A robustness-improved image encryption scheme utilizing Life-liked cellular automaton

Image encryption is considered as an effective method to protect image against revealing. As a discrete dynamic system, the Life-liked cellular automaton (CA) has good chaotic performance and has been applied for image encryption. This paper proposes a robust block encryption scheme, based on reversible Life-liked CA with balanced rule. The proposed method adopts classic confusion–diffusion structure on block level and reversible Life-liked CA within block. An effect permutation method is developed to reduce the iteration rounds of whole system, while the diffusion module adopts reversible Life-liked CA with balanced rule to encrypt the blocks to noise-like ones. Performance analyses show the proposed scheme have good cryptographic features, satisfactory security for defeating common attacks and robustness to resist data loss and random noise.


Introduction
With the dramatic progresses of communication technologies, huge of digital images have been transmitted on the public networks and shared in mobile phones. The security of these images not only involves individual privacy, but also relates to society and government security. As one of the most effective privacy protection methods, image encryption has attracted worldwide attentions. Among the image encryption proposals, two different nonlinear dynamics, i.e., cellular automaton (CA) and chaotic system, have been widely adopted. Both the dynamic systems have many advantages for image encryption, such as sensitivity to initial condition, unpredictable evolution and random behavior.
There are many famous one-dimensional (1D) chaotic maps which have been adopted for image encryption, such as logistic map [1], sine map [2] and tent map [3]. Though they are simple to be implemented, they also have drawbacks. In [4], Li et al. stated that when a chaotic system is implicated on a finite precision platform, chaos degradation will happen and the chaotic system may degrade to a periodic one. In addition, Hua et al. [5] presented the average cycle length of some chaotic maps under different precisions. Some weak chaotic systems have been demonstrated to have security problems [6,7], and in this direction, many encryption schemes have been cracked [8,9]. More complex chaotic maps are needed to improve the security of encryption scheme. On the other hand, the CA has advantages over chaotic systems. As a time and space discrete dynamic system, it can avoid chaos degradation on different finite precision platforms. In addition, it can be easily implicated in encryption scheme without much additional hardware and software complexity. Many encryption schemes based on CA have been proposed. In [10], Wolfram first applied CA in cryptography. The works of [11][12][13] applied CA as pseudorandom number generator (PRNG), while the proposals in [14,15] adopted state attractor of some CAs to encrypt images. Jhon Conway introduced the well-known Game of Life [16], which is a kind of 2D CA with more complex chaotic behaviors, based on it, many researchers have developed a series of CA, called Life-liked CA and used them for image encryption [12,17,18].
As for encryption framework, many algorithms adopt the classic confusion-diffusion [19] architecture. However, this structure has inherent drawbacks, and the opponents can crack the encryption scheme by plaintext attack no matter which chaos system is adopted [20]. Researchers have proposed many methods to improve the security against plaintext attacks. However, some of these methods sacrifice so much robustness that they cannot defeat data loss and random noise. Wang et al. [21] proposed an algorithm with variable control parameters, which is able to bring unique chaos sequence for different plaintext. Though this method can resist plaintext analysis, slight error in the cipher pixel could make the original plain image fail to be recovered. The studies [17,22,23] adopted reversible CA (RCA) for diffusion, which could defeat plaintext attacks. However, because of the good diffusion property of CA, these methods also lack of robustness. Taking the method in [17] as an example, Ping et al. divide the whole permuted image into 2 binary images as the initial cell states of a second-order RCA and then iterate the RCA certain steps to produce the cipher image. Due to the satisfactory chaotic performance of RCA, only one-cell state modification could influence entire space. However, if one state in cipher image is changed, the whole recovered image could be interfered. Therefore, if a method adopts RCA to encrypt whole image, its robustness is limited.
In this work, we propose a block encryption scheme, based on the classic permutation-diffusion structure. The plaintext is first divided as a series of blocks with size 8 × 8, and then, the permutation is implemented among blocks, i.e., shuffle the image blocks yet keep the pixels within each block unchanged. The permutation sorts all the blocks by random numbers and specially ensure that the last block in image sorted as the first one. The diffusion module adopts reversible Life-liked CA with balanced rule in block-wise. Each bit plane's bit states are the initial RCA's configuration and then will be iterated several steps with a balanced rule to yield the encrypted block. The 2D logistic-sine coupling map (2D-LSCM) is employed to generate the random numbers used in the encryption process. A mechanism is developed to share chaos variables between the permutation and diffusion modules, so that the required chaotic iterations are reduced and the cryptosystem's efficiency is further improved. We find that a proper designed permutation method could make sure that 2 permutation-diffusion rounds are sufficient to achieve a satisfactory diffusion performance. Based on this concept, we propose the permutation method with the ability to shuffle image pixels and sort the last block as the first one, so as to greatly improve the efficiency of encryption system. In diffusion phase, we employ Lifeliked CA due to its good chaos performance and implement it in block-wise. The CA can ensure the security and diffusion performance within a block. On the other hand, an error in cipher image will be restricted within one block rather than affect the whole image so as to improve the robustness of the cryptosystem. Therefore, this method can greatly overcome the drawback, lack of robustness, in [17]. The simulation results and performance analysis indicate that the proposed cryptosystem can encrypt various types of plain image into noise-like ciphertexts, and it has sufficient security against various attacks and robustness against data loss or random noise.
The remaining parts in this paper are organized as follows. Section 2 introduces some related work, such as 2D-LSCM and reversible Life-liked CA. Section 3 is the main body and presents the proposed algorithm, while Sect. 4 analyzes the computation complexity and the ability to encrypt other image types in theory and Sect. 5 shows the simulation results of the scheme. The security and robustness analyses are carried out in Sect. 6, and Sect. 7 concludes our work.

