An Efficient Image Encryption Scheme Based on S-Boxes and Fractional-Order Differential Logistic Map

In this work, an efficient image encryption based on S-boxes and fractional-order logistic map is proposed. The features of the fractional-order chaotic system in dynamical behaviors are exhibited. By simulation and comparison with the traditional logistic map, it is proved that the fractional-order logistic map contains larger key space and more parameters. Therefore, the fractional-order logistic system has better efficiency and security against cryptanalyst attacks. The S-boxes construction algorithm is proposed. By comparing with the S-boxes of the former schemes, the proposed S-boxes have good performance under Bits Independence Criterion (BIC), the Strict Avalanche Criterion (SAC) and the nonlinearity. Finally, the image encryption scheme is proposed for the verification. In the encryption process, the proposed S-boxes are used for scrambling and confusion. The simulation and experimental results indicate that the fractional-order method is a preferred approach to integer-order chaotic system.

In recent years, fractional-order differential equations and their application have attracted wide attention [25]- [34]. In comparisons with the integer-order equations, the fractional-order nonlinear dynamic systems exhibit new The associate editor coordinating the review of this manuscript and approving it for publication was Sun Junwei . dynamic behaviors in attractors, bifurcations and chaotic behaviors. Therefore, the motivation of the study is to exam the feasibility of applying the fractional-order chaotic systems in encryptions.
In this study, we mainly apply fractional-order differential logic map to design the encryption scheme. Jakimoski and Kocarev [24] proposed a four-step method to generate S-boxes by using employing chaotic maps. Farah et al. [13] proposed an S-box construction method based on two dimensional chaotic map and Chen et al. [9] ameliorated it by using a three dimensional map. Khan et al. [8] proposed a method for S-boxes generation based on multi-chaotic systems. Wang et al. [11] proposed a new method for designing S-box based on genetic algorithm and chaotic map. Hussain et al. [16] used a linear fractional transformation to construct a new S-box. Tang et al. [23] proposed a novel method to design S-boxes using chaotic maps. The aforesaid S-box construction methods are fast because the computational complexity of low-dimensional system is less than VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ that of high-dimensional systems; however, low-dimensional systems have limited and fixed parameter ranges due to the integer-order systems, which leads limited and fixed key space in encryptions. To overcome these problems, Hussain et al. [18] proposed an efficient LFT S-boxes construction method based on chaotic logistic map with the exponent as a parameter for good nonlinearity. Hussain's algorithm [18] achieves the larger parameter space. However, its fractional exponent is not continuous, which leads the uncertainty of employing the fractional exponent as a key. To overcome the above-mentioned shortcomings, we propose an efficient algorithm for constructing S-boxes by using the fractional-order logistic map. In comparisons with the integer-order logistic map, the fractional-order logistic map contains good features: 1) larger key space; 2) unfixed range of parameters; 3) more parameters; 4) the low computational complexity as the one-dimensional logistic map. Furthermore, it breaks the limit of the range of the parameter µ ∈ (3.57, 4] and has better chaotic ergodicity. Meanwhile, the fractional-order is continuous and can be used as a key parameter. Additionally, the Lyapunov exponent curves indicate the parameter µ has a much larger range in the fractional-order logistic equation than in the traditional logistic map. Therefore, the proposed algorithm has better randomness and security against common attacks.
In this paper, we thoroughly analyze the dynamics of the fractional-order Logistic map. Then, we introduce the construction scheme of S-boxes and give an efficient image encryption scheme that exemplifies the feasibility of fractional-order logistic map. To the best of our knowledge, few literatures apply the fractional-order chaotic system and S-boxes to design the encryption Scheme. The simulation and experimental results indicate that the proposed encryption scheme have high security performance.
The rest of this paper is arranged as follows: Section II introduces the fractional-order differential equation and its discretization. Section III shows features of the fractionalorder differential logistic map in dynamical behaviors. In Section IV, we present the chaotic S-box generation algorithm and related performance evaluation. In Section 5, the details of the image encryption scheme are proposed as well as the experimental results and performance analysis. In Section 6, the conclusions are drawn.

