S-Box Design Based on 2D Multiple Collapse Chaotic Map and Their Application in Image Encryption

Abstract

As an essential part of an encryption system, the performance of a chaotic map is critical for system security. However, there are many defects for the existing chaotic maps. The low-dimension (LD) ones are easily predicted and are vulnerable to be attacked, while high-dimension (HD) ones have a low iteration speed. In this paper, a 2D multiple collapse chaotic map (2D-MCCM) was designed, which had a wide chaos interval, a high complexity, and a high iteration speed. Then, a new chaotic S-box was constructed based on 2D-MCCM, and a diffusion method was designed based on the S-box, which improved security and efficiency. Based on these, a new image encryption algorithm was proposed. Performance analysis showed that the encryption algorithm had high security to resist all kinds of attacks easily.

1. Introduction

With the rapid development of the network, image transmission through network has become more and more popular, contributing to higher risk of information leakage [1]. Therefore, the security of image transmission has become a research hotspot. Encryption of an image is the most direct and effective way to ensure image security [2,3]. In addition, as a large amount of information can be carried by images, higher speed of encryption algorithm is required. Because chaotic maps can quickly generate highly complex pseudo-random sequences, the combination of chaotic map and image encryption has become a focus of attention [4,5,6].

The research of image encryption algorithm based on chaotic maps is mainly focused on the optimization algorithm structure and optimization of chaotic map. For the former one, common encryption algorithms consist of two steps: scrambling and diffusion. Scrambling can not only change the pixel position in the image but also destroy the image structure. For image encryption algorithms based on chaotic maps, it is most common to directly scramble the image by using the index of chaotic sequence [7]. With further research, some other scrambling methods have been designed such as wavelet transform [8,9], cellular automata [10,11], and special matrix [12,13,14].

Diffusion is particularly important for encryption algorithms, which can extend the local changes in the image to the whole and, finally, change the pixels in the image and hide the image information. In addition to using chaotic sequences for diffusion [15], some methods in other fields, such as DNA computing [16,17,18] and Brownian motion [19,20], also help in diffusion. However, the implementation of the methods mentioned above is relatively complex. For example, encryption using DNA computing requires definitions of DNA addition and subtraction, which make the implementation far more difficult and, thus, make the speed of encryption slower. However, the substitution box (S-box), as a square matrix, becomes a key part of the block cipher, achieving a non-linear transformation of the input, and it is widely used because of high speed and security [21,22,23,24,25,26].

The optimization of chaotic maps is another research hotspot. The performance of chaotic maps will directly affect the security of encryption algorithms, and some encryption algorithms based on simple chaotic maps have been proven to be insecure. There are two main methods to search for high performance chaotic maps: to explore the combination or variation of existing chaotic maps [15,27,28] and to construct new chaotic maps [7,29,30,31]. Essentially, both approaches in many cases are the explorations of higher-dimensional chaotic maps. HD chaotic map has many advantages, such as more parameters and variables and high complexity, but there are some disadvantages, such as low iteration speed and unstable chaotic state. Therefore, it is vital to design a chaotic map that can provide a high complexity chaotic sequence without much computation.

Therefore, we proposed a new two-dimensional (2D) chaotic map, called 2D multiple collapse chaotic map (2D-MCCM). Based on the analysis of its phase trajectory, bifurcation diagram, Lyapunov exponent, and entropy spectrum, it is demonstrated that, compared with the existing 2D chaotic maps, 2D-MCCM has stronger randomness, larger chaotic range, and higher complexity. Then, a high-performance S-box was designed based on 2D-MCCM and the self-scrambling method. The S-box can be applied in diffusion and can obtain efficient and remarkable results. Therefore, we proposed an image encryption algorithm based on 2D-MCCM and S-box. With S-box, the security and efficiency of the algorithm can be dramatically improved.

The rest of this paper is organized as follows. Section 2 presents a 2D-MCCM chaotic map and its performance. Section 3 introduces the generation method of S-boxes and analyzes the security of the generated S-boxes. An image encryption algorithm based 2D-MCCM and S-boxes is presented in Section 4. Section 5 evaluates the performance of the encryption algorithm. Finally, Section 6 concludes the paper.

2. Design of 2D Chaotic Map

Stretching and collapse are the conditions of chaos behavior in the map. Stretching will lead to the separation of adjacent phase points, which reflects the sensitivity of the initial value of the map. Collapse is to constrain the map to a fixed region, so every x corresponds to multiple y, and, thus, chaos is generated accordingly.

For map f (x) and g (x), and assuming that f′(x) ≥ g′(x), x ∈ [a, b], it can be obtained as

$$\begin{array}{l}\hspace{1em}{f}^{\prime }(x)-g^{\prime }(x)\ge 0\\ \Rightarrow f(b)-g(b)\ge f(a)-g(a)\\ \Rightarrow f(b)-f(a)\ge g(b)-g(a)\end{array}$$

If f (x) and g (x) are collapsed into [c, d], where c ≥ a, d ≤ b, it can be obtained as

$$\frac{f(b)-f(a)}{d-c}\ge \frac{g(b)-g(a)}{d-c}$$

Based on the Lyapunov exponent [32] definition equation that

$$\lambda =\underset{n\to \infty }{\lim }\frac{1}{n}ln|{\displaystyle \prod _{i=0}^{n-1}{F}^{\prime }}(x_i)|.$$

(1)

Presuming that f′(x) ≥ g′(x), so

$$\begin{array}{l}\hspace{1em}\left|{\displaystyle \prod _{i=0}^{n-1}{f}^{\prime }}(x)\right|\ge \left|{\displaystyle \prod _{i=0}^{n-1}{\mathrm{g}}^{\prime }}(x)\right|\\ \Rightarrow \underset{n\to \infty }{\lim }\frac{1}{n}\ln \left|{\displaystyle \prod _{i=0}^{n-1}{f}^{\prime }}(x)\right|\ge \underset{n\to \infty }{\lim }\frac{1}{n}\ln \left|{\displaystyle \prod _{i=0}^{n-1}{\mathrm{g}}^{\prime }}(x)\right|\\ \Rightarrow {\lambda }_f\ge {\lambda }_g\end{array}$$

(2)

It indicates that the larger the derivative of the map is, the more times it is collapsed and the greater the Lyapunov exponent is.

