Novel image cryptosystem based on new 2D hyperchaotic map and dynamical chaotic S-box

Chaotic systems are widely used in image encryption due to their sensitivity to initial values, ergodicity, and other properties; many image encryption algorithms based on chaotic systems have been studied in the past few years. To obtain a more secure encryption algorithm, this work firstly proposes a new two-dimensional discrete hyperchaotic map, which has a wider continuous chaotic interval, larger Lyapunov exponents and passed all NIST and part of TestU01 tests. Then, we apply the proposed map to generate S-boxes and combine them in pairs; finally, twelve S-boxes are obtained, and the elements of the plaintext image are grouped, each group of pixels is summed, and modular operations are used to specify specific S-boxes. Next, each set of elements is bitwise XOR with the corresponding S-box. Finally, the cipher image is obtained by scrambling using chaotic signal. Experiments show that compared with some other encryption algorithms, the proposed S-box-based encryption method has higher security, and it resists to common attacks.


Introduction
With the development of society, each of us is in the era of information explosion, and our privacy is becoming more and more transparent. Digital information is widely used around us, such as communication, image and so on [1][2][3]. Compared with text information, image information is more used because it is more intuitive and interactive [4][5][6], so there are many studies on image processing, such as image correction, image denoising, image restoration, and image encryption [7][8][9]. In image transmission, if the image is not encrypted, there may be a risk of privacy leakage. Compared with traditional encryption, chaos encryption has better efficiency, more and more chaotic systems are used for encryption.
Since the emergence of ''chaos'' as a new scientific term in 1975, chaotic dynamics has been vigorously developed and studied, chaos is widely used in cryptography and related fields because of its nonlinearity, pseudo-randomness and sensitivity to initial values. To obtain better encryption effect, researchers began to improve the traditional continuous chaotic map and discrete chaotic map and apply them to encryption. Although the continuous chaotic map has high complexity, the efficiency of generating chaotic sequences is low; on the contrary, the discrete chaotic map has low complexity but high efficiency, so it is more suitable to apply the discrete chaotic map to encryption. Amine et al. used an improved onedimensional discrete chaotic map for encryption [10]. Gao et al. introduced a new two-dimensional hyperchaotic map in image encryption [11]. Arab et al. put forward Arnold map to generate the key of the image encryption algorithm and improved the AES algorithm for image encryption [12]. Of course, highdimensional discrete chaotic systems are also widely studied due to their higher complexity and better unpredictability [13][14][15][16]. However, two-dimensional discrete chaotic systems are more used due to their simple form and strong anti-degeneration ability. At present, many discrete two-dimensional chaotic systems have been proposed. De la Fraga et al. developed four sets of coefficient values of a two-dimensional chaotic map to generate a pseudo-random number generator and used the generated random sequence to encrypt the image [17]. Chen et al. presented a new 2D chaotic map based on sinusoidal maps, Chebyshev maps and linear functions and further proposed an improved cryptosystem [18]. Liu et al. proposed a new two-dimensional Hénon-Chebyshev modulation map by concatenating the Hénon map and the Chebyshev map [19]. Hua et al. designed a two-dimensional chaotic system with continuous and wide chaotic range and put forward a color image encryption algorithm based on this system [20]. Ahmad et al. studied an improved 2D hyperchaotic system and used it for S-box generation [21]. Qi et al. developed a 2D-TSCC chaotic system and used it for image protection [22]. Ma et al. presented a two-dimensional chaotic system with a simple algebraic form and analyzed its chaotic properties [23]. However, most of the existing two-dimensional chaotic maps still have the problem of narrow chaotic interval. To obtain a larger chaotic interval and ensure encryption efficiency, this paper presents a new two-dimensional hyper-chaotic map, which has a larger chaotic interval than most existing two-dimensional chaotic systems, and can be better used to design cryptographic algorithms.
To enhance the security of the encryption algorithm, this paper introduces S-box for XOR in the encryption process. S-box is usually the only nonlinear part of block cipher algorithm. Recently, many methods for constructing S-box have been proposed [24][25][26][27][28][29][30][31][32]. For example, some researchers used genetic algorithm to construct S-box with good performance [26,27], some others combined chaos and Boolean function to construct good S-box [28][29][30], and the others used chaotic maps to generate S-boxes [31,32]. In addition, researchers have also applied S-box to image encryption and achieved good encryption results [33][34][35][36]. To overcome the singularity of fixed S-boxes and make the encryption process more flexible, the concept of dynamic S-boxes is proposed. Wang et al. developed an image encryption scheme based on dynamic S-box [37]. Zhu et al. designed dynamic S-boxes by using the combination of chaotic mapping and adaptive function [38]. Devaraj et al. proposed an image encryption scheme based on improved standard mapping and dynamic S-boxes [39]. Liu et al. explored an encryption algorithm based on hyperchaotic system and dynamic S-box [40]. However, these algorithms are often very complex, increasing the runtime of the algorithm. Therefore, this work constructs a simple and flexible symmetric encryption algorithm under the premise of security and efficiency. Different from most studies, this paper combines S-boxes to generate more S-boxes, which saves running time and innovatively uses the S-box dynamically for the XOR step, making the algorithm more flexible and better resistant to noise attacks.
The main contributions of this paper are: 1. This paper presents a new two-dimensional discrete hyperchaotic system with a wider chaotic region, much larger Lyapunov exponents and more complex behavior. 2. We generate many new S-boxes using fixed S-box, which has higher security compared with a single S-box. 3. A novel image encryption algorithm combining the new chaotic system and dynamic S-box is proposed, which has higher security compared with the image encryption methods based on fixed S-box.
This work is organized as follows: Sec.2 introduces the proposed two-dimensional hyperchaotic map and its dynamic characteristic; the constructed S-box is presented in Sec.3; Sec.4 describes the encryption algorithm; simulation results and security analysis are shown in Sec.5; Sec.6 summarizes the full text and puts forward the direction of future work.

