Hardware stream cipher with controllable chaos generator for colour ...

www.ietdl.org
Published in IET Image Processing
Received on 12th October 2012
Revised on 29th June 2013
Accepted on 14th July 2013
doi: 10.1049/iet-ipr.2012.0586
ISSN 1751-9659

Hardware stream cipher with controllable chaos generator for colour image encryption

Mohamed L. Barakat¹, Abhinav S. Mansingka¹, Ahmed G. Radwan², Khaled N. Salama¹

¹ Department of Electrical Engineering Program, King Abdullah University of Science and Technology (KAUST), Thuwal, Saudi Arabia
² Department of Engineering Mathematics, Faculty of Engineering, Cairo University, Giza, Egypt
E-mail: [email protected]

Abstract: This study presents a hardware realisation of a chaos-based stream cipher for image encryption applications. A third-order chaotic system with signum non-linearity is implemented and a new post processing technique is proposed to eliminate the bias from the original chaotic sequence. The proposed stream cipher utilises the processed chaotic output to mask and diffuse input pixels through several stages of XORing and bit permutations. The performance of the cipher is tested with several input images and compared with previously reported systems, showing superior security and higher hardware efficiency. The system is experimentally verified on a Xilinx Virtex 4 field programmable gate array (FPGA), achieving small area utilisation and a throughput of 3.62 Gb/s.

IET Image Process., 2014, Vol. 8, Iss. 1, pp. 33–43 doi: 10.1049/iet-ipr.2012.0586

1 Introduction

Inherent random behaviour and sensitivity to initial conditions promote chaos-based random number generators (CB-PRNGs) as efficient candidates for cryptographic applications [1–3]. Many CB-PRNGs have been digitally realised using chaotic maps [4, 5] and recently using the numerical solution of differential equations [6, 7]. Digital design provides area efficiency, repeatability, portability and integrability with IC technology [8]. However, digital CB-PRNGs suffer from serious dynamical degradations because of quantisation error and finite representation of system states, including loss of ergodicity and shorter pseudo orbits [9].

Chaos-based image encryption using stream ciphers is a vivid, yet challenging, application of chaos because of the high correlation between image pixels. Unlike block ciphers [10], stream ciphering [11] operates on smaller data units and satisfies the high throughput requirement for data transmission applications [12] such as wireless communications. Chaotic stream ciphers utilise CB-PRNGs to generate the key stream necessary for masking and diffusing image pixels. Nevertheless, flaws in CB-PRNGs result in weak encryption prone to various cryptanalysis attacks [13], which are therefore addressed by the hybridisation of two or more chaotic systems [14–17]. The work done by Huang [18] reports using a Chebyshev function to generate the key stream to mask and permute image pixels, in addition to a two-dimensional Chebyshev function to avoid known-plaintext and chosen-plaintext attacks. Wang et al. [19] also used three chaotic maps in their encryption, which alternates between block and stream ciphering. Liu and Wanga [20] utilised a true random number generator to provide the seed for a piecewise linear chaotic map which generates a key stream for image encryption. Amin et al. [21] used the tent map to generate a chaotic key stream to encrypt image bits through a non-linear transformation function. None of the previously mentioned encryption systems have been realised on hardware as they occupy a larger area and operate at lower throughput rates, losing the sole advantages of stream encryption.

To the best knowledge of the authors, this paper presents the first hardware realisation of a lightweight chaotic stream cipher utilised for coloured image encryption satisfying three corner requirements: (i) high throughput, (ii) robust encryption and (iii) small hardware area. A third-order jerk chaotic generator with signum non-linearity is utilised as a CB-PRNG. The size of the chaotic attractor is controlled dynamically by the input image, increasing the sensitivity of the output chaotic stream. This paper further introduces a new post processing technique to overcome the defects in CB-PRNGs while maintaining the same throughput and with a small hardware overhead. A thorough security analysis is provided for several images and the results are compared with the previously reported software-based encryption systems, showing a superior performance. The hardware utilisation and the maximum throughput of the proposed stream cipher are compared with known ciphers such as RC4 [22], E0 [23], A5/1 [23], SNOW 3G [24], AES [25] and so on, reflecting a higher hardware efficiency. The whole system is implemented on a Xilinx Virtex 4 FPGA.

© The Institution of Engineering and Technology 2013

2 Chaotic random number generator

The following set of three first-order ODEs describes a third-order non-autonomous double-scroll chaos generator [26, 27] with a single controllable time-varying parameter

$$
\begin{bmatrix} \dot{X} \\ \dot{Y} \\ \dot{Z} \end{bmatrix} =
\begin{bmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ -1 & -1 & -1 \end{bmatrix}
\begin{bmatrix} X \\ Y \\ Z \end{bmatrix} +
\begin{bmatrix} 0 \\ 0 \\ D_t\,\mathrm{sgn}(X) \end{bmatrix},
\qquad
\mathrm{sgn}(X) = \begin{cases} 1, & X \ge 0 \\ -1, & X < 0 \end{cases}
\tag{1}
$$

where $D_t$ is an arbitrary constant that controls the size of the attractor in real time and has no effect on the qualitative system dynamics [26]. The same system with different constants and without controllability was previously implemented [28] using the Euler approximation.

2.1 Digital realisation

A step size of $h = 2^{-2}$ is used to maximise chaos enhancement through the incorporation of additional truncation non-linearities [29–31]

$$
\begin{bmatrix} X_{t+h} \\ Y_{t+h} \\ Z_{t+h} \end{bmatrix} =
\begin{bmatrix} 1 & h & 0 \\ 0 & 1 & h \\ -h & -h & 1-h \end{bmatrix}
\begin{bmatrix} X_t \\ Y_t \\ Z_t \end{bmatrix} +
\begin{bmatrix} 0 \\ 0 \\ h D_t\,\mathrm{sgn}(X_t) \end{bmatrix}
\tag{2}
$$

The circuit schematic of the numerical solution is shown in Fig. 1. A fixed point two's complement format is used with 24 bits representing each of {X, Y, Z}: 1 bit is allocated to the sign and integer part and the remaining 23 bits to the fractional part. The constant $D_t$ is a 24-bit value that is added to or subtracted from X depending on whether X is positive or negative, respectively, and the result is stored in a temporary register T to reduce the critical path at the Z-register. This implements the signum non-linearity with the controllable input. From the diagram in Fig. 1, the total component count for this chaotic oscillator is three 24-bit adders, two 24-bit subtractors, one 24-bit adder/subtractor and four 24-bit registers. Since the scalar multiplications are by powers of 2, they reduce to arithmetic shifts that only rewire the bits and do not require any hardware. The initial condition (IC) of the state registers {X, Y, Z} is 72 bits wide and is provided by the user.

The constant $D_t$ that controls the attractor size is carefully designed to divide the controllability between the user and the input image, adding extra randomness to the system. The expression of $D_t$ is specified in terms of a 1-bit input $F_1$ derived from a linear feedback shift register (LFSR) with a seed provided by the user, and a 12-bit input $F_2$ as a feedback from the cipher system as follows

$$
D_t = \frac{1}{4} + \frac{F_1}{16} + \frac{F_2}{2^{16}}, \qquad F_1 \in \{0, 1\}, \qquad F_2 \in [0, 2^{12} - 1],\ F_2 \in \mathbb{N}
\tag{3a}
$$

$$
D_t = \{4'\mathrm{b}0010,\ F_1,\ F_2,\ 7'\mathrm{b}0\}, \qquad D_t[24\text{-bits}] = [\,0010\ F_1\ F_2\ 0000000\,]
\tag{3b}
$$

This guarantees that $D_t \in [0.25, 0.375)$ at any instance and simultaneously ensures that the attractor stays within the bounds of the fixed point representation space [−1, 1), verified through rigorous numerical simulation. Therefore the constant $D_t$ has an easy representation in binary form to realise the expression (3a) in terms of $F_1$ (1 bit) and $F_2$ (12 bits), given in (3b), where the first number '4' in the expression 4′b0010 represents the number of bits and 'b' implies a binary format followed by the logical bits [0010]. Thus, the expression 7′b0 is translated into seven logical zeros. The LFSR used for $F_1$ is 128 bits long with a feedback polynomial described in [32].

2.2 Post processing

Statistical defects in the output bits of chaotic oscillators cause short-term predictability [33] and thus reduce the security in cryptographic applications. To overcome such defects, this work proposes a post processing technique in which all 72 bits of the output are put through delayed feedback after a rotation of 1 bit to the right and an XORing operation, according to Fig. 2. Since 1 and 72 are relative primes, this guarantees that every output bit receives contributions from every single input bit, thus equalising the bias and completely suppressing short-term predictability. This follows from a general equation that gives the expectation after XORing of two bits [34]

$$
E(A \oplus B) \simeq \frac{1}{2} - 2\left(E(A) - \frac{1}{2}\right)\left(E(B) - \frac{1}{2}\right) - \frac{1}{2}\,r
\tag{4}
$$

where A and B are the correlated random variables with r denoting the correlation between A and B. If A is an ideal random variable (E(A) = 0.5) and B is loaded with bias (E(B) ≠ 0.5), the expression indicates that the XOR operation gives a result with lower bias (E(A ⊕ B) ≃ 0.5) provided the correlation is low (r ≃ 0). Area results of the chaotic generator before and after post processing are shown in Table 1. Hardware efficiency motivates implementing the rotation as simple rewiring without any hardware overhead. Synthesis results reflect the low hardware cost of post processing without affecting the frequency of operation.

Fig. 1 Circuit diagram of the fully digital third-order ODE-based non-autonomous double-scroll chaos generator

Fig. 2 Circuit diagram of the full CB-PRNG showing initial condition and controllable-size inputs, the post processing circuit and the resulting decomposition into three 24-bit outputs for use in the stream cipher

Table 1 Experimental results on XC4VSX35-10FF668 FPGA for the generator before and after post processing

| Components utilised | Chaotic generator | Chaotic generator with post processing |
|---|---|---|
| slices | 189 | 230 |
| slice FF | 219 | 291 |
| four input LUTs | 299 | 370 |
| Frequency, MHz | 153.4 | 153.4 |

2.3 Chaotic response

Oscilloscope traces of the attractors (X–Y–Z phase plots) of the original oscillator are shown in Figs. 3a–c, which demonstrate a good correspondence with the analogue attractor in [26]. A positive maximum Lyapunov exponent (MLE) for the output time series indicates the presence of chaotic dynamics. Given an arbitrary change in initial conditions, the MLE approximates the long-term divergence in the output by $\delta S(t) \simeq e^{\lambda t} S(\delta t)$, with a positive MLE confirming the existence of chaos. The software based on [35] enables the calculation of the MLE from a time series of discrete data, giving the result as 0.136.

The seed value of the resulting CB-PRNG is the initial condition of the {X, Y, Z} registers. In addition, the final post processed output is split into three 24-bit outputs {U, V, W} for utilisation in colour image encryption, given that a standard RGB image pixel is composed of 24 bits. The phase plots of {U, V, W} are shown in Figs. 3d–f, in which it is clear that post processing has suppressed the attractor shape, enabled full coverage of the entire available phase space and thus eliminated short-term predictability. The performance of the output under the NIST SP. 800-22 test suite is assessed in further sections after the description of the stream cipher.
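The generator of Section 2.1 and the post-processing stage of Section 2.2 can be modelled in software as below. This is an added example, not the authors' VHDL: the truncation point of the shift, wrap-on-overflow, the zero reset of the feedback register and the X‖Y‖Z word order are assumptions, and `F1`/`F2` are supplied by the caller instead of the LFSR and the cipher feedback.

```python
WIDTH = 24                       # 1 sign/integer bit + 23 fractional bits
MASK24 = (1 << WIDTH) - 1
MASK72 = (1 << 72) - 1


def wrap24(v):
    """Reduce an integer to a signed 24-bit two's-complement value."""
    v &= MASK24
    return v - (1 << WIDTH) if v >> (WIDTH - 1) else v


def make_dt(f1, f2):
    """Pack D_t = {4'b0010, F1, F2, 7'b0} = 1/4 + F1/16 + F2/2^16, per (3a), (3b)."""
    if f1 not in (0, 1) or not 0 <= f2 < (1 << 12):
        raise ValueError("F1 is 1 bit and F2 is 12 bits")
    return (0b0010 << 20) | (f1 << 19) | (f2 << 7)


def euler_step(x, y, z, dt):
    """One iteration of (2) with h = 2^-2, so each product is a 2-bit shift.
    Assumptions: the shift floors the summed term, and overflow wraps."""
    t = dt if x >= 0 else -dt                      # D_t * sgn(X_t)
    return (wrap24(x + (y >> 2)),
            wrap24(y + (z >> 2)),
            wrap24(z + ((t - x - y - z) >> 2)))


def ror72(v, n=1):
    """Rotate a 72-bit word right by n bits (pure rewiring in hardware)."""
    n %= 72
    return ((v >> n) | (v << (72 - n))) & MASK72


class PostProcessor:
    """Section 2.2 modelled as out[t] = raw[t] XOR ror(out[t-1], rot).
    Assumptions: feedback register resets to 0; raw = X || Y || Z."""

    def __init__(self, rot=1):
        self.rot, self.fb = rot, 0

    def push(self, x, y, z):
        raw = ((x & MASK24) << 48) | ((y & MASK24) << 24) | (z & MASK24)
        self.fb = raw ^ ror72(self.fb, self.rot)
        # Split the 72-bit word into the three 24-bit outputs U, V, W.
        return self.fb >> 48, (self.fb >> 24) & MASK24, self.fb & MASK24


def keystream(ic, f1_bits, f2_words):
    """Run the generator from ic = (X, Y, Z), one (F1, F2) pair per step,
    and return the list of post-processed (U, V, W) words."""
    state, pp, out = tuple(ic), PostProcessor(), []
    for f1, f2 in zip(f1_bits, f2_words):
        state = euler_step(*state, make_dt(f1, f2))
        out.append(pp.push(*state))
    return out


def positions_reached(rot, steps=72):
    """How many of the 72 bit positions a single raw bit is carried to by the
    rotated feedback; all 72 only when gcd(rot, 72) = 1."""
    v, seen = 1, set()
    for _ in range(steps):
        seen.add(v.bit_length() - 1)
        v = ror72(v, rot)
    return len(seen)
```

`positions_reached` makes the "1 and 72 are relative primes" argument concrete: a rotation of 1 spreads a bit over all 72 positions, whereas a rotation of 2 or 8 would confine it to 36 or 9.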

Fig. 3 Experimentally obtained (a) X–Y, (b) Y–Z, (c) X–Z original attractors from the digital chaotic oscillator, in addition to (d) U–V, (e) U–W, (f) V–W phase portraits after post processing the output. Results are drawn on an oscilloscope from a Xilinx Virtex 4 FPGA

3 Image encryption system

3.1 Encryption/decryption algorithm

Each input colour pixel undergoes several stages of diffusion using feedback, pixel confusion and bit permutations. Assume a consecutive sequence of plain image pixels $P_i$, where $i$ denotes the location index. Similarly, let $C_{i,j}$ denote a ciphered image pixel in the $i$th location at the $j$th encryption stage. Let $P_j$ denote the bit permutation in encryption, where the bit locations are shuffled, and let $\bar{P}_j$ denote the corresponding reverse permutation in decryption. The encryption algorithm is thus expressed as

$$
C_{i,j} = \begin{cases}
P_j(C_{i,j-1} \oplus U_i), & j = 1 \\
P_j(C_{i,j-1} \oplus V_i), & j = 2 \\
P_j(C_{i,j-1} \oplus W_i), & j = 3
\end{cases}
\tag{5a}
$$

$$
C_{i,0} = P_i \oplus C_{i-1,1} \oplus C_{i-2,2}
\tag{5b}
$$

The proposed algorithm consists of three identical stages of encryption to prevent any information leakage based on the values of input pixels. This process is performed on two levels: (i) masking each colour pixel value using the processed chaotic outputs, (ii) shuffling bits between the colour RGB layers through bit permutations $P_j$. The stream of ciphered pixels from the second stage $C_{i,2}$ is taken as feedback to the generator to control the attractor size $D_t$ dynamically, creating a direct relationship between the input image and the chaos generation. Another stage of encryption is required to distribute the effect of correlation between each two neighbouring pixels on the following consecutive pixel. In addition, the pixels constituting this stage, $C_{i-1,1}$ and $C_{i-2,2}$, are chosen after applying the bit permutations $P_1$ and $P_2$, respectively. For any random input pixel, if one bit flips, the following pixels experience an avalanche effect [36] with a flipping rate depending on the bit shuffling.

Hardware efficiency motivates implementation of the static reversible bit permutations through simple bit rewiring, which can be re-configured for different designs producing completely different outputs. In addition, to reduce the wiring complexity, permutations are performed on the nibble level. Each colour component is divided into 4-bit nibbles, yielding a total of six parts per pixel, and each encryption stage alternates between four different nibble shuffling schemes chaotically. Permutation matrices are described as follows

$$
C_{i,j} = P_j^m \times \begin{bmatrix} R_1 \\ R_2 \\ G_1 \\ G_2 \\ B_1 \\ B_2 \end{bmatrix}, \qquad j = 1, 2, 3, \ \text{and}\ m = 1, 2, 3, 4
\tag{6a}
$$

$$
P_j^1 = \begin{bmatrix}
0&0&0&0&0&1 \\ 0&0&1&0&0&0 \\ 1&0&0&0&0&0 \\ 0&0&0&0&1&0 \\ 0&1&0&0&0&0 \\ 0&0&0&1&0&0
\end{bmatrix}, \quad
P_j^2 = \begin{bmatrix}
0&1&0&0&0&0 \\ 0&0&0&1&0&0 \\ 0&0&1&0&0&0 \\ 1&0&0&0&0&0 \\ 0&0&0&0&0&1 \\ 0&0&0&0&1&0
\end{bmatrix}
$$

$$
P_j^3 = \begin{bmatrix}
0&1&0&0&0&0 \\ 0&0&0&0&1&0 \\ 0&0&0&0&0&1 \\ 0&0&1&0&0&0 \\ 0&0&0&1&0&0 \\ 1&0&0&0&0&0
\end{bmatrix}, \quad
P_j^4 = \begin{bmatrix}
0&0&0&0&0&1 \\ 0&0&0&1&0&0 \\ 0&0&1&0&0&0 \\ 1&0&0&0&0&0 \\ 0&1&0&0&0&0 \\ 0&0&0&0&1&0
\end{bmatrix}
\tag{6b}
$$

where $m$ denotes a permutation scheme. Each permutation matrix has a cyclicity index bigger than three and is not the inverse of any of the others. Moreover, the net effect of applying the three cascaded stages of permutations results in a different location from the original colour component, which guarantees inter-colour confusion. The decryption algorithm achieves a reverse operation as follows

$$
C_{i,j} = \begin{cases}
\bar{P}_j(C_{i,0} \oplus W_i), & j = 1 \\
\bar{P}_j(C_{i,0} \oplus V_i), & j = 2 \\
\bar{P}_j(C_{i,0} \oplus U_i), & j = 3
\end{cases}
\tag{7a}
$$

$$
P_i = C_{i,3} \oplus C_{i-1,1} \oplus C_{i-2,2}
\tag{7b}
$$

$$
\bar{P}_j^1 = \begin{bmatrix}
0&0&1&0&0&0 \\ 0&0&0&0&1&0 \\ 0&1&0&0&0&0 \\ 0&0&0&0&0&1 \\ 0&0&0&1&0&0 \\ 1&0&0&0&0&0
\end{bmatrix}, \quad
\bar{P}_j^2 = \begin{bmatrix}
0&0&0&1&0&0 \\ 1&0&0&0&0&0 \\ 0&0&1&0&0&0 \\ 0&1&0&0&0&0 \\ 0&0&0&0&0&1 \\ 0&0&0&0&1&0
\end{bmatrix}
$$

$$
\bar{P}_j^3 = \begin{bmatrix}
0&0&0&0&0&1 \\ 1&0&0&0&0&0 \\ 0&0&0&1&0&0 \\ 0&0&0&0&1&0 \\ 0&1&0&0&0&0 \\ 0&0&1&0&0&0
\end{bmatrix}, \quad
\bar{P}_j^4 = \begin{bmatrix}
0&0&0&1&0&0 \\ 0&0&0&0&1&0 \\ 0&0&1&0&0&0 \\ 0&1&0&0&0&0 \\ 0&0&0&0&0&1 \\ 1&0&0&0&0&0
\end{bmatrix}
\tag{7c}
$$
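A software walk-through of (5a) and (5b) with the nibble permutations of (6b), added here as an example and not taken from the authors' design. Decryption is written as the algebraic inverse of the encryption stages; the SHA-256 keystream is a stand-in for the chaotic generator, and the zero-reset history, the F2 tap (low 12 bits of the previous pixel's stage-2 value) and the MUX select bits (low 2 bits of each key word) are assumptions.

```python
import hashlib

# Rows of P^1..P^4 from (6b): output nibble r takes input nibble PERMS[m][r].
# Nibble order is R1, R2, G1, G2, B1, B2 with R1 most significant (assumption).
PERMS = ([5, 2, 0, 4, 1, 3], [1, 3, 2, 0, 5, 4],
         [1, 4, 5, 2, 3, 0], [5, 3, 2, 0, 1, 4])


def _nibbles(pixel):
    return [(pixel >> s) & 0xF for s in (20, 16, 12, 8, 4, 0)]


def _pack(nibbles):
    v = 0
    for n in nibbles:
        v = (v << 4) | n
    return v


def permute(pixel, m):
    """Apply permutation scheme m (0..3) to a 24-bit pixel."""
    n = _nibbles(pixel)
    return _pack([n[src] for src in PERMS[m]])


def unpermute(pixel, m):
    """Reverse permutation: the transpose of the matrix used by permute()."""
    n, out = _nibbles(pixel), [0] * 6
    for r, src in enumerate(PERMS[m]):
        out[src] = n[r]
    return _pack(out)


def order(m):
    """Number of applications of scheme m needed to return to the identity."""
    start = 0x123456                      # six distinct nibbles
    v, k = permute(start, m), 1
    while v != start:
        v, k = permute(v, m), k + 1
    return k


class StandInKeystream:
    """NOT the chaotic generator: a SHA-256 stand-in with the same interface
    (key in, 12-bit F2 feedback in, three 24-bit words U, V, W out)."""

    def __init__(self, key):
        self.key, self.i = key, 0

    def next(self, f2):
        d = hashlib.sha256(self.key + self.i.to_bytes(8, "big")
                           + f2.to_bytes(2, "big")).digest()
        self.i += 1
        return tuple(int.from_bytes(d[k:k + 3], "big") for k in (0, 3, 6))


def _run(pixels, key, decrypting):
    ks, out = StandInKeystream(key), []
    c1_prev = c2_prev = c2_prev2 = 0      # C[i-1,1], C[i-1,2], C[i-2,2]
    for p in pixels:
        u, v, w = ks.next(c2_prev & 0xFFF)   # image-dependent feedback F2
        if decrypting:
            c2 = unpermute(p, w & 3) ^ w
            c1 = unpermute(c2, v & 3) ^ v
            c0 = unpermute(c1, u & 3) ^ u
            out.append(c0 ^ c1_prev ^ c2_prev2)
        else:
            c0 = p ^ c1_prev ^ c2_prev2           # (5b)
            c1 = permute(c0 ^ u, u & 3)           # (5a), j = 1
            c2 = permute(c1 ^ v, v & 3)           # (5a), j = 2
            out.append(permute(c2 ^ w, w & 3))    # (5a), j = 3
        c1_prev, c2_prev2, c2_prev = c1, c2_prev, c2
    return out


def encrypt(pixels, key):
    return _run(pixels, key, False)


def decrypt(pixels, key):
    return _run(pixels, key, True)
```

Because the keystream for each pixel depends on the previous stage-2 value, the decryptor stays in step only if it reconstructs every intermediate value correctly, which is why a wrong key or a single flipped plaintext bit changes nearly every later pixel.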

3.2 Hardware realisation

Cipher and decipher hardware architectures are described in very-high-speed integrated circuit hardware description language (VHDL) and verified on a Xilinx Virtex 4 FPGA. The digital design consists of pipeline registers, two-input XOR gates and selection MUXs, in addition to permutation units, as shown in Fig. 4. Each stage contains a MUX that selects between four different permutation schemes randomly through a 2-bit chaotic signal coming from the chaotic outputs {U, V, W}. The system's key is 200 bits wide, is provided by the user, and is divided into 72 bits as IC to the chaotic generator and 128 bits as a seed to the LFSR. Table 2 summarises the area results of both architectures, without accounting for the chaotic generator and the post processing, achieving frequencies of up to 408 and 440 MHz for the cipher and decipher systems, respectively. Output signals of the FPGA are shown in Figs. 5a–f, obtained from the oscilloscope after applying an 8-bit staircase signal in the RED component with zeros in the remaining bits as an input test image. The input function $S_{in}(t)$ is described in binary form [using the same notation as in (3b)] as

$$
S_{in}(t) = \begin{cases}
\{24'\mathrm{b}0\}, & 0 \le t \le 50 \\
\{4'\mathrm{b}0100,\ 20'\mathrm{b}0\}, & 51 \le t \le 101 \\
\{4'\mathrm{b}1000,\ 20'\mathrm{b}0\}, & 102 \le t \le 152 \\
\{4'\mathrm{b}1100,\ 20'\mathrm{b}0\}, & 153 \le t \le 203 \\
\{8'\mathrm{b}1,\ 16'\mathrm{b}0\}, & 204 \le t \le 255
\end{cases}
\tag{8}
$$

where $t$ is an 8-bit counter. Unlike the input signal, the FFT of the ciphered signal is uniformly distributed over the whole spectrum with characteristics similar to white noise.

Fig. 4 Circuit diagram of (a) encryption, (b) decryption systems. Decryption implements a reverse functionality of the encryption

Table 2 Experimental results on XC4VSX35-10FF668 FPGA for the cipher and decipher systems

| Components utilised | Encryption system | Decryption system |
|---|---|---|
| slices | 164 | 202 |
| slice FF | 218 | 244 |
| four input LUTs | 236 | 249 |
| Frequency, MHz | 408.5 | 440.3 |

Fig. 5 Experimentally obtained results of (a) input test image (RED component), (b) staircase input signal, (c) FFT of the input signal, (d) output signal from the cipher, (e) FFT of the ciphered signal, (f) output signal from the decipher

4 Security analysis

The analysis in this section is conducted on a 512 × 512 coloured Lena.bmp. Experiments are carried out and the data are analysed using MATLAB.

4.1 Key space analysis

The initial states of the generator's registers (IC) in addition to the seed of the LFSR are considered the key of this proposed cipher. A brute-force attack systematically checks all possible keys until the correct one is found [37]. Secure encryption requires: (i) a large key space to make the brute-force attack inefficient, and (ii) sensitivity to the input key, in which small changes in the decipher's key lead to completely wrong decryption. In the proposed stream cipher, both the key provided by the user and the input image affect the chaotic output values from the generator, as discussed earlier, and consequently affect the permutation selection at each MUX. As a result, changing the input key or the input image produces a different sequence of permutations at each encryption stage and thus gives a completely different output. The chaotic generator utilised has three state registers, each 24 bits wide. On adding the 128-bit seed of the LFSR, the total key space in this system is $2^{200}$.

Key sensitivity is visually inspected by examining the wrong decrypted image when altering the system's key, as shown in Fig. 7c. Quantitatively, key sensitivity is measured through the mean-square error (MSE), which assesses the distortion in the wrong decrypted image compared with the original one when the input key to the decryption system is wrong. The MSE test is described as

$$
\mathrm{MSE} = \frac{1}{M \times N} \sum_{i=1}^{M} \sum_{j=1}^{N} \left[ P(i, j) - D(i, j) \right]^2
\tag{9}
$$

where M and N are the width and height of the image, respectively, P(i, j) is the original plain image pixel and D(i, j) is the corresponding deciphered image pixel. A higher MSE value reflects a bigger difference between the two images, indicating higher sensitivity to the system's key. Fig. 6 depicts the MSE values of the wrong deciphered image with respect to the number of error bits in the decryption key. The values shown in the figure imply that the system is highly sensitive to even a 1-bit error in the decryption key and remains at the same sensitivity level with additional erroneous bits. It is also shown that the MSE values of the colour components are ordered irrespective of the number of error bits; green MSE is the lowest and blue MSE is the highest. This is a direct result of the feedback $F_2$, which creates a relationship between the input image and the chaotic generation as explained earlier. Thus, MSE values change with the input image, producing a profile for each colour component differing from one image to another.

Fig. 6 MSE values with respect to the number of error bits in the decryption

4.2 Histogram analysis

An image histogram depicts the statistical distribution of colour intensities. Secure ciphered images are characterised by flat histograms for all colours, in which the intensities are evenly distributed over the whole colour scale. Visual inspection of the histograms in Fig. 7 confirms the uniform distribution of the RGB colour components. Furthermore, a χ² test is performed on the RGB histograms to analytically examine the quality of the uniform distribution. The test is used to determine whether there is a significant difference between the expected number of intensity counts for colour levels and the observed counts in the ciphered image assuming a uniform distribution [38] and is described as

$$
\chi^2 = \sum_{i=1}^{L} \frac{(O_i - E_i)^2}{E_i}
\tag{10}
$$

where $E_i$ is the expected occurrence of each colour level asserted by the null hypothesis, L is the number of colour levels (256) and $O_i$ is the observed count of each colour level [0–255]. With a significance level of 0.05, it is found that $\chi^2_{test} < \chi^2(255, 0.05)$ for the three histograms, implying that the null hypothesis is not rejected and the histogram distributions are uniform.

Fig. 7 Visual analysis for the encryption quality: (a) original image, (b) ciphered image, (c) wrong deciphered image (1-bit error in the key), in addition to (d)–(f) histograms of the RGB components for the original image and similarly (g)–(i) for the ciphered image

4.3 Pixel correlation analysis

High correlation between adjacent pixels in the images requires an efficient confusion and diffusion algorithm to keep the correlation in the ciphered image as low as possible. The correlation coefficient ρ between two adjacent pixels $x_i$ and $y_i$ can be calculated as [37]

$$
\mathrm{cov}(x, y) = \frac{1}{N} \sum_{i=1}^{N} \left( x_i - \frac{1}{N} \sum_{j=1}^{N} x_j \right) \left( y_i - \frac{1}{N} \sum_{j=1}^{N} y_j \right)
\tag{11a}
$$

$$
D(x) = \frac{1}{N} \sum_{i=1}^{N} \left( x_i - \frac{1}{N} \sum_{j=1}^{N} x_j \right)^2
\tag{11b}
$$

$$
\rho = \frac{\mathrm{cov}(x, y)}{\sqrt{D(x)}\,\sqrt{D(y)}}
\tag{11c}
$$

where cov(x, y) is the covariance between the two pixels and N is the total number of pixels selected from the image for the calculation. Table 3 summarises the auto correlation coefficients for horizontal, vertical and diagonal orientations of the original and ciphered image, and Fig. 8 shows the visual inspection of the horizontal correlation for the RGB components. Furthermore, to measure how different the ciphered image is from the original, the cross-correlation coefficients are calculated using the same equations in (11a–c) by considering each pixel value $x_i$ from the original image and its corresponding pixel $y_i$ from the ciphered one. Cross-correlation coefficients are found to be 0.0035, −0.001 and 0.0002 for the RGB colours, respectively. Low coefficient values imply that a robust confusion and diffusion algorithm is implemented in the system to prevent any information leakage regarding pixel correlations.

Table 3 Correlation coefficients for the horizontal, vertical and diagonal orientations for both original and ciphered images

| Axis | Original image, Red | Original image, Green | Original image, Blue | Ciphered image, Red | Ciphered image, Green | Ciphered image, Blue |
|---|---|---|---|---|---|---|
| horiz. | 0.9753 | 0.9748 | 0.9532 | 0.001 | 0.0005 | 0.0015 |
| vert. | 0.9871 | 0.9872 | 0.9741 | 0.0016 | 0.0022 | 0.004 |
| diag. | 0.9634 | 0.9630 | 0.9334 | −0.004 | 0.0032 | −0.003 |

Fig. 8 Visual inspection for the horizontal correlation: (a)–(c) original image RGB colours, respectively, and similarly (d)–(f) ciphered image RGB
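The statistics of (9), (10) and (11a)–(11c) in plain Python, as an added example (the paper's analysis used MATLAB and its code is not on this page). The 64 × 64 ramp and its SHA-256-masked copy are constructed inputs, 293.2478 is the standard χ²(255, 0.05) critical value, and returning 0.0 for a zero-variance channel is a choice made here.

```python
import hashlib
from math import sqrt

CHI2_CRIT_255_005 = 293.2478   # chi-square critical value, 255 d.o.f., alpha = 0.05


def mse(plain, deciphered):
    """Equation (9) over two equal-length channel arrays (flattened M x N)."""
    return sum((p - d) ** 2 for p, d in zip(plain, deciphered)) / len(plain)


def chi_square(channel, levels=256):
    """Equation (10) against the uniform null hypothesis E_i = n / levels."""
    hist = [0] * levels
    for v in channel:
        hist[v] += 1
    e = len(channel) / levels
    return sum((o - e) ** 2 / e for o in hist)


def correlation(xs, ys):
    """Equations (11a)-(11c). (11c) is undefined when a variance is zero,
    e.g. for an all-black channel; this sketch returns 0.0 in that case."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    dx = sum((x - mx) ** 2 for x in xs) / n
    dy = sum((y - my) ** 2 for y in ys) / n
    return 0.0 if dx == 0 or dy == 0 else cov / (sqrt(dx) * sqrt(dy))


def adjacent_pairs(channel, width, height, direction):
    """Neighbouring pixel pairs: 'h' horizontal, 'v' vertical, 'd' diagonal."""
    dx, dy = {"h": (1, 0), "v": (0, 1), "d": (1, 1)}[direction]
    xs, ys = [], []
    for r in range(height - dy):
        for c in range(width - dx):
            xs.append(channel[r * width + c])
            ys.append(channel[(r + dy) * width + c + dx])
    return xs, ys


def report(channel, width, height):
    """Correlation in the three orientations plus the histogram test result."""
    out = {d: correlation(*adjacent_pairs(channel, width, height, d))
           for d in "hvd"}
    out["chi2"] = chi_square(channel)
    out["uniform"] = out["chi2"] < CHI2_CRIT_255_005
    return out


# Constructed inputs: a smooth 64x64 ramp (one colour channel), and the ramp
# XORed with a SHA-256 counter stream standing in for a cipher output.
# The stand-in is not the paper's cipher.
W = H = 64
RAMP = [(4 * c) % 256 for r in range(H) for c in range(W)]
_PAD = b"".join(hashlib.sha256(b"demo" + i.to_bytes(4, "big")).digest()
                for i in range(W * H // 32))
NOISE = [p ^ k for p, k in zip(RAMP, _PAD)]

if __name__ == "__main__":
    for name, img in (("ramp", RAMP), ("masked", NOISE)):
        print(name, report(img, W, H))
    print("MSE ramp vs masked:", mse(RAMP, NOISE))
```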

4.4

Entropy analysis

The entropy is a measure of the predictability of a random source. The ciphered image data should appear as random noise to avoid any information leakage. For a binary source S producing 28 symbols of equal probabilities each symbol is 8-bits wide and the entropy of this source is defined as [36] 2  8

Entropy = −

P(Si ) log2 P(Si )

i=1

40

& The Institution of Engineering and Technology 2013

(12)

where P(Si) is the probability of the symbol Si. A source with entropy equal to 8 is considered truly random. Table 4 depicts the entropy values of the ciphered image compared with the original ones which imply the high randomness levels achieved by the proposed stream cipher. 4.5

Differential analysis

To prevent revelation of any meaningful statistical relationships between the input and the output, small changes in the original image should result in significant changes in the ciphered image. In general, this property is directly controlled by the quality of diffusion and confusion adopted in the system. Quantitatively, the sensitivity of the encryption algorithm to the input is evaluated through two tests [37]. The first test is the NPCR, which represents the number of pixels change rate of the ciphered image while one pixel of the original image has changed. Assume two ciphered images, C1 and C2, whose corresponding original images have only one pixel difference, the NPCR value is Table 4 Entropy results for original and ciphered images for all the colour components Entropy red green blue

Original image

Ciphered mage

7.2634 7.5899 6.9854

7.9994 7.9993 7.9993

IET Image Process., 2014, Vol. 8, Iss. 1, pp. 33–43 doi: 10.1049/iet-ipr.2012.0586

33.367 33.406 33.447

4.6

Strict avalanche criterion

The strict avalanche criterion (SAC), first introduced in [36], examines the bit level difference between the input and the Table 6 NIST SP. 800-22 tests for the original and processed chaos output as well as the ciphered image Test

monobits block frequency cumulative sums runs longest run rank FFT N. O. template O. template universal app. entropy random Exc. random Exc. Var. serial linear complexity final result

Original chaos

Processed chaos

PV

PP

PV

✓ x x x x x x x x x x ✓ ✓ x ✓

0.96 0.95 0.95 0.79 0.76 0.91 0.85 0.80 0.78 0.83 0.74 0.97 0.99 0.68 1.00

✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

fail

PP 1.00 1.00 1.00 0.99 0.99 0.98 1.00 0.99 1.00 0.99 0.99 0.99 1.00 0.99 0.98 pass

IET Image Process., 2014, Vol. 8, Iss. 1, pp. 33–43 doi: 10.1049/iet-ipr.2012.0586

Ciphered image PV ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

PP 0.95 1.00 0.95 1.00 1.00 1.00 0.95 0.98 1.00 1.00 0.91 0.97 1.00 0.95 1.00 pass

99.594 99.596 99.597 99.594 99.592 99.593 99.594 99.592 99.593 99.599 99.594 99.593 99.595 99.589 99.59 99.592 99.589 99.591 Ciphered Original

0.0008 −0.0034 −0.0038 0.0045 −0.0027 −0.0037 −0.0005 −0.0039 0.0008 −0.0001 0.0011 −0.0016 0.0013 −0.0017 0.0018 0 0 0 −0.0031 −0.0005 0.002 −0.0019 0.0038 0.0012 −0.002 −0.0019 −0.0016 −0.0013 0.0002 0.0013 0.0003 −0.0014 0.0013 0.004 −0.0039 −0.0005 −0.0013 0.0027 0.0003 −0.0006 −0.0021 −0.0045 −0.0008 −0.0036 0.0005 −0.002 0.0008 −0.0022 0.0002 0.0008 0.0002 −0.0001 0.0047 −0.0004 red green blue red green blue red green blue red green blue red green blue red green blue

Both tests are conducted 500 times with inputs having only 1-bit change randomly in only pixel with an arbitrary location. Table 5 depicts the mean values of the NPCR and UACI tests for all the colour components. The results reflect the effect of using the chained confusion algorithm implemented in the system in which changing 1-bit in the input affects the chaotic sequence from the generator resulting in a completely different output.

Diag.

(14)

Vert.

  M  N  C1 (i, j) − C2 (i, j) 1  × 100 UACI = 255 M × N i=1 j=1

Horiz.

The second test is the UACI which represents the unified average changing intensity measuring the average intensity difference of two ciphered images, whose corresponding original image has only one pixel difference as follows

Diag.

(13b)

Cross corr.

M  N 1  D(i, j) M × N i=1 j=1

Entropy

(13a)

Vert.

C1 (i, j) = C2 (i, j) C1 (i, j) = C2 (i, j)

Ciphered image corr.

NPCR =

0, 1,

Original image corr.

D(i, j) =

Table 7 Correlation, entropy and differential analysis results for coloured images obtained from USC-SIPI image database



Horiz.

expressed as

black image

32.837 32.936 32.905

peppers (4.0.07)

33.839 33.972 33.946

sailboat (4.2.06)

99.59 99.592 99.589

airplane (4.0.04)

99.4 99.425 99.442

mandrill (4.2.03)

99.743 99.742 99.748

33.417 33.465 33.457 33.479 33.497 33.571 33.573 33.459 33.519 33.401 33.497 33.506 33.488 33.457 33.426 33.438 33.359 33.379

Mean

7.9993 7.9993 7.9993 7.9993 7.9995 7.9994 7.9992 7.9992 7.9992 7.9993 7.9994 7.9993 7.9993 7.9993 7.9994 7.9993 7.9993 7.9993

Min

6.9481 6.8845 6.1265 7.7067 7.4744 7.7522 6.7178 6.7990 6.2138 7.3124 7.6429 7.2136 7.3388 7.4963 7.0583 0 0 0

Max

0.0007 −0.0007 0.0012 0.0004 0.0007 0.0009 0.0007 0.0014 0.0002 0.0024 −0.0001 −0.0005 −0.0032 −0.0015 0.0015 0.0002 0.0003 −0.0011

Mean

0.9894 0.9711 0.9649 0.8543 0.7348 0.8399 0.9343 0.9326 0.9146 0.9420 0.9530 0.9530 0.9564 0.9687 0.9478 1 1 1

Min

NPCR, %

Max

0.9951 0.9871 0.9789 0.8660 0.7650 0.8809 0.9568 0.9678 0.9353 0.9541 0.9663 0.9694 0.9663 0.9818 0.9664 1 1 1

UACI, %

Image (file name)

red green blue

NPCR, %

UACI, %

Colour

0.9936 0.9812 0.9826 0.9231 0.8655 0.9073 0.9726 0.9578 0.9640 0.9558 0.9715 0.9710 0.9635 0.9811 0.9665 1 1 1

components

splash (4.2.01)

Table 5 Differential analysis results for all the colour

49.995 49.989 49.987 49.991 49.984 49.989 49.999 49.987 49.969 49.977 49.999 49.993 49.976 49.994 49.978 49.993 49.978 49.971

SAC, %

www.ietdl.org

41

& The Institution of Engineering and Technology 2013

www.ietdl.org Table 8 Comparison in the security analysis results between the proposed cipher and other reported software-based chaotic systems Analysis

horiz. corr. vert. corr. diag. corr. entropy NPCR, % UACI, %

Huang [18]

Wang et al. [19]

Liu and Wanga [20]

Amin et al. [21]

This work

− 0.097

0.014

0.0965

− 0.021

0.002

0.0484

− 0.009

− 0.031

− 0.014

0.0016

− 0.07

0.005

0.0362

− 0.035

0.002

— 99.31 33.46

7.9939 98.563 33.081

7.9845 99.606 33.393

7.9998 99.61 33.41

7.9993 99.601 33.462

output data because of a 1-bit change in the input. Ciphers with a good SAC property theoretically achieve a 50% bit difference between the input and the output images. The SAC value for the proposed stream cipher is calculated 500 times with only a 1-bit change in the input image, resulting in mean values of 49.995, 49.992 and 49.988% for the RGB colours, respectively. The results confirm the high sensitivity of the encryption algorithm originating from the dynamic control of the attractor size Dt and the permutation functions used.

4.7 Statistical randomness analysis

The randomness of the CB-PRNG utilised and of the ciphered image is assessed using the NIST SP 800-22 statistical test suite [39]. Table 6 shows the NIST results for the chaotic output before and after post processing as well as the ciphered image. The results are represented by the proportion of the passing sequences and the validity of the P-value (PV) distribution. The results imply that the post processing effectively removed the bias in the original chaotic stream, producing uniformly distributed random bits. In addition, the ciphered image is considered as a pseudo random noise source.

4.8 Application to other images and comparison

The security of the proposed system is further examined for five standard coloured images obtained from the miscellaneous volume of the University of Southern California-Signal and Image Processing Institute (USC-SIPI) image database [40] in addition to a black image where the RGB components are all zeros. Table 7 depicts the correlation and entropy in addition to the mean values of the differential analysis, and SAC values for all the six images. The results imply that the proposed stream cipher maintains the same high security levels regardless of the input image.

5 Comparison with previous work

The security performance of the proposed stream cipher is evaluated in Table 8 as compared with four recent chaos-based image encryption systems [18–21]. This comparison is based on the mean values of the correlation coefficients, entropy and differential analysis. Unfortunately, a hardware comparison between the proposed system and the previously reported systems is not given since they have not been implemented in hardware. The results reflect that the proposed system outperforms all the others and imply the high level of randomness and robust encryption achieved.

In addition to the security comparison, the hardware area efficiency and throughput results of the proposed stream cipher are compared in Table 9 with standard stream and block cipher systems such as RC4 used in the 802.11 Wi-Fi security protocol, E0 used in the Bluetooth protocol, A5/1 used in GSM communications, SNOW 3G used by the 3GPP group as a mobile cellular standard, and the advanced encryption standard (AES) adopted in many applications. Since this paper exhibits an FPGA implementation, the gate count is expressed as 8 × (LUT + FF) to facilitate a basic area/throughput comparison between systems. As shown in Table 9, the proposed system yields the highest area/throughput ratio compared with all other systems and therefore achieved the best hardware efficiency. Together with the high security accomplished, the proposed stream cipher can be considered a new encryption standard.
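The SAC experiment described above and the NPCR and UACI rows of Table 8 can be computed for any byte-oriented cipher as in the following added example, which is not the paper's implementation. The two ciphers are constructed SHA-256-based stand-ins (the chaotic generator is not reproduced), NPCR and UACI use their standard definitions, and the key, image size and all function names are assumptions.

```python
import hashlib

def _pass(key: bytes, data: bytes, feedback: bool) -> bytes:
    """One masking pass; with feedback, each ciphertext byte re-seeds the generator."""
    out, state = bytearray(), hashlib.sha256(key).digest()
    for p in data:
        c = p ^ state[0]
        out.append(c)
        state = hashlib.sha256(state + (bytes([c]) if feedback else b"")).digest()
    return bytes(out)

def xor_mask(key: bytes, img: bytes) -> bytes:
    """Stand-in A (constructed): masking only, keystream never sees the data."""
    return _pass(key, img, False)

def feedback_cipher(key: bytes, img: bytes) -> bytes:
    """Stand-in B (constructed): forward pass, then a pass over the reversed data."""
    return _pass(key + b"/2", _pass(key + b"/1", img, True)[::-1], True)[::-1]

def bit_diff_percent(a: bytes, b: bytes) -> float:
    """SAC figure: percentage of output bits that differ between two outputs."""
    return 100.0 * sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def npcr_uaci(c1: bytes, c2: bytes) -> tuple:
    """Standard NPCR and UACI, both in %, for 8-bit samples."""
    n = len(c1)
    npcr = 100.0 * sum(x != y for x, y in zip(c1, c2)) / n
    uaci = 100.0 * sum(abs(x - y) for x, y in zip(c1, c2)) / (255 * n)
    return npcr, uaci

def flip_bit(img: bytes, bit: int) -> bytes:
    buf = bytearray(img)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def mean_sac(cipher, key: bytes, img: bytes, trials: int = 20) -> float:
    """Repeat the 1-bit-change experiment at evenly spaced bit positions."""
    base, nbits = cipher(key, img), 8 * len(img)
    total = sum(bit_diff_percent(base, cipher(key, flip_bit(img, t * nbits // trials)))
                for t in range(trials))
    return total / trials

KEY = b"constructed-demo-key"   # constructed value
IMAGE = bytes(4096)             # constructed all-zero "black image"

if __name__ == "__main__":
    for name, fn in (("masking only", xor_mask), ("with feedback", feedback_cipher)):
        print(name, "SAC %:", round(mean_sac(fn, KEY, IMAGE), 3))
```

With masking alone, a 1-bit input change flips exactly one output bit, so the SAC figure is near zero; once the ciphertext is fed back into the generator, the figure approaches the 50% ideal and NPCR/UACI approach the values seen in Table 8.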

6 Conclusion

This paper presents the first hardware realisation of the chaos-based stream cipher designed for image encryption applications. The encryption system utilises a third-order jerk chaotic generator with signum non-linearity in addition to a dynamically controllable attractor size. To reduce the bias in the output sequence, a simple post processing technique is proposed with a small hardware cost. The ciphering algorithm masks and permutes the original pixels creating a feedback loop between the ciphered image and the chaotic generator to increase the output sensitivity to small changes in the input. The security analysis is conducted for several images and the results are compared with previously reported systems which confirm the superior performance of the proposed system. Finally, the proposed stream cipher system can be considered as a new symmetric encryption standard.

Table 9 Comparison in the hardware performance results between the proposed system and other reported non-chaos-based ciphers

| System | Area (Gc) | T.put, Mb/s | Efficiency T.put/area | Implementation target |
|---|---|---|---|---|
| Mickey128 [2] | 5039 | 413.2 | 0.082 | ASIC |
| Trivium [25] | 2580 | 327.9 | 0.127 | ASIC |
| Moustique [41] | 7264 | 369 | 0.05 | FPGA |
| Salsa20 [42] | 12 126 | 121 | 0.009 | ASIC |
| RC4 [22] | 10 653 | 135.52 | 0.013 | FPGA |
| E0 [23] | 1902 | 93.36 | 0.049 | FPGA |
| A5/1 [23] | 932 | 90.85 | 0.097 | FPGA |
| SNOW 3G [24] | 25 016 | 7968 | 0.318 | ASIC |
| AES [43] | 14 322 | 3709 | 0.259 | FPGA |
| this work | 8968 | 3682.87 | 0.411 | FPGA |

7

References

1 Liu, F., Wu, C.-K.: ‘Robust visual cryptography-based watermarking scheme for multiple cover images and multiple owners’, IET Inf. Secur., 2011, 5, (2), pp. 121–128
2 Ding, Q., Wang, J.N.: ‘Design of frequency-modulated correlation delay shift keying chaotic communication system’, IET Commun., 2011, 5, (7), pp. 901–905
3 Wagemakers, A., Escribano, F.J., López, L., Sanjuán, M.A.F.: ‘Competitive decoders for turbo-like chaos-based systems’, IET Commun., 2012, 6, (10), pp. 1278–1283
4 Chen, S.-L., Hwang, T., Chang, S.-M., Lin, W.-W.: ‘A fast digital chaotic generator for secure communication’, Int. J. Bifurcation Chaos, 2010, 20, (12), pp. 3969–3987
5 Li, C.-Y., Chen, Y.-H., Chang, T.-Y., Deng, L.-Y., To, K.: ‘Period extension and randomness enhancement using high-throughput reseeding-mixing PRNG’, Trans. Very Large Scale Integr. (VLSI) Syst., 2012, 20, (2), pp. 385–389
6 Zidan, M.A., Radwan, A.G., Salama, K.N.: ‘Controllable v-shape multiscroll butterfly attractor: system and circuit implementation’, Int. J. Bifurcation Chaos, 2012, 22, (6), pp. 1250143–1250156
7 Zidan, M.A., Radwan, A.G., Salama, K.N.: ‘Random number generation based on digital differential chaos’. Int. Midwest Symp. Circuits Syst. (MWSCAS), 2011, pp. 1–4
8 Taylor, G., Cox, G.: ‘Digital randomness’, IEEE Spectr., 2011, 48, (9), pp. 32–58
9 Li, S., Chen, G., Mou, X.: ‘On the dynamical degradation of piecewise linear chaotic maps’, Int. J. Bifurcation Chaos, 2005, 15, (10), pp. 3119–3152
10 Barakat, M.L., Radwan, A.G., Salama, K.N.: ‘Hardware realization of chaos-based block cipher for image encryption’. Int. Conf. Microelectronics (ICM), 2011, pp. 1–5
11 Kircanski, A., Youssef, A.M.: ‘On the sliding property of SNOW 3G and SNOW 2.0’, IET Info. Secur., 2011, 5, (4), pp. 199–206
12 Millérioux, G., Guillot, P.: ‘Self-synchronizing stream ciphers and dynamical systems: state of the art and open issues’, Int. J. Bifurcation Chaos, 2010, 20, (9), pp. 2979–2991
13 Alvarez, G., Amigó, J.M., Arroyo, D., Li, S.: ‘Lessons learnt from the cryptanalysis of chaos-based ciphers’, in Kocarev, L., Lian, S. (Eds.): ‘Chaos-Based Cryptography’ (Springer, Berlin/Heidelberg, 2011), vol. 354, pp. 257–295
14 Gao, T., Chen, Z.: ‘Image encryption based on a new total shuffling algorithm’, Chaos Solitons Fractals, 2008, 38, (1), pp. 213–220
15 Giesl, J., Behal, L., Vlcek, K.: ‘Improving chaos image encryption speed’, Int. J. Future Gener. Commun. Netw., 2009, 2, (3), pp. 23–36
16 Ismail, I.A., Ismail, M., Diab, H.: ‘A digital image encryption algorithm based a composition of two chaotic logistic maps’, Int. J. Netw. Sec., 2010, 11, (1), pp. 1–9
17 Huang, C.K., Nienb, H.H.: ‘Multi chaotic systems based pixel shuffle for image encryption’, Opt. Commun., 2009, 282, (11), pp. 2123–2127
18 Huang, X.: ‘Image encryption algorithm using chaotic Chebyshev generator’, Nonlinear Dyn., 2012, 67, (4), pp. 2411–2417
19 Wang, X., Wang, X., Zhao, J., Zhang, Z.: ‘Chaotic encryption algorithm based on alternant of stream cipher and block cipher’, Nonlinear Dyn., 2011, 63, (4), pp. 587–597
20 Liu, H., Wanga, X.: ‘Color image encryption based on one-time keys and robust chaotic maps’, Comput. Math. Appl., 2010, 59, (10), pp. 3320–3327
21 Amin, M., Faragallah, O.S., Abd El-Latif, A.A.: ‘A chaotic block cipher algorithm for image cryptosystems’, Commun. Nonlinear Sci. Numer. Simul., 2010, 15, (11), pp. 3484–3497
22 Hamalainen, P., Hannikainen, M., Hamalainen, T., Saarinen, J.: ‘Hardware implementation of the improved WEP and RC4 encryption algorithms for wireless terminals’. Eur. Signal Proc. Conf., 2000, pp. 2289–2292
23 Batina, L., Lano, J., Mentens, N., Örs, S.B., Verbauwhede, B., Preneel, I.: ‘Energy, performance, area versus security trade-offs for stream ciphers’. State of the Art of Stream Ciphers, Workshop Record, ECRYPT, 2004
24 Kitsos, P., Selimis, G., Koufopavlou, O.: ‘High performance ASIC implementation of the SNOW 3G stream cipher’. Int. Conf. Very Large Scale Integration, 2008
25 Good, T., Benaissa, M.: ‘ASIC hardware performance’, in Robshaw, M., Billet, O. (Eds.): ‘New stream cipher designs’ (Springer, Berlin/Heidelberg, 2008) pp. 267–293
26 Sprott, J.C.: ‘A new class of chaotic circuit’, Phys. Lett. A, 2000, 266, (1), pp. 19–23
27 Elwakil, A.S., Salama, K.N., Kennedy, M.P.: ‘A system for chaos generation and its implementation in monolithic form’. Int. Symp. Circuits Syst. (ISCAS), 2000, pp. 217–220
28 Mansingka, A.S., Radwan, A.G., Zidan, M.A., Salama, K.N.: ‘Analysis of bus width and delay on a fully digital signum nonlinearity chaotic oscillator’. Int. Midwest Symp. Circuits Syst. (MWSCAS), 2011, pp. 1–4
29 Sprott, J.C.: ‘Chaos and time-series analysis’ (Oxford University Press, 2003)
30 Zidan, M.A., Radwan, A.G., Salama, K.N.: ‘The effect of numerical techniques on differential equation based chaotic generators’. Int. Conf. Microelectronics (ICM), 2011, pp. 1–4
31 Mansingka, A.S., Radwan, A.G., Salama, K.N.: ‘Design, implementation and analysis of fully digital 1-D controllable multiscroll chaos’. Int. Conf. Microelectronics (ICM), 2011, pp. 1–5
32 Alfke, P.: ‘Efficient shift registers, LFSR counters, and long pseudo random sequence generators’. Xilinx Application Note, 1996
33 Yalcin, M.E., Suykens, J.A.K., Vandewalle, J.: ‘True random bit generation from a double-scroll attractor’, Trans. Circuits Syst. I, Reg. Pap., 2004, 51, (7), pp. 1395–1404
34 Davies, R.B.: Exclusive OR (XOR) and Hardware Random Number Generators. Available at: http://www.robertnz.net/pdf/xor2.pdf, February 2002
35 Kodba, S., Perc, M., Marhl, M.: ‘Detecting chaos from a time series’, Eur. J. Phys., 2005, 26, (1), pp. 205–215
36 Webster, A., Tavares, S.: ‘On the design of S-boxes’, in Williams, H. (Ed.): ‘Advances in cryptology’ (Springer, Berlin/Heidelberg, 1986), pp. 523–534
37 Corrochano, E.B., Mao, Y., Chen, G.: ‘Chaos-based image encryption’, in Corrochano, E.B. (Ed.): ‘Handbook of geometric computing’ (Springer, Berlin Heidelberg, 2005), pp. 231–265
38 L’Ecuyer, P., Simard, R.: ‘TestU01: A C library for empirical testing of random number generators’, ACM Trans. Math. Softw., 2007, 33, (4), pp. 22–40
39 Rukhin, A., Soto, J., Nechvatal, J., et al.: ‘A statistical test suite for random and pseudorandom number generators for cryptographic applications’, NIST Special Publication 800-22, 2001
40 Weber, A.G.: (1997) The USC-SIPI image database version 5. USC-SIPI Rep. no. 315. Available at: http://www.sipi.usc.edu/services/database/Database.html
41 Daemen, J., Kitsos, P.: ‘The self-synchronizing stream cipher Moustique’, in Robshaw, M., Billet, O. (Eds.): ‘New stream cipher designs’ (Springer, Berlin/Heidelberg, 2008), pp. 210–223
42 Good, T., Benaissa, M.: ‘Hardware results for selected stream cipher candidates’. Workshop Record of Stream Ciphers (SASC), 2007, pp. 191–204
43 Bouhraoua, A.: ‘Design feasibility study for a 500 Gbits/s advanced encryption standard cipher/decipher engine’, IET Comput. Digit. Tech., 2010, 4, (4), pp. 334–348
