Cryptosystem Based on the Elliptic Curve With a High Degree of Resistance to Damage on the Encrypted Images

In this work, a novel symmetric cryptosystem for image encryption is presented. The Symmetric Cryptosystem of the Elliptic Curve (SCEC) can resist damage to encrypted figures, up to 40% of the original figure. SCEC uses chaos to generate an $8\times {8}$ S-box with high nonlinearity to avoid the linear attack. A random permutation is used before starting encryption, making the cryptosystem more robust. For testing, damage according to four types of noise was applied to the encrypted images: additive, multiplicative, Gaussian, or occlusion. The median filter was applied to correct the damage in encrypted images, improving its sharpness, and a new measure, the Similarity Parameter (SP), is proposed to evaluate the difference between the original image and the decrypted image with damage. Several parameters and tests were applied to evaluate the performance of SCEC, from the encryption quality to the resistance to the differential attack. Experimental results indicate that SCEC has high-quality cryptographic properties, very much similar to the corresponding values of AES but with the addition of a high protection to noise damage on the encrypted images.


I. INTRODUCTION
Because of the advanced development of the communication networks and the high quantity of valuable information that can be contained in an image, the image ciphering for protecting confidential data is a field with a highly dynamic development [1]- [6].
Four points have to be considered when designing an encryption system for images, being the first one the resistance to attacks. For this work, attacks can be classified into three categories: those against the elliptic curve, those focused on the cryptosystem, and those directed to the encrypted images. Since SCEC is constructed using an elliptic curve, it is sensible to the attack of the discrete logarithm [7], [8]. The discrete logarithm problem can be compared The associate editor coordinating the review of this manuscript and approving it for publication was Di He .
with the problem of factoring a positive integer n in the Rivest-Shamir-Adleman cryptosystem (RSA). In this sense, to solve the discrete logarithm problem when the solution set of the elliptic curve has a prime factor of 2 256 , is equivalent to factoring n with a 2 3072 size [9]. However, an elliptic curve can be generated whose number of solutions has a prime factor of 2 512 , following the flow chart of Fig.1. This is equivalent to factoring n = 2 15000 in the RSA scheme, which is higher than the current RSA version [10]. On the other hand, a brute force attack to SCEC when the key set has 2 512 elements presents a higher complexity than a similar attack to the Advanced Encryption Standard (AES-256) [11].
The second point is related to the construction of an S-box that can resist the linear attack [12]. An 8 × 8 S-box build by chaos is used, with a Differential Power Analysis (DPA) < 10 [13], a value lower than the corresponding to the S-box of AES. SCEC is resistant to the linear attack, as it will be later VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ explained. Chaos is generated using Eq.(1), where f (x, P(x)) is presented in Eq.
dP(x) dx = f (x, P(x)) (1) f (x, P(x)) = aP(x) − bP(x) 2 (2) An 8 × 8 S-box is a permutation of elements from an array of 256 numbers, in this case, the hex values from 00 h to FF h . An algorithm to produce permutations was developed, which defines a one-to-one function [15]. The Walsh function is used to calculate the nonlinearity of the S-box [16].
The third point corresponds to the protection against damage on the ciphered images. If a communication scheme suffers an attack and the image gets damaged, the information could be unreadable depending on the damage extension and the applied cryptosystem [17]. As an example, AES working in CBC mode does not resist an additive noise attack to the encrypted image [18], [19]. SCEC can stand a certain damage degree over the encrypted image produced by additive, multiplicative, Gaussian, or occlusion noise [20], in such a way that when deciphering the information, it is possible to distinguish at a glance the original image if it has been damaged [21]. The damage degree can be up to 40% the size of the encrypted image. The parameters Number-of-Pixels Change Rate (NPCR), Unified Average Changing Intensity (UACI) and Avalanche Criteria (AC) were applied to determine the resistance of SCEC to the differential attack [22].
For evaluating the behavior of SCEC, a median filter of 3 × 3 was applied to improve the sharpness of the decrypted images with damage [23]. The proposed symmetric cryptosystem is of the Substitution Permutation Network type with a random permutation at the start of the image encryption [24], which increases the complexity to attack the cryptosystem.
The fourth point tackles the problem of quantifying how different the damaged image is from the original. The UACI c parameter is used to solve this, where c indicates a basic RGB color: red, green and blue, since the similarity percentage is evaluated for each of them. In this work, the parameter SP c given by Eq.(3) is proposed to measure the similarity percentage. Finally, this version of SCEC ciphers images without compression in bmp format, since this research was supported by the Mexican government, and its regulation do not allow data loss during the encryption process of sensitive information [25]. However, SCEC can be configured for ciphering compressed images in different formats such as jpg or png, for commercial applications.
In a comparison with recent developments, SCEC presents the following advantages: • The occlusion damage is tested over the ciphered images in diverse works [17], [26]. In addition to this type of damage, SCEC considers the effect of additive, multiplicative and Gaussian noise sources.
• The number of elements in the key set is particularly important for the security of a cryptosystem. In this sense, the number of keys in SCEC is considerably higher than in other proposals [26], [27].
• Generally, the developments in cryptosystems do not consider any filter to improve the sharpness of the ciphered images that have been damaged [28], [29].
In this work, a median filter is applied to increase the sharpness, and an additional parameter is proposed to measure this feature.
• Another parameter to evaluate the quality of the encrypted images is the entropy. The entropy results generated by SCEC when applied to a series of well-known images surpassed the performance of other cryptosystems [30], [31].
• Because of its implementation using Java-language threads, the execution time of SCEC is considerably lower than in other proposals [32]- [35]. Other cryptosystems (as is the case of AES), could be used in combination with the elliptic curve. However, this is only one of the features of the proposed cryptosystem. SCEC is a novel cryptosystem with additional advantages derived from its implementation, including aspects such as the use of a variable permutation for ciphering and the application of chaos for generating the S-box. Furthermore, AES was not chosen as the base for this development because it is a well-known cryptosystem whose weakness points are public domain.
This article is organized as follows: Section 2 describes the tools used in SCEC for image encryption and for measuring the randomness. Section 3 presents the algorithm for producing the permutation, detailing how an S-box with high non-linearity is generated. In Section 4, the encryption algorithm and the test images are described. Section 5 illustrates the damages that can affect the ciphered images. In Section 6, the randomness results of the ciphered images, and the image damage values are shown. Section 7 focuses on the analysis and discussion of results, while Section 8 corresponds to the conclusions and future work.