Dynamical system analysis
This section introduces the proposed two-dimensional hyperchaotic map and its chaotic characteristics.

Preparatory work
Chaotic system can be divided into discrete chaotic system and continuous chaotic system. Table 1 shows the comparison of advantages and disadvantages of discrete chaotic system and continuous chaotic system.
Since the low-dimensional chaotic system has faster iteration speed than the high-dimensional chaotic system, it is more suitable for image encryption. Based on this, we propose a new two-dimensional chaotic map for encryption. Next, the chaotic properties of the proposed system are studied and compared with the classical two-dimensional Hénon map.

The new hyperchaotic map
The new hyperchaotic map is proposed as follows: x nþ1 ¼ sinð10 17 rx n þ y n Þ; where r 2 ½100; 200 and x n 6 ¼ 0; y n 6 ¼ 0. Figure 1 shows a partial phase diagram for the parameter r from 100 to 200; we can see that the attractor trajectory of the new two-dimensional hyperchaotic system is evenly distributed in the whole phase space when r ranges from 100 to 200. Therefore, the new system has good chaotic characteristics.

Bifurcation diagram
The bifurcation phenomenon of chaotic map is one part of the symbols of chaos. By depicting the bifurcation diagram, we can intuitively observe the relevant information of chaos. The bifurcation diagram of Hénon map and the bifurcation diagram of new two-dimensional hyperchaotic map are shown in Fig. 2. From Fig. 2a-d, we can infer that the new system has a larger chaotic interval than Hénon map.

Largest Lyapunov exponent
Lyapunov exponent describes the average change rate of orbit dispersion or convergence caused by the change of two slightly different initial values with time in the phase space generated by time series [42]. The two LEs of two-dimensional chaotic system at initial state x 0 is defined as: where g i ðW n Þ is the i-th eigenvalue of matrix W n , W n ¼ Jðx 0 ÞJðx 1 Þ Á Á Á Jðx nÀ1 Þ, and Jðx j Þ is the Jacobin matrix of the chaotic system at observation time j. The map is chaotic when one Lyapunov exponent is greater than 0; if both Lyapunov exponents are greater than 0, the map is hyperchaotic [43]. The Lyapunov exponent of Hénon map and the new two-dimensional chaotic map is shown in Fig. 3. From Fig. 3, only one Lyapunov exponent of Hénon mapping is greater than Proof of the existence of chaos Easy Hard 0, while the two Lyapunov exponents of the new twodimensional chaotic system are greater than 0, indicating that the new two-dimensional chaotic system has better chaotic characteristics.

NIST test
In this paper, SP800-22 standard is adopted to test the performance of the pseudo-random sequence. which includes 15 major items. Each binary sequence test metric gives a test result of P-value, set a threshold a ¼ 0:1; If P-value is greater than a, the random reliability of the test sequence is 1 À a, The sequence passed the random test of the index; on the contrary, it indicates that it has not passed the test [16]. As can be seen from the results in Table 2, the pseudo-random sequences generated by new system passed these tests, which indicates that our pseudo-  random sequence has a good pseudo-random performance.