Preliminaries
This section introduces three significant models utilized in this paper and illustrates their advantages in image encryption. Some abbreviations used in this paper are listed in Table 1.

Two-dimensional logistic-sine coupling map
In [5], Hua et al. introduce the 2D-LSCM and illustrate its good chaotic property. The 2D-LSCM is an expanding map of two basic 1D chaotic maps, the logistic map [1] and the sine map [2]. The logistic map is defined as where the control parameter η ∈ [0, 1]. The sine map is defined as where the control parameter β is also in the interval [0, 1]. However, these two chaotic maps have many weaknesses, such as simple behaviors and frail chaotic intervals. Therefore, to achieve sufficient security of a encryption scheme, more complex chaotic system is expected. The 2D-LSCM is obtained by coupling the two maps to have quite complex chaos, and it is defined by where θ is the control parameter and θ ∈ [0, 1]. The 2D-LSCM has complex chaotic behavior can account for three aspects. First, it couples the logistic and sine map together, the complexity of the two maps are mixed. Then it performs a sine transform to the coupling result. At last, it expands the dimension to 2D. Hua et al. [5] evaluate the chaos performance of 2D-LSCM in terms of chaos trajectory, Lyapunov exponent [24], Kolmogorov entropy [25] and dynamical degradation. It is shown that 2D-LSCM has chaotic behavior when θ ∈ (0, 1), and it would have hyperchaotic behavior when θ ∈ (0, 0.34) ∪ (0.67, 1). In addition, the output sequences of 2D-LSCM can pass all the subtests in National Institute of Standards and Technology (NIST) SP800-22 [26]; it indicates that 2D-LSCM can generate random sequences that are suitable for image encryption.

Life-liked CA with balanced rules
The CA is an abstract dynamic system with discrete and finite states. Due to its local rules, the CA could present complex chaotic behavior after certain discrete time evolution.