Some simple one-dimensional (1D) chaotic maps can be generated by stretching and collapse. Currently, maps are collapsed mainly by adding function segments, trigonometric functions, and modular operations. For example, the Chebyshev map is achieved with the use of the cosine function to collapse the monotonic subtraction function arccos(x) to [−1, 1], resulting in chaotic behavior. Similarly, the Iterative chaotic map with infinite collapses (ICMIC) [33] is achieved with the use of sinusoidal functions to collapse the monotone decreasing function (1/x) to [−1, 1]. Additionally, Tent Map uses piecewise functions to double the range of functions before they collapse back to the original range. However, these 1D chaotic map structures are too simple, so their chaotic behavior can be easily predicted and the encryption algorithm is not secure when they are used.

2.1. Definition of 2D-MCCM

In order to solve the problems above, we designed a new 2D Multiple Collapse Chaotic Map (2D-MCCM). It has much more complex chaotic behavior and higher iteration speed than a 1D chaotic map, which is what HD chaotic maps do not have. The mathematical expression of 2D-MCCM is as follows:

$$\left\{\begin{array}{l}{x}_{n+1}=\arctan \left[\frac{b}{10a{y}_n}+\tan (a\pi x_n)\right];\\ y_{n+1}=\arctan \left[\frac{b}{a{x}_n}+\tan (10a\pi y_n)\right].\end{array}\right.$$

(3)

where, a and b are parameters, a, b ∈ (−∞, +∞).

In 2D-MCCM, the arctangent function is used to collapse the map instead of the sine function. Although the sine function can collapse the map to [−1, 1] and collapse the same map several times, the arctangent function as a monotone function can make the distribution of chaotic sequence more uniform. Moreover, the chaotic map has a wider chaotic domain, which makes it more suitable for image encryption.

2.2. Performance Evaluation

To evaluate the performance of 2D-MCCM, we use chaotic trajectories, bifurcations, Lyapunov exponents, and permutation entropy to analyze the attractors, chaotic sequence distribution, initial value sensitivity, and system complexity of 2D-MCCM, and compare them with four recently proposed 2D chaotic maps used for image encryption, i.e., 2D Sine Logistic modulation map (2D-SLMM) [34], 2D Logistic ICMIC cascade map (2D-LICM) [35], 2D Logistic-Sine-Coupling Map (2D-LSCM) [15], and 2D infinite collapse map (2D-ICM) [7], which are defined as follows.

$$\begin{array}{l}\text{2D-SLMM:\hspace{1em}\hspace{1em}\hspace{1em}}\end{array}\left\{\begin{array}{c}{x}_{i+1}=a(\sin (\pi y_i)+b)x_i(1-x_i);\\ y_{i+1}=a(\sin (\pi x_{i+1})+b)y_i(1-y_i).\end{array}\right.$$

(4)

$$\begin{array}{l}\text{2D-LICM:\hspace{1em}\hspace{1em}\hspace{1em}}\end{array}\left\{\begin{array}{c}{x}_{i+1}=\sin (21/(b(y_i+3)a{x}_i(1-a{x}_i)));\\ y_{i+1}=\sin (21/(b(a{x}_{i+1}+3)y_i(1-y_i))).\end{array}\right.$$

(5)

$$\begin{array}{l}\text{2D-LSCM:}\end{array}\left\{\begin{array}{c}{x}_{i+1}=\sin (\pi (4a{x}_i(1-x_i)+(1-a)\sin (\pi y_i)));\\ y_{i+1}=\sin (\pi (4a{y}_i(1-y_i)+(1-a)\sin (\pi x_{i+1}))).\end{array}\right.$$

(6)

$$\begin{array}{l}\text{2D-ICM:\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}\end{array}\left\{\begin{array}{c}{x}_{i+1}=\sin (\frac{a}{y_i})\cdot \sin (\frac{b}{x_i});\\ y_{i+1}=\sin (\frac{a}{x_i})\cdot \sin (\frac{b}{y_i}).\end{array}\right.$$

(7)

2.2.1. Phase Trajectory

Chaotic motion is an aperiodic reciprocating motion whose phase trajectory is a curve that never closes and is confined to a bounded region and, thus, leads to the generation of strange attractors. The dynamic characteristics of a chaos map can be preliminarily described based on its phase trajectory diagram. In general, for chaotic maps, the larger the distribution of strange attractors in the phase space is, the more uniform the distribution is, and the better randomness the chaotic sequence will have. In order to analyze the performance of 2D-MCCM, we set the initial values (x₀, y₀) = (0.4, 0.6) of 2D-MCCM, and took four 2D maps as comparison and iterated them for 20,000 times. In order to obtain the chaotic sequence in stable state, only the last 15,000 terms were selected for the phase trajectory diagram, as shown in Figure 1.

As shown in Figure 1, the trajectories of 2D-LICM, 2D-ICM, and 2D-MCCM all fill the whole phase space. However, it is obvious that the phase space of 2D-MCCM is larger and the trajectory distribution is more uniform. This indicates that the chaotic sequence generated by 2D-MCCM iteration has stronger randomness and its results are more difficult to be predicted, so it has higher security when used for image encryption.

2.2.2. Bifurcation Diagram

A bifurcation diagram can show how the variables of a chaotic system vary with bifurcation parameters, which is similar to phase trajectory diagram. The more uniform the distribution of bifurcation diagram is, the stronger the randomness of the chaotic system is. The difference is that the phase trajectory diagram only shows the trajectory of the chaotic map under certain parameter values, while the bifurcation diagram can show how the chaotic system behaves with the change of parameters. Figure 2 shows the bifurcation diagram of x component in 2D-MCCM and four 2D maps, respectively. The initial value is set as (x₀, y₀) = (0.4, 0.6). Since parameter a in 2D-LICM and 2D-ICM is not equal to 0, the parameter field is set as (0, 1]. It can be seen that only the bifurcation diagrams of 2D-LICM, 2D-ICM, and 2D-MCCM cover the entire chaotic interval. In order to describe the distribution of points in the bifurcation diagram more intuitively, we proposed a method to divide the bifurcation parameter domain into five segments on average and the chaotic domain into 10 segments on average. Then, we calculated the proportion of the number of points in each segment to the total number of points, respectively. The results are shown in Figure 3.

It can be seen from Figure 2 and Figure 3 that 2D-LICM, 2D-ICM, and 2D-MCCM are in chaotic state in the whole parameter domain. However, it is obvious that the bifurcation graph of 2D-MCCM is more uniform, which indicates that its chaotic sequence has strong randomness. At the same time, 2D-MCCM has a larger chaotic interval, which can provide a larger key space for image encryption.

