Gray code permutation algorithm for high-dimensional data encryption

Information Sciences 270 (2014) 288–297

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Gray code permutation algorithm for high-dimensional data encryption Massimiliano Zanin a,⇑, Alexander N. Pisarchik b,c a

INNAXIS Foundation & Research Institute, 28006 Madrid, Spain Centro de Investigaciones en Optica, Loma del Bosque 115, Lomas del Campestre, 37150 Leon, Guanajuato, Mexico c Centre for Biomedical Technology, Technical University of Madrid, Campus Montegancedo, 28223 Pozuelo de Alarcón, Madrid, Spain b

a r t i c l e

i n f o

Article history: Received 21 July 2009 Received in revised form 5 January 2011 Accepted 15 February 2014 Available online 4 March 2014 Keywords: Image encryption Chaotic cryptosystem Permutation box Gray code

a b s t r a c t We present a novel permutation algorithm for fast encryption of a large amount of data, such as 3D images and real-time videos. The proposed P-Box algorithm takes advantage of Gray code properties and allows fast encryption with high information diffusion. The algorithm is optimized for integer q-bit operations (q ¼ 8; 16; 32; . . .), allowing a direct implementation in almost any hardware platform, while avoiding rounding errors of floating-point operations. By combining the P-Box with chaotic S-Box based on the logistic map, we design a complete, highly secure and fast cryptosystem. Ó 2014 Elsevier Inc. All rights reserved.

1. Introduction In recent years, the volume of information that needs to be transmitted through any communication media has gone up very rapidly; and while security still remains a serious problem, speed is becoming another important issue. There is an evident relationship between the encryption/decryption time (EDT) and the quantity of information to be transmitted; the larger the data size, the longer the EDT. New multimedia have to show off the limitations of standard encryption schemes [22,5], since they require very large computational time, restricting their implementation for real-time signal transmission. To increase security, some algorithms use several encryption loops (see, e.g., [13]) calling for larger EDT. The challenge of modern cryptography is to optimize the balance between security and encryption speed, while dealing with a bigger and bigger volume of information. It is well known that a strong cryptosystem must include two main steps [15]: P-Box or permutation step, where the information position is changed in the data sequence, and S-Box or substitution step, where every single piece of information (symbol or group of symbols, e.g. each byte) is substituted by another symbol. These two steps reflect two basic properties of a good cryptosystem, confusion and diffusion [23]. When one deals with a large amount of information (for example, realtime videos or 3D images), several fast algorithms are available for implementing the S-Box; they usually encode groups of bits in a sequential way, for instance, any stream ciphers, such as A5/1 or RC4 [15,24]. It is with the P-Box processes that serious speed problems arise, since these algorithms need to shuffle the whole message many times, following complex rules and therefore rising the computational cost. Recently, many new secure algorithms which use nontraditional techniques have been developed (see, for instance, [16,9,17,26,4,3]). Some of them are based on discrete chaotic systems [16,9,17], because of the ergodic property and their ⇑ Corresponding author. Tel.: +34 606 993761. E-mail address: [email protected] (M. Zanin). http://dx.doi.org/10.1016/j.ins.2014.02.131 0020-0255/Ó 2014 Elsevier Inc. All rights reserved.

