ZigZag transform with Durstenfeld shuffle for fast and secure image encryption

Abstract

In this study, we propose an image encryption algorithm based on ZigZag transform with Durstenfeld Shuffling Algorithm (DSA), where we adopt confusion–diffusion architecture. Our encryption method is simpler to implement than high-dimensional chaos-based approaches, and its computational complexity is very low, which make it very fast and suitable for real-world applications. Additionally, its dependence on plaintext image makes it adaptive and hence very robust against brute force and differential attacks. Experimental analyses using histogram, correlation, NIST, NPCR, UACI and PSNR values suggest that our proposed algorithm is strong and secure against statistical and differential attacks.

Keywords:

• Image encryption
• ZigZag transform
• Durstenfeld Shuffling Algorithm
• security
• privacy

1. Introduction

Developments in information and communication technologies have enabled easier and low-cost generation, transmission and storage of vast amounts of data at every aspect of business, industry and daily life. Especially in the last two decades, due to the growth of the Internet and the use of mobile devices, primary type of data being generated and shared has become images (Ben Slimane et al., 2018). In addition, security of images must be ensured to protect them against unauthorised access and to keep their confidentiality as they may contain highly sensitive and personal information. Therefore, secure storage and sharing of image data has become more important than ever, and image encryption has become a topic of high interest among researchers and practitioners (Li et al., 2019).

Image data has some intrinsic characteristics that make it more challenging for encryption approaches. First, size of images in practical applications is very large in general, which makes it difficult to encrypt them in a reasonable amount of time. Second, image data contains too much redundancy and very high correlation between adjacent pixels, which renders encryption schemes useless if they are not sufficiently strong because attackers can easily discover ways to reveal information in decrypted images via some statistical approaches. Because of these characteristics, traditional encryption methods such as Data Encryption Standard (DES), Triple DES (TDES), Advanced Encryption Standard (AES) and Rivest–Shamir–Adleman (RSA), which are commonly employed in secure communication of textual data, are not appropriate for encrypting image data (Lyle et al., 2022). Image data requires the development of encryption methods that particularly consider its special characteristics.

Image encryption methods usually follow a common architecture proposed by Fridrich (1998) and divided into two distinct phases known as confusion (permutation) and diffusion (substitution) (Elghandour et al., 2021). The goal of the confusion phase is to eliminate the correlation between adjacent pixels of the plaintext image by scrambling the positions of them without modifying their values. In the diffusion phase, on the other hand, pixel values are systematically modified to alter the statistical properties of the image. Chaos-based encryption schemes have been very popular for image encryption since they propose solutions to provide necessary mechanisms needed in these two phases. Especially their high sensitivity to initial conditions, randomness and non-periodicity have placed chaos-based schemes into the focus of the image encryption research. Despite their effectiveness in image encryption, high-dimensional chaotic systems are known to be very costly to implement in both software and hardware due to their high computational complexity (Elghandour et al., 2021). Low-dimensional ones, on the other hand, provide lower chaotic performance and, as a result, lower security. We can see in the literature that a large body of research is focused on combining chaotic systems of different dimensionalities or combining chaos-based methods with other methods to achieve both computational efficiency and high security. Interested readers are referred to Kumari et al. (2017), Ben Slimane et al. (2018), Zhou et al. (2021), Lyle et al. (2022) and Fang et al. (2022) for a very comprehensive and complete literature on image encryption and particularly on chaos-based encryption. Additionally, there are other representative methods such as based on one-time keys (Liu & Wang, 2010), bit-level permutation (Liu & Wang, 2011), DNA rule (Liu et al., 2012; X. Y. Wang et al., 2015), based on mathematical model (X. Y. Wang et al., 2010), based on parallel computing (X. Wang et al., 2019), based on piecewise coupled map lattice (X. Wang & Yang, 2021), based on matrix semi-tensor product theory (X. Wang & Gao, 2020a, 2020b), based on fractal sorting matrix (Xian & Wang, 2021; Xian et al., 2022), based on compressive sensing (X. Wang et al., 2021), based on dynamic random growth technique (X. Wang et al., 2015) and based on Anti-Dynamic Degradation Theorem (X. Wang & Liu, 2022).

In this study, we propose an image encryption method based on ZigZag transform (Chai et al., 2018) with Durstenfeld Shuffling Algorithm (DSA) (Durstenfeld, 1964, July), respecting the special requirements of encrypting image data. Our method utilises ZigZag transform with DSA in different steps to achieve necessary level of confusion. Additionally, we employ a series of XOR operations to achieve required level of diffusion to be secure and robust against statistical attacks. Our encryption method is simpler to implement than high-dimensional chaos-based approaches, and its computational complexity is very low, which make it very fast and suitable for real-world applications. The main contributions and novelty of our encryption method are as follows:

1. Our proposed method has low computational complexity due to its simple structure and non-reliance on complex operations, however, it has better or similar performance characteristics than chaos-based encryption methods.

2. It is suitable for real-world applications where real-time encryption/decryption performance is a key requirement, since it takes only 0.25 s to encrypt or decrypt a colour image of dimensions $512\times 512$.

