Image encryption based on the finite field cosine transform

Signal Processing: Image Communication ] (]]]]) ]]]–]]]

Contents lists available at SciVerse ScienceDirect

Signal Processing: Image Communication journal homepage: www.elsevier.com/locate/image

Image encryption based on the finite field cosine transform J.B. Lima a,n, E.A.O. Lima b, F. Madeiro b a Department of Mathematics, Federal University of Pernambuco, Av. Jornalista Aníbal Fernandes, S/N, Cidade Universitária, CEP 50740-560, Recife/PE, Brazil b Polytechnic School of Pernambuco, University of Pernambuco, Rua Benfica, 455, Madalena, CEP 50750-470, Recife/PE, Brazil

a r t i c l e i n f o

abstract

Article history: Received 7 February 2013 Received in revised form 16 April 2013 Accepted 31 May 2013

In this paper, a novel image encryption scheme is proposed. The technique involves two steps, where the finite field cosine transform is recursively applied to blocks of a given image. In the first step, the image blocks to be transformed result from the regular partition of subimages of the original image. The transformed subimages are regrouped and an intermediate image is constructed. In the second step, a secret-key determines the positions of the intermediate image blocks to be transformed. Besides complying with the main properties required by image encryption methods, the proposed scheme provides benefits related to computational complexity and encoding of the ciphered-images. & 2013 Elsevier B.V. All rights reserved.

Keywords: Image encryption Finite field cosine transform Permutations

1. Introduction The ever-increasing multimedia communication traffic has demanded high transmission rates and security in distribution and storage of data. In manifold applications, such as medical imaging systems, military image database and television, schemes devoted to reliability and security of image and video are particularly important [1–3]. This scenario has attracted the attention of companies and academia and led to the development of techniques with different purposes and based on several principles. This paper encompasses image encryption, where visual and statistical aspects of an image are modified in order to obtain a noisy ciphered-image. In [4], for example, image encryption is done by employing chaotic sequences. In [5] and [6], image encryption schemes based on local random phase encoding in fractional Fourier transform and gyrator transform domains, respectively, are proposed; in such schemes, random phase encoding is iteratively applied to different regions of an input image. Other

n

Corresponding author. Tel.: +55 81 2126 7687; fax: +55 81 2126 8410. E-mail addresses: [email protected] (J.B. Lima), [email protected] (E.A.O. Lima), [email protected] (F. Madeiro).

encryption techniques use fractional Fourier transforms, discrete cosine transform, Arnold transform, jigsaw transform and discrete fractional random transforms in the intensity-hue-saturation space [7–11]. Furthermore, image encryption can be implemented by the means of optical systems [12–15]. Although a method for image encryption has specific theoretical foundations, it should be resistant against statistical analysis, differential attacks and other strategies that can be used by an adversary [1]. In this work, an image encryption technique based on the finite field cosine transform (FFCT) is introduced. The FFCT was first defined in [16] and corresponds to a finite field version of the discrete cosine transform (DCT). It exhibits interesting properties which are valuable for cryptographic purposes. In particular, it is possible to obtain FFCT matrices with large periods, compared to the periods of other transforms [17]. This means that the FFCT of an image block can be recursively computed a large number of times before returning to the original block. Such a property was previously explored in [18], where a simple method for uniformizing histograms of digital images was introduced (encryption was not performed in that case). The image encryption scheme proposed in this paper consists of two steps. In the first step, 64 subimages are

0923-5965/$ - see front matter & 2013 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.image.2013.05.008

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

2

generated from the original image by a systematic pixel selection procedure. Each subimage is regularly divided into non-superposed 8
8 blocks, which are submitted to the recursive application of the FFCT. An intermediate image is produced by regrouping the transformed subimages. In the second step, a permutation is used as a key to determine the position of new superposed8
8 blocks of the intermediate image. Such blocks are then sequentially processed by the FFCT also in a recursive manner. The decryption scheme consists simply in inverting the order of the operations applied to the image in the encryption process. The most attractive property of our approach is that only modular arithmetic is necessary to process the images. This means that arithmetic operations can be done with less complexity, compared to those performed using floating-point computations [19,20]. Since rounding is not needed, round-off errors are avoided and the decrypted image is rigorously equal to the original one. Moreover, due to the recursive application of the FFCT, the cipheredimage can be stored using the same encoding scheme of the original image. Such benefits are not present in image encryption schemes based on transforms defined over real (or complex) numbers [7]. Additionally, the steps which compose our approach do not depend on any iterative strategy to achieve specific security constraints. This contrasts with most image encryption methods based on pixel scrambling and chaotic sequences, which may require several rounds of iterations to give acceptable results [9,21]. This paper is organized as follows. After this introduction, the theory of the finite field cosine transform is reviewed in Section 2. We briefly discuss some important characteristics of the FFCT and give the transform matrix to be used in the proposed application. In Section 3, we introduce our image encryption scheme and explain the steps necessary to its implementation. In Section 4, we present computer simulations used to illustrate and evaluate the performance of our approach. In particular, the security of the method is analyzed by the use of some well-known metrics. Finally, in Section 5, the concluding remarks of the paper are presented. 2. The finite field cosine transform The technique proposed in this paper is based on the finite field cosine transform (FFCT), which was originally introduced in [16]. The family of finite field trigonometric transforms (FFTT), which is completely described in [22], is composed of 8 types of finite field cosine transforms and also 8 types of finite field sine transforms. The following definition related to trigonometry in finite fields is needed to introduce the FFCT [23]. Definition 1 (Finite field cosine function). Let ζ be a nonzero element in the finite field GF(p), p is an odd prime. The finite field cosine function related to ζ is computed modulo p by cos ζ ðxÞ≔

