A New Color Image Encryption Scheme Using CML and a Fractional-Order Chaotic System

The chaos-based image cryptosystems have been widely investigated in recent years to provide real-time encryption and transmission. In this paper, a novel color image encryption algorithm by using coupled-map lattices (CML) and a fractional-order chaotic system is proposed to enhance the security and robustness of the encryption algorithms with a permutation-diffusion structure. To make the encryption procedure more confusing and complex, an image division-shuffling process is put forward, where the plain-image is first divided into four sub-images, and then the position of the pixels in the whole image is shuffled. In order to generate initial conditions and parameters of two chaotic systems, a 280-bit long external secret key is employed. The key space analysis, various statistical analysis, information entropy analysis, differential analysis and key sensitivity analysis are introduced to test the security of the new image encryption algorithm. The cryptosystem speed is analyzed and tested as well. Experimental results confirm that, in comparison to other image encryption schemes, the new algorithm has higher security and is fast for practical image encryption. Moreover, an extensive tolerance analysis of some common image processing operations such as noise adding, cropping, JPEG compression, rotation, brightening and darkening, has been performed on the proposed image encryption technique. Corresponding results reveal that the proposed image encryption method has good robustness against some image processing operations and geometric attacks.


Introduction
Widespread transmission of digital images over various communication media challenges to build credible security methods for the protection of confidential and sensitive information to be transmitted. Hence the security of digital information has become a hot recent topic. Different from text encryption, most conventional ciphers such as Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), Advanced Encryption Standard (AES), RSA (developed by Rivest, Shamir and Adleman), etc., are not suitable to build cryptosystems for digital images due to inherent features of image data, e.g. bulk data capacity, high redundancy, strong correlation among adjacent pixels, etc. The implementation of these traditional algorithms for image encryption usually requires more computation time and power, and causes also other problems such as in handling various data formatting.
In 1989, Matthews developed the first chaotic stream encryption algorithm [1]. After that, many studies have shown that chaos-based algorithms have advantages in applications of bulk data encryption, because the chaotic signals have cryptographically desirable properties such as extreme sensitivity to initial conditions and parameters, long periodicity, ergodicity, high randomness and mixing [2]. In contrast to traditional cryptographic techniques, it has been found that chaos-based image encryption schemes have superior performance with respect to the trade-offs between the security and efficiency.
Since Fridrich presented a symmetric image encryption algorithm using the two-dimensional standard Baker map in 1998 [3], many image cryptosystems have been developed during the past decades. In practical applications, three types of methods, i.e., permutation, diffusion, and their combined form, are usually employed to design image encryption algorithms [4][5][6][7][8][9]. The aim of permutation is to transform a meaningful image into a meaningless, disordered and unsystematic image through scrambling the positions of the plain-image pixels, which will enhance the computational complexity of a potential chosen-plaintext attack. In the diffusion process, the values of the original image pixels are changed sequentially so that a tiny change for one pixel can spread out to almost all pixels in the whole image. The image encryption methods using either the permutation-only method or the diffusion-only method have some shortcomings in both security and speed [6,9].
So far, most image encryption algorithms combine scrambling the pixels positions and modifying the grey values of image pixels to achieve required cryptographic properties. In [10], a new color image encryption method was introduced based on chaotic logistic maps. An external secret key of 80-bit length and two chaotic logistic maps are used. The initial conditions for the logistic maps are obtained using the external secret key. Eight different types of operations are applied to encrypt the image pixels. Wang et al. [11] proposed a new color image encryption algorithm based on the logistic map. Some schemes have been suggested to achieve secure image scrambling based on the Baker map [3], Arnold cat map [12], Standard map [5,13] etc. Note that the above-mentioned chaos-based image cryptosystems are usually based on the low-dimensional and single chaotic systems, which results in fundamental drawbacks such as insufficient key space, slow speed and weak security function.
In order to improve the security and efficiency performance, many image encryption methods based on three-dimensional chaotic systems, hyperchaos and even spatiotemporal chaos have been presented in recent years [4,[14][15][16][17][18][19][20][21][22][23]. For example, Chen et al. [4] generalized a twodimensional chaotic cat map to a three-dimensional one for constructing a real-time secure symmetric encryption scheme, where the three-dimensional cat map is utilized to create confusion in the relationship between the cipher-image and the plain-image. Mao et al. [14] extended the same idea with the three-dimensional chaotic Baker map. In [15], a digital image encryption scheme based on the mixture of chaotic systems was proposed, where a typical coupled map was mixed with a one-dimensional chaotic map and used for high degree security image encryption. Gao and Chen [16] presented a new image encryption scheme, which used an image total shuffling matrix to shuffle the positions of image pixels and then employed a hyper-chaotic system to confuse the relationship between the