II. THEORETICAL TOOLS APPLIED IN SCEC FOR IMAGE ENCRYPTION A. ELLIPTIC CURVE
SCEC is a symmetric cryptosystem based on the elliptic curve depicted by Eq.(4): The elliptic curve meets the conditions shown in Eqs. (5,6,7): where #E(F q ) is the number of solutions for the curve in the F q field. Eq.(5) guarantees that the curve is non-singular, which implies that it has three different real roots [36].
Eq. (6) implies that the curve is non-supersingular, a condition required to prevent the MOV attack [37]. Eq. (7) states that the curve is not trace one, that is, the Fobenius trace must be different to one since the elliptic curves of trace one present a higher vulnerability [38]. Additionally, the prime factor of the number of solutions must be large enough so the discrete logarithm attack cannot be carried out, at least with the currently available technology [7]. The sum operation (+) is defined on the set of solution points of the curve, so that this set (E, +) is an Abelian group [39]. Theorem 1 is applied to calculate the number of solutions: Theorem 1: Let p be an odd prime number, k ≡ 0 mod p, and #E(F p ) the number of solutions for the elliptic curve defined by Eq.(4). Additionally, p ≡ 1 mod 4, where p can be written as in Eq. (8), such that a, b are positive integers, b is an even number, and a+b ≡ 1 mod 4. The number of solutions is given by Eq. (9) when k is not a fourth power mod p of some element in the field F p , but a square power mod p.
Consequently, k must meet the condition of being not a fourth power mod p of some element of F p . For this purpose, Lemma 1 is demonstrated: Lemma 1: Given the elliptic curve of Eq.(4), when the condition p ≡ 1 mod 4 is met then k is a fourth power mod p if k (p−1)/4 mod p ≡ 1.
The Euler criterion is used for finding out if k is a square power mod p of some element in the F p field [41]. Lemma 2 is presented to develop a cyclic subgroup in the solution set.
Lemma 2: Let the conditions stated in Theorem 1 be met, then 4 | #E(F p ).
According to the conditions mentioned in Theorem 1, it is known that #E(F p ) = p+1+2a. On the other hand, since the prime p = 2 and b is even, it follows that a is odd. Besides, p + 1 + 2a = (a + 1) 2 + b 2 , which implies that a + 1 is even. Thus, 4 | (a + 1) 2 and 4 | b 2 ⇒ 4 | #E(F p ) . Furthermore, the Theorem 2 gives information to construct a cyclic subgroup in the solution set.
Theorem 2: Let E be an elliptical curve defined on Z p , where p is a prime number > 3. Then, there are two positive integers n 1 , n 2 such that there is an isomorphism from (E, +) to Z n 1 × Z n 2 . Also, n 2 | n 1 and n 2 | (p − 1).
For this case, n 2 = 1 and n 1 = q, which is a prime factor of #E(F p ), and q is defined in Eq. (10). Sometimes, q is not prime. However, it is necessary to search for another prime number p that meets the conditions of Theorem 1, generating a prime q. q = (p + 1 + 2a)/4 (10) In this research, the problem of finding the first solution is posed in a different way, namely: an initial point (x, y) is given, and a k is required that meets Eq.(4). In fact, this k value must meet Eq.(11), The following example illustrates the above mentioned, using particular values: Given a = 197 and b = 8, it follows that p is 38873. It can be verified that p mod 4 ≡ 1, and a + b ≡ 1 mod 4. A solution point α = (4934, 9259) is selected, and k is calculated according to Eq.(11) resulting in k = 36926. Then, k is verified using Eqs. (12) and (13),  Fig.1 explains the process to generate the elliptic curve. When the elliptic curve is calculated for real implementations of the proposed system, there is a potential problem derived from the fact that there are some values of a where the computation program requires a longer time to find the generator element α. Nevertheless, this problem is solved by running the algorithm of the Fig. (1) with several threads to obtain the elliptic curve, proposing for each thread a value of a chosen in a chaotic way. Additionally, the number of solutions is prime and is calculated according to Eq. (10). It follows that the probability of finding the generating element is 1 4 , so the failure probability is 3 4 . Using the binomial distribution, the total fail probability considering 32 threads is presented in Eq. (14). As can be seen, the probability of success is very high, that is, 0.9999, and can be increased if required.

