pixels of the plain-image P using the set S to
preceding time step. Nevertheless, one can consider cellular auto-
get the shuffled image P 0 .
mata for which the states of neighboring cells at time T as well as
T1,T2,y contribute to determine the state at time T þ 1. This is
the concept of the memory cellular automata (MCA). Hereafter, by a
3.2. Image encrypting phase
CA, we mean a particular type of MCA called the tth order linear MCA
(LMCA) whose local transition function takes the following form:

þ 1Þ
¼ f 1 ðN iðTÞ Þ þf 2 ðN ðT1Þ
Þ þ . . . þ f t ðN ðTt
þ 1Þ
Þðmod 2Þ, 0 r i rN1, Input: The shuffled image P0 .
ð5Þ Output: The encrypted image c.

where fi is the local transition function of a particular LCA with radius

This phase is intended to provide security against statistical
r, for 1 r ir t. In this case, we require t initial configurations
attacks and the differential attack. The keystream in this phase
C ð0Þ , . . . ,C ðt1Þ to start the evolution of LMCA. Furthermore, in order
for this cellular automaton to be reversible, we have the following is not only related to the secret key, but also to the plain-image,
proposition [23]. making the known-plaintext and chosen-plaintext attacks
A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673 667

Plain-image P

Shuffle the plain P by Divide P’ into nb m {B1,…,Bnb }

P’ i ←1
the piecewise linear pixel blocks

Put all the nb cipher

blocks together and No
form the cipher i<=nb
Cipher-image ψ
is i=1?
D ← rand (0,255)


D ← Bi −1 (1) ⊕ ... ⊕ Bi −1 (m)

H i = f h ( Bi (1),..., Bi (m))

Encrypt A m+1 {A 1,…,A m,A m+1,A m+2} Construct LMCA of order (m+2) with
i ← i +1 using the logistic initial configurations {Bi(1),…,Bi(m),Hi,D}
chaotic map and evolve it.

Fig. 1. Diagram of permutation and encryption procedures.

difficult tasks. In this phase, the key is the initial condition of the where fh is a collision-resistant hash function and
logistic chaotic map, defined according to the following formula: Bi(k) denotes the kth pixel of the ith block. Note that
the collision resistance of fh makes it hard to find
yn þ 1 ¼ 4yn  ð1yn Þ yn A ½0,1: ð8Þ
two distinct values x and x0 such that f h ðxÞ ¼ f h ðx0 Þ.
In contrast to most image encryption techniques that are cipher 2.2 Construct L that is a reversible LMCA of order m þ 2
by computing the m þ 2 initial configurations
streams, our image encryption method is a block encryption
fC ð1Þ , . . . ,C ðm þ 2Þ g as follows:
algorithm in which the image is divided into n blocks and each  Set C ð1Þ ¼ Bi ð1Þ,C ð2Þ ¼ Bi ð2Þ, . . . ,C ðmÞ ¼ Bi ðmÞ.
block will be handled separately. The exact procedure is as  Set C ðm þ 1Þ ¼ Hi in which Hi is the hash value of
follows and a graphical representation is depicted in Fig. 1: the block, computed by (9).
 If i¼1, i.e. this block is the first block being
processed, assign C m þ 2 to an arbitrary number
Step 1 Divide the shuffled image P0 into nb m-pixel blocks, where between 0 and 255, otherwise assign C ðm þ 2Þ to
nb ¼ ½M  N=m. The value of m is arbitrary; however, the value D ¼ Bi1 ð1Þ  Bi1 ð2Þ . . .  Bi1 ðmÞ that
note that choosing greater values results in less compu- is the XOR of the pixels of the previous block.
tations while choosing smaller values for m leads to more 2.3 Evolve L for w times, starting from the initial con-
precision in data integrity verification phase. Thus, one figurations fC ð1Þ , . . . ,C ðm þ 2Þ g to obtain the new con-
should make a trade-off between two mentioned proper- figurations fAi ð1Þ,Ai ð2Þ, . . . ,Ai ðm þ 2Þg where w can be
ties while choosing the value of m. announced publicly or can be part of the key.
Step 2 For each block Bi, 1 ri rnb , perform the following steps: 2.4 Encrypt the (m þ1)th configuration of the evolved
block, i.e. Ai ðm þ 1Þ as follows:
2.1 Compute the hash value for the block according to
the following formula:  Compute K ¼ 1 þ modðAi ð1Þ,4Þ.
 Iterate the Logistic chaotic map K times to obtain
Hi ¼ f h ðBi ð1Þ, . . . ,Bi ðmÞÞ, ð9Þ the value y.
668 A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673