Life-liked CA
Life-liked CA is a certain type of CA; generally, it can be described as C A = {C, S, V, f } [17].
-C is a two-dimensional cell space and can be described as C = {(i, j)| 1 ≤ i ≤ m, 1 ≤ j ≤ n}. -S represents the cell's states, and S = {1, 0} generally refers to the survival and death of a cell, respectively. -V is the set of a cell's neighbors. In two-dimensional cell place, a cell generally has two types neighborhoods, von Neumann neighborhood and Moore neighborhood. Moore type is generally utilized in Life-liked CA, and V set contains 8 surrounding neighbors. f is the local function, also called as the local rule. It determines the state of one cell in the next iteration step, according to its present and the neighbors' states. A local function of Life-liked CA can be described by Eq. (2), where S t i, j represents the state of a cell at position (i, j) at the tth discrete time.
(2) In this paper, all cells in the space follow the same local rule f . Thus, the rule is a function determining the iteration method of a CA system.
In addition, because the CA is implemented on a finite computation system, the boundary condition should be considered. Generally, periodic boundary is utilized, because it can simulate the infinite situation without losing any properties. The periodic boundary in this paper is described as Eq. (3), where i, j, u, v represent the coordinates in cell space, and m, n are the size of space.
The local rule of a Life-liked CA is described as Bx/Sy, where B and S, respectively, represent "Birth" and "Survival," the two behavior of a cell. In addition, because Life-liked CA utilizes Moore neighborhood, the central one and its neighbors are 9 cells. The variable sets x and y refer to the number of survival numbers of the 9 cells. The rule means that if the central cell's state is "death" at step t, and there are x survival neighbors around it, at the next step, it will "reborn." Similarly, if the central cell's state is "survival," and there are y survival neighbors around it, at the next step, it will keep alive. For example, John Conway proposed the famous Life-liked CA "Game of Life," which can be described as "B3/S23." The set x = {3}, y = {2, 3}, which means a death central cell has 3 survival neighbors, it will reborn at next step; and a survival central cell, only its survival neighbors are 2 or 3, and it will keep alive.

Balanced rules
After iterating certain steps following the local rules, the ratio between survival and dead cells are almost stable, even though the space distribution of them is chaotic. Therefore, the local rule can control final ratio between survival and dead cells. Generally, in each bit plane of a cipher image, the distributions of bit "0" and "1" are almost uniform. In other words, the percentage of each bit is around 50% [27]. Thus, if a local rule can control the percentage of cells' states approximately equal, this local can be utilized in image encryption [17].
In [17], Ping et al. propose a method to evaluate whether a local rule is balanced. The method can be summarized as follows.
Step 1. According to the local rule, list all the birth and death cases in the sets B, D.
Step 2. Calculate the number of birth and death events with Eq. (4), where a i is a Boolean value. If i belongs to the set, a i = 1; otherwise, a i = 0.
Step 3. Only when the birth event number T b equals to death event number T d , the Life-liked CA is balanced.
For example, the Life-liked CA with local rule B1357 /S02468, the set B = {1, 3, 5, 7}, D = {1, 3, 5, 7}. Thus, the event value T b = T d = 128, the CA is balanced. Figure 1 presents the evolution process of a Lifeliked CA with local rule B1357/S02468, whose size is 128 × 128. Take Fig.1a-d; for example, the percentage of alive cell in initial CA is 9.72%; then, the percentage rapidly tends to 50%. At steps 2 and 5, the percentage are, respectively, 42.68% and 49.66%. Finally, at step 100, it comes to 49.95%. As to Fig. 1e-h and i-l, they, respectively, present the evolution process with initial 50 and 90% alive cells. At the step 100, all the CAs approximately have 50% alive cells. Therefore, no matter the initial percentage of alive cells, after several steps' iteration, the final amount distribution is uniform.

Reversible Life-liked CA
Because of the complex chaos performance of CA system, a Life-liked CA is generally not reversible. This means the evolution process would be lost. Therefore, a reversible CA is needed for the propose of recovering the original information in an encryption scheme. In [17], a second-order CA is defined as where S t represents whole CA's configuration at time step t, F is local rule of CA which is used to update the configuration and symbol ⊕ is XOR operation. This formula means the configuration at step t + 1 not only Fig. 1 Evolution process of balanced CA: a, e, i initial images with alive cells' percentages of 10, 50 and 90%; b, f, g evolution images at step 2; c, g, k evolution images at step 5; d, h, l evolution images at step 100 influenced by the state at step t, but also by the state at step t − 1. Similarly, the state at time t − 1 could be obtained by In addition, Eq. (5) can extend to higher order. In [22], a fourth-order CA is developed as and the reverse process is defined as Because of the chaotic property of Life-liked CA, any slight difference in initial configuration could account for extreme difference in final states. However, this property also decrease the robustness of an encryption system, because a slight difference in the final configuration may make the reverse process fail to recover the original image. Figure 2 shows the robustness analysis of a thirdorder reversible Life-liked CA whose size is 64 × 64.  ference between second and third column images. As for the fifth column images, they are the results recovered from the third images, and they are much different from the first column images. It is clear that only an one-cell difference is introduced to the final evolved image, and the recovered images have obvious difference. Thus, if the reversible Life-liked CA is directly applied for image encryption [17], the cryptosystem could lack of robustness.

