A New 12-Bit Chaotic Image Encryption Scheme Using a 12 × 12 Dynamic S-Box

The use of 12-bit levels of grayscale in medical image representation allows for more precise image analysis and diagnosis, and encrypting such images is essential for protecting patient privacy and security. Existing 8-bit image encryption schemes become inefficient when applied to 12-bit images. In this paper, we design a cryptographically strong encryption scheme to improve the efficiency of encrypting 12-bit medical images. The core of the proposed scheme is a key-dependent <inline-formula> <tex-math notation="LaTeX">$12\times 12$ </tex-math></inline-formula> S-box, which plays a crucial role in enhancing the security and efficiency of the encryption scheme. Most notably, test results show that <inline-formula> <tex-math notation="LaTeX">$12\times 12$ </tex-math></inline-formula> S-boxes offer significantly stronger confusion and key-sensitivity than their <inline-formula> <tex-math notation="LaTeX">$8\times 8$ </tex-math></inline-formula> counterparts. This finding enables the proposed <inline-formula> <tex-math notation="LaTeX">$12\times 12$ </tex-math></inline-formula> S-box-based scheme to process 12-bit images 3.3 times faster than an <inline-formula> <tex-math notation="LaTeX">$8\times 8$ </tex-math></inline-formula> S-box while passing all security tests. Experimental results show that the proposed scheme can encrypt 12-bit images at speeds up to 300MB/s. Moreover, the proposed scheme has also been shown to efficiently handle 8-bit images. Comparative results highlight the security and efficiency advantages of the proposed scheme over existing medical image encryption schemes.


I. INTRODUCTION
Medical imaging is a crucial tool for medical diagnosis.Medical image pixel intensity values are frequently digitized into 4096 grayscale levels.The larger number of quantization levels facilitates more accurate diagnosis.Therefore, the DICOM standard medical image format [1] allows 12-bit or 16-bit pixel format to represent the 4096 levels.When medical images are stored or transmitted, they should be encrypted to protect patient privacy.Traditional image encryption schemes are often designed to deal with 8-bit pixel representing 256 grayscale levels.A straightforward application of those 8-bit schemes to a 12-bit image would only retain the 8 most significant bits of each pixel [2], thus causing a loss in contrast precision, which can lead to mistaken medical diagnosis.Alternatively, 12-bit medical The associate editor coordinating the review of this manuscript and approving it for publication was Pedro R. M. Inácio .image files may be treated as a sequence of 8-bit bytes, thus ignoring the difference between the least significant and the most significant pixel bits.However, the security and quality of encryption can be negatively affected, and the security analysis can be misleading.Moreover, this mismatch between the 8-bit architecture of the encryption scheme and the 12-bit data format of the image can require two 8-bit encryption operations per 12-bit pixel, which reduces the efficiency in terms of encryption speed.
The motivation for this work is to design an encryption architecture tailored for 12-bit medical images to achieve the following goals: 1) to retain the medical image information fidelity, 2) to enhance the security of encryption and the validity of security analysis, and 3) to improve the encryption speed.
Existing image encryption schemes often use a dynamic substitution box (S-box) as a building component that provides confusion.As a common building block of cryptosystems, a bijective n×n S-box receives a group of n input bits and nonlinearly transforms them into a corresponding group of n output bits.The number of input bits is referred to as the width of the bijective S-box.Increasing the width of the S-box input and output from 8 bits to 12 bits enhances its confusion power by increasing the S-box key space from 2 8  ! to 2 12  ! .When chaotic maps are used in image encryption to generate random mask, the output of the chaotic map is traditionally truncated to 8 bits (mod 256) to match the pixel size.To deal with 12-bit images, the output of the chaotic map should be truncated to 12 bits (mod 4096) instead.Since the statistical properties of the generated random numbers is affected by the truncation length, the quality of the 12-bit truncated chaotic output should be verified.
Our contribution in this paper can be summarized as follows: • Proposing a new 12-bit chaotic image encryption scheme to match the format of 12-bit medical images, • Improving the security of chaotic image encryption using a 12 × 12 dynamic S-box construction method, • Improving the throughput of the scheme to handle high resolution 3D medical images in real time by truncating chaotic sequences values at 12 bits.
In the rest of the paper, we first review the necessary background on dynamic S-boxes, and chaotic maps, and review medical image encryption literature in Section II.Then, we present the proposed medical image encryption scheme in in Section III.The security and speed analysis of the proposed scheme is reported in Section IV.The justification of the proposed scheme design and the role of each building block are presented in detail in Section V. Section VI compares the security and efficiency analysis of the proposed scheme to relevant medical image encryption schemes.Finally, we present our concluding remarks in Section VII.