Fig. 2. Histograms of plain-image Boat and its corresponding cipher-image (x ¼0.123456789, p ¼ 0.2, y¼0.5671). (a) Original Boat image. (b) Encrypted Boat image.
(c) Histogram of (a). (d) Histogram of (b).

 Compute the value d ¼ floorðmodðy  106 Þ,256Þ. Table 1

 Calculate the new value A0i ðm þ 1Þ ¼ Ai ðm þ1Þ Key-sensitivity test results, K¼ 0.123456789, Dd ¼ 1015 .
modðd þ Ai ðm þ 2Þ,256Þ.
Image Ps (K)
2.5 Set the corresponding cipher-block ci to the values
Boat 0.9966
fAi ð1Þ,Ai ð2Þ, . . . ,A0i ðm þ1Þ,Ai ðm þ 2Þg. Lake 0.9959
Lena 0.9967
The cipher-image c consists of the cipher-blocks ci , 1 r ir nb , Pepper 0.9962
computed by the above procedure.
3.3. The decrypting phase

is obtained by iterating the logistic map. Note that

Input: The cipher-image c. this is possible only if the receiver has the secret key.
Output: The plain-image P. Step 2 Construct L~ that is the inverse of L with initial
~ ~ ~
configurations fC ð1Þ ¼ Ai ð1Þ, C ð2Þ ¼ Ai ð2Þ, . . . , C ðm þ 1Þ ¼
The decryption algorithm is similar to that of encryption in the ðm~þ 2Þ
Ai ðm þ1Þ, C ¼ Ai ðmþ 2Þg and evolve it w times to
reverse order. Since our LMCA (L) is of order m þ2, Proposition 2 obtain the values fBi ð1Þ, . . . ,Bi ðmÞg and also the value
states that in order to evolve it backward, exactly m þ2 last Hi which will be used later to verify the image
configurations are needed. Thus, it is not possible to decrypt the integrity.
cipher-image without the key and that is because in every
encrypted block ci ¼ fAi ð1Þ,Ai ð2Þ, . . . ,A0i ðmþ 1Þ,Ai ðm þ2Þg, one con-
figuration (A0i ðm þ 1Þ) is encrypted using the key. The exact After recovering all the blocks, the receiver obtains the shuffled
procedure is as follows: image P 0 . Now the reverse operation of the permutation should be
At the receiver side, for each encrypted block ci ¼ fAi ð1Þ,Ai ð2Þ, performed to get the original image P.
. . . ,A0i ðmþ 1Þ,Ai ðm þ2Þg, 1 r ir nb , the following steps should be
performed: 3.4. Data integrity validation phase

Step 1 Calculate Ai ðm þ 1Þ using the formula Ai ðm þ 1Þ ¼ Input: The recovered shuffled image P0
A0i ðm þ1Þ  modðd þ Ai ðmþ 2Þ,256Þ, where the value d Output: Detecting whether the image is tampered or not.
A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673 669