3. It is adaptive in nature because the plaintext image is used for generating encryption keys, therefore, a small change in the plaintext creates an extremely different ciphertext, making statistical and differential attacks ineffective.

4. It has a very large key space, and it is extremely sensitive to keys.

5. It is very robust to noise and occlusion attacks.

6. The histograms and correlation charts of the encrypted images do not reveal any useful information to attackers.

7. With systematic experimentation, we present and verify the effectiveness and robustness of our proposed method, comparing it with recent different methods.

The rest of this paper is organised as follows. In Section 2, we provide an essential background on ZigZag transform and Durstenfeld Shuffle Algorithm. In Section 3, we give an elaborate description of our proposed algorithm. In Section 4, we present our experimental results, security analyses and discussion. Finally, in Section 5, we conclude this paper.

2. Preliminary background

2.1. ZigZag transform

ZigZag transform is a form of permutation to scramble the pixels of an image. In ZigZag transform, pixels are traversed beginning from the top left corner of the image and following a Z-shaped path until the bottom right corner; hence the name (Chai et al., 2018; Xingyuan et al., 2019). Scanned pixels are stored in an one-dimensional array and then they are read from this array in a certain order to form a two-dimensional matrix. The order that the pixels are traversed is always the same for classical ZigZag transforms with a regular and predictable pattern (X. Wang & Guan, 2020). Traversal of the pixels can also begin from the other corners of the image, but the idea is the same. ZigZag transform is widely used to scramble image pixels for image encryption purposes. Classical ZigZag transform is shown in Figure 1 applied to a sample $4\times 4$ matrix.

Figure 1. Classical ZigZag transform.

2.2. Durstenfeld shuffle algorithm

Shuffling is a process of randomising the positions of the elements in a list or array. In cryptology, shuffling is used to randomise the order of symbols in a message to make it more difficult for an attacker to discover the original message (Beimel et al., 2020). In statistics, shuffling is used to randomly permute the order of a sample, so that different orderings can be used to estimate the same quantity (Herranz et al., 2021).

In this study, we employed Durstenfeld Shuffle Algorithm (DSA) in our encryption process, which is a very efficient shuffle algorithm known to have $O(n)$ time and space complexity for a list of n items (Durstenfeld, 1964, July; S. Wang, Wang et al., 2020). DSA works simply as follows. Assume that we have an array $A[1\dots n]$ with n elements to shuffle. DSA essentially divides A into to two subsequent parts $A[1\dots k]$ and $A[k+1\dots n]$ in an iteration $k\leftarrow n\dots 2$, where $A[1\dots k]$ is the part that needs shuffling while $A[k+1\dots n]$ is the part already shuffled. At each iteration k, DSA picks a random number $r\in [1\dots k]$, chooses an item $A[r]$ from the unshuffled part $A[1\dots k]$ and exchanges it with $A[k]$. With this exchange, the item $A[r]$ is moved into the new shuffled part $A[k\dots n]$, where it does not move anymore in the remaining iterations. We illustrate DSA in Algorithm 1. Random number generators generate the same number sequence for the same seed, which makes it possible to utilise them for encryption and decryption processes. Therefore, DSA algorithm in Algorithm 1 takes a seed parameter along with the array A to shuffle.

To improve the ZigZag transform, we use DSA to shuffle an image such that the pixels are traversed following a totally random path unlike the classical ZigZag transform which always uses regular and predictable path. Our improved version of ZigZag transform with DSA is seen in Figure 2.

Figure 2. Improved ZigZag transform with Durstenfeld shuffle algorithm.

3. Algorithm description

3.1. Image encryption process

In this paper, we consider a plaintext image P and an encrypted image $P^{\prime }$ with dimensions of $M\times N$, where M is the height and N is the width in pixels. The image P can be a colour image with RGB layers (24-bit) or it can be a greyscale image with a single layer (8-bit).

The encryption process we propose is shown in Figure 3. It mainly consists of seven steps as explained as follows. In addition to P, a private key K is used as an input to the process.

Figure 3. System architecture of the proposed encryption process.

Step 1 - Secret Key Generation: As the first step of the encryption process, we calculate the SHA256 hash of the private key K and obtain an intermediate key of length 256 bits, as SHA256 algorithm always produces 256-bit hashes regardless of the length of K. Then, we split this hash into 8 equal length blocks of 32 bits and convert each block into its decimal value as $D_0\dots D_7$.

We combine pairs of the block values $D_0\dots D_7$ in a series of XOR operations to compute the key values $K_R$, $K_G$ and $K_B$ to encrypt RGB channels of P separately. At this point, to decide which block to XOR with which other block, we use the reference information given in Table 1. For example, we XOR $D_0$ and $D_1$ to obtain $K_{R_1}$ which is one of the three intermediate key values for R channel. Note that generated intermediate keys are different from each other. This process is illustrated in Figure 4 diagrammatically.

Figure 4. Key generation for RGB channels from the SHA256 hash of private key.

Table 1. Guiding information to select pairs of blocks to XOR.