The proposed method
This section introduces the modules of the proposed image encryption scheme, including preprocessing, permutation and diffusion.
As it is demonstrated in Sect. 2.3, the reversible Life-liked CA has good diffusion property, but it lacks robustness. Thus, this proposed scheme adopts block encryption to increase the robustness of system. In our proposal, a block consists of 8 × 8 adjacent pixels. Figure 3 shows the whole structure of the scheme. The chaos variable generator adopts 2D-LSCM chaotic map introduced in Sect. 2.1. In [28], it is indicated that the chaotic system iteration process has the highest computational complexity in an image encryption scheme. Therefore, it can improve the efficiency of whole system if the chaotic variables are utilized properly.

Chaos variables generator
In this module, chaos variables are generated for encryption referring to a secret key which is a 256bit sequence. The chaos variable sequence is generated by the following steps.
Step 1. Calculate the number of blocks in the image. In this scheme, the 8 × 8 pixel block is adopted, and if the image's size cannot be divisible by 8, the image should firstly fill some pixels. The number of blocks in the image whose size is of M × N is Step 2. Calculate the initial values of the 2D-LSCM system. There are 5 parameters {x 0 , y 0 , r, a 1 , a 2 } obtained from the key K , where (x 0 , y 0 ) are initial coordinates in the 2D-LSCM, r is the control parameter and a 1 , a 2 are perturbation values to change r in the two encryption rounds. The variables x 0 , y 0 , r are, respectively, extracted from a non-overlapping 64-bit sequence in K . Suppose that a 64-bit sequence is denoted as The variables a 1 , a 2 are two integers, whose values v are obtained from a 32-bit string To ensure a one-bit modification could account for totally different chaos variable sequence, r i is obtained from {a 1 , a 2 } by At the ith round, the control parameter θ of the 2D-LSCM is extracted by Step 3. Iterate the 2D-LSCM system for generating sufficient chaos variables for each block. Firstly, 30-round iteration is conducted to avoid initial effect of the chaotic system. In this scheme, each block needs 9 chaos variables in the encryption steps. For one block, iterate the 2D-LSCM system 5 rounds to generate the chaos variables Specially, the ninth chaos number utilized in the block is (x 5 + y 5 )/2.

Preprocessing
In this module, an image is filled to make its width and height both can be divisible by 8. In addition, because the Life-liked CA cannot encrypted block with identical state "0" or "1," it is critical to add some disturbing pixels. The preprocessing can be described as follows. Step Step 2. In each block, 4 disturbing pixels are added.
With the corresponding chaos variable sequence, the second-fifth variables determine the position of disturbing pixels, and the 6th-9th ones determine the values. Each block can be transformed to a 64-pixel one-dimensional sequence, and the position and value of disturbing pixels are, respectively, defined by Eqs. (7)- (8), where x(i) and y(i) are chaos variables for generating the ith disturbing pixel's position and value, respectively. Therefore, the pixel after preprocessing can be described as where B(i) represents the ith pixel value in a block.
Step 3. Repeat Step 2 until all the blocks are preprocessed. The literature [29] has demonstrated that modular operation can enhance the randomness of chaotic system. They illustrate the mod 255 and mod 1023 functions can broaden the spectrum of chaotic maps, which helps to improve the randomness of chaos system. Similarly, in this phase, we adopt mod 64 and mod 256 functions. These two modular operation also can enhance the robustness of chaotic system. Figure 4 shows the bifurcation diagram of 1D logistic map and the map using mod 64 and mod 256 functions. Figure 4a shows the original bifurcation diagram of logistic map, and it is clear that the map only has a narrow parameter range when the map is chaotic. Figure 4b, c shows bifurcation diagram of enhanced logistic map using mod 64 and mod 256 functions. It is evident that the spectrum of enhanced map is broadened; therefore, the modular operations in this phase can enhance chaotic performance.