ζx þ ζ −x ; 2

ð1Þ

x ¼ 0; 1; …; ordðζÞ, where ordðζÞ denotes the multiplicative order of ζ. The finite field cosine function defined above holds properties similar to those of the standard real-valued cosine function, such as unit circle and addition of arcs, for instance [23]. In the present work, we use the FFCT of type 2, which is computed according to the following definition. Definition 2. Let ζ∈GFðpÞ be an element with multiplicative order 2N. The finite field cosine transform of the vector x ¼ ½x0 ; x1 ; …; xN−1 , xi ∈GFðpÞ, is the vector X ¼ ½X 0 ; X 1 ; …; X N−1 , X k ∈GFðpÞ, of elements rffiffiffiffi   2 N−1 2i þ 1 ; ð2Þ Xk≔ ∑ γ k xi cos ζ k Ni¼0 2 where ( γr ¼

pffiffiffi 1= 2;

r ¼ 0;

1;

r ¼ 1; 2; …; N−1:

The FFCT given in Definition 2 is invertible by the formula [16,22]: rffiffiffiffi   2 N−1 1 ð3Þ xi ≔ ∑ γ i X k cos ζ k þ i : Nk¼0 2 The computation of the FFCT of a vector x can be written as X ¼ Cx, where C corresponds to the transform matrix, the elements of which are obtained directly from Eq. (2). Using such a matrix notation, the FFCT can be extended to two dimensions; the two-dimensional FFCT of a matrix m with dimensions N
N can be computed by M ¼ CmC. The period of the FFCT matrix is of great importance for the application described in this paper [17]. Such a parameter corresponds to the least integer and positive power l giving Cl ¼ I. If the matrix C is viewed as an element of the group GLðN; GFðpÞÞ, the period of C represents its multiplicative order. Differently from other transforms, whose matrices have periods well-defined and independent of their dimensions,1 the FFCT matrix defined in Eq. (2) does not present any regularity in its period [17]. With the purpose of investigating the aforementioned question, we write the matrix C as C ¼ UΛUt , where U is a unitary matrix, the columns of which are the eigenvectors of C, and Λ is a diagonal matrix, the elements of which are the eigenvalues of C. Since UUt ¼ I, then Cl ¼ UΛl Ut , where Λl is obtained by computing the l-th power of each element in the main diagonal of Λ. If l is the least common multiple of the multiplicative orders of the eigenvalues of C, then Λl ¼ I and Cl ¼ I, i.e., l is the period of C. Since the eigenvalues of the matrix C are all distinct (conjecture), it is possible to obtain FFCT matrices with large periods, compared to the periods of other transforms [17]. The use of finite field tools provides advantages with respect to computational complexity and accuracy, since rounding or truncation are not necessary [19]. In this 1 For example, the matrix of the Fourier transform always has period equals 4 [24].

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

context, the finite field GF(p), where p is a Fermat prime, i.e., a prime of the form p ¼ 2m þ 1, is a structure where the algorithm for the computation of transforms requires less computational effort, when compared to algorithms over finite fields such that p is not a Fermat prime [20]. In this paper, we consider gray scale images whose pixels have values ranging from 0 to 255. Thus, in order to avoid data loss due to the modular reduction required by the transform computation, an FFCT with p≥257 must be defined. On the other hand, the greater the prime number used to define the transform is, more bits are needed to represent the image after applying the transform. Considering these facts, we choose the Fermat prime p ¼257 to define the FFCT to be used in the application described in this paper; using the number ζ ¼ 128, with ordðζÞ ¼ 2N ¼ 16, we define the following 8
8 transform matrix: 2 3 15 15 15 15 15 15 15 15 6 137 163 98 106 151 159 94 120 7 6 7 6 7 6 160 6 251 97 97 251 6 160 7 6 7 6 163 151 120 159 98 137 106 94 7 6 7 C¼6 7: ð4Þ 6 242 15 15 242 242 15 15 242 7 6 7 6 98 120 106 163 94 151 137 159 7 6 7 6 7 4 6 97 160 251 251 160 97 6 5 106

159

163

120

137

94

98

151

Powers of the above transform matrix were calculated and the period l ¼16,974,594 was encountered for such a matrix. The application of the given transform matrix to an 8
8 gray scale image block produces a matrix (transformed version of the image block) where the elements can range from 0 to 256; this is due to the fact that a modulo 257 arithmetic is being used. If any element in a transformed block is equal to 256, such a block cannot be coded with 8 bits per pixel, which is obviously undesirable. In order to remove such a restriction, the proposed technique adopts the recursive application of the transform; whenever the FFCT of a block is computed, this is done repeatedly until the resulting block has no pixels with value equals 256 (see Fig. 1). This process is invertible by computing the inverse transform also repeatedly until encountering the original image block, which does not contain any pixel with value equals 256. 3. The encryption scheme The proposed image encryption scheme is implemented in two steps. Such steps are concisely illustrated in Fig. 2 and explained in details in the following paragraphs. In the first step, the original image I is initially divided into blocks with dimensions 8
8 pixels.2 Such blocks are taken from the left to the right and from the top to the bottom and used to create 64 subimages referred to as I i;j , i; j ¼ 1; 2; …; 8. The subimage I i;j is formed by all pixels in the i-th row and the j-th column of each 8
8 block of an image. As an example, the construction of 8
8 blocks of 2 If the input original image has dimensions which are not multiples of 8, it can be padded with columns and/or rows of pixels with arbitrary values.