plain-image and the cipherimage. The authors in [17] pointed out that this method is very weak to a chosen plain-text attack and a chosen cipher-text attack. In [18], a new image authentication scheme based on a cell neural network with hyper-chaos characteristics (HCCNN) was introduced. Zhu [19] proposed a novel image encryption scheme based on improved hyperchaotic sequences. In this algorithm, the hyperchaotic sequences were firstly modified to generate chaotic key stream that is more suitable for image encryption. Then the final encryption key stream was generated by correlating the chaotic key stream with plain-text. Özkaynak et al. [20] argued that this method is not secure enough, and obtained the secret parameters of the cryptosystem by using chosen plain-text attacks. In [21][22][23], spatial chaos systems were applied for image encryption in order to overcome the drawbacks of small key space and weak security in widely used onedimensional chaotic system. However, the previously mentioned algorithms are restricted to grayscale images. Though some of them can be easily extended to handle color images, this extension comes with a cost of substantially increased computation time as a result of additional information required to represent color components.
As is well known, the color images can provide more abundant information than the grayscale ones and are frequently used in many areas. So how to develop a secure encryption algorithm for color images has attracted growing attentions in recent years. Patidar et al. [24] designed a fast loss-less symmetric color image cipher based on the widely used substitutiondiffusion architecture which utilized chaotic standard and logistic maps. However, the analysis and simulation results in [25] showed that only a pair of (plain-text/cipher-text) was needed to totally break this cryptosystem. In [26], Huang and Nien proposed a color image cryptosystem using multi-chaotic systems, which is composed of two shuffling stages parameterized by chaotically generated sequences. But this scheme cannot resist known-plaintext attack and chosen-plaintext attack [27]. Rhouma et al. [28] have devised an approach for color image encryption based on one-way coupled-map lattices (OCML). An external secret key of 192-bit length was used to generate the initial conditions and parameters of the OCML by making some algebraic transformations to the secret key. Liu and Wang [29] applied a bit-level permutation and high-dimension chaotic map to encrypt color image. Firstly, a plain color image of size M × N was converted into a grayscale image of size M × 3N and the grayscale image was transformed into a binary matrix. Then the matrix was permuted at bit-level by the scrambling mapping generated by a piecewise linear chaotic map (PWLCM). Secondly, the chaotic Chen system was employed to confuse and diffuse the red, green and blue components simultaneously. More recently, several schemes combined DNA computing with chaotic systems to encrypt color images [30,31]. Such experiments can only be done in a well equipped laboratory using current technology, and it needs higher cost. For these reasons, the studies of DNA cryptography are still focusing on affordable methods in terms of practicality.
Due to the finite precision of digital computers, the most serious defect in single chaotic systems is that the chaotic dynamics degrade fast as they are implemented in computers. Different from this, it has been revealed that spatiotemporal chaotic systems maintain much longer periodicity in digitalization and gain excellent performance in cryptography. On the other hand, chaotic attractors have been discovered in fractional-order systems in the past decade [32][33][34][35][36][37]. Compared to integer-order systems, the fractional-order systems are found to have more complex dynamics because the fractional derivatives have complex geometrical interpretation due to their nonlocal character and high nonlinearity [38]. In addition, the derivative orders can be also used as secret keys as well, which will increase the key space of the cryptosystem. To our best knowledge, there are few encryption techniques using the fractional-order chaotic systems. Therefore, for the purpose of high security, it is very promising to employ CML and fractionalorder chaotic systems in color images encryption.
Motivated by the above discussions, in this paper, we propose a new color image cryptosystem using CML and a fractional-order chaotic system. For the purpose of reaching higher security, higher complexity and higher sensitivity, the present work employs an image divisionshuffling process which firstly divides the plain-image into four sub-images, and then shuffles the position of pixels in the whole image. This procedure will significantly enhance the resistance of the proposed cryptosystem against known/chosen-plaintext attacks. In order to increase the security of the presented algorithm, an external secret key of 280-bit length is utilized to generate initial conditions and parameters of the CML and the fractional-order chaotic system by making some algebraic transformations to the key so that the proposed encryption scheme is greatly sensitive to changes in even a single bit of the key. Moreover, to further strengthen the security and sensitivity of the cryptosystem, the CML is used to shuffle the positions of pixels totally, and the fractional-order Chen chaotic system and the plain-image are employed to change the values of the pixels. A simultaneous generation of the key streams and the parallel image division-shuffling process can improve the efficiency of the proposed encryption algorithm. Both theoretical analyses and computer simulations verify the feasibility and superiority of the proposed image cryptosystem. In addition, an extensive tolerance analysis of some common image processing operations such as noise addition, cropping, JPEG compression, rotation, brightening and darkening, is performed on the proposed image encryption technique. The experimental results demonstrate that our method is highly robust against some common image processing operations and geometric attacks.