Permutation
In this module, we propose a block permutation algorithm which can improve the robustness and efficiency of the encryption system. In a cryptosystem, for improving the diffusion performance, a common method is to increase the encryption rounds of the whole system. In most cases, 2-round encryption is generally insufficient to achieve a satisfactory diffusion performance. An example of the relationship between permutation and diffusion performance is illustrated in Fig. 5. In this example, the permutation phase adopts Arnold map, and diffusion phase conducts pixel-by-pixel encryption. However, after 2-round encryption, the first pixel in cipher image is not influenced by diffusion effect. That is because we cannot ensure the diffused cipher pixels of the first encryption round can be spread to the start of the permutation ciphertext in the second round.
Previous works have attempted to introduce certain diffusion effects in the permutation phase. Such a concept would improve the diffusion performance, yet it will decrease the robustness of system. We notice that the last pixel will be certainly influenced in a single permutation-diffusion round no matter which of the plain pixel has a modification. Therefore, if a permutation is able to move the last pixel to the first one, 2 permutation-diffusion encryption iterations are sufficient to yield a satisfactory diffusion effect, i.e., a plain pixel's slight modification can spread to the whole ciphertext. In this direction, our permutation approach is developed as follows.
Step 1. Obtain chaos variable used in the permutation phase. In each block's chaos variables sequence, the first value is used as the label of block. And specially, the last block does not use the variable in sequence, and its label value is fixed as "0." This means the last block has the least label value among all the blocks.
Step 2. Obtain the block order in permuted image by the label value. Sort the label value by ascending order. s(i) represents order of the label value of the ith plain image block's in label sequence. So, the ith block in permuted image P B i can be described as This step can be illustrated in Fig. 6, where the integers represent block order in the original image, and the decimals are value of labels in each block.
Similarly, in decryption phase, the ith block in recovered image R B i is described as As Fig. 6 shows, in plain image the block 16 is the last one, and in permuted image, the block 16 is moved to the first one.

Diffusion
In this module, each of the image block is encrypted to a noise-like one. Taking the 8-bit grayscale image as an example, each block can divide into 8 bit planes with size of 8 × 8. The diffusion phase proceeds as follows.
Step 1. Shuffle the bit planes and calculate iteration step T . The encryption order is determined by the first eight chaos variables {x(1), x(2)...x(8)}. Each bit plane P i has a corresponding chaos variable x(i). Sort the bit planes in ascending order by the variable, and obtain the shuffled bit planes {S P 1 , S P 2 ...S P 8 }.
The iteration steps T should be greater than 4, which could ensure the diffusion performance within block. On the other hand, T should not be too great to decrease the efficiency. In this scheme, it is calculated by Step 2. Encrypt the block with reversible Life-liked CA. The tth iteration can be described as Eq. (9), Equation (9) is an expanding form of Eq. (5), an eighth-order reversible CA. In this scheme, F(·) adopts Life-liked CA rule B1357/S02468. Iterate Eq. (9) T times, the encrypted block can be obtained. Similarly, the decryption equation is described as Step 3. Block-to-block diffusion. Each pixel of the block XORs with the corresponding one in the previous encrypted block. The jth pixel in B i block is encrypted by Specifically, this step is skipped when encrypting the first block.
Step 4. Repeat Steps 1 to 3 until all the blocks are encrypted.

Theoretical analysis
In this section, we analyze the efficiency of our proposed scheme in theory. In addition, this algorithm can expand to many image types. Due to different hardware and software conditions, analyzing the computation complexity can be more proper than simply comparing encryption time. When encrypting an image with size of M × N , 10 chaos variables are need for each block, so the computation complexity of generating chaos variables is O (10 In permutation phase, quick sort algorithm is recommended, so the ideal computation complexity of this phase is O( M N 64 log( M N 64 )), which is more efficient than most permutation algorithm. In the diffusion phase, parallel computing can help to improve computation efficiency, for CA iteration can be completed in a constant time. Therefore, the complexity of this phase by parallel computing is O (14 M N  64 ). The whole algorithm need 2-round permutation-diffusion; in conclusion, the complexity is 2O(10 M N 64 + M N 64 log( M N 64 ) + 14 M N 64 ). As mentioned above, we proposed algorithm is aimed at encrypting 8-bit gray image, which is one basic type of images. Because in the diffusion phase, the CA configurations is generated from each bit plains, which can be convenient for expanding to different type images. For example, the transforming image elements to structured data based on BP neural network have more image dimension. And X-ray image denoising based on wavelet transform and median filter may have more pixel accuracy. In short, these images use more bits to describe one pixel. A possible expanding method is adopting RCA with more higher order. Taking structured data based on BP neural network as example, if the data has d dimensions, and each dimension has 8 bits, a eighth-order RCA system can be used to encrypt the data. Therefore, the proposed algorithm can be expanded to encrypt many type images.