Input								Output
$D_0$	$D_1$	$D_2$	$D_3$	$D_4$	$D_5$	$D_6$	$D_7$	$K_R$	$K_G$	$K_B$
1	1	0	0	0	0	0	0	$K_{R_1}$	0	0
0	0	1	1	0	0	0	0	$K_{R_2}$	0	0
0	0	0	0	1	1	0	0	$K_{R_3}$	0	0
0	0	0	0	0	0	1	1	0	$K_{G_1}$	0
1	0	0	0	0	0	0	1	0	$K_{G_2}$	0
0	1	0	0	0	0	1	0	0	$K_{G_3}$	0
0	0	1	0	0	1	0	0	0	0	$K_{B_1}$
0	0	0	1	1	0	0	0	0	0	$K_{B_2}$
0	1	0	0	0	0	0	1	0	0	$K_{B_3}$

We use the following formulae to compute all encryption keys for R channel: (1) $\begin{array}{rl}{K}_{R_1}& =D_0\oplus D_1\end{array}$(1) (2) $\begin{array}{rl}{K}_{R_2}& =D_2\oplus D_3\end{array}$(2) (3) $\begin{array}{rl}{K}_{R_3}& =D_4\oplus D_5\end{array}$(3) (4) $\begin{array}{rl}{K}_R& =(K_{R_1}\oplus K_{R_2})\oplus K_{R_3.}\end{array}$(4) Similarly, we use the following formulae to compute all encryption keys for G channel: (5) $\begin{array}{rl}{K}_{G_1}& =D_6\oplus D_7\end{array}$(5) (6) $\begin{array}{rl}{K}_{G_2}& =D_0\oplus D_7\end{array}$(6) (7) $\begin{array}{rl}{K}_{G_3}& =D_1\oplus D_6\end{array}$(7) (8) $\begin{array}{rl}{K}_G& =(K_{G_1}\oplus K_{G_2})\oplus K_{G_3.}\end{array}$(8) Then, we use the following formulae to compute all encryption keys for B channel: (9) $\begin{array}{rl}{K}_{B_1}& =D_2\oplus D_5\end{array}$(9) (10) $\begin{array}{rl}{K}_{B_2}& =D_3\oplus D_4\end{array}$(10) (11) $\begin{array}{rl}{K}_{B_3}& =D_1\oplus D_7\end{array}$(11) (12) $\begin{array}{rl}{K}_B& =(K_{B_1}\oplus K_{B_2})\oplus K_{B_3.}\end{array}$(12) Finally, we combine these three keys to obtain a single key to use in Step 5 as follows: (13) $K_{RGB}=(K_R\oplus K_G)\oplus K_B.$(13) Step 2 – Hidden Key Generation: In this step, we first generate MD5 hashes of the RGB channels separately as $MD{5}_R$, $MD{5}_G$ and $MD{5}_B$. Then, we combine different bytes of these hashes with each other in a series of XOR operations to obtain our hidden keys as $M{D}_R$, $M{D}_G$ and $M{D}_B$. Figure 5 shows one possible configuration for this process in detail. We use these hidden keys to make our system resistant to differential attacks as single pixel change in plaintext images causes significant differences in the generated ciphertext images.

Figure 5. Hidden key generation for RGB using MD5 hashing (one of the possible configurations).