II. BACKGROUND A. CHAOTIC IMAGE ENCRYPTION
Chaos systems are a suitable choice for generating cryptographic pseudorandom sequences.Consequently, chaotic maps have been widely adapted and utilized in literature for various image encryption applications.Digital images in wireless communication systems have utilized chaotic maps to secure the transmission process [3], [4].Authors in [4] developed a new scheme to enhance the randomness of chaotic maps designated for wireless communication applications.In [3] two chaotic maps have been developed using Logistic Map and Arnold's Cat map to secure real-time transmission of digital images in wireless communication.
Thermal images can also be encrypted and secured using chaotic maps [5].Many chaotic image encryption schemes, such as [6], exploit DNA coding technique to enhance security.
Authors in [7] developed an efficient 1-D fractional chaotic map to improve speed and key space.Using their new chaotic map, the authors constructed an image encryption scheme capable of 20 MB/s encryption throughput.
In [8], authors utilized a hybrid chaos system that combines more than one map to develop a grayscale image cryptosystem.In their system, Arnold's cat map is exploited to implement the confusion process while the diffusion process is achieved by the combination of sine map, logistic map, and tent map.
Recently, authors in [9] developed a secure image encryption scheme based on chaotic map and S-boxes method.The proposed approach uses 16 different S-boxes which are constructed based on 16 distinct primitive polynomials.
The performance of chaotic image encryption can be greatly improved through hardware acceleration.In [2], the authors implemented their encryption scheme on a digital signal processor to achieve encryption speed of 2 MB/s.On a smartphone, the same scheme achieved 8 MB/s encryption throughput.The authors of [10] proposed a fixed-point chaotic map composed of cascaded Logistic map, Lozi map, and Tent map and used FPGA for the implementation to achieve real-time encryption speed of 27 MB/s on a 27 MHz FPGA.