TestU01
TestU01 is a software library implemented in ANSI C and provides a set of utilities for empirical statistical testing of unified random number generators [16]. Both sequences of the proposed system passed the SmallCrush test, which was then subjected to more rigorous shredding tests to further verify their randomness, and some of the tests failed. As can be seen from Table 3, although our x sequence has only passed some TestU01 tests, it has better randomness compared with some existing methods. Since y sequence contains only one variable and has poor nonlinearity, the test result is also poor, we will try to improve it in the future work.

Post-processing method
To improve the randomness of the generated chaotic sequence and strengthen its anti-degradation ability, we proposed a post-processing method which is shown in Algorithm.

Example
To verify the effectiveness of the method, we applied it to the proposed map. Assume that the computer precision is 13 bit and we set the initial value is ðx 0 ; y 0 Þ ¼ ð0:001; 0:002Þ, and the data length is 400. Figure 4 and b shows x 1 and y 1 sequences before processing, respectively. Figure 4c and d shows the x and y sequences after postprocessing, respectively. It can be seen that periodic points have appeared in the system before processing, but not in the sequence after processing. Information entropy and spectral entropy can effectively reflect the disorder degree of sequence [30,45]. According to the higher entropy value, the more complex the sequence is, which means that it has better randomness. Table 4 shows the comparison of the sequences before and after the processing. We find that the information entropy and spectral entropy of the processed sequences become much larger, which indicates that the processed sequences have better randomness and also show that our method is effective. Later, we will apply this post-processing method to the encryption step.

S-box structure and performance analysis
S-box is the sole nonlinear structure of AES. S-box mainly plays a role of confusion and diffusion in the cryptography system. This work presents a new hyperchaotic system in Sec. 2 used to generate chaotic sequences, which are used to scramble the number 0 À 255 without repetition, and then, the number is rearranged into a 16 Â 16 matrix. The above steps are repeated to obtain three different S-boxes, which are compounded in pairs to obtain nine S-boxes. For space reasons, we chose one of the S-boxes (S 10 ) as the box for subsequent performance analysis. Table 5 shows the obtained S 10 . Next, we will study the performance of the S-box from six aspects, including its bijectivity, nonlinearity, and strict avalanche criterion. Table 6   Table 3 TestU01 test of different methods (number of failed tests)

Test
SmallCrush (15) Crush (144) New system (x n ) 0 9 New system (y n ) 0 shows the S-box lookup table where S a Á represents S a replacement of Á.

Bijectivity
Adamas and Tavares proposed the conclusion that f is bijective if the sum of the linear operations of the Boolean functions f i of the components of the S-box of n Â n is 2 nÀ1 [46].
where a i 2 f0; 1g and a i ði ¼ 1; 2 Á Á Á nÞ are not both 0,ÁwtðÞ is the Hamming weight. According to the S-box construction method, the S-box constructed in this paper is bijective.

Nonlinearity
Nonlinearity is a measure of the ability of cryptographic function to resist linear attack. The ability of a function to resist linear attack is proportional to its nonlinearity [47]. The nonlinearity of the n-bit Boolean function f ðxÞ is defined as follows: where S ðf Þ ðxÞ is the Walsh cycle spectrum of f ðxÞ. The results obtained by calculating the nonlinearity of S 10 are shown in Table 7. It can be seen that the proposed S-box has high nonlinearity.

Strict Avalanche criterion (SAC)
Webster and Tavares presented a strict avalanche criterion combining completeness and avalanche effect. The strict avalanche criterion is when you   change one input to a Boolean function, half of the output values will change, that is, the probable change of each output bit is 0:5. The independent matrix is used to obtain the SAC value of the S-box [48]. If an Sbox satisfies SAC, each element of the independent matrix is close to 0:5. Table 8 shows the independent matrix of the newly constructed S-box. As we can see from Table 8, each element has a value close to 0:5.

Output bits independence criterion (BIC)
Adamas and Tavares designed a method to measure the independence between output bits [49]. There are two Boolean functions that output bits in the S-box: f j ðxÞ and f k ðxÞ.If f j ðxÞ È f k ðxÞ is highly nonlinear and meets as strict an avalanche criterion as possible, the correlation coefficient of the output bit pairs may approach 0 when any input bit is inverted. Table 9 shows BIC-nonlinearity of the proposed S-box. Table 10 shows BIC-SAC of the proposed S-box.