2.2.3. Lyapunov Exponent

The Lyapunov Exponent (LE), which is used to quantitatively describe the speed of adjacent phase points in the phase space at the time of their separation, can illustrate the sensitivity of a chaotic map to initial values. The definition of LE of a 1D discrete map is given in Equation (1) above. Generally speaking, λ > 0 means that two adjacent phase points are about to separate, and the chaotic map is in a chaotic state. The larger λ is, the faster the adjacent points in the phase space separate from each other and the higher the sensitivity of the initial value is. For an n-dimensional chaotic map, there should be n LEs. When more than one Les are larger than 0, the system is in a hyperchaotic state, which means the system has more complex dynamic behavior.

In general, a 2D chaotic map has two LEs. Figure 4 shows the LEs’ comparison diagram between 2D-MCCM and the four 2D chaotic maps used as comparisons [36]. The parameter b of 2D-LICM, 2D-ICM, and 2D-MCCM is set to be 0.5, 21, and 21, respectively, denoting the larger LEs as λ₁ and the smaller LEs as λ₂. It can be seen from Figure 4 that 2D-LICM, 2D-ICM, and 2D-MCCM are all in a hyperchaotic state where a ∈ (0, 1]. However, the values of both λ₁ and λ₂ of 2D-MCCM are the largest, indicating that their initial sensitivity is the highest. In order to further study the influence of the values of parameters a and b on λ₁ of 2D-LICM, 2D-ICM, and 2D-MCCM, we drew a chaotic graph based on λ₁ in Figure 5. The value of λ₁ is larger when the color is closer to red. The closer the color is to red, the greater the value of λ₁ is. Obviously, the red region of 2D-MCCM is the largest, and the value of λ₁ increases with parameter b. In addition, parameter a does not significantly affect the value of λ₁, indicating that a is suitable for image encryption as a key. This shows that 2D-MCCM has the best performance compared with existing 2D chaotic maps and is also suitable for image encryption.

2.2.4. Spectral Entropy

Spectral entropy (SE) [37] can be used to quantitatively analyze the similarity between a chaotic sequence and a random sequence. The larger the SE value is, the more similar these two sequences are. The larger the SE value is, the more similar the sequence is with a random one, and the higher its security will be. According to the method in [37], the conditions of SE value of x sequence and y sequence of each 2D chaotic map are calculated with the transformation of parameter a, as shown in Figure 6. It can be seen that compared with the existing 2D chaotic maps, 2D-MCCM can generate chaotic sequences with higher complexity in the whole parameter domain, which can reduce the security risks caused by the reduction of chaos sequence complexity under specific parameters.

3. Design of S-Box

In this section, we devised a simple method of producing an 8-bit S-box using 2D-MCCM and selective self-scrambling.

3.1. S-Box Generation

Figure 7 briefly illustrates the generation process of an S-box, with specific steps as follows:

• To set the initial values and parameters of 2D-MCCM.
• To iterate 2D-MCCM to generate chaotic sequences x and y.
• To convert x to a random sequence X from 0-255 by Equation (8).

  $$X=\left\{floor(x\times {10}^{10})\right\}\mathrm{mod}256$$

  (8)
• To sort y in ascending order and record its position as index sequence Y.
• To select the value in X according to Y and check whether the value already exists in the S-box. If not, store the value in the S-box until there are 256 non-repeated values in the S-box.
• Then, to randomly generate four S-boxes according to the method in Step 5.
• Since linear attack and differential attack are the two most common attack modes, the two S-boxes with the best performance are selected according to the average non-linearity N_avg of S-boxes and the maximum differential approximation probability DP_max of the S-boxes, which are defined as S₁ and S_2, respectively. The calculation method is shown in Equation (9), and the larger the value is, the better the performance of the S-box is.

  $$f=\left\{\begin{array}{l}\begin{array}{cc}1.5N_{avg}-D{P}_{\max }& D>18\end{array}\\ \begin{array}{cc}1.5N_{avg}-2D{P}_{\max }& D<18\end{array}\end{array}\right.$$

  (9)
• S₂ is used to scramble S₁ to get the final S-box.

Table 1. An example of a generated 8-bit S-box.

i/j	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16
1	132	88	9	17	218	141	95	86	198	76	136	178	203	128	10	133
2	168	43	72	27	170	222	163	235	142	87	120	217	173	213	179	127
3	34	249	116	192	195	38	254	19	150	175	229	104	177	35	137	162
4	94	176	186	54	211	50	199	220	152	58	45	109	5	231	210	57
5	13	227	64	41	70	48	80	61	167	30	75	91	233	246	172	103
6	191	126	190	62	143	52	135	183	24	215	250	241	53	187	47	112
7	101	147	153	36	145	26	81	130	209	69	248	206	160	55	11	105
8	107	99	129	63	228	92	66	123	223	204	44	102	40	118	7	189
9	93	56	221	1	23	193	207	202	110	100	111	89	244	139	156	208
10	197	67	243	240	242	188	255	6	3	74	219	196	113	185	146	216
11	131	32	73	124	108	122	18	12	205	29	184	245	232	0	166	251
12	85	238	149	230	174	60	140	125	234	154	214	194	90	42	20	253
13	148	225	121	161	82	115	79	114	96	68	97	59	237	98	4	22
14	83	252	158	28	25	138	16	169	212	180	239	201	14	106	2	77
15	31	21	165	65	117	51	49	181	182	144	224	46	236	226	71	15
16	155	119	164	134	159	200	8	247	84	33	151	157	78	39	37	171

shows an 8-bit S-box based on the method above. Since this method only uses chaotic map iteration without complex matrix row and column transformation, it has high generation efficiency. At the same time, there is a selective self-scrambling, which ensures the performance of the generated S-box.

3.2. Performance Analysis of S-Box

In order to evaluate the performance of the constructed S-box, the following five methods are used for analysis in this section.