B. MEDICAL IMAGE CRYPTOSYSTEMS
Encryption of medical images have found considerable interest among researchers.A medical image cryptosystem has been presented in [11], which uses cosine number transform over a known Galois field.Another cryptosystem introduced in [12], applied the cosine number transform to the medial image in the three dimensions, by shuffling the image pixels three times using chaotic Arnold map.A downside of these cryptosystems is that they were not concerned with studying and reporting encryption time.
The authors of [13] proposed a cryptosystem which adds DNA encoding to chaos.They performed the permutation, substitution, and diffusion by using an encryption process with two rounds of six steps.The long encryption time of their system makes it not a good choice for real-time applications.Similarly, [14] utilized DNA encoding and crisscross diffusion to design a chaotic medical image encryption scheme with improved resistance to differential attacks.
A combination of 3D image encryption, compression, and non-autonomous Lorenz system was presented in [15].Two points are noted about their system.Firstly, the encryption time is extremely long because of the employed iterative mechanism.Secondly, their scheme was not tested against differential attacks, which makes us suspect that it may not be immune to such attacks.
The medical image encryption scheme proposed in [16] used a four-dimensional chaotic system for iterative scrambling and bidirectional diffusion and introduced image-dependent key using the SHA-256 hash function.The multi-round process of permutation and diffusion slows down the performance of their scheme considerably.
In [17], the authors introduced a modified version of El-Gamal encryption systems combined with Arnold transform multi-round to encrypt the medical images.Their cryptosystem decreases the size of the cipher images by using a single elliptic curve point with several image pixels to accelerate the encryption process.Despite this size reduction, the use of multiple rounds costs longer encryption time, and using the same random number for each block exposes the system to hacking.The authors in [18] improved the cryptosystem proposed in [17] with a different random number generator (Mersenne Twister).This modification led to decreasing the encryption time but did not resolve the issue of using an identical random number for encrypting all blocks of the image.
A medical image cryptosystem called MIE-BX is proposed in [19].MIE-BX performed very fast permutation and diffusion.The authors claimed that their system can perform faster than AES.The authors in [20] reported a weak point in the system proposed in [19], namely its susceptibility to an attack called the PRNG reset attack, in which the attacker can reset the random number generator which leads to generating the same random number for the encryption process.The authors of [20] proposed a non-linear algorithm applied to the permutated image to overcome the reset attack.Unfortunately, the authors did not report any complexity analysis or encryption time results to evaluate the speed of their proposed scheme.
In [21], the authors proposed a medical image encryption generic framework with guarantees on security against various cryptanalysis attacks.The framework uses a PRNG to generate random nonces used for the encryption of each image.The framework was shown to achieve high encryption speeds of about 90 MB/s using Henon map or Baker map.The authors of [22] introduced a novel encryption scheme to secure the transmission of medical images and data in healthcare, particularly addressing the vulnerabilities of traditional digital watermarking methods.This scheme embeds encrypted medical images, physicians' fingerprints, and patient health records into a non-significant image, leveraging a chaotic encryption algorithm based on a permutation key and a hybrid asymmetric cryptography scheme that combines Elliptic Curve Cryptography (ECC) with AES.The proposed approach not only enhances the visual security of encrypted images but also improves the quality of medical image reconstruction, demonstrating significant advancements over existing secure image encryption methodologies in ensuring the integrity, authenticity, and confidentiality of transmitted medical data.Several existing medical image encryption schemes process 12-bit and 16-bit images.In [23], the authors address the critical balance between data security and image quality in healthcare watermarking schemes.Traditional methods often compromise image integrity, leading to security vulnerabilities.To counter this, they propose a novel reversible watermarking methodology, prioritizing both data embedding capacity and image imperceptibility without sacrificing security.This approach uses a uniquely generated key through a random path in a 4 × 4 block, ensuring robust security and minimal data distortion.The study tests data sizes ranging from 8 KB to 32 KB to evaluate image quality using metrics like PSNR, SSIM, and MSE.The findings demonstrate that their methodology significantly outperforms existing techniques, particularly in average PSNR (49.29), indicating a substantial improvement in embedding capacity and imperceptibility for MRI watermarked images.A 12-bit pixel is padded with zeros to form a 16-bit word, which is then processed by the encryption scheme.The scheme proposed in [2] was also applied to 12-bit medical images.The scheme presented in [12] encrypts 3D medical images with 16-bit pixels but the expected value of the differential analysis metric was not modified correctly to reflect the 16-bit nature of the data.The authors of [19] calculated the expected values of differential analysis metrics, but not the critical intervals for passing the tests.

C. BAKER MAP
The Baker map is a traditional chaotic map that can be used in scrambling an image, which changes pixels positions based on a key.The standard Baker map B splits a square into two rectangles as follows [24]: As a generalization, the Baker map splits a square into vertical rectangles of different widths based on the key, then maps each rectangle to a horizontal slice of the output square.
A discretized version of Baker can map image pixel positions to new output positions in a bijective way.The mapping process starts by splitting a square matrix of H × H pixels into rectangular slices of varying widths w k , such that each w k divides H.Each resulting slice of size H×w k pixels is split into w k horizontal rectangles of size H k × w k pixels, where H k = H/w k .The H pixels within each rectangle are then output in column-major order from the bottom up into a corresponding row of the output.The number of input columns preceding the kth slice is denoted W k = k−1 t=1 w t .Each input pixel at column x and row y from the kth slice such that W k−1 ≤ x < W k is transposed to output column x ′ and row y ′ using the following discretized Baker map formula [24] x ′ , y On the other hand, the Baker map can be used to change the pixel value (substitution) instead of changing its position.
Starting from an initial state, (x 0 , y 0 ), the process then applies Baker map to compute sequence of L points, where L is the number of image pixels.Each point, (x n , y n ), is calculated from the last point using the following recurrence formula [21].
Subsequently, the chaotic sequence ⟨(x i , y i )⟩ L i=1 is transformed into a mask sequence ⟨m i ⟩ L i=1 of 8-bit elements using the following formula: XORing the resulting chaotic mask sequence with plain image pixels is useful for achieving histogram equalization.