Difference approximation probability (DP)
The difference approximation probability DP f represents the XOR distribution of the input and output of the Boolean function [50]. Given an input difference Dx, the highest probability that the output is Dy.The smaller DP f is, the more resistant it is to differential attacks. The maximum value of S-box DP proposed in this paper is 0.0390.

Linear approximation probability (LP)
The probability of linear approximation is that when two masks Cx and Cy are arbitrarily selected, perform mask Cx operation on all possible values of the input Table 5 The proposed  S-box  102  13  85 202  46  97 179 168  3 173 159  63 174 158 239 148   135  4 190 236  82 196  94 137  1  31  30 192  17 127 112 103   21  199 215  52 153 194  90  60  50 171 220  72 128  57  44 216   241 229 184 126 201 105  98 150 188 109 235  40 172 183 139 222  162  76 244 154 133  8 255  93  91  14  24 114  79 106 157    value x and mask Cy operation on the output value SðxÞ of the corresponding S-box. The maximum number of the same result obtained after the operation of the input value and the output mask is the maximum linear approximation [51]. The smaller LP is, the more resistant it is to linear attacks. The maximum value of S-box LP constructed in this paper is 0.1328. Table 10 shows the comparison between the indexes of the proposed S-box and other methods. It can be obtained from Table 11 that the S-box constructed is better and has strong encryption characteristics than some other methods, which is conducive to the subsequent research on encryption algorithms.

Dynamical chaotic S-boxes encryption algorithm
This section introduces the proposed encryption algorithm, as shown in Fig. 5. Then, we present the novel image cryptosystem, to prevent degradation; we use the x and y sequences in Eq. (2) in the encryption step, which are described as follows: Step 1 Inputting the picture P, remember that the size of the picture is M Â N and convert the picture into the sequence I of length M Â N; Step 2 Using the hash function SHA-512 from sequence I to get y 0 . Pick any real number x 0 2 R, r2 ½100; 200 to get chaotic sequences, and process our sequences according to the methods in Sect. 2.9.1.
Step 3 Discarding the value of the first 1000 iterations and iterate the y sequence for M Â N times to obtain the sequence y 1 . Sorting it from smallest to largest to obtain C, and obtain the position sequence A according to the position of C in y 1 ; Step 4 Constructing the S-boxes. (1) Discarding the value of the first 1000 iterations and iterating the x sequence for 16 Â 16 times to get the sequence x 1 ; (2) Discarding the value of the previous 6000 iterations and iterating the y sequence for 16 Â 16 times to get the sequence y 2 ; (3) Discarding the value of the previous 6000 iterations and iterating the x sequence for 16 Â 16 times to get the sequence x 2 ; (4) Using sort function to get index set k 1 ¼ sortðx1Þ; k 2 ¼ sortðy2Þ; k 3 ¼ sortðx2Þ; Mark D ¼ 0 : 255, then we calculate to get three S-boxes; Table 8 The independence  matrix of the proposed  S-box   1  2  3  4  5  6  7   Step 5 Compound the above S-boxes according to the method in Sec.3 to get twelve S-boxes; Step 6 Calculating a ¼ MÂN 256 , and further calculating BðiÞ ¼ modðsumðIð256 Á ði À 1Þþ 1 : 256 Á iÞÞ; 12Þ þ 1, where i ¼ 1; 2 Á Á Á a, Sequence B is obtained, that is, a different S-box is selected for each 256 elements of sequence I; As shown in Fig. 6; Step 7 All the selected S-boxes are transformed into onedimensional sequences of length 16 Â 16, and the sequence S with length M Â N is connected at one time. According to the S-box selected by I, calculate P1 ¼ bitxorðI; SÞ to get the sequence P1; Step 8 Scrambling sequence P1 with A in Step 3 to get P2; Step 9 Sequence P2 is transformed into the matrix of M Â N to obtain the cipher image C2.

Simulation results and security analysis
In this section, the performance of gray image is analyzed, and the proposed encryption algorithm is compared with the results of recent research algorithms on image encryption.

Gray image encryption simulation
The algorithm is used to encrypt images with different resolutions. Figures 7, 8, 9 show the encryption and decryption results. It shows that the proposed algorithm can encrypt and decrypt the images effectively.

Key space
Our encryption key includes x 0 ; y 0 ; r and sequence B, where x 0 and y 0 are all real numbers, r is the real number of ½100; 200, the element in B is an integer from 1 to 12, and the length of B depends upon the size of the plaintext image. Since the computer precision is 10 À14 , our key space should be greater than or equal to: Obviously, the proposed encryption algorithm can defend against brute force attacks.