Step 3 - XOR Keys Generation: In Step 1, we generate three different encryption keys $K_R$, $K_G$ and $K_B$ for RGB channels, respectively. In the coming steps, we use these key values to XOR with pixel values in corresponding channels. We, however, do not use these key values directly for XOR because they may be greater than 255 which is the maximum pixel value in a channel. Therefore, we take the modulo 256 of each key value before using with XOR and obtain XOR keys $K_{RX}$, $K_{GX}$ and $K_{BX}$ as follows: (14) $\begin{array}{rl}{K}_{RX}& =K_R\mathrm{mod}256\end{array}$(14) (15) $\begin{array}{rl}{K}_{GX}& =K_G\mathrm{mod}256\end{array}$(15) (16) $\begin{array}{rl}{K}_{BX}& =K_B\mathrm{mod}256.\end{array}$(16) Step 4 - ZigZag Transform with DSA: In Step 1, we generate three different encryption keys $K_R$, $K_G$ and $K_B$, and in Step 2, we generate three hidden keys $M{D}_R$, $M{D}_G$ and $M{D}_B$ for RGB channels, respectively. In this step, we XOR these keys with each other respectively to obtain seed values $S{D}_R$, $S{D}_G$ and $S{D}_B$. Using these seeds and DSA, we shuffle the pixels of each channel separately. DSA requires a random number generator (RNG), and we use $S{D}_R$ as the seed of RNG for shuffling the R channel. Similarly, we shuffle G and B channels using $S{D}_G$ and $S{D}_B$. After the shuffling, we obtain shuffled channels as $R_Z$, $G_Z$ and $B_Z$. Then, we XOR the pixels in each shuffled channel with the corresponding XOR keys $K_{RX}$, $K_{GX}$ and $K_{BX}$, respectively. As a result of this, we obtain XORed RGB channels as $R_Z^{\prime }$, $G_Z^{\prime }$ and $B_Z^{\prime }$. The process is shown in the following equations: (17) $\begin{array}{rl}{R}_Z& =\mathrm{DSA}(R,K_R)\end{array}$(17) (18) $\begin{array}{rl}{G}_Z& =\mathrm{DSA}(G,K_G)\end{array}$(18) (19) $\begin{array}{rl}{B}_Z& =\mathrm{DSA}(B,K_B)\end{array}$(19) (20) $\begin{array}{rl}{R}_Z^{\prime }& =R_Z\oplus K_{RX}\end{array}$(20) (21) $\begin{array}{rl}{G}_Z^{\prime }& =G_Z\oplus K_{GX}\end{array}$(21) (22) $\begin{array}{rl}{B}_Z^{\prime }& =B_Z\oplus K_{BX}.\end{array}$(22) Step 5 - Mixing Between RGB Layers: In Step 4, the image P is already strongly encrypted. In this step, we increase the complexity and the strength of the encryption by mixing $R_Z$, $G_Z$ and $B_Z$ channels among themselves. First, we concatenate them and obtain a single-dimensional array. Then, we shuffle this array using DSA to get the desired inter-channel mixing effect. Note that, pixels in a channel not only change their places across other channels but also change their places within their own channels due to the randomisation. Since we employ a single DSA in this step, we use $K_{RGB}$ as the seed of RNG. Next, we extract RGB channels back from this array by taking the first one third part of it for R, subsequently the rest for G and B channels as $R_{ZL}$, $G_{ZL}$ and $B_{ZL}$, as given in the following equation, where $\Vert$ represents concatenation: (23) $[R_{ZL},G_{ZL},B_{ZL}]=\mathrm{DSA}(R_Z^{\prime }\Vert G_Z^{\prime }\Vert B_Z^{\prime },K_{GS}).$(23) Step 6 - XORing RGB Channels with XOR Key: In this step, we XOR the pixels in each channel $R_{ZL}$, $G_{ZL}$ and $B_{ZL}$ with XOR keys $K_{RX}$, $K_{GX}$ and $K_{BX}$ to obtain $R_{ZL}^{\prime }$, $G_{ZL}^{\prime }$ and $B_{ZL}^{\prime }$, as follows: (24) $\begin{array}{rl}{R}_{ZL}^{\prime }& =R_{ZL}\oplus K_{RX}\end{array}$(24) (25) $\begin{array}{rl}{G}_{ZL}^{\prime }& =G_{ZL}\oplus K_{GX}\end{array}$(25) (26) $\begin{array}{rl}{B}_{ZL}^{\prime }& =B_{ZL}\oplus K_{BX}.\end{array}$(26) Step 7 - Final Ciphertext Generation: Finally, we generate a single-channel dummy image $P_D$ with the same dimensions as P using RNG with the seed $K_{RGB}$. This dummy image is used to further modify the pixel values of the encrypted image as part of the diffusion process. This provides an extra level of resistance to statistical attacks. Then, we XOR the pixels in each channel $R_{ZL}^{\prime }$, $G_{ZL}^{\prime }$ and $B_{ZL}^{\prime }$ with the corresponding pixel values of $P_D$. As a result, we obtain final encrypted RGB channels $R^{\prime }$, $G^{\prime }$ and $B^{\prime }$ to make up the final encrypted image $P^{\prime }$ as follows: (27) $\begin{array}{rl}{R}^{\prime }& =R_{ZL}^{\prime }\oplus P_D\end{array}$(27) (28) $\begin{array}{rl}{G}^{\prime }& =G_{ZL}^{\prime }\oplus P_D\end{array}$(28) (29) $\begin{array}{rl}{B}^{\prime }& =B_{ZL}^{\prime }\oplus P_D.\end{array}$(29) The encryption process explained in this section deals with only 24-bit colour image with RGB layers. However, when it comes to a 8-bit greyscale image, the same process can be used without making any changes. The only requirement is that all RGB layers must contain the same 8-bit layer of the greyscale image.

3.2. Image decryption process

To decrypt an encrypted image, we need to employ the same operations in reverse direction. However, there is a requirement that the hidden keys $M{D}_R$, $M{D}_G$ and $M{D}_B$ must be supplied to the receiver by the sender to use them in the decryption process. With these hidden keys and the private key, it is a straightforward process to decrypt a ciphertext image.

4. Experimental results and security analyses

4.1. Encryption and decryption results

We conducted encryption and decryption experiments with common colour benchmark images Lena Pepper, Baboon and Barbara of size $512\times 512$ on a workstation with Intel Core i7-4700 CPU at 2.4 GHz with 4 cores, 16 GB RAM and MS Windows 10 Pro 64 bit OS. The algorithm was implemented and tested in MATLAB 2020b environment.

We used the private key $K=$“maltepe@” for encryption. We present the results in Figure 6. It is clearly seen that the original plaintext images were obtained after decryption without any loss. We tested our method on all white and all black images as well, showing that encryption and decryption were performed successfully as seen in Figure 7.