D. CRYPTOGRAPHIC SUBSTITUTION BOXES
Substitution boxes are basic component of cryptographic schemes.It works as a function from m-bit input vector to an n-bit output vector.For bijective S-boxes, the size of input and output vectors is the same and the mapping must be invertible.
In dynamic S-boxes, the mapping between input and output bit vectors changes dynamically for each encryption instance.A dynamic S-box is called key-dependent if the mapping is determined by a secret key to add an extra layer of confusion to the encryption scheme.Dynamic 8 × 8 S-boxes have a vast key space of 2 8 !∼ =2 1684 , which is extended even further by dynamic 12 × 12 S-boxes to 2 12  !∼ =2 43250 .S-boxes are usually implemented using lookup tables.Therefore, a 12 × 12 S-box can be stored in 8192 bytes of byte-oriented memory, which has become a negligible cost considering the state-of-the-art in computer architecture.
Several algorithms for constructing dynamic S-boxes appear in literature.The work presented in [25] compares five categories of algorithms for constructing dynamic bijective S-boxes from random sequences, namely, cleansing duplicates, sorting elements, Fisher-Yates shuffle, naïve shuffle, and random composition.The author concludes that the quality of the generated S-box is almost independent of the S-box construction algorithm.Earlier work in [26] showed that the choice of the chaotic map generating the random sequence doesn't affect the properties of the dynamic S-box either.
Although most of the literature is focused on generating 8 × 8 S-boxes, a few attempts at generating wider S-boxes have been reported.The authors of [27] used heuristic search to evolve bijective S-boxes of various sizes up to 12 × 12 S-boxes.In [28] the author used an algebraic structure to construct a highly nonlinear 12 × 12 S-boxes.

III. PROPOSED MODEL A. SCHEME INITIALIZATION
The proposed scheme uses a PRNG component to generate random nonces that serve as ephemeral encryption keys.The PRNG must be initialized with a secret seed derived from a truly random source.The proposed scheme uses a public-key encryption for sharing the ephemeral encryption keys.To setup a secure communication channel between a sender and a receiver, the receiver uses elliptic curve ElGamal public key scheme, described in [29], to generate a pair of public and private keys, (K A , K B ).The receiver then shares the public key, K A , with the sender over the channel.

B. ENCRYPTION PROCESS
The encryption process takes a plain image, I, containing L = n × m pixels.The plain image pixels are taken in lexicographic order, denoted ⟨I i ⟩ L i=1 .For each plain image, two random nonces, N S and N C , are generated to serve as the image encryption keys.Using N S , a dynamic key-dependent 12 × 12 S-box, S, is constructed by following the S-box construction algorithm described later in Section III-D.Using N C , a Baker chaotic map is initialized, run for 512 iterations to increase key sensitivity, and then run for L iterations to generate a 2D chaotic sequence (x i , y i ) L i=1 using equations ( 1) and ( 2), and convert it to a sequence of 12-bit integer numbers M = ⟨M i ⟩ L i=1 using the following equation.
The sequence M is flipped to obtain M ′ , i.e., M i Each pixel, I i , of the plain image, I, is encrypted to produce a corresponding cipher pixel, C i , of the cipher image, C, using the equation.
Using the receiver's public key, K A , the encryption subkeys, N S and N C , are encrypted by the elliptic curve ElGamal cryptosystem [29], into N S ′ and N C ′ , respectively.The encrypted subkeys, N S ′ and N C ′ , are transmitted along with the cipher image C to the receiver.The encryption process is illustrated in Fig. 1.

C. DECRYPTION PROCESS
Using the private key, K B , the decryption process recovers the encryption subkeys, N S and N C , from N ′ S and N ′ C extracted from the received cipher message.
The decryption process replicates steps 3, 4, and 5 of the encryption process to generate the key-dependent S-box, S, the chaotic mask, M, and the flipped chaotic mask M'.
The inverse S-box, S −1 , is obtained by calculating: Each cipher pixel, C i , of the received cipher image, C, is decrypted using the following equation, to produce a corresponding pixel, I i , of the plain image, I .
The decryption process is illustrated in Fig. 2.