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

289

high sensitivity to initial conditions and parameters they provide both P-Box and S-Box processes with good efficiency and high security. Among possible approaches for high-dimensional data encryption with chaotic maps, we distinguish the most secure algorithms based on the implementation of map lattices’ layers [18,19] and on the use of spatial chaotic maps [25]. As in many other cryptographic steps (or algorithms), theoretically the best result would be a completely random output. Indeed, the only algorithm which has been mathematically proven as secure is the ‘‘one time pad’’ encryption scheme. If permutations (or substitution) are performed on a random number sequence, there is no way to recover the original message, because of the lack of structure in the encrypted random data. Of course, this approach is usually not feasible in practice, since it requires a key (a random sequence) as large as the message to be encrypted. Recently, Sun et al. [25] designed a high secure permutation algorithm based on the logistic map; however the authors were unmindful of the high computational cost of their cipher, that makes their cryptosystem unpractical for real-time applications. Similar problems arise with traditional cryptographic techniques, such as DES and IDEA [22,5], while handling new multimedia formats; they are no longer suitable for practical image encryption, especially in real-time communication scenarios [1]. The purpose of this work is to design a rapid P-Box algorithm which would allow a fast permutation of a very large amount of data inside a multi-dimensional memory structure. It is clear that a cryptosystem based on permutation only, cannot guarantee much security because of their vulnerability to plaintext attacks; to ensure high security, a complete cryptosystem needs a secure S-Box [12]. Even so, a designed cryptosystem using both a P-Box and an S-Box may not be good enough to deter attacks; for example, one such system has been cryptanalyzed by Rhouma and Belghith [20]. If we are willing to pay the security tag in favor of speed as far as P-Box is concerned, the security of the complete cryptosystem has to rely completely on the security of the S-Box selection, one good possibility is an S-Box based on chaotic systems, such as the one we recently proposed [19]. The main function of the designed P-Box is the fast permutation of very extensive information data. To approach this problem, we take advantages of Gray numbers, as an alternative for existing chaotic algorithms proven inefficient when in need to manipulate a large amount of data in real time. We then demonstrate the capacity of such PBox for high-dimensional data encryption on a real 3D image. We also test the security of a complete cryptosystem build with the designed P-Box and a chaotic map based S-Box. The rest of the paper is organized as follows. In Section 2 we demonstrate the inefficiency of a P-Box based on chaotic maps for encryption of a large amount of data. In Section 3 we construct a new fast permutation algorithm based on the Gray code, in Section 4 we demonstrate its computational benefits when encrypting real 3D images, and in Section 5 we provide several security tests. Section 6 presents the example of a complete cryptosystem combining the proposed P-Box with a chaotic S-Box based on the logistic map. Finally, the main conclusions are given in Section 7. 2. Permutation with chaotic maps The possibilities of using chaotic maps for data permutation have been demonstrated by several authors (see, e.g. [16,9,17–19,25]), in particular, Sun et al. [25] recently implemented a permutation process with chaotic series generated by a 2D spatial chaotic map. Although, from a theoretical point of view, their idea is very appealing, we will show that it is hardly applicable to a high-dimensional data encryption calling for a very long computational time. To underline this drawback, we consider a 3D m  n  l data array in orthogonal Dekart coordinates with X; Y and Z axes. A basic permutation algorithm based on a chaotic function would have to include the following operations: 1. Choose a convenient chaotic function f: taking into account that the major part of the calculation time is spent looking for the next map value, f must be fast and optimized for real hardware or software implementation. Since the security depends on f and its chaotic properties, a balance between speed and security has to be reached. 2. Permute the data structure in the spirit of Sun et al. [25], the 3D array is first cut in slices of thickness 1 along one axis to then rearrange them in a different order. Starting with the X axis, the data is divided between m YZ separated planes labeled with M i (i ¼ 1; 2; . . . ; m), thus creating an orderly array M ¼ ðM 1 ; M2 ; . . . ; M j ; . . . ; M m Þ. The chaotic function f is then applied to generate a pseudo-random sequence to shuffle all planes. The initial conditions are used as secret keys. The chaotic sequence indicates with which plane Mj the plane M i (i – j for 8i; j 2 ½1; m) is permuted with. 3. Repeat the previous step to create for the XZ and XY planes two sequences N and L of sizes n and l, respectively. An algorithm with such a structure suffers from two main drawbacks: (i) The calculations of arrays M; N and L are long and slow, because each value in the arrays must be different from the others in the series. Let us suppose, for example, that we are constructing array M. Using the chaotic function f, we create a long series S ¼ ðS1 ; S2 ; . . . ; Sm Þ; the first value of M (i.e. M 1 ) is readily available, since M 1 ¼ S1 (if the output of f is in the range ½0; 1, each value must be multiplied by m to cover the range ½0; m, and rounded to the closer integer number). The problem arises as we go further in calculations of M when the next value S2 is taken and compared with all previous values of M to verify whether or not it has already appeared and be discarded if so. This process must be repeated for each and all values of S! As the array’s dimension becomes bigger, more and more values have to be discarded while the computational time increases very fast, as shown in Fig. 1. Both calculation rates V and R for