The Proposed Chaotic Cryptosystem for Color Images
The proposed chaos-based cryptosystem for color images consists of the following four parts: i) an image division-shuffling process, ii) a key streams generation process, iii) an image permutation process and iv) an image diffusion process. The flowchart of the image encryption procedure using the proposed scheme is displayed in Fig. 1. Firstly, the plain-image is divided into four sub-images, and then these blocks are shuffled to obtain a disordered image. This process can enhance the resistance of the cipher-image against plaintext attack. Secondly, a 280-bit external secret key is used to generate initial conditions and parameters of the CML and the fractional-order chaotic system. The key streams can be generated by using the obtained initial conditions and parameters to iterate the CML and the fractional-order chaotic system. Thirdly, the positions of the image pixels are permuted by the pseudo-random key stream generated from the CML. In the last stage, the pixel values are modified by the pseudo-random key stream generated from the fractional-order chaotic system. After this, the cipher-image is finally achieved.

The image division-shuffling process
Without loss of generality, we assume that the size of the color plain-image I is M × N, where M and N are the width and height of the image, respectively. Converting the image I into its red, green and blue components, one can get three color matrices I R , I G , I B with size M × N. Then combine the red, green and blue matrices horizontally by the following formula (1) and obtain a matrix I 1 with M rows and 3N columns: And the sizes of the other two blocks keep unchanged. In the following, we will further shuffle the plain-image, which makes the encryption operation more confusing and complex as it adds one extra step to the encryption process. We firstly create three empty matrices, i.e., P 1 with size ⎿M/2⏌×3N, P 2 with size (M−⎿M/ 2⏌)×3N and I 2 with size M ×3N. Then insert each column of Blk.4 in turn into the odd columns of matrix P 1 and insert each column of Blk.1 sequentially into the even columns of matrix P 1 as illustrated in Fig. 3. Similarly, insert each column of Blk.2 in turn into the odd columns of matrix P 2 and insert each column of Blk.3 sequentially into the even columns of matrix P 2 . Finally, insert each row of P 2 in turn into the odd rows of matrix I 2 and insert each row of P 1 sequentially into the even rows of matrix I 2 . Thus a disordered image matrix I 2 with size M ×3N is obtained.
Implementing the above procedure, we apply the first complexity to our encryption approach, which significantly enhance the resistance against known/chosen-plaintext attacks.

CML and the fractional-order Chen chaotic system
The cryptosystems based on widely used one-dimensional discrete chaotic maps suffer from fundamental drawbacks such as small key space, slow performance speed and weak security function [39]. To overcome these limitations in the proposed encryption scheme, a 2D coupled map lattice (CML) and the fractional-order Chen chaotic system are utilized to generate the key streams.
A 2D CML was introduced by Kaneko and Tsuda [40] as a simple model capturing essential features of spatiotemporal dynamics of extended nonlinear systems and later was employed for modeling complex spatial phenomena in diverse areas of science and engineering. Recently, CML was introduced for cryptography of a self-synchronizing stream cipher. The 2D CML is defined as follows: where f(x) is the mapping function, n is the discrete time index, n = 0, 1, 2.. . .,L−1, with L being the system size, k = 1, 2, . . .,S is the lattice site index, and "2(0, 1) is the coupling constant. In general, periodic boundary conditions x n (k+L) = x n (k) are assumed, and f(x) = 1-μx 2 is chosen where μ is a constant parameter and μ2(0, 2). The chaotic behavior of 2D CML (2) is demonstrated in Fig. 4(a). Another chaotic system in our scheme is the fractional-order Chen chaotic system, which is described by where a, b, c and d are positive system parameters. When a = 35, b = 7, c = 28, d = 3, and α j 2[0.8,1] (j = 1, 2, 3), the fractional-order Chen system behave chaotically [41], as displayed in Fig. 4(b).

Generation of the initial conditions and parameters
In the proposed scheme, let L = M × N and S = 3 for the CML, i.e., n = 0, 1, 2,. . ., M × N − 1, k = 1, 2, 3. In view of the basic need of cryptology, the cipher-text should have a close correlation with the key. There are two ways to accomplish this requirement: one is to mix the key thoroughly into the plain-text through the encryption process, another is to use a good key generation mechanism. Here we use a 280-bit long external secret key (K), which is divided into blocks (K i ) of 8-bit, to derive the parameters ", μ, a j (j = 1, 2, 3) and the initial conditions , y 1 (0), y 2 (0) and y 3 (0) in systems (2) and (3). The 280-bit long secret key (K) is given by: The initial conditions and parameters are obtained as follows: x 0 ð3Þ ¼ where the | operator is the bitwise OR; the & operator is the bitwise AND; ⊕ is the bitwise XOR operator. Clearly, from Equations (5)- (15), one can see that the initial conditions and parameters of the CML and the fractional-order Chen system are greatly sensitive to changes in even a single bit of the 280-bit secret key. Therefore, the proposed cryptosystem with a key space of 2 280 can resist any brute-force attack.