Figure 6. Experimental results for encryption and decryption, (a)–(d) plaintext images Lena, Pepper, Baboon and Barbara, (e)–(h) encrypted images Lena, Pepper, Baboon and Barbara, (i)–(l) decrypted images Lena, Pepper, Baboon and Barbara.

4.2. Algorithm complexity analysis

Our proposed method consists of seven steps, each of which has contribution to the total complexity of the encryption process with different amounts. In Step 1, we only generate secret encryption keys based on the private key using SHA256. Therefore, this step adds a very small and constant amount of complexity to the whole encryption process.

Figure 7. Experimental results for encryption and decryption with all white and all black images.

In Step 2, we generate hidden keys for each channel of the plaintext image using MD5 hashing. To do this, this step requires three iterations, one for each MD5 calculation, over the pixels of the image where there are $M\times N$ pixels. Thus time complexity of this step can be expressed as $3\times M\times N$.

Step 3 does not involve any operations on the image pixels as this step only calculates XOR Keys with a few very small modulo operations. Hence, this step can totally be ignored in terms of computational complexity.

Step 4 is one of the most computationally intensive one because we apply ZigZag Transform with DSA to scramble the pixel values of each channel of the plaintext image. Computational complexity of DSA is proportional to the number of elements to shuffle (n) and it is $O(n)$. Therefore, total complexity of this shuffling process is $3\times M\times N$. After shuffling the channels, we XOR the pixels in each shuffled channel with their corresponding XOR keys. This operation has also the complexity of $3\times M\times N$ as well.

In Step 5, we employ a sort of mixing among the pixel values between the channels of the image encrypted until this step. This operation involves another shuffling with DSA, introducing an additional $3\times M\times N$ complexity.

Step 6 performs a series of XOR operations on the pixels in each channel with their corresponding XOR keys. This operations has the complexity of $3\times M\times N$.

In Step 7, we first generate a single-channel dummy image with the same dimensions with random pixel values. This has the time complexity of $M\times N$. Then, we XOR the pixels in each channel of the encrypted image with the corresponding pixel values of the dummy image, whose time complexity is $3\times M\times N$.

When we combine the computational complexities of our proposed method's steps, we find that total time complexity is $20\times M\times N$, and, therefore, it can simply be expressed as $O(M\times N)$. As a result, our proposed method has a linear time complexity with respect to number of pixels in plaintext images, and it can effectively be applied in real-world scenarios where efficiency is a key requirement as well as encryption strength.

4.3. Key analysis

4.3.1. Key space

In our proposed method, we first apply SHA256 to a given private key K to obtain a 256-bit intermediate key. Then, we use this intermediate key for the subsequent operations. Therefore, the key space of our method is $2^{256}$, which is comparably larger than the requirement of $2^{100}$ as suggested by Alvarez and Li (2006).

4.3.2. Sensitivity analysis of key

We encrypted colour Lena of size $512\times 512$ with the private key $K=$“maltepe@”. Then, we experimented with different keys with slight differences to decrypt the ciphertext image. The keys were “Maltepe@”, “malTepe@”, “ma1ltepe”, “maltrpe_”, and “maltePe” as an attacker would possibly try. We present the decrypted images with these incorrect keys as well as the correct key in Figure 8.

Figure 8. Decryption results with correct and incorrect keys: (a) decrypted image with the correct key maltepe@, (b)–(f) images decrypted with keys with little difference (Maltepe@, malTepe@, ma1ltepe, maltrpe_, maltePe).

When we analyse the experimental results, we find that the original image can only be obtained by decrypting with the correct key. This shows that our method is very sensitive to the key. To present this sensitivity, we computed Number of Pixel Change Rate (NPCR) values for the decrypted images in Figure 8 as given in Table 2. NPCR is calculated between two images $P_1$ and $P_2$ as follows (Wu et al., 2011; Zhang & Wang, 2015): (30) $\mathrm{NPCR}=\frac{\sum _{ij}D(i,j)}{M\times N}\times 100,$(30) where M and N represent the width and height of the images respectively. $D(i,j)$ is 0 if the pixel values of images $P_1$ and $P_2$ at coordinate $(i,j)$ are the same, and 1 otherwise. In general, NPCR values are required to be very close to 99.6093%. As seen in Table 2, the NPCR values of images decrypted by incorrect keys are very close to this ideal value, which demonstrates the sensitivity of our method to the key.

Table 2. NPCR (%) values of decrypted images with different keys.

Channels	(a)	(b)	(c)	(d)	(e)	(f)
R	0	99.60	99.60	99.60	99.59	99.62
G	0	99.58	99.60	99.61	99.62	99.62
B	0	99.61	99.63	99.62	99.61	99.60

4.4. Histogram analysis

Histogram is a powerful tool to analyse the distribution of pixel values of an image. If the distribution of a ciphertext image is uneven, then an attacker can obtain important information through statistical analysis. Therefore, a good encryption algorithm is expected to generate ciphertext images with even distribution to make the ciphertext image resistant to statistical analysis (Zhang & Wang, 2014). In Figure 9, we present the histogram of each channel before and after encryption of colour images Lena, Pepper, Baboon and Barbara. It is seen that the histograms of plaintext images are uneven before encryption, and the corresponding histograms of ciphertext images are even after encryption. Therefore, our method generates ciphertext images resistant to statistical analysis.