Input 8 x 8 image block

3 Is the maximum pixel value less or equal to 255? Yes

FFCT

Output 8 x 8 recursively transformed image block

No

Fig. 1. Recursive computation of the finite field cosine transform of an 8
8 image block.

subimages I 1;2 and I 5;4 from a 64
64 block of an image is illustrated in Fig. 3. Each subimage just created is then divided again into 8
8 blocks, which are submitted to the recursive application of the FFCT. There is no superposition among such blocks. The transform matrix is given by Eq. (4) and the recursive application procedure is explained in the last paragraph of Section 2. The transformed blocks substitute the corresponding original blocks in each subimage and the subimages I~ i;j , i; j ¼ 1; 2; …; 8, are obtained. An intermediate image Iint is then constructed from such transformed subimages, by reversing the procedure used to construct the initial subimages I i;j from the original image I. In the second step, blocks of the intermediate image Iint are selected according to a key. Such blocks are then submitted to a new recursive application of the FFCT. After two rounds of this step, the encrypted image Ie is obtained. In order to explain the block selection performed in the second step of the proposed encryption scheme, we consider an intermediate image Iint with dimensions l
c. Initially, the image is divided into blocks with dimensions bl
bc , such that both l=bl and c=bc are integer numbers. Naturally, N b ¼ l=bl
c=bc blocks are created. The blocks are sorted in a manner such that the k-th block, k ¼ 1; 2; …; Nb , is composed by the pixels in the positions (i,j), where i ¼ ðα−1Þbc þ 1; ðα−1Þbc þ 2; …; ðα−1Þbc þ bc and j ¼ βbl þ 1; βbl þ 2; …; βbl þ bl ; for β ¼ ⌈kbc =c⌉−1 and α ¼ k−βðc=bc Þ. We use as encryption key a permutation in the set f1; 2; …; bl
bc g. Such a key is denoted by s∈Sn , where Sn is the permutation group of n ¼ bl
bc symbols. We observe that the key space, the details of which are discussed in a future section of this paper, has size ðbl
bc Þ!. The permutation-key s acts on the first image block by choosing, from such a block, the sð1Þth pixel; from the second image block, the sð2Þth pixel is chosen; from the third image block, the sð3Þth pixel is chosen and so on. For a given block, the pixels are sorted from the pixel on the top left corner to the pixel on the bottom right corner, from the left to right and from the top to the bottom. If Nb exceeds n, after selecting the sðnÞth pixel from the n-th image block, we simply return to sð1Þ and repeat the process of pixel selection for the subsequent image blocks. The pixels chosen by employing the described procedure are used as the top left corner of new 8
8 image blocks to which the FFCT is applied again. We consider that the image is periodically extended in both dimensions,

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

4

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

Fig. 2. Image encryption scheme.

Fig. 3. Construction of 8
8 blocks of subimages I1;2 and I 5;4 from a 64
64 block of an image. This procedure is used in the first step of the proposed encryption scheme.

in order to form blocks with pixels which would be located outside the image limits (this detail will be clarified by an example). The original block in the intermediate image Iint must be substituted by its transformed version before the next block being considered. This is necessary because, depending of our choices for the parameters bl and bc, there is superposition among the blocks. Actually, such a superposition is desired, once it provides diffusion among the encrypted image blocks. In other words, this means that the computation of the FFCT of a block defined from an incorrect pixel affects several other blocks. Additionally, we observe that there may be pixels of the intermediate image which are not contained in any new image block. However, once all pixels are processed by the FFCT in the first step of the encryption scheme, there is no risk that some pixel of the original image remains unchanged. In Fig. 4, an example of the block selection procedure applied to the intermediate image Iint in the second step of the proposed encryption scheme is illustrated. The image, which has dimensions l
c¼32
32, is divided into blocks with dimensions bl
bc ¼ 4
8. Once n ¼ bl
bc ¼ 32, the key s must be chosen from the permutation group S32. In the example, we use the permutation s ¼ ð2; 1; 4; 3; 6; 5; 8; 7; 10; 9; 12; 11; 14; 13; 16; 15; 18; 17; 20; 19; 22; 21; 24; 23; 26; 25; 28; 27; 30; 29; 32; 31Þ. In the figure, the

Fig. 4. Image block selection in the second step of the proposed encryption scheme. An intermediate image Iint with dimensions l
c ¼32
32 is considered. The pixels chosen by the key are black. The 8
8 blocks, defined by the pixels chosen from the 1st, the 5th and the 28th bl
bc ¼4
8 blocks and to which the FFCT will be applied, are emphasized (groups of gray pixels delimited by dashed lines).

enumeration of the pixels inside a 4
8 image block is shown. We also show the pixels determined by the key on each 4
8 image block (black pixels). The 8
8 blocks, defined by the pixels chosen from the 1st, the 5th and the 28th 4
8 blocks and to which the FFCT will be applied, are emphasized (groups of gray pixels delimited by dashed

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

5

Fig. 5. Original and encrypted gray scale images used in the simulations. (a), (g) peppers.bmp; (b), (h) mandril.bmp; (c), (i) lake.bmp; (d), (j) jetplane.bmp; (e), (k) lena.bmp; and (f), (l) camera.bmp. All images have dimensions 512
512 pixels.

lines). Dark gray pixels indicate the region of superposition between such blocks. It is important to remark that the security of the proposed method does not rely on permutation of rows and columns; here, the only purpose of the permutation is the choice of a pixel to mark a block. That choice could be carried out by any scheme for generating pseudo-random sequences. In this sense, our approach is not susceptible to the weakness pointed out by Hermassi et al. in [25]. The decryption scheme consists simply in inverting the order of the operations applied to the image in the encryption process. In the first step of the decryption scheme, the inverse FFCT is recursively applied to the 8
8 blocks selected by using the same encryption key; here, the blocks are taken in the reverse order (the last encrypted block is the first decrypted block and so on) and the intermediate image is obtained. The inverse FFCT is recursively applied to each 8
8 block of the subimages obtained from the intermediate image. Finally, if the key is correct, the original image is recovered. 4. Simulations and security analysis In this section, we describe the simulations carried out to evaluate the proposed scheme and discuss their result. s The experiments run in Matlab , where programs to implement the encryption technique, presented in Section 3, were developed. The evaluation of the simulation results is based on metrics which allow a security analysis of the proposed scheme. Particularly, in Section 4.7, a speed analysis of the encryption/decryption procedure is done and some aspects related to the complexity of the technique are considered. We consider the images presented in the first row of Fig. 5 in our simulations. All images have dimensions 512
512 pixels and are in gray scale. We employ the FFCT defined over GF(257) and the matrix of which is given by Eq. (4); for the second step of the encryption scheme, the intermediate images are divided into blocks