The algorithm to verify the image integrity (in case of a 4.1. Key analysis
required authentication) is as follows:
4.1.1. Key space
Step 1 Divide P0 (recovered according to the Section 3.3) into m A good image cryptosystem should provide a fairly large key
pixel blocks fB1 ,B2 , . . . ,Bnb g. For each block Bi, 1 r i rnb , space to resist brute-force attacks. The size of the key space is
perform the following steps: equal to the total number of different keys that can be used in the
scheme. In our scheme, the secret keys are the initial condition of
(a) Compute the value hi ¼ f h ðBi ð1Þ, . . . ,Bi ðmÞÞ where fh is the piecewise linear map ðx A ½0,1Þ, the control parameter of the
the same hash function as in (9) and Bi(k) denotes piecewise linear map ðp A ½0,0:5Þ and the initial condition of the
the kth pixel of the ith block. logistic map ðy A ½0,1Þ. To achieve more security, we recommend
(b) If the value Hi, recovered in Step 2 of the decryption to consider the rule numbers of the LMCA as part of the secret key
procedure, is equal to the value hi, then this block is too, but here, we do not take them into account. Therefore, the
not tampered. secret key includes two floating point numbers of precision 1015
in interval ½0,1 and one floating point number of precision 1015
Note that we employed a collision resistant hash function to in interval ½0,0:5 which causes the key space to be equal to 1015 
compute the hash value of the blocks Bi, 1 ri rnb (see Eq. (9)). 1015  1014  5 ¼ 1044  5 that is large enough to make brute-
Therefore, to verify if the image is intact or not, we only need to force attacks infeasible [24].
check if hi equals Hi for every block.
4.1.2. Key sensitivity
A good image encryption scheme should be sensitive to the
secret key, meaning that a slight change in the secret key should
4. Security analysis cause a substantial change in the corresponding cipher-image. To
test the sensitivity of a key parameter K, the plain-image is
In this section, we first provide key analysis of the proposed encrypted with K ¼p, K ¼ pDd and K ¼ p þ Dd, while keeping
cryptosystem. We then consider the behavior of the scheme the other key parameters unchanged. Here Dd is a very small
against statistical attacks and differential attack. Resistance to value and is called the perturbing value. The corresponding
known-plaintext and chosen-plaintext attacks are discussed as encrypted images are denoted by I1, I2 and I3, respectively. The
well. Finally, we analyze the performance of the scheme. sensitivity coefficient for the parameter K is denoted by the

Fig. 3. Histograms of plain-image Lake and its corresponding cipher-image (x¼ 0.123456789, p ¼ 0.2, y¼ 0.5671). (a) Original Lake image. (b) Encrypted Lake image.
(c) Histogram of (a). (d) Histogram of (b).
670 A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673

following formula [25]: 4.2.1. Histogram

The histograms of the two images Boat and Lake, are depicted
1 X
P s ðKÞ ¼ ½N s ðI1 ði,jÞ,I2 ði,jÞÞ þN s ðI1 ði,jÞ,I3 ði,jÞÞ, ð10Þ in Figs. 2 and 3, respectively. These figures illustrate that the
2HW i,j histograms of the encrypted images are fairly uniform. Thus, they
do not provide any useful information for the attacker.
where Ns ðx,yÞ ¼ 1 if x ay and Ns ðx,yÞ ¼ 0 otherwise. Greater values
of Ps(K) indicate more sensitivity for the parameter K.
We run a test on four images Boat, Lake, Lena and Pepper 4.2.2. Correlation of adjacent pixels
where the parameter K is set to the initial condition for the There is usually a strong correlation between adjacent pixels in
piecewise linear map, the perturbing value is set to 1015 and all the image data. A secure image cryptosystem should remove this
other keys are unchanged. The results are summarized in Table 1 correlation to make statistical attacks infeasible. To test the correla-
and show the high level of key-sensitivity of the proposed tion between two adjacent pixels, we select 1000 random pair of
scheme. adjacent pixels (in horizontal, vertical and diagonal direction) and
calculate the correlation coefficient of each pair before and after
encryption, using the following equations:
4.2. Statistical analysis covðx,yÞ
r xy ¼ pffiffiffiffiffiffiffiffiffipffiffiffiffiffiffiffiffiffiffi , ð11Þ
DðxÞ DðyÞ
Statistical analysis on our proposed scheme indicates great con-
fusion and diffusion making the cipher-image strongly robust against
related attacks. This is shown by a test on the histogram, a test on the covðx,yÞ ¼ ðx EðxÞÞðyi EðyÞÞ, ð12Þ
Ni¼1 i
correlation of adjacent pixels and a test on image entropy.

