Physica D 237 (2008) 2638–2648www.elsevier.com/locate/physd

Image encryption with chaotically coupled chaotic maps

A.N. Pisarchika,∗, M. Zaninb

a Centro de Investigaciones en Optica, Loma del Bosque 115, Lomas del Campestre, 37150 Leon, Guanajuato, Mexicob Universidad Autonoma de Madrid, Cantoblanco, 28049, Madrid, Spain

Received 23 July 2007; received in revised form 7 March 2008; accepted 21 March 2008Available online 6 April 2008

Communicated by R. Roy

Abstract

We present a novel secure cryptosystem for direct encryption of color images, based on chaotically coupled chaotic maps. The proposed cipherprovides good confusion and diffusion properties that ensures extremely high security because of the chaotic mixing of pixels’ colors. Informationis mixed and distributed over a complete image using a complex strategy that makes known plaintext attack unfeasible. The encryption algorithmguarantees the three main goals of cryptography: strong cryptographic security, short encryption/decryption time, and robustness against noiseand other external disturbances. Due to the high speed, the proposed cryptosystem is suitable for application in real-time communication systems.c© 2008 Elsevier B.V. All rights reserved.

PACS: 05.45.-a; 05.45.Ac; 05.45.Gg; 05.45.Vx

Keywords: Chaotic cryptosystem; Logistic map; Image cipher

1. Introduction

In recent years, the transmission of digital images andvideo over communication media, such as computer networks,mobile phones, cable TV, etc. has highly developed. Theproblem of security in storage and transmission of confidentialvisual information is therefore growing in importance, andrequires solutions for many applications, such as pay TV,video conferencing, medical and military databases. Mostconventional ciphers, such as Data Encryption Standard (DES),International Data Encryption Algorithm (IDEA), AdvancedEncryption Standard (AES), linear feedback shift register(LFSR), etc. [1,2] with high computational security considerplaintext as either block cipher or data stream and are notsuitable for image/video encryption in real time becausetheir speed is slow due to a large data volume and strongcorrelation among image pixels. The implementation oftraditional algorithms for image encryption is even morecomplicated when undertaken with commercial software.

∗ Corresponding author.E-mail address: apisarch@cio.mx (A.N. Pisarchik).URL: http://www.cio.mx (A.N. Pisarchik).

0167-2789/$ - see front matter c© 2008 Elsevier B.V. All rights reserved.doi:10.1016/j.physd.2008.03.049

In the last decades many researchers pointed out theexistence of a strong relation between chaos and cryptography.Actually, in a real system, chaos and noise are two naturalirregular behaviors. Therefore, the utilization of these motionsin cryptography is also natural. The greatest advantage of achaotic system over a noisy one is that the chaotic system isdeterministic. This property of chaos significantly facilitates thedecryption process. The exact knowledge of initial conditionsand system parameters enables one to recover a message.Moreover, many fundamental characteristics of chaos, such asa broadband spectrum, ergodicity and high sensitivity to initialconditions are directly connected with two basic properties ofgood ciphers: confusion and diffusion. In Shannon’s originaldefinitions [3], diffusion is associated with dependency of theoutput on input bits, i.e. it refers to the property that redundancyin the statistics of plaintext is dissipated in the statistics ofciphertext, whereas confusion refers to making the relationshipbetween the key and the ciphertext as complex and involvedas possible, i.e. it implies permutation in the data sequence.Since confusion and diffusion mean deterministic disorder,any traditional cryptosystems can be regarded as a chaotic orpseudo-random system.

A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648 2639

Fig. 1. General scheme of a cryptosystem.

The goal of any cryptosystem is to convert plaintext tociphertext with the use of a secure algorithm. Generally, anycryptosystem can be schematically represented as that shown inFig. 1. The confusion and diffusion processes can be repeatedseveral times. Mathematically, the cryptosystem shown in Fig. 1can be described as [4]

R = Dα(Cβ(P, KC ), K D), (1)

where P and R are respectively plaintext and ciphertext, C andD are the confusion and diffusion functions, KC and K D arethe confusion and diffusion keys, and α and β are numbersof rounds for total encryption and for confusion, respectively.Eq. (1) determines the cryptosystem’s security; the higher thesensitivity of the functions C and D to their keys KC andK D and the larger the key space, the higher the security. Thecryptosystem’s key space in Fig. 1 is defined as

S = (SβC SD)α, (2)

where SD and SC are key spaces of the confusion and diffusionkeys, that are determined by the key spaces for initial conditionsand parameters in the confusion and diffusion functions. Asseen from Eq. (2), the higher the powers α and β, the largerthe key space and hence the higher the security. However, theencryption/decryption time (EDT) also increases as α and β

are increased. Therefore, while designing new cryptosystems,cryptographs should always balance between security andspeed.

The ergodic properties of chaos and its high sensitivityto initial conditions and parameters allow one to designencryption algorithms with good confusion and diffusionproperties. Chaotic encryption algorithms which use simplediscrete systems have recently received much attention togenerate chaotic keys [5–8]. In chaotic block cryptosystems,chaotic maps are usually used to encrypt a plaintext blockby block, whereas chaotic stream cryptosystems utilize achaotic map for bit-by-bit encryption. Much work has beendevoted to the design of chaos-based block algorithms forimage encryption [4,9–15].1 Parameters or initial values of thediffusion function, or chaotic map, or both normally servedas diffusion and confusion keys to modify sequentially pixelvalues and change pixel positions.