290

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

Fig. 1. Number of values (dots) and number of series (squares) calculated per one second with a Pentium IV 1 GHz processor, as a function of the logistic map series length. The onset shows these dependences in a log–log scale demonstrating the 1.2 and 2.2 power law scalings. For a consistent permutation algorithm each value in the series should be unique: this condition forces to discard a higher number of values as the series length grows, with a direct impact on the performance.

the number of values and for the number of series, respectively, decrease as the 1.2 and 2.2 powers with respect to the series size m, i.e. V  m1:2 and R  m2:2 . Moreover, the application of the chaotic maps in cryptography entails problems other than computational time, such as the existence of periodic windows and compatibility between different hardwares for floating point operations [19]. (ii) Standard hardwares work with one-dimensional data structures (or arrays) and have low efficiency if one wishes to maintain an original 3- (or higher) dimensional configuration. Although it is, of course, possible to convert the Dekart coordinate system into linear pointer pðx; y; zÞ ¼ xML þ yL þ z , this still requires a lot of extra operations for either reading or writing data. To permute a three-dimensional memory structure, using vectors M; N and L, we have to permute each YZ; XZ and XY plane according to these arrays. This yields a total of 3mnl memory permutations and every permutation needs at least three memory operations: read from the original memory structure, save it to a temporary array, and then write it back to the image. Therefore, the total number of memory operations required by a pointer conversion is 9mnl. 3. P-Box algorithm based on Gray numbers In order to overcome the speed problem when permuting a high-dimensional data structure, we propose an algorithm that handles information as if it were a linear array. To improve the efficiency we impose that this array size d is a power of 2. Thus, for the 3D example described above

d ¼ mnl ¼ 2q :

ð1Þ

The core of the proposed algorithm is a reflected binary code, also known as Gray code after Frank Gray [21]. In this code, the representation of two successive values should differ in one bit only; this property has been found useful in many applications, mainly related with the generation of Hash codes or efficient hardware design [7,6]. There are many possible codes that fulfill the previous definition [28], but the most commonly used codes are created via the Q ¼ q  q matrix multiplication defined as follows: (i) 1 in the main diagonal, (ii) 1 along the upper/minor diagonal, and (iii) 0 elsewhere. For example, the matrix Q for q ¼ 4 would be

3 1 1 0 0 60 1 1 07 7 6 Q ¼6 7 40 0 1 15 2

0

0

ð2Þ

0 1

with every operation performed in mod 2. A more efficient conversion algorithm for a software or hardware implementation is given by

G ¼ B  ðB  1Þ;

ð3Þ

where G is the resulting Gray number, B is the original number (in a binary representation),  is the binary XOR operation, and  represents the binary right shift. Table 1 shows the Gray representation of some numbers in a 4-bit code. A nonlinear transformation T has to be defined when a further operation is performed. The following steps show how to do it.

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

291

Table 1 The example of a 4-bit Gray code. The binary numbers are transformed into Gray numbers according to Eq. (3). The decimal meaning of a Gray number is the decimal value of the Gray representation, without going back to the standard binary representation. Decimal number

Binary representation

Gray number

Decimal meaning of the Gray number

0 1 2 3 4 5

0000 0001 0010 0011 0100 0101

0000 0001 0011 0010 0110 0111

0 1 3 2 6 7

1. Given a binary number x in a q-bits code, calculate its Gray representation with Eq. (3). 2. Read the obtained number as a standard binary representation, as shown in Table 1, column 4. It is worth noting that the above transformation T has several interesting properties:  The transformation output of any q-bits number (i.e., 0 6 x < 2q ) is any possible q-bits number, in other words, T is a bijective map that covers the whole 2q space.  Although the input numbers are arranged sequentially, the output is not linear, especially for high values of q.  The software implementation of this transformation is extremely fast, since it requires only two basic operations for each number: bit-shift and XOR. Once T is defined, we can describe the whole permutation algorithm. It should take values from array A of length d ¼ 2q and produce a permuted array Ap . To achieve this aim, the algorithm uses two offsets (or pointers), Of 1 and Of 2. The first one represents the position where one has to read information from the original data set; it follows the evolution of the Gray code and hence has a nonlinear behavior. The second (Of 2) indicates where to locate the byte read by Of 1. Recapitulating, for each item i in A, the steps are as follows. 1. Calculate the first offset by T-transforming the number i and applying a binary XOR operation with key K 1 :