B. ENTROPY
The entropy is calculated using Eq.(15) [42]: For this case, the images are coded in RGB format and each color is represented with a one-byte value, using 256 combinations. In this sense, if each basic color has a uniform distribution, that is, all points have the same probability, the entropy is 8. However, this is not a sufficient condition for considering a random bit distribution, since theoretically it is possible to construct a non-random string with entropy 8, as is the case of an image with a exact uniform distribution of colors. In practical cases, entropy values close to 8 are desired for the primary color distributions of an encrypted figure [43]. Additionally, other instruments were applied in this work to verify the randomness.

C. CORRELATION COEFFICIENT
The linear analysis between adjacent pixels of encrypted images is performed using the Correlation Coefficient, or correlation. An encrypted image complies with a good randomness degree if the correlation between its adjacent pixels is close to zero. Most image encryption works carry out this analysis in three directions: horizontal, vertical and diagonal [44]. The first step for calculating the correlation between two random variables y and z is to randomly select an encrypted image pixel. Every pixel has a value between 0 and 255 for each basic color, denoted as y r , y g and y b . Then, an adjacent pixel is taken for each direction; horizontal, vertical or diagonal according to the case. The adjacent pixel also has a value for each color, denoted as z r , z g and z b . Suppose that N pairs of pixels y, z are chosen at random. Thus, it is possible to calculate the correlation in the three directions for the three basic colors. The formula for calculating the correlation in the horizontal direction for the red color is given in Eq. (16), and the expressions for y r and z r are shown in Eqs. (17) and (18). The expressions for the other basic colors and the remaining directions are similar.

D. DISCRETE FOURIER TRANSFORM
The Discrete Fourier Transform (DFT) is a test included in the NIST 800-22 standard, for measuring the randomness degree of a binary chain, that is, there are no repetitive zeros-andones patterns, one after another [45]. The parameters involved in the calculation are: N 0 , an expected theoretical quantity given by (0.95) × n/2, where n is the string length; and N 1 , the number of values lower than the threshold h, calculated from Eq. (19), Then, f j is obtained using Eq. (20), If n is odd, the last string bit is deleted, and f j is a complex number. The module f j is calculated and compared to h. If f j < h, then 1 is added to N 1 . Otherwise, N 1 remains the same.
Eq. (21) is evaluated to obtain d and then calculate Eq. (22), where erfc is determined by Eq. (23). The decision rule is: if P − value < 0.01 the hypothesis that the string is random is rejected, otherwise it is accepted.

E. PARAMETERS TO MEASURE THE STRENGTH OF SCEC AGAINST THE DIFFERENTIAL ATACK
As mentioned before, NPCR, UACI, and AC are used to evaluate the strength of the proposed system against the differential attack. NPCR is defined in Eq. (24), where c indicates the color, and the function D(i, j) c = 1 when the bytes in position (i, j) of the encrypted images 1 and 2 are different. Otherwise, it is 0. The variables W and H are the width and height of the image, respectively. An appropriate percentage of this parameter to avoid the differential attack is in the range close to 99.6% [46].
The byte C 1,c (i, j) is defined as follows: it has a position (i, j) and the color c in the first image. Similarly, the byte C 2,c (i, j) has a position (i, j) and a color c in the second image. With this information, UACI is defined by Eq. (25). (25) A good percentage of UACI to endure the differential attack is close to 33.4% [47]. The calculation of AC for a particular color is carried out according to Eq.(26), where T is the total number of bits in the encrypted image, and the function b(i, j) c is defined by Eq. (27).
That is, if a bit in image 1 for color c is equal to the corresponding bit in image 2 for the same color, then b(i, j) c = 0.
Otherwise, b(i, j) c = 1. An appropriated value of AC to prevent the differential attack is close to 50% [48].

F. GOODNESS-OF-FIT TEST
This tool aims to find out if the distributions of the primary colors fit to a uniform distribution [49]. If so, the distribution of the colors is said to be random. However, the above approach leads to a statistical hypothesis test. The test requires two elements, namely: a test statistic and a rejection region. In this research, the statistic χ 2 is utilized for each primary color. The χ 2 variable distribution is the Chi-square with k-1 freedom degrees, and is expressed in Eq. (28), where o i and exp are the observed and expected values, respectively.
It is important to consider the variance of the histogram of the ciphered image [50]. The χ 2 test indicates the adjustment of the graph corresponding to the histogram, with respect to a uniform distribution. Additionally, the χ 2 test is based on the variance of the frequencies. According to the Central Limit Theorem, the statistic χ 2 approaches to the normal distribution with mean µ = 255 and standard deviation σ , shown in Eq.(29) [51]. Taking this into account, the threshold can be calculated using the right side of the normal distribution with a significance level of α = 0.01, which is approximately 308. Thus, the decision rule is: if χ 2 > 308 the hypothesis that the string is random is rejected, otherwise it is accepted.
This type of test does not appear in the NIST 800-22 test set to find out the randomness degree of the bit string. That is, the randomness of the tone distribution for the basic colors in the encrypted image is not measured in that standard.