1 In some works on image encryption plaintext and ciphertext are called“plain image” and “cipher image” [4,13,16].

Fridrich [9] was the first one to suggest a permutationof the pixel positions in a chaotic fashion, using either theBaker map or the cat map as a key for chaotic confusion.To enhance security, the dimension of these maps has beenextended to three [9–11]. However, Lian et al. [13] pointed outthat some parameters are not secure to be used as encryptionkeys. Therefore, they designed a symmetric block cipher basedon the chaotic standard map for a confusion process, a diffusionfunction, and a key generator. Most chaotic stream ciphersutilized only one chaotic system to generate a pseudo-randomsequence for image encryption that is not secure enoughwithstand a powerful cryptographic attack.

A more complex system which combines chaotic bothdiscrete and continuous systems has been designed by Guanet al. [14]. At the confusion stage pixel positions were shuffledby Arnold cat map while at the diffusion stage pixel values ofthe shuffled image were encrypted by the continuous Chen’schaotic system. Recently, Pareek et al. [17] proposed an imageencryption scheme which utilizes two chaotic logistic maps andan external key of 80-bit. The initial conditions for both logisticmaps were derived using the external secret key. The firstlogistic map was used to generate numbers in the range between1 and 24 and the initial condition of the second logistic map wasmodified by the numbers generated by the first logistic map.The authors showed that by modifying the initial conditionof the second logistic map in this way, its dynamics becamemore random. The majority of the known algorithms used ablock cipher encryption technique where plaintext files wererepresented as blocks of bits. The encryption speed of suchcryptosystems is relatively slow since the necessary number ofiterations of the chaotic map for encrypting an 8-bit symbol isat least 200 and the maximum is 29 617 [18]. A large blockof plaintext, such as 128-bit, usually used in conventionalcryptosystems, requires significantly lager EDT [19]. Since thelength of ciphertext is usually larger than the length of plaintext,the size of encrypted multimedia files is very large.

A completely different approach to image encryption hasbeen proposed recently in Ref. [16]. Every image pixelwas considered as a chaotic map so that the whole imageforms chaotic map lattices for each of red, green and bluecolor components of the image. Since the logistic map isnoninvertible, to recuperate the original image the maps inplain image should be coupled, so that every encrypted pixelshould contain information on the original color of anotherpixel. In other words, all pixels should be mixed somehow. Forexample, in the algorithm developed in Ref. [16] all maps werecoupled in series pixel by pixel by initial conditions, providinga good diffusion property. However, the main problem inmodern communication technology is not the security of anencryption algorithm, but rather its good dynamic properties,i.e. its robustness against noise or other external disturbances.It is in this sense, that unidirectional coupling of all imagepixels worsens the dynamic properties, since the image cannotbe recovered if only one pixel undergoes a small error.To overcome this drawback, the novel cryptosystem utilizeschaotic coupling or chaotic mixing of pixel’s colors. This allowssignificant enhancement of security, while the EDT decreases.

2640 A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648

Topologically mixing means that the system will evolve overtime in such a way that any given region or open set of its phasespace will eventually overlap with any other given region; themixing of colored dyes or fluids is a prototype of turbulence orchaos.

The proposed cryptosystem complies with the tworequirements mentioned by Shannon [3]; both the diffusion andconfusion processes are arranged in a chaotic manner with theuse of chaotic maps, whose high sensitivity to initial conditionsand parameters makes the cryptosystem extremely secure.Although chaos is an irregular motion, it is deterministic, andtherefore the original image can be completely recovered ifthe secret keys are exactly known. The cryptosystem is robustagainst cryptographic attacks, while the EDT is very shortthat allows its application for communication in real time.Moreover, the length of ciphertext is the same as the length ofplaintext.

The rest of the paper is organized as follows. In Section 2 wedescribe our algorithm in detail. Then, in Section 3 we apply itfor encryption of a real color image and analyze its security.Finally, main conclusions are given in Section 4.

2. Chaotic cryptosystem

2.1. Basic idea

Any digital image can be represented as a linear array ofdecimal values, where each pixel has three color componentspR , pG , and pB (red, green and blue) of integers between 0and 255. Thus, a M × N pixel image can be transformed intoan array of h = 3M N items of the color components that formsplaintext

P = {p1 = pR1 , p2 = pG

1 , p3 = pB1 , p4 = pR

2 , . . . ,

pi , . . . , ph = pBM N }. (3)

The color components of an 8-bit RGB image are integers inthe range [0, 255], rather than floating-point values in the range[0, 1]. As we already mentioned in the introduction, for shorterEDT the length of ciphertext should be equal to the lengthof plaintext. The aim of our encryption algorithm is to createciphertext

R = {r1, r2, . . . , ri , . . . , rh}, (4)

which contains h encrypted color components ri ∈ [0, 255].It is known that the security of a cryptosystem is determined

by its confusion and diffusion properties and its sensitivity tosecret keys. The basic idea underlying our encryption algorithmis to use chaotic systems for both the confusion and diffusionprocesses. First, plaintext P is converted into an array offloating-point values

X0 = {x (1)0 , x (2)

0 , . . . , x (i)0 , . . . , x (h)