3.2.1. Nonlinearity

As a nonlinear calculation element, the nonlinear degree is an important index to evaluate the performance of the S-box. The expected value of the nonlinear degree is 112. Walsh spectrum [38] is usually used to calculate the nonlinearity of the S-box, which is defined as:

$$N_f=2^{-n}(1-\underset{\omega \in GF(2^n)}{max}|S_{<f>}(\omega )|)$$

(10)

where GF(2ⁿ) represents the Galois domain with space size of 2ⁿ, and S_{< f >}(ω) is the cyclic spectrum of function f (x), which is defined as:

$$S_f(\omega )=2^n{\displaystyle \sum _{\omega \in GF(2^n)}(-}1{)}^{f(x)\oplus x*\omega }$$

(11)

In general, the higher the nonlinearity of an S-box is, the more secure it will be. The eight nonlinearity values of the constructed S-box are 108, 108, 108, 108, 106, 108, and 108, respectively, with an average of 107.75. The minimum nonlinearity of the proposed S-box is easy to be attacked. However, the minimum nonlinearity of the proposed S-box reached 106, which is even better than the average nonlinearity of some S-boxes, indicating that the S-box is capable of resisting a nonlinear cryptanalytic attack.

3.2.2. Strict Avalanche Criterion

The strict avalanche criterion can quantitatively analyze the avalanche effect of Boolean function, that is, when the input of one bit of Boolean function changes, half of the output value will change [39]. For the S-box, the strict avalanche criterion is usually tested by calculating its dependence matrix. If the S-box strictly satisfies the strict avalanche criterion, every element in the dependence matrix will be 0.5.

Based on the method in [40], we calculated the dependence matrix of the S-box, as shown in

Table 2. Dependency matrix of the proposed S-box for the strict avalanche criterion (SAC).

i/j	1	2	3	4	5	6	7	8
1	0.5313	0.4844	0.4844	0.4844	0.4688	0.4531	0.5469	0.4844
2	0.4844	0.5156	0.4531	0.4844	0.4531	0.4531	0.5156	0.5469
3	0.5469	0.5313	0.4688	0.5156	0.4375	0.5000	0.4531	0.5000
4	0.4844	0.5313	0.4375	0.4531	0.4375	0.4688	0.4688	0.5000
5	0.5313	0.4531	0.4844	0.5313	0.4688	0.4531	0.4219	0.4375
6	0.5000	0.5156	0.5000	0.5313	0.5156	0.4688	0.5938	0.5313
7	0.5000	0.5469	0.5156	0.5313	0.5156	0.4219	0.5469	0.5469
8	0.4844	0.5156	0.5000	0.4219	0.4531	0.4375	0.4844	0.4688

. Meanwhile, it can be found that the average deviation of the elements in the dependence matrix from the expected value of 0.5 is 0.0327, which tends to be close to 0 and can satisfy SAC.

3.2.3. Bit Independence Criterion

Bit independence criterion (BIC) is a desirable feature for cipher transformation. For the Boolean functions f_i and f_j with two output bits of the S-box, if f_i⊕f_j is highly nonlinear and satisfies SAC as much as possible, then the S-box satisfies the BIC.

Based on the method in [40], we calculated Bic nonlinearity and BIC-SAC of S-box, as shown in

Table 3. Bit independence criterion for nonlinearity of the proposed S-box.

i/j	1	2	3	4	5	6	7	8
1	-	104	102	106	102	102	102	104
2	104	-	106	104	104	104	104	102
3	102	106	-	106	102	96	100	104
4	106	104	106	-	104	102	108	102
5	102	102	102	104	-	104	102	104
6	102	102	96	102	104	-	106	106
7	102	102	100	108	102	106	-	102
8	104	104	104	102	104	106	102	-

and

Table 4. Bit independence criterion for SAC of the proposed S-box.

i/j	1	2	3	4	5	6	7	8
1	-	0.4980	0.5059	0.5176	0.4961	0.4961	0.4746	0.4824
2	0.4980	-	0.5020	0.5313	0.4844	0.5156	0.5039	0.5195
3	0.5059	0.5020	-	0.4980	0.4746	0.4961	0.5176	0.5313
4	0.5176	0.5313	0.4980	-	0.5156	0.4766	0.5039	0.4883
5	0.4961	0.4844	0.4746	0.5156	-	0.4922	0.5078	0.4980
6	0.4961	0.5156	0.4961	0.4766	0.4922	-	0.4883	0.4941
7	0.4746	0.5039	0.5176	0.5039	0.5078	0.4883	-	0.5137
8	0.4824	0.5195	0.5313	0.4883	0.4980	0.4941	0.5137	-

. It was obtained that the mean value of BIC nonlinearity and BIC-SAC of the proposed S-box is 103.2857 and 0.5008, respectively. And the mean value of BIC-SAC is even better than that of the AES S-box, showing a very outstanding BIC performance.

3.2.4. Differential Approximation Probability

Differential approximation probability (DP) can be used to quantitatively analyze the crypt function’s resistance to differential attack. It represents the maximum probability of the output, which will be Δy in a given Boolean function when the input difference is Δx, and the expected value of DP is 0.0156. For an 8-bit S-box, the calculation formula of DP is as follows:

$$DP=\underset{\Delta x\ne 0,\Delta y}{\max }(\frac{\#\{x\in X|f(x)\oplus f(x\oplus \Delta x)=\Delta y\}}{2^8})$$

(12)

where X = {0, 1, ⋯, 255}. For the S-box, the less the maximum DP value, the stronger is the ability to resist a differential cipher attack.

Table 5. Differential approximation matrix of the proposed S-box.

i/j	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16
1	6	8	6	6	6	8	10	10	8	6	8	6	8	6	6	6
2	6	6	6	6	6	8	4	6	6	6	6	6	10	8	8	6
3	6	8	8	8	6	8	6	6	8	6	8	6	6	8	6	6
4	6	8	6	6	6	10	6	6	6	8	6	6	6	6	6	6
5	8	8	8	6	6	6	6	6	8	6	6	8	6	8	6	6
6	6	8	8	6	6	6	6	6	6	6	6	10	6	8	8	6
7	8	8	6	8	6	6	6	8	6	8	6	8	6	8	6	6
8	6	8	6	6	6	8	6	8	8	8	6	6	8	6	6	6
9	6	8	6	8	6	6	6	10	6	6	8	6	6	8	6	6
10	6	6	10	6	8	6	8	8	6	6	6	10	8	6	6	8
11	10	4	6	6	6	8	6	6	6	6	6	6	6	8	6	6
12	6	8	6	8	6	6	8	6	8	6	8	8	6	6	6	6
13	6	6	10	8	6	8	6	8	6	6	6	8	10	6	6	8
14	10	4	8	6	8	8	6	8	6	8	8	6	6	8	8	6
15	6	8	8	8	8	10	8	8	6	6	8	6	6	6	6	8
16	10	6	6	6	6	6	6	6	6	6	8	8	6	8	6	-

shows the differential approximation matrix of the proposed S-box, and the maximum value is 10. In addition, the maximum DP value of the proposed S-box can be calculated from Equation (12) to be 0.0391, which is close to the expected value, indicating its strong resistance to differential attacks.