Image permutation based on CML
Image data have strong correlations among adjacent pixels in horizontal, vertical, and also diagonal directions for both natural and computer-graphical images. In order to weaken the strong relationship among adjacent pixels, a CML is used to scramble the pixel positions of the image I 2 .
Step 2. Preprocess the above three chaotic sequences by the following formula (16): where x l 1 þi ðjÞ 2 D j , x 0 l 1 þi ðjÞ 2 D 0 j , i = 1, 2, . . ., MN, j = 1, 2, 3, and Round(x) represents the integer function which rounds the real number x to the nearest integer. Thus we get three chaotic analogue sequences D 0 1 , D 0 2 and D 0 3 with very well expressed random-like properties.
Step 6. Let i 1; Step 7. Sort N values of the i-th row of MD j and obtain the transform positions TM j,i = {pm j,i (1), pm j,i (2),. . . pm j,i (N),} (j = 1, 2, 3). Scramble the pixel positions of the i-th row of image I 3,j according to TM j,i , i.e., move the pm j,i (1) column of the i-th row to the first column, the pm j,i (2) column of the i-th row to the second column etc., until all columns have been moved; thus a new column transformation of the i-th row is generated.
Step 8. Let i i + 1, return to Step 7 until i reaches M. Thus we get three row-permuted matrices I 41 , I 42 and I 43 .
Step 9. Let i 1; Step 10. Sort M values of the i-th column of MD j and obtain the transform positions . Shuffle the pixel positions of the i-th column of image I 4j according to TD j,i , i.e., move the pd j,i (1) row of the i-th column to the first row, the pd j,i (2) row of the i-th column to the second row etc., until all rows have been moved; thus a new row transformation of the i-th column is obtained.
Step 11. Let i i + 1, return to Step 10 until i reaches N. Thus we obtain three new total shuffled matrices I 51, I 52 and I 53 , which are respectively the R, G and B color matrices of a new permutation image denoted by I 5 .
Obviously, the above permutation-only process just rearranges the pixel positions without changing the pixel's value. Different from conventional block encryption methods such as DES and AES, the proposed algorithm shuffles the positions of image pixels totally by using the transform positions. Compared with the permutations based on one-dimensional or two-dimensional chaotic maps, the permutation scheme proposed overcomes the drawback of short periodicity, since the relationship between the original and shuffled position of one pixel is not directly related to the chaotic map. However, there are still some potential weak points in these permutation-only algorithms [42], which are weak against statistical attack and known-text attack. To deal with the weakness of pure position permutation method, in the following, a diffusion process is further employed to modify the pixel's gray value to enhance the security of the encryption algorithm.

Image diffusion based on the fractional-order Chen chaotic system
The encryption algorithm proposed in this paper is based on a permutation-diffusion architecture. In the diffusion stage, the fractional-order Chen chaotic system is employed to generate the key stream for diffusion, and the pixel values are modified sequentially to confuse the relationship between the cipher-image and the plain-image. In some existing chaos-based image ciphers, the key stream used in the diffusion process is solely determined by the key. The same key stream is applied to encrypt different plain-images if the key remains unchanged. An opponent may derive the key stream by the plain-text attack, i.e., by ciphering some special plain-text sequences and then comparing them with the corresponding cipher-text sequences. In order to make the cryptosystem secure against a differential attack, the modification made to a particular pixel depends not only on the corresponding key stream element, but also on the accumulated effect of all previous pixel values. The diffusion process is decomposed into the following 5 steps: Step 1. Arrange the pixels of permuted color matrices I 51, I 52 and I 53 obtained in Section 0.3 from left to right and then from top to bottom, respectively, we get three one-dimensional vectors PR = {pr 1 , pr 2 ,. . ., pr MN ,}, PG = {pg 1 , pg 2 ,. . ., pg MN ,} and PB = {pb 1 , pb 2 ,. . ., pb MN ,}.
Step 3. To get the key streams, preprocess the above three chaotic sequences according to the following formula (17): where y j (l 2 + i) ∊ L j , y 0 j ðl 2 þ iÞ 2 L 0 j , i = 1, 2, . . ., MN, j = 1, 2, 3, and Round(x) represents the integer function which has the same meaning as that in Equation (16), the function Abs(x) returns the absolute value of x and the function Fix(x) returns the value of x to the nearest integer towards zero. Thus we obtain three key streams L Step 4. Calculate the corresponding pixel data of the cipher-image by using the values of the currently operated pixel and the previously operated pixels, according to the following formula: Step 5. Transform three encrypted vectors C_R, C_G and C_B with length MN into three matrices with size M × N, i.e., CR, CG and CB, respectively, which are the R, G, B components of the ciphered image C. Thus we finally obtain the encrypted image.
Since the CML and the fractional-order chaotic system have a nonlinear structure and more complex dynamics than low-dimensional ones, the proposed chaos-based cryptosystem is greatly sensitive to a change in even a single bit of the 280-bit long secret key. Moreover, using the division-shuffling process and the permutation-diffusion process, a slight change of plainimage pixel causes a significant change in the cipher-image, which makes a differential analysis inefficient and practically useless. These features will in turn strengthen the security and sensitivity of the cryptosystem. In addition, the generation of pseudo-random numbers by the CML and the fractional-order Chen chaotic system and the division-shuffling process on the plainimage can be carried out simultaneously, i.e., in a parallel manner, which promotes the speed performance of the proposed image encryption algorithm. Therefore, our proposed scheme has higher security and overcomes the limitations in the image cryptosystem based on one-dimensional or two-dimensional chaotic maps.