0 }, (5)

that can serve as initial conditions for chaotic maps x (i)0 (i =

1, 2, . . . , h), for example the logistic map

xn+1 = axn(1 − xn), (6)

which is chaotic when a ∈ [3.57, 4].2 Both the parameter a andthe number of iterations n serve as secret keys. To transform Pinto X0, we convert the color components to the map variablesso that they lie within the chaotic attractor of the map Eq. (6),i.e. the normalized value

X0 = P/[255(xmax− xmin)], (7)

where xmax and xmin are the maximum and minimum values ofx generated by the chaotic map Eq. (6). For example, for a = 4,xn ∈ [0, 1], while pi ∈ [0, 255] and hence we should simplynormalize P to 255, i.e. X0 = P/255. To enhance security, aand n can be different for different maps (i.e. for every pixel)and both can be generated by another chaotic map, for instance,again by the logistic map

zi+1 = czi (1 − zi ) (8)

with parameter c and initial condition z0. In this case we willhave h map parameters determined according to the chaoticsequence

Z = {z1, z2, . . . , zi , . . . , zh}. (9)

For c = 4, zi ∈ [0, 1] and the parameter value for map i canbe determined as ai = 0.43zi + 3.57, to be within the chaoticrange, ai ∈ (3.57, 4). The value ai = 4 should be excludedfrom consideration because for this parameter the map alwaystakes x (i)

n = 0 when x (i)0 = 0 or x (i)

0 = 1. It does not allow theencryption of white and black pixels with grey values ri = 0and ri = 255.

We should underline that the use of the logistic map inour cryptosystem was just to show, with a simple example,how a chaotic system works in our algorithm. However, as itis known, most of the smooth chaotic systems (including thelogistic map) exhibit a dense set of periodic windows for certainrange of parameters [20], thus imposing restrictions for thepractical application of such systems in chaotic cryptography.To overcome this problem, one can either select properlythe map parameter to exclude a parameter resulting in anyperiodicity lower than the number of pixels in the image(i.e. explore parameters which only produce chaotic behavior,parameters along a chaotic fiber [21]) or use a robust chaoticsystem, like a piecewise smooth map proposed by Banerjee,Yorke, and Grebogi [22].

2.2. Chaotic coupling

In the algorithm described in Ref. [16], all chaotic mapsrepresenting the pixels’ values were coupled unidirectionallyso that x (i)

n was used as the initial condition for the subsequentmap (i + 1). Such a coupling provides diffusion propertiesso good that after three rounds (α = 3), the cryptosystembecomes extremely sensitive to any change in a pixel valueand a small error in one only pixel diffuses over the whole

2 The same approach can be applied for encrypting a text. In this case, eachsymbol is considered as a chaotic map whose initial condition is related to theASCII value.

A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648 2641

ciphertext. To overcome this drawback, we propose anothercoupling scheme based on chaotic mixing of all image pixels.The chaotic coupling provides excellent confusion propertiesand can be realized by generating a chaotic key with anotherchaotic map, for example, the logistic map

yi+1 = byi (1 − yi ), (10)

where b ∈ [3.57, 4] is the map parameter and i = 1, 2, . . . , his the number of iterations. The total number of iterations isequal to the number of items in plaintext. Starting from a certaininitial condition y0, after h iterations the map Eq. (10) generatesthe chaotic sequence

Y = {y1, y2, . . . , yi , . . . , yh} (11)

of map values yi ⊂ A, where A is the chaotic attractor definedby the map function Eq. (10), parameter b, and initial conditiony0. Array Y has the same length h as plaintext P. To use Y asa chaotic key for color mixing, we transform Y into a chaoticsequence K of decimal integers k ∈ [1, h], where ki indicatesthe position of the map in X. For example, for b = 4, yi ∈ [0, 1]

and hence we obtain the chaotic key

K = round[Y(h − 1)] + 1 = {k1, k2, . . . , ki , . . . , kh}, (12)

indicating the number of an item in plaintext P with whichsubsequent item pi should be mixed.3 In the other words, thesubsequent map i is coupled with map j = ki selected bychaotic key Eq. (12). It is important for decryption that item piis not coupled with itself. Therefore, we impose the restriction:if j = 1 then j = j − 1.

Starting from the first map (i = 1), after n iterations weget map value x (1)

n which is used to permute the color of itemj = k1. The map coupling or color mixing can be realized withthe use of a mixing function F : X → X which can be definedsuch that

x ( j)= F(x (i), x ( j)

0 ) mod 1. (13)

F can be determined in different manners depending on howcomplex we wish to make the encryption algorithm. Thesimplest mixing function is just the sum of the map variables,i.e.

F(x (i), x ( j)0 ) = x (i)

n + x ( j)0 . (14)

We repeat the confusion and diffusion processes for the eachmap up to the last (i = h). If any number in chaotic sequenceK is repeated, the corresponding value of map j is updated.Finally we obtain the sequence of the map variables

X = {x (1), x (2), . . . , x ( j), . . . , x (h)}, (15)

which can be converted to the values of encrypted pixel’s colorsby inverting the transformation to form the ciphertext. The

3 The number of significant digits in Y is determined by computer precisionwhich should be higher than 1/h to incorporate all integers between 0 and h inchaotic sequence K.