Simulation results
This section presents the simulation results of the image encryption scheme. All the images utilized in the experiment are collected from the USC-SIPI image database. 1 Figure 7 shows the plain images, cipher images and their histograms. For an ideal cipher image, it should  be random-like, and its pixels should be uniformly distributed. Therefore, the opponent cannot obtain any useful information by analyzing the distribution of pixels in a cipher image. In addition, the Chi-square test can quantitatively evaluate the uniformity of distribution of pixels in cipher images [30]. The Chi-square is defined as where k is the gray level of an image, e i denotes the expected frequency of each gray level, while o i denotes the observed frequency. For an 8-bit gray cipher image, when its Chi-square test value χ 2 test < χ 2 255,0.05 = 293, it can be considered that the image can pass the Chisquare test. Table 2 shows the values of Chi-square test. The results well demonstrate that the all cipher images are random-like, and the pixels in them are uniformly distributed.

Security and robustness analysis
This section demonstrates the security and robustness of the proposed image encryption scheme. It is demonstrated that an cryptosystem should have good security performance in terms of adjacent pixel correlation, ability of resisting differential attack, key's sensitivity, local Shannon entropy and plaintext attack resistance.

Adjacent pixel correlation
Generally, there are strong correlations between the adjacent pixels in a plain image, especially in horizontal, vertical and diagonal direction. The strong correlations could reveal the information in an image; thus, it is essential to weaken the adjacent pixel correlations for a good image encryption scheme. The correlation coefficients between adjacent pixels are calculated by Eqs. (10)- (12), where x and y are values of the two adjacent pixels, E(x) is the mathematical expectation of x, D(x) represents the variance of x and N denotes the number of sampling pixels. When r xy is close to 0, x and y have a weak correlation, while r xy is close to −1 or 1, which indicates a high correlation between x and y.
For testing the proposed image encryption scheme, 3000 pairs of adjacent pixels are sampled from the plain image and cipher image. Then the correlation coefficients in the horizontal, vertical and diagonal directions are, respectively, calculated. Figure 8 presents the results of image Couple and its cipher image. It is clear that the pixel pairs in plain image almost distribute on the diagonal line or the near area of the phase plane, which indicates that the adjacent pixels in plain image have strong correlation. In contrast, the pixel pairs in cipher image are randomly distributed in the whole phase plane. This means that the correlation between adjacent pixel pairs is very weak in a cipher image. Numerically, Table 3 shows the correlation coefficients of the testing images. As indicated, the proposed scheme can effectively weaken the correlation between adjacent pixels.