Design of image decryption algorithm
Because the presented color image encryption algorithm is a symmetric cryptosystem, the decryption procedure is similar to that of the encryption process but just in the reversed order. However, some remarks should be considered in the decryption process, which are summarized as follows: Remark 1. We can rewrite Equations (18)- (23) to give the pixel values in the RGB components: PGðiÞ ¼ ððC GðiÞ È L 0 2 ðiÞÞ È ðC Gði À 1Þ È L 0 2 ði À 1ÞÞÞ È ðC Rði À 1Þ È C Bði À 1ÞÞ; ð25Þ where i = MN,(MN − 1), (MN − 2),. . .,3,2. Remark 2. Perform the reverse operations to remove the effect of permutation. All operations are the same as steps 3-11 in the image permutation process.
Remark 3. Use the same method in the image division-shuffling process but in the reversed order to recover the original color image.
Figs. 5 and 6 show the encryption and decryption of two color images of Lena and Vegetables with size 256 × 256, respectively, where the secret key is chosen as "2eea2814e6087660406d59f82f740bfd9c2e5e463d96bdafe482c8054f457bab5cd180" (in hexadecimal). Throughout this paper, the original image of Lena is freely available at the USC-SIPI image database [43].

Performance and Security Analysis
In this section, the performance of the proposed image cryptosystem is analyzed by using different security test measures. These measures are taken as follows: key space analysis, statistical analysis including histogram analysis and computing the correlation coefficients of adjacent pixels, information entropy analysis, test security against differential attack including  calculating the number of pixel change rate (NPCR) and unified average changing intensity (UACI), and key sensitivity analysis.

Key space analysis
The size of the key space is the total number of different keys that can be applied in the encryption/decryption process. The key space should be large enough to make brute-force attacks infeasible. From the cryptographic point of view, the size of the key space should not be smaller than 2 100 to ensure a high level of security [44]. Since the secret key of the proposed scheme is 280-bit long, the key space is 2 280 , which is sufficiently large enough to resist a brute-force attack.

Statistical analysis
Shannon suggested that diffusion and confusion should be employed in a cryptosystem [8] for the purpose of frustrating a powerful statistical analysis. An ideal cipher should be robust against any statistical attack. In order to demonstrate the robustness of the proposed image encryption scheme, we have performed some statistical tests on the histograms of the ciphered images and on the correlations of adjacent pixels in the ciphered image.
A. Histogram analysis. Image histogram is a significant feature in image analysis. Indeed, one can see the frequency of each gray level from the histograms, which can leak image information. For a good encryption algorithm, the distribution of cipher-text should hide the redundancy of plain-text and not leak any information about the plain-text or the relationship between the plain-text and the cipher-text.
Figs. 7 and 8 display the histograms of the color plain-image "Lena" (Fig. 5(a)) and the corresponding cipher-image ( Fig. 5(b)), respectively. From these figures, one can clearly see that the histograms of the encrypted image are fairly uniform and significantly different from those of the plain-image. The statistical feature of the plain-image is enhanced in such a manner that the cipher-image has a uniform gray level distribution and good balance property. Hence it does not offer any clue to be used in a statistical analysis attack on the encrypted image.
B. Correlation analysis of two adjacent pixels. It is well known that the adjacent pixels of the plain images are highly correlated either in horizontal, vertical or diagonal directions. An efficient image encryption algorithm should decrease the correlation of two adjacent pixels in the ciphered image as low as possible.
In the following, the correlation between all pairs of two horizontally adjacent pixels, all pairs of two vertically adjacent pixels, and 2000 pairs randomly selected of two diagonally adjacent pixels in the plain-image and cipher-image is tested. The correlation coefficients between two adjacent pixels in an image are calculated using the following equations: where x and y are gray level values of two adjacent pixels in the image, N is the total number of pixels selected from the image, E(x) and E(y) are the mean values of x i and y i , respectively. Fig. 9 shows the vertical relevance of adjacent pixels in the plain-image of Lena ( Fig. 5(a)) and the encrypted one ( Fig. 5(b)). The detailed results of the correlation coefficients for two horizontally (vertically and diagonally) adjacent pixels in the red, green and blue components of the original plain-image and the encrypted one are given in Table 1. These results clearly show that the correlation coefficients of the plain-image are close to 1, while those of the cipher-image are nearly 0 and the distribution of adjacent pixels is fairly uniform. It indicates that the proposed algorithm has successfully reduced the correlation of adjacent pixels in the plain-image so that neighboring pixels in the cipher-image virtually have no correlation. So the proposed algorithm can resist statistical attacks. Furthermore, the comparison performed in Table 2 demonstrates that the proposed scheme in this paper is superior to other methods reported in the literature. The cipher-image using our proposed algorithm has the highest performance in the horizontal, vertical and diagonal directions.