with dimensions bc
bl ¼ 8
4 ¼ 32 and the key is s ¼ ð2,1,4,3,6,5,8,7,10,9,12,11,14,13,16,15,18,17,20,19,22,21,24, 23,26,25,28,27,30,29,32,31). The encrypted images are shown in the second row of Fig. 5. 4.1. Key space analysis The key space size is the amount of permutations with n ¼ bl
bc symbols, i.e., n!. Considering the parameters used in our simulations (n¼ 32), we have a key space with size 32! ¼ 263; 130; 836; 933; 693; 530; 167; 218; 012; 160; 000; 000≅2:6
1035 or, approximately, some value between 2117 and 2118. We will show that we need exactly 118 bits to encode the key.3 In a first scheme of key encoding, we could use ω bits to encode each one of the n integer numbers which constitute the permutation, which is in fact the key. For example, to encode the key s ¼ ð2; 1; 4; 3; 6; 5; 8; 7; 10; 9; 12; 11; 14; 13; 16; 15; 18; 17; 20; 19; 22; 21; 24; 23; 26; 25; 28; 27; 30; 29; 32; 31Þ, we use ω ¼ 5 bits per number, once we need to encode 32 ¼25 integer numbers. The code uses the numbers from 0 to 2ω −1. To obtain the original key, we add one to each integer number in the key encoded by such a scheme. The last component of a permutation can always be inferred from the others, such that the total amount of bits used in this code is ðn−1Þ
ω. This strategy demands 31
5 ¼155 bits; the key s ¼ ð2; 1; 4; 3; ⋯; 32; 31Þ is encoded by the 155 bits sequence scod ¼ ½00001; 00000; 00011; 00010; ⋯; 11111; –; where the symbol “–” at the end of the code means that the bits corresponding to the last integer number of the 3 We may compare this number with the 3-DES key, which requires 168 bits, and the AES key, which requires 128 to 256 bits. For practical purposes, the RSA employs keys with sizes starting from 128 bits [26].

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

6

component equals to 31 at the end of the key, which would be encoded by the sequence 11110, is not necessary. In fact, the described scheme is inefficient, once it uses a set of bits larger than the key space, which represents some redundancy. A more efficient scheme would be achieved by encoding the key using an integer number between 0 and 32!. This requires exactly the same amount of bits related to the key space size. Such encoding assumes that the set of all permutations with n symbols Sn has their elements sorted in the lexicographic order. In a sequence starting from zero, we take integer numbers and associate them to each one of the elements of Sn. Given any number m between 0 and n!−1, we can recover the corresponding permutation by the following recursive procedure: 1. Start:  s←∅ an empty sorted list of symbols  L←f1; 2; 3; …; ng a sorted list of symbols  r←m  s←n−1 2. If s≠0, then  s←r%ðs!Þ (r becomes the rest of the division of r by s!)  If q is the quotient of the last division, i.e., the division of r by s!, remove the k+1-th symbol in L and insert it at the end of the list s.  Do s←s−1 and repeat item 2. 3. Otherwise, stop and return s, the permutation the code of which is the number m. Observe that the last symbol in s is inferred (in fact, the last symbol in s is the symbol remanescent in L). We emphasize that the key space size of our method depends uniquely on the parameters bl and bc. If we choose, for example, bl
bc ¼40, one has keys of order 40! 42159 ; this would suffice for making the scheme completely secure against brute-force attacks [26]. As previously mentioned, the main step of the proposed method is the finite field cosine transform. As a consequence, the choices for bl and bc are flexible and different combinations of such parameters can be used. 4.2. Recursive application of the FFCT The FFCT is recursively applied in a block-based manner in both first and second steps of the proposed image

encryption technique. Since the computation of the transforms represents the most part of the computational cost of the image processing during the encryption/decryption, it is important to measure the number of times the FFCT has to be applied to the image blocks in order to keep the range of the pixels values from 0 to 255. This metric is also important because the number of recursive applications of the FFCT to an image block must be as less as possible than the period of the matrix C. Otherwise, security problems may exist. Such a measurement is done by computing the percentage of image blocks submitted to a given number of recursive applications of the FFCT. Such results, for the first and the second steps of the encryption scheme, are shown separately in Table 1. In all images, almost 80% of the blocks had to be transformed only once. A rather small percentage of blocks had to be transformed more than twice. This indicates that the extra computational effort due to the recursive application of the FFCT is reasonable. We also observe that the largest number of rounds necessary for a block was 8. Since the transform matrix we have used has a large period, there is no practical risk of returning the transformed block to the respective original block by the FFCT recursive computation. Other aspects related to the computational complexity of the proposed encryption scheme are addressed in Section 4.7. 4.3. Statistical analysis The statistical analysis of the proposed method is based on the histograms and the correlation of adjacent pixels of encrypted images. Explanations concerning the effects of the FFCT application on the histogram of an image can be carried out by considering aspects of modular arithmetic. If the value of each pixel of a gray scale (8 bits) image is multiplied by a constant K (modulo p), the frequencies of occurrence of the symbols of this image (integer numbers from 0 to 255) are displaced. If K ¼3 and p ¼257, for example, after the modular multiplication, the frequency of occurrence of the symbol 150 will be associated to the symbol 193. When the product between the pixels and the constant K is substituted by a linear combination which involves a block of pixels (transform application), the process becomes more complex. However, the effect described in the situation presented as an example is also verified. Although the difference among the frequency of occurrence

Table 1 Percentages of blocks of test images submitted to recursive applications of the FFCT, in the first and the second steps of the encryption scheme. #App.