Fig. 2. Schematic of our encryption algorithm.

cipher image can be visualized by representing R as an arrayof pixel’s colors with r R , r G , r B components such that

R = round(255X) = {r1 = r R1 , r2 = r G

1 , r3 = r B1 , . . . ,

r j , . . . , rh = r BM N }. (16)

To ensure good cryptographic properties and high security,the above sequence must be repeated several times, usingciphertext Rα of round α (α = 1, 2, . . .) as an input for thenext round α + 1, i.e. Rα = Pα+1. The secret key y0 andmixing function F can be different in every cycle increasing thekey space dimension. The encryption algorithm Eqs. (3)–(16)for chaotic mixing ensures a high security due to the chaoticmap evolution: information is mixed and distributed over allimage in a complex strategy that makes known plaintext attackunfeasible. Next, we consider the encryption and decryptionalgorithms in more detail.

2.3. Encryption algorithm

The encryption scheme of our cryptosystem is shown inFig. 2. In the first two steps we obtain a chaotic key and then weuse this key for chaotic mixing of image colors. The encryptionalgorithm includes the following steps.

2642 A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648

Step 1. Starting from certain initial condition y0,4 we iteratethe map Eq. (10) h times to obtain chaotic sequence Y Eq. (11).Due to the exponent divergence of a chaotic trajectory frominitial conditions, Y is extremely sensitive to y0 which servesas a secret key.

Step 2. We normalize Y to the total number of items h toobtain chaotic sequence K Eq. (12).

Step 3. The original M × N image is converted to a sequenceof decimal values forming plaintext P Eq. (3) with h items.

Step 4. The array P is transformed into a sequence ofnormalized floating-point values Eq. (7) which serve as initialconditions for chaotic maps X0 Eq. (5), for example, the logisticmaps Eq. (6).

Step 5. Starting from initial condition x (i)0 , we make n

iteration of map i to get map value x (i)n . This value is not stored

in item i .Step 6. Using K as a key, we determine the number j = ki

of the map in X0, with which map i is coupled, according tomixing function F Eq. (14), to get map value x ( j) Eq. (13)which is stored in item j .

Step 7. We repeat steps 5 and 6 h times starting from i = 1to i = h, every time updating X0, and finally getting sequenceX Eq. (15).

Step 8. We substitute X to X0 and repeat steps 5–8 α times.Each time the chaotic key K can be different, by taking differentinitial conditions yα

0 .Step 9. We get ciphertext R Eq. (4) by converting X to

the array of color components of image pixels. The ciphertextcan be sent via any communication medium and visualized bygrouping the items in blocks of three by three, corresponding toRGB colors.

2.4. Decryption algorithm

The decryption process is evident. As in the encryptionalgorithm, in the first two steps we obtain the chaotic keyand then we use this key to decode the image. The algorithmincludes the following steps.

Step 1. Knowing initial condition y0, we obtain the chaoticsequence of map values Y by iterating the map Eq. (10) h times.

Step 2. We normalize Y to the total number of items h toobtain chaotic key K.

Step 3. We transform ciphertext R to map values X. In thecase of the logistic map Eq. (6), X = R/[255(xmax

−xmin)]. Weknow xmax and xmin because we know the map parameter a.

Step 4. Starting from the last item i = h, we iterate the mapn times using x (h) as the initial condition and get x (h)

n . We knowfrom K that this map is coupled with j = kh map.

Step 5. We calculate new value x ( j)new of each subsequent item

of K in the inverse direction of P(i = h, h − 1, . . . 1) usinginverse mixing function F−1: X → X defined as

x ( j)new = F−1(x ( j), x (i)

n ) mod 1. (17)

4 To exclude transients, y0 should be chosen within a chaotic attractor,y0 ∈ A.

Fig. 3. Three-items illustration of encryption and decryption algorithms.

In the simplest case

F−1(x ( j), x (i)n ) = x ( j)

− x (i)n . (18)

Step 6. We repeat steps 4 and 5 h times and finally get thesequence of initial values X0.

Step 7. We obtain plaintext P by transforming X0 into anarray of integers in the range [0, 255] which yield the colorvalues of the 8-bit RGB image.

Step 8. The h items are grouped three by three, recoveringthe original pixel’s colors.

Step 9. Steps 3–8 are repeated α times, as in the decryptionprocess.

2.5. Simple example

We now present a simple example with only three itemsto demonstrate how the encryption and decryption algorithmswork. The first line in Fig. 3 shows successive numbers i of theitems of the plaintext x (1), x (2), and x (3). The second line showsnumbers j of the items with which the items i should be mixed.The sequence of j can be generated by a chaotic map [e.g.,Eq. (10)]. The arrows indicate the directions of the mixing. Inour case, item 1 is mixed with item 2, item 2 with item 1, anditem 3 with item 1.

2.5.1. EncryptionIn compliance with our encryption algorithm, we start from

item i = 1 and generate a chaotic value x (1)n by a chaotic map

M taking x (1) as the initial condition (x (1)0 = x (1)). After n

iterations we get x (1)n and add this value to x (2). We keep this

sum as a new item 2, i.e. x (2)new = x (2)

+ x (1)n . Thus, item 2 is

transformed into the new value x (2)7−→ x (2)

+ M(x (1)) mod 1[e.g., the logistic map Eq. (6)]. To be able to recuperate theplaintext with the decryption algorithm, item 1 is kept as before,i.e. x (1)

= x (1)0 . Then we repeat the encryption procedure for

item 2. Since it was coupled with item 1, item 2 is different now(x (2)

= x (2)new). We take the new item 2 as the initial condition

to generate a chaotic value x (2)n and add this value to x (1). As a

result, we get a new item 1, i.e. x (1)7−→ x (1)

+ M(x (2)) mod 1.Finally, we do the same procedure with item 3 which againyields a new item 1, i.e. x (1)

7−→ x (1)+ M(x (3)) mod 1. The

summary of the encryption procedure is shown below.(1) x (2)

7−→ x (2)+ M(x (1)) mod 1,

(2) x (1)7−→ x (1)

+ M(x (2)) mod 1,

(3) x (1)7−→ x (1)

+ M(x (3)) mod 1.