Of1 ¼ TðiÞ  K 1 :

ð4Þ

2. Calculate the second offset by adding the second key K 2 to the previous value of the offset, modulus d. For the first item, the offset will be set to the initial value K 0 :

Of2 ¼ ðOf2 þ K 2 Þmod d; Of2 ¼ K 0 ;

i ¼ 1:

i > 1;

ð5Þ ð6Þ

3. To ensure that Of2 passes once for every item of the array, K 2 must be a prime number. Moreover, if we take into account that a mod b ¼ a&ðb  1Þ (& being the bitwise AND operator) when b ¼ 2q , the efficiency of this step still be improved. Since the array dimension d has a potential form previously given in Eq. (1), we can write

Of2 ¼ ðOf2 þ K 2 Þ&ðd  1Þ;

ð7Þ

where ðd  1Þ being a constant can be pre-calculated in advance. This step is therefore reduced to a sum and an AND operation. 4. Read the Of1 -th item of array A and write it in the Of2 -th position of array Ap . These keys should be q-bits’ dimensional because they are used along with the offsets in the XOR operations. Therefore, the whole key space dimension is 2q  2q  2q ¼ 23q , i.e. 3q bits. 4. Algorithm velocity To test the velocity of the proposed algorithm, we first need to create a 3D data structure. There are different ways of interpreting what 3D information means. One is to give the information on the entire body surface (holograms), a second is to create slices of the whole volume and study the underline structure (magnetic resonance, tomography), and a third is a temporal sequence of 2D images, i.e., a video or a movie In this paper we consider the second and third interpretations because the information to process is larger. The first example is the sequence of natural images (slices) of a dragonfly’s eye taken with a high-resolution optical microscope (Fig. 2). The symmetry of the dragonfly’s eye was the main reason to select it as the study object; it presents zones with regular patterns and high correlation between adjacent pixels that makes it very interesting for cryptographic purposes, and hence only a good permutation algorithm would be able to completely delete all these patterns. Each frame has 256  256 pixels, so the total array size d is a power of 2. The encrypted image obtained with secret keys

292

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

Fig. 2. The optical microscope images of a dragonfly’s eye (the focal distance between each shot is 60 microns). This images’ sequence can be handled like a three dimensional picture of 256  256  8 pixels of the total size d ¼ 524288 ¼ 219 .

K 1 ¼ 346644; K 2 ¼ 601, and K 0 ¼ 0 is shown in Fig. 3. One can see that the permutation process breaks the original image structure. From a cryptographic point of view, it is convenient to consider a movie as 3D data instead of a collection of isolated images because this implies different frames encrypted together allowing to mix information and therefore enhancing the security. Fig. 4 shows the example of such a movie along with its permuted version. This movie is created by plotting the Julia Set fractal, corresponding to the escape time of series znþ1 ¼ z2n þ c, when the parameter changes from c ¼ 0:20 þ 0:6i to c ¼ 0:41 þ 0:6i. The computational velocities and encryption times for the logistic map and Gray numbers permutation algorithms are summarized in Table 2, while their speed efficiencies are compared in Fig. 5. The permutation speed W (number of permuted pixels per second) for both the spatial logistic map and the Gray numbers can be approximated by an exponential function in terms of the image size d : W  ed=d with d ¼ 9 for the former and d ¼ 0:04 for the latter algorithm, respectively [Fig. 5(b)]. The analysis of Fig. 5 reveals the following important aspects.  The speed of the Gray number algorithm is almost independent of the image size nor of the dimension of the permuted data because software operations are needed only to discriminate duplicated values in arrays M; N and L.  For small images, the logistic map algorithm is especially inefficient.  For large images, the Gray number algorithm is approximately 30 times faster than the chaotic logistic map. Let us analyze the velocity calculated for the logistic map algorithm in Table 2. The encryption of 8 images of the dragonfly’s eye takes a little more than 0.09 s, i.e. about 90 images per second, well above for real time-application requirement (24 frames per second). Now suppose that we want to encrypt a movie (a sequence in time of 2D images) in the new Full High Definition format which can be found in Blu Ray discs: 1920  1080 pixels at 24 fps. Each image has around 30 times more data to be permuted than one slice of the dragonfly’s eye considered; clearly, this movie cannot be encrypted frame by