3.2.5. Linear Probability

Linear Probability (LP) can be used to quantitatively analyze the cryptographic function’s ability to resist a linear attack, and the expected value of LP is 0.0625. As a nonlinear element, the S-box can realize the nonlinear map between input and output, and its ability to resist nonlinear attacks is very important. For an 8-bit S-box, the formula of LP is as follows:

$$LP=\underset{a_x,b_x\ne 0}{max}(\frac{\#\{x\in X|x\cdot a_x=f(x)\cdot b_x\}}{2^8}-\frac{1}{2})$$

(13)

where X = {0, 1, ⋯, 255}, a_x and b_x are input and output masks, respectively. In general, A lower LP value shows a stronger S-box of resisting the linear cryptanalysis attacks. Based on equation (13), we calculated the LP value of the proposed S-box to be 0.125, which is around the expected value, indicating its strong resistance to linear cryptanalysis attacks.

3.2.6. Performance Comparison

In order to better demonstrate the performance of the proposed S-box, the S-box generated by several recently proposed representative algorithms was analyzed [21,22,23,24,25,26], and the results are shown in

Table 6. Performance comparison between different S-boxes.

S-Box	Nonlinearity			BIC		SAC			MaxDP	LP
	Max	Min	Avg	BIC-Non.	BIC-SAC	Max	Min	Offset
Proposed	110	106	107.75	103.29	0.5008	0.5938	0.4219	0.0327	0.0391	0.1250
Ref. [21]	108	102	105.25	103.21	0.5070	0.5938	0.4688	0.0344	0.0547	0.1406
Ref. [22]	108	104	106.5	102.86	0.4939	0.6406	0.4063	0.0276	0.0469	0.1406
Ref. [23]	108	106	106.5	104.07	0.4968	0.6094	0.4219	0.0305	0.0391	0.1328
Ref. [24]	107	101	104.5	103.28	0.5019	0.6094	0.3828	0.0383	0.0391	0.1406
Ref. [25]	108	104	106.25	103.21	0.5004	0.6250	0.3906	0.0347	0.0469	0.1406
Ref. [26]	108	102	104.5	104.64	0.5075	0.6406	0.4219	0.0298	0.0469	0.1172
Ref. [27]	108	104	106.75	103.57	0.5022	0.6250	0.4063	0.0356	0.0391	0.1328
AES	112	112	112	112	0.5011	0.5625	0.4375	0.0295	0.0156	0.0625

. It can be seen that the proposed S-box was distinguished in all aspect. In addition, it can be concluded that AES S-box was not optimal on BIC-SAC and SAC, indicating that it is very difficult to design an S-box that is optimal in all indicators.

4. Proposed Image Encryption and Decryption Algorithm

4.1. Image Encryption Algorithm

In this section, an image encryption algorithm based on 2D-MCCM and a new S-box is proposed. The 2D-MCCM was used to process the key and generate the initial value, and a “diffusion-scrambling-diffusion” framework was used to improve security. Diffusion and scrambling are based on the random sequence generated by 2D-MCCM with both efficiency and security. The proposed S-box was used for the second diffusions, and its nonlinear characteristics were utilized to enhance the sensitivity of the algorithm to small changes in pixels. The algorithm structure is shown in Figure 8.

4.1.1. Initial Value Generation

The selection of the key affects the security of the whole encryption algorithm. In this section, we set the key K of the encryption algorithm as 32 random integers of 8 bits with a value range of [0, 255]. At this time, the length of the key K reached 256 bits, which is enough to resist violent attacks. For easy calculation, K is divided into three parts, such that K = [a₁, ⋯, a₄, b₁, ⋯, b₄, k₁, ⋯, k₂₄]. In addition, in order to enhance the key sensitivity of the algorithm, we used 2D-MCCM in the process of generating initial values from the key. The specific steps are shown in Algorithm 1.

Algorithm 1 The generation of initial values

Input: K: 32 8-bit random integers with values ranging from [0, 255]. 1: xr = [a1 + b1 × (k1 + ⋯ + k6)]mod π − π/2; 2: yr = [a2 + b2 × (k7 + ⋯ + k12)]mod π − π/2; 3: ar = [(k13 + ⋯ + k18)/a3 + b3]mod 4 − 2; 4: br = [(k19 + ⋯ + k24)/a4 + b4]mod 10 + 20; 5: for i = 1 to 104 do 6: Iterative 2D-MCCM map with xr, yr, ar and br as initial values to obtain chaotic  sequences X and Y; 7: end for 8: Z = X × Y; 9: x = (|Z(1)| + ⋯ + | Z(2 × 103)|)mod π − π/2; 10: y = (|Z(2 × 103 + 1)| + ⋯ + | Z(4 × 103)|)mod π − π/2; 11: a0 = (|Z(4 × 103 + 1)| + ⋯ + | Z(6 × 103)|)mod 4 − 2; 12: b0 = (|Z(6 × 103 + 1)| + ⋯ + | Z(104)|)mod 10 + 20; Output: Initial value (x0, y0, a, b)

4.1.2. S-Box-Based Diffusion

We designed a novel diffusion method based on 2D-MCCM and S-box, which can magnify small changes in pixels and quickly expand to the entire image. The diffusion algorithm has two steps: forward diffusion and reverse diffusion. Two diffusions in the opposite direction can make the diffusion more sufficient and improve the stability of the algorithm. Forward diffusion and reverse diffusion change the first pixel and the last pixel of the image, respectively, and then spread the transformation to the whole image to change the value of each pixel in the image. The specific process is shown in Algorithms 2 and 3.

Forward Diffusion

Algorithm 2 The forward diffusion process

Input: P: The plaintext image of size M × N. S: The proposed S-box. X, Y: Chaotic sequences generated by iterating 2D-MCCM map. 1: A(1) = {S(P(1) + 1) + floor[X(S(1) + 1) × 105] + floor[Y(S(256) + 1) × 105]}mod 256; 2: for i = 1 to (M × N − 1) do 3: k1 = i mod 256 + 1; 4: k2 = (255 − i) mod 256 + 1; 5: A(i + 1) = {S(A(i) + 1) + S(P(i + 1) + 1) +      floor[k1 × X(S(k1) + 1) × 105] + floor[k2 × Y(S(k2) + 1) × 105]}mod 256; 6: end for 7: A = reshape(A, M, N); Output: A: The matrix of forward diffusion.

