Fast and Secure Chaos-Based Cryptosystem for Images



Introduction
Today, chaos-based encryption algorithms have been widely used in image and video encryption systems [Hamidouche et al., 2015]. Research has shown that chaos systems are extremely sensitive to the changes of control parameters and initial conditions. They have pseudo-random behavior for nonauthorized parties [Akhshani et al., 2012;El Assad et al., 2014;Kassem et al., 2014;Chiaraluce et al., 2002;Chen et al., 2004;Behnia et al., 2008;Wang et al., 2013;Chang, 2009]. Experimental results show that the chaos-based encryption algorithm can overcome security issues in efficient and adaptive ways compared to the classical encryption ones (such as DES and AES) [Abd El-Latif et al., 2012;Furht & Socek, 2003;Li et al., 2006;Bhargava et al., 2004;Mansour et al., 2012;Bhatnagar & Jonathan Wu, 2012].
Any cryptosystem must achieve diffusion and confusion effects in order to be robust and secure against several types of attacks. This has been explained in Shannon's famous paper [Shannon, 1949]: "In a strongly ideal cipher all statistics of the cryptogram are independent of the particular key used". The confusion property aims to make the statistical relationship between the cipher image and the secret key as complex and involved as possible, whereas the diffusion property aims to make the statistical relationship between the plain image and the cipher image as complex and involved as possible. The diffusion principle can be described as follows: each plaintext byte/bit affects many ciphertext bytes/bits. The confusion principle can be described as follows: the key should not relate to the ciphertext, and each bit/byte of the ciphertext should depend on a complex mathematical relation of the key. The former can be achieved using chaotic maps to transfer the single byte/bit effect to other bytes/bits, whereas the latter can be achieved using chaotic maps of permutation and/or substitution. Most chaos-based cryptosystems use chaotic maps to achieve the required diffusion and confusion effects. Fridrich [1998] proposed a chaos-based encryption scheme based on an iterative pixel permutation and nonlinear processes. The permutation process is achieved using three 2-D chaotic maps: the Baker map, the Cat map, and the Standard map. The nonlinear process is achieved by a nonlinear feedback register.
In this way, Masuda et al. [2006] considered two classes of chaotic finite-state maps: key-dependent chaotic S-boxes and chaotic mixing transformation. They proposed two chaotic block ciphers, i.e. uniform and Feistel. In fact, they estimated bounds for differential and linear probability to make their cryptosystems resistant to differential and linear cryptanalysis.
Later, Yang et al. [2010], derived a fast image encryption and authentication scheme. A key hash function is introduced to generate a 128-bit hash value from both the plain image and the secret hash keys. The hash value plays the role of secret key for the encryption and the decryption processes, while the secret hash keys are used to authenticate the decrypted image. Permutation and substitution are performed in a single scan of the plain image pixels. The permutation process is achieved by the modified standard map and the substitution process (based on a logistic map) is done in such a way that the change of a particular pixel depends on the accumulated effect of all previous pixel values.
Recently, fast and secure cryptosystems were proposed: Chen et al. [2015] have proposed a fast chaos-based image encryption scheme using a dynamic state variables selection mechanism. In the presented algorithm the encryption structure is similar to the structure of Zhang, except the process of generating and selecting the dynamic keystream. The security level is reached for one encryption round. Murillo-Escobar et al. [2015] have proposed a color image encryption algorithm based on total plain image characteristics, and 1-D logistic map with optimized distribution. They claim that their structure can be implemented in real-time applications. Zhang et al. [2013] have proposed a dependent diffusion structure. To the best of our knowledge, the Zhang cryptosystems seem very secure against attacks (for two encryption rounds in the first cryptosystem and one encryption round in the second cryptosystem) and faster than the previous chaos-based cryptosystems.
The rest of the paper is organized as follows. Direct related works are introduced in Sec. 2. Section 3 presents the general design concept of the proposed cryptosystem and its main differences regarding the Zhang cryptosystems. Sections 4 and 5 describe the detailed mathematical model of the proposed cryptosystems and comparative theoretical security analysis with Fridrich and Zhang cryptosystems. In Sec. 6, security analysis and cryptosystems performance are reported. Finally, the conclusion is presented in Sec. 7.

Related Work
In 1997, a chaos-based encryption scheme was introduced by Fridrich [1997, 1998]. It is becoming the core structure of most chaos-based cryptosystems and it has been widely referenced since 1997. The general Fridrich architecture is shown in Fig. 1. The Fridrich encryption scheme is composed of two layers: the first one is the confusion layer using the 2-D Baker chaotic map. This map is used to calculate the new byte position using Eq. (1).

B(x , y ) = 2x − 1,
The second layer is the diffusion one, and is implemented using the following mathematical equations: The function G is some arbitrary function of the gray level. It was chosen as a fixed random permutation which can be implemented using a simple lookup table.
In [Lian et al., 2005] the authors analyzed the security of the Fridrich scheme. They found some weaknesses, and proposed some improvements to overcome these security failures. In 2010, the Fridrich encryption algorithm was broken by [Solak et al., 2010]. Solak proved that the Fridrich algorithm could be broken using a chosen ciphertext attack. Using this type of attack, some secret permutation of the algorithm has been revealed.
In Zhang's paper, two cryptosystems were designed based on the Fridrich architecture. The first one consists of a dependent diffusion layer based on the reverse 2-D cat map. The second algorithm of the Zhang cryptosystem presents new mapping from a pseudo-random position to another pseudo-random one for the confusion effect. Also, a diffusion layer based on the logistic map is used to produce the cipher image.
In these versions, Zhang tried to achieve the confusion and the diffusion effects sequentially. The Fridrich cryptosystem and other cryptosystems are designed so that all pixels are permuted before the pixel values are diffused. However, the Zhang cryptosystems calculate the new location of a pixel and then diffuse that pixel immediately. Thus, the effect of one ciphered pixel is transferred to the next one and so on. From this idea, only two encryption rounds (in the first cryptosystem) and one encryption round (in the second cryptosystem) of the diffusion-confusion process are needed to achieve high security level, instead of many encryption rounds of separated confusion and diffusion processes used in the traditional structures.

General concepts of the proposed cryptosystems
The first step of designing a chaos-based encryption algorithm is to define the chaotic maps which will be used in such a structure. These maps are used to achieve the confusion and the diffusion effects, which are the most important properties of any cryptosystem. The general block diagram of all proposed cryptosystems is shown in Fig. 2. The main objective of this structure is to achieve the dependent confusion-diffusion effects byte by byte. All proposed cryptosystems work on the CBC mode and use the El Assad and Noura chaotic generator that produces 32-bit samples [El Assad & Noura, 2011]. Figure 3 shows the general diagram of the encryption part of the CBC mode. In Fig. 3, P 0 is the first block from the plain image, IV is the initial vector generated by the chaotic generator, C 0 is the first encrypted block which will be transferred to the receiver side. The dash boxes represent the encryption/decryption parts of the proposed cryptosystem (see Figs. 2, 4 and 7).

General differences of the proposed cryptosystem with the Zhang one
In this section, we introduce some general differences between the three versions of our proposed cryptosystem and the Zhang one:
• In the Zhang cryptosystem, a simple implementation of the logistic map was used to generate and manage the dynamic keys. In all versions of our proposed cryptosystem, a strong chaotic generator tested for robustness [El Assad & Noura, 2011] is used to manage and generate the dynamic keys. These dynamic keys are used for the dependent confusion-diffusion layer.
• To overcome the fixed-point problem of the standard 2-D cat map, the Zhang cryptosystem selects a random pixel arr(r j x , r j y ) and swaps it with the first pixel in the plain image arr(0, 0). In our proposed cryptosystem, this problem is solved by using the modified 2-D cat map. This modification of the standard 2-D cat map also enhances the security of the proposed cryptosystem. Indeed, the number of dynamic keys in the 2-D cat map increases from two to four. The first pixel (0, 0) can be mapped to any new position (i n , j n ).
• The Zhang cryptosystem works on the whole image. It is well known that the image encryption algorithms that work on the whole image give bad results for error propagation. The influence of one error bit of the ciphered data (due to the channel) on the decryption algorithm depends on the cryptographic modes. All versions of our proposed cryptosystem perform the encryption/decryption operations based on the Cipher-Block Chaining (CBC) mode [Ehrsam et al., 1978].
• One of the most important differences between our proposed cryptosystems and the Zhang cryptosystem is in the structure of the dynamic keys. In the Zhang cryptosystem, the dynamic keys consist of two keys (q i , p i ) for the reverse 2-D cat map. These key values are changed just twice for the whole encryption process. For the logistic map, t is the initial value. The value of t is changed for each byte. By comparison, in our proposed cryptosystem four keys are used in the 2-D cat map (v, u, ri, and rj). These keys' values are changed for every new encryption round and also for every new block.
• All chaos-based cryptosystems that use more than one encryption round (i.e. r > 1) to reach the required security level must save their dynamic keys for all rounds in order to use them later in the decryption process. From a security point of view, it is normal that the security level of any cryptosystem is strongly related to the environment where these dynamic keys have been temporarily saved. To the best of our knowledge, the only possible method to manage the dynamic keys in the decryption process in case of more than one decryption round is to save them temporarily, since the decryption process is achieved by starting from the last decryption round and finishing with the first decryption round. It is important to note that the chaotic generator has to be a noninvertible generator. To obtain the current key, the chaotic generator should generate all previous keys and use them in the reverse order.
All previously mentioned points are taken into consideration in the design process of a fast and secure cryptosystem, and it should use only one encryption round (r = 1), to obtain the required security level.

First Proposed Cryptosystem
The first proposed cryptosystem has some similarity to the Zhang cryptosystem. In this cryptosystem, the two dependent confusion-diffusion layers are the modified 2-D cat map (used to achieve the confusion effect) followed by the discrete logistic map (to achieve the diffusion effect). Using this structure, the required confusion-diffusion effects are obtained by one encryption round, and hence the execution time is decreased.

Encryption scheme of the first proposed cryptosystem
In the encryption scheme (see Fig. 4), for the first block, each pixel from the plain block (p 0 (k)) is XOR-ed with the initial byte (iv(k)) from the initial vector (IV ), then the output is XOR-ed with the discrete logistic map output to carry out the diffusion process. Then, the eight least significant bits resulting from the diffusion process LSB 8 (y 0 (k)) are relocated using the modified 2-D cat map to obtain the ciphered pixel at the new position (c 0 (k n )) [Farajallah et al., 2013a;Farajallah et al., 2013b]. It is important to note that the input of the discrete logistic map is based on the previous ciphered pixel (since c 0 (k n ) = LSB 8 (y 0 (k))); the input of the discrete logistic map is 32 bits and the ciphered pixel is eight bits. That is why the cryptosystem takes y 0 (k − 1) before the LSB 8 function and not after. For the first encrypted byte, the input of the discrete logistic map is Kd m , and this value is reinitialized every new encryption round. Because the c 0 (k n ) is only a part of the logistic map input, it is impossible to recover y 0 (k − 1) from c 0 (k n ) only. The encryption of the next blocks is almost the same. Each pixel from the plain block (p l (k)) is XOR-ed with ciphered byte from the previous block at the same position (i.e. c l−1 (k) to achieve the CBC mode). Then the rest of the operations are the same as in the first encryption block. The 2-D cat map was tested and analyzed by [Fridrich, 1998] and [Wong et al., 2008]. To overcome the fixed-point problem of the Arnold cat map model, the parameters ri and rj are added to the standard model. Also, in our scheme the elements of the square matrix and the parameters ri and rj of Eq. (3) become dynamic; they form the dynamic keys of the permutation process.
Equation (3) is a one-to-one function, which means that each point of the square matrix can be transferred to exactly one unique point. So, instead of exchanging the values at the new position (i n , j n ) with the old one (i, j), we use a transfer operation because of its speed compared to the swap operation that is usually used. The block size b s is M^2 (M is the square root of the block size in our proposed cryptosystem). The system parameters u, v, ri and rj are in the range of [0, M − 1]. The structure of the dynamic keys which are produced by the chaotic generator during the permutation process is:
The modulo operation of Eq. (3) makes it a noninvertible equation. But it is still a reversible one. Thus, in the decryption part of the proposed cryptosystem, the reverse layer is also achieved by Eq. (3). The implementation of this modified 2-D cat map is carried out by an optimized process, indeed: Then the modified 2-D cat map is implemented as:
The Logistic map is a nonlinear chaotic discrete function that produces random sequences. In the proposed cryptosystem, the logistic map is used as a diffusion function to achieve the diffusion effect, by transferring the effect from one byte in the block to other bytes in the same block. This structure makes the proposed cryptosystem highly sensitive to the plaintext. The mathematical model of the discrete logistic map is: where X k+1 is the new value calculated from the previous one X k . N is the number of bits representing the integer output of the discrete logistic map, which is equal to 32 bits in all versions of our proposed cryptosystem.
Figure 4 shows the block diagram of the encryption part of the first version of the proposed cryptosystem. From the figure, we write the encryption mathematical model as: where y l (k) is a 32-bit variable, p l (k), s l−1 (k) are 8-bit variables and f is the logistic map. The following remarks should be considered:
(1) During the encryption, Eq. (8) should be evaluated before Eq. (7), for each byte of a block and for all blocks.
(2) The input of the logistic map for k = 0 is kd m when l = 0 and it is y l−1 (b s − 1) for l > 0.
(3) For k > 0 and for all l, the input of the logistic map is the result of Eq. (8) and not the previous output [see Eq. (6)].
Note that: i n and j n are calculated using Eq. (3). The sequence s l−1 (k) is given by the following equation: where, L, C, and P are the number of lines, the number of columns, and the number of planes of the image respectively. In Algorithm 1, we describe in detail the exact steps to achieve the ciphering process for all blocks.

Proposed chaotic generator
The generator used in this cryptosystem is a simplified implementation of the one published by El Assad and Noura in a patent [El Assad & Noura, 2011]. It consists of two chaotic maps (i.e. Skew

Initialize the value of s −1 (k) = iv(k)
8: Calculate (i n , j n ) using equation (3)
9: Calculate k n = i n × M + j n
10: Calculate y 0 (k) value using equation (6) and equation (8)
11: Calculate c 0 (k n ) value using equation (7)
12: End j
14: End i
15: End m
16: for l = 1: b n − 1: step = 1 do
17: for m = 0: r − 1: step = 1 do
18: Generate the values of Kp m using the chaotic generator to encrypt the current block of the plain image.
Initialize the value of s l−1 (k) = c l−1 (k)
23: Calculate (i n , j n ) using equation (3)
24: Calculate k n = i n × M + j n
25: Calculate y l (k) value using equation (6) and equation (8)
26: Calculate c l (k n ) value using equation (7)
27: k = k + 1

generated sequences. The generator produces 32-bit (four bytes) samples. For our first version of the proposed cryptosystem, the following generated samples are needed to encrypt an image: Kd is a 32-bit size, supplied for the first block, and changed for every encryption round, so the total number of required samples for Kd is: IV is a vector of b s bytes, it is supplied one time for the first block, so the total number of required samples for IV is: Kp consists of four variables (u, v, ri and rj), each variable is q bits with q = log_2(√b_s), so the total number of required samples for Kp is: From Eqs. (10)-(12), the total samples required to encrypt an image is:
The discrete Skew Tent Map and the discrete PWLCM are defined in the following equations. First, the discrete Skew Tent Map is defined as [Masuda et al., 2006]: where P is the control parameter, ranging from 1 to 2^N − 1, and N = 32 bits, is the finite precision. Second, the PWLCM map is defined as [Lian et al., 2007]: The control parameter P of the PWLCM ranges from 1 to 2^(N−1) − 1.
The proposed chaotic generator has the following cryptographic properties: pseudo-random mapping, delta-like auto-correlation, nearly zero cross-correlation, uniform distribution, passing the NIST 800-22 (National Institute of Standards and Technology) empirical statistical tests [Rukhin et al., 2001], and having a large size of the secret key. The size of the secret key is determined by four initial conditions: two values for the Skew Tent and PWLCM maps of size N and the others for the two LFSRs, and two control parameters, i.e. P 1 (for the Skew Tent) and P 2 (for the PWLCM).
Moreover, the implemented generator is very secure against known attacks: ciphertext attack and chosen-plaintext attack (this latter attack is the easiest one among all known attacks). The objective of these attacks is to determine the secret key that was used. The ciphertext attack, means here, guessing the secret key from the generated sequences. This attack is ineffective, because the generated sequences are obtained by a combination of sequences supplied by two different nonlinear maps. And it is impossible to analyze sequences of each map separately. The chosen-plaintext attack is equivalent here to the key sensitivity attack, because the only input of the system is the secret key. From the main property of any chaotic system (the extreme sensitivity to even one bit change of the secret key), the implemented generator passes this test (see also, the test done in Sec. 6.3 about the key sensitivity attack).

Decryption scheme of the first proposed cryptosystem
The decryption scheme of the first proposed cryptosystem is almost identical to the encryption one. Figure 6 shows the decryption structure of the CBC mode in all proposed cryptosystems, while Fig. 7 shows the decryption structure of the first proposed cryptosystem.
The decryption equation resulting from the encryption equations (7) and (8) is:
where
y_l(k) = p_l(k) ⊕ s_{l−1}(k) ⊕ f(y_l(k − 1)). (18)
As we can see, Eq. (17)

Calculate (i n , j n ) using equation (3)
8: Calculate k n = i n × M + j n
9: Calculate p 0 (k) value using equation (17)
10: Calculate y 0 (k) value using equation (6)
Calculate (i n , j n ) using equation (3)
24: Calculate k n = i n × M + j n
25: Calculate p l (k) value using equation (17)
26: Calculate y l (k) value using equation (6)

In reality, as we can see in Fig. 7, Eq. (18) is implemented as follows:
Lian et al., in their paper [2005], analyzed the Fridrich model, and they pointed out some possible attacks on that model. We apply and analyze these attacks on our proposed cryptosystem to ensure its robustness against them.
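The encryption and decryption steps of the first cryptosystem (permutation by the modified 2-D cat map, diffusion by the 32-bit logistic map, CBC chaining, r = 1) can be exercised end to end with the sketch below. It is an added example, not the authors' code. Eqs. (3) and (6) are not reproduced on this page, so cat_map and logistic32 use assumed standard forms; M = 16 and the values KD, IV and KPS are constructed stand-ins for chaotic-generator samples.

```python
N = 32                          # precision of the logistic map stated in the text
MASK32 = (1 << N) - 1
M = 16                          # block side; b_s = M*M = 256 bytes
BS = M * M


def cat_map(i, j, u, v, ri, rj, m=M):
    """ASSUMED form of Eq. (3): determinant-1 matrix [[1,u],[v,1+uv]] plus offset (ri, rj)."""
    return (i + u * j + ri) % m, (v * i + (1 + u * v) * j + rj) % m


def logistic32(x):
    """ASSUMED form of Eq. (6): floor(x(2^N - x) / 2^(N-2)), clamped to N bits."""
    return min((x * ((1 << N) - x)) >> (N - 2), MASK32)


def positions(kp):
    """Map every byte index k of a block to k_n = i_n * M + j_n."""
    u, v, ri, rj = kp
    out = []
    for k in range(BS):
        i_n, j_n = cat_map(*divmod(k, M), u, v, ri, rj)
        out.append(i_n * M + j_n)
    return out


def is_bijection(kp):
    """The permutation must hit every position exactly once (one-to-one property)."""
    return sorted(positions(kp)) == list(range(BS))


def encrypt(plain, kd, iv, kps):
    """Encrypt len(kps) blocks of BS bytes with one round per block."""
    out, s, y = [], iv, kd      # y starts at Kd, then carries over between blocks
    for l, kp in enumerate(kps):
        p = plain[l * BS:(l + 1) * BS]
        c = bytearray(BS)
        for k, k_n in enumerate(positions(kp)):
            y = p[k] ^ s[k] ^ logistic32(y)   # Eq. (18); y keeps all 32 bits
            c[k_n] = y & 0xFF                 # c_l(k_n) = LSB_8(y_l(k))
        out.append(bytes(c))
        s = c                                 # CBC: next block uses c_l(k) as s_l(k)
    return b"".join(out)


def decrypt(cipher, kd, iv, kps):
    """Inverse of encrypt; runs forward, so no round keys have to be stored for r = 1."""
    out, s, y = [], iv, kd
    for l, kp in enumerate(kps):
        c = cipher[l * BS:(l + 1) * BS]
        p = bytearray(BS)
        for k, k_n in enumerate(positions(kp)):
            fy = logistic32(y)
            p[k] = c[k_n] ^ s[k] ^ (fy & 0xFF)
            # p and s are 8-bit, so the top 24 bits of y_l(k) equal those of f(y_l(k-1))
            y = (fy & 0xFFFFFF00) | c[k_n]
        out.append(bytes(p))
        s = c
    return b"".join(out)


# Constructed sample inputs (the paper draws these from its chaotic generator).
KD = 0x9E3779B9
IV = bytes((37 * k + 11) % 256 for k in range(BS))
KPS = [(3, 5, 7, 2), (11, 4, 0, 9)]          # (u, v, ri, rj) per block, each in [0, M-1]
PLAIN = bytes(range(256)) + bytes(BS)        # a ramp block followed by an all-zero block

if __name__ == "__main__":
    ct = encrypt(PLAIN, KD, IV, KPS)
    print("round trip ok:", decrypt(ct, KD, IV, KPS) == PLAIN)
    print("standard map fixes (0,0):", cat_map(0, 0, 3, 5, 0, 0) == (0, 0))
    print("modified map moves (0,0) to:", cat_map(0, 0, *KPS[0]))
```

With ri = rj = 0 the map leaves pixel (0, 0) in place, which is the fixed-point weakness the offsets are meant to remove.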

Dynamic key space analysis of Fridrich, Zhang and our cryptosystems
Lian in his paper assumes that the dynamic key space of the whole Fridrich cryptosystem is S r = (S 1 × S 2 ) r , where S 1 is the dynamic key space of the confusion layer, S 2 is the dynamic key space of the diffusion layer, and r is the number of iterations. The total dynamic key space of the Fridrich model can be calculated as: where M is the square root of the tested image size and L = 256, is the number of gray levels.
In the Zhang cryptosystem, the first algorithm has q 1 , q 2 , p 1 and p 2 in the range [0, 511], and also t 0 which is eight bits, so: The second algorithm has q 1 , q 2 , p 1 and p 2 in the range [0, 511], and also temp1 and temp2 of eight bits each, so: In our proposed cryptosystem, the total dynamic key space is defined as:

where S 1 is the dynamic key space of the confusion layer (the modified 2-D cat map), S 2 is the dynamic key space of the diffusion layer (the logistic map).
The total dynamic key space of our proposed cryptosystem can be calculated as: (1) The whole image is divided into a number of blocks and the dynamic keys are changed for every new encryption round and every new block.
For r = 1: As an example, and to compare the Zhang, Fridrich and our cryptosystems, the gray-scale Lena image of 512 × 512 is taken, and then for one encryption round (remark, for our proposed cryptosystem M = 32): KS_Proposed = (32^4 × 2^32) × (512 × 512 / 32^2) = 2^60. It is clear from the previous calculations that the dynamic key space of our proposed cryptosystem is 2^16 times more than the first Zhang cryptosystem, and 2^8 times more than the second Zhang cryptosystem.

Chosen-plaintext attack
Fridrich proved that his proposed model is secure against a chosen-plaintext attack based on the fact that the difference between the ciphertexts encrypted by the same key for two plaintexts differing on one bit is large enough to keep a high security level against the chosen-plaintext attack. However, Lian et al. [2005] pointed out another kind of attack that can be used to cryptanalyze the Fridrich model. Since the fixed-point problem was not solved in the 2-D cat map, Baker or standard maps were used in the Fridrich model, and so the cipher of the first plain pixel of any image will remain in the first position (that means c 0 is the encryption of the p 0 , and so, no permutation is done on the first pixel). Then it is easy to find the initial value of the diffusion key (Q −1 ) in the Fridrich model (more details of this attack can be found in [Lian et al., 2005]).
In Zhang cryptosystems, a simple solution to overcome this problem is introduced, the solution is carried out by swapping the first pixel with a random pixel from the image before starting the encryption process.
In our proposed cryptosystem, the first kind of chosen-plaintext attack is addressed, and a high security level is achieved, as shown in Sec. 6.2.
The fixed-point problem does not exist in our proposed cryptosystem, since it is solved by adding the ri and the rj dynamic keys to the original 2-D cat map, and the chaotic generator ensures that ri and rj will never be zero at the same time.
Our solution has two advantages, first, it increases the dynamic key space of the 2-D cat map, second, any pixel can be mapped to any position with the same probability.

Some specific differences in the diffusion process
Zhang cryptosystems implement the logistic map based on eight bits. This means that the input and the output of the logistic map for all operations are in eight bits, whereas in our proposed cryptosystem, the logistic map is implemented to receive 32 bits as input and to produce 32 bits as output. As a result, the dynamic key of the logistic map is increased from eight bits to 32 bits, and the security level of the overall cryptosystem is increased. Moreover, it is well known that the implementation of the logistic map based on eight bits has some security weaknesses and failures. Finally, as the proposed cryptosystem uses new dynamic keys for each new block, the cryptosystem is secure against the chosen-plaintext attacks, according to the fact that a chosen-plaintext attack will be useless if different keys are used to encrypt different plaintexts in the same message.

Second Proposed Cryptosystem
The construction and design process of the following cryptosystems begins by keeping in mind the structure of the first proposed cryptosystem. As we know, there is always a trade off between the security level and the encryption time. Increasing the security level in general leads to making the system more complex, and then adding some additional delays on the encryption operations. For this reason, two subversions of the second version are described in this section. These subversions have the same structure as the first proposed cryptosystem, but using a different diffusion layer, namely the Finite Skew Tent Map (FSTM) as a generator instead of the logistic map.

Finite Skew Tent Map as diffusion layer
The diffusion layer is implemented using a modified version as a generator of the original FSTM in [Masuda et al., 2006;Masuda & Aihara, 2002], based on a lookup table of eight bits for the first subversion and on a mathematical calculation of 32 bits for the second subversion [see Eq. (20)]. The FSTM has a better nonlinear transformation than the logistic map and so its diffusion is stronger than that of the logistic map. This implies that the cryptosystem is more resistant against differential cryptanalysis attacks. So, using the FSTM as a dependent diffusion layer increases cryptosystem sensitivity to plain sensitivity attacks. The mathematical model of the modified FSTM generator is [Farajallah et al., 2013b]: where A 0m , X, F (X) ∈ {0, 1, 2 (20) is f (y l (k−1)) and the initial value X 0 is Kd m (see Figs. 4 and 7). The structure of the dynamic keys during the diffusion process is: where r is the number of rounds for each block. In the standard FSTM, the fixed-point problem is not solved (i.e. when the input of the FSTM is ZERO the output is ZERO). To overcome this problem we introduce A 0m in the FSTM equation. As a result, any input value is mapped to any output value with the same probability without any restrictions. Moreover, introducing the dynamic key A 0m increases the dynamic key space.
The first subversion uses eight bits to implement the FSTM generator as a lookup table, and so it is faster than the first cryptosystem, while still having a high security level. The lookup table is created since the input and the output of the FSTM are limited to eight bits. Figure 4 can be used to describe the encryption process of this subversion. The first step is to generate the dynamic keys (Kp m , X 0 , A m and A 0m ). The permutation process is applied on the plain pixels by taking each byte, and calculating their new position according to Eq. (3). Then, Eq. (8) is applied to obtain the y k value which defines the ciphered pixel as shown in Eq. (7). Note that the value of y k is eight bits and so there is no need for the LSB function of Eq. (7). It is important to note that Eq. (20) is implemented in lookup table of 64 KB size without the A 0m , the returned value from the lookup table is added to the A 0m .
The second subversion uses 32 bits to implement the FSTM as a generator. It is slower than the first cryptosystem, but it has a dynamic key space greater than the first cryptosystem and thus it is very robust against cryptanalysis. The encryption process in this version is exactly identical to the first one, except in this version Eq. (20) is used instead of Eq. (6).
Using the lookup table based on eight bits for the first subversion, the first eight bits from each sample of the chaotic generator are taken to be used as the dynamic key (A m or A 0m ), and the remaining 24 bits are skipped. If the first eight bits are zeros, then the next eight bits are taken and so on.
The dynamic keys of the first subversion need two samples for each round of each block. It is important to note that the used chaotic generator never produces a sample of 32 bits where all of the bits are zeros. The dynamic keys A m and A 0m in the second subversion are 32 bits each, so, two samples are also needed for each round of each block.
So the total number of required samples in this version is:

Analysis of the second proposed cryptosystem
In this section, we analyze the dynamic key space and the chosen-plaintext attacks.

Dynamic key space analysis
In our proposed cryptosystem, the total dynamic key space is: For one encryption round (r = 1): First subversion key space: are eight bits each.
Second subversion key space: are 32 bits each.
Again, to make the same comparison between our proposed cryptosystem, the Zhang and the Fridrich cryptosystems, the Lena image of 512 × 512 bytes is taken, then for one encryption round (remark, for our proposed cryptosystem M = 32): It is clear from the previous calculations that the dynamic key space of the first subversion is 2^8 times more than the first Zhang cryptosystem, and the same as the second Zhang cryptosystem, whereas the dynamic key space of the second subversion is 2^80 times more than the first Zhang cryptosystem, and 2^72 times more than the second Zhang cryptosystem.

Chosen-plaintext attack
In this cryptosystem version, the modified 2-D cat map is the same as before, and so the analysis of the chosen-plaintext attack is the same. The FSTM is enhanced by adding the parameter A 0 . This means that the fixed-point problem is solved also for the diffusion layer, and so, this type of attack will be useless.

Performance and Security Analysis
The performances of the proposed cryptosystems have been evaluated by: measuring the encryption/decryption speed, the throughput, and the number of cycles for each algorithm. The obtained results are compared with results of other known cryptosystems. Experimental and statistical analysis is used to evaluate the security of the proposed cryptosystem for all kinds of known attacks in the literature.

Time and complexity analysis
The speed evaluation of our proposed cryptosystem is carried out using a C compiler, on a PC with 3.1 GHz processor Intel Core i3-2100 CPU, 4 GB RAM, and Windows 7, 32-bit Operation System. It encrypts different images of different sizes.
In particular, the security and the performance analysis of the proposed cryptosystems are compared with the Zhang cryptosystem, since, to the best of our knowledge, it is the fastest chaos-based cryptosystem. Table 1 presents the encryption and the decryption times for our proposed algorithms, based on two different block sizes (b s = 256 and b s = 1024 bytes) and the image under test was Lena. The time calculation process of encryption and decryption is evaluated as follows: the test image (Lena with block size 1024) is encrypted for 1000 different secret keys, then the average of these executions is calculated. From Table 2, it is clear that our proposed cryptosystems are faster than both of the Zhang algorithms and other known cryptosystems. Table 3 presents a comparison of performance of our proposed cryptosystem with some known recent cryptosystems in the literature. The performance is evaluated in terms of encryption throughput (running speed) in megabytes per second (MBps) and number of needed cycles to encrypt/decrypt one byte. The encryption throughput is calculated by Eq. (24) in bytes, whereas Eq. (25) is used to compute the number of cycles that are needed to encrypt one byte.

Plaintext sensitivity attacks
A cryptosystem should be sensitive to a one-bit change in the plaintext. This requirement is most important for resisting known-plaintext and chosen-plaintext attacks [Lian et al., 2005; Mao et al., 2004]. In a chosen-plaintext attack, more than one plaintext (with one-bit changes between them) is selected to analyze the difference between their corresponding ciphertexts. The sensitivity of a cryptosystem to these attacks is measured as follows. Select $P_1$ as the first plain image, change one bit in $P_1$, and name the result $P_2$ (i.e. $P_1$ and $P_2$ are exactly the same except for one bit; this bit is located at the beginning, the middle, or the end of the first block, and the plaintext results are calculated as an average of these three cases). Then both images ($P_1$ and $P_2$) are encrypted using the same secret key. This encryption produces two cipher images $C_1$ and $C_2$. Most researchers use two security parameters to measure the resistance of a chaos-based cryptosystem against plaintext sensitivity attacks. These parameters are the Number of Pixel Change Rate (NPCR) and the Unified Average Changing Intensity (UACI); they are given by the following equations respectively: where The optimal NPCR value is 99.61%, and the optimal UACI value is 33.46% [Wu et al., 2011; Maleki et al., 2008]. The above tests are also used to measure the resistance of a cryptosystem against the differential attacks introduced by Eli Biham and Adi Shamir [Biham & Shamir, 1991].
In our opinion, the previous tests are not sufficient to ensure that the proposed cryptosystem is resistant against plaintext sensitivity attacks. A new measurement test, called the Avalanche effect, is used. The Avalanche effect is achieved when a slight change in the input (for example, flipping a single bit) changes the output significantly (e.g. half of the output bits are flipped). A block cipher is of good quality when a small change in either the key or the plaintext causes a drastic change in the ciphertext [Mar & Latt, 2008]. Therefore, this evaluation test is used to measure the resistance of any cryptosystem to plaintext and key sensitivity attacks. The scenario of this test is identical to the previous one, but here the Hamming Distance is used to test whether the cryptosystem has the Avalanche effect or not: with $|Ib| = 8 \times L \times C \times P$. The Hamming Distance (HD) in bits between the corresponding ciphered images $C_1$ and $C_2$ should be close to 50% (probability of bit changes: a one-bit difference in the plain image makes every bit of the corresponding cipher image change with a probability of one half [Wang et al., 2013]). Therefore, the plaintext sensitivity attack would become a useless attacking method. All versions of our proposed cryptosystem are tested using 3000 random secret keys. For each execution, we calculated the HD, NPCR, and UACI values between the two ciphered images $C_1$ and $C_2$. Finally, the average of these values is calculated. As a result, all versions of our proposed cryptosystem achieve the Avalanche effect from the first round ($r = 1$), and thus they overcome the plaintext sensitivity attacks. The plain images under test were the Lena, Barb, and Boat gray scale images, all of size 512 × 512 (the images are chosen to match those used in the literature). Moreover, the Lena and Peppers color images of the same size were used in the same test.
Table 4 presents all of these results, and it is clear that the HD value is very close to the optimal value of 50% for the three proposed cryptosystems. Also the UACI and NPCR values are close to optimal. These values indicate that the proposed cryptosystems are very sensitive to one bit

Key sensitivity attack
Key sensitivity is extremely crucial for any cryptosystem. A cryptosystem has a high security level relative to key sensitivity attacks if a slight change in the secret key produces a completely different ciphered image [Pareek et al., 2013]. The testing scenario for key sensitivity is almost identical to the plaintext sensitivity attack test: we have a plaintext $P$ and two secret keys $K_1$ and $K_2$ that differ in one bit. First, $P$ is encrypted using $K_1$ to obtain $C_1$. Then the same plaintext $P$ is encrypted using $K_2$ to obtain $C_2$. Then the previous equations of the NPCR, UACI and HD, (26), (28) and (29), are used to evaluate the resistance of the proposed cryptosystem to key sensitivity attacks. Table 5 presents the results obtained from the key sensitivity attack test for the three versions of the proposed cryptosystem, using the same parameters as were used in Table 4. From Table 5, it is clear that the proposed cryptosystem has a high security level relative to the key sensitivity attacks.
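The plaintext and key sensitivity tests described above can be reproduced with the short script below. It is an added example, not code from the paper: it assumes the definitions of NPCR, UACI and bit-level Hamming distance commonly given in the literature (the paper's own equations are not reproduced in this text), and it uses constructed random buffers and a hypothetical `xor_only` stand-in cipher without diffusion to show a failing and an ideal outcome.

```python
import random

def check_sizes(c1, c2):
    if not c1 or len(c1) != len(c2):
        raise ValueError("cipher images must be non-empty and equal in size")

def npcr(c1, c2):
    """Percentage of byte (pixel sample) positions whose values differ."""
    check_sizes(c1, c2)
    return 100.0 * sum(a != b for a, b in zip(c1, c2)) / len(c1)

def uaci(c1, c2):
    """Mean absolute intensity difference, as a percentage of 255."""
    check_sizes(c1, c2)
    return 100.0 * sum(abs(a - b) for a, b in zip(c1, c2)) / (255 * len(c1))

def hamming_distance(c1, c2):
    """Percentage of differing bits; the bit count is 8 * len(c1)."""
    check_sizes(c1, c2)
    diff_bits = sum(bin(a ^ b).count("1") for a, b in zip(c1, c2))
    return 100.0 * diff_bits / (8 * len(c1))

def flip_bit(image, bit_index):
    """Return a copy of image with one bit flipped (the P1 -> P2 step)."""
    out = bytearray(image)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)

def random_bytes(n, rng):
    return bytes(rng.getrandbits(8) for _ in range(n))

def xor_only(plain, keystream):
    """Constructed weak stand-in: keystream XOR with no diffusion layer."""
    return bytes(p ^ k for p, k in zip(plain, keystream))

def report(name, c1, c2):
    row = (npcr(c1, c2), uaci(c1, c2), hamming_distance(c1, c2))
    print(f"{name:<20} NPCR={row[0]:8.4f}% UACI={row[1]:8.4f}% HD={row[2]:8.4f}%")
    return row

if __name__ == "__main__":
    rng = random.Random(2024)          # constructed data, fixed seed
    n = 256 * 256                      # one 256 x 256 gray scale image
    p1 = random_bytes(n, rng)
    p2 = flip_bit(p1, 8 * (n // 2))    # one-bit change in the middle
    keystream = random_bytes(n, rng)
    report("no diffusion (XOR)", xor_only(p1, keystream), xor_only(p2, keystream))
    # Two independent random buffers model the ideal outcome of the test.
    report("ideal (independent)", random_bytes(n, rng), random_bytes(n, rng))
```

For the key sensitivity test, the same three functions are applied to the cipher images obtained from one plaintext under two keys that differ in one bit.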

Histogram analysis
One of the most common cryptosystem attacks is the one based on statistical analysis. A cryptosystem is considered to be strong against these attacks if the histogram of the encrypted image is uniformly distributed. In Fig. 8, we show some visual results obtained with the third version of the proposed cryptosystem (similar results are obtained for the other versions): (a) the plain Lena image of size 512 × 512 × 3, (b) the corresponding cipher image, (c) the histogram of the plain image, and (d) the histogram of the corresponding cipher image. The histogram of the encrypted image is very close to the uniform distribution and completely different from the plain image histogram. This means that there is no visual information that can be observed from the ciphered image of the proposed cryptosystem. The visual test is necessary but not sufficient. To ensure uniformity, the chi-square test is applied [using Eq. (30)] to statistically confirm the uniformity of the histogram: where $N_v$ is the number of levels (here 256), $o_i$ is the observed occurrence frequency of each color level (0-255) in the histogram of the ciphered image, and $e_i$ is the expected occurrence frequency of the uniform distribution, given here by $e_i = \frac{L \times C \times P}{256}$. We present in Table 6 the results obtained from the chi-square test of histograms for three ciphered images of different nature (i.e. Lena, Boat, and Baboon). All of them have the same size of 128 × 128 × 3, with a significance level of 0.05. From the obtained values, we can observe that $\chi^2_{exp} < \chi^2_{th}(255, 0.05) = 293$, and thus the tested histograms are uniform and do not reveal any information for statistical analysis.
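The histogram uniformity check can be run as follows. This is an added example, not the paper's code: it assumes the standard Pearson chi-square statistic over the quantities $N_v$, $o_i$ and $e_i$ defined above, takes the threshold 293 from the text, and uses constructed inputs, including SHA-256 in counter mode as a hypothetical stand-in for cipher output.

```python
import hashlib
from collections import Counter

CHI2_THRESHOLD = 293.0  # chi^2_th(255, 0.05), the value quoted in the text

def chi_square(image, levels=256):
    """Pearson chi-square of the byte histogram against a uniform one."""
    if not image:
        raise ValueError("empty image")
    expected = len(image) / levels          # e_i = L*C*P / 256
    observed = Counter(image)               # o_i for every level present
    return sum((observed.get(v, 0) - expected) ** 2 / expected
               for v in range(levels))

def looks_uniform(image, threshold=CHI2_THRESHOLD):
    return chi_square(image) < threshold

def stand_in_cipher(n, key=b"constructed-key"):
    """Assumption: SHA-256 in counter mode stands in for cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def banded_image(n):
    """Constructed 'plain image' that uses only 64 of the 256 levels."""
    return bytes(((i // 3) % 64) * 4 for i in range(n))

if __name__ == "__main__":
    size = 128 * 128 * 3                    # image size used for Table 6
    for name, data in (("banded plain image", banded_image(size)),
                       ("stand-in cipher", stand_in_cipher(size))):
        value = chi_square(data)
        verdict = "uniform" if value < CHI2_THRESHOLD else "not uniform"
        print(f"{name:<20} chi2 = {value:12.2f}  -> {verdict}")
```

A single run near the threshold is not conclusive in either direction: at a significance level of 0.05, a truly uniform source exceeds 293 in about one run out of twenty.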

Correlation analysis
Correlation analysis is another type of statistical attack. It should not give any information about the secret key used or any partial information about the original plain image. This means that the encrypted image should be greatly different from its original one. Correlation analysis is one of the usual ways to measure this property. Indeed, it is well known that adjacent pixels in plain images are highly redundant and correlated. So, in the encrypted images, adjacent pixels should have a redundancy and a correlation as low as possible. To test the correlation between adjacent pixels, the following procedure was carried out. Firstly, 8000 pairs of two adjacent pixels are selected randomly in the vertical, horizontal, and diagonal directions from the original and the encrypted images. Then, the correlation coefficient is computed according to the following formulas: where cov(x, y) image. One example of this extensive study is the Barb gray scale image of size 512 × 512 × 1. The obtained results are shown in Table 7 and Fig. 9. These results demonstrate that the correlation coefficient of the plain images is close to one in all directions (see Fig. 9), and the correlation coefficient of the encrypted images is close to zero. This means that there is no detectable correlation between the original and its corresponding ciphered image, and also that there is no relation between pixels of the ciphered image.
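The adjacent-pixel procedure above, as an added example that is not the paper's code: it samples 8000 random neighbour pairs per direction and computes the Pearson correlation coefficient, which is assumed here because the paper's formulas are not reproduced in this text. The images are constructed single-channel buffers (a smooth ramp for the plain image, seeded random bytes for the cipher image).

```python
import math
import random

# (row step, column step) to reach the neighbour in each direction
DIRECTIONS = {"horizontal": (0, 1), "vertical": (1, 0), "diagonal": (1, 1)}

def sample_pairs(img, width, height, direction, n_pairs, rng):
    """Pick n_pairs random pixels together with their neighbour."""
    dy, dx = DIRECTIONS[direction]
    xs, ys = [], []
    for _ in range(n_pairs):
        r, c = rng.randrange(height - dy), rng.randrange(width - dx)
        xs.append(img[r * width + c])
        ys.append(img[(r + dy) * width + (c + dx)])
    return xs, ys

def correlation(xs, ys):
    """Pearson coefficient cov(x, y) / sqrt(var(x) * var(y))."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / n
    vx = sum((x - mx) ** 2 for x in xs) / n
    vy = sum((y - my) ** 2 for y in ys) / n
    if vx == 0 or vy == 0:
        return math.nan                     # undefined for constant samples
    return cov / math.sqrt(vx * vy)

def adjacent_correlations(img, width, height, n_pairs=8000, seed=0):
    if len(img) != width * height:
        raise ValueError("expected one byte per pixel (gray scale)")
    rng = random.Random(seed)
    return {d: correlation(*sample_pairs(img, width, height, d, n_pairs, rng))
            for d in DIRECTIONS}

def smooth_image(width, height):
    """Constructed plain image: a diagonal intensity ramp."""
    return bytes(((r + c) // 4) % 256
                 for r in range(height) for c in range(width))

def noise_image(width, height, seed):
    """Constructed cipher-like image: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(width * height))

if __name__ == "__main__":
    w = h = 256
    for name, img in (("plain", smooth_image(w, h)),
                      ("cipher-like", noise_image(w, h, 7))):
        print(name, {d: round(v, 4)
                     for d, v in adjacent_correlations(img, w, h).items()})
```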

Conclusion
In this paper, we first studied and analyzed one of the fastest chaos-based cryptosystems, namely the Zhang cryptosystems. Then, based on a structure similar to that of the Zhang and Fridrich cryptosystems, we designed three versions of a chaos-based cryptosystem. We have shown that all versions of our proposed cryptosystem are faster and more secure than Zhang and many other chaos-based cryptosystems. The time performance is evaluated using the encryption/decryption time, the running speed, and the number of cycles needed to encrypt or decrypt one byte. The last measurement method is necessary to compare different cryptosystems working on different platforms. All versions of our proposed cryptosystem are implemented using the CBC mode and a robust chaotic generator to produce the dynamic keys for each new encryption round and new block. The high security level of all versions of the proposed cryptosystem is verified by testing them against different kinds of known mathematical attacks and by using well-known statistical analysis. Finally, all results prove the superiority of the proposed cryptosystems for use in secure and real-time applications.