Fig. 3. Permutation images obtained with the Gray numbers algorithm for the dragonfly’s eye in Fig. 2 with the secret keys K 1 ¼ 346644; K 2 ¼ 601, and K 0 ¼ 0.

293

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

Fig. 4. Example of permutation process applied to a video. (Top) Original sequence of Julia Set images when the parameter changes from 0:20 þ 0:6i to 0:41 þ 0:6i. (Bottom) Result of permutation. The secret keys are the same as for Fig. 3.

Table 2 Speed comparison between the chaotic logistic map and the Gray numbers P-Box algorithms. Velocity (in millions of pixels per second) is calculated with a 1 GHz PC. Calculation time (in seconds) is the time needed to permute the 3D image in Fig. 2. Algorithm

Complexity

Velocity (Mp/s)

Calculation time (s)

Logistic map Gray numbers

LS(M) + LS(N) + LS(L) + O(9MNL) O(MNL)

5.650 150.312

0.0928 0.0035

frame in real time by the logistic map permutation algorithm (less than 3 fps), but can comfortably be encrypted by the Gray code numbers (around 70 fps). 5. Security assessment It is well known that a P-Box alone cannot be used when designing a secure cryptosystem. When no S-Box is present, it is easy for a hacker to recover the original message through a dictionary attack, a targeted technique for defeating a cipher by trying all words in a dictionary to determine the decryption key. In short, the attacker would have to encrypt a message containing numerical values in an ascendant order, i.e. the plaintext would be A ¼ ½0; 1; 2; . . . ; d. When such plaintext is encrypted, the resulting ciphertext will reveal what the permutation of each pixel is. Even if an S-Box is to be used, it is in our best interest to make sure that the P-Box output data does not create any structure, so that it behaves as close as possible to a random permutation. The random permutation, as a modification of the one time pad encryption scheme is the only secure P-Box since no structure whatsoever can be obtained from a randomly permuted data. The main drawback of the random permutation is that its secret key has the same dimension as the message to be codified, that makes it difficult for real applications. Therefore, the only realistic goal is to achieve, with reasonable small keys, performances as close as possible to a random permutation. To fulfill the above requirement, let us compare the outputs of the proposed algorithm and of a random permutation. In Fig. 6 we plot the return map, i.e. a pixel’s position before permutation versus its new position after permutation (Of1 versus Of2 ). The algorithm is applied for different random keys to gather 2  105 different permutations and the representative results are shown as a gray-scale 2D probability plot. Although some thin structures can be detected in this plot, the overall distribution is flat and diffused enough to ensure that with the additional use of an S-Box they cannot help cryptanalysis. Fig. 7(a) displays the probability distribution of the distance between the initial and permuted pixel’s positions (jOf1  Of2 j). In the left-hand side we compare the distribution obtained with a given pair of keys ðK 1 ; K 2 Þ (black solid line) with the one generated by a random permutation (dashed red1 line). The graphics in the right-hand side shows the sensitivity of the algorithm to small changes in the secret keys K 1 and K 2 . Now the same pixel is permuted with slight different keys, that is a one-bit change either in K 1 (solid black line) or in K 2 (red dashed line). In both cases, the results are very close 1

For interpretation of color in Fig. 7, the reader is referred to the web version of this article.

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

(a) 148

6

Speed, W (10 pixeles/s)

294

55

20

7 0

100

200

300

400

500

Image size, d

5

(b)

ln W

slope = -0.04 4

slope = -9 3

2 0.00

0.05

0.10

0.15

1/d Fig. 5. (a) Permutation velocities for the Gray numbers (open dots) and for the logistic chaotic algorithm (squares) when applied to the dragonfly’s eye 3D image, as a function of image size d. (b) Scaling relations between the velocities and the image size for Gray numbers (open dots) and logistic chaotic map (squares). The data was obtained with a 1 GHz PC.