Fig. 4. Correlations of two adjacent pixels in the plain-image and in the cipher-image: (a), (c) and (e) corresponds to the plain-image Boat; (b), (d) and (f) corresponds to
the cipher-image Boat.
A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673 671

Fig. 5. Correlations of two adjacent pixels in the plain-image and in the cipher-image: (a), (c) and (e) corresponds to the plain-image Lake; (b), (d) and (f) corresponds to
the cipher-image Lake.

Table 2 Table 3
Correlation coefficients of two adjacent pixels in the plain-image and the correspond- Information entropy test results.
ing cipher image.
Image H (m)
Plain-image Cipher-image Plain-image Cipher-image
‘‘boat’’ ‘‘boat’’ ‘‘lake’’ ‘‘lake’’ Boat 7.9706
Lake 7.9730
Horizontal 0.9189  0.0063 0.9283  0.0035 Lena 7.9696
Vertical 0.9028 0.0095 0.9444 0.0089 Pepper 7.9717
Diagonal 0.9266 0.0089 0.8927  0.0011

4.2.3. Information entropy attack
DðxÞ ¼ ðx EðxÞÞ2 , ð13Þ
Ni¼1 i The information entropy is the most significant feature of
randomness. The information entropy H(m) of a message source
m can be measured by the following formula [26]:
EðxÞ ¼ x, ð14Þ
Ni¼1 i X
HðmÞ ¼  pðmi Þlog2 ðpðmi ÞÞ, ð15Þ
where x and y are gray-scale values of two adjacent pixels of the
image. The correlation coefficients of the plain-images and cipher- where L is the total number of symbols in m and pðmi Þ represents
images of Boat and Lake are illustrated in Figs. 4 and 5, respectively. the probability of occurrence of symbol mi. Assuming there are
Also, Table 2 summarizes the results corresponding to these images. 256 symbols with the same probability, we get the ‘‘true random’’
672 A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673