1 2 3 4 5 6 7 8

peppers

mandril

lake

jetplane

lena

camera

1st

2nd

1st

2nd

1st

2nd

1st

2nd

1st

2nd

1st

2nd

78.1982 16.9678 3.5889 0.9033 0.2441 0.0732 0.0244 0.0000

78.2593 16.7725 3.7964 0.9521 0.1709 0.0427 0.0061 0.0000

76.6602 18.8477 3.6621 0.6836 0.1465 0.0244 0.0000 0.0000

77.6978 17.5476 3.7231 0.8118 0.1770 0.0244 0.0183 0.0000

78.8086 16.2842 3.6865 0.9277 0.2441 0.0244 0.0244 0.0000

77.8748 17.2547 3.6926 0.9155 0.1892 0.0610 0.0122 0.0000

77.1240 18.2129 3.8574 0.6104 0.1465 0.0244 0.0244 0.0000

77.9968 16.9617 4.0527 0.7202 0.1892 0.0793 0.0000 0.0000

78.0518 16.7480 4.2480 0.7568 0.1465 0.0488 0.0122 0.0000

77.9968 17.1631 3.7964 0.7691 0.2136 0.0488 0.0122 0.0000

77.8076 17.2119 4.1016 0.7080 0.1465 0.0244 0.0122 0.0000

77.9358 17.5659 3.5523 0.7202 0.1953 0.0183 0.0061 0.0061

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

7

Fig. 6. Histograms of original and encrypted gray scale images used in the simulations. (a), (g) peppers.bmp; (b), (h) mandril.bmp; (c), (i) lake.bmp; (d), (j) jetplane.bmp; (e), (k) lena.bmp; and (f), (l) camera.bmp.

of the symbols is large, the tendency is that the application of the FFCT produces transformed blocks composed by uniformly distributed symbols. In Fig. 6, we present the histograms of the original and the encrypted test images. From such a figure, we verify that the visual information of the images is completely damaged and a noisy aspect is observed. With respect to the new histograms, we observe that their distributions appear to be uniform, which suggests that a statistical analysis would not be effective for the evaluation of the original image content. The correlation between two adjacent pixels of an image (the adjacency can be horizontal, vertical or diagonal) [4] can be considered as an objective metric to evaluate the effect of the encryption process. By selecting arbitrarily P pixels of the image, the correlation coefficient is computed by

Table 2 Correlation coefficients of the original (rxy) and encrypted test images ðr~ xy Þ; (v), (h) and (d) are related to vertical, horizontal and diagonal correlation, respectively.

covðx; yÞ r xy ¼ pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi ; DðxÞDðyÞ

HðmÞ ¼ ∑ pðmi Þlog2

Metric peppers rxy(v) r~ xy ðvÞ rxy(h) r~ xy ðhÞ rxy(d) r~ xy ðdÞ

where covðx; yÞ ¼ ð1=PÞ∑Pi¼ 1 ðxi −EðxÞÞðyi −EðyÞÞ, DðxÞ ¼ ð1=PÞ ∑Pi¼ 1 ðxi −EðxÞÞ2 and EðxÞ ¼ ð1=PÞ∑Pi¼ 1 xi ; xi is the value of the i-th selected pixel and yi is the value of the correspondent adjacent pixel. It is expected that an image, before being submitted to the encryption procedure, has correlation coefficient close to 1; it is desirable that the correlation coefficient of the encrypted image be as close to 0 as possible. The values we have encountered for the correlation coefficients in vertical, horizontal and diagonal directions for all test images are shown in Table 2; rxy and r~ xy denote the correlation coefficient of an image before and after the encryption, respectively. As expected, while rxy is considerably close to 1 for all images, r~ xy is close to 0. This indicates the low level of correlation between two adjacent pixels in the encrypted images. With the purpose of illustrating this result, correlation distributions of original and encrypted image lena.bmp are shown in Fig. 7. In this figure, randomly chosen pixels and corresponding horizontal adjacent pixels are considered. Similar distributions are obtained for other images and directions in pixel adjacency.

lake

jetplane

lena

camera

0.9805 0.9125 0.9756 0.9710 0.9852 0.9894 0.0000 0.0005 −0.0045 −0.0062 0.0026 0.0026 0.9794 0.9332 0.9757 0.9732 0.9725 0.9832 0.0016 −0.0114 −0.0013 0.0022 −0.0038 −0.0012 0.9705 0.8666 0.9606 0.9510 0.9603 0.9726 −0.0086 0.0055 −0.0086 0.0050 0.0093 0.0038

4.4. Information entropy analysis The entropy H(m) of a message source m can be measured by M−1

ð5Þ

mandril

i¼0

1 ; pðmi Þ

ð6Þ

where M is the total number of symbols mi ∈m and p(mi) represents the probability of occurrence of symbol mi [27]. For a random source emitting 256 equiprobable symbols, one has H(m)¼ 8 bits. For all images used in our simulations, after the encryption procedure, the entropy has assumed values varying from 7.9992 to 7.9994. This means that the ciphered-images are close to a random source and the proposed algorithm is secure against the entropy attack. Additionally, such a result ratifies the uniformity of the histograms shown in the second row of Fig. 6. 4.5. Resistance to differential attack The resistance of the proposed technique to differential attack is evaluated by comparing ciphered-images obtained by the encryption of two minimally different plain-images. It is desired that such ciphered-images are substantially different. This is measured by the number of pixels change rate (NPCR) and the unified average changing intensity (UACI), which are defined by [27,28] NPCR ¼

∑i;j Dði; jÞ
100% W
H

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

ð7Þ

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

8

300 Pixel gray value on location (x+1,y)

Pixel gray value on location (x+1,y)

250

200

150

100

50

0

0

50

100

150

200

250

250 200 150 100 50 0

0

50

Pixel gray value on location (x,y)

100

150

200

250

300

Pixel gray value on location (x,y)

Fig. 7. Correlation distributions in original and encrypted image lena.bmp. Randomly chosen pixels and corresponding horizontal adjacent pixels are considered.

and

# 1 jC 1 ði; jÞ−C 2 ði; jÞj ∑ UACI ¼ : W
H i;j 255

Table 3 Maximum, minimum and average NPCR and UACI values.