A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648 2643

Table 1Digital example showing the main steps of our encryption algorithm: Pixel numbers → item numbers i → plaintext P → initial conditions X0 → chaotic sequenceY → chaotic key K → ciphertext R

Pixel number 1 2 3 4i 1 2 3 4 5 6 7 8 9 10P 93 52 53 100 54 53 99 54 56 90X0 0.4201 0.2349 0.2394 0.4517 0.2439 0.2394 0.4472 0.2439 0.2530 0.4066Y 0.3543 0.8920 0.3756 0.9144 0.3051 0.8266 0.5588 0.9612 0.1453 0.4842K 206 769 529 568 219 199 531 889 178 406 482 401 326 114 560 953 84 797 282 578R 98 57 34 88 45 75 142 156 118 202

Thus, after encryption we get the ciphertext, i.e. thesequence of values v(i), each of which is a function of theplaintext values x (i)

0 .

v(1)= x (1)

0 + M(x (2)0 + M(x (1)

0 )) + M(x (3)0 ) mod 1, (19)

v(2)= x (2)

0 + M(x (1)0 ) mod 1, (20)

v(3)= x (3)

0 . (21)

2.5.2. DecryptionIn the decryption process we start from the last item 3. We

know that this item is coupled with item 1. Therefore, to finditem 1, we use v(3) as the initial condition to generate thechaotic value v

(3)n with the map M . It is evident that new item

1 is v(1)− M(v(3)) mod 1. Then, we continue the decryption

procedure with item 2 and get another new item 1, becauseitem 2 is also coupled with item 1. As a results, v(1)

7−→

v(1)− M(v(2)) mod 1. Finally, we repeat the procedure with

item 1 getting v(2)7−→ v(2)

− M(v(1)) mod 1. To summarize,(3) v(1)

7−→ v(1)− M(v(3)) mod 1,

(2) v(1)7−→ v(1)

− M(v(2)) mod 1,

(1) v(2)7−→ v(2)

− M(v(1)) mod 1.

Now we have the sequence of the values x (i).

x (3)= v(3), (22)

x (2)= v(2)

− M(v(1)− M(v(3)) − M(v(2))) mod 1, (23)

x (1)= v(1)

− M(v(3)) − M(v(2)) mod 1. (24)

By substituting Eqs. (19)–(21) into Eqs. (22)–(24), one cansee that the plaintext is completely recuperated.

3. Computer experiment

The original image of 559 × 348 pixels is represented aslinear array P of h = 583 596 items. Table 1 shows the first 10values of this array. We convert this array into array X0 of initialconditions for the logistic map Eq. (6) with a = 3.8899. For thismap xn ∈ [0.1044, 0.9724]. For pixel’s diffusion, we generatethe chaotic sequence Y using another logistic map Eq. (10) withb = 4. Starting from initial condition y0 = 0.8989, we make583 596 iterations of the map Eq. (10). The first 10 items ofthe chaotic sequence Y are shown in Table 1.5 Each component

5 For economy, we present only the first four significant decimal values forX0 and Y.

of Y is multiplied by h and rounded, according to Eq. (12) toyield chaotic key K. This key indicates the number j of themap with which the chaotic map i is coupled. The color mixingby simple summing the map values and taking mod 1 resultsin encrypted array X. By grouping the components in in threeby three blocks and transforming the map values into the colorvalues as round(255X) is taken, we get the cipher image R.

The integer values in sequence K are used for diffusing theimage pixels by putting j = ki and the mixing function updatesthe value of x j by using x ( j)

= x (i)n + x ( j)

0 . Therefore, not allitems are mixed and a few items are mixed more than once dueto the repeated values in the sequence K. However, this cannotbe considered as a drawback of the method. On the contrary,this accounts for the important advantages of the method. First,the cryptanalysis becomes more difficult because a cryptanalysthas no way to know whether a pixel is mixed or left as such andwhich pixel is mixed more than once, and second, the algorithmis more robust against noise. Since not all noisy (wrong) itemsare mixed with other items, fewer pixels become erroneousduring transmission (see Section 3.3).

3.1. Security analysis

3.1.1. Statistical attacksA good cryptosystem must resist any statistical attack, hence

the ciphertext has to possess certain random properties. Thedistribution of the ciphertext is very important because it hasto hide the redundancy of the plaintext and should not leak anyinformation about plaintext or any relation between ciphertextand plaintext. Several recent image encryption algorithms yielda flat or uniform distribution of the ciphertext [12–14,17,23,24]providing a better security. We also perform statistical analysisby calculating image histograms of the ciphertext to illustratehow the pixel’s colors are distributed over the image. Theoriginal image and its histogram are shown in Fig. 4(a) and(b) and the cipher images encrypted with different number ofrounds α and their histograms are presented in Fig. 4(c)–(h).