D. DYNAMIC S-BOX CONSTRUCTION ALGORITHM
The proposed key-dependent S-box construction algorithm adapted from [31] combines two very efficient components, namely the Mersenne Twister pseudorandom number generator (MT19937 PRNG), and the Fisher-Yates shuffle algorithm [30].The PRNG is initialized using a seed computed from the random nonce, N S .Then the PRNG is queried to generate a pseudorandom sequence of 32-bit integers, which determine the two-round shuffling sequence.Tworound shuffling has the advantage of protecting the S-box against chosen plaintext cryptanalysis attacks as proven in [31].

IV. PERFORMANCE ANALYSIS
In this section, we analyze the security and efficiency of the proposed medical image encryption scheme.A set of three 12-bit medical plain images of size 512 × 512 pixels, shown in Fig. 3, is used for performing the different security tests.

A. STATISTICAL ANALYSIS
Statistical tests indicate the ability of the proposed scheme to resist statistical attacks.These tests include histogram, entropy, and correlation.The entropy of a 12-bit image I of size N ×M pixels can be computed as follows: where f k is the frequency of the pixels of image I having a particular color intensity value k.Whereas the entropy of an ideal 8-bit random image is 8, the optimal entropy value of a 12-bit random image should be 12.Table 1 shows the entropy values for the variety of plain images and for their corresponding cipher images, making it evident that our scheme almost achieves the optimum value of the random 12-bit image.A flat histogram of an image means that each pixel value has the same frequency which is an expected result of good randomness.However, for a 12-bit random image, the histogram has a large dynamic range of levels (2 12 ), getting a visually flat histogram is challenging, due to the small number of pixels that fall within each of the 2 12 bins.Fig. 3. shows the cipher images generated by the proposed scheme and their corresponding histograms.Although the histograms of the cipher images are more uniform than those of the plain images, it is difficult to judge the quality of the distribution visually.
For a more accurate judgment of the histogram, the Chisquared (χ 2 ) test is used to compare the histogram variance of the resulting cipher images to that of perfectly random images.The χ 2 test is computed as follows: where f k is the number of occurrence of pixels with color level equal to k in the cipher image, and E = N × M 4096 is the expectation of the number of pixels for each gray level in a uniformly random image.The histogram being tested is considered a uniform histogram if the p-value corresponding to the calculated value of χ 2 is greater than the significance level, α.To validate the randomness of cipher images generated by the proposed scheme, the χ 2 test is repeated for 1000 cipher images corresponding to each plain image with varying encryption keys.The results shown in Table 1 indicate that the proposed scheme produces a cipher image with a satisfactory histogram that is statistically indistinguishable from that of a uniformly random image that has 4096 gray levels.
The cross-correlation between the plain and cipher images is another widely used test that indicates the dissimilarity between the two images.In this test, a cross correlation value close to 0 means the two images are fully independent, whereas a value of 1 means linearly dependent images.Table 1 presents the cross-correlation values between the plain and cipher images, which reveal the proposed scheme success to generate a cipher image completely independent from the corresponding plain image.
Since adjacent pixels of an image are usually highly correlated, the plain image auto-correlation will be almost equal to 1 in all spatial directions (horizontal, vertical, and diagonal).If the proposed scheme can successfully cancel the spatial correlation in all direction, the auto-correlation value of the cipher image should be almost zero.As shown in Table 2, the auto-correlation values of the cipher images are close to zero.

B. DIFFERENTIAL ANALYSIS
In differential cryptanalysis, the adversary attempts to infer information about the secret key by observing how slight changes in the input plain image affect the corresponding cipher image.To ensure that the proposed encryption scheme can resist differential attacks, a slight change in the plain image should cause a dramatic change in the cipher image.In more rigorous terms, the difference between two cipher images corresponding to a one-bit change in the plain image should be indistinguishable from a random image.Two common measures of randomness used in differential analysis are the NPCR and UACI metrics.Given a 12-bit grayscale plain image, I , containing N ×M pixels, a single bit change is introduced at a random location to obtain the modified plain image, I ′ .The corresponding cipher images are denoted C and C ′ , respectively.The NPCR and UACI metrics are calculated using the following equations: For arbitrary 512 × 512 random 12-bit grayscale image, the mean and standard deviation of NPCR and UACI are calculated as follows [32].
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
Table 3 shows the acceptable values for NPCR and UACI randomness tests for 512×512-pixel 12-bit images at different significance levels.