III. BUILDING ELEMENTS
This section presents the procedure to generate chaos, and the algorithm for producing permutations.

A. CHAOS
The generation of an S-box with the appropriated characteristics for security, including high nonlinearity (≥ 100), a Differential Power Analysis (DPA) < 10, and a robustness of differential cryptanalysis ≥ 0.96, among others, can be a difficult issue. However, this complexity can be reduced if chaos is used, this is, choose it in a random way. In SCEC, the logistic map equation shown in Eq.(30) is applied to generate chaos: The limit of y n (if exists) can be calculated when n → ∞ in Eq. (30). This limit is expressed by Eq. (31): In practical situations, the values y n are stabilized when n ≤ 1000 if the limit exists. However, when r = 3.88171828182845. . . 27618 (311 digits after the decimal point) the number of possible y n is so high that chaos occurs [52]. In this research, that value of r is taken, and x 0 is in the range 0 < x 0 < 1. The values y n in Eq.(30) meets the three aspects of chaos: 1) They are deterministic.
The numbers (m − 1)!, (m − 2)!, . . . 1!, 0! are fixed for a given m, and for simplicity they can be expressed as (m − i)!, where i = 1, . . . , m represents the factorial base. It will be seen in the algorithm description that D m−1 = 0, and the inequality in Eq.(33) applies: Once the values D 0 , D 1 , . . . , D m−2 are calculated, Algorithm 2 is executed: Step 0: An array in increasing order is generated using Eq. (34): Step 1: Applying Eq.(33), it follows that D 0 < m. Thus, X [D 0 ] is an element of the Step 0 arrangement. X [D 0 ] is removed from the array and its place is taken by X [m−1], that is, the last element arrangement, and two operations are performed: elimination and substitution. It means that the other array elements remain unchanged and only the new position of X [m − 1] is assigned. If the value of D 0 corresponds to the last element position, then X [D 0 ] is removed from the array and its position is taken by X [m − 2].
Step 2: In the same way as in the previous step, D 1 < (m − 1) using Eq. (33), and X [D 1 ] is an element of the Step 1 arrangement. Then, X [D 1 ] is removed from the array and replaced with the last element. If X [D 1 ] is the last member of the array, proceed as in the previous step.
Step Algorithm 2 defines a bijective function Z m :→ m , which is denoted as I m . This is stated in Theorem 3: Theorem 3: Given the sets Z m = {n ∈ N | 0 ≤ n ≤ m! − 1} and m = {π | π is a permutation from 0, 1, . . . m − 1 array }, then Algorithm 2 defines a function I m : Z m → m that is bijective.
Proof: First, it is shown that I m is a one-to-one function. The reductio ad absurdum method is used for the proof. It is assumed that for n 1 = n 2 ∈ Z m ⇒ I m (n 1 ) = I m (n 2 ), but according to Eq.(32), the positive integers n 1 and n 2 can be expressed as in Eqs. (35) and (36), respectively: By hypothesis, I m (n 1 ) = I m (n 2 ) means that the elements of both permutations were selected in the same way, so that D 0,1 = D 0,2 , D 1,1 = D 1,2 , . . . , D m−2,1 = D m−2,2 , and if this is true then n 1 = n 2 . However, this contradicts the hypothesis, so it follows that if n 1 = n 2 ∈ Z m ⇒ I m (n 1 ) = I m (n 2 ). This demonstrates that I m is a one-to-one function. The function is also onto because the number of elements in both sets Z m and m is the same.

C. S-BOX GENERATION WITH HIGH NONLINEARITY
From Eq.(30), it is possible to generate numbers with a chaotic form using a certain r value. In this research, r = 3.881 . . . 7618 as previously stated. In spite of there are several possible values that can be assigned to r to generate chaos, r has a fix value and y 0 is variable in the range 0 < y 0 < 1.
The Java programming language was used for implementing the proposed algorithm. The procedure to generate the boxes is as follows: the y 0 value is calculated multiplying a prime p by π. Then, 499 digits of the product are taken after the decimal point, and this is y 0 . This process starts with p = 2, 3, 5, 7, . . . and so on. The number of iterations n goes from 200 to 5,000, at most. The result is lower than one, and the digits to the right of the decimal point do not follow any pattern, that is, they appear in a pseudo-random way. Thus, 1000 digits are taken after the decimal point in every iteration.It is possible because the BigDecimal Java class was applied for defining the number, where the precision given by the number of digits to the right of the decimal point can be arbitrary established as required. It is proposed to take blocks of one byte, one after another, from the decimal point to the right to calculate the constants that are required in expression (32), using the relation D i = b i mod(256 − i), where b i is the non-negative integer value associated to the i-th byte, for i = 0, 1, . . . , 254. Once the constants D i are calculated, Algorithm 2 is applied to obtain a permutation of an 256-element array, taking into account that D 255 = 0.
A substitution box is a permutation of a 256-position arrangement. After the box is obtained its nonlinearity is calculated by to Eq. (37), where NL i is obtained from the Walsh function [53], expressed in Eq. (38): It is required an S-box with a minimum nonlinearity of 100, considering that the maximum nonlinearity is 128. Additionally, the box must have a DPA < 10, since the propose box must be resistant to the differential attack [54]. Table 1 shows a S-box with nonlinearity of 100 and DPA < 10, with the corresponding values for y 0 , r, p, and n:

IV. ENCRYPTION PROCEDURE
SCEC is a cryptosystem of the Substitution-Permutation-Network type with 14 rounds, which defines a symmetric encryption process [24], using the S-box from Table 1. In Section VII, the characteristics of this box are compared with the original and a variant of the AES S-box, considering the endurance to differential and linear attacks [55], among other parameters. The following is a high-level description of the encryption algorithm: I) A line of bits randomly selected by the algorithm is added after the last line of the image, before starting the ciphering process by itself. The resulting image is 513 × 512 pixels, considering that the image size in this research is 512 × 512 pixels. The objective is to improve the values of NPCR and UACI, since the key depends on the inserted line.
II) The Sha-512 function is applied to the 513 × 512 image to generate a 512-bit string. It is proposed that the integer associated with this string, K , be the encryption key. Because of the characteristics of the Sha-512 function, every time an image is encrypted the keys are probably different; that is, the probability of collision is very low [33], [56]. So, the number of elements in the key set is ≈ 2 512 . III) A permutation P that has the image size is applied before the first round. Then, an XOR operation between the first schedule key and the string resulting from the permutation is applied as the first step in the first round. The procedures for generating the permutation and the keys are described later, but it is pointed out that each schedule key has the image size. The substitution procedure is applied after performing the XOR operation, using Table 1 according to the FIPS 197 standard, and P is applied to the result.
IV) From the second to the thirteenth round the XOR and substitution operations are applied, in this order.
V) In the fourteenth round, the XOR and substitution operations are applied, in that order. Then, the inverse permutation P −1 and the XOR with the last schedule key are carried out to finish the encryption.

A. PERMUTATION
The image has m pixels numbered from 0 to m − 1; then, the constants D i are calculated to alter the order of the image pixels. It is not necessary to know n in expression (32). The first schedule key k 1 is considered for calculating D i . It is divided into one-byte blocks. The first three blocks from k 1 are taken; i.e. 1, 2 and 3, to form a 24-bit string, where a 0 denotes the non-negative integer value of this string. Then, it is proposed to calculate the first constant as D 0 = a 0 mod (m − 0), where m is the number of pixels in the image. A byte is right shifted to compute the second constant, D 1 . In other words, bytes 2, 3 and 4 are taken from the string k 1 , in another 24-bit block. Following the same process, D 1 = a 1 mod (m− 1) and the last constant D m−1 = 0. Blocks of 24 bits are used since the intensity resolution in many images is 2 24 . Once the constants D i have been calculated, Algorithm 2 is applied to obtain the permutation P.
The elliptical curve encrypts points of itself. In fact, when it is desired to encrypt symmetric-cryptosystem keys, a protocol is required for that encryption. In this sense, the proposed system encrypts only one point, and it is not necessary to elaborate an additional protocol for the distribution of the keys. Furthermore, a secure communication scheme requires two cryptosystems: a symmetric one for ciphering the image, and an asymmetric system for ciphering the key. However, SCEC is simpler since it only requires the elliptic curve. Besides, with the elliptic curve it is possible to use the Diffie-Hellman protocol. VOLUME 8, 2020

B. GENERATION OF THE SCHEDULE KEYS
The curve described in Eq.(4) is used to generate the schedule keys for the proposed cryptosystem. The values a, b, p, q, k and #E(F p ) meet the conditions mentioned in Section II-A.
When the number of solutions of the elliptic curve is a prime, all the solutions (x, y) are different and they appear in a pseudo-random way. In addition, the elliptic curve proposed has the following characteristics: the prime p is higher than 2 512 and the prime in Eq.(39) is approximately the same size. For this research, a value of p = 2 565 was selected. An example is shown below: Generator element: The first schedule key k 1 is obtained as follows: the point (K )α = P 1 = (x 1 , y 1 ) is evaluated, where K is the positive integer associated to the Sha-512 chain of the image. Then, the points P 1 + α, P 1 + 2α, . . . are computed, such that the concatenation of the coordinates for these points is the shortest string, but higher or equal to the image size. If it is higher, the remaining bits are removed to make the string length equal to the image size. Lets denote this chain as D. Subsequently, a one-bit circular left shift is proposed for the D-chain. The resulting string is divided into 8-bit blocks, and the substitution process is applied using the box in Table 1. Lets call D 0 the previous result. Another circular left shift is applied, and then the S-box is used in the same way as above. The result is denoted as D 1 .
If this process is repeated, the D 6 chain will be obtained which is proposed as the first schedule key, i.e. k 1 . This decision is further explained in Section VII. The procedure continues to obtain the remaining 14 keys k i , with i = 2, . . . , 15, in the same way: starts with one-bit left rotation using chain k i−1 , and then the substitution operation is performed.
On the other hand, it can be observed that (x 1 , y 1 ) is the base for developing the symmetric cryptosystem. The sender uses the public key of the receiver, say Q , to encrypt (x 1 , y 1 ), and later the receiver using their private key, say m , decrypts the sent point [14]. Also, using the elliptic curve and the value of the Sha-512 function it is possible that the sender signs the information, applying the Elliptic Curve Signature Algorithm -ECSA [57].
Regarding the concatenation of the curve point coordinates, from a given point (x 1 , y 1 ), it is important to note that each coordinate is written without zeros to the left. That is, it starts with the most significant hexadecimal number other than zero, so that at most there will be 3 zeros to the left. In fact, this happens when the number 1 is expressed in hexadecimal. Another relevant point to note is that the K integer is utilized to obtain the point K × α = (x 1 , y 1 ) and only masks the information. In other words, the receiver does not need to know the value of K , since the schedule keys can be calculated by knowing the point (x 1 , y 1 ).