Fig. 6. Example of a return map of the proposed permutation process, based on the Gray code.

to the random permutation. The standard deviations for the probability distributions of the random, the K 01 , and the K 02 permutations are respectively 3:6246  104 ; 5:2533  104 , and 4:7477  104 ; Pearson’s Correlation coefficient between the random and the K 01 (K 02 ) permutations is 0:01002 (0:02353). Also, the null hypothesis that all three distributions are drawn from the same underlying distribution is not to be rejected with a 5% significance level. This means that the proposed Gray code performance is equivalent to that of a random permutation. Thus, the designed P-Box fulfills the cryptographic requirements.

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

295

Fig. 7. Security analysis for the Gray code permutation box. (Left) Probability distribution of the distance between a pixel and its permuted position, compared with the one obtained by a random permutation. (Right) Analysis of keys sensitivity: distance between a pixel permuted with a given key K 1 (K 2 ), and the same pixel permuted with a new key K 01 (K 02 ) differing in just one bit.

6. Complete cryptosystem To corroborate the usefulness of the proposed Gray code permutation algorithm, we have constructed a complete secure cryptosystem by adding an S-Box after the permutation process. For practical reasons, we choose the S-Box we proposed in Ref. [19]. This S-Box is based on the well known logistic map

xkþ1 ¼ Lðxk Þ ¼ axk ð1  xk Þ;

ð8Þ

where L is the logistic function and a is the parameter which defines the system behavior and can act as a secret key for the S-Box process. For a 2 ½3:58; 4 the map Eq. (8) is chaotic (except for some periodic windows that can easily be avoided) and therefore it is suitable for cryptographic applications. Starting from an initial value x0 2 ½0; 1, after k iterations we obtain a new value xk . Each pixel’s value pi in the image (color component of a color image) is updated according to the transformed value of the previous pixel pi1 as follows:

pi ¼ ðpi þ Lk ðpi1 ÞÞmod 1:

ð9Þ

In other words, we iterate the value of the preceding pixel k times and the result is then added to the actual pixel value. Since the pixel’s color is usually codified as a number between 0 and 255, the color value should be properly normalized to get a suitable pi (see Ref. [19] for more details). If a higher security is needed, the permutation–substitution process can be repeated several times by executing the necessary number of loops l. Fig. 8 shows the cipher-image of Fig. 2(b) encrypted with the complete algorithm by applying the permutation–substitution process 10 times (l ¼ 10); since no structure is visible, no useful information about the original picture can be inferred. However, high enough security is guaranteed already for l ¼ 2; the reader may check this in Fig. 9, where we show the probability distribution of 256 symbols used to codify the gray level of each image pixel, and plot the resulting power spectra for different l. For l ¼ 10, the null hypothesis that the distribution is uniform cannot be rejected at a 5% significance level, using a standard chi-square test. Other security tests, such as the estimations of the Pearson’s Linear Correlation Coefficient rx;y between the adjacent pixels and the Mean Absolute Error (MAE) between the plain-image and the cipher-image yield, respectively, r x;y ¼ 0:000131 and MAE ¼ 74:64. MAE quantifies the changes between the original and encrypted pixels as follows:

MAE ¼

d   1X pp  pc ; i d i¼1 i

Fig. 8. Encrypted image obtained by combining the Gray code P-Box with a chaotic S-Box for the dragonfly’s eye in Fig. 2.