C. KEY SENSITIVITY
An encryption scheme should be highly sensitive to changes in the encryption key to thwart related-key attacks.In this type of attacks, two keys which are closely related are used for encrypting the same image to analyze the effect of each bit of the key on the encryption process.A slight change in the encryption key of a secure encryption scheme should produce a change in the cipher image that is indistinguishable from a random image.To test the key sensitivity of the proposed encryption scheme, we apply the NPCR and UACI randomness tests when the least significant bit of each of the encryption keys, N S or N C is changed.The test is based on 1000 encryption attempts and the pass rates are reported in Table 5.
The proposed scheme is highly sensitive to changes in the S-box construction key, N S .
Similarly, Table 6 indicates that the proposed system is just as sensitive to the Baker map key, N C

D. RESISTANCE TO CHOSEN PLAINTEXT ATTACKS
To resist chosen-plaintext attacks (CPA), a PRNG is used to generate two random nonces, N S and N C , for each image being encrypted.N S and N C serve as encryption subkeys to initialize the MT19937 PRNG for dynamic S-box construction and the Baker map for chaotic mask generation.Each invocation of the encryption process generates a onetime-use S-box and chaotic mask.Therefore, the potential damage of any cryptanalysis attempt that could discover the chaotic mask or the S-box or even go further to reveal the corresponding encryption subkeys, N S and N C , is limited to the attacked image alone.Furthermore, the adopted two-round S-box shuffling procedure has the advantage of protecting the S-box against chosen-plaintext cryptanalysis attacks as proven in [31], which adds another obstacle to chosen-plaintext attacks against our scheme.

E. KEY SPACE ANALYSIS
Although the proposed dynamic 12 × 12 bijective S-boxes used by the proposed encryption scheme allows a key space of 2 12  !∼ =2 43250 , the actual key space of the S-box is determined by the size of the key, N S , allowed by the S-box construction algorithm.The proposed dynamic S-Box construction algorithm based on Mersenne Twister allows a key of size up to 19937 bits.
Similarly, the key space of the proposed encryption scheme is determined by its most vulnerable component, which is the public key encryption stage used for exchanging the image-dependent shared encryption keys, N S and N C .The elliptic curve ElGamal cryptosystem guarantees a higher security per key bit compared to its RSA counterpart [33].To guarantee security against elliptic curve discrete logarithm cryptanalysis, the size of the public key, K A , must be sufficiently large, for instance by utilizing a standard 256-bit Curve25519.

F. SPEED ANALYSIS
Efficiency is a major design objective of image encryption schemes.The 12-bit data path feature of the proposed image encryption scheme enables faster encryption of 12-bit medical images.To demonstrate the advantage of the 12-bit data path over the traditional 8-bit data path, 12-bit medical images of different sizes are encrypted using the proposed scheme using 8-bit and 12-bit data paths.The scheme was coded in Java and executed on Java virtual machine version 1.8 on a Core-i7-8565U processor with base frequency of 1.8 GHz and 12GB of RAM.
Table 7 shows the encryption speed up obtained by using a 12-bit data path.The speed up is defined by: Speed up = Encryption time using 8 − bit data path Encryption time using 12-bit data path When a 12-bit image is encrypted by an 8-bit data path, each pixel is zero-extended to 16 bits and treated as two 8-bit words.The results in Table 7 indicate that a 12-bit data path increases the encryption speed by at least 44% for images of size 1024 × 1024 pixels.Therefore, our scheme operating in 12-bit data path mode exhibits superior speed in encrypting 12-bit medical images, which have a higher dynamic range that facilitates more accurate medical diagnosis.Moreover, the results in Table 8 show that the proposed 12-bit data path can handle 8-bit images faster than the 8-bit data path.To achieve this speed, our scheme packs every three 8-bit pixels into two 12-bit words.