"

ð8Þ

C1 and C2 are the two ciphered-images whose plainimages have only one-pixel difference; the gray scale values of the pixels at position (i,j) of C1 and C2 are, respectively, denoted as C1(i,j) and C2(i,j); W and H correspond to the width and the height of the cipheredimage, respectively; D(i,j) is determined according to the rule ( 1; C 1 ði; jÞ≠C 2 ði; jÞ; Dði; jÞ ¼ 0; otherwise: In our experiments, we consider a plain-image and randomly choose one of its pixels. The least significant bit of such a pixel is inverted and a modified image is obtained. Both images are encrypted using the same key and two ciphered-images, C1 and C2, are generated. The values for NPCR and UACI are then computed. This procedure is performed 100 times for each test image. The resulting maximum, minimum and average NPCR and UACI values are listed in Table 3. The obtained results show that a slightly change in an original test image leads to a considerable change in the ciphered-image. This conclusion is indicated by NPCR values close to 100% and UACI values greater than or equal to 33.3% [28]. 4.6. Key sensitivity The key sensitivity of the proposed encryption scheme is evaluated by ciphering a plain-image with a given secret-key and attempting to decrypt the corresponding ciphered-image with a key minimally different from the correct one. Since the key is a permutation, in order to obtain the wrong key, we simply permute two arbitrary positions of the key used in the encryption. The difference between the original plain-image and that recovered with the wrong key is measured by the number of pixels change rate (NPCR), which was introduced in Section 4.5. We have performed the described test for the images presented in the first row of Fig. 5. All obtained NPCR were greater than 99.5%, which indicates that the proposed

Image name peppers NPCR UACI mandril NPCR UACI lake NPCR UACI jetplane NPCR UACI lena NPCR UACI camera NPCR UACI

Max (%)

Min (%)

Average (%)

99.6361 33.6021

99.5750 33.3494

99.6084 33.4525

99.6353 33.5908

99.5800 33.3817

99.6066 33.4758

99.6387 33.5620

99.5857 33.3291

99.6120 33.4653

99.6376 33.5784

99.5739 33.2941

99.6063 33.4556

99.6510 33.5604

99.5716 33.3049

99.6098 33.4366

99.6452 33.5506

99.5834 33.3488

99.6113 33.4469

scheme is highly sensitive to small changes in the key. In order to illustrate the visual effect of the key sensitivity, Fig. 8 shows the result of the decryption of the image peppers.bmp using the key s′ ¼ ð2; 1; 4; 3; 6; 5; 8; 7; 10; 9; 12; 11; 14; 13; 31; 15, 18, 17, 20, 19, 22, 21, 24, 23, 26, 25, 28; 27; 30; 29; 32; 16Þ; the underlined numbers in s′ indicate the positions which have been permuted in the correct key s. As expected, we observe in the figure the noisy aspect of the wrongly decrypted image. Additionally, we have generated other 30 arbitrary wrong keys; each one of such keys differs from the correct key s in 3–32 positions. Such wrong keys, together with the wrong key s′ given in the last paragraph, were used to decrypt the image peppers.bmp. The differences between the original plain-image and those recovered with each wrong key were measured by the NPCR and the curve shown in Fig. 9 was obtained. This result allows us to generalize our previous conclusion, in the sense that it indicates that the degradation observed in the decrypted images independs on the “proximity” between a wrong key and the correct key s. This behavior is also observed for other test images.

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

9

M
M image has to be recursively transformed at most 8 times, the time t1(M) spent in the first step of the encryption scheme ranges according to 8
t block ≤ t 1 ðMÞ≤1:25
ðM=8Þ2
t block . The lower bound of t1(M) is given by considering that all blocks are processed in parallel; the upper bound of t1(M) is given by considering that all blocks are processed in a serial manner. In the second step of the proposed scheme, there is superposition among the blocks and parallel computations cannot be carried out. Using parameters bl ¼4 and bc ¼ 8 (see Fig. 4), the number of blocks processed in each round of the second step has to be multiplied by two. Therefore, the time t2(M) spent in the second step of the encryption scheme is t 2 ðMÞ ¼ 1:25
2
2
ðM=8Þ2
t block . Using t1(M) and t2(M), the estimated total time t total ðMÞ ¼ 2
½t 1 ðMÞ þ t 2 ðMÞ required to perform encryption/decryption ranges according to "  2 #  2 M M
7:5 8þ5

1:2
10−5 ≤t total ðMÞ≤ 8 8
10−5 : Fig. 8. Image peppers.bmp after being decrypted with a key slightly different from the key used in its encryption.

99.65 99.64

NPCR (%)

99.63 99.62 99.61 99.60 99.59 99.58 99.57

2

8

14

20

26

32

Number of positions where the wrong key differs from de correct key

Fig. 9. Differences between the original plain-image peppers.bmp and those recovered with wrong keys.