II. DISCRETE THE FRACTIONAL-ORDER DIFFERENTIAL LOGISTIC MAP
Consider the following fractional differential equations [34]: where D = d dt with the initial condition x(0) = x 0 . In the following section, we introduce the discretization process of Eq. (1) with piecewise constant arguments where, the initial condition Set t ∈ [nr, (n + 1)r) and n is a positive integer with n = 0, 1, 2, 3 . . . , then t r ∈ [n, n + 1). And hence, Eq. (2) is converted [34] into Set t → (n + 1)r, the above equation can be converted into .

III. FEATURES OF THE FRACTIONAL-ORDER DIFFERENTIAL LOGISTIC MAP IN DYNAMICAL BEHAVIORS A. BIFURCATION
The bifurcation diagram can directly reflect the dynamic behavior of the system in various parameter assignments. The fractional-order logistic system in Eq. (3) is analyzed, shown in Fig.1, with different values of the fractional-order parameter α. In Fig. 1, the fractional-order logistic differential equation contains the same period-doubling bifurcations approach chaos as in the classical logistic map. However, the parameter µ in the fractional-order logistic differential map breaks the range of µ ∈ (3.57, 4) in the traditional logistic map. In addition, the value of the chaotic sequence x n also breaks the range of (0, 1). In this work, the fractional-order parameters α and µ are chosen as secret keys to construct S-boxes. The different orders of this chaotic map contribute various ranges of parameters. Therefore, the proposed scheme has a larger key space than the traditional logistic map does.

B. LYAPUNOV EXPONENTS
Lyapunov exponent is an important index to evaluate the dynamic behavior of chaotic systems. The maximum Lyapunov exponent is related to its predictability. Any system with chaotic behaviors has at least one positive Lyapunov exponent. We calculate the Lyapunov exponent curves of the fractional-order logistic map with different values of the parameter α and the traditional logistic map in Fig. 2.
In Fig.2, the fractional-order logistic map has a much larger interval of the Lyapunov exponent than the traditional logistic map does. Therefore, the fractional-order logistic map has a large range of parameters for dynamical behaviors.

C. THE CHAOTIC TRAJECTORY
The value of the chaotic sequence x n , shown in Fig.3, breaks the range of (0, 1). It has the better randomness than the  traditional logistic system, which indicates the fractionalorder logistic system has stronger energy and chaotic ergodicity. Therefore, the fractional-order logistic system is more suitable for constructing S-boxes.

IV. PROPOSED S-BOXES ALGORITHM AND ITS PERFORMANCE A. CONSTRUCTION OF S-BOXES
The construction process of S-box is described as follows step by step: Step 1: Set parameter µ, α, r and initial value x 0 for Eq. (3).
Step 4: Add y n into the S-box if it does not exist in the S-box, otherwise the process returns to step 2 above to generate a new output value.
Step 5: Until all cell values of the S-box component are filled, the process continues.
Without loss of generality, we show two sample S-boxes designed by using the proposed algorithm and the first S-box is listed in Table 1. To evaluate the efficiency of the proposed scheme, we randomly choose different parameters to generate another S-box listed in Table 2.

B. PERFORMANCE ANALYSIS OF PROPOSED S-BOXES
Different standard performance analyses are accomplished to evaluate the strength of the proposed S-boxes. In this section, these assessments include strict avalanche criteria (SAC), bit independent criteria (BIC), nonlinearity, auto-correlation, correlation immunity, algebraic immunity, algebraic degree, fixed points, sum of squares, transparency order and NIST randomness test.

1) SAC
If half of the output bits of a Boolean function change when an input bit changes, the Boolean function is said to satisfy SAC. The ideal value for SAC is 0.5 [66]. And the SAC analyses of the proposed S-boxes are listed in Table 3.

2) BIC
In cryptographic systems, the bit independence is a very important property. As the independence between bits VOLUME 8, 2020  increases, it becomes more difficult to attack the cryptosystem. Table 3 shows the results of BIC analysis of the proposed S-boxes.