Figure 9. Histogram analysis: (a) histogram of the plaintext Lena in all channels, (b)–(d) histograms of the ciphertext image Lena in channels R, G and B, respectively, (e) histogram of the plaintext Pepper in all channels, (f)–(h) histograms of the ciphertext image Pepper in channels R, G and B, respectively, (i) histogram of the plaintext Baboon in all channels, (j)–(l) histograms of the ciphertext image Baboon in channels R, G and B, respectively, (m) histogram of the plaintext Barbara in all channels, (n)–(p) histograms of the ciphertext image Barbara in channels R, G and B, respectively.

4.5. Correlation between adjacent pixels

There is usually a high correlation between adjacent pixel values in plaintext images, which makes them vulnerable to statistical attacks. Unlike plaintext images, ciphertext images are required to show very low correlation between adjacent pixel values. Therefore, it is necessary for an encryption algorithm to reduce the correlation between adjacent pixels of a ciphertext image. We calculated the correlation coefficients between adjacent pixels of plaintext and ciphertext images of Lena using Equation (31(31) $\begin{array}{rl}{r}_{xy}& =\frac{\mathrm{cov}(x,y))}{\sqrt{D(x)}\sqrt{D(y)}}\end{array}$(31) ). (31) $\begin{array}{rl}{r}_{xy}& =\frac{\mathrm{cov}(x,y))}{\sqrt{D(x)}\sqrt{D(y)}}\end{array}$(31) (32) $\begin{array}{rl}\mathrm{cov}(x,y)& =\frac{1}{N}\sum _{i=1}^N(x_i-E(x))(y_i-E(y))\end{array}$(32) (33) $\begin{array}{rl}D(x)& =\frac{1}{N}\sum _{i=1}^N(x_i-E(x){)}^2\end{array}$(33) (34) $\begin{array}{rl}E(x)& =\frac{1}{N}\sum _{i=1}^N{x}_i.\end{array}$(34) We randomly picked 5000 pairs of adjacent pixels of RGB channels in the plaintext image Lena and its corresponding ciphertext image from horizontal, vertical and diagonal directions. The correlations between adjacent pixels are compared from each direction for RGB channels as shown in Figures 10, 11, and 12, respectively.

Figure 10. Correlation between adjacent pixels in channel R of Lena: (a)–(c) horizontal, vertical and diagonal correlations in plaintext, (d)–(f) horizontal, vertical, diagonal correlations in ciphertext.

Figure 11. Correlation between adjacent pixels in channel G of Lena: (a)–(c) Horizontal, vertical, and diagonal correlations in plaintext, (d)–(f) horizontal, vertical, diagonal correlations in ciphertext.

Figure 12. Correlation between adjacent pixels in channel B of Lena: (a)–(c) horizontal, vertical and diagonal correlations in plaintext, (d)–(f) horizontal, vertical, diagonal correlations in ciphertext.

We present the correlation coefficients of plaintext and ciphertext images Lena in all RGB channels in Table 3, comparing our method to several previous studies. It is obvious that there is a high correlation between adjacent pixels in the plaintext image, and that there is a low correlation between adjacent pixels in the ciphertext image. Thus our method can effectively resist statistical attacks.

Table 3. Correlations between adjacent pixels of plaintext and ciphertext images of Lena.

	Horizontal			Vertical			Diagonal
Method	R	G	B	R	G	B	R	G	B
Plaintext	0.9783	0.9787	0.9593	0.9896	0.9900	0.9791	0.9675	0.9686	0.9409
Our Method	0.0008	−0.0005	−0.0032	0.0026	0.0010	0.0009	0.0007	−0.0003	−0.0014
Xingyuan et al. (2019)	−0.3131	−0.0007	0.0036	0.0142	−0.0167	0.0083	−0.0044	−0.0145	−0.0214
Ben Slimane et al. (2018)	0.0271	0.0021	0.0205	0.0297	0.0168	0.0029	0.0254	0.0011	0.0172
Gan et al. (2018)	−0.0084	−0.0077	−0.0232	−0.0134	0.0237	0.0063	0.0059	0.0085	0.0176
Arpacı et al. (2020)	−0.0125	0.0184	0.0096	0.0118	0.0221	0.0030	0.0009	−0.0041	−0.0009
Yang and Chien (2020)	−0.0003	0.0012	−0.0038	−0.0012	−0.0009	−0.0007	−0.0005	−0.0038	0.0029
Chai et al. (2020)	0.0027	−0.0167	0.0033	−0.0124	0.0153	−0.0004	0.0022	−0.0127	−0.0027
Firdous and Missen (2019)	0.0105	0.0073	−0.0134	−0.0391	0.0114	−0.0312	0.0028	−0.0081	−0.0184

4.6. Information entropy

Information entropy is the degree of randomness of information, and it is calculated as in Equation (35(35) $H(s)=-\sum _{i=0}^{255}p(s_i){\log }_{2}p(s_i)$(35) ). (35) $H(s)=-\sum _{i=0}^{255}p(s_i){\log }_{2}p(s_i)$(35) where $p(s_i)$ is the probability of symbol $s_i$, which is the probability of different pixel values (from 0 to 255) in the image.