Key sensitivity
A marvelous encryption algorithm must be key sensitive, that is, the plaintext image cannot be correctly solved after a small perturbation of the key. Figure 10 shows the decryption image after the perturbation of the key, which shows that the new encryption algorithm is sensitive to the key.

Differential attack
Number of pixels change rate (NPCR) and unified average changing intensity (UACI) are used to analyze the influence of small changes in plaintext on the ciphertext [52]. The ideal value for NPCR is 99:61%; the closer you are to the ideal value, the more sensitive the ciphertext you are to the change of plaintext. The ideal value for UACI is 33:46%; the closer you are to the ideal value, the more resistant you are to differential attacks. Assuming that the two ciphertext images are C 1 ; C 2 , corresponding to the plaintext images with only one pixel difference, then calculate Dði; jÞ Â 100%; ð7Þ where M; N are the number of rows and columns of the image. Table 12 shows that the NPCR and UACI values are all close to their ideal values. As can be seen from this table, the algorithm presented can resist the differential attack. Table 13 compares the NPCR and UACI obtained by this algorithm with other literatures. It indicated that our algorithm has as good security as other works.

Histogram analysis
The histogram reflects the gray-level statistics of all pixels in the image. The more evenly the histogram of the encrypted graph is distributed, the more difficult it is for an attacker to obtain valid information from the   Fig. 11, which indicate that the distribution of our histogram of the encrypted images are uniform. Figure 12 shows that the spatial pixel value distribution of images with different resolutions and their encrypted images. It can be seen that all pixels of the encryption images are evenly distributed between 0 and 255.

Correlation analysis of adjacent pixels
Encryption algorithms can resist statistical analysis attacks only when the correlation between adjacent pixels of ciphertext images should be as low as possible. The smaller the correlation coefficient of the image is, the weaker the correlation of the image is. In other words, the correlation coefficient should be close to 0, which it resists statistical attack [53]. Figure 13 shows the pixel correlation analysis of Lena. It can be obtained from Fig. 13 that each direction of ordinary image has strong correlation, but each direction of encrypted image has a weak correlation. Table 14 shows the correlation coefficients of encrypted images with different resolutions. Table 15 shows the comparison of correlation coefficients of different methods. We can conclude that the weak correlation of each direction of the encryption images obtained by this algorithm is better than other algorithms.

Information entropy
Information entropy, which reflects the randomness of pixel gray value in the encrypted image, has a theoretical value of 8. If the information source is expressed as s, the information entropy HðsÞ is calculated as follows [30].
Pðs i Þ log 2 1 Pðs i Þ : ð9Þ Table 16 shows the information entropy of the encrypted images obtained by using our encryption. It can be concluded from Table 16 that the information entropy of encrypted images with different resolutions is close to the theoretical value 8. Table 17 shows the information entropy comparison between the   Table 17, like the information entropy obtained by the encryption algorithm proposed in Sec.4 is closer to the theoretical value, and the gray value of the encrypted image pixel appears more random.

Robustness Analysis
A good encryption algorithm, even if the ciphertext image information is partially missing, should also be able to obtain part of the image information through decryption, that is, it should have anti-shear ability and anti-noise ability. Figure 14 shows the decryption situation in the absence of ciphertext. Through observation that the proposed encryption algorithm can effectively resist image clipping. Figure 15 shows that the decryption results under Gaussian noise attack. From these figures, the decrypted image restores the important information of the original image, which can be inferred that the proposed algorithm has excellent robustness.

Comparison with other methods
To illustrate the effectiveness of our method, we compare it with other existing methods. As shown in Table 18, (1) our information entropy, NPCR and UACI are consistent with other works and (2) the proposed correlation coefficient values is close to zero    same with other schemes. Based on the above, our method is effective.

Conclusions
This paper presented a new two-dimensional discrete hyperchaotic map, which has a wider continuous chaotic region and two larger Lyapunov exponents compared with Hénon map, and the proposed map passed all NIST and part of TestU01 tests, which indicates its good randomness for image encryption.
To investigate the application of our method in image encryption, we explored a novel encryption method based on the proposed chaotic map and dynamic S-boxes. In this method, three fixed S-boxes were used to generate many new S-boxes, which has higher security than a single S-box. Simulation results showed that the proposed method is effective. Compared with AES algorithm and some existing encryption algorithms, our method can resist some common attacks and has higher security. Although the encryption algorithm has not been mathematically proven, we will investigate it in the future. Data availability statements The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.