An image encryption algorithm with a plaintext-related quantisation scheme

This paper describes an image encryption algorithm that utilises a plaintext-related quantisation scheme. Various plaintext-related approaches from other algorithms are presented and their properties are briefly discussed. The main advantage of the proposed solution is that it achieves behaviour similar to that of more complex approaches while applying the plaintext-related technique in a rather simple step, quantisation. This design should result in a favourable computational complexity of the whole algorithm. The properties of the proposal are evaluated by a number of commonly used numerical parameters. Also, the statistical properties of a pseudo-random sequence that is quantised according to the plain image pixel intensities are investigated by tests from the NIST 800-22 suite. The obtained results are compared to values reported in related works and they imply that the proposed solution produces encrypted images with comparable statistical properties, but the authors' design is faster and more efficient.


INTRODUCTION
Development of the first encryption algorithms designed specifically for images dates to the second half of the 1990s [1,2]. Since the early approaches exploited representation of digital images and perceived image encryption only as a permutation of pixel intensities and a combination with pseudo-random (PR) sequence, they were viewed as a quick and quite effective tool [2]. However, some design flaws were reported since then and the comparison with conventional encryption schemes such as Advanced Encryption Standard (AES) limited the usage of dedicated image encryption algorithms to certain specific applications. These include mainly applications where a change of data type is not possible such as:
• encryption of images before embedding by means of image steganography [3,4],
• security improvement for medical images [5] and some biometric systems [6],
• performance improvement in some simple biometric systems that do not enable hardware acceleration necessary for more complex encryption schemes [6].
The need for solutions in the mentioned areas helped in the further development of dedicated image encryption approaches. One of their unresolved issues was identified by Solak et al. in 2010 [7] as a relatively weak sensitivity of the image encryption algorithms to small differences in pixel intensities of plain images. It was found out that differential attacks could identify whole steps of some older algorithms or reveal some portions of used key. This problem was later analysed also by Xie et al. in 2017 [8].
Several solutions have been proposed for solving the mentioned sensitivity issue of the image encryption algorithms. The most common approach is to create a dependence between at least one step of the image encryption algorithm and pixel intensities of used plain image. Since various plain images affect the chosen step of image encryption algorithm in a different way, the obtained encrypted images could not be utilised for a successful differential attack. Therefore, these algorithms could be called plaintext-related because of their behaviour.
Majority of the already presented plaintext-related solutions for image encryption could be classified into one of these categories:
• the plain image affects parameters of chaotic map(s),
• the plain image affects element values of generated PR sequences,
• the plain image affects pixel shuffling during confusion stage,
• the plain image affects computation of pixel intensities during diffusion stage.
Several examples of image encryption algorithms are briefly described in Section 2. While some approaches could be easily classified into one of the mentioned categories, other algorithms are more refined. This is also a case for the scheme proposed in this paper which quantises elements of PR sequences according to plain image pixel intensities. Main novelties and advantages of this solution include:
• a custom plaintext-related quantisation technique that should have lower computational complexity than hash functions,
• the quantisation technique able to obtain its input values also from encrypted image without the need of any supplementary information,
• an additional non-linear substitution block that enhances non-linearity even in images with monotonous regions (with small intensity changes).
Since the proposed solution was designed with respect to mentioned applications of dedicated image encryption algorithms, it does not have any major limitations. Plain images that are going to be encrypted could have arbitrary resolution, the colour depths are limited to 8 bits per pixel (greyscale images) or 24 bits per pixel (true-colour images with three colour planes).
The key length is fixed at 128 bits and keys need to be entered in a hexadecimal notation. The proposed image encryption algorithm could be used for all mentioned applications: encryption of images containing secret data in steganographic systems, securing sensitive medical images and improving the performance of simple biometric systems by fast encryption of fingerprints or eye irises.
The rest of this paper is organised as follows: Section 2 provides a survey of solutions dealing with the plain image sensitivity issue. Section 3 briefly describes main ideas of the proposed solution and illustrates steps of the designed algorithm. Section 4 discusses obtained experimental results and compares them to numerical values reported in related works. The final, fifth section concludes the paper with an overview of the proposed image encryption algorithm.

RELATED WORKS
One of the first algorithms that addressed issues reported by Solak et al. was a proposal by Kanso and Ghebleh from 2012 [9]. In this case, the number of iterations of used chaotic map is related to the intensity of currently processed image pixel. However, as the amount of iterations increases with higher pixel intensities, this solution is prone to side-channel attacks.
An image encryption scheme that circularly shifts bits of currently processed pixel intensity was presented by Fu et al. in 2013 [10]. Each circular shift depends on an intensity of previous image pixel which raises a concern as there are only 8 possible shifts (including no shift) controlled by 256 intensities of the previous image pixel. Therefore, multiple intensities lead to same shift.
In 2014, Zhang proposed a solution that establishes dependencies between plain images and algorithm during confusion stage (it rearranges pixel intensities) [11]. In order to secure this solution against chosen plaintext attacks, the confusion stage was surrounded by two diffusion stages (usually there is only one) which significantly raised the computational complexity of whole algorithm.
A scheme presented by Norouzi et al. from 2014 [12] utilised the sum of all pixel intensities during the encryption of the first scanned image pixel. However, in images with two or more pixels, there are multiple ways for computing the same sum of pixel intensities. This flaw and other drawbacks were reported in the same year by Zhang et al. [13].
An approach designed by Murillo-Escobar et al. in 2015 [14] modified an element of generated PR sequence by a value obtained from used plain image. However, in this case the decryption algorithm is unable to compute this value. Therefore, Murillo-Escobar et al. decided to store this value in the encrypted image by the usage of steganography. This solution is not safe and also causes distribution of errors via ciphertext chaining. These drawbacks were analysed and presented by Fan et al. in 2018 [15] who also provided a way to break the mentioned image encryption algorithm.
Some of the most recent plaintext-related image encryption algorithms use plain image hashes as parameters of the chaotic maps. While the obtained numerical results for these solutions seem quite good, the usage of hash functions greatly increases computational complexity of the algorithms. The second issue is a belief that more complex chaotic systems provide better behaviour of whole image encryption algorithm. These issues are evident in proposals by Chai

PROPOSED SOLUTION
The design proposed in this paper takes a different approach for establishing dependencies between pixel intensities of plain images and the image encryption algorithm. Instead of affecting initial value of generated PR sequence(s) or direct usage in confusion or diffusion stage, the plain image intensities are used as parameters for a custom quantisation scheme. This could be perceived as a main novelty of the proposed solution.
Proposed plaintext-related quantisation scheme uses one row of pixel intensities for controlling quantisation of one row of elements from generated PR sequence. The quantised elements are then combined with a row of pixel intensities in the processed image. Since the pixel intensities that control the quantisation are processed prior to pixel intensities that are going to be combined, the decryption algorithm is able to obtain all necessary values. The used row-wise solution that does not use hash functions should also positively affect the speed of the performed operations.
Since speed is considered as a quite important property of the image encryption algorithms [14,16,17,20], the proposed solution uses a trade-off where the more complicated custom quantisation scheme is used only in one block of the proposed encryption algorithm. This block is then followed by other operations (non-linear substitution and a combination with a PR sequence) that should rule out any possibility of a successful attack.
A simplified block scheme of operations done for encryption and decryption by the proposed solution is shown in Figure 1. The operations such as confusion or diffusion done during the decryption are inverse to operations done during the encryption. Block denoted as "image rearrangement and key processing" rearranges images with multiple colour planes to a two-dimensional matrix, divides entered key into portions used by other blocks and finally generates and quantises the PR sequences.

Preliminaries
This subsection describes some techniques that may be unfamiliar to some readers but they are important for understanding how the proposed solution works. Logistic map (LM) is a one-dimensional chaotic map that uses one parameter r ∈ (0; 4) for mapping of a current iterate x n ∈ (0; 1) into a successive iterate x n+1 ∈ (0; 1). LM was popularised mainly by a work of May [21]. An equation of the LM can be expressed as (1): where n = 0, 1, 2, … , N is a sequential number of the iterate and N is a total number of iterates. Computation of the first iterate x 1 requires an initial value x 0 ∈ (0; 1). The sequences generated by the LM use a concept of a transient period, when certain amount of iterates is discarded prior to the generation of iterates used as PR sequence elements. This procedure helps to suppress possibly apparent relations between the first few generated iterates. Usual size of the transient period is 1000 iterates.
Chaotic behaviour of the LM [21,22] can be illustrated by a bifurcation diagram. An example of this diagram for r ∈ (0; 4) together with a detail for r ∈ (3; 4) is shown in Figure 2. The first bifurcation occurs at r ∼ 3 where successive iterates obtain values from one of two trajectories. As the value of r increases, more bifurcations and more possible trajectories are present. The point of r ∼ 3.56995 is known as "an onset of chaos" [22] even though there is a region around r ∼ 3.85 where the amount of trajectories decreases. Therefore, many image encryption algorithms which use LM utilise values of r close to 4.
A quantification of the chaotic behaviour could be done by estimating values of Lyapunov exponents (LEs) [22]. Estimation of LEs assumes a little difference between two initial values x 0 lying on two respective trajectories. In the case that the difference increases with the computation of successive iterates, the LEs are positive ( > 0) and whole system is considered chaotic [22]. The LEs estimated for the LM with x 0 of 0.5 and r ∈ ⟨3; 4) are displayed in Figure 3.
Some of the other drawbacks of the LM such as non-uniform distribution of iterate values, possible relation between pair of successive iterates or occurrence of the fixed points and periodicity were reported in several papers [23,24]. However, all known flaws were suppressed or bypassed by now [20,25].

Quantisation approaches
Because the iterate values of the LM are real numbers ranging from 0 to 1 and pixel intensities are integers from set {0, 1, 2, … , 255}, the data types of these two sets need to be unified. Since operations with integers are considered to be faster, the iterate values need to be quantised, preferably to a set {0, 1, 2, … , 255}. The simplest and most straightforward way can be expressed by (2): where brackets ⌊a⌋ denote rounding to the closest integer number equal to or less than a, M stands for a maximal possible quantised value, x ′ n ∈ {0, 1, 2, … , M } is a sequence of quantised iterates and x n ∈ (0; 1) is a sequence of iterates prior to quantisation.
However, as quantisation by using (2) does not solve the issue of non-uniform iterate distribution [20,25], a more complex quantisation equation (3) was proposed in one of our prior works [25]: where S is a number of the most significant iterate decimal places that are going to be discarded during the quantisation and a (mod b) returns remainder after dividing a by b. Usual values of S are 4 or 5 decimal places which ensure almost uniform distribution of iterate values [20,25]. Higher values of S may result in unnecessary increase of computational complexity. In most implementations, the iterate values are double precision [20]. The effects of decimal place removal during quantisation are illustrated in Figure 4. The combined histogram contains bins of two colours: dark blue (without any removed decimal places, S = 0) and dark red (with 4 removed decimal places, S = 4). Please take note that the visible spikes present for S = 0 at histogram boundaries are suppressed for S = 4. Therefore, the distribution for S = 4 could be considered as more uniform.
The removal of the most significant decimal places in iterate values helps not only to balance the distribution of iterate values but also to suppress any possibility of observing relations between the values of successive iterates [25].
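The effect of discarding decimal places can be reproduced numerically. The following is an added example, not code from the paper: equation (3) is not reproduced on this page, so `quantise` implements one reading of its description (drop the S most significant decimal places, then scale what remains onto {0, …, M}). The parameter r = 3.9999 and all function names are assumptions.

```python
import math

# Critical chi-squared value the paper quotes later for 255 degrees of freedom.
CRITICAL_CHI2 = 293.25


def logistic_sequence(r, count, x0=0.5, transient=1000):
    """Iterate the logistic map x <- r*x*(1-x) and discard the transient period."""
    x = x0
    for _ in range(transient):
        x = r * x * (1.0 - x)
    iterates = []
    for _ in range(count):
        x = r * x * (1.0 - x)
        iterates.append(x)
    return iterates


def quantise(x, M=255, S=0):
    """Assumed reading of (3): remove the S most significant decimal places
    of x, then floor-scale the remainder onto {0..M}. S=0 is plain scaling."""
    shifted = x * 10 ** S
    remainder = shifted - math.floor(shifted)  # digits after the removed places
    return min(int(remainder * (M + 1)), M)


def chi_squared(values, bins=256):
    """Chi-squared distance of the histogram of `values` from a uniform one."""
    histogram = [0] * bins
    for v in values:
        histogram[v] += 1
    expected = len(values) / bins
    return sum((count - expected) ** 2 / expected for count in histogram)


def uniformity_by_S(r=3.9999, count=65536, settings=(0, 4)):
    """Return {S: chi-squared} for the same iterates quantised with each S."""
    iterates = logistic_sequence(r, count)
    return {S: chi_squared([quantise(x, 255, S) for x in iterates])
            for S in settings}


if __name__ == "__main__":
    for S, value in uniformity_by_S().items():
        verdict = "below" if value < CRITICAL_CHI2 else "above"
        print(f"S={S}: chi-squared {value:.1f} ({verdict} {CRITICAL_CHI2})")
```

With S = 0 the boundary spikes of the logistic map dominate the statistic; with S = 4 the histogram is close to flat.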

Encryption algorithm
The encryption algorithm uses a plain image P and a key K as inputs. Plain images can have arbitrary resolution and colour depths of 8 or 24 bits per pixel. The proposed algorithm uses a 128-bit key, entered as a 32-symbol (0-F) hexadecimal string. The resulting encrypted image is stored in a matrix denoted as E.
Step 1: Plain image processing. At first, the height h, width w and number of colour planes num cp of plain image P are obtained. Number of all image pixels num px is acquired simply as num px = h ⋅ w ⋅ num cp . The plain image P is then rearranged to a two-dimensional matrix P ′ by (4). Please take note, that if the plain image P is greyscale, it is only copied to the matrix P ′ . Rearrangement of true-colour images is illustrated in Figure 5.
Step 2: Key processing. Used key K is divided into eight parts denoted as K 1 to K 8 by using (5). Each of these key parts consists of four hexadecimal symbols.
where i = 1, 2, 3, … , 8 is a sequential number of key part and j = 1, 2, 3, 4 is an index of a hexadecimal symbol. The values of K 1 to K 8 are then converted from hexadecimal to decimal notation with usage of a big-endian ordering scheme (the first symbol is the most significant). Obtained values are used for computing eight parameter values r 1 to r 8 by (6): where i = 1, 2, 3, … , 8 is a sequential number of parameter and usage of constants 10 −15 and 4 16 or 2 ⋅ 4 16 ensures that values of odd and even r i are in non-overlapping intervals. This situation enables alternation between odd and even values of r i during generation of PR sequences by the LM (1). The variation of parameter values suppresses possible issues with fixed points or periodicity as both these problems are caused by constant parameter values [24].
Step 3: Generation of PR sequences. The sequences are generated by iterating the LM (1) with an initial value x 0 of 0.5 and a transient period of 1000 iterates for all sequences. During the transient period, all four pairs of parameter values (r 2⋅i−1 , r 2⋅i ), i = 1, 2, 3, 4 are used to create an effect known as key diffusion [26]. Key diffusion ensures that even small differences in one key character would affect all generated sequences and therefore also all key dependent blocks of the image encryption algorithm.
The shifting pattern of parameter values and other details of the generated PR sequences are explained in Table 1. The first parameter value of each pair is used for the computation of iterates with odd sequential numbers (n = 1, 3, 5, … ) and the second parameter value of each pair is utilised for calculating iterates with even sequential numbers (n = 2, 4, 6, … ).
Step 4: Quantisation of PR sequences. The quantisation of generated sequence elements belonging to an interval (0; 1) into a set {0, 1, 2, … , M }, where M is the maximal possible quantised value is done by applying (3). Used values of parameters M and S are included in Table 2. The quantised sequences that are computed from sequences seq 1 to seq 6 are distinguished by the usage of an apostrophe: they are denoted as seq ′ 1 to seq ′ 6 .
Step 5: Processing of the first PR sequence. Only elements of seq ′ 1 are quantised according to used plain image due to higher computational complexity of this step. The 65,536 possible element values (the first one is 0) after Step 4 can be represented by 16 bits.
Firstly, two sequences are created from element values of seq ′ 1 . The first sequence seq ′ M is obtained from the first eight most significant bits of elements while the second sequence seq ′ L takes values of eight remaining (less significant) bits of elements. This step could be mathematically expressed as (7): where n = 1, 2, 3, … , num px is an element sequential number.
Step 6: Combination with a quantised plaintext-related matrix. Since sequences seq ′ M and seq ′ L represented by row vectors are going to be combined with rearranged plain image P ′ that is a matrix, it is useful to convert the two vectors into two matrices. The resulting matrices seq ′ Mm and seq ′ Lm have h rows and w ext columns and use row-first scanning pattern demonstrated in Figure 6 for storing values obtained from the vectors. The combination of plain image and acquired matrices depends on plain image pixel intensities. It is done as a rowwise operation that takes whole rows of rearranged plain image P ′ and whole rows of matrices seq ′ Mm and seq ′ Lm as inputs. The outputs are rows of modified pixel intensities and they are inserted to matrix P ′ . The whole operation could be expressed by a set of equations (8): where auxiliary matrices A i , i = 1, 2, 3 are used only for better clarity; the algorithm computes all four equations at once. Index l − 1 denotes the previously scanned row, the first row (l = 1) uses the bottom row (l − 1 = h) as previously scanned. The symbol ∶ is a substitution for all image pixels or sequence elements in a row and operators ∧ and ⊕ denote operations of binary AND and binary XOR (eXclusive OR) [27]. The constant of 255 in second equation is used for computing negation of P ′ (l − 1, ∶).
The whole point of operations done by (8) is that the combination of elements of seq ′ Mm and seq ′ Lm depends on previously scanned row of rearranged plain image pixel intensities. If quantisation approach (3) with S = 4 would be used, the quantised PR sequence would look like seq ′ M . However, as some of the less significant bits from seq ′ L might be used, the whole quantisation step could be viewed as non-linear.
An example of computation of six intensities in one row of P ′ after the plaintext-related quantisation step is illustrated in Table 3.
Step 7: Preparation of a substitution table. In order to suppress any indications of linearity in particular types of images (e.g. monotonous images with small intensity changes) after Step 6, the pixel intensities of the matrix with processed image P ′ are going to be substituted by values from a substitution table. This table is represented by a matrix ST with 16 rows and 16 columns. At first, the matrix ST is filled by a sequence {0, 1, 2, … , 255} using the row-first scanning pattern demonstrated in Figure 6.
Then the matrix elements are shuffled using two sets of circular shifts. The first set of shifts is done in each of the 16 columns of matrix ST . Shift sizes are determined by elements of sequence seq ′ 2 . The other set of shifts rearranges each of the 16 rows of the matrix and the size of shifts is controlled by sequence seq ′ 3 . Both sets of shifts move rearranged elements to the side with increasing coordinate: the first set moves elements to the bottom while the second set moves elements to the right side of the matrix. The whole process of substitution table rearrangement is shown in Figure 7.
The substitution table ST is then rearranged to a row vector ST v by the usage of row-first scanning pattern (see Figure 6).
Step 8: Non-linear substitution. Pixel intensities of matrix P ′ are substituted by (9): where l = 1, 2, 3, … , h and k = 1, 2, 3, … , w ext are height and width indices and h and w ext are height and width of matrix P ′ .
Step 9: Two directional confusion. Image encryption algorithms use a confusion stage for suppressing correlation between adjacent image pixel intensities [2]. The proposed solution utilises two circular shifts for rearranging pixel intensities in a similar fashion as it was done in Step 7 (see example in Figure 7). The first set of shifts is done in individual columns of matrix P ′ (∶, k), k = 1, 2, 3, … , w ext . The size of shifts is set by elements of sequence seq ′ 4 . The second set of shifts is carried out in rows of matrix P ′ (l , ∶), l = 1, 2, 3, … , h with shift sizes given by elements of sequence seq ′ 5 . Circular shifts done in the confusion stage could be expressed mathematically by a set of equations (10): where A 4 and A 5 are auxiliary matrices used only for better clarity of the notation, l = 1, 2, 3, … , h and k = 1, 2, 3, … , w ext denote row and column indices, h and w ext stand for height and width of matrix P ′ and symbol ∶ denotes all image pixels either ∈ ∈

FIGURE 7
An example of proposed matrix element shuffling technique in a row with an index l or in a column k.
where l = 1, 2, 3, … , h and k = 1, 2, 3, … , w ext are row and column indices, h and w ext denote height and width of matrix P ′ . If the computed row index is 0 or h + 1, values of h and 1 are used. When the computed column index is 0 or w ext + 1, values of w ext or 1 are utilised.
Step 10: Four directional diffusion. The diffusion stage introduces dependencies between intensities of the rearranged pixel intensities [2]. In the case of the proposed solution, the pixel intensities in the matrix P ′ are processed in four steps. Each step scans matrix elements in a different direction, beginning with top to bottom, continuing with left to right and bottom to top and finishing with right to left. This procedure is important for the propagation of the difference between similar plain images. The worst scenario for the proposed solution (the difference between two plain images marked by orange spot is located at bottom right corner) is shown in Figure 8. However, also in this case the different matrix elements affect all matrix elements after the final step of diffusion stage.
The four steps of diffusion procedure could be given as a set of equations (11). Please bear in mind that each equation uses both rows or columns that are going to be scanned (with incremented index) and also rows or columns that were already scanned (with decremented index). This bidirectional approach spreads the differences during both encryption and decryption.
The equations from set (11) use two mathematical operations in order to distinguish two vectors: one operation (modulo 256 addition) for a vector that was already scanned and the second one (combination by means of XOR) for vector that is going to be scanned.
Step 11: Combination with a PR matrix. This step increases the difficulty of all potential attacks as attackers need to crack this step before they could analyse any other steps. The combination uses sequence seq ′ 6 which is rearranged to a matrix seq ′ 6m using the row-first scanning pattern (see Figure 6). Then the combination is carried out by (12): where l = 1, 2, 3, … , h and k = 1, 2, 3, … , w ext are height and width indices.
Step 12: Encrypted image processing. At this point, the matrix P ′ represents encrypted image. However, it needs to be rearranged from matrix representation to an image with one or three colour planes. A procedure that is inverse to (4) can be expressed as (13): where num cp stands for number of colour planes.
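Steps 7 to 9 reuse one shuffling primitive: circular shifts of columns towards the bottom followed by circular shifts of rows towards the right. The following is an added example, not the authors' code, that builds the substitution vector, applies the substitution and the two-directional confusion, and inverts both by reversing the order and negating the shifts. Equations (9) and (10) are not reproduced on this page, so the lookup form `st_v[p]` is an assumption, and the shift values standing in for seq′2 to seq′5 and the 4×6 image are constructed sample data.

```python
def shift_columns(matrix, shifts):
    """Circularly shift column k towards the bottom by shifts[k] (negative = up)."""
    h, w = len(matrix), len(matrix[0])
    out = [[0] * w for _ in range(h)]
    for l in range(h):
        for k in range(w):
            out[(l + shifts[k]) % h][k] = matrix[l][k]
    return out


def shift_rows(matrix, shifts):
    """Circularly shift row l towards the right by shifts[l] (negative = left)."""
    w = len(matrix[0])
    return [[row[(k - shifts[l]) % w] for k in range(w)]
            for l, row in enumerate(matrix)]


def shuffle(matrix, col_shifts, row_shifts):
    """Column shifts first, then row shifts (order used in Steps 7 and 9)."""
    return shift_rows(shift_columns(matrix, col_shifts), row_shifts)


def unshuffle(matrix, col_shifts, row_shifts):
    """Inverse: reversed order, every shift multiplied by -1."""
    rows_back = shift_rows(matrix, [-s for s in row_shifts])
    return shift_columns(rows_back, [-s for s in col_shifts])


def substitution_vector(seq2, seq3):
    """Step 7: fill a 16x16 table row-first with 0..255, shuffle it, flatten it."""
    table = [[16 * l + k for k in range(16)] for l in range(16)]
    return [v for row in shuffle(table, seq2, seq3) for v in row]


def substitute(image, st_v):
    """Step 8 (assumed form): each intensity p is replaced by st_v[p]."""
    return [[st_v[p] for p in row] for row in image]


def inverse_substitute(image, st_v):
    """Map each table value back to its position in the vector."""
    inverse = [0] * 256
    for position, value in enumerate(st_v):
        inverse[value] = position
    return [[inverse[p] for p in row] for row in image]


# Constructed sample data standing in for seq'2..seq'5 and a monotonous image.
SEQ2 = [3, 14, 7, 0, 9, 12, 5, 1, 15, 8, 2, 11, 6, 13, 4, 10]
SEQ3 = [5, 2, 11, 8, 13, 0, 7, 14, 1, 10, 3, 12, 9, 6, 15, 4]
SEQ4 = [1, 3, 0, 2, 5, 7]   # one shift per image column
SEQ5 = [4, 1, 9, 2]         # one shift per image row
IMAGE = [[100, 100, 101, 101, 102, 102] for _ in range(4)]


def forward(image):
    """Steps 7-9: substitution followed by two-directional confusion."""
    st_v = substitution_vector(SEQ2, SEQ3)
    return shuffle(substitute(image, st_v), SEQ4, SEQ5)


def backward(image):
    """Inverse confusion followed by inverse substitution."""
    st_v = substitution_vector(SEQ2, SEQ3)
    return inverse_substitute(unshuffle(image, SEQ4, SEQ5), st_v)


if __name__ == "__main__":
    processed = forward(IMAGE)
    print(processed[0])
    print(backward(processed) == IMAGE)
```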

Decryption algorithm
The steps of decryption algorithm are analogous to the steps done during encryption. At first, Steps 1-4 are carried out. Then Step 11 is done, followed by an inverse of Step 10. The inverse version of this step means that the equations are computed in reversed order, starting with the last one from (11) and continuing to the first one. Also, the sign between two expressions used for the modulo operation changes from "+" to "−". The last difference for Step 10 is the reversal of the indices as l begins with h, h − 1, h − 2 and ends with 1. Similarly, values of k go from w ext , w ext − 1, w ext − 2 to 1. After inverse diffusion stage, the decryption algorithm continues with inverse confusion stage. In this case the order of equations in the set (10) is reversed and elements of sequences seq ′ 4 and seq ′ 5 are multiplied by a factor of −1. Then, the substitution table is prepared by Step 7 and inverse substitution maps coordinates of table elements to pixel intensities in Step 8. After that, Step 5 takes place. Since the row of pixel intensities with coordinate l = h − 1 contains the same values as those used by encryption algorithm for operations with the last row of intensities (l = h), the decryption algorithm is able to utilise the second to last row of pixel intensities for operations done with the last row of pixel intensities. The computations by (8) are carried out by similar fashion, only coordinate l has reversed elements, ranging from h, h − 1, h − 2 to 1.
The result after combination with the sequence quantised according to a plain image is the decrypted image stored in a matrix D. With usage of the same key for both encryption and decryption, the decrypted image is identical to plain image (D = P).
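The row ordering that lets decryption recover the controlling row of Step 6 can be checked on a small matrix. The following is an added example, not the authors' code: the equations of set (8) are not reproduced on this page, so the bitwise select in `select_row` is an assumed form consistent with the description (AND with the previous row, AND with its negation 255 − P′, XOR of both parts). The 16-bit values standing in for seq′1 and the 3×4 image are constructed sample data.

```python
def split_bytes(seq1):
    """Step 5: split 16-bit elements into most and least significant bytes."""
    return [v >> 8 for v in seq1], [v & 0xFF for v in seq1]


def to_matrix(vector, h, w):
    """Row-first rearrangement of a vector into an h x w matrix."""
    return [vector[l * w:(l + 1) * w] for l in range(h)]


def select_row(prev_row, m_row, l_row):
    """Assumed form of A1..A3: each bit comes from seq'M where the previous
    row has a 1 and from seq'L where it has a 0."""
    return [(m & p) ^ (lo & (255 - p))
            for p, m, lo in zip(prev_row, m_row, l_row)]


def _key_matrices(seq1, h, w):
    msb, lsb = split_bytes(seq1)
    return to_matrix(msb, h, w), to_matrix(lsb, h, w)


def step6_encrypt(image, seq1):
    """Process rows top to bottom. Row 1 is controlled by the still unmodified
    bottom row, every other row by the already modified row above it."""
    h, w = len(image), len(image[0])
    if h < 2:
        raise ValueError("the row-wise scheme needs at least two rows")
    m_mat, l_mat = _key_matrices(seq1, h, w)
    out = [row[:] for row in image]
    a3_rows = []
    for l in range(h):
        a3 = select_row(out[l - 1], m_mat[l], l_mat[l])  # out[-1] is the bottom row
        a3_rows.append(a3)
        out[l] = [p ^ a for p, a in zip(out[l], a3)]
    return out, a3_rows


def step6_decrypt(image, seq1):
    """Process rows bottom to top. The row above is still in the state the
    encryption saw; the top row is handled last, when the bottom row is
    already back to its plain values."""
    h, w = len(image), len(image[0])
    if h < 2:
        raise ValueError("the row-wise scheme needs at least two rows")
    m_mat, l_mat = _key_matrices(seq1, h, w)
    out = [row[:] for row in image]
    for l in range(h - 1, -1, -1):
        a3 = select_row(out[l - 1], m_mat[l], l_mat[l])
        out[l] = [p ^ a for p, a in zip(out[l], a3)]
    return out


# Constructed sample data: a stand-in for seq'1 and a 3x4 greyscale image.
SEQ1 = [(n * 40503 + 12345) % 65536 for n in range(12)]
PLAIN = [[12, 200, 37, 255], [0, 91, 128, 64], [77, 3, 250, 19]]

if __name__ == "__main__":
    encrypted, a3 = step6_encrypt(PLAIN, SEQ1)
    print(encrypted)
    print(step6_decrypt(encrypted, SEQ1) == PLAIN)
```

For a zero intensity image the first row of A3 equals the least significant bytes of seq′1, while an all-255 image selects the most significant bytes, so the same key produces different quantised sequences for different plain images.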

EXPERIMENTAL RESULTS
All experiments done with the proposed image encryption algorithm were performed on a PC with 2.5 GHz CPU, 12 gigabytes of RAM running MATLAB R2015a on Windows 10 OS. Used set of experimental keys is presented in Table 4. Key K 1 contains the first 128 bits of binary expansion of number . Please take note that the highlighted difference between keys K 1 and K 2 is present only in one hexadecimal symbol with the smallest possible amplitude. A set of experimental images chosen from USC-SIPI database [28] is shown in Figure 9. The first three rows of images represent plain images. Results of encryption with various keys are illustrated in the last row. Parameters of the plain images are described in Table 5.  Figure 10. This example points out that even monotonous regions of plain images are turned in more detailed areas by the encryption, even with not complex keys.

FIGURE 10
Magnified region of a processed image

Key space size
As the proposed image encryption algorithm uses 128 bit long keys, the size of whole key space could be expressed as 2^128. The brute-force attack on a greyscale image with a resolution of 512×512 pixels would take approximately 1.3488 × 10^30 years as decryption with one key requires approximately 125 ms (see Section 4.6 for details).

Sensitivity to used key
An example of key sensitivity of the proposed image encryption algorithm is shown in Figure 11. At first, plain image lena was encrypted with key K 1 . Then it was decrypted twice, one time by correct key K 1 , then by a slightly different key K 2 . While the image decrypted with correct key is identical to plain image lena, the image decrypted with incorrect key does not provide any information about content or scene of the plain image.

Statistical properties of the sequence quantised according to a plain image
Since one of the generated PR sequences is quantised with respect to pixel intensities of used plain image, it may be interesting to investigate the statistical properties of this PR sequence. Therefore, an NIST 800-22 test suite [29] used for choosing AES candidates was selected to evaluate properties of matrix A 3 from (8). Mentioned matrix is later combined with processed image P ′ in Step 6 of the encryption algorithm (see Section 3.2 for details).
NIST recommends at least 10^8 bits of input data for obtaining plausible test results [29]. The input data is represented by 100 binary sequences, each of them is 10^6 bits long. These sequences are filled by elements of matrix A 3 from (8) that was computed during encryption of a zero intensity image with key K 3 . The intensities of all image pixels in zero intensity images are equal to 0.
Elements of matrix A 3 are scanned by the row-first pattern (Figure 6) and then they are decomposed to eight bits using the big-endian ordering scheme. In order to provide big enough data sample, the zero intensity image has a resolution of 3840×2160 pixels and colour depth of 24 bits per pixel. Testing sequences use the first 10^8 scanned bits from computed matrix A 3 .
The results of performed statistical tests are included in Table 6. Required pass rates and default values of additional parameters such as block sizes are discussed in [29].
The obtained results presented in Table 6 show that even in the case of the zero intensity plain image and zero key (K 3 ), the resulting PR sequence quantised according to the plain image has appropriate statistical parameters by means of the NIST 800-22 test suite. Therefore, any concerns about suitability of the proposed plaintext-related quantisation scheme are not confirmed.

Robustness against statistical attacks
Robustness of the proposed image encryption algorithm against statistical attacks can be evaluated by several measures. First of all, encryption should suppress significant peaks present in the histogram of a plain image. This test was performed with the plain image lenaG and encryption was done with key K_1. The resulting combined histogram of the images before and after encryption is shown in Figure 12. Statistical data presented in histograms can be expressed by two measures. The first one, histogram variance var, expresses differences between individual bin values for each colour plane (14): where L is the colour depth of the analysed colour plane and i and j denote bin indices of histogram hg. Since the histograms of  [30]. The second measure used for the interpretation of histogram data is the value χ² obtained from the chi-squared test. This test computes the difference between the actual distribution of pixel intensities and the expected one [31,32]. The value of χ² can be calculated by (15): where hg_e is the expected value of histogram bins and h and w stand for the height and width of the analysed colour plane. Lower values of χ² are favourable as they point to a more uniform distribution of pixel intensities in histograms. Also, there are some critical values of χ² that confirm the hypothesis that the histogram distribution is uniform. These depend on the significance level used and the number of degrees of freedom n_df (255 for colour planes with 8 bit colour depth). The critical value of χ² for the commonly used significance level of 0.05 and n_df = 255 is equal to 293.25 [32].
The resulting values of histogram variance var and χ² obtained for the set of experimental images are included in columns 4 and 5 of Table 7. Letters R, G and B indicate the red, green or blue colour plane of the image used. Symbol "-" denotes greyscale images or plain images that were not encrypted.
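The two histogram measures can be computed as in the following added example, which is not code from the paper. It assumes the pairwise form of the histogram variance (mean of (hg_i − hg_j)²/2 over all bin pairs) and the usual chi-squared sum with hg_e = h·w/2^L; the three test planes and all function names are constructed for illustration.

```python
import random

CHI2_CRITICAL = 293.25  # value quoted on the page: significance 0.05, n_df = 255

def histogram(plane, depth=8):
    """Bin counts hg for a colour plane given as a flat list of intensities."""
    hg = [0] * (2 ** depth)
    for value in plane:
        hg[value] += 1
    return hg

def histogram_variance(hg):
    """Assumed pairwise form: mean over all bin pairs (i, j) of (hg_i - hg_j)^2 / 2."""
    bins = len(hg)
    return sum((a - b) ** 2 for a in hg for b in hg) / (2 * bins * bins)

def chi_squared(hg):
    """Sum over bins of (hg_i - hg_e)^2 / hg_e with hg_e = h * w / 2^L."""
    expected = sum(hg) / len(hg)
    return sum((count - expected) ** 2 / expected for count in hg)

def passes_uniformity(plane):
    """True when chi-squared of an 8 bit plane stays below the critical value."""
    return chi_squared(histogram(plane, 8)) < CHI2_CRITICAL

# Constructed 256 x 256 test planes (not the paper's images):
SIDE = 256
# smooth ramp standing in for a plain image; (x + y) % 256 would be perfectly flat
PLAIN = [(x + y) // 2 for y in range(SIDE) for x in range(SIDE)]
# seeded PRNG output standing in for an encrypted plane
_rng = random.Random(2024)
CIPHER_LIKE = [_rng.randrange(256) for _ in range(SIDE * SIDE)]
# 7 bit output: half of the bins stay empty, a defect the test must flag
BIASED = [v & 0x7F for v in CIPHER_LIKE]

if __name__ == "__main__":
    for name, plane in (("plain", PLAIN), ("cipher-like", CIPHER_LIKE), ("biased", BIASED)):
        hg = histogram(plane)
        print(f"{name:12s} var={histogram_variance(hg):12.2f} "
              f"chi2={chi_squared(hg):12.2f} uniform={passes_uniformity(plane)}")
```

Under these definitions the two measures carry the same information, since χ² equals the number of bins times var divided by hg_e; the chi-squared form is the one that can be compared against a critical value.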
Please take note that the usage of the proposed image encryption algorithm resulted in a nearly uniform distribution of values among histogram bins. Also, the encryption significantly decreases the values of histogram variance var and χ². All values of χ² for encrypted images are lower than the critical value of 293.25 for a significance level of 0.05 and n_df = 255. Therefore, the possibility of a successful statistical attack could be considered as significantly suppressed. Secondly, the statistical properties of encrypted images can be investigated by correlation diagrams. These diagrams use a certain number of randomly chosen adjacent image pixel intensities. The usual number of pixel intensity pairs is 1000. The pixel intensities in a pair are adjacent either in horizontal, vertical or diagonal direction. Then, the two pixel intensities in a pair are used as two coordinates of a plotted point in the correlation diagram.
An example of two correlation diagrams for plain image lenaG and its version encrypted with key K_1 are shown in While the first diagram shows that pixel intensity pairs in the plain image are quite correlated (the points are located around line y = x), the second diagram has a more uniform distribution of points. This means that the encryption helps to decrease correlation between adjacent image pixel intensities.
Thirdly, there are some numerical parameters that reflect robustness against statistical attacks. The correlation coefficients are computed for a certain number of intensities of horizontally ( h ), vertically ( v ) or diagonally ( d ) adjacent pixel pairs. Usually, 1000 randomly chosen pairs of adjacent pixel intensities are used. The correlation coefficients are calculated separately for each colour plane of the investigated image by (16): where cov(a, b) represents covariance of sequences a and b, (a) is a standard deviation of sequence a, pp = 1, 2, 3, … , num_pp is an index of a pixel pair, num_pp stands for the number of pixel pairs, sequences in_1 and in_2 contain pixel intensities from pixel pairs and a denotes arithmetic mean of sequence a.
Ideal values of correlation coefficients for encrypted images are close to 0. Plain images have values close to 1, which means that their pixel intensities are rather closely correlated.
Another parameter that is utilised for evaluating the robustness against statistical attacks is called entropy H. Entropy is computed for individual colour planes of images by (17): where in denotes the intensity of image pixels, L stands for the colour depth of the analysed colour plane and p(in) represents the probability of occurrence for a pixel with intensity in. The theoretical boundary of entropy for images is the same as the colour depth used. In this case, the investigated image could be considered as a source of random information. Practical values of entropy for encrypted images are close to their colour depth.
Obtained values of correlation coefficients and entropy H are included in columns 4 to 7 of Table 8. Correlation coefficients were computed from 1000 randomly chosen pairs of adjacent pixel intensities. Characters R, G and B stand for red, green or blue colour plane of images. The symbol "-" is used either for greyscale images (they have only one colour plane) or plain images that were not encrypted.
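The correlation coefficients and the entropy described above can be computed as in this added example, which is not the paper's code. It uses the covariance over standard deviations form and Shannon entropy in bits; the three planes (a ramp, seeded PRNG output and the zero intensity image) and all names are constructed for illustration.

```python
import math
import random

STEP = {"h": (0, 1), "v": (1, 0), "d": (1, 1)}  # (row, column) offset of the neighbour

def adjacent_pairs(plane, direction, count=1000, seed=0):
    """Draw `count` random pixel pairs adjacent horizontally, vertically or diagonally."""
    dr, dc = STEP[direction]
    rows, cols = len(plane), len(plane[0])
    rng = random.Random(seed)
    pairs = []
    for _ in range(count):
        r, c = rng.randrange(rows - dr), rng.randrange(cols - dc)
        pairs.append((plane[r][c], plane[r + dr][c + dc]))
    return pairs

def correlation(pairs):
    """cov(a, b) divided by the product of the standard deviations of a and b."""
    n = len(pairs)
    mean_a = sum(a for a, _ in pairs) / n
    mean_b = sum(b for _, b in pairs) / n
    cov = sum((a - mean_a) * (b - mean_b) for a, b in pairs) / n
    var_a = sum((a - mean_a) ** 2 for a, _ in pairs) / n
    var_b = sum((b - mean_b) ** 2 for _, b in pairs) / n
    if var_a == 0 or var_b == 0:
        return math.nan  # constant plane (e.g. zero intensity image): undefined
    return cov / math.sqrt(var_a * var_b)

def entropy(plane, depth=8):
    """-sum p(in) * log2 p(in) over the intensities that occur; the bound is `depth` bits."""
    flat = [value for row in plane for value in row]
    counts = [0] * (2 ** depth)
    for value in flat:
        counts[value] += 1
    return -sum(c / len(flat) * math.log2(c / len(flat)) for c in counts if c)

# Constructed 128 x 128 planes (not the paper's images)
SIDE = 128
PLAIN = [[x + y for x in range(SIDE)] for y in range(SIDE)]   # smooth ramp
_rng = random.Random(7)
CIPHER_LIKE = [[_rng.randrange(256) for _ in range(SIDE)] for _ in range(SIDE)]
ZERO = [[0] * SIDE for _ in range(SIDE)]                      # zero intensity image

def report(plane):
    """Coefficients for the h, v, d directions followed by the entropy."""
    return [correlation(adjacent_pairs(plane, d)) for d in "hvd"] + [entropy(plane)]
```

A finite plane of uniformly random 8 bit values stays slightly below 8 bits of entropy, so values such as 7.99 for an encrypted image are what the measure is expected to show.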

Robustness against differential attacks
The point of differential attacks is a comparison of encrypted images that were obtained by encryption of similar plain images with the same key. The best practice is the usage of two plain images P_1 and P_2 that differ only in the intensity of one image pixel (in one colour plane) by one intensity level. In this case, the resulting encrypted images can be denoted simply as E_1 and E_2.
There are two commonly used measures that evaluate the robustness against differential attacks. The first one, Number of Pixel Change Ratio (NPCR), sums up the number of pixels that have different intensities in a pair of corresponding colour planes of encrypted images E_1 and E_2. NPCR is computed separately for each colour plane of an encrypted image by (18): where h and w stand for colour plane height and width, l = 1, 2, 3, … , h and k = 1, 2, 3, … , w are height and width indices, Diffm is a difference matrix and E_1 and E_2 stand for respective colour planes of two encrypted images. The second parameter, Unified Average Changing Intensity (UACI), operates with intensities of differences between colour planes of the encrypted images. UACI is calculated for individual colour planes by (19): where L denotes the colour depth of the investigated colour plane. Values of NPCR and UACI obtained by (18) and (19) are affected by the location of the pixel with modified intensity and also by the direction of the change (the intensity could be decremented or incremented). In order to suppress significantly good or bad values, a set of repeated measurements with various locations of changed intensity and different directions of intensity change is used for the calculation of an arithmetic mean. The means presented as final NPCR and UACI values are usually computed from a set of 100 measurements. Since the mentioned expected values are valid for a significance level of 0.001, the resulting confidence level for resistance against differential attacks is 100 ⋅ (1 − 0.001) = 99.9 % [33].
Calculated values of NPCR and UACI are presented in columns 8 and 9 of Table 8. The presented values are arithmetic means of 100 repeated measurements. Letters R, G and B indicate red, green or blue colour plane of used image. Symbol "-" denotes greyscale images or plain images that were not encrypted.
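The measurement procedure described above (one pixel changed by one level, averaged over 100 positions and directions) looks as follows in an added example that is not the paper's code. The two ciphers are constructed stand-ins, not the proposed algorithm: one without any dependence between pixels and one with simple output chaining, chosen to show how the scores react to missing or weak diffusion.

```python
import random

def npcr_uaci(e1, e2, depth=8):
    """NPCR and UACI in percent for two equally sized planes (flat intensity lists)."""
    n = len(e1)
    changed = sum(a != b for a, b in zip(e1, e2))
    intensity = sum(abs(a - b) for a, b in zip(e1, e2)) / (2 ** depth - 1)
    return 100.0 * changed / n, 100.0 * intensity / n

def stream_only(plane, key):
    """Constructed stand-in: keystream XOR, no dependence on other pixels."""
    rng = random.Random(key)
    return [p ^ rng.randrange(256) for p in plane]

def chained(plane, key):
    """Constructed stand-in: each output also depends on the previous output."""
    rng = random.Random(key)
    out, prev = [], 0
    for p in plane:
        prev = (p + rng.randrange(256) + prev) % 256
        out.append(prev)
    return out

def mean_scores(cipher, plane, key, runs=100, seed=1):
    """Arithmetic mean of NPCR and UACI over `runs` one-level changes of one pixel."""
    rng = random.Random(seed)
    reference = cipher(plane, key)
    sum_npcr = sum_uaci = 0.0
    for _ in range(runs):
        pos, step = rng.randrange(len(plane)), rng.choice((1, -1))
        if not 0 <= plane[pos] + step <= 255:
            step = -step          # keep the modified intensity inside the 8 bit range
        modified = list(plane)
        modified[pos] += step
        npcr, uaci = npcr_uaci(reference, cipher(modified, key))
        sum_npcr += npcr
        sum_uaci += uaci
    return sum_npcr / runs, sum_uaci / runs

def random_plane(seed, size=64 * 64):
    """Seeded uniform 8 bit plane, used as an idealised encrypted plane."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(size)]

PLAIN = [(x + y) % 256 for y in range(64) for x in range(64)]   # constructed 64 x 64 ramp
```

The stream-only stand-in changes exactly one output pixel per run, and the chained one changes every pixel after the modified position but only by one level, so NPCR depends on the position and UACI stays far below the roughly 99.61 % and 33.46 % that two independent uniform 8 bit planes give.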

Measurement of computational complexity
The computational complexity of image encryption algorithms can be evaluated via several measures. The first one is a measurement of the time necessary for an operation with an image (the operation being either encryption or decryption). In the rest of this paper, these times are denoted as t_enc and t_dec. The presented values are arithmetic means of a set of 100 repeated measurements with the same key in order to decrease the impact of some faster or slower measurements.
The encryption times t_enc and decryption times t_dec do not take parameters of the image used, such as resolution or colour depth, into consideration. Therefore, encryption speed v_enc and decryption speed v_dec are computed from t_enc or t_dec via (20): where h, w and num_cp stand for image height, width and number of its colour planes, a constant of 2^20 represents the number of bytes in a megabyte and t_oper is the time necessary either for one encryption (t_enc) or one decryption (t_dec). The t_oper is measured in seconds.
Since the PCs used for testing of image encryption algorithms have different hardware components, the configuration of the PC used can be taken into account by calculating the number of CPU cycles necessary for one operation cyc_oper by (21): where f_CPU represents CPU frequency. Please take note that the number of CPU cores is not considered as the computational environment used (MATLAB R2015a) utilises only one CPU core. Obtained encryption and decryption times t_enc, t_dec, encryption and decryption speeds v_enc, v_dec and the number of CPU cycles necessary for encryption and decryption of one image byte cyc_enc, cyc_dec are included in Table 9. The encryption and decryption times t_enc, t_dec are arithmetic means of a set of 100 repeated measurements.
The computational complexity can also be expressed in big O notation. Encryption of an image with num_px pixels with the proposed algorithm takes approximately O(36 ⋅ num_px) operations. In this case, the most complex operation is division [34]. Comparison of computational complexity by means of big O values could be tricky since many papers do not report exact values or they do not report them at all. Generally speaking, the complexity of many image encryption algorithms is linear (the order of complexity is O(n)) and it rises with the number of processed image pixels. This was also reported in some of the referenced papers [25,30].

Discussion
Numerical values presented in Tables 8 and 9 point to several conclusions. First of all, the usage of encryption decreases values of correlation coefficients. Also, their values for individual images are similar, therefore the usage of different keys does not have a significant impact on statistical properties of the resulting encrypted images. Furthermore, correlation coefficients are also similar for all four testing images. These results illustrate that the proposed image encryption algorithm obtains balanced results for various plain images. Achieved values of entropy H show that the encrypted images could be considered more random than the plain images. The values for encrypted images are also much closer to the theoretical bound of 8 bits per image pixel.
The presented values of NPCR and UACI fulfil the condition of expected values set by the paper of Wu et al. [33]. The differences between values obtained with usage of various keys or different plain images are rather small. Also, the results do not show any pattern: there is not a case where one of the colour planes achieves the best score for all three keys.
Encryption and decryption times t_enc, t_dec are consistent across different plain images with identical parameters (resolution and colour depth) and various keys. One of the significant differences can be found between the duration of encryption and decryption. This situation is caused by a more complex approach for non-linear substitution during the encryption. As the decryption algorithm has the element index already loaded when it obtains the substituted pixel intensity, the decryption is a bit faster than encryption.
The second difference is more visible by comparing the values of encryption and decryption speeds v_enc, v_dec and corresponding numbers of CPU cycles cyc_enc, cyc_dec. Presented results show that the speeds are decreasing for larger images. This is caused by rather complex PR generation and quantisation procedures. The techniques used suppress the flaws of LM but on the other hand they take more time than all other steps of the whole algorithm. Therefore, generation and quantisation of longer PR sequences for larger images would decrease the speed of the proposed image encryption algorithm.

Comparison with similar approaches
This section compares obtained numerical parameters for the proposed image encryption algorithm with values reported in other papers [9-11, 14, 16-18]. The comparison presented in Table 10 was done with plain images lena and lenaG since they were also used by the majority of similar algorithms. Values for true-colour image lena represent only its red colour plane as some papers did not provide data for other colour planes. The proposed solution used key K_1 for all calculations. Correlation coefficients favour the proposed solution for both true-colour and greyscale images. Some approaches (e.g. [18]) reported almost similar results; however, the combinations of are more balanced for the proposed solution.
Our proposal also records the highest values for entropy H. While the values reported by [9,14] for the red colour plane of true-colour image lena are significantly lower, the values for greyscale image lenaG achieved by [11,16,18] are close to the proposed solution.
Presented values of NPCR and UACI could be perceived as a weakness of the described solution. While they are higher than the expected values [33], they are not as good as the values reported in other papers. Properties of the proposed solution regarding differential attacks could be improved by the addition of some blocks, for example, the combination with more PR sequences or more complex diffusion stage. However, ideas like these could raise computational complexity and lead to a solution with less balanced performance.
Another advantage of the proposed solution is rather small number of CPU cycles necessary for operations with one byte of image data. Only one algorithm [14] reported better result; however, it was already broken [15] mainly due to its simplicity. Furthermore, the second fastest solution for greyscale images [18] uses approximately 4 times more CPU cycles for encryption than the proposed algorithm.

CONCLUSION
This paper described an image encryption algorithm that utilises a plaintext-related quantisation scheme for the processing of one PR sequence. The main novelty of the proposed solution is the mentioned quantisation scheme, which could be perceived as a two step procedure. While the first step suppresses known drawbacks of the LM that generates elements of PR sequences, the second step computes final element values with respect to previously processed pixel intensities. This solution enables decryption without any additional information. Also, due to the processing of whole rows of pixel intensities at once, the proposed solution is quite efficient. Furthermore, the properties of the described solution were evaluated by commonly used numerical parameters with some well known testing images. Obtained results were then compared with the values reported for some other algorithms that also use plaintext-related designs. While numerical results show that our proposal is not as robust against differential attacks as some other algorithms, it still reaches expected values of the parameters used. The robustness against statistical attacks is, by means of numerical values, the highest among reported results.
The partial conclusions presented in this paper imply that the usage of a plaintext-related technique during the quantisation stage results in the same behaviour as is achieved by applying plaintext-related approaches in other stages, and the whole image encryption algorithm remains effective. Since the utilisation of a plaintext-related solution in some complex stages such as diffusion could negatively affect the computational complexity of the whole image encryption algorithm, we would like to investigate the possibilities of introducing plaintext-related techniques to other simple stages of image encryption algorithms in our future work.