V. JUSTIFICATION FOR PROPOSED SCHEME DESIGN
The proposed scheme includes four effective design elements that facilitate the achievement of its security objectives with high computational efficiency.Namely, the scheme includes 1) a 12-bit key-dependent S-box, 2) two rounds of S-box substitution and XOR masking, 3) chaotic mask flipping, and 4) a final round of S-box substitution.To justify these design elements, we test a variety of potential configurations and measure S-box key sensitivity to determine which configurations are sufficiently secure.Subsequently, we compare the encryption throughput of proven configurations and choose the most efficient configuration.A configuration is determined by four factors: • The number of S-box-XOR rounds which is varied between 1 and 3.
• The mode used for generating the XOR mask for each round.The first mode uses the same chaotic mask for all rounds.The second mode generates a different mask for each round.The third mode flips the first-round mask and use the flipped mask for the second round.
• The key-dependent S-box can either be an 8 × 8 S-box or a 12 × 12 S-box.
• The final stage of S-box substitution can be implemented or removed.Table 9 summarizes the key sensitivity and throughput results for each of the 4 × 7 configurations.The encryption key sensitivity is tested with respect to changes in the S-box key using the UACI and NPCR randomness tests with α = 0.01 significance level.The test is repeated 100 times for each configuration and the configuration is said to pass the key sensitivity test when both the UACI and the NPCR tests are passed at least 96 times.Otherwise, the configuration is considered to fail the key sensitivity criterion.The results Authorized licensed use limited to the terms the applicable license agreement with IEEE.Restrictions apply.
in Table 9 show that only 8 configurations pass the key sensitivity tests, in which case its encryption throughput is reported.The configuration with the highest throughput uses 12-bit S-box in two rounds plus a final substitution with mask flipping, thus justifying the configuration proposed in Fig 1 .In the remainder of this section, we investigate the effect of individual design choices on security and efficiency.

A. THE EFFECT OF THE NUMBER OF ROUNDS
Existing chaotic encryption schemes which use a chaotic sequence to mask the plain image through an XOR often use key-dependent dynamic S-boxes to increase the key space and introduce further confusion into the encryption process.The schemes presented in [9], [34], and [35] use one S-box substitution in addition to the XOR operation.Alternatively, the scheme in [21] use two dynamic S-box substitutions: one before the XOR operation and another afterwards.The proposed scheme performs two rounds of S-box substitutions and XOR masking in addition to a final substitution.To avoid related key attacks, such encryption schemes should pass the key sensitivity test with respect to the dynamic S-box key.To isolate the effect of the number of the rounds, the remaining configuration parameters are fixed.Namely, we use a 12 × 12 S-box, with mask flipping and include a final substitution.The results in Table 10 show the effect of the number of rounds of S-box substitutions on the sensitivity tests with respect to the S-box key.Clearly, one round of S-box substitution is potentially vulnerable to related key attacks, whereas two or more rounds are secure.However, applying two or more rounds reduces encryption throughput.Therefore, the proposed scheme applies two rounds of substitution.

B. EFFECT OF MASK FLIPPING
When using 2 rounds, the two masks must be statistically independent.Instead of generating two different masks, we can exploit the low autocorrelation of the mask by reusing a flipped or shifted version of the mask in the second round.As shown in Table 11, mask flipping improved UACI test results from 25% to 99.2%.Moreover, mask flipping achieves a 150% increase in throughput in comparison to using a different mask for the second round.Therefore, mask flipping improves key sensitivity significantly while avoiding extra cost of generating a different mask for the second round.

C. EFFECT FINAL SUBSTITUTION
When using 2 rounds, the presence of the final substitution significantly affects the sensitivity to the S-box key avoiding the need for an extra round.The results in Table 12.demonstrate the significant improvement in sensitivity to the S-box key due to adding a final substitution after the second round.Adding a third round would have also fixed the key sensitivity issue, but at a higher toll on the throughput.