The images in the left-hand column show sensitivity of ourcryptosystem to the number of rounds α. One can see that withonly one round (α = 1) the shape of the original image still canbe distinguished in the encrypted image [Fig. 4(c)]. However,after two cycles (α = 2) [Fig. 4(e)] and all the more after fourcycles (α = 4) [Fig. 4(g)] the cipher image becomes pseudo-random. The histograms in the right-hand column represent thedistribution of the averaged (grey) values of the pixels. One cansee that for relatively large α the distribution is approximately

2644 A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648

Fig. 4. (a) Original image, (b) its histogram, and (c–h) cipher images and their histograms, encrypted respectively with (c,d) α = 1, (e,f) α = 2, and (g,h) α = 4.a = 3.8899, n = 100. The solid lines show the Gaussian fits.

Gaussian, i.e. random. The same distribution of pixel’s valuesin ciphertext is observed in the case of a black or white image.As an example, we apply our algorithm to the black imageshown in Fig. 5(a). After encryption this image becomes chaotic[Fig. 5(b)] with Gaussian distributed colors in the ciphertext[Fig. 5(c)]. Thus, a cryptanalyst gets no information whether animage is or not sent. The Gaussian distribution appears becausewe take an average of the three color components (RGB). If wecalculate separately the histograms for the red, green, and bluecomponents, we get the uniform distribution shown in Fig. 6.

After encryption, the distributions of ciphertext are all flat, nomatter what the original image was, and hence does not provideany clue to statistical attacks.

3.1.2. Key spaceTo provide a cryptosystem with high security, the key

space should be large enough to make any brute force attackineffective. Our cryptosystem actually does have some of thefollowing secret keys: (1) initial conditions yα

0 and z α0 , (2)

map parameters a, b, and c, (3) number of iterations n, and (4)

A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648 2645

Fig. 5. (a) Black image, (b) cipher black image encrypted with α = 1, and(c) histogram of encrypted black image. The solid line is the Gaussian fit.

number of rounds α.6 The high sensitivity to initial conditionsinherent to any chaotic system, i.e. exponential divergence ofchaotic trajectories, ensures high security. The sensitivity of ourcryptosystem to y0 is illustrated in Fig. 7. When the error in theinitial condition ∆y0 = 10−10, the original shape of the imageis still distinguishable in the encrypted image [Fig. 7(a)]. Onecan see from Fig. 7(b), that for small error in initial conditions(∆y0 < 10−9) the number of erroneous pixels rises up linearly(in the log–log scale) with ∆y0 and saturates with increasing∆y0. It is impossible to recuperate the original image if itwas encrypted with three rounds when ∆y0 = 10−9 becausealmost all pixels are erroneous. The variation of y0 withinchaotic attractor A ∈ [0, 1] with a step 10−10 yields 29 bitsof information.

The sensitivity of our cryptosystem to the map parameteris similar to that considered in Ref. [16]. The variation of theparameter in the chaotic region between 3.57 and 4 with a stepof 10−7 yields 19 bits of information if all periodic windows

6 Typically, α is selected between 3 and 11 to provide shorter EDT.

Fig. 6. Histograms of (a) red, (b) green, and (c) blue channels of the encryptedimage shown in Fig. 4(g).

are taken into account (periodic windows take away 3 bits ofinformation). In general, every color item can be encryptedwith a different map, where parameters can be distributed ina chaotic way with the use of another logistic map Eq. (8)with parameter c and initial condition z0. To ensure a largedivergence of a chaotic trajectory from the initial condition,the number of iterations should be relatively large but nottoo much so, for shorter EDT (usually n < 1000). Thisprovides an increase of the key space dimension by 103. Finally,the secret key α carries approximately 3 bits of information,according to Shannon entropy. As it was already mentioned inthe Introduction, the total key space includes the key spacesfor the confusion and diffusion processes, SC and SD (seeEq. (2)). In our cryptosystem SC = Sb Sy and SD = Sc Sz Sn ,where Sb = Sc ≈ 4.3 × 106 are the key spaces for mapparameters b and c, Sy = Sz ≈ 1010 are the key spaces forinitial conditions y0 and z0, and Sn ≈ 103 is the key spacefor number of iterations n.7 The existence of periodic windows

7 For simplicity we suppose that n is the same for all chaotic maps X.

2646 A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648

Fig. 7. Sensitivity to initial condition. (a) Image decrypted with wrong initialcondition y0 + 10−10 and α = 3. (b) Number of erroneous output pixels of asa function of error value in map parameter b. M × N = 100 × 100.

decreases the key space, since not all parameters can be used.If we assume roughly that the periodic windows occupy lessthan 10% of the parameter space of the logistic map, thenSb = Sc ≈ 3.9 × 106. The cryptosystem key space totaldimension can be calculated as

S = (SC SD)∆α= (Sb Sy Sc Sz Sn)∆α, (25)

where ∆α = αmax − αmin = 10 − 3 = 7 is the rangeof possible α. The simple estimation shows that the proposedimage cipher has S ≈ 10247 different combinations of the secretkeys.8 To our knowledge, this is the largest key space amongknown image encryption algorithms (for comparison analysissee Table 2).

The minimum global key-space dimension is 51 bits,9 mean-ing that the required time for the most dangerous brute-forceattack would be 105 years. For some applications which needhigher security, the attack time can be increased by including alarger number of secret keys, for instance, it is possible to as-sociate the secret keys with groups of items. In the limit case,each item of the image can have its own key and the algorithmwill be equivalent to a one time pad scheme.