C. IMAGES USED FOR TESTING
The images used for testing SCEC are presented in Fig. 2. These images are 512 × 512 pixels, and have been recurrently employed in previous works for their special characteristics [58]. The Donkey and Cameraman images were selected because they are black-and-white pictures, and if a symmetric system is used for encrypting them there is a risk that the encrypted images could not pass the randomness tests proposed in this work. Two more images were employed for testing SCEC: one completely white and another completely black, with all the bits in 1 or in 0, respectively. On the other hand, the AES-CBC system is commonly used to encrypt images. However, this mode of encryption do not produce good results when the ciphered image is damaged by noise, as will be seen later. Furthermore, the CBC mode is sequential [24]. For this reason, the cryptographic characteristics of the S-box of SCEC were compared directly to AES, while the performance of SCEC for encrypting images is compared to AES-CBC.

V. NOISE EFFECT ON THE CIPHERED IMAGES
SCEC can stand a certain damage degree produced by noise over the encrypted image. In order to test this capability, different noise sources were applied to the encrypted images to simulate their effect. Four types were considered: Gaussian, additive, multiplicative, and occlusion noise. A new measure denominated Similarity Parameter is implemented in this work, to evaluate this feature. Also, a median filter was applied to the damaged images to complement the testing.

A. NOISE GENERATED BY A GAUSSIAN RANDOM VARIABLE
Mathematical models of the Gaussian noise have been developed in two domains: spatial and frequency. In this work, the standard normal distribution is applied to assign values in the frequency domain, while a uniform distribution is used for choosing points in the spatial domain.
The density function of the normal distribution is expressed in Eq. (40), where µ is the mean and σ is the standard deviation. The normal distribution of the random variable x with parameters µ and σ is denoted as x ∼ N (µ, σ ).
A random variable z has a standard normal distribution if z ∼ N (0, 1). Eq.(41) corresponds to the density function for this particular case:

1) SPATIAL DOMAIN
The selection of the (x, y) points is carried out as follows: the points are listed as (0,0) ↔ 0, · · · , (0,511) ↔ 511, (1,0) ↔ 512, · · · , (512,511) ↔ 262655, since the encrypted images are 513 × 512 pixels size. Then, it is possible to define the set W by Eq. (42). With this information, a sample is randomly selected from W , with a size up to 40% that of the encrypted image, as it was pointed out previously.

2) FREQUENCY DOMAIN
For the frequency domain, a random variable w c is defined in the discrete range 0, 1, 2, · · · , 255, where c indicates the basic color. A value z is chosen with a number generator, taking into account that z ∼ N (0, 1). In addition, z = −3 and z = 3 are taken if the number generator assigns values lower than −3 or higher than 3, respectively. Then, −3 ≤ z ≤ 3, and the random variable w c is defined according to Eq.(43), considering that this type of noise replaces the original intensities of the image with central values; i.e., integers around 127.5.
On the other hand, the symbols , and , are used to discretize w c . The first pair, w c , means that the integer part of the variable is taken, and is applied when the decimal fraction of w c is ≤ 0.5. The second case, w c , means that the integer part of w c plus one is taken if the fraction is > 0.5. VOLUME 8, 2020 Summarizing, the process for simulating noise generated by a random Gaussian variable over an encrypted figure is as follows: • The points (x, y) are selected from the map of the encrypted figure, and the number of points depends on the noise degree to simulate.
• Every point has an intensity level assigned for each basic color, denoted as w c . The procedure is carried out separately for each basic color, within an intensity range from 0 to 255.
• The z-value is generated according to the standard normal distribution, and w c is computed using Eq.(43).
• The value w c is replaced by the discrete value of w ' c .

B. ADDITIVE AND MULTIPLICATIVE NOISES
For generating these types of noise, a set of pairs is randomly chosen, each pair formed by a point (x, y) and an integer η(x, y). In the frequency domain, the intensity levels w c are converted to w c . For additive noise, Eq. (44) is used for the conversion, while Eq. (45) is applied for multiplicative noise:

C. OCCLUSION NOISE
For this type of noise, the points (x, y) are selected according to a concentric parallelogram over the encrypted image. Then, the intensity values of the points inside the parallelogram are replaced by a single color. A cherry color was selected for the simulation in this work. This process is equivalent to deleting the information in a specific central area of the encrypted image, as shown in Fig.3.