3) NONLINEARITY
Nonlinearity is defined for Boolean functions. To resist linear cryptographic attacks, the nonlinearity of Boolean functions should be large enough. The nonlinearity test results of the proposed S-boxes are listed in Table 3 together with SAC and BIC. Table 3, the proposed S-boxes have good performance under BIC, SAC and the nonlinearity in comparisons with Refs. [9], [24], [35]- [38]. The average SAC result of the proposed S-box2 is 0.5002, which is closer to the ideal value 0.5 than that of the obtained S-boxes in schemes [24], [35]- [38]. The fractional-order system has good ergodcity; therefore, the proposed S-box2 holds better SAC performance. Furthermore, the average values of the Nonlinearity of the proposed S-box1 and S-box2 are 105 and 104.5 respectively. The comparison in Table 3 shows that the  proposed S-boxes have better performance than the S-boxes in Refs. [24], [35]- [38]. Additionally, the BIC results of the proposed S-box1 and S-box2 are 102.9 and 103.4 respectively. The results are also comparable or superior to those of S-boxes in literature. The proposed scheme by using the simple fractional-order logistic map has the equivalent performances as the schemes by two dimensional chaotic maps [35], three dimensional chaotic map [9].

4) FIXED POINTS
In cryptosystem, direct or reverse (S(i) = i or S(i) = 255 − i) fixed points of S-boxes are usually undesirable, because they mean that the output is equivalent to the input. The test results of fixed points on the proposed S-boxes are presented on Table 4.
As shown in Table 4, there are very few fixed points for the proposed S-boxes. Therefore, it is impossible to attack the cryptosystem by analyzing the fixed points of the proposed S-boxes.

5) AUTOCORRELATION
Auto-correlation is a measure of the randomness of a chaotic sequence. In order to illustrate the randomness of the proposed S-boxes, the auto-correlation simulation experiments on the proposed S-boxes are carried out, and the results are shown in Fig. 4.
As shown in Fig. 4, the autocorrelation coefficients are close to 0. Therefore, the proposed S-boxes have the nature of randomness.

6) ALGEBRAIC IMMUNITY
It is important to measure the algebraic immunity of an S-box in cryptosystem. S-boxes with high algebraic immunity can effectively resist algebraic attacks for an encryption system. The algebraic immunity results of the proposed S-boxes are listed in Table 5.

7) ALGEBRAIC DEGREE
The S-boxes with high algebraic degree can effectively resist higher order differential attacks. Therefore, the algebraic degree of an S-box is desired to be as high as possible. The VOLUME 8, 2020 algebraic degree results of the proposed S-boxes are also listed in Table 5.

8) TRANSPARENCY ORDER
The transparency order (TO) of S-box can be used to illustrate the resistance against DPA attack. The lower the value of the TO is, the higher the resistance against DPA attack of an S-box would be. The TO value of m?mS-box can be calculated as follows [36]: where F m 2 is m dimensional vector space in binary finite field and wt(β) is the Hamming weight of vector β. The transparency orders of the proposed S-boxes are also listed in Table 5.
As shown in Table 5, the algebraic degree values and the algebraic immunity values of the proposed S-boxes are 7 and 4, respectively, which are highly desirable. Therefore, the proposed S-boxes can reduce the possibilities of differential attacks and algebraic attacks. Additionally, the proposed S-boxes have lower TO values among the existing S-boxes, which further verifies the safety of the proposed S-boxes.

9) NIST TEST
NIST test is used to analyze the feature of randomness. We have performed NIST-800-22 test on the proposed S-boxes and the results are presented in Table 6. It can be seen that 12 tests have passed successfully. However, due to the insufficient sequence length, Random Excursions Test, Random Excursions Variant Test and Universal Statistical Test are not applicable.

V. PROPOSED IMAGE ENCRYPTION SCHEME
The proposed S-boxes are suitable for designing cryptosystem. This section exemplifies a specific application of the proposed S-boxes in image encryption.