Resistance against differential attack
Differential attack is a popular model to crack an encryption scheme. It refers to extract clues by analyzing the difference between two cipher images which are encrypted by two plain image with only one-bit difference between them, then the opponent try to establish a mapping relationship between plain image and cipher image. To resist against differential attack, the encryption scheme should have certain diffusion performance. The performance means that any slight difference in The ability of an image encryption scheme to resist differential attack is quantitatively estimated by the number of pixel change rate (NPCR) and unified average changed intensity (UACI). These two values are calculated by Eqs. (13)- (15).
In these equations, C 1 and C 2 represent the ciphertexts whose corresponding plain images have only one-bit difference, M and N are the width and height of the image, and L denotes gray level of the image. When the cipher images obtained by differential attack can pass the NPCR and UACI test, it is indicated that the two cipher images are randomly irrelevant ones; thus, the opponent cannot get any useful information from this differential attack. Furthermore, the NPCR and UACI critical values were argued in [33]. For NPCR test, there is a threshold N * α related to a significance level α. When the result is greater than the threshold, it is considered to pass the NPCR test. Similarly, for UACI test, there is an interval (U − α , U + α ). Only in the case that the results fail into this interval, it can pass the UACI test. In [33], Wu et al. mathematically give the critical value, U − α , U + α and N * α for different size images, when the significance level α equals to 0.05, 0.01 and 0.001, respectively. In this experiment, the size of images is 512 × 512, and gray level is 256. When α=0.05, N * α = 99.5893% and (U − α , U + α ) = (33.3730, 33.5541%).
First, one-bit difference was elaborately designed at the right bottom of all the test plain images. In addition, for confirming the influence of different pixels located at other positions, in image Couple, four other random coordinates are selected. The four different pixels are, respectively, located at (146, 65), (159, 51), (511, 263), (2,259), and corresponding images are named as Cou-ple1, Couple2, Couple3 and Couple4. Table 4 shows the NPCR and UACI test results of the proposed scheme, and all the results indicates that the algorithm can pass the NPCR and UACI tests. This means the scheme has sufficient ability to resist against the differential attack.

Secret key analysis
An encryption scheme should have sufficient key space and should be extremely sensitive to the secret keys.
The key sensitivity means that in both encryption and decryption phase, even 1 one-bit difference in secret key should bring about significant different results in the encryption or decryption procedures. For key sensitivity evaluation, we first select a secret key K 0 and then randomly select a bit to reverse, so four keys K 1 ...K 4 can be obtained. The involved secret keys are as follows.
Because the cipher images are random-like ones, in is demonstrated in [34] that the NPCR and UACI can be used to evaluate the difference between two cipher images encrypted with two secret keys. Figure 9 shows the key sensitivity in the image encryption phase, and Table 5 presents the NPCR and UACI values. The results well demonstrate that in the encryption phase, a slight change in secret key could account for enormous difference.
In the decryption phase, these keys are utilized to decrypt the cipher image, and only the correct secret key can recover the original plain image, while the other keys even with only one-bit difference is unable to recover any useful information of the plain image. Because the original image is not a random one, NPCR and UACI test are not suitable in this phase. Therefore, calculating the incorrectly decrypted pixels in decrypted images can evaluate the sensitivity of secret key in the decryption phase. Table 6 and Fig. 10 demonstrate the key sensitivity in decryption phase. The result indicates the high key sensitivity of the proposed encryption scheme in the decryption procedure.

Local Shannon entropy
The pixels in a cipher image should be random and uniformly distributed; thus, it can resist various attacks. Generally, Shannon entropy is adopted to evaluate the randomness of image pixels [39]. For an image information source S, its entropy is defined by Eq. (16), where L is the gray level and P(s i ) represents the probability of symbol s i .
For an 8-bit gray cipher image, its ideal entropy is 8. Due to different secret keys, original plain images, the entropy of cipher image would vary in a certain range. Generally, if the entropy of cipher image is higher than 7.99, it can be considered secure enough to defeat statistical analysis. For example, in studies [31,32], their entropy test results are, respectively, higher than 7.99 and 7.999. Wu et al. further indicate that the global entropy is not appropriate to describe the randomness in some cases [35]. Then they propose local Shannon entropy where S i is a selected block in test image, k is the number of the blocks and T B represents the number of pixels in each block, respectively. Local Shannon entropy is an average result of these non-overlapping selected blocks. Following Wu et al. [35], k = 30, T B = 1936 and the significance level α = 0.05, an 8-bit image is considered to pass the test when its local Shannon value falls into the interval (h * le f t , h * right ) = (7.901901, 7.903037). Table 7 lists the local Shannon test results of our proposal. It is clear that the cipher images have high global entropy, which are higher than 7.999, and can pass the local Shannon test. Therefore, the proposed scheme can encrypt image with sufficient randomness.