ð10Þ

296

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

Fig. 9. Security analysis of proposed cryptosystem. (a) Probability distribution of 256 gray symbols in plain-image and in cipher-image for l ¼ 1; 2; 5; 10 and (b) power spectrum for plain-image and cipher-image for l ¼ 1; 2; 10.

where the super indices p and c are referred to the plain-image and cipher-image, respectively. The obtained MAE is very close to the expected value for a random series, MAEr ¼ 74:73. The largest Lyapunov exponent of the original image is negative (k0 ¼ 1:50 0:05), whereas the cipher-images encrypted only with l ¼ 1 and l ¼ 2 have already positive largest Lyapunov exponents (k1 ¼ 1:04 0:02 and k2 ¼ 1:26 0:01). Thus, the original regular structure is rapidly transformed into chaotic sequence and a further increase in n does not substantially change k. Another important aspect of security is sensitivity to secret keys. In order to assess this point, we have calculated the number of bits that change in each pixel (encoded with one byte) of the cipher-image when one secret key is changed in one bit. The results, namely 4:000 0:002 for K 1 and 4:001 0:003 for K 2 , are very close to the expected value of 4 bits for each byte. The same result (4:000 0:003 bits modified in each pixel) is obtained when the plain-image is changed in one bit, therefore confirming the high sensitivity of the algorithm, already stated in Section 5. High security of the complete system is also guaranteed by its key-space dimension, that is the sum of the P-Box keyspace (3q bits, as calculated previously) and the S-Box key-space; the latter can be approximated by 19 bits including periodic windows and supposing that other parameters (such as the image size) are known [19]; therefore, the total key-space dimension is 3q þ 19 bits (where q is the dimension, as in Eq. (1)). To obtain the image in Fig. 2(b), the key needed is 76 bits long. While security tests prove a good security level of the proposed cryptosystem, at least higher than that of other chaosbased algorithms reported in the literature [14,27,8], the algorithm we are proposing has the great advantage to be able to operate in real time. Since the image is processed like a linear array, the algorithm is unmindful of the number of dimensions of the plain-image. The complete cryptosystem has a lower computational cost when compared with the Sun’s et al. [25] algorithm (0.0273 s per loop versus 0.0928 s per loop). If we take into account the computational cost of one iteration and the key-space dimension, one would need a total brute force attack time of 6:55  1013 years; clearly this kind of attack is not feasible. 7. Conclusions The analysis of existing chaotic map based algorithms showed that they are not suitable for high-dimensional data encryption, because of their extremely high computational cost. For real-time secure communication with a large amount