3.2. EDT estimation

The great advantage of our algorithm is that every stepof the transformation can be pre-calculated and stored in the

8 The security is sufficiently high even if only four secret keys are used, a =

b, y0, α, and n as in our example. In this case S = (3.9×106×1010

×103)7≈

10137 is also very large.9 Excluding secondary parameters, like the image size M × N , etc.

memory array, resulting in a great speed-up. Both plaintextP and ciphertext R are stored in the computer memory asarrays of integer values with size h insuring a fast calculationspeed. The chaotic sequence Y of the map variables can be pre-calculated taking α different initial conditions y0, as well as Z.The encryption speed is made faster because ciphertext has thesame length as plaintext. Since mixing functions F and F−1 aresimple, they are also very fast. Thus, the encryption/decryptionalgorithm requires three memory accesses and one summation,which is a very simple task for up-to-date computer technology.Table 3 shows EDT for four different sized colored images withdifferent number of rounds α.10 Three cycles are sufficient forgood encoding. The calculations are made with a Pentium IV3.2 GHz PC with 1.0 GB of RAM, using Borland C++Builder5.0 software.

We compare the encryption speed of the proposedcryptosystem with other known ciphers for encryptingimage/video files. The details of the analysis listed in Table 4indicate that the proposed method, to our knowledge, is thefastest one, among the known algorithms. The high speed ofour cryptosystem is sufficient for a real-time encryption thatmakes it suitable in digital TV for pay-per-view transmissionand multimedia communications.

3.3. Robustness against noise

One of the most important problems in a real-worldcommunication technology is the robustness of a cryptosystemagainst noise. Very often signal-independent noise occurs whilean image is being transmitted electronically from a transmitterto a receiver. If P is the original image and N is noise due to thetransmission, the resulting image Z = P + N, where P and Nare uncorrelated. Most of the commonly used cryptosystems arevery sensitive to noise; a small change in the encrypted imageinduces a strong distortion in the decrypted image that doesnot allow one to recuperate the original image. For example,the cryptosystem described in Ref. [16] also suffers from thisdrawback; an error in one pixel and one looses the originalimage completely. Instead, as we will show below, the presentalgorithm is robust against noise.

Fig. 8(a) shows the decrypted image of 10 000 pixels whichwas affected by 0.1% noise during transmission. This meansthat 30 randomly chosen items of the ciphertext, being withinthe chaotic attractor, were randomly modified. Such noise,after three decryption cycles, results in a random change ofonly 179 pixels. Noise and errors during transmission of anencrypted image are tolerated if the image size is relativelylarge. We assume that each color component is affected by noiseindependently. When a pixel is represented by three items, as arule only one color component is changed, turning the imageinto a different shade of the same color; this maintains intactthe overall image information for the human eye. Fig. 8(b)represents the number of erroneous output pixels as a functionof the number of original pixels modified by noise. The number

10 The input/output and visualization times are not included.

A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648 2647

Table 2Comparison of key space dimensions

Cipher Gua et al. Pareek et al. Xiang et al. Kwok and Tang Lian et al. Proposed

S 1042 [14] 280 [17] 256 [23] 6 × 1057 [24] 2256 [13] 10247

Table 3Encryption/decryption time

Image size M × N pixels Time (α = 3) (ms) Time (α = 2) (ms) Time (α = 1) (ms) Encryption rate (frames/s)

100 × 100 2 1 <1 5000300 × 300 11 6 3 909559 × 348 41 20 10 243720 × 480 87 44 22 114

Table 4Encryption speed of image/video files of the fastest cryptosystems (in MB/s)

Cipher Baptista et al. Xiang et al. Wong Xiang et al. Wei et al.EDT 0.019 [5] 0.1 [23] 0.14 [25] 0.188 [12] 0.42 [8]

Cipher Pareek et al. DES AES Kwok and Tang ProposedEDT 4.76 [17] 6.5 [26] 11.4 [26] 40 [24] 140

Fig. 8. Sensitivity of our cryptosystem to noise. (a) Decrypted imagecontaining 179 erroneous pixels, when 0.1% noise is added to cipher imageencrypted with n = 100 and α = 3. (b) Number of erroneous output pixels as afunction of number of pixels modified by noise. M × N = 100 × 100.

of wrong pixels increases almost linearly as noise is increasedand is proportional to α, i.e. Nout ≈ εαNin (ε = 12 in ourexperiment).

Next, we study how noise affects the detection of awatermark in the original image. It is known that digitalwatermarks provide means of placing additional informationwithin digital media so that if copies are made, the rightfulownership may be determined. To demonstrate watermarks

Table 5Maximum noise for watermark detection

Level 1 (%) Level 2 (%) Level 3 (%) Level 4 (%)

Detectable 2.0 2.3 2.6 3.5Readable 1.3 1.9 2.4 3.1

recovery from images in the presence of noise, we adda Digimarc c© watermark to the original image shown inFig. 4(a). Table 5 shows the maximum quantity of noise withfour different levels of intensity for which the watermark isdetectable and readable.