D. EFFECT OF 12 × 12 S-BOX
The use of the proposed 12 × 12 S-box improves the sensitivity of the scheme to the S-box key when the number of rounds is set to two with mask flipping engaged.Under these circumstances the 8 × 8 S-box counterpart fails the UACI test at α = 0.01 as shown in Table 13.A scheme based on 8 × 8 S-box only passes the UACI test after the third round provided that different masks are applied at each round.Consequently, the proposed 12-bit encryption scheme performs three times faster than an 8-bit scheme of similar security.

VI. COMPARISON WITH OTHER SCHEMES
To highlight the advantages of the proposed medical image encryption scheme, we compare its security and efficiency analysis to similar existing schemes.Unless otherwise stated, all 8-bit and 12-bit images used in the subsequent analysis are of size 512 × 512 pixels.
Table 14 shows the results of the entropy and spatial correlation properties of the cipher images generated by the proposed scheme in comparison to other schemes.The results indicate that the proposed scheme produces cipher images competitively close to the values expected of a random image.differential analysis results for the proposed scheme are compared to those of other schemes in Table 15.The results indicate that the proposed scheme is highly immune to differential cryptanalysis.To facilitate the comparison of the proposed scheme with related schemes, we used the same test environment used in [Ref. 21], i.e., Java virtual machine version 1.8 on a 3.6GHz quad-core Intel®Core™i7-4790 with 32GB RAM.37640 VOLUME 12, 2024 Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
In Table 17, we compare the encryption time of 12-bit image.As the results show, the proposed scheme reduced the encryption time of a 512 × 512-pixel 12-bit image from 5.6 ms down to 2.16 ms.For the other images, the proposed scheme consistently saves more than half of the encryption time.

VII. CONCLUSION
In this paper, we proposed a 12-bit architecture for medical image encryption based on a 12 × 12 dynamic keydependent S-box.The proposed scheme handles 12-bit medical images with high efficiency using the dynamic S-box for substitution and a Baker chaotic map for diffusion.We investigated 28 potential configurations and concluded that the best configuration that satisfies security requirements efficiently consists of two rounds of substitution-diffusion with mask-flipping followed by a final substitution.
Our experiments also showed that 12 × 12 key-dependent S-boxes are more immune to related-key attacks compared to 8 × 8 S-boxes.The proposed scheme passes key-sensitivity tests where the corresponding configuration based on 8 × 8 S-boxes fails.The proposed scheme achieves a 300 MB/s encryption throughput for encrypting 12-bit encoded DICOM medical images, which is three times faster than the equivalently secure 8 × 8-based configuration.
In addition to its superior efficiency in handling 12-bit images, the proposed scheme still handles 8-bit images slightly more efficiently than its counterparts with an 8-bit data path.A crucial design decision that enabled the proposed scheme to reap the performance benefits of the 12 × 12 S-box is the use of the extremely efficient Fisher-Yates shuffle and Mersenne twister PRNG to construct a dynamic 12 × 12 S-box in 0.1 ms which is negligible with respect to the image encryption time.
The proposed scheme passes all the security tests in electronic code book (ECB) mode without the need for chaining.This enables straightforward parallelization of the scheme once the Baker map is replaced by a parallelizable chaotic map such as the EC-based map found in [35].Parallelization will enable the proposed scheme to take advantage of readily available parallel processing capabilities such as multicore and multithreading processors available on modern computing platforms.

FIGURE 3 .
FIGURE 3. Effect of the proposed encryption scheme on image histogram.

TABLE 3 .
NPCR and UACI randomness test limits.The results of the NPCR and UACI randomness tests, based on 1000 encryption attempts, are shown in Table4.The results indicate that our scheme resists differential cryptanalysis.

TABLE 4 .
Differential analysis and pass rate.

TABLE 9 .
Throughput (MB/s) with various design elements.

TABLE 10 .
S-box key sensitivity for different number of rounds.

TABLE 11 .
Effect of mask flipping on security and throughput.

TABLE 12 .
Effect of final substitution on S-box key sensitivity.

TABLE 13 .
S-box key sensitivity with different S-box size.

TABLE 14 .
Statistical analysis for 8-bit cipher images.

TABLE 15 .
Differential analysis for 8-bit and 12-bit images.

Table 16
presents a comparison of key-sensitivity analysis results.The proposed scheme passes the NPCR and UACI tests with high probability.