M. Zanin, A.N. Pisarchik / Information Sciences 270 (2014) 288–297

297

of information, we designed a P-Box algorithm which takes advantage of the Gray code properties. The algorithm was optimized for integer n-bit operations that allows its direct implementation in almost any hardware platform and avoids rounding errors of floating-point operations [10]. The proposed cipher works 30 times faster than the existing chaotic algorithms and its encryption speed is independent of the data size, that allows encryption of extremely large amounts of information in real time. It should be noted that similar fast P-Box algorithms can be designed on the base of other maps, for example, the T-function introduced by Klimov and Shamir [11]. In this case one only has to make the first Offset follow the T-function instead of the Gray code. However, not only T-functions present security problem [2], they also suffer from two big drawbacks: (i) they are not easily invertible (it can be done, but at a higher computational cost) and (ii) they are slightly more costly than the Gray code solution, because they use integer mathematics instead of only bitwise logical operations. Although the speed difference is not so high, when handling great quantities of data, the time difference becomes noteworthy. Finally, the proposed permutation algorithm can be used only as a part of a complete cryptosystem which must include also secure substitution steps. Applying different kind of cryptographic attacks, such as brute-force, bit-flipping, timing, and distinguishing attack, as well as differential cryptanalysis, we demonstrated that a complete cryptosystem formed by the proposed P-Box and an S-Box based on the logistic map combines the advantages of high speed and high security, making the cryptosystem a valuable solution for real-time encryption of big-volume information. Acknowledgements The authors thank to Dr. Sergio A. Calixto-Carrera for providing with dragonfly’s eye images. The work was partly supported by the Mexican Council of Science and Technology (CONACYT), Project No. 100429. References [1] D. Arroyo, R. Rhouma, G. Alvarez, S. Li, V. Fernandez, On the security of a new image encryption scheme based on chaotic map lattices, Chaos 18 (2008) 033112. [2] V. Bénony, F. Recher, E. Wegrzynowski, C. Fontaine, Cryptanalysis of a particular case of Klimov–Shamir pseudo-random generator, in: Sequences and Their Applications – SETA 2004, Lecture Notes in Computer Science, vol. 3486, Springer, Berlin/Heidelberg, 2005, pp. 313–322. [3] T.-H. Chen, C.-S. Wu, Compression-unimpaired batch-image encryption combining vector quantization and index compression, Inform. Sci. 180 (2010) 1690–1701. [4] Y.F. Chung, Z.Y. Wub, T.S. Chen, Unconditionally secure cryptosystems based on quantum cryptography, Inform. Sci. 178 (2008) 2044–2058. [5] J. Daemen, B. Sand, V. Rijmen, The Design of Rijndael: AES – The Advanced Encryption Standard, Springer-Verlag, Berlin, 2002. [6] P. Diaconis, S. Holmes, Gray codes for randomization procedures, Stat. Comput. 4 (2004) 960–3174. [7] C. Faloutsos, Multiattribute hashing using Gray codes, in: Proc. ACM SIGMOD Internat. Conf. Management of Data, ACM New York, NY, USA, 1986. [8] H. Gao, Y. Zhang, S. Liang, D. Li, A new chaotic algorithm for image encryption, Chaos Solitons Fractals 29 (2006) 393–399. [9] Z.H. Guan, F.J. Huang, W.J. Guan, Chaos-based image encryption algorithm, Phys. Lett. A 346 (2005) 153–157. [10] N.J. Higham, in: Accuracy and Stability of Numerical Algorithms, second ed., SIAM, 1961. [11] A. Klimov, A. Shamir, A new class of invertible mappings, in: Cryptographic Hardware and Embedded Systems – CHES 2002, Lecture Notes in Computer Science, vol. 2523, Springer, Berlin/Heidelberg, 2003, pp. 470–483. [12] S. Li, C. Li, G. Chen, N.G. Bourbakis, K.-T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Process.: Image Commun. 23 (3) (2008) 212–223. [13] S.G. Lian, J. Sun, Z. Wang, Security analysis of a chaos-based image encryption algorithm, Physica A 351 (2005) 645–661. [14] Y.B. Mao, G.R. Chen, S.G. Lian, A novel fast image encryption scheme based on 3D chaotic baker maps, Int. J. Bifurcat. Chaos 14 (2004) 3613–3624. [15] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. [16] N.K. Pareek, V. Patidar, K.K. Sud, Discrete chaotic cryptography using external key, Phys. Lett. A 309 (2003) 75–82. [17] N.K. Pareek, V. Patidar, K.K. Sud, Image encryption using chaotic logistic map, Image Vision Comput. 24 (9) (2006) 926–934. [18] A.N. Pisarchik, N. Flores-Carmona, M. Carpio-Valadez, Encryption and decryption of images with chaotic map lattices, Chaos 16 (2006) 033118. [19] A.N. Pisarchik, M. Zanin, Image encryption with chaotically coupled chaotic maps, Physica D 237 (2008) 2638–2648. [20] R. Rhouma, S. Belghith, Cryptanalysis of a new image encryption algorithm based on hyper-chaos, Phys. Lett. A 372 (38) (2008) 5973–5978. [21] C. Savage, A survey of combinatorial Gray codes, SIAM Rev. 39 (4) (1997) 605–629. [22] B. Schneier, in: Applied Cryptography – Protocols, Algorithms, and Source Code in C, Second ed., John Wiley & Sons Inc., New York, 1996. [23] C.E. Shanon, Communication theory of secrecy systems, Bell Syst. Thech. J. 28 (4) (1949) 656–715. [24] M. Stamp, in: Information Security – Principles and Practice, Wiley-Interscience, 2006. [25] F. Sun, S. Liu, Z. Li, Z. Lü, A novel image encryption scheme based on spatial chaotic map, Chaos Solitons Fractals 38 (3) (2008) 631–640. [26] Y. Yin, X. Li, Y. Hu, Fast S-box security mechanism research based on the polymorphic cipher, Inform. Sci. 178 (2008) 1603–1610. [27] L. Zhang, X. Liao, X. Wang, An image encryption approach based on chaotic maps, Chaos Solitons Fractals 26 (2005) 759–765. [28] Actually, it has been demonstrated that 2q ðq!Þ different codes can be defined for a number of q bits.