D. MEDIAN FILTER
The median filter is a non-linear type statistical. In this case, a 3 × 3 element mask is used. In general, the filter makes a manipulation in a space (n × m) of the image pixels. The median algorithm process is as follows: given any image pixel (x, y) the analysis is made in the neighboring elements. For a 3 × 3 mask, the adjacent pixels to (x, y) are shown in Fig.4. The levels of the basic colors for each of the neighbor cells and the image pixel (x, y) are ordered. After the cells are arranged, their median must be higher or equal than the first n 2 -1 elements; (i.e 50%), and lower than the remaining cells. The median for each color is denoted as M r,i , M g,i and M b,i , respectively.

E. SIMILARITY PARAMETER
As mentioned before, four types of noise were considered for testing the images encrypted with SCEC, namely: Gaussian, additive, multiplicative, and occlusion. The test began with a damage percentage of 20% of the image size, then it was increased to 30% and 40%, all this carried out for each of the noise types. In this order of ideas, it is important to measure the sharpness-loss percentage for damages in an encrypted image, in respect to the original image. Furthermore, a question arises: what is the sharpness improvement of a damaged image when it passes through a filter? For answering it, a new measure named Similarity Parameter (SP) is proposed in this research. SP is calculated according to Eq. (46): In Eq. (46), c indicates that the measurement is made for each color. On the other hand, since the range of values for UACI is from 0% to around 33.4%, the factor 2.994 is included to let SP cover an approximate range from 0% to 100%. When both images are equal (that is, without encryption) then SP = 100%. However, if the resulting image is well encrypted UACI ≈ 33.4 and SP ≈ 0, indicating that there is no similarity between them. As can be seen, SP gives an accurate idea of the damage impact on the sharpness, as well as the improvement when a filter is applied.

VI. TEST PROCEDURE AND RESULTS
First, the results of images ciphered without damage are presented, followed by the results of images with damage. The instruments for measuring the randomness are divided in two: those that present a deterministic result, such as entropy, correlation, NPCR, UACI and AC; and those that perform a hypothesis test: the Discrete Fourier Transform and the Goodness-of-Fit test. As an example of the testing, Fig. 5 presents the Lena original image, and its encryption using SCEC.  Table 3. The first key is obtained from (x 1 , y 1 ) using K , which is the integer associated to the Has Sha-512 chain of this image.

A. ENTROPY AND CORRELATION
The values of the correlation are presented in Table 4. The NPCR value appears in Table 5, for each basic color.      Similarly, Table 6 and Table 7 shown the values of UACI and AC, respectively.

B. DISCRETE FOURIER TRANSFORM AND THE PROPOSAL TEST
The results of the randomness in the ciphered images measured with DFT are presented in Table 8. As previously explained, an additional test named Goodness-of-Fit using the χ 2 distribution was proposed for this measurement. Table 9 shows the results of this test for the four encrypted images.

C. TEST IMAGES COMPLETELY BLACK OR WHITE
The following experiment was carried out in this section: two images were encrypted, one completely black and another completely white, and the resulting values of NPCR, UACI and AC parameters are reported in Table 10.

D. RESULTS OF THE ENCRYPTED IMAGES WITH DAMAGE
This section presents the results when noise was applied to the encrypted images to simulate damage. It starts presenting the results of images encrypted with the AES-CBC mode and a percentage of noise. Two encryption cases are considered, one with additive noise and another with occlusion. Fig. 6a presents the original Lena image. Subsequently, this image is encrypted with AES-CBC mode with an additive noise equivalent to a 35% of the image size, applied to the encrypted image. Then, it is deciphered and the result appears in Fig. 6b. Fig. 7 illustrates the second case; i.e., the image is encrypted according with AES-CBC mode and occlusion noise of 40% of the image size. This same process was carried out encrypting the image with the proposed algorithm. Fig. 8 shows the image of Lena encrypted and decrypted with 40% damage applying occlusion noise, using SCEC.    In Section V, it was pointed out that a 3 × 3 median filter would be used to improve the sharpness in the encrypted images with damage. In this vein, Fig.9a presents the Jet image decrypted with SCEC, after additive noise of 40% was inserted to the encrypted image. Subsequently, the filter was applied to the decrypted image with damage, and the result is shown in Fig.9b. Table 11 presents the value of SP with different percentages of additive noise damage, for the encrypted test images. Table 12 shows the SP values after applying the filter, inserting a 40% damage for the four noise types. The results in both tables were generated by SCEC.

E. SENSITIVITY
In this research, the sensitivity is measured by using the correlation, and the objective is to prove that there is no  relation between two images that were ciphered with very similar (close) keys [61]. So, an attack making small changes on the key can be implemented in the same way a differential attack is performed by small changes in the plain image. The sensitivity is evaluated as the correlation between two cipher operations applied to the same plain image using two different but very close keys, K and K + 1, where K is randomly chosen. It is considered that there is no relation between two ciphered images if their correlation is close to zero. The results of this analysis are presented in Table 13.