Information entropy analysis
There are various kinds of entropy, such as K-S entropy, K2 entropy, Tsallis entropy and information entropy etc. Information entropy, also called Shannon entropy, which was introduced by Shannon in 1948, is described by  where s denotes the information source, N is the number of bits to represent a symbol s i ∊ s, p (s i ) is the probability of symbol s i . For a purely random source emitting 2 N symbols, i.e., s = 2 N , the information entropy is H(s) = N. In fact, a practical information source seldom generates random messages. Therefore, in general its entropy value is smaller than the maximum one. However, when the messages are encrypted, their entropy should ideally be N. If the output of such a cipher emits symbols with entropy less than N, there is a certain degree of predictability, which threatens its security. In order to design a good cryptosystem, the information entropy of the cipher-image should be as close to the ideal case as possible.
For the cipher-image ( Fig. 5(b)) of the original Lena image (Fig. 5(a)) encrypted using the proposed scheme, we record the number of occurrence of each cipher-image pixel m i and calculate the probability of occurrence for the red, green and blue components of the cipherimage, respectively. The entropy of the three color components of the cipher-image is: where R i, G i and B i are the color components of the pixel m i . The values obtained are very close to the theoretical maximum value N = 8 for the three color components, which indicates that information leakage in the encryption process is negligible and the cryptosystem is secure against an entropy attack. Further, Table 3 compares information entropy using the proposed algorithm with those using the existing algorithms mentioned in Refs. [29,46]. Obviously, the entropy obtained using our proposed algorithm is indeed closer to the maximum.

Differential attack
In general, an opponent may make a slight change (e.g., modify only one pixel) in the plainimage and compare the ciphered images to find out some meaningful relationship between the plain-image and the cipher-image, which can facilitate in determining the secret key. If one minor change in the plain-image can cause a significant change in the cipher-image, with respect to diffusion and confusion, then this differential attack would become very inefficient and practically useless. As a general requirement for all the image encryption schemes, the encrypted image should be clearly different from its original form. Such a difference can be measured by means of two criteria, namely, the number of pixel change rate (NPCR) and the unified average changing intensity (UACI) [4,28]. The more NPCR approaches 100%, the more effective for the cryptosystem to resist a plain-text attack. The larger UACI is, the more effective for the cryptosystem to resist a differential attack.
The formulas for calculating NPCR and UACI are described, respectively, as follows: where M and N are the width and height of the image, C R,G,B and C 0 R;G;B are the two encrypted images before and after only one pixel of the plain-image is changed, respectively, C R,G,B (i, j) and C 0 R;G;B ði; jÞ are the values of the corresponding red, green or blue component in the two cipher-images, respectively. The matrix D R,G,B is defined as follows: if C R;G;B ði; jÞ ¼ C 0 R;G;B ði; jÞ, then D R,G,B (i, j) = 0; otherwise, D R,G,B (i, j) = 1. For instance, for two random images with 256 × 256 pixels and 24-bit true color, the expected values of NPCR R,G,B and UACI R,G,B are, respectively, computed as follows: NPCR R = NPCR G = NPCR B = 99.6094% and UACI R = UACI G = UACI B = 33.4635%.
To test the NPCR and UACI of the proposed cryptosystem, two plain images with only one bit difference are employed, i.e., the original color image of Lena, and the other one which is obtained by randomly modifying the value '213' of the pixel located at (2,129) of the red component in the original image as '214'. Their corresponding ciphered images are obtained by encrypting the two plain images with the same key after n rounds of the proposed permutation process. The NPCR R,G,B and UACI R,G,B versus permutation rounds n are plotted in Fig. 10(a) and (b), Table 3. Comparison of the information entropy using the proposed algorithm with some other algorithms.
Algorithm Entropy