Reverse Diffusion

Algorithm 3 The reverse diffusion process

Input: B: The global scrambled image of size M × N. S: The proposed S-box. X, Y: Chaotic sequences generated by iterating 2D-MCCM map. 1: C(M × N) = {S(B(M × N) + 1) + floor[X(S(256) + 1) × 105] +       floor[Y(S(1) + 1) × 105]}mod 256; 2: for i = (M × N) to 2 do 3: k1 = (255 − i) mod 256 + 1; 4: k2 = i mod 256 + 1; 5: C(i − 1) = {S(C(i) + 1) + S(B(i − 1) + 1) +      floor[k1 × X(S(k1) + 1) × 105] + floor[k2 × Y(S(k2) + 1) × 105]}mod 256; 6: end for 7: C = reshape(C, M, N); Output: C: The matrix of reverse diffusion.

4.1.3. Global Scrambling

A scrambling process can effectively reduce the correlation between pixels and reduce the redundant information in the image. The traditional scrambling method usually scrambles the index matrix of the pseudo-random sequence generated by the chaotic system once, but sometimes it cannot have a good scrambling effect because of the uncertainty of the pseudo-random sequence. For this reason, a new global scrambling method was designed, which gradually scrambles the image from local to global. The specific steps are shown in Algorithm 4.

Algorithm 4 The global scrambling process

Input: The image A with size M × N obtained by diffusion I and the chaotic sequence X, Y. 1: Divide A into u parts on average; 2: m = M/sqrt(u), n = N/sqrt(u); 3: for i = 1 to u do 4: [~, Ii] = sort[X(103 × i: 103 × i + m × n − 1)]; 5: end for 6: Scrambling each part of A with Ii; 7: [~, J] = sort[Y(103: 103 + u − 1)]; 8: Scrambling the order of the u parts with J to get a matrix A′; 9: Z = X × Y, 10: [~, K] = sort[Z(103: 103 + M × N − 1)]; 11: Scrambling each pixel in A′ with K to get a matrix B. Output: The scrambled matrix B.

For a more intuitive explanation of the proposed global scrambling method, a numerical illustration for a 4 × 4 image is given in Figure 9. The 4 × 4 plaintext image was evenly divided into four parts for scrambling with a good scrambling effect. Considering safety and efficiency comprehensively, the image was divided into 256 parts for scrambling in practical use.

4.2. Image Decryption Algorithm

In simple terms, the decryption process and the encryption process are mutually inverse ones, which mainly include generating initial value from the correct key, finding inverse S-box, inverse backward diffusion, inverse global scrambling, and inverse forward diffusion. For the decryption algorithm proposed, a solution to inverse S-box is a vital step, which remarkably affects the efficiency of the decryption algorithm. The specific generation method is shown in Algorithm 5.

Algorithm 5 Generation of an inverse S-box

Input:S: The proposed S-box. 1: S(S = 0) = 256; 2: for i = 1 to 256 do 3: S′(S(i)) = i; 4: end for 5: S′ = reshape(S′, 16, 16); Output: S′: The inverse S-box.

Since the S-box contains 0 rather than 256, regarding 0 as an index is meaningless. Therefore, before the S-box is used to generate the inverse S-box, 0 is replaced with 256. In this way, pixels with a value of 0 in the ciphertext image can be replaced with 256 to restore the image using the inverse S-box before decryption.

5. Simulation Results and Security Analysis

Security is the most important indicator to evaluate the image encryption algorithm. Therefore, the security of the proposed encryption algorithm is evaluated in many perspectives, and comparison with other representative encryption algorithms is made.

5.1. Encryption Result and Histogram Analysis

A histogram of the image can intuitively show the distribution of the pixels. As pixel distribution of each plaintext image is regulated by certain law, the purpose of encryption is to destroy the law, preventing the attacker from acquiring the information in the image histogram, and the pixels should be evenly distributed.

In this section, five 512 × 512 images were used for the experiment. The color images were Earth and Splash, and the gray images were Lena, Black, and White. The results are shown in Figure 10. The histograms of five plaintext images had their own features. After encryption, both grayscale and color images turned into noise-like ciphers. They can only be distinguished by their ciphertext and histogram, and no more useful information can be obtained. This showed that the proposed algorithm can resist the attack of statistical analysis based on pixel distribution.

Since the histogram can only demonstrate pixel distribution, when it comes to the similarity of histograms of the five ciphertext images in Figure 10, it failed to describe their differences accurately. Therefore, the χ² statistics [41] is usually used to quantitatively analyze the uniform distribution of pixels in the image, which is defined as:

$${\chi }^2={\displaystyle \sum _{i=0}^{255}\frac{{(f_i-g)}^2}{g}}$$

(14)

where f_i is the frequency distribution of pixel values in the image and g is its theoretical frequency distribution. When the significance level is 0.05, the pixels of the image are considered to be evenly distributed, where point ${\chi }_{\mathrm{0.05(255)}}^2$ = 293.2478. In general, the smaller the χ² value of an image, the more uniform the pixel distribution is.

Table 7. Chi-square test of ciphertext images.

Image			χ2
Color image	Earth	R	247.6250
		G	218.9609
		B	254.3496
	Splash	R	223.7773
		G	266.7207
		B	279.7109
Grayscale image	Lena		232.2539
	Black		231.0508
	White		232.4707

shows the χ² test results of the five test images after encryption. It can be seen that the χ² value of all ciphertext images was less than 293.2478, indicating that the proposed encryption algorithm had good encryption effect for both color images and grayscale images.

5.2. Shannon Entropy Analysis

Shannon entropy can be used to describe the randomness of pixels in an image. The larger its value is, the more similar the image is with a random image. Its calculation method is as follows:

$$H(x)=-{\displaystyle \sum _{i=1}^n{p}_i}{log}_2{p}_i$$

(15)

where x is pixel, p_i is probability of taking each pixel, i = 1, 2, ⋯, n, 0 < p_i < 1, and p₁ + p₂ + ⋯ + p_n = 1. Shannon entropy for the 8-bit sequences is 8 when all pixels are equally probable. For image encryption, it is desirable to encrypt the image into a random image. Therefore, the closer the Shannon entropy of the ciphertext image is to 8, the better the encryption effect of the algorithm will be.