Plaintext attack analysis
The classic confusion-diffusion structure has inherent weakness, and the drawback has been utilized by many researchers to crack the whole encryption scheme. Chen et al. [36] proposed that diffusion phase adopting XOR or modular addition has intrinsic drawback, and the opponent can obtain the equivalent chaos sequence by plaintext analysis and further crack the whole system.
In this scheme, we adopt block encryption in blockwise and reversible cellular automaton within block, which has been demonstrated having complex chaotic behavior. Because the RCA is much more complex, the opponent cannot analyze the mapping relation between plaintext and ciphertext, even though the opponent construct some elaborately designed plain image with identical pixels. Therefore, the drawback of confusiondiffusion structure is significantly addressed.
Generally, the opponents select some special plain images to prove the insecurity of encryption schemes. Many encryption algorithm when dealing with such as full black and full white images may behave insecure. Figure 11 shows the results that our proposed algorithm encrypting full black and white image with size of 512×512. Table 8 further shows information entropy and adjacent correlations of cipher images of full black and white. It can be concluded that our proposed algorithm can defeat plaintext analysis.    When the cipher images are transmitted in public networks, they may loss data or be blurred by noise. The ability of defeating noise and data loss is also significant for an encryption scheme. Because the scheme utilizes block encryption, the robustness of this scheme is greatly improved. When a pixel error occurs in a cipher image, this error will make the block containing this pixel fail to recover in decryption phase; in addition, it may affect the next block by diffusion property. However, the error could be limited within the block, and the rest pixels in the cipher image could be correctly decrypted.
To quantitatively demonstrate the ability of the encryption scheme in resisting data loss and random noise, the peak signal-to-noise ratio (PSNR) and mean square error (MSE) are adopted to test the difference between the original plain image and the decrypted image. The MSE and PSNR are, respectively, defined as Eqs. (17)- (18).
In both formulas, P 1 and P 2 are the original plain image and decrypted image, L is the gray level of image, and M, N represent the image size, respectively. The image Boat is utilized as the example. We adopt salt and pepper noise to interfere cipher image, which means the pixel value influenced by noise would randomly be 0 or 255, and it is a common noise in image transmission. Table 9 lists the MSE and PSNR test results of the cipher image with different percentages of data loss and noise. Figure 12 presents the results of this scheme in defending data loss and noise. Figure 13 shows the PSNR performance of different data loss. The scatters represent original experimental results, and the red line is the fitted curve. It is clear that even though the cipher images loss some data or are blurred by noise, the decryption phase can still recover the original ones with high visual perception. In addition, it is obvious that the proposed algorithm have good PSNR performance when loss rate less than 25%, and the performance on data loss is better than random noise.

Comparison analysis
To further analyze the performance of our proposed scheme, we compare it with other advanced algorithms [37,38]. For conducting a fair comparison, we adopt the results reported in these references papers. Table 10 compares the proposed scheme and other encryption algorithms by NPCR and UACI tests. The numbers in underline are the results fail to pass the UPCR and UACI test. The bold font numbers are the results fail to pass the test; thus, our proposed scheme has more stable performance comparing with these advanced methods. Table 11 compares the adjacent pixel correlation with some recent algorithms. The most closed to 0 result is marked in bold font, and our proposed method performed best on many tests. So this proposed algorithm have good ability to weaken the correlation of adjacent pixels among these advanced methods.

Conclusion
In this paper, we propose an image encryption scheme based on block encryption, 2D-LSCM chaos map and reversible Life-liked CA. First, we find that the reversible Life-liked CA lack of robustness, which can make the encryption algorithm cannot defeat data loss or random noise. To overcome this loophole, the block encryption not only maintain the diffusion performance of Life-liked CA, but increase the robustness of whole system. In addition, we demonstrate that a proper designed permutation method can increase the efficiency of whole permutation-diffusion structure.
The permutation method needs to move the last pixel to the first one. Thus, we propose an efficient permutation method, which can ensure sufficient diffusion perfor-mance with only 2 permutation-diffusion rounds. The simulation results presents that the cipher images are noise-like with uniform distributed pixels. Chi-square test and histogram of cipher image indicate the uniform distribution of pixel value in cipher image. The security analysis demonstrates that the proposed encryption scheme can greatly weaken the pixel correlation, resist differential attack and plaintext analysis. In addition, the proposed scheme also have sufficient key sensitivity and pixel randomness. The results of comparison with other advanced algorithms show that our proposal has good secure performance among these algorithms.
In particular, it has more stable performance in resisting differential attack. The robustness analysis demonstrates that the cryptosystem can efficiently resist data loss and random noise.
Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.