Red Green Blue
The proposed algorithm 7.9893 7.9898 7.9894 respectively. One can find that different NPCR R,G,B and UACI R,G,B are obtained after different permutation rounds; after n = 14 permutation rounds, we get the largest value of NPCR R,G,B , while the value of UACI R,G,B is small; after n = 10 permutation rounds, we obtain the largest values of UACI R,G,B , and the values of NPCR R,G,B are more than 99.7%. From Fig. 10, we also find that the performance of NPCR R,G,B and UACI R,G,B are better after n = 10 permutation rounds than that obtained after other permutation rounds. The detailed results of NPCR R,G,B and UACI R,G,B with permutation rounds n = 10 are given in Table 4. One can easily see that the NPCR R,G,B is over 99.79% and the UACI R,G,B is over 49.19%, which implies that the proposed image cryptosystem is very sensitive to tiny changes in the plain-image. A slight change in the original image will result in a significant change in the ciphered image, so the proposed scheme can well resist a known/chosen plaintext attack. Table 5 compares the NPCR R,G,B and UACI R,G,B for the proposed method and the schemes in Refs. [11,26,28,30,37,45,46] on the color image of Lena. As it is clear from the simulation results, our proposed cryptosystem achieves a higher performance by having NPCR R,G,B ⩾ 99.79% and UACI R,G,B ⩾ 49.19%.

Key sensitivity analysis
An efficient encryption scheme has also to be sensitive to the secret key, i.e., a very small change in the key will cause a significant change in the output. Suppose that two 280-bit secret keys are chosen randomly as: K1 =" 2eea2814e6087660406d59f82f740bfd9c2e5e463d96bda-fe482c8054f457bab5cd180" and K2 =" 2eea2814e6087660406d59f82f740bfd9c2e5e463d96bda-fe482c8054f457bab5cd181". Obviously, two keys are different in only one bit. The key sensitivity test is carried out as follows.
The original color image of Lena is firstly encrypted by using the secret key K1 and then encrypted by using the secret key K2. We get two ciphered images by two slightly different keys. Fig. 11 displays the test results. The test shows that there is a difference up to 99.64% in terms of pixel gray-scale values between the encrypted image with K1 ( Fig. 11(b)) and the encrypted one with K2 (Fig. 11(c)). Moreover, in Fig. 12, we have shown the results of some attempts to decrypt an encrypted image with slightly different secret keys. We use the color image of Lena as the plain-image. Fig. 12(a) shows the encrypted image by using the secret key K1. Fig. 12(b) displays the decrypted image by using another trivially modified key K2. Fig. 12(c) plots the decrypted image by using the correct key K1. The encrypted image by using the secret key K2 is displayed in Fig. 12(d). The decrypted image by using the slightly different key K1 is shown in Fig. 12(e). The decrypted image by using the correct key K2 is depicted in Fig. 12(f). Obviously, the decryption with a slightly different key fails completely and hence the proposed image encryption scheme is highly key sensitive.
Furthermore, as discussed in Section 0.3, the transformations used in Equations (5)-(15) are constructed such that the initial conditions and parameters of the CML and the fractionalorder Chen chaotic system are highly sensitive to a slight change even in one bit of the secret key, which will lead to undesired decryption images. The average pixel differences of some color images (Figs. 5(a), 6(a) and 13) using the random keys K1 and K2 are given in Table 6. From the results in Table 6, one can easily see that the values obtained by the proposed method are very close to the expected value of pixel difference on two randomly generated images (NPCR = 99.6094% and UACI = 33.4635%).

Speed performance
Besides the security consideration, the running speed of the algorithm is also an important issue for a well applicable cryptosystem, especially for real-time Internet applications. We implement the proposed algorithm by using Matlab 7.1. The speed performance is tested in a computer with an Intel Core 2 Duo CPU 2GHZ, 1.99GB Memory and 600GB hard-disk capacity, and the operating system is Microsoft Windows XP. From Refs. [47,48,49], we know that the encryption time of Refs. [5,50,51] are 3.704s, >10s and 2.901s, respectively. Table 7 shows the comparison of the experimental results between the proposed encryption method and other image cryptosystems in [5,50,51,52]. Compared to the encryption schemes in [5,50,51,52], we can see that the operation speed of our method is clearly faster for the image of Lena.

Tolerance of Image Processing
Taking into account the variation tolerance of image processing operations such as noise addition, cropping, JPEG compression etc., the ability of surviving from these attacks for an image encryption scheme is also crucial, apart from the security consideration. PSNR (Peak Signal-to-Noise Ratio) is used in this paper to analyze the visual quality of the decrypted image I' in comparison with the plain-image I. PSNR is defined as: where MSE is the mean squared error between the plain-image I and the cipher-image I', which is given by The higher the PSNR value is, the less distortion is there to the plain image. Generally speaking, when the value of PSNR ⩾ 30, the human eyes cannot percept differences between the plainimage and the decrypted image. When no attack occurs, the PSNR value of the decrypted image ( Fig. 5(c)) is 76.28. If we observe the original plain-image ( Fig. 5(a)) and the decrypted image ( Fig. 5(c)), we can not find any visual degradation. In the following, several common image processing operations such as noise addition, cropping, JPEG compression, rotation, brightening and darkening are performed on our proposed encryption algorithm. Results for the "Lena" image ( Fig. 5(a)) are shown in this section. Table 8 displays the PSNR values of the decrypted image as the cipher-image is attacked by different image processing operations. The results demonstrate that the decrypted image is still recognizable despite the cipher-image being seriously distorted. The attacks are described as follows.