Table 4 time. We have already manifested the good performance of the

NPCR and UACI between cipher-images with slightly different plain-images after proposed scheme against different types of attacks in previous
one round of encryption.
sections. In this section, we discuss the computational complexity
Plain-image NPCR (%) NPCR (%) UACI (%) UACI (%) as well as the speed of the proposed scheme. The operations
(Ours) (Zhang and Liu) (Ours) (Zhang and Liu) employed in different phases of the proposed scheme consist of
generating random sequences, computing evolutions of a linear
Boat 99.1025 65.2120 33.1600 21.9768 cellular automata and bitwise XORing. All of these operations
Lake 99.1220 65.3616 33.6064 22.1871
Lena 99.4602 37.6389 33.2161 12.7034
have straightforward implementations. These factors make the
Pepper 99.5643 65.5177 33.5724 22.2955 proposed cryptosystem an efficient scheme in terms of computa-
tional complexity. The proposed encryption scheme is within
block encryption techniques. In general, block encryption techni-
ques are slow in comparison with stream ciphers [29]. We
source in which HðmÞ ¼ 8. Hence, the information entropy must compare the speed of our scheme with another block encryption
be close to 8 after encryption process. The entropy value for four technique proposed in [30]. We implement both schemes on a
images, encrypted by our method, are presented in Table 3 that personal computer with 2.26 GHz core 2 Duo CPU, having 4 GBs of
indicates they are close to a random source and the proposed RAM. The operating system is Windows Vista and the program-
scheme is robust against entropy attack. ming environment is MATLAB 7.12. The size of the image is
124  124 in this test. In [30], in order to get acceptable perfor-
4.3. The differential attack mance such as NPCR 499% and UACI 4 33%, the algorithm needs
to be performed 18 times (3 rounds of permutation and 6 rounds
Differential attack is a type of attack in which the attackers of diffusion) which leads to encryption time of about 98 ms.
make a tiny change in the plain-image (e.g. modify only one pixel) In our proposed method, it suffices to evolve the LMCA for once
to obtain some meaningful information between the plain-image (i.e. W¼1) to get the mentioned high performance. This results in
and the cipher-image. To test how one pixel change in the plain- time consumption of about 90 ms. Therefore, the encryption
image affects the corresponding cipher-image, two common speed of the proposed method is satisfactory.
measures are calculated: number of pixels change rate (NPCR)
and unified average changing intensity (UACI), defined in the
following equations for images C1 and C2 of size ðM  NÞ: 5. Conclusion
i,j Dði,jÞ
NPCR ¼  100, ð16Þ In this paper, an efficient image encryption method based on
2 3 chaotic maps and reversible memory cellular automata is pro-
1 4X c1 ði,jÞc2 ði,jÞ5 posed. In the confusion phase, we use a piecewise linear chaotic
UACI ¼  100, ð17Þ map and in the diffusion phase, a special kind of CA and the
W  H i,j 255
logistic chaotic map are employed. A notable feature of the
where cl ði,jÞ denotes the pixel in C l ðl ¼ 1,2Þ at position (i, j). If proposed method is its ability to check data integrity at block
c1 ði,jÞ ¼ c2 ði,jÞ then Dði,jÞ ¼ 0, otherwise Dði,jÞ ¼ 1. As Table 4 level. This is particularly important in applications where image
represents, our results show superior performance in comparison data or part of it contain highly sensitive information and
with scheme proposed in [28]. authentication is required. The proposed scheme fulfils all the
desired properties of a secure cryptosystem including large key
space, resistance to entropy, differential, known-plaintext and
4.4. Resistance to known-plaintext and chosen-plaintext attacks
chosen-plaintext attacks. Here, we implement the scheme on
gray-scale images, but it can be applied to efficiently encrypt
In known-plaintext attack, the adversary knows some plain-
color images as well. These properties make the proposed scheme
text/cipher-text pairs all encrypted with the same key. The goal of
a good candidate for being used in practical image encryption.
the adversary is to determine the plain-text that was encrypted in
some other cipher-text. In chosen-plaintext attack, the adversary
has the ability to obtain the encryption of the plain-texts of its References
choice. It then attempts to determine the plain-text that was
encrypted in some other cipher text [27]. In our scheme, in the
[1] Fridrich J. Symmetric ciphers based on two-dimensional chaotic maps. Int
diffusion phase, a feedback from the cipher-image is employed to J Bifurcat Chaos 1998;8:1259–84.
change the number of iterations of the logistic map according to [2] Sun F, Liu S, Li Z, Lu Z. A novel image encryption scheme based on spatial
chaos map. Chaos Solitons Fractals 2008;38:631–40.
the formula K ¼ 1 þ modðAi ð1Þ,4Þ, where Ai ð1Þ is the feedback from
[3] Liu Z, Guo Q, Xu L, Ahmad MA, Liu S. Double image encryption by using
cipher image and K is the number of iterations of the logistic map. iterative random binary encoding in gyrator domains. Opt Exp
Since the key stream is related to the corresponding cipher- 2010;18:12033–43.
images, therefore, when different plain-images are encrypted, [4] Chen G, Mao Y, Chui CK. A symmetric image encryption scheme based on 3D
chaotic cat maps. Chaos Solitons Fractals 2004;21:749–61.
the corresponding key stream would be different. The adversary [5] Alvarez G, Montoya F, Romera M, Pastor G. Cryptanalysis of a discrete chaotic
cannot obtain useful information by encrypting some special cryptosystem using external key. Phys Lett A 2003;319:334–9.
images, since the resultant information is related to those [6] Arroyo D, Alvarez G, Li Sh, Li Ch, Nunez J. Cryptanalysis of a discrete-time
synchronous chaotic encryption system. Phys Lett A 2008;372:1034–9.
chosen-images. This indicates that our scheme is highly secure [7] Li C, Li S, Chen G, Halang WA. Cryptanalysis of an image encryption scheme
against known-plaintext and chosen-plaintext attacks. based on a compound chaotic sequence. Image Vision Comput 2009;27:1035–9.
[8] Guan Z, Huang F, Guan W. Chaos-based image encryption algorithm. Phys
Lett A 2005;346:153–7.
4.5. Performance analysis [9] Cokal C, Solak E. Cryptanalysis of a chaos-based image encryption algorithm.
Phys Lett A 2009;373:1357–60.
The performance of a cryptographic system is measured based [10] Li C, Li S, Asim M, Nunez J, Alvarez G, Chen G. On the security defects of an
image encryption scheme. Image Vision Comput 2009;27:1371–81.
on different factors such as reliability regarding different types of [11] Pareek N, Patidar V, Sud K. Discrete chaotic cryptography using external key.
attacks, computational complexity and encryption/decryption Phys Lett A 2003;309:75–82.
A. Bakhshandeh, Z. Eslami / Optics and Lasers in Engineering 51 (2013) 665–673 673