4. Conclusions

In this paper, we have presented a novel cryptosystem forencoding and decoding digital images/videos. The proposedalgorithm combines good confusion and diffusion propertiesby using chaotically coupled chaotic maps. It utilizes chaoticconfusion of image pixels by using chaotic coupling betweenchaotic maps, each of which in turn induces chaotic diffusionof pixels’ color values. The comparative analysis shows that atpresent, and to our knowledge, the proposed cryptosystem is themost secure due to an extremely large key space and the fastestone among existing image/video encryption ciphers basedon chaotic or standard algorithms. The experimental resultsdemonstrate good dynamical properties of our cryptosystem; itsrobustness against noise and small external disturbances allowsus to recover watermarks from images in the presence of noise.The encryption and decryption algorithms are symmetric,making it suitable for multimedia encryption. Due to theexcellent confusion and diffusion properties, both exploitingimportant properties of chaos, the proposed cryptosystem isextremely secure and fast enough to be used in real-timecommunications, such as digital video, pay-TV, etc.

2648 A.N. Pisarchik, M. Zanin / Physica D 237 (2008) 2638–2648

Acknowledgement

The work was supported by the Mexican Council of Scienceand Technology (CONACYT), Project No. 46973.

References

[1] B. Schneier, Applied Cryptography — Protocols, Algorithms, and SourceCode, second ed., C. John Wiley & Sons, Inc., New York, 1996.

[2] J. Daemen, B. Sand, V. Rijmen, The Design of Rijndael: AES — TheAdvanced Encryption Standard, Springer-Verlag, Berlin, 2002.

[3] C.E. Shanon, Communication theory of secrecy systems, Bell. Syst. Tech.J. 28 (4) (1949) 656–715.

[4] S.G. Lian, J. Sun, Z. Wang, Security analysis of a chaos-based imageencryption algorithm, Physica A 351 (2005) 645–661.

[5] M.S. Baptista, Cryptography with chaos, Phys. Lett. A 240 (1998) 50–54.[6] N.K. Pareek, V. Patidar, K.K. Sud, Discrete chaotic cryptography using

external key, Phys. Lett. A 309 (2003) 75–82.[7] F. Huang, Z.H. Guan, Cryptosystem using chaotic keys, Chaos Solitons

Fractals 23 (2005) 851–855.[8] J. Wei, X. Liao, K.W. Wong, T. Xiang, A new chaotic cryptosystem, Chaos

Solitons Fractals 30 (2006) 143–152.[9] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps,

Int. J. Bifurc. Chaos 8 (6) (1998) 1259–1284.[10] G. Chen, Y.B. Mao, C.K. Chui, A symmetric image encryption scheme

based on 3D chaotic cat maps, Chaos Solitons Fractals 12 (2004)749–761.

[11] Y.B. Mao, G. Chen, S.G. Lian, A novel fast image encryption schemebased on the 3D chaotic baker map, Int. J. Bifurc. Chaos 14 (10) (2004)3613–3624.

[12] T. Xiang, X. Liao, G. Tang, Y. Chen, K.W. Wong, A novel blockcryptosystem based on iterating a chaotic map, Phys. Lett. A 349 (2006)109–115.

[13] S.G. Lian, J. Sun, Z. Wang, A block cipher baser on a suitable use ofchaotic standard map, Chaos Solitons Fractals 26 (1) (2005) 117–129.

[14] Z.H. Guan, F.J. Huang, W.J. Guan, Chaos-based image encryptionalgorithm, Phys. Lett. A 346 (2005) 153–157.

[15] K. Wang, W.J. Pei, On the security of 3D cat map based symmetric imageencryption scheme, Phys. Lett. A 343 (2005) 432–439.

[16] A.N. Pisarchik, N.J. Flores-Carmona, M. Carpio-Valadez, Encryption anddecryption of images with chaotic map lattices, Chaos 16 (3) (2006)033118-1/6.

[17] N.K. Pareek, V. Patidar, K.K. Sud, Image encryption using chaotic logisticmap, Image Vis. Comput. 24 (9) (2006) 926–934.

[18] K.W. Wong, S.W. Ho, C.K. Yung, A chaotic cryptography scheme forgenerating short ciphertext, Phys. Lett. A 310 (2003) 67–73.

[19] J. Wei, X. Liao, K.W. Wong, T. Zhou, Cryptoanalysis of a cryptosystemusing multiple one-dimensional chaotic maps, Commun. Nonlinear Sci.Numer. Simul. 12 (2007) 814–822.

[20] M.V. Jacobson, Absolutely continuous invariant measures for one-parameter families of one-dimensional maps, Commun. Math. Phys. 81(1981) 39–88.

[21] M.S. Baptista, M.B. Reyes, J.C. Sartorelli, C. Grebogi, E. Rosa,Communication-based on topology preservation of chaotic dynamics, 13(2003) 2551–2560.

[22] S. Banerjee, J.A. Yorke, C. Grebogi, Robust chaos, Phys. Rev. Lett. 80(1998) 3049–3052.

[23] T. Xiang, K.W. Wong, X. Liao, A novel symmetrical cryptosystem basedon discretized two-dimensionla chaptic maps, Phys. Lett. A 364 (2007)252–258.

[24] H.S. Kwok, W.K.S. Tang, A fast image encryption system based onchaotic maps with finite prescision representation, Chaos Solitons Fractals32 (2007) 1518–1529.

[25] K.W. Wong, A fast chaotic cryptographic scheme with dynamic look-uptable, Phys. Lett. A 310 (2002) 238–242.

[26] Crypto++ Library, http://www.cryptopp.com.