4.7. Speed analysis and complexity We have analyzed the speed of the proposed image encryption/decryption technique on an Intel Core i5 2.5 GHz CPU with 4 GB RAM running on Mac OS X and s using Matlab . Since the encryption scheme is implemented in separated steps, in order to estimate the total time required to encrypt/decrypt an image, we first estimate the time required to compute the 8
8 FFCT of a gray scale image block using the matrix given by Eq. (4). The average time obtained in our simulations was t block ¼ 6
10−6 s. Using the results shown in Table 1, we compute the number of extra FFCT computations due to the recursive application explained in Section 3. The average number of extra FFCT computations is about 25% of the total number of processed blocks. Since there is no superposition among the blocks processed in the first step of the proposed scheme, the FFCT computed in such a step can be carried out in parallel. Therefore, considering that a block of an

ð9Þ

Using Eq. (9), we compute 0:0615≤t total ð256Þ≤0:0768, 0:2459≤t total ð512Þ≤0:3072 and 0:9831≤t total ð1024Þ≤1:2288 (all values are given in seconds). Such values are acceptable for most application scenarios and similar to the values achieved by other image encryption schemes. In particular, the values we have obtained are smaller than those reported in [9,29], but greater than those presented s in [8,27]. It is important to remark that Matlab is considerably slow, in comparison to other programming languages extensively used. This means that the speed of the proposed encryption scheme can be significantly increased, if it is implemented in C++, for instance. The speed of the proposed encryption technique can also be increased by the use of fast algorithms to compute the FFCT. In this context, we use as reference the asymptotic notation OðN2 Þ, which indicates the number of additions and multiplications needed to compute an N-length FFCT by a direct matrix product. The fast computation of the FFCT can be carried out by using most fast algorithms to compute the DCT; such algorithms are usually based on the symmetries of the corresponding transform matrix, which are preserved in the finite field framework [22]. This is the case of the fast algorithm derived from the radix-2 fast Fourier transform, which involves OðN log2 NÞ additions and multiplications [30–32]. This allows us to see that, in the computation of an 8-length FFCT, for example, more than 60% of the arithmetic operations can be saved by using a fast transform. Naturally, such a complexity reduction implies a time reduction in the encryption/ decryption procedure. Finally, we note that the speed performance of our approach can be further improved by taking advantage of computing in a field whose characteristic is a Fermat prime. Modular reduction by a Fermat prime can be performed by simple addition/subtraction and shift operations; multiplications by powers of 2 can be achieved by shift operations [20,33]. These facts can be used in the computation of the FFCT defined over GF(257) and the matrix of which, given by Eq. (4), is constructed from

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

10

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]]

powers of ζ ¼ 128 ¼ 27 . This means that the multiplicative complexity of the proposed encryption scheme can be led to zero.

to other digital media, such as audio and video, are also being developed.

5. Concluding remarks In this paper, a procedure to encrypt digital images based on the finite field cosine transform was introduced. In the first step of the proposed technique, 64 subimages are constructed from the original image. Such subimages are then regularly divided into 8
8 blocks to which the FFCT is recursively applied. The transformed subimages are regrouped in order to produce an intermediate image, with the same dimensions of the original image. In the second step, a permutation is used as a secret-key. The key has the purpose of defining positions of image blocks which are submitted to new transform rounds. After such steps, the encrypted image is obtained. The decryption process is implemented by using the encryption steps in a reverse order. Several metrics were considered to evaluate the robustness of the proposed method against the main cryptographic attacks. Computer simulations were carried out and their results have shown that our approach has a satisfactory performance under statistical and differential attacks, for example. The key space is adequate and the key can be encoded using an efficient strategy. Besides complying with mandatory security requirements, the proposed technique has advantages directly related to the finite field arithmetic, such as the avoidance of rounding-off errors and the possibility of using the same encoding scheme for original and ciphered-images. We emphasize that the FFCT can be computed using standard fast algorithms, which are implemented in a simpler manner in fields whose characteristic is a Fermat prime number. We also remember that, in the first step of the algorithm, the FFCT of each block can be computed in paralell which allows more flexible implementations. Since the proposed encryption method does not introduce rounding-off errors, it is highly suitable for applications where such errors must be avoided. This is the case, for example, of the encryption of medical images [34]; in some of these images, few changes can lead to incorrect diagnoses. Our scheme can be used in the transmission and storage of these images. The aspects we have discussed in Section 4.7 indicate that the proposed technique can be used in real-time applications, specially in scenarios where uncompressed images must be transmitted securely. It is also relevant to mention that the proposed scheme can be implemented using programming languages which produce user-friendly interfaces, such as those employed in the development of smartphones and tablets apps. In this manner, the scheme could be used to protect images stored on these devices, for instance. Currently, several aspects concerning the improvement of the proposed method are under investigation. Specifically, we are studying other approaches for the secret-key used in the second step of the encryption scheme. Additionally, we are investigating other finite field transforms which could be used in the proposed technique [35]. Extensions of our encryption method to color images and

