See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/259190481

NPCR and UACI Randomness Tests for Image Encryption

Article · April 2011

CITATIONS READS
517 19,830

1 author:

Yue Wu
Raytheon BBN Technologies
77 PUBLICATIONS 5,446 CITATIONS

SEE PROFILE

All content following this page was uploaded by Yue Wu on 22 May 2014.

The user has requested enhancement of the downloaded file.

 Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

NPCR and UACI Randomness Tests

for Image Encryption
Yue Wu, Student Member, IEEE, Joseph P. Noonan, Life Member, IEEE,
and Sos Agaian, Senior Member, IEEE

 In binary sequence encryption, the cipher resistance to

Abstract—The number of changing pixel rate (NPCR) and the differential attacks is normally analyzed directly via calculating
unified averaged changed intensity (UACI) are two most common the independence matrix [4] between any two output bits and
quantities used to evaluate the strength of image encryption the dependence matrix [4] between the input bits and output
algorithms/ciphers with respect to differential attacks.
Conventionally, a high NPCR/UACI score is usually interpreted
bits. However, unlike binary sequence encryption, image
as a high resistance to differential attacks. However, it is not clear encryption [5-14] is a relatively new area with distinctive
how high NPCR/UACI is such that the image cipher indeed has a characteristics including 1) it is a type of two-dimensional data
high security level. In this paper, we approach this problem by with high information redundancy [15]; and 2) it usually
establishing a mathematical model for ideally encrypted images contains of a large number of pixels, each of which is composed
and then derive expectations and variances of NPCR and UACI of a number of binary bits. All these properties make the
under this model. Further, these theoretical values are used to
form statistical hypothesis NPCR and UACI tests. Critical values
conventional ciphers designed for binary data inappropriate for
of tests are consequently derived and calculated both symbolically image data [15]. For the same reason, randomness tests for
and numerically. As a result, the question of whether a given binary data are also not appropriate for image encryption
NPCR/UACI score is sufficiently high such that it is not methods/ciphers.
discernible from ideally encrypted images is answered by In image encryption, the cipher resistance to differential
comparing actual NPCR/UACI scores with corresponding critical attacks is commonly analyzed via the NPCR and UACI tests
values. Experimental results using the NPCR and UACI
randomness tests show that many existing image encryption
[5-14]. The NPCR and UACI are designed to test the number of
methods are actually not as good as they are purported, although changing pixels and the number of averaged changed intensity
some methods do pass these randomness tests. between ciphertext images, respectively, when the difference
between plaintext images is subtle (usually a single pixel).
Index Terms—Differential Attacks, Randomness Test, Image Although these two tests are compactly defined and are easy to
Encryption, UACI, NPCR calculate, test scores are difficult to interpret in the sense of
whether the performance is good enough. For example, the
upper-bound of the NPCR score is 100%, and thus it is believed
I. INTRODUCTION that the NPCR score of a secure cipher should be very close to
this upper-bound. However, the question is how close is ‘close’?
D IFFERNTIAL attack/cryptanalysis is a general name of
attacks/cryptanalysis applicable primarily to block ciphers
working on binary sequences. The discovery of differential
A NPCR score of 99% is close or a score of 99.9% or neither of
them is close enough. Therefore, it is trivial to answer the
cryptanalysis is usually attributed to Eli Biham and Adi Shamir, quantitative question that what are the NPCR and UACI scores
who published papers [1, 2] about this type of attacks to various for one image encryption algorithm/cipher, without knowing
ciphers, including a theoretical weakness of the Data the answer of the qualitative question that whether this
Encryption Standard (DES) [3]. Since then, the differential algorithm/cipher is able to generate secure enough ciphertext
attack becomes a common attack that has to be considered with resistance to differential attacks.
during the cipher design. Inspired by the FIPS 140-1 [16] and its successor FIPS 140-2
[17] randomness test sets for binary ciphers, we believed that
randