An image encryption scheme based on public key cryptosystem and quantum logistic map

Most of existing image encryption schemes are proposed in the spatial domain which easily destroys the correlation between pixels. This paper proposes an image encryption scheme by employing discrete cosine transform (DCT), quantum logistic map and substitution-permutation network (SPN). The DCT is used to transform the images in the frequency domain. Meanwhile, the SPN is used to provide the security properties of confusion and diffusion. The SPN provides fast encryption as compared to the asymmetric based image encryption since operations with low computational complexity are used (e.g., exclusive-or and permutation). Different statistical experiments and security analysis are performed against six grayscale and color images to justify the effectiveness and security of the proposed image encryption scheme.

Quantum logistic map. Goggin et al. 35 derived a logistic map with quantum corrections by coupling a kicked quantum system to a bath of harmonic oscillators. The proposed quantum logistic map was applied to image encryption by Akhshani et al. 36 as follows: (1) x n+1 = r(x n − |x n | 2 ) − ry n , (2) y n+1 = −y n e −2β + e −β r[(2 − x n − x * n )y n − x n z * n − x * n z n ], (3) z n+1 = −z n e −2β + e −β r[2(1 − x * n )z n − 2x n y n − x n ], Scientific Reports | (2020) 10:21044 | https://doi.org/10.1038/s41598-020-78127-2 www.nature.com/scientificreports/ where x = �a�, y = �δa † δa�, z = �δaδa� and β is dissipation parameter. Besides, x n , y n and z n are complex numbers with x * n being the complex conjugate of x n . The same notation applies to x n . However, the initial values x n , y n and z n are set as real numbers to meet the requirement of communication.
Meanwhile, the logistic map is written as follows: where x n ∈ [0, 1] and u ∈ [0, 4] . We analyse both logistic map and quantum logistic map in terms of bifurcation, Lyapunov exponent and phase diagram. Bifurcation is a qualitative change in the dynamics of a given chaotic system due to the change of the control parameter. In the bifurcation diagram, the dotted line shows the chaotic behavior of the system, while the solid line shows that the system has changed to be periodic. Figure 1a shows that the logistic map has chaotic behavior when u is in the interval of 3.57-4. In Fig. 1b, when we fix r = 3.99 , the quantum logistic map has a wider chaotic region as the data outputs of the chaotic sequence fully occupies the interval of 0 to 1, when the control parameter β > 4 . As compared with the logistic map, the quantum logistic map has many good properties: (1) Larger key space with a three-dimensional system; (2) Larger continuous interval; (3) More uniform distribution for the output. Therefore, the non-periodicity and randomness of chaotic sequences are enhanced. We like to note that Fig. 1 is drawn by author Wun-She Yap. Lyapunov Exponent (LE) is a tool to measure the sensitivity of the chaotic map to the slight changes in the initial conditions and control parameters. The LE of a differentiable non-linear system x i+1 = f (x i ) can be calculated as: The chaotic map with a positive LE demonstrates good chaotic behavior. The higher the LE value indicates a better sensitivity of the map to its initial value. Figure 2 shows that logistic map only have positive LE when u ∈ [3.57, 4] while quantum logistic map has positive LE when β > 6 . Therefore, it shows that quantum logistic map has better chaotic behavior than the logistic map. We like to note that Fig. 2 is drawn by author Wun-She Yap. For a dynamical system, the distribution of the trajectory on the phase plane demonstrates the randomness of the outputs. Figure 3b shows the phase diagrams of quantum logistic map with the parameters r = 3.99 and β = 7 . As compared to the phase diagram of the logistic map with u = 3.58 shown in Fig. 3a, the trajectory of quantum logistic map disperses widely on the x − y plane with high density, which indicates that it has a good ergodicity property. We like to note that Fig. 3 is drawn by author Wun-She Yap.
Discrete cosine transform. Discrete cosine transform (DCT) is widely used for image and video compression standards including JPEG and MPEG. In this paper, the two-dimensional forward DCT 37 is used. Given an image P consisting M rows and N columns and P(i, j) denotes the pixel value of image P at row i and column j, the DCT of image P is defined as follows: where σ (u) and σ (v) are defined as follows:  www.nature.com/scientificreports/ After the DCT transformation, the low-frequency coefficient reflects the outline and gray distribution characteristics of the target in the image while the high-frequency coefficient reflects the detailed information of the target shape. Finally, the image P can be restored by the inverse DCT as follows:

The proposed image encryption scheme
The proposed image encryption generates the initial values x 0 , y 0 and z 0 based on a plain image P, a secret (denoted as message m) and ciphertext c generated by a secure public key encryption scheme. The proposed initial value generation method removes the need for a secure channel for the transmission of secrets. Besides, the initial value generation method is dynamic since it relies on the ciphertext and image to be encrypted. The proposed image encryption scheme mimics one-time pad 38 if different secret m is selected in each image encryption process. The encryption structures is a substitution-permutation network that iterates for five rounds. Each round consists of permutation (i.e. row and column permutations) and substitution (i.e. exclusive-or operation) to provide the properties of confusion and diffusion. Assume the recipient B with his public and secret keys (pk B , sk B ) respectively. A wishes to encrypt an image P containing M × N pixels. As shown in Fig. 4, the image encryption process consists of the following steps: 1. Generation of initial values (x 0 , y 0 , z 0 ) :

Generation of Initial Values
Image P x 0 , y 0 , z 0

Row Permutation
Column Permutation

Row Permutation
Column Permutation Inverse DCT Repeat another four rounds www.nature.com/scientificreports/ (b) For k = 1, 2, 3 , A randomly selects three secret messages m k and generates ciphertexts c k = Enc(pk B , m k ) . Notice that m k ∈ {0, 1} n and n depends on the public key encryption used. (c) A generates the initial values for quantum logistic maps as follows: where | · | is the modulus function.

3.
A transmits c 1 , c 2 , c 3 , r and the encrypted image X 5 to B.

Remark.
We ignore the description of the image decryption process as the decryption process is the inverse of the encryption process and straightforward.

Experimental results
For illustration purposes, RSA 34 is selected as the public key encryption scheme. Besides, as shown in Fig. 5, six images are randomly selected (Images Grass, Pentagon and Earth are free from the USC-SIPI database, anyone can read the Copyright Information for these images at http://sipi.usc.edu/datab ase/copyr ight.php. Image Tree is taken by author Kaixin Jiao. Images Art and Sun are taken by author Guodong Ye) for testing purposes. All the experiments are performed on MATLAB R2017b where the proposed algorithm consists of 5-round encryption process.
Correctness analysis. Table 1 shows the selected parameters for RSA cryptosystem. Details of RSA can be referred to Ref. 34 . Besides, the selected messages are m 1 = 5, m 2 = 11 and m 3 = 20 for illustration purposes. β and r of quantum logistic map is set as 6 and 3.99, respectively. Figure 6 shows the encrypted images of plain images shown in Fig. 5. Notice that as shown in Fig. 7 the image encryption scheme fulfills the correctness properties where the decrypted images are similar to the plain image.
On the other hand, Table 2 presents the time needed by the proposed scheme to encrypt images with different sizes for the different number of rounds. The time measured includes the process to generate the initial value for the underlying quantum logistic map. www.nature.com/scientificreports/   www.nature.com/scientificreports/ Security and key space analysis. A naive approach to break the proposed image encryption scheme is to guess the initial values (x 0 , y 0 , z 0 ) . As each initial value is of 14 decimal places with the range between 0 to 1, there exists 10 14 possible values for each of (x 0 , y 0 , z 0 ) . This contributes to 2 46.5 possible guesses of value x 0 . This applies to y 0 and z 0 as well. Thus, there are 2 139.5 possible values of (x 0 , y 0 , z 0 ) . This also indicates the key space is of 139.5-bit. Besides, the inclusion of c in generating initial values is to provide more possibilities by using subtraction and modulus operations. Notice that r is with the smaller range given that there exists a smaller number of pixels and each pixel is of 8-bit long 39 . Thus, the generation of initial values will not be greatly affected by r. The second approach is to break the proposed image encryption scheme by breaking the underlying public key encryption scheme. Assuming a public key encryption is secure and with the 128-bit security level, then the second approach will not work.
Instead of recovering the initial values (x 0 , y 0 , z 0 ) , the adversary may recover the keystreams (also known as round keys). As shown in Fig. 4, the round keys affect the permutations (i.e. row and column) and substitution (i.e. exclusive-or operation). Instead of guessing x ′ k , y ′ k , z ′ k and w ′ k , it is sufficient for the adversary to guess the permutation directly especially when the image contains a smaller number of pixels. Assuming the image is of M × N pixels, there exists possible (M × N)! permutation since DCT and inverse DCT operations do not require the knowledge of round keys. Similarly, the substitution can be guessed by 256 M×N trials. Thus, the total guesses of round keys for one round is (M × N)! × 256 M×N . If M = N = 4 , the approach to guess round keys will be with complexity greater than 2 128 . By increasing the number of rounds to 5 (for differential-like attack concern 40-42 ), the proposed image encryption scheme shall provide sufficient security.
Histogram analysis. The histogram is a basic attribute of a digital image, which reflects the statistical characteristics of the relationship between image gray level and image frequency. A good image encryption    where L is the intensity level, o L and e L are the observed reference and the expected reference of the gray level in the encrypted image, respectively. Table 3 shows the chi-square test results of the encrypted and plain images. Meanwhile, Table 4 presents the comparison of the chi-square value of the encrypted colour images between the proposed scheme with a recent proposed scheme 43 . The smaller the chi-square value, the more uniform the pixel distribution, thus the higher the safety.
Correlation analysis. Since the original image has a strong correlation between adjacent pixels, the attacker may obtain meaningful information through the correlation of the pixels in the horizontal direction, vertical   www.nature.com/scientificreports/ direction or diagonal direction. To measure the correlation coefficient, 10,000 adjacent pixel pairs of the plain image and the encrypted image are randomly selected from three different directions using Eq. (10).
where R xy represents the correlation coefficient, x and y are the gray values of two adjacent pixels, and N is the total pixels. Figure 9 shows the correlation of "Grass" grayscale image pixels and its encrypted image pixels in three different directions. Meanwhile, Figs. 10, 11 and 12 show the correlation of "Sun" color image pixels and its encrypted image pixels in three different directions and three different channels. Tables 5 and 6 are the correlation coefficients of the grayscale and color images respectively. Table 7 compares the correlation coefficients of cipher images encrypted with different algorithms. It can be seen that the correlation coefficients of adjacent pixels in the plain images and encrypted images are close to 1 and 0 respectively, which indicates that the proposed scheme greatly reduces the correlation of adjacent pixels in the images. Besides, the pixels of the encrypted images are randomly distributed.
Information entropy. The information entropy reflects the average amount of information in an image, and the randomness of an image can be judged by the information entropy. For an image with 256 gray values, the ideal value of the global Shannon entropy is 8. The more uniform the gray value distribution, the stronger the randomness of the image. The information entropy can be computed using Eq. (14).  Table 8. It can be seen that the information entropy of encrypted image is very close to the ideal value, so the proposed image encryption scheme has high randomness.     www.nature.com/scientificreports/ for an image S and randomly select k non-overlapping blocks S i . Besides, TB denotes the number of pixels in S i and H(S i ) represents Shannon information entropy value. Table 9 shows the local information entropy value of the grayscale images and the color images (i.e. the mean value of the three different channels). It can be seen that the local information entropy of the image is above 7.95, which further reflects the randomness of the encrypted image.
Differential attack analysis. According to the principles of cryptography, the encryption algorithm should be sufficiently sensitive to the changes of plaintext. The stronger the sensitivity, the stronger the ability to resist differential attacks. The number of pixels change rate (NPCR) and the unified average changing intensity (UACI) are important indicators to measure the resistance of image encryption algorithms to differential attacks. NPCR reflects the change rate of the gray value of the corresponding encrypted text, and UACI reflects the average change of the gray value. NPCR and UACI can be computed using Eqs. (16) and (17).    j) ; otherwise, 1. Besides, C 1 is the normal encrypted image, C 2 is the encrypted image when the value of a pixel in the original image changes, and M × N is the size of the image. Table 10 shows the NPCR and UACI values of grayscale encrypted images. Table 11 shows the comparison of NPCR and UACI values for different color images encrypted by different schemes. It can be seen from the table that both NPCR and UACI values pass the randomness test 52 , indicating that a modification of the pixel value will result in a completely different encrypted image. The results show that the proposed image encryption scheme can resist differential attack. Note that NPCR and UACR become two widely used metrics for the security analyses against differential attack in the image encryption community since these two metrics were introduced 53,54 .

Key sensitivity analysis.
A good image encryption scheme should be highly sensitive to the changes of key. To measure the key sensitivity, assume two different initial value x 0 (denoted as k 1 ) and x ′ 0 (denoted as k 2 ) are selected to encrypt the image "Art". Figure 13 shows the corresponding key sensitivity analysis results. It can be seen from Fig. 13d that there are great differences in the encrypted images with the changes of the initial value. As shown in Fig. 13e-g, only the correct key can recover the original image. Meanwhile, Fig. 14 shows the test results when the parameter of the quantum logistic map changes slightly. As a nutshell, the proposed image encryption scheme is sensitive to keys and can resist violent attacks.    www.nature.com/scientificreports/ Cropping attack analysis. When digital images are transmitted over the network, some data may be lost due to network congestion or malicious attack. When a part of the encrypted image is cropped, the pixel value of the corresponding part is replaced by zero. Figures 15 and 16 show the cropped decryption images with different data loss degrees. Although the decrypted image becomes more blur with the increase of crop area, the image is still visible. Therefore, the proposed image encryption scheme can resist shear attack to some extent.
Noise attack. Other than cropping attack, images are mainly polluted by noise during transmission. For example, pepper and salt noise (SPN), Gaussian noise (GN) and speckle noise (SN), which makes image recovery more difficult. Different noises with a mean value of 0 and variance of 0.006 are added to the encrypted image respectively, and the decrypted images are shown in Fig. 17. Although the quality of decrypted images decreases after affected by noise, the proposed image encryption scheme still resist noise attack to some extent.
Comparison of information entropy. The encryption algorithm proposed in this paper is also applicable to color images. For the color image, it is divided into R, G, B channels where each channel is encrypted