Noise addition
Generally, addition of noise is responsible for the degradation and distortion of the image. The cipher-image is also degraded by noise addition, resulting in difficulties in image decryption. We tested the proposed scheme's robustness against two types of noise: Pepper & Salt noise and Gaussian noise, which are added to the cipher-image. Fig. 14(a) and (b) show the plainimage of Lena and the corresponding cipher-image without noise addition, respectively. We add Pepper & Salt noise with different noise densities, i.e., 0.005, 0.05 and 0.5, to the cipherimage, as displayed in Fig. 14(c), (e) and (g), respectively. The proposed scheme is utilized to decrypt the noise-contaminated ciphered images. The decrypted images are shown in Fig. 14  (d), (f) and (h), respectively. The corresponding PSNR values of the decrypted images are 47.57dB, 31.87dB and 19.11dB, respectively. In addition, Gaussian white noise with mean value 0 and variance value 0.05 is added to the cipher-image, as shown in Fig. 14(i). Fig. 14(j) plots the decrypted image of the cipher-image in Fig. 14(i). Here the PSNR value of the decrypted image is 19.25dB. The results demonstrate that the noise-added encrypted image can still be decrypted appropriately, i.e., most information can be recovered.

Cropping
Image cropping is very common in real applications. Cropping removes the outer parts of an image to enhance framing, accentuate subject matter or modify aspect ratio, which is a lossy manipulation. Fig. 15(a) shows that 25% of the cipher-image is removed where 255 is inserted to the cropped pixels, and then the decrypted image is well obtained using the proposed scheme ( Fig. 15(b)). The corresponding PSNR value is 29.15. Even there were only a half of the encrypted image remained (Fig. 15(c)), the deciphered image is still recognizable, as shown in Fig. 15(d). Here the PSNR value is 23.88. In fact, we can always decrypt the cropped cipherimage with most recover information when the cropped part has a size of less than 256×256 pixels.

JPEG compression
Image compression is another very prevalent operation in digital images. In testing the tolerance of JPEG compression, the results show that the encrypted image, if being JPEG compressed, can be decrypted by the designed image encryption scheme, and the decrypted image after JPEG compression is still recognizable. A test is shown in Fig. 16. Fig. 16(a) displays the cipher-image after JPEG compression, where the quality factor used by the JPEG compression is 50. Here, the quality factor is a kind of measure for JPEG compression, commonly within a range between 1 to 100: the bigger the factor, the better the quality of the image after JPEG compression and, correspondingly, the smaller the compression rate. The PSNR value of the decrypted image ( Fig. 16(b)) is 18.65dB. Further simulation results show that the deciphered image can still be decrypted with most recover information while any quality factor in [1,100].

Rotation
Image rotation makes the coordinate axes changed. Without synchronization of the orthogonal axes, one cannot decrypt the cipher-image correctly. Here, we do not consider the question of how to recover the axes, which have been geometrically distorted. We assume that the distorted axes have been recovered before the cipher-image is decrypted. Simulations have shown that in this case we can still decipher the encrypted image ( Fig. 17(b)) when the ciphered image is rotated by 45°, as shown in Fig. 17(a). Here the value of PSNR is 18.65dB.

Brightening and darkening
We also test the proposed scheme's robustness against image brightening and darkening attacks, which increases or decreases the color intensities in a colormap. Simulation results are given in Fig. 18. Fig. 18(a) and (c) display the cipher-image after brightened and darkened, respectively. Fig. 18(b) and (d) show the deciphered images decrypted from the brightened and darkened encrypted images, respectively, where the PSNR values of the decrypted images separately are 18.68dB and 18.66dB. These test results show that the ciphered image after brightened or darkened can still be decrypted with most recovered information. Remark 5. From the above results, one can easily conclude that the proposed image encryption technique is highly robust against some common image processing operations and geometric attacks, e.g. noise addition, cropping, JPEG compression, rotation, brightening and darkening.

Conclusions
In this paper, we have proposed a new color image encryption algorithm based on a CML and a fractional-order chaotic system. The presented cryptosystem is composed of four processes, i.e., an image division-shuffling process, a key streams generation process, an image permutation process and an image diffusion process, to enhance the security and sensitivity of the cryptosystem. Moreover, the generation of the key streams and the image division-shuffling process are carried out simultaneously in a parallel mode, which accelerate the operation speed of our method. Experimental results have demonstrated that, comparing with current image encryption algorithms, the proposed encryption algorithm has a better performance in terms of security, sensitivity, speed and robustness. Furthermore, corresponding results also show that the presented encryption method efficiently overcomes the drawbacks in the present onedimensional chaotic image encryption algorithms.