The information entropy of plaintext and ciphertext images of Lena in all channels is given in Table 4, comparing them with the findings of several previous studies. For a secure encryption algorithm, the entropy of ciphertext images is required to be as close to 8 bits as possible for each RGB channel. As seen in Table 4, our method generates ciphertext images with very high information entropy values. The results from the entropy analysis are in good agreement with the results from the histogram analysis. Therefore, we can state that it is difficult to disclose information from ciphertext images generated by our method, and those ciphertext images can resist statistical attacks.

Table 4. Entropy analysis results (in bits).

Test image	R	G	B
Plaintext Lena	7.2584	7.5791	6.9810
Ciphertext Lena	7.9993	7.9994	7.9993
Ben Slimane et al. (2018)	7.9984	7.9981	7.9977
Gan et al. (2018)	7.9993	7.9992	7.9994
Arpacı et al. (2020)	7.9995	7.9988	7.9991
Chai et al. (2020)	7.9995	7.9993	7.9992
Firdous and Missen (2019)	7.9993	7.9992	7.9992

4.7. Sensitivity analysis to plaintext

As well as being sensitive to key, a good encryption method is required to be sensitive to plaintext, which means a slight change in the plaintext results in entirely different ciphertext. This way, the encryption system can resist against attacks known as differential attacks. In a differential attack, an attacker changes a single pixel in the plaintext image and generates ciphertext images for both plaintext images to analyse the relationship between them to guess the encryption mechanism. When the ciphertext images are completely different, attacker's attempts will reveal no meaningful and useful information. To this end, we changed the pixel value of a random location in Lena from its original value to 0 and generated ciphertexts using the same private key. Then, we compared ciphertexts in terms of NPCR and Unified Average Changing Intensity (UACI) values. UACI is calculated between two images $P_1$ and $P_2$ as follows (X. Wang et al., 2012; Wu et al., 2011): (36) $\mathrm{UACI}=\frac{1}{M\times N}\left[\sum _{ij}\frac{|P_1(i,j)-P_2(i,j)|}{255}\right]\times 100$(36) where M and N represent the width and height of the images respectively. We present different values of NPCR and UACI for Lena in Table 5 as the average of 500 repetitions for the above process. In general, the values of NPCR and UACI are required to be as close as possible to 99.6093% and 33.4635%, respectively. According to the obtained results, both NPCR and UACI values are very close to these ideal values, which demonstrate our method's sensitivity to the plaintext, and its resistance against differential attacks.

Table 5. NPCR and UACI values of ciphertext images of Lena for plaintext sensitivity analysis.

	NPCR (%)			UACI (%)
Method	R	G	B	R	G	B
Our method	99.61	99.61	99.62	33.33	33.41	33.42
Ben Slimane et al. (2018)	99.63	99.62	99.61	33.46	33.45	33.45
Gan et al. (2018)	99.61	99.60	99.59	33.47	33.42	33.48
Arpacı et al. (2020)	99.60	99.61	99.59	33.49	33.44	33.49
Firdous and Missen (2019)	99.58	99.61	99.65	33.45	33.49	33.44
Devaraj and Kavitha (2016)	99.61	99.79	99.79	38.00	37.10	31.94
Zhang et al. (2020)	99.62	99.61	99.62	33.42	33.43	33.46

4.8. Robustness analysis

Robustness is the resistance of encryption system to disturbances, and thus, it is a crucial attribute. To test the robustness of our proposed encryption algorithm, we employed noise attacks as well as occlusion attacks.

First, we tested our algorithm against noise attacks using common noise types such as Gaussian noise and salt-and-pepper noise (Zhou et al., 2021). After encrypting the plaintext image, we added Gaussian noise with different variances as well as salt-and-pepper noise with different intensities to the ciphertext image. Then we decrypted this noise-added ciphertext with the same private key. In Figure 13, we present decrypted images after adding Gaussian noise with variances of 0.01 and 0.1, and salt-and-pepper noise with intensities of 0.01 and 0.05. It is clear that with a limited amount of noise, decrypted images are comprehensible. Therefore, we can state that our proposed encryption algorithm is robust against noise attacks.

Figure 13. Experimental results for a noise attack. Gaussian noise decryption results with variance of (a) 0.01 and (b) 0.1. Salt-and-pepper noise decryption results with intensity of (c) 0.01 and (d) 0.05.