A. GENERATION OF THE SECRET KEY
Our cryptosystem utilizes a 128-bit secret key K , which is generated by the hash algorithm MD2. For plaintext images, even if only one bit is changed, its hash value will change completely. By dividing the 128-bit secret key into 16-bit blocks (k i ), K can be expressed as follows: The new initial values can be obtained by the following formula: where α, u, x 0 and r are the initial given values. 54180 VOLUME 8, 2020

B. IMAGE ENCRYPTION ALGORITHM
The proposed image encryption algorithm includes four parts. Firstly, the key sequence K and the new initial values are generated by the hash algorithm. Secondly, the rows and columns of the plain image are permuted by using the proposed S-box1 and the sort function. Thirdly, the pixel values of the plain image are replaced by the values in the proposed S-box1. Fourthly, the ciphered image is obtained by XOR operations and chaotic diffusions. The entire flowchart of the encryption algorithm is shown in Fig. 5.
Without loss of generality, assuming that the size of the original image is M × N , the image encryption algorithm based on the proposed S-boxes consists of the following steps: Condition: Suppose the plain-image P is of size M ×N and A 1 is a matrix corresponding to the plain image P. Set S 1 is the chaotic sequence corresponding to the proposed S-box1 and S 2 is the chaotic sequence corresponding to the proposed S-box2.
Step 1: Generate the key sequence K and the initial values α , u , x 0 and r of the fractional-order logistic system according to Sect. 5.1.
Step 4: Let A 2 = reshape(A 2 , M × N , 1) and convert the elements of the matrix A 2 into 8-bits binary numbers and set i = 1. Choose four even digits and four odd digits of the ith 8-bit binary digits to form two four-bit binary digits, respectively. Then, these two decimal digits m and n are obtained by converting the two four-digit binary digits into decimal digits. Step 5: Set m = m + 1, n = n + 1, and then, substitute the (m, n) element of the proposed S-box1 for A 2 (i) in A 2 . Set i = i + 1, and return to step 4 until i reaches M × N .
Step 7: Generate the chaotic sequence S 3 whose length is 15000 by using the Fractional-order Logistic system with the initial values α , u , x 0 and r .
Step 9: Set N 2 = mod (M × N , 15000). Encrypt the last N 2 elements in A 3 according to the following equation: Finally, the ciphered image is obtained. In addition, this encryption scheme is also applicable to color images and binary images. A color image can be divided into three channels (red, green and blue) and encrypted separately by applying the proposed encryption scheme correspondingly. Then the final cipher image can be obtained by combining the red, green and blue cipher images.

C. DECRYPTION PROCEDURE
The decryption process is the reverse procedure to the encryption process. By using the secret keys, the receivers decrypt the cipher image according to the reverse operations of the encryption algorithm. The entire decryption algorithm is presented in Fig. 6. VOLUME 8, 2020

D. SIMULATION EXPERIMENTS AND PERFORMANCE ANALYSIS
The performance analysis of the proposed encryption algorithm includes key space analysis, histograms, correlation coefficients and differential analysis. In the experiments, the test images are the 512 × 512 images with an 8-bit gray scale.

1) SECRET KEY SPACE
The total number of different keys used in the encryption process represents the size of the key space. For any encryption system, the key space must be large enough to resist violent attacks. During the construction of S-boxes, the secret keys include three decimal parameters µ, α, r and the initial value x 0 for Eq. (3). If the accuracy of the computer is 10 16 , for the construction of an S-box, the total key space H 1 ≥ 10 16 4 = 10 64 . In the proposed encryption algorithm, due to using two different S-boxes and the 128-bit secret key, the total key space H 2 > 0.5 × H 1 × H 1 = 0.5 × 10 128 > 2 383 . To resist violent attacks, the size of the secret key space should not be less than 2 100 [47]. Obviously, the proposed encryption algorithm has enough key space to resist all kinds of violent attacks.

