Secure Image Encryption Based on Compressed Sensing and Scrambling for Internet-of-Multimedia Things

In this paper, we propose a secure image encryption system based on compressed sensing (CS) with a scrambling mechanism. For efficient encryption, we use a sparse measurement matrix, where the nonzero elements are generated by a linear feedback shift register (LFSR) based keystream generator. Then, several pairs of data scramblers, also based on LFSR, are attached behind the CS-encryption for diffusion. While guaranteeing theoretically reliable CS-decryption, numerical results indicate that the proposed cryptosystem has more reliable CS-decryption performance than other CS-based cryptosystems. Examining the histogram, entropy and correlation of the ciphertexts, experimental results demonstrate that the proposed cryptosystem has strong statistical security. Moreover, it turns out that the proposed cryptosystem has higher plaintext sensitivity than other CS-based cryptosystems, thanks to the bit-level diffusion from the scramblers.


I. INTRODUCTION
Compressed sensing (CS) is a signal processing technique that allows a sparse signal to be reconstructed from incomplete measurements sampled at a rate lower than the Nyquist rate [1]. We say that a signal $x \in \mathbb{R}^N$ is $K$-sparse with respect to an orthonormal basis $\Psi \in \mathbb{R}^{N \times N}$ if $\alpha = \Psi x$ has at most $K$ nonzero elements, where $K \ll N$. In CS, the sparse signal $x$ is measured by $y = \Phi x \in \mathbb{R}^M$, where $\Phi \in \mathbb{R}^{M \times N}$ is a measurement matrix with $M \ll N$. The reconstruction of the original signal $x$ can be achieved by solving an $l_1$-minimization problem [2]. Thanks to the efficient data acquisition, there have been various CS applications, such as communications [3], [4], bio signal processing [5], image processing [6], RFID identification [7], etc. In particular, CS can be an attractive choice for data acquisition in a resource-limited transmitter of the Internet of Things (IoT) [8]-[11].
The CS techniques can be applied in a symmetric-key cryptosystem for information security. In CS-based cryptosystems, a plaintext $x$ is encrypted to a ciphertext $y = \Phi x$ using a secret matrix $\Phi$. A sender and a legitimate recipient share a secret key to generate the elements of the secret matrix $\Phi$. The legitimate recipient who knows $\Phi$ can reconstruct the original plaintext through CS reconstruction algorithms. Rachlin and Baron [12] showed that the CS-based cryptosystem cannot be perfectly secure but might be computationally secure. Orsdemir et al. [13] claimed that estimating the random Gaussian secret matrix of the CS-based cryptosystem is computationally infeasible. In [14], Bianchi et al. proved that CS-based cryptosystems can resist known-plaintext attacks (KPA) by encrypting plaintexts in a one-time-sensing (OTS) manner, where the secret matrix is renewed at every encryption. Furthermore, they showed that the Gaussian-OTS (G-OTS) cryptosystem, which uses a random Gaussian secret matrix in the OTS manner, can be perfectly secure if the plaintext has constant energy. In [15], it is quantitatively shown that the Bernoulli-OTS (B-OTS) cryptosystem, which uses a random Bernoulli matrix to encrypt a plaintext in the OTS manner, can resist KPA. Moreover, the indistinguishability [16] was discussed for the G-OTS and the B-OTS cryptosystems [17], respectively.
For image encryption, Zhou et al. proposed CS-based cryptosystems [18], [19] based on chaotic systems. In [20], a multi-class CS-encryption is proposed, which gives different decryption qualities to different class recipients. Zhang et al. [21] designed a multi-image encryption, which uses the random convolution [22] for CS-encryption. In [23], Zhu et al. proposed a CS-based cryptosystem employing a circular shift for diffusion. Li et al. [24] proposed an efficient image encryption for IoT monitoring applications by reducing time consumption in encryption and reconstruction. Zhu et al. [25] proposed a CS-based cryptosystem, where permutation and diffusion are executed simultaneously for encryption. There are many other applications of CS for information security [26]-[29].
For processing large size data, the secret matrix of a CS-based cryptosystem may require large data storage and high computational complexity. To resolve this issue, the parallel CS-based cryptosystem was proposed in [30], where the columns of an image are encrypted in parallel with the counter mode operation. Also, a CS-based cryptosystem [31] was proposed to reduce data storage for the secret matrix by employing the semi-tensor product. In [32], Cho et al. proposed the sparse-OTS (S-OTS) cryptosystem in which a plaintext is encrypted in the OTS manner by a sparse secret matrix with only a few nonzero elements. By using the sparse matrix, the S-OTS cryptosystem can save storage space and computational cost. Therefore, it can be an attractive choice to use the S-OTS cryptosystem in a resource-limited environment, e.g., sensors of IoT.
To evaluate the security of image encryption, we can analyze the encrypted images with statistical measures, such as histogram, entropy, correlation and plaintext sensitivity [21], [24]. Although the S-OTS cryptosystem is efficient and secure, we find in this paper that it has weak security in terms of the statistical measures. To enhance the statistical security of the S-OTS cryptosystem, a scrambler can be introduced as a diffusion mechanism. Scramblers have been widely used in communications [33], [34] and information security [35]. Based on a linear feedback shift register (LFSR), a scrambler randomizes its input bitstream such that the corresponding output bitstream seems to be independently distributed at random. Moreover, a few changes of an input bitstream to a scrambler can lead to significant changes in the output by the recursive structure. Exploiting this property, a scrambler structure was proposed to give the avalanche effect for a secure key distribution to the receivers of wireless local area networks [36].
In this paper, a secure CS-based cryptosystem with strong statistical security is proposed for image encryption. The proposed cryptosystem uses a sparse matrix of the S-OTS cryptosystem and several scrambler chains for diffusion. It is noteworthy that the proposed cryptosystem can theoretically guarantee reliable CS-decryption inherited from the S-OTS cryptosystem, which will be numerically demonstrated. Each scrambler chain consists of a pair of scramblers aligned in series, where the output of the first scrambler is fed as an input to the second scrambler in reverse order. While this scrambler chain is similar to the scrambler structure in [36], we use it at a transmitter to give the avalanche effect for CS-based encryption. To prevent a malicious attacker from restoring the scrambled contents, a keystream generator of a stream cipher is also employed for simultaneous scrambling and encryption. Due to the hardware-friendly structure, the proposed cryptosystem can be implemented easily in real world applications.
For statistical security, we conduct numerical experiments to analyze the histogram, entropy, correlation and plaintext sensitivity for the proposed cryptosystem. We demonstrate that the proposed cryptosystem can achieve flat histogram, high entropy and low correlation of adjacent pixels in ciphertexts, thanks to the diffusion by the proposed scrambler structure. Especially, since the diffusion mechanism of the proposed cryptosystem is executed in ciphertext bit-level, the quantitative evaluation measures of the plaintext sensitivity are much better than those of the other CS-based cryptosystems [23]-[25], [30] that execute the diffusion mechanisms in ciphertext element-level, where each ciphertext element consists of multiple bits. In summary, the proposed CS-based cryptosystem has a hardware-friendly structure and reliable CS-decryption performance. Through numerical results, we demonstrate that the proposed cryptosystem can be statistically secure achieving flat histogram, high entropy, low correlation and high plaintext sensitivity, thanks to the proposed scrambler structure.
The rest of the paper is organized as follows. Some background knowledge for understanding this paper is given in Section II. In Section III, we briefly introduce other CS-based cryptosystems [23]-[25], [30] for comparison. The details of the proposed CS-based cryptosystem, including encryption, scrambling and decryption processes, are described in Section IV. In Section V, experimental results about the statistical security measures of the proposed CS-based cryptosystem are presented and compared to those of the other CS-based cryptosystems [23]-[25], [30]. Finally, concluding remarks will be given in Section VI.

A. CS-BASED CRYPTOSYSTEMS
Let $x = \Psi^T \alpha \in \mathbb{R}^N$ be a plaintext, which is $K$-sparse with respect to an orthonormal basis $\Psi \in \mathbb{R}^{N \times N}$. Then, the corresponding ciphertext of a CS-based cryptosystem is $y = \Phi x$, where $\Phi \in \mathbb{R}^{M \times N}$ is a secret matrix with $M \ll N$. A legitimate recipient who knows the secret matrix can decrypt the ciphertext by CS reconstruction techniques, such as an algorithm for $l_1$-minimization [37] and a greedy algorithm [38].

B. S-OTS CRYPTOSYSTEM
The secret matrix $\Phi$ of the S-OTS cryptosystem is a sparse matrix with only a few nonzero bipolar entries, which is represented by $\Phi = \frac{1}{\sqrt{Mr}} SP$, where $S \in \{-1, 0, 1\}^{M \times N}$ is a sparse matrix and $P \in \mathbb{R}^{N \times N}$ is a column permutation matrix. The row-wise sparsity $r$ is defined by $r = \frac{q}{N}$, where $q$ is the number of the nonzero elements of each row of $S$. The nonzero elements of $S$ are generated by the self-shrinking generator (SSG) [39], which is an LFSR-based keystream generator. The first $qM$ bits of an SSG keystream $k = (k_1, k_2, \cdots)$ are used to generate $S$. The $i$-th row of $S$ has a column index set $\Lambda_i$ of the nonzero elements defined as where $\eta = \frac{N}{q}$. Then, the element in the $i$-th row and the $j$-th column of $S$ is The S-OTS cryptosystem can encrypt a plaintext quickly, since the matrix-vector multiplication of the encryption process can be implemented row-wise in parallel. The CS-decryption can also be processed efficiently, exploiting the few nonzero elements of $\Phi$. In addition, the authors of [32] showed that the S-OTS cryptosystem can be computationally secure through the security analyses against ciphertext only attacks (COA) and chosen plaintext attacks (CPA). Moreover, the S-OTS cryptosystem can theoretically guarantee a stable and reliable CS-decryption for a legitimate recipient.

C. STATISTICAL SECURITY MEASURES
The histogram of an image shows the number of the occurrences of all pixel values. For secure image encryption, the histogram of an encrypted image should have a fairly uniform distribution, which means that the frequencies of the occurrences of all pixel values are almost equal. If the histogram of an encrypted image is non-uniform, it may be vulnerable to statistical attacks. To measure the randomness of an image quantitatively, we can use the entropy. An encrypted image with higher entropy means that its histogram is closer to the uniform distribution. The entropy $E$ of an 8-bit gray-scale image is defined as where $l = 256$ is the number of the gray levels of the image, $i$ is a pixel value in $[0, 255]$, and $p(i)$ is the frequency of the occurrences of $i$. Ideally, $p(i) = \frac{1}{256}$ for all $i$, where $E$ takes the maximum of 8, and the histogram shows the ideal uniform distribution.
In correlation analysis, we measure the correlation of adjacent pixels of an encrypted image for horizontal, vertical and diagonal directions, respectively. We can quantitatively evaluate the correlation of an encrypted image using the correlation coefficient (CC) [21], which is defined as where $x_i$ and $y_i$ represent randomly selected adjacent pixel values of an encrypted image, $\bar{x} = \frac{1}{n} \sum_{i=1}^{n} x_i$, $\bar{y} = \frac{1}{n} \sum_{i=1}^{n} y_i$, and $n$ is the number of the selected pixel pairs.
The plaintext sensitivity shows the degree of variation in a ciphertext when we modify its plaintext slightly. Let $C_1$ be the ciphertext of a plaintext $M_1$ for a cryptosystem by a key $K$. Another plaintext $M_2$, which differs from $M_1$ by one bit, can be encrypted to a ciphertext $C_2$ by the same key $K$. Then, we can compare $C_1$ and $C_2$ by using the unified average changing intensity (UACI) [24] and the number of pixels change rate (NPCR) [24], respectively. The UACI, which represents the average of absolute difference of pixel values for two 8-bit gray-scale images, is defined as where $W$ and $H$ are width and height of the images, respectively. In (6), $C_1(i, j)$ and $C_2(i, j)$ are the pixel values of $C_1$ and $C_2$ at the pixel position $(i, j)$, respectively. The NPCR, which represents how many pixels are different for two 8-bit gray-scale images, is defined as where The expected values of the NPCR and the UACI are theoretically calculated by treating every pixel value of two images to be uniformly distributed, which results in 99.6094% and 33.4635%, respectively [40].
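As an added illustration (not part of the paper), the following Python sketch computes the entropy, NPCR and UACI with their standard definitions, which is an assumption here because the defining equations are not reproduced above, and derives the expected values 99.6094% and 33.4635% exactly by enumerating all pairs of uniformly distributed 8-bit pixel values. The 16×16 sample images and all function names are constructed for the example.

```python
import math
from collections import Counter


def _pixel_pairs(c1, c2):
    """Pair up pixels at the same position of two equally sized images."""
    return [(a, b) for r1, r2 in zip(c1, c2) for a, b in zip(r1, r2)]


def entropy(img):
    """Shannon entropy (bits per pixel) of the pixel-value histogram."""
    flat = [p for row in img for p in row]
    n = len(flat)
    return -sum(c / n * math.log2(c / n) for c in Counter(flat).values())


def npcr(c1, c2):
    """Number of pixels change rate: percentage of positions that differ."""
    pairs = _pixel_pairs(c1, c2)
    return 100.0 * sum(a != b for a, b in pairs) / len(pairs)


def uaci(c1, c2, peak=255):
    """Unified average changing intensity: mean |difference| relative to peak."""
    pairs = _pixel_pairs(c1, c2)
    return 100.0 * sum(abs(a - b) for a, b in pairs) / (peak * len(pairs))


def expected_npcr_uaci(levels=256):
    """Exact expectations for two independent, uniformly distributed images."""
    n_pairs = levels * levels
    abs_sum = sum(abs(a - b) for a in range(levels) for b in range(levels))
    exp_npcr = 100.0 * (n_pairs - levels) / n_pairs        # P(a != b)
    exp_uaci = 100.0 * abs_sum / (n_pairs * (levels - 1))  # E|a - b| / 255
    return exp_npcr, exp_uaci


# Constructed sample: a 16x16 image in which every gray level occurs once,
# and a copy in which only the least significant bit of each pixel is flipped.
SAMPLE = [[16 * r + c for c in range(16)] for r in range(16)]
LSB_FLIPPED = [[p ^ 1 for p in row] for row in SAMPLE]


if __name__ == "__main__":
    print("expected NPCR, UACI: %.4f%%, %.4f%%" % expected_npcr_uaci())
    print("entropy of SAMPLE  : %.4f bits" % entropy(SAMPLE))
    # Every pixel changes, yet the average intensity change stays tiny.
    print("NPCR (LSB flipped) : %.4f%%" % npcr(SAMPLE, LSB_FLIPPED))
    print("UACI (LSB flipped) : %.4f%%" % uaci(SAMPLE, LSB_FLIPPED))
```

The constructed LSB-only pair reaches the maximum NPCR while its UACI stays far below the expected value, which is why both measures are reported together.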

D. SCRAMBLERS
An input bitstream of length $H$, denoted by $m = (m_1, m_2, \cdots, m_H)$, can be scrambled by an $L$-stage LFSR-based scrambler characterized by a polynomial $P(x) = 1 + a_1 x^1 + a_2 x^2 + \cdots + a_L x^L$ with $a_i \in \{0, 1\}$ and $a_L = 1$. In Fig. 1(a), the output bitstream is $s = (s_1, s_2, \cdots, s_H)$, where for $i = 1, 2, \cdots, H$ and $\oplus$ denotes the bit-wise XOR operation. In this paper, we assume that the initial state of the LFSR is all-zero state. We can restore the original input bitstream $m$ by using the descrambler in Fig. 1(b), where the descrambling process can be described as Note that the scrambling process is recursive, so the current input bit can influence the output bits thereafter. Therefore, we expect that if a bit flip occurs in $m_t$, a scrambler can make significant changes in $s_i$'s for $i \geq t$.

E. GRAIN-128
The Grain-128 [46] is a stream cipher with a 128-bit key and a 96-bit initialization vector (IV). The stream cipher consists of a 128-stage LFSR, a 128-stage nonlinear feedback shift register (NFSR) and an output generating function, as illustrated in Fig. 2. Due to the simple structure, Grain-128 is suited for a resource-limited environment with easy implementation in hardware. Let $(b_0, b_1, \cdots, b_{127})$ and $(f_0, f_1, \cdots, f_{127})$ be the states of the NFSR and LFSR at a clock, respectively. The feedback Boolean function of the NFSR generating $g$ is defined as With Finally, the output keystream bit $z$ is defined as Readers are referred to [46] for more details on Grain-128.

III. SOME KNOWN CS-BASED CRYPTOSYSTEMS
For investigating statistical security measures of our proposed CS-based cryptosystem, we introduce other CS-based cryptosystems for comparison in this section. Note that $\oplus$ denotes the bit-wise XOR operation between $a$-bit integers. We define the binary representation of an $a$-bit integer $d$ as . Then, if $p$ and $q$ are $a$-bit integers, $r = p \oplus q$ is an $a$-bit integer, where $r = (r_1, r_2, \cdots, r_a)$ with $r_i = p_i \oplus q_i$ for $i = 1, 2, \cdots, a$.

A. CIRCULAR SHIFT-BASED CRYPTOSYSTEM
In the circular shift-based cryptosystem [23], a sparse representation matrix $\alpha = \Psi X \in \mathbb{R}^{n \times n}$ is randomly permuted to $\alpha$ , where $\Psi \in \mathbb{R}^{n \times n}$ is an orthonormal basis and $X \in \mathbb{R}^{n \times n}$ is an image. Then, $\alpha$ is encrypted to $Y = \Phi \alpha \in \mathbb{R}^{m \times n}$, where the secret matrix $\Phi \in \mathbb{R}^{m \times n}$ is generated by using the Chebyshev map [47]. Then, $Y$ is quantized to $Y_Q$ by an $a$-bit quantizer. Each row of $Y_Q$ can be concatenated into $y_Q = (y_{Q,1}, y_{Q,2}, \cdots, y_{Q,mn}) \in \mathbb{R}^{mn}$, where $y_{Q,i}$ is an $a$-bit integer for $i = 1, 2, \cdots, mn$. Each element of $y_Q$ is modified by for $i = 1, 2, \cdots, mn$, where circshift$(u, v)$ is a bitwise circular shift operation to an $a$-bit integer $u$, i.e., mn ) is generated by using the 4-D hyper-chaotic system [23], where $k^{(1)}_i < a$ is an integer for $i = 1, 2, \cdots, mn$. Finally, an element-level diffusion is applied to each element $e_i$ to yield the ciphertext $c = (c_1, c_2, \cdots, c_{mn}) \in \mathbb{R}^{mn}$ by (14) where $e_i = (k^{(2)}_i \cdot c_{i-1} \cdot 10^{14}) \bmod 2^a$, $c_0 = 0$, and $i = 1, 2, \cdots, mn$. The keystreams $k^{(2)}$ = (k (14) are generated by using the 4-D hyper-chaotic system [23], where k is an $a$-bit integer. The details of the keystream generation are described in [23].

B. KRONECKER CS-BASED CRYPTOSYSTEM
The Kronecker CS-based cryptosystem [24] encrypts an image $X \in \mathbb{R}^{n \times n}$ to $Y = \Phi X \in \mathbb{R}^{m \times n}$. In this cryptosystem, the secret matrix $\Phi$ can be constructed by where $\otimes$ denotes the Kronecker product [41]. In (15), $A \in \mathbb{R}^{\frac{m}{p} \times \frac{n}{p}}$ is a random chaotic matrix with each element generated from a chaotic system called the Tent map [42]. Also, $P = P_\pi D \in \mathbb{R}^{p \times p}$ is a weighted permutation matrix, where $P_\pi \in \mathbb{R}^{p \times p}$ is a permutation matrix and $D \in \mathbb{R}^{p \times p}$ is a diagonal matrix with diagonal elements generated from the Logistic-Tent chaotic system [45].
After CS-encryption, $a$-bit quantization is performed to $Y$, which results in a quantized ciphertext $Y_Q$. Each row of $Y_Q$ can be concatenated into a vector $y_Q = (y_{Q,1}, y_{Q,2}, \cdots, y_{Q,mn}) \in \mathbb{R}^{mn}$, where $y_{Q,i}$ is an $a$-bit integer for $i = 1, 2, \cdots, mn$. The first diffusion is applied to each element of $y_Q$, which yields $e = (e_1, e_2, \cdots, e_{mn}) \in \mathbb{R}^{mn}$ with where $i = 1, 2, \cdots, mn$ and $e_0 = 0$. In (16), the keystream mn ) is generated by using the Logistic-Tent chaotic system [45], where $k^{(1)}_i$ is an $a$-bit integer. Note that in the element-level diffusion, the $l$-th bit position of $y_{Q,i}$ cannot influence the $t$-th bit position of $y_{Q,j}$, where $l \neq t$ for $i, j = 1, 2, \cdots, mn$. Therefore, bit-level variations cannot be diffused within the whole ciphertext, which leads to weak plaintext sensitivity. The second element-level diffusion yields the final ciphertext $c = (c_1, c_2, \cdots, c_{mn}) \in \mathbb{R}^{mn}$ by where $i = mn, mn - 1, \cdots, 1$ and $c_{mn+1} = 0$. In (17), mn ) is generated by using the Logistic-Tent chaotic system [45], where $k^{(2)}_i$ is an $a$-bit integer. The details of the keystream generation are described in [24].

D. PARALLEL CS-BASED CRYPTOSYSTEM
In the parallel CS-based cryptosystem [30], the columns of an image $X = [X_1, X_2, \cdots, X_n] \in \mathbb{R}^{n \times n}$ are encrypted in parallel. Each column $X_i$ is encrypted to $Y_i = \Phi_i X_i \in \mathbb{R}^m$ for $i = 1, 2, \cdots, n$, where $\Phi_i \in \mathbb{R}^{m \times n}$ is a secret matrix with each element generated from the Logistic-Tent chaotic system [45]. Then, $Y = [Y_1, Y_2, \cdots, Y_n] \in \mathbb{R}^{m \times n}$ is quantized to $Y_Q$ by an $a$-bit quantizer. Each row of $Y_Q$ can be concatenated into a vector $y_Q = (y_{Q,1}, y_{Q,2}, \cdots, y_{Q,mn}) \in \mathbb{R}^{mn}$, where $y_{Q,i}$ is an $a$-bit integer for $i = 1, 2, \cdots, mn$. The final ciphertext $c = (c_1, c_2, \cdots, c_{mn}) \in \mathbb{R}^{mn}$ can be obtained after an element-level diffusion, which can be described as where $i = 1, 2, \cdots, mn$ and $c_0 = 0$. In (19), the keystream $k = (k_1, k_2, \cdots, k_{mn})$ is generated by using the Logistic-Tent chaotic system [45], where $k_i$ is an $a$-bit integer. The details of the keystream generation are described in [30].

IV. PROPOSED CS-BASED CRYPTOSYSTEM
In this section, we describe the details of the proposed CS-based cryptosystem. For CS-encryption, we use the secret matrix of the S-OTS cryptosystem. Then, the quantized ciphertext of the S-OTS cryptosystem is fed into the proposed scrambler structure, which enhances the statistical security of the proposed cryptosystem. Fig. 3 illustrates the overall structure of the proposed CS-based cryptosystem. In the proposed CS-based cryptosystem, it is noteworthy that the LFSR-based keystream generation by SSG and Grain-128 can be easier to implement in real world applications than others, e.g., chaos-based keystream generation [43], [44].

A. CS-ENCRYPTION
The columns of an 8-bit gray-scale $n \times n$ image are stacked into a column vector $x \in \mathbb{R}^N$, where $N = n^2$. We assume that each 8-bit gray-scale pixel of $x$ takes a value in $[-128, 127]$ by shifting its original value by $-128$. With the shared key $K_1$, one can generate a keystream for constructing the secret matrix $\Phi = \frac{1}{\sqrt{Mr}} SP \in \mathbb{R}^{M \times N}$, where $S$ is a sparse matrix with only $q$ nonzero bipolar elements in each row, and $P$ is a column permutation matrix. The secret matrix $\Phi$ encrypts the plaintext $x$ to $y = \Phi x \in \mathbb{R}^M$. Then, $y$ is quantized by an $a$-bit quantizer. The quantized CS-encrypted ciphertext $y_Q \in \mathbb{R}^M$ is where $y_{\max} = \frac{q \cdot 128}{\sqrt{Mr}}$, $y_{\min} = \frac{-q \cdot 128}{\sqrt{Mr}}$, $\mathbf{1}$ is an all-one vector of length $M$, and round$(v)$ replaces each element of vector $v$ with the nearest integer. As each element of $x$ is between $-128$ and $127$, it is readily checked that the range of the elements of $y$ is from $\frac{-q \cdot 128}{\sqrt{Mr}}$ to $\frac{+q \cdot 128}{\sqrt{Mr}}$ with its resolution $\frac{1}{\sqrt{Mr}}$, from which $y$ has $2 \cdot q \cdot 128 + 1$ possible values. Thus, the number of quantization level should be sufficiently high to represent all possible values of each element of $y$, i.e., $2^a \geq 2 \cdot q \cdot 128 + 1$, which suggests that the number of quantization bits should be $a \geq \log_2(2 \cdot q \cdot 128 + 1)$.
In the proposed scrambler structure, the reverse order feeding by the LIFO buffer can cause the avalanche effect for each scrambler chain. Suppose that a bitstream $m^{(w)}$ = (m When $m^{(w)}$ and $m^{(w)}_{err}$ with $H = 10^4$ enter a scrambler chain, Fig. 4 sketches the bit difference rate at the outputs of Scrambler 1 and Scrambler 2, respectively. We assume that every scrambler is characterized by a polynomial $P(x) = 1 + x^{18} + x^{23}$. We denote $d_1$ as the number of different bits between $s^{(w)}$ and s 50% regardless of $t$, which numerically demonstrates the avalanche effect of the scrambler chain.
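The scrambler of the SCRAMBLERS subsection and the scrambler chain described above can be sketched as follows. This is an added example, not the authors' implementation: it assumes the usual recursive (multiplicative) scrambler form $s_i = m_i \oplus s_{i-18} \oplus s_{i-23}$ for $P(x) = 1 + x^{18} + x^{23}$ with an all-zero initial state, models the LIFO buffer as a list reversal, omits the Grain-128 keystream, and uses hypothetical function names and constructed random input bits.

```python
import random

TAPS = (18, 23)  # exponents of P(x) = 1 + x^18 + x^23, as in the text


def scramble(bits, taps=TAPS):
    """Assumed recursive form: s_i = m_i XOR s_(i-18) XOR s_(i-23).

    Output bits before index 0 count as 0 (all-zero initial LFSR state).
    """
    out = []
    for i, m in enumerate(bits):
        fb = 0
        for j in taps:
            if i >= j:
                fb ^= out[i - j]
        out.append(m ^ fb)
    return out


def descramble(bits, taps=TAPS):
    """Feed-forward inverse: m_i = s_i XOR s_(i-18) XOR s_(i-23)."""
    out = []
    for i, s in enumerate(bits):
        fb = 0
        for j in taps:
            if i >= j:
                fb ^= bits[i - j]
        out.append(s ^ fb)
    return out


def chain(bits, taps=TAPS):
    """Scrambler 1, LIFO buffer (order reversal), then Scrambler 2."""
    return scramble(scramble(bits, taps)[::-1], taps)


def unchain(bits, taps=TAPS):
    """Inverse of chain(): descramble, undo the reversal, descramble."""
    return descramble(descramble(bits, taps)[::-1], taps)


def diff_rate(a, b):
    """Fraction of positions at which two equally long bitstreams differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def avalanche(t, H=10_000, seed=1):
    """Flip input bit t (0-based) of a constructed random bitstream.

    Returns the bit difference rate after Scrambler 1 alone and after the
    whole chain. The scramblers are XOR-linear, so the result depends only
    on t and H, not on the random data.
    """
    rng = random.Random(seed)
    m = [rng.getrandbits(1) for _ in range(H)]
    m_err = list(m)
    m_err[t] ^= 1
    d1 = diff_rate(scramble(m), scramble(m_err))
    d2 = diff_rate(chain(m), chain(m_err))
    return d1, d2


if __name__ == "__main__":
    for t in (0, 5_000, 9_999):
        d1, d2 = avalanche(t)
        print(f"t={t:5d}  after Scrambler 1: {d1:.4f}  after chain: {d2:.4f}")
```

For a flip in the last input bit, Scrambler 1 alone changes a single output bit, while the chain spreads the change over the whole block because the reversed order places that bit at the front of Scrambler 2's input.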
We can get the plaintext $\hat{x}$ after CS-decryption through an $l_1$-minimization algorithm where $\Psi \in \mathbb{R}^{N \times N}$ is an orthonormal basis, such as the 2D version of the Daubechies 4 (D4) wavelet basis with $\hat{x} = \Psi^T \hat{\alpha}$. Finally, the decrypted plaintext $\hat{x}$ is mapped to the range $[0, 255]$ by adding 128 to each element.

V. EXPERIMENTAL RESULTS
In this section, we demonstrate the statistical security of the proposed CS-based cryptosystem through numerical experiments. The statistical security measures are compared to those of the circular shift-based [23], the Kronecker CS-based [24], the division-based [25], and the parallel CS-based [30] cryptosystems, which are referred to as circular CS, Kronecker CS, division CS, and parallel CS, respectively. To demonstrate the statistical security enhancement by the proposed scrambler structure, we encrypt plaintexts only with the S-OTS cryptosystem [32], which is called S-OTS only. In contrast, the proposed cryptosystem, called S-OTS scrambled, includes the proposed scrambler structure, where Scrambler 1 and Scrambler 2 are characterized by a polynomial $P(x) = 1 + x^{18} + x^{23}$, respectively. We use the 256×256 test images 'Lena', 'Barbara', 'Boat', 'Plane', and 'Peppers', which are shown in Fig. 5. In S-OTS encryption, the SSG operates with a 128-stage LFSR, the number of the nonzero elements of each row of the secret matrix is $q = 8$, the compression ratio is $\rho = 0.625$, and the quantization bit size is $a = 12$. For the Kronecker CS, we select the parameter $p = 8$ for the secret matrix. With the same quantization bit size and compression ratio, the other experimental settings of circular, Kronecker, division, and parallel CS, such as initial values and control parameters for chaotic systems and initial conditions, are selected randomly to meet the constraints presented in [23]-[25], [30], respectively. For all CS-based cryptosystems, each $a$-bit ciphertext $c$ is mapped to e =

A. CS-DECRYPTION PERFORMANCE
In [32], reliable and stable CS-decryption of the S-OTS cryptosystem have been theoretically guaranteed. Moreover, the phase transition shown in [32] demonstrated that the CS-decryption performance of the S-OTS cryptosystem is similar to that of the B-OTS cryptosystem with random Bernoulli secret matrices. Clearly, the S-OTS scrambled inherits the theoretically guaranteed reliable performance of CS-decryption from the S-OTS cryptosystem. The peak signal-to-reconstruction noise ratio (PSNR), defined by $\mathrm{PSNR} = 10 \log_{10} \frac{N \cdot 255^2}{\|x - \hat{x}\|^2}$, can be used to evaluate the CS-decryption performance, where $x$ and $\hat{x}$ are original and decrypted plaintexts, respectively. For CS-decryption, we employ SPGL1 [48] for the basis pursuit (BP) with D4 wavelet basis. The decryption results of the proposed cryptosystem in noiseless condition are shown in Fig. 5, which demonstrates that the decrypted images are visually acceptable. Table 1 shows that the proposed cryptosystem numerically guarantees higher PSNR for decrypted images than circular, Kronecker, division, and parallel CS. Therefore, we conclude that the proposed cryptosystem can achieve more reliable CS-decryption performance than the other CS-based cryptosystems, while guaranteeing theoretically reliable and stable CS-decryption performance.
Fig. 6 shows the histograms of original and encrypted images of S-OTS only and S-OTS scrambled, respectively. A secure cryptosystem should conceal the histograms of original images and have ciphertexts with uniform histograms. We can see that the encrypted images of the S-OTS only show nonuniform histograms, which can be vulnerable to statistical attacks. The encrypted images of the S-OTS scrambled show uniform histograms, which means that the proposed scrambler structure can successfully flatten the histograms of the ciphertexts of the S-OTS only. We also observed that the encrypted images of 'Lena', 'Barbara', 'Boat', 'Plane', and 'Peppers' have uniform histograms for circular, Kronecker, division, and parallel CS. Therefore, our proposed CS-based cryptosystem is statistically secure with the uniform histograms of ciphertexts.

C. ENTROPY
In Table 2, the entropies of encrypted images of each CS-based cryptosystem are shown. We observe that the S-OTS scrambled can increase entropies of the encrypted images of the S-OTS only by means of scramblers, which demonstrates the statistical security enhancement by the proposed scrambler structure. Similar to circular, Kronecker, division, and parallel CS, the S-OTS scrambled has entropies close to the ideal value 8. Therefore, the S-OTS scrambled is sufficiently secure in terms of entropy.

D. CORRELATION
In correlation analysis, we randomly select 2,000 adjacent pixel pairs from an encrypted image and calculate the correlation coefficients by using (5) in horizontal, vertical and diagonal directions, respectively. Table 3 shows that the encrypted images of the S-OTS scrambled present low correlation coefficients, similar to the other CS-based cryptosystems, which demonstrates the statistical security of the proposed cryptosystem. We observed similar results of low correlation coefficients for the other test images of 'Boat', 'Plane' and 'Peppers' for all the CS-based cryptosystems, respectively. For analyzing the correlation, we also examine the correlation distribution, which is a scatter diagram plotting randomly selected 2,000 adjacent pixel pairs of an encrypted image. Fig. 7 displays the correlation distributions of original and encrypted images of 'Lena'. We also observed that the other test images show similar correlation distributions for original and encrypted images. The original image shows a linear distribution in all directions, which means that the adjacent pixel pairs are highly correlated. The encrypted On the other hand, the uniform distribution of the S-OTS scrambled suggests that adjacent pixel pairs of the encrypted image are uncorrelated to each other. Therefore, we conclude that the proposed scrambler structure can successfully reduce the correlation between adjacent pixel pairs.

E. PLAINTEXT SENSITIVITY
To analyze the plaintext sensitivity, we calculate the NPCR and the UACI for test images. For secure encryption, the NPCR and the UACI should be close to the theoretically expected values, 99.6094% and 33.4635%, respectively.
In numerical experiments, we randomly select a pixel position and flip the least significant bit of the pixel for test images. To evaluate the plaintext sensitivity, we examine the average NPCR and UACI over 100 trials of each cryptosystem. Table 4 shows that circular, Kronecker, division and parallel CS with ciphertext element-level diffusion mechanisms show lower average NPCR and UACI than the theoretically expected values, respectively, while the S-OTS scrambled has average NPCR and UACI close to the theoretically expected values, respectively. This demonstrates that our proposed CS-based cryptosystem has high plaintext sensitivity. Moreover, the variances of NPCR and UACI for 'Lena' are 0.0027 and 0.0272 for the S-OTS scrambled, 271.3460 and 30.7554 for the circular CS, 1120 and 24.3601 for the Kronecker CS, 262.2163 and 1.0785 for the division CS, 1179 and 22.3574 for the parallel CS, respectively. We observed similar results for the other test images of 'Barbara', 'Boat', 'Plane' and 'Peppers'. Since circular, Kronecker, division, and parallel CS have large variances in NPCR and UACI, their diffusion performance for the plaintext sensitivity is not stable. Meanwhile, extremely small variances of the S-OTS scrambled indicate that our diffusion mechanism can stably guarantee high plaintext sensitivity. As the S-OTS only rarely achieves high plaintext sensitivity, the stable diffusion performance of the S-OTS scrambled demonstrates security enhancement in terms of plaintext sensitivity by the proposed scrambler structure. Fig. 8 shows the differential images of the CS-based cryptosystems for test image 'Lena', respectively. In this experiment, the original 'Lena' is encrypted to the ciphertext $C_1$, while the other ciphertext $C_2$ is obtained from a modified 'Lena' with one pixel modification. Then, bit-wise XOR operation between each pixel pair of $C_1$ and $C_2$ yields the differential image. The noise pattern of Fig. 8(a) demonstrates that a slight modification of a plaintext results in significant changes in the ciphertext for the S-OTS scrambled. Meanwhile, the other CS-based cryptosystems show partially black or almost black differential images due to the high similarity of $C_1$ and $C_2$, which implies the weak plaintext sensitivity of circular, Kronecker, division, and parallel CS, respectively. Therefore, we conclude that the proposed cryptosystem has high plaintext sensitivity due to the bit-level diffusion by the proposed scrambler structure.

F. KEY SPACE
It is important to have a large key space to resist a brute-force attack for a secure cryptosystem. In the proposed cryptosystem, we use a 128-bit key for the SSG to construct the secret matrix $\Phi$ and a 128-bit key for Grain-128 for diffusion. This means that the key space of the proposed cryptosystem is $2^{128} \times 2^{128} = 2^{256}$, which implies that the proposed cryptosystem can be secure against a brute-force attack with

G. KEY SENSITIVITY
For a secure cryptosystem, if we modify the key slightly, the ciphertext should be changed significantly. In numerical experiments for key sensitivity, we change either $K_1$ or $K_2$ by one-bit randomly for the S-OTS scrambled, while one of the chaotic parameters is changed by $10^{-15}$ randomly for circular, Kronecker, division, and parallel CS, respectively. Table 5 shows the average NPCR and UACI over 100 trials of the ciphertexts of all the test images for the CS-based cryptosystems, when we change their keys, respectively. We observe that one-bit modification of the key can result in significant changes in the ciphertext for the S-OTS scrambled, where the average NPCR and UACI are close to the theoretically expected values for all test images, respectively. Also, the numerical results of the S-OTS scrambled are similar to those of the other CS-based cryptosystems. In addition, we observed that the variances of NPCR and UACI for all the test images are extremely small for all the CS-based cryptosystems, which implies that the proposed cryptosystem has key sensitivity with stable performance. Fig. 9 shows the decryption results of the S-OTS scrambled with a one-bit wrong key. It demonstrates that one cannot visually recover the original 'Lena' after decryption with a one-bit wrong key. Table 6 shows the average PSNR over 100 trials of decrypted images for the CS-based cryptosystems, when we use a wrong key. For a cryptosystem with high key sensitivity, it is reasonable to assume that a decrypted image by a wrong key has the uniform distribution of the pixel values to provide no useful information about the original image. Under this assumption, Table 6 also presents the average PSNR of the decrypted images of uniformly distributed pixel values as a benchmark.
Compared to the other CS-based cryptosystems, the PSNR of the decrypted images of the S-OTS scrambled is relatively high, but close to the benchmark PSNR, where the decrypted images with a one-bit wrong key are not recognizable, as shown in Fig. 9(b).
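The following added example (not code from the paper) shows how the NPCR and UACI figures of a key-sensitivity test are computed, and checks them against the values expected when the two ciphertexts behave as independent, uniformly distributed 8-bit pixels. The cipher is a stand-in: a SHA-256 counter-mode keystream XORed with the image, assumed here only so the example is self-contained; it is not the SSG/Grain-128 construction of the proposed cryptosystem, and the test image and key are constructed.

```python
import hashlib

def npcr(c1, c2):
    """Percentage of pixel positions at which two cipher images differ."""
    return 100.0 * sum(a != b for a, b in zip(c1, c2)) / len(c1)

def uaci(c1, c2, levels=256):
    """Mean absolute intensity change as a percentage of the full range."""
    total = sum(abs(a - b) for a, b in zip(c1, c2))
    return 100.0 * total / (len(c1) * (levels - 1))

def expected_npcr(levels=256):
    # Two independent uniform pixels coincide with probability 1/levels.
    return 100.0 * (1 - 1 / levels)

def expected_uaci(levels=256):
    # E|a-b|/(levels-1) for independent uniform a, b is (levels+1)/(3*levels).
    return 100.0 * (levels + 1) / (3 * levels)

def keystream(key, n):
    """Stand-in keystream (SHA-256 in counter mode), not the paper's generator."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def encrypt(key, image):
    return bytes(p ^ k for p, k in zip(image, keystream(key, len(image))))

def flip_bit(key, bit):
    """Return a copy of the key with exactly one bit inverted."""
    k = bytearray(key)
    k[bit // 8] ^= 1 << (bit % 8)
    return bytes(k)

def key_sensitivity(image, key, bit):
    """NPCR and UACI between ciphertexts under key and its one-bit neighbour."""
    c1 = encrypt(key, image)
    c2 = encrypt(flip_bit(key, bit), image)
    return npcr(c1, c2), uaci(c1, c2)

# Constructed 256x256 8-bit image (smooth gradient) and constructed 128-bit key.
IMAGE = bytes((x + y) // 2 for y in range(256) for x in range(256))
KEY = bytes(range(16))

if __name__ == "__main__":
    n, u = key_sensitivity(IMAGE, KEY, bit=77)
    print(f"NPCR {n:.4f}% (expected {expected_npcr():.4f}%)")
    print(f"UACI {u:.4f}% (expected {expected_uaci():.4f}%)")
```

A cipher whose one-bit-key NPCR or UACI sits well away from these expected values leaks a relationship between neighbouring keys, which is what the averages and variances in Table 5 are meant to rule out.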

H. COMPUTATIONAL COMPLEXITY
For each CS-based cryptosystem, Table 7 shows the numbers of addition, multiplication, and XOR operations for encryption, respectively. Since the CS-decryption performance of the S-OTS cryptosystem is known to be independent of $q$ [32], we can select $q \ll n$ to reduce the computational complexity for the S-OTS scrambled, while maintaining reliable CS-decryption performance. Given identical compression ratio $\rho$ and quantization bit size $a$ for all the CS-based cryptosystems, the computational complexity including all operations of the S-OTS scrambled is $O(n^2)$. For the Kronecker CS, the minimum computational complexity is $O(n^2)$ for $n/p = 2$, since $n/p \geq 2$ is an integer from the secret matrix structure of the Kronecker CS. This implies that the S-OTS scrambled can have similar computational complexity to the Kronecker CS. Also, the computational complexity of the S-OTS scrambled is lower than the computational complexity $O(n^3)$ of circular, division, and parallel CS, respectively. Note that the multiplication operations with bipolar entries of the secret matrix of the S-OTS scrambled can be implemented as simple operations, i.e., sign change for the numbers multiplied with the negative entries. Meanwhile, the other CS-based cryptosystems require more complex multiplication with floating point numbers. Therefore, we conclude that the proposed cryptosystem has a benefit in terms of computational complexity with a proper selection of $q$.

TABLE 7. Numbers of addition, multiplication, and XOR operations for encryption.

| Cryptosystem | Addition | Multiplication | XOR |
|---|---|---|---|
| S-OTS scrambled | $\rho n^2 (q - 1)$ | $\rho n^2 q$ | $5a\rho n^2$ |
| circular CS [23] | $\rho n^2 (n - 1) + 2\rho n^2$ | $\rho n^3 + 2\rho n^2$ | $a\rho n^2$ |
| Kronecker CS [24] | $\rho n^2 (n/p - 1)$ | $\rho n^3 / p$ | $4a\rho n^2$ |
| division CS [25] | $\rho n^2 (n - 1) + 2\rho n^2$ | $\rho n^3$ | $2a\rho n^2$ |
| parallel CS [30] | $\rho n^2 (n - 1)$ | $\rho n^3$ | $2a\rho n^2$ |

VI. CONCLUSION
In this paper, we proposed a secure CS-based cryptosystem for image encryption with a hardware-friendly structure, which can be easily implemented in real-world applications. In addition to a sparse secret matrix for efficient CS-encryption, a scrambling mechanism has been proposed for enhancing the statistical security of the CS-encryption. We numerically confirmed that the proposed CS-based cryptosystem has more reliable CS-decryption performance than the other CS-based cryptosystems. To analyze the statistical security, we investigated the histogram, entropy, correlation and plaintext sensitivity of the proposed cryptosystem, which demonstrates that the proposed cryptosystem is sufficiently secure in terms of the statistical measures. In particular, we confirmed that our bit-level diffusion by the proposed scrambler structure achieves better plaintext sensitivity than the element-level diffusion mechanisms of the other CS-based cryptosystems. In conclusion, the proposed cryptosystem can be statistically secure thanks to the proposed scrambler structure.

Despite the strong statistical security, the proposed CS-based cryptosystem may have some potential drawbacks. First, the bit-level diffusion by the proposed scrambler structure takes longer than the element-level diffusion. Also, the proposed scrambler structure requires memory space for the LIFO buffers as well as the scramblers. In future work, we will study how to reduce the time complexity and the memory requirement of the proposed cryptosystem. We found that the CS-based encryption of [49] employs the hash of a plaintext for keystream generation. Our future work may exploit the hash-based structure to improve our proposed CS-based cryptosystem further.