We applied occlusion attack as a second type of robustness test. Again after encrypting the plaintext image, we occluded 1/16, 1/4 and 1/2 of the ciphertext images with black pixels in different shapes as rectangles and a plus. Then, we decrypted the ciphertexts with occlusions with the same private key. In Figure 14, we present decrypted images. As seen in the figure, as the size of the occlusion increases, the quality of the decrypted image degrades. However, they are still very well understandable, and the loss of information is at a minimum level. Even half of the ciphertext is occluded, we are able to recover the plaintext as a whole to some extent. Thus we can express that our proposed encryption algorithm is robust against occlusion attacks as well. Besides visual results, we also provide the Peak Signal-to-Noise Ratio (PSNR) (Zhou et al., 2021) results to show the robustness of our method in Table 6 along with NPCR and UACI values. PSNR between plaintext image $P_1$ and decrypted image $P_2$ can be calculated as follows: (37) $\begin{array}{rl}\mathrm{PSNR}& =10\times {\log }_{10}\frac{{255}^2}{\mathrm{MSE}}\end{array}$(37) (38) $\begin{array}{rl}\mathrm{MSE}& =\frac{1}{M\times N}\sum _{ij}(P_1(i,j)-P_2(i,j){)}^2\end{array}$(38) where M and N represent the width and height of the images respectively.

Figure 14. Experimental results for occlusion attacks. The encrypted images with (a) 1/16, (b) 1/4 and (c) 1/2 occlusion, (d) Plus occlusion, (e)–(h) are the corresponding decrypted images.

Table 6. Quantitative results of occlusion attack resistance.

	MSE			PSNR			NPCR (%)			UACI (%)
Occlusion	R	G	B	R	G	B	R	G	B	R	G	B
1/16	13.15	11.74	10.34	25.75	26.74	27.84	1.57	1.56	1.54	0.53	0.52	0.51
1/4	51.77	47.28	41.75	13.85	14.64	15.72	24.90	24.84	24.93	8.31	8.36	8.26
1/2	73.10	67.05	59.13	10.85	11.60	12.70	49.78	49.79	49.83	16.57	16.77	16.55
Plus	48.99	44.92	39.65	14.33	15.08	16.17	22.32	22.39	22.36	7.46	7.52	7.43

4.9. NIST test of randomness

To create shuffling with DSA, we use random sequence generated by an RNG and we need to test the randomness of the sequences generated to make sure they are suitable for image encryption. We adopted SP800-22 test suit which consists of 15 sub-tests from the National Institute of Standards and Technology (NIST) to measure the randomness of the sequences used in our method (X. Wang, Guan et al., 2020). The test scores represent the corresponding P-values where a test is considered a pass when $P-\mathrm{value}>=\alpha$ where α is the significance level and generally is taken as $\alpha =0.01$. We present the NIST test results in Table 7. It is clearly seen from the test results that all P-values are greater than $\alpha =0.01$ and we can confidently state that the sequences used in the encryption have reasonably good randomness.

Table 7. NIST test results.

Test	P-value	Pass/Fail
Frequency test	0.888	Pass
Block frequency test	0.809	Pass
Cumulative sums test-forward	0.423	Pass
Cumulative sums test-reverse	0.867	Pass
Runs test	0.252	Pass
Longest run test	0.733	Pass
Discrete Fourier transform test	0.604	Pass
Rank test	0.903	Pass
Non overlapping template test	1.000	Pass
Overlapping template test	0.895	Pass
Universal test	0.995	Pass
Approximate entropy test	0.660	Pass
Serial test	0.522	Pass
Random excursions test	0.594	Pass
Random excursions variant test	0.317	Pass
Linear complexity test	0.454	Pass

5. Conclusion

We propose an image encryption algorithm based on ZigZag transform with DSA in this paper. Our encryption method is simpler to implement than high-dimensional chaos-based approaches, and its computational complexity is very low. Additionally, its dependence on plaintext image makes it adaptive and hence very robust against brute force and differential attacks. Experimental results with NPCR values suggest that our encryption algorithm is very sensitive to the encryption key. In addition, histograms of the encrypted images are even. Moreover, the correlation coefficients of adjacent pixels in the encrypted images in all three directions are very close to zero. Besides, the entropy values calculated from the encrypted images are significantly close to ideal value of 8. These results of histogram, correlation and entropy analyses show that our method generates ciphertext images resistant to statistical analysis. In addition to these analyses, we performed sensitivity analysis to plaintext using NPCR and UACI metrics, and according to the obtained results, both NPCR and UACI values are remarkably close to the ideal values, which demonstrates our method's sensitivity to the plaintext, and its resistance against differential attacks. Furthermore, we performed robustness analysis with noise and occlusion attacks, and show that our method is secure and robust against these types of attacks according to NPCR, UACI and PSNR values. Finally, according to our timing experiments, both encryption and decryption of a colour image of size $512\times 512$ take about 0.25 s which make it very fast and suitable for real-world applications, along with its security and robustness. Secure and fast image encryption is a requirement not only of personal daily use but also of industrial use. For instance, in Internet of Things (IoT) and Internet of Vehicles (IoV) settings, lots of sensitive images are likely to be collected and transmitted, where a simple, fast, efficient, and low-cost encryption and decryption would be a key factor. Our proposed method is highly suitable for such industrial applications with its simple to implement and low-complexity structure.

Acknowledgments

The authors would like to thank Kaan Bıçakcı for his invaluable suggestions and support for the research.

Disclosure statement

The authors report there are no competing interests to declare.

Funding

This research did not receive any specific grant from funding agencies in the public, commercial or not-for-profit sectors.