Table 8. Shannon entropy of plaintext images and ciphertext images.

Image	Plaintext Image	Ciphertext Image
Lena	7.2185	7.9994
Black	0	7.9993
White	0	7.9993

shows the comparison of Shannon entropy of the three gray images before and after encryption. It can be seen that the Shannon entropy of the three ciphertext images was very close to the expected value. For Black and White, although the Shannon entropy was 0 because the pixels in the images were exactly the same, the proposed algorithm still had a good encryption effect after encryption.

Since Shannon entropy is calculated based on the global image, its accuracy and calculation efficiency are easily affected by the image size; thus, it fails to be used as a general test standard. In order to analyze the proposed encryption algorithm more comprehensiv-ely, the local Shannon entropy (LSE) calculation method proposed in [42] was adopted. The LSE is obtained by randomly selecting k blocks of the same size from an image and calculating the average entropy of each of them as follows:

$$H_{k,N}(P)={\displaystyle \sum _{i=1}^k\frac{H(L_i)}{k}}$$

(16)

where L_i is the blocks picked and k and N are the number of pixels and number of blocks, respectively. In order to facilitate the analysis, the significance level is set at 0.05 and (k, N) = (30, 1936) during the experiment. At this point, when LSE is within the interval of [7.901901, 7.903037], the image is considered to have passed the test and is close to random distribution.

Twenty-five standard images from the USC-SIPI image database were selected for several experiments. The average was taken as the final result, and the experimental results were compared with three typical algorithms [12,15,30]. The experimental results are shown in

Table 9. Comparison of local Shannon entropy of different encryption algorithms.

Image	Size	LSE
		Ref. [15]	Ref. [30]	Ref. [12]	Proposed
5.1.09	256 × 256	7.902281	7.902967	7.903154	7.902848
5.1.10	256 × 256	7.902198	7.902436	7.901680	7.901973
5.1.11	256 × 256	7.899982	7.904837	7.902725	7.902510
5.1.12	256 × 256	7.902827	7.890333	7.901605	7.902480
5.1.13	256 × 256	7.902281	7.903234	7.901269	7.902726
5.1.14	256 × 256	7.903117	7.902911	7.902341	7.903120
5.2.08	512 × 512	7.902304	7.903500	7.902038	7.902896
5.2.09	512 × 512	7.902022	7.902604	7.902722	7.902585
5.2.10	512 × 512	7.906701	7.902812	7.902478	7.902364
5.3.01	1024 × 1024	7.902119	7.902591	7.902057	7.902349
5.3.02	1024 × 1024	7.902119	7.902850	7.902396	7.902230
7.1.01	512 × 512	7.902191	7.903333	7.902012	7.901949
7.1.02	512 × 512	7.902047	7.901752	7.902484	7.904338
7.1.03	512 × 512	7.902584	7.904041	7.902833	7.902261
7.1.04	512 × 512	7.901913	7.901952	7.902047	7.902943
7.1.05	512 × 512	7.902392	7.902065	7.902568	7.902546
7.1.06	512 × 512	7.902565	7.902507	7.902022	7.902645
7.1.07	512 × 512	7.904015	7.902027	7.902398	7.902925
7.1.08	512 × 512	7.901096	7.902023	7.902137	7.902640
7.1.09	512 × 512	7.902933	7.902044	7.902142	7.902116
7.1.10	512 × 512	7.902534	7.902021	7.902171	7.902623
7.2.01	1024 × 1024	7.902529	7.902051	7.902330	7.902438
boat.512	512 × 512	7.901782	7.902769	7.902046	7.902846
gray21.512	512 × 512	7.902593	7.902200	7.902718	7.902190
ruler.512	512 × 512	7.904102	7.902178	7.902004	7.902658
PASS/ALL	-	18/25	18/25	21/25	23/25

. It can be seen that after encrypting 25 images, 23 ciphertext images of the proposed algorithm passed the LSE test, indicating that the proposed encryption algorithm can encrypt images into ciphertext images with high randomness.

5.3. Adjacent Pixel Correlation Analysis

The correlation of adjacent pixels is an important index to evaluate the redundant information in the image, and encryption is to remove the redundant information. The lower the correlation of the adjacent pixels of the ciphertext image is, the less redundant information there is, and the better encryption effect algorithm has. Supposing that N adjacent pixels (x_i, y_i) are randomly selected from the image, the calculation method of the correlation of adjacent pixels is as follows:

$${\rho }_{xy}=\frac{1}{N}{\displaystyle \sum _{i=1}^N\frac{(x_i-\overline{x})(y_i-\overline{y})}{{\sigma }_x{\sigma }_y}}$$

(17)

where σ_x and σ_y are the standard deviations of x and y, respectively. When the correlation between adjacent pixels in the image is at a low level, its correlation value is close to 0, otherwise it is close to 1. The value of correlation between adjacent pixels can be negative.

In this Section, 25 standard images for encryption and 5000 pairs of adjacent pixels were selected for calculation of the correlation coefficients of the Horizontal, Vertical, and Diagonal diagonals of the ciphertext images. The absolute value of the correlation coefficient was taken, which was convenient for observation, and the results are shown in Figure 11. It can be seen that after the encryption of the 25 standard images, the correlation coefficients of the adjacent pixel points of the ciphertext images in all directions dropped to around 0 and were all less than 0.006, which is approximately no correlation. This shows that the proposed algorithm can significantly disrupt the correlation of adjacent pixels of an image and encrypt arbitrary images of different sizes with excellent results.

In addition to the correlation coefficient of the image, we can also analyze the encryption effect of the algorithm using the correlation graph of the adjacent pixels of the image. Figure 12 shows the correlation diagram of adjacent pixels before and after Lena encryption. It can be seen that the pixel pairs of plaintext images were clustered near x = y and had a strong correlation; however, after encryption, the pixel pairs were evenly distributed and the correlation was greatly reduced. It shows that the proposed algorithm can destroy the correlation between pixels well and has the ability to resist anti-statistics attack.

5.4. Robustness to Noise and Data Loss

Due to human or non-human factors, loss and destruction of data may occur in information transmission. An encryption algorithm is considered to be effective if it can recover the plaintext image from the ciphertext image under shear attack or noise attack.

In this section, we made preliminary analysis of the ability of the proposed encryption algorithm to resist shear attack. We cut down 1/256, 1/16, and 1/4 of the pixels in Lena ciphertext images, respectively, and then decrypted them. The results are shown in Figure 13. It can be seen that even if the ratio of data loss reached 1/4, most information of the image can still be recovered, indicating that the proposed algorithm can resist shear attack.