[12] Li C, Chen G. On the security of a class of image encryption schemes. IEEE [21] Chen RJ, Lai JL. Image security system using recursive cellular automata
Symp Circuits Syst 2008:3290–3. substitution. Pattern Recognition 2007;40:1621–31.
[13] Mao Y, Chen G, Lian S. A novel fast image encryption scheme based on 3D [22] Jin J. An image encryption based on elementary cellular automata. Opt Laser
chaotic baker maps. Int J Bifurcat Chaos 2004;14:3613–24. Eng 2012;50:1836–43.
[14] Shen J, Jin X, Zhou C. A color image encryption algorithm based on magic [23] Eslami Z, Zarepour Ahmadabadi J. A verifiable multi-secret sharing scheme
cube transformation and modular arithmetic operation. Lect Notes Comput based on cellular automata. Inf Sci 2010;180:2889–94.
Sci 2005;3768:270–80. [24] Stinson D. Cryptography: theory and practice. 2nd ed.CRC/C&H; 2002.
[15] He X, Zhu Q, Gu P. A new chaos-based encryption method for color image. [25] Lian S, Sun J, Wang Z. A block cipher based on a suitable use of the chaotic
Lect Notes Artif Int 2006;4062:671–8. standard map. Chaos Solitons Fractals 2005;26:117–29.
[16] Zhang Q, Guo L, Wei X. Image encryption using DNA addition combining with [26] Ye R. A novel chaos-based image encryption scheme with an efficient
chaotic maps. Math Comput Model 2010;52:2028–35. permutation–diffusion mechanism. Opt Commun 2011;284:5290–8.
[17] Yoon JW, Kim H. An image encryption scheme with a pseudorandom permu- [27] Katz J, Lindell Y. Introduction to modern cryptography. CRC/C&H; 2008.
taion based on chaotic maps. Commun Nonlinear Sci 2010;15:3998–4006. [28] Zhang G, Liu Q. A novel image encryption method based on total shuffling
[18] Ismail IA, Amin M, Diab H. A digital image encryption algorithm based a scheme. Opt Commun 2011;284:2775–80.
composition of two chaotic Logistic maps. Int J Network Secur 2010;11:1–10. [29] Philip M, das A. Survey: image encryption using chaotic cryptography
[19] Neumann John Von, Burks AW, editors. Theory of self-reproducing automata.
schemes. In: IJCA Special Issue on Computational Science—New Dimensions
Champaign, IL, USA: University of Illinois Press; 1966.
& Perspectives, vol. 1; 2011. p. 1–4.
[20] Maleki F, Mohades A, Mehdi Hashemi S, Shiri ME. An image encryption
[30] Lian S, Sun J, Wang Z. A block cipher based on a suitable use of the chaotic
system by cellular automata with memory. In: The Third International
standard map. Chaos Solitons Fractals 2005;26:117–29.
Conference on Availability, Reliability and Security. IEEE; 2008. p. 1266–71.