Acknowledgments This research was supported by Fundação de Amparo à Ciência e Tecnologia do Estado de Pernambuco – FACEPE – under Grant APQ 1196-3.04/10, and by Conselho Nacional de Desenvolvimento Científico e Tecnológico – CNPq. References [1] S. Cimato, C.N. Yang, Visual Cryptography and Secret Image Sharing, 1st Edition, CRC Press, 2011. [2] I.J. Cox, M.L. Miller, J.A. Bloom, Digital Watermarking and Steganography, 2nd Edition, Morgan Kaufmann, 2007. [3] J. Fridrich, Steganography in Digital Media: Principles, Algorithms, and Applications, 1st Edition, Cambridge University Press, 2009. [4] G. Ye, Image scrambling encryption algorithm of pixel bit based on chaos map, Pattern Recognition Letters 31 (5) (2010) 347–354. [5] Z. Liu, L. Xu, J. Dai, S. Liu, Image encryption by using local random phase encoding in fractional Fourier transform domains, Optik— International Journal for Light and Electron Optics 123 (5) (2012) 428–432. [6] Z. Liu, M. Yang, W. Liu, S. Li, M. Gong, W. Liu, S. Liu, Image encryption algorithm based on the random local phase encoding in gyrator transform domains, Optics Communications 285 (19) (2012) 3921–3925. [7] Z. Liu, J. Dai, X. Sun, S. Liu, Triple image encryption scheme in fractional Fourier transform domains, Optics Communications 282 (4) (2009) 518–522. [8] C.-H. Yuen, K.-W. Wong, A chaos-based joint image compression and encryption scheme using DCT and SHA-1, Applied Soft Computing 11 (8) (2011) 5092–5098. [9] G. Chen, Y. Mao, C.K. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos, Solitons & Fractals 21 (3) (2004) 749–761. [10] B. Hennelly, J.T. Sheridan, Optical image encryption by random shifting in fractional Fourier domains, Optics Letters 28 (4) (2003) 269–271. [11] Q. Guo, Z. Liu, S. Liu, Color image encryption by using Arnold and discrete fractional random transforms in IHS space, Optics and Lasers in Engineering 48 (12) (2010) 1174–1181. [12] P. Refregier, B. Javidi, Optical image encryption based on input plane and Fourier plane random encoding, Optics Letters 20 (7) (1995) 767–769. [13] G. Unnikrishnan, J. Joseph, K. Singh, Optical encryption by doublerandom phase encoding in the fractional Fourier domain, Optics Letters 25 (12) (2000) 887–889. [14] G.H. Situ, J.J. Zhang, Double random phase encoding in the Fresnel domain, Optics Letters 29 (14) (2004) 1584–1586. [15] L.F. Chen, D.M. Zhao, Gray images embedded in a color image and encrypted with FRFT and region shift encoding methods, Optics Communications 283 (10) (2010) 2043–2049. [16] M.M. Campello de Souza, H.M. de Oliveira, R.M. Campello de Souza, M.M. Vasconcelos, The discrete cosine transform over prime finite fields, in: J.N. de Souza, P. Dini, P. Lorenz (Eds.), International Conference on Telecommunications, Lecture Notes in Computer Science, Springer, Berlin, 2004, pp. 482–487. [17] J.B. Lima, R.M. Campello de Souza, D. Panario, The eigenstructure of finite fields trigonometric transforms, Linear Algebra and its Applications 435 (8) (2011) 1956–1971. [18] J.B. Lima, R.M. Campello de Souza, Histogram uniformization for digital image encryption, in: Proceedings of the XXV Conference on Graphics, Patterns and Images (SIBGRAPI), 2012, pp. 55–62. [19] T. Toivonen, J. Heikkilä, Video filtering with Fermat number theoretic transforms using residue number system, IEEE Transactions on Circuits and Systems for Video Technology 16 (1) (2006) 92–101. [20] R.E. Blahut, Fast Algorithms for Signal Processing, Cambridge University Press, 2010. [21] L. Zhang, X. Liao, X. Wang, An image encryption approach based on chaotic maps, Chaos, Solitons & Fractals 24 (3) (2005) 759–765.

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i

J.B. Lima et al. / Signal Processing: Image Communication ] (]]]]) ]]]–]]] [22] J.B. Lima, R.M. Campello de Souza, Finite field trigonometric transforms, Applicable Algebra in Engineering, Communication and Computing 22 (2011) 393–411. [23] R.M. Campello de Souza, H.M. de Oliveira, A. Kauffman, A.J.A. Paschoal, Trigonometry in finite fields and a new Hartley transform, in: Proceedings of the IEEE International Symposium of Information Theory (ISIT'98), IEEE, 1998, p. 293. [24] D.T. Birtwistle, The eigenstructure of the number theoretic transforms, Signal Processing 4 (4) (1982) 287–294. [25] H. Hermassi, R. Rhouma, S. Belghith, Security analysis of image cryptosystems only or partially based on a chaotic permutation, Journal of Systems and Software 85 (9) (2012) 2133–2144. [26] N. Smart, ECRYPT II Yearly Report on Algorithms and Keysizes (2010–2011), Technical Report, European Network of Excellence in Cryptology II, 2011. [27] A. Akhshani, S. Behnia, A. Akhavan, H. Abu Hassan, Z. Hassan, A novel scheme for image encryption based on 2D piecewise chaotic maps, Optics Communications 283 (17) (2010) 3259–3266. [28] Y. Wang, K.-W. Wong, X. Liao, G. Chen, A new chaos-based fast image encryption algorithm, Applied Soft Computing 11 (1) (2011) 514–522.

11

[29] S. Behnia, A. Akhshani, S. Ahadpour, H. Mahmodi, A. Akhavan, A fast chaotic encryption scheme based on piecewise nonlinear chaotic maps, Physics Letters A 366 (4–5) (2007) 391–396. [30] S.C. Chan, K.L. Ho, Direct method for computing sinusoidal transforms, IEE Proceedings 137 (6) (1990) 433–442. [31] E. Feig, S. Winograd, Fast algorithms for the discrete cosine transform, IEEE Transactions on Signal Processing 40 (9) (1992) 2174–2193. [32] G. Bi, Y. Zeng, Transforms and Fast Algorithms for Signal Analysis and Representations, Birkhäusen, Boston, 2003. [33] S. Baktir, B. Sunar, Achieving efficient polynomial multiplication in Fermat fields using the fast Fourier transform, in: Proceedings of the 44th ACM Southeast Conference, Melbourne, FL, 2006, pp. 549–554. [34] D. Bouslimi, G. Coatrieux, M. Cozic, C. Roux, A joint encryption/ watermarking system for verifying the reliability of medical images, IEEE Transactions on Information Technology in Biomedicine 16 (5) (2012) 891–899. [35] J.B. Lima, R.M. Campello de Souza, The fractional Fourier transform over finite fields, Signal Processing 92 (2) (2012) 465–476.

Please cite this article as: J.B. Lima, et al., (2013), http://dx.doi.org/10.1016/j.image.2013.05.008i