Subsequently, in order to analyze the robustness of the proposed encryption algorithm to noise attack, we added 1%, 5%, and 10% impulse noise in the ciphertext images of Lena, respectively, and then decrypted them. The results are shown in Figure 14. It can be seen that, although the recovered image information became less and less with the increase of noise ratio, the decrypted images can still be distinguished, indicating that the proposed algorithm is able to resist noise.

5.5. Key Sensitivity Analysis

Key sensitivity analysis is an important index to evaluate the security of an encryption algorithm and decryption algorithm, and aims to compare two images obtained by encryption or decryption before and after the slight change of key. The more different they are, the higher the sensitivity of key will be. In practical application, the difference between the two images can be quantitatively analyzed by calculating the rate of change of pixel number (NPCR) and the normalized mean intensity of change (UACI) [43], as shown below.

$$NPCR=\frac{1}{M\times N}{\displaystyle \sum _{i=1}^m{\displaystyle \sum _{j=1}^{n}D}}(i,j)\times 100\%$$

(18)

where

$$\begin{gathered} D(i,j)=\left\{\begin{array}{l}1P_1(i,j)\ne P_2(i,j)\hfill \\ 0P_1(i,j)=P_2(i,j)\hfill \end{array}\right. \\ UACI=\frac{1}{M\times N}{\displaystyle \sum _{i=1}^m{\displaystyle \sum _{j=1}^n\frac{|P_1(i,j)-P_2(i,j)|}{F}}}\times 100\% \end{gathered}$$

where P₁ and P₂ are the two images used for comparison, M × N is the size of the image, and F is the maximum pixel value allowed in the image.

In general, the expected values of NPCR and UACI are 99.6094% and 33.4635%, respectively. However, a more rigorous discrimination method is proposed in [43]. That is, when the significance level is α, the two images could be considered completely different if the NPCR of the two images is greater than $N_{\alpha }^{*}$ or the UNCI is among the range of $[U_{\alpha }^{*-},U_{\alpha }^{*+}]$. $N_{\alpha }^{*}$, $U_{\alpha }^{*-}$, and $U_{\alpha }^{*+}$ can be obtained by the following equations:

$$N_{\alpha }^{*}=(F-{\varphi }^{-1}(\alpha )\sqrt{F/M\times N})/(F+1)$$

(19)

$$\left\{\begin{array}{l}{U}_{\alpha }^{*-}=\mu -{\varphi }^{-1}(\alpha /2)\sigma \hfill \\ U_{\alpha }^{*+}=\mu +{\varphi }^{-1}(\alpha /2)\sigma \hfill \end{array}\right.$$

where

$$\left\{\begin{array}{l}\mu =(F+2)/(3F+3),\\ \sigma =\sqrt{\frac{(F+2)(F^2+2F+3)}{18{(F+1)}^{2}F(M\times N)}}\end{array}\right.$$

At the same time, $U_{\alpha }^{*+}$ denotes the inverse cumulative density function. In

Table 10. Expected values of NPCR and UACI for images of different sizes (unit: %).

Image Size	${\mathit{N}}_{\mathit{\alpha }}^{*}$	${\mathit{U}}_{\mathit{\alpha }}^{*-}$	${\mathit{U}}_{\mathit{\alpha }}^{*+}$
256 × 256	99.5693	33.2255	33.7016
512 × 512	99.5893	33.3730	33.5541
1024 × 1024	99.5994	33.4183	33.5088

, the significance level was set at 0. 05 to obtain the expected values of NPCR and UACI for images of different sizes.

In the test of the encryption algorithm, the NPCR value and UACI value between the ciphertext images were obtained after randomly changing the key 1 bit twice. For the decryption algorithm, the correct key was first used for encryption, and then the wrong key was used for decryption. After randomly changing the key 1 bit, the decryption was carried out again, and the image obtained by two decryptions was used for calculation. In order to make the experimental results more accurate and intuitive, we carried out several experiments and took the average values as the final results, as shown in Figure 15 and Figure 16. It can be seen that both the encryption algorithm and the decryption algorithm passed the tests of all 25 images, indicating that they have good key sensitivity.

5.6. Difference Analysis

For the encryption algorithm with poor diffusion performance, the attacker can break the encryption algorithm by constructing a specific plaintext image and analyzing the ciphertext image. This attack method is called a differential attack, also known as a selective row plaintext attack. Therefore, it is very important for an encryption algorithm to resist a differential attack.

In general, the stronger the diffusion performance of the encryption algorithm is, the better it is to resist differential attack. Two slightly different plaintext images were encrypted using the algorithm with the same key and then these two ciphertext images obtained were compared to analyze the algorithm’s ability to resist a differential attack, which is called a plaintext sensitivity test.

Based on the analysis above, NPCR and UNCI introduced in the previous section were used for the test. Different from the sensitivity of the test key, the 256-bit key K was randomly generated firstly, and K was used to encrypt the test image. Then, a pixel in the test image was randomly changed by 1, and then K was used to encrypt the changed image. Finally, the NPCR value and UACI value of the ciphertext image obtained by two encryptions were calculated and compared with the algorithms in [31,35,44], as shown in Figure 17 and Figure 18. It can be seen that the proposed algorithm passed the NPCR and UACI tests of all 25 images, indicating that the proposed algorithm is superior in resisting a differential attack.

6. Conclusions

In this paper, a new 2D chaotic map (2D-MCCM) was proposed. The results of the experiment showed that, compared with existing 2D chaotic maps, 2D-MCCM is very suitable for image encryption due to its advantages in fast iteration speed, large chaotic range, high randomness, stable initial sensitivity, and complexity. Then, we designed a new S-box, which was obtained by selective self-scrambling of multiple initial S-boxes generated by the chaotic sequence of 2D-MCCM. The analysis of the performance of the S-box showed that it has the ability to resist all kinds of security attacks.

Based on 2D-MCCM and the proposed S-box, we designed a new image encryption algorithm, with a main structure of forward diffusion, scrambling, and backward diffusion. The two diffusion processes are based on the nonlinear transformation characteristics of S-box and the chaotic characteristics of 2D-MCCM, which has a good diffusion effect. In addition, scrambling from local to global can effectively reduce the correlation between pixels. Simulation results showed that the algorithm can encrypt various images safely, is superior to several existing algorithms, and has a wide application prospect.