VII. ANALYSIS AND DISCUSSION OF RESULTS
This section begins with an analysis of the security in SCEC. Three different attacks were considered: those directed to the elliptic curve, those applied to the proposed symmetric cryptosystem, and those producing damages to the encrypted images. The attack on the elliptic curve leads to the problem of the discrete logarithm. Since the prime number q used in this proposal is > 2 512 , it follows that the discrete logarithm problem is equivalent to factoring an integer n of size 2 15000 in an RSA scheme, which is much higher than the RSA version currently in use [10]. Regarding the brute force attack, the following considerations are made: since q > 2 512 , it implies that the set of keys of SCEC is > 2 512 elements. So, in a brute force attack to SCEC, approximately 2 512 keys must be proved, which is much higher than the 2 256 keys in the AES-256 cryptosystem. Therefore, a brute force attack on SCEC is practically impossible because of the quantity of both the computing resources and the time required.
There are two main attacks to the symmetric systems: linear and differential. A way to evaluate the resistance of an S-box to them is by using the DPA parameter, which must be <10 [13]. In this sense, the S-box of AES presents a value of 9.6, while the S-box of SCEC has a value of 9.3. Considering than the lower the DPA value the higher the resistance, then the proposed S-box would be more resistant to the linear and differential attacks than the box of AES. However, there are other parameters to consider in order to make a fair comparison. For this reason, the SET tool [63] was applied to the SCEC and AES boxes, and the results are shown in Table 14. As can be seen, the performance of SCEC concerning the resistance to the linear and differential attacks is very much similar to AES.
On the other hand, the differential attack over SCEC cannot be performed because NPCR ≈ 99.96%, as well as UACI ≈ 33.4%, and AC ≈ 50%, indicating the system robustness [48]. The same situation occurred when encrypting completely white or black images.
As for the noise attack to encrypted images, it can be affirmed that SCEC resists damage up to 40% of the encrypted image size, from four types of noise: occlusion, additive, multiplicative, and Gaussian. In addition, a 3 × 3 median filter was applied to the decrypted images with damage to improve their sharpness, such that the similarity parameter SP has at least a value of 78%, and in some cases it reached almost a 90% as indicated in Table 12.
The encryption quality of the images is analyzed in two directions: the first considers the entropy, correlation, DFT, and the proposed Goodness-of-fit test, and the second one is referenced to the NPCR, UACI and AC parameters. In both cases, the results show that the encryption is adequate from a security point of view. The correlation and entropy corresponding to some of the ciphered images also were calculated in [59], [60]. The results generated by SCEC are similar to the reported results in those works for the correlation, while in the case of the entropy the values from SCEC surpass them. However, these parameters in SCEC are calculated for each basic color, producing a higher precision to evaluate the performance. As an example, Table 15 presents the corresponding results for the cameraman image, considering both the horizontal correlation and the entropy.
Finally, the entropy of the schedule keys is analyzed. In Section IV-B it was indicated that the process of shifting and substitution is applied six times before generating the first key. It is because the first strings have a low entropy, that is, 7.9. . ., but from the seventh step and ahead the chains reach an entropy of 7.999. . .. This results are shown in Table 3.
The proposed algorithm was developed using the Java language, taking advantage of the thread programming approach. An equivalent to an internal multitasking can be implemented with this approach, but avoiding the overhead derived from security and data integrity aspects corresponding to the process scheduling. This programming scheme highly reduces the execution time of the tasks that can be parallelized [62], without requiring multiprocessor platforms. Table 16 shows the reported time for different encryption systems, when ciphering a 512 × 512 image. As can be seen,   the time required by SCEC for this operation is considerably lower.

VIII. CONCLUSION
In this work, a novel symmetric cryptosystem (SCEC) is presented, for encrypting color images using the elliptic curve with a prime number p = 2 565 . SCEC is highly secure because it can resist the following attacks: linear, discrete logarithm, differential, brute force, and noise affecting the encrypted images. The quality of the encryption was measured according to the following parameters: entropy, correlation, DFT, and Goodness-of-fit test. In addition, the NPCR, UACI, and AC, among other parameters, were also used for evaluating the performance of SCEC from the security point of view. The results are satisfactory, and very much similar to the corresponding values of AES. However, the addition in SCEC of a high protection to different types of noise damage on the encrypted images produces a higher performance than the version of AES for this task, AES-CBC. Also, the encryption of completely black or white images was carried out, obtaining good results in both cases.
It is pointed out that the permutation applied at the beginning of the encryption and its inverse in the last round is variable; that is, it changes in every encryption process because it depends on the first schedule key. For this reason, the complexity to attack the SCEC cryptosystem is highly increased.
An additional advantage of SCEC is its flexibility to be converted from a symmetrical system to a hybrid one, since even its schedule keys can be ciphered without requiring to send the key to the receiver.
As future work it is considered to implement versions of SCEC for ciphering compressed images in different formats such as jpg or png, for commercial applications. Also, it is intended to evaluate the effect of different filter types for improving the sharpness of encrypted images with damages from diverse sources, in order to include one of these filters as a part of the proposed cryptosystem. Finally, the use of tools as the Matlab function GLCM2 is considered for comparison purposes.