2) HISTOGRAM ANALYSIS
The histogram represents the distribution characteristics of the pixel intensity of an image. To resist any statistical attacks, a secure encryption system must ensure that the encrypted image has a uniform histogram. The histograms of the plain image Lena, BARB and their cipher images are presented in Fig. 7. Obviously, the gray scale values of the cipher images are uniformly distributed in Fig. 7 (d, h). Therefore, there is a significant difference from the distribution of the plain image Lena and BARB in Fig. 7 (a, e). Additionally, as shown in Fig. 7 (i − k), the proposed encryption scheme is also effective for binary images.
In order to further verify the uniform distribution of ciphered image pixels, we have performed the χ 2 -test on the ciphered images Lena and BARB. The value of the χ 2 -test for a ciphered image is calculated according to the following formula: where v 0 = M × N 256 , M × N is the size of ciphered image and v i is the observed frequency of a pixel value i(i = 0, 1, 2, . . . , 255.). The results of the test are listed in Table 7.   As shown in Table 7, the χ 2 -test values are lower than the critical value 293.25 [57], which indicates the proposed encryption scheme has passed the χ 2 -test. Therefore, the pixel value distribution is uniform in the encrypted images.

3) CORRELATION ANALYSIS OF TWO ADJACENT PIXELS
In horizontal, vertical and diagonal directions of a plain image, there is a high correlation between adjacent pixels. To resist statistical attacks, the correlation between adjacent pixels of a ciphered image should be as low as possible. We perform the following steps to calculate the correlation between plain and ciphered images. First, randomly choose 3000 pairs of two adjacent pixels of an image. Then, calculate the correlation coefficient according to the following formula [64], [70]- [72], [76]- [77]: where x and y are two adjacent pixels of an image with cov(x, y) = 1 3000 By using the formulas (5)-(8) and the proposed encryption algorithm, the correlation coefficients of plain images Lena, BARB and their ciphered images are calculated and the results are presented in Table 8. Clearly, the correlation coefficients of the plain image approximate to 1, while those of the ciphered image approximate to 0 along all three directions. Therefore, the correlation between adjacent pixels of the ciphered images is extremely low, which means that the proposed encryption scheme has good confusion and diffusion properties.

4) INFORMATION ENTROPY ANALYSIS
Information entropy is the most important index to measure randomness. Calculate the information entropy according to the following formula [59], [60], [76], [78], [38]: where m is the source of information, n is the bit number required for the symbol m i , and p(m i ) denotes the probability of symbol m i . If all the pixels are uniformly distributed for an 8-bit gray image, the maximum entropy is 8, which means that the information is random. For a ciphered image, the information entropy should be close to 8. The closer to 8, the less possible the attacker will decrypt the cipher image. By using Eq. (9), the information entropies of the plain images and the cipher images are calculated. The results are presented in Table 9. Obviously, the entropies of the ciphered images approximate to the ideal value 8, which means that the proposed scheme has the desired information entropy properties.

5) DIFFERENTIAL ATTACKS ANALYSES
To defend against a differential attack, a good encryption scheme needs to ensure that any minor modification of the plain image will lead to a significant difference in the ciphered images. The proposed encryption scheme can make VOLUME 8, 2020  two ciphered images be different completely, even if their plain images have only one different pixel. Let c 1 and c 2 be the two ciphered images and calculate the measure value of the sensitivity to a minor change of the plain image according to Eq. (10) and Eq. (11) [63], [69], [76] and [38]: Without loss of generality, choose the Lena image and BARB image as the test images and calculate the values of NPCR and UACI. The results of NPCR and UACI are listed in Table 10. As observed, the proposed algorithm obtains the mean NPCR at over 99.5% and the mean UACI at over 33.4%. Therefore, the proposed encryption algorithm has good NPCR and UACI scores, which means that there is strong robustness against differential attack.

6) CIPHERTEXT-ONLY ATTACK ANALYSES
Ciphertext-only attack refers to the exhaustive attack when only the encrypted text is known. Attacker tries a list of ciphertext to deduce the original secret key. As mentioned in the above sections, the proposed encryption scheme not only has fast encryption speed, but also has many keys and large key space. Additionally, the proposed cryptosystem applies a 128-bit secret key K generated by the hash algorithm MD2, which indicates the secret key is one-time pad. By Shannon's theory, ciphertext only attack cannot be carried out. So the proposed encryption scheme is secure.

7) NIST TEST
In order to test the pixels' randomness of the ciphered images, we have performed NIST-800-22 test on the ciphered images. The test results are presented in Table 11. It can be seen that all the tests have passed successfully.  [73], [77], and [38]: where p ij and c ij are the pixels of plain and ciphered images at the position (i, j), respectively, and I max is the maximum pixel's estimation of image. Both structural similarity index metric (SSIM) and normalized cross-correlation (NCC) can be used to measure the similarity two images. The difference is that SSIM focuses on the similarity of structure, contrast and luminance between images, while NCC focuses on the similarity of pixel values between images. Calculate the values of SSIM and NCC according to Eq. (15), and Eq. (16) [69], [71], [72]: where p ij and c ij are two images, µ p , µ c are their mean values, respectively, and σ pc is the standard deviation. Table 12 presents the results of MAE, MSE, PSNR and SSIM between the plain and ciphered images. Table 13 presents the results of SSIM and NCC between the ciphered and decrypted images. These show that the proposed encryption scheme achieves the desired effect.

9) CORRELATION BETWEEN PLAIN AND CIPHERED IMAGES AND CONTRAST, ENERGY ANALYSES
The correlation between plain and ciphered images is analyzed in this subsection. Calculate the correlation coefficient according to Eq. (17) [62]- [64], [72]: wherep,c are the average of plain and ciphered images, respectively. The results of the correlation are listed in Table 14. Clearly, the correlation coefficients between the plain and ciphered images are close to 0, which means that the proposed encryption scheme has the desired correlation property.
The contrast analysis calculates the intensity difference between pixels and their neighboring pixels in the whole image [58]. The high contrast value reflects the superiority of Y. Q. Zhang et al.: An Efficient Image Encryption Scheme Based on S-Boxes and Fractional-Order Differential Logistic Map the image encryption scheme. The contrast value can be calculated by Eq. (18) [62], [63], [69] and [72]: where p ij is given as the number of gray-level co-occurrence matrices (GLCM), M and N represent the number of rows and columns of GLCM, respectively. The contrast values of the proposed encryption scheme are listed in Table 14.
The energy analysis quantifies the information of ciphered image and reflects the disorder degree of ciphered image. The lower energy value of ciphered image indicates the higher encryption quality. The energy value is calculated by Eq. (19) [69], [72]: where p ij is given as the number of GLCM. The energy values of the ciphered images given by the proposed encryption scheme are also listed in Table 14.
As shown in Table 14, the energy values are closer to 0 and the contrast values are much larger in the proposed VOLUME 8, 2020 scheme than in schemes [82], [83]. Therefore, the proposed encryption scheme has high security.

VI. CONCLUSION
In this paper, we not only propose an efficient construction scheme of S-boxes based on the fractional-order logistic system, but also present an image encryption scheme using the fractional-order Logistic system, S-boxes and Secure Hash Algorithm MD2. The simulation and experimental results of S-boxes indicate that the proposed S-boxes have better BIC property, SAC property and Nonlinearity property. Furthermore, the proposed construction scheme of S-boxes could find other S-boxes satisfying perfect cryptographic properties by changing the order of the fractional-order differential equation. Moreover, from the above discussion, not only the proposed S-boxes construction scheme but also the proposed image encryption algorithm is more efficient. Although the high dimensions chaotic systems may have large parameter space, the expense of more computational complexity. Therefore, the proposed algorithms based on the fractionalorder logistic map have advantages in both better ability to withstand common cryptanalyst attacks and less execution time. In future practical research work, we will intend to apply the fractional-order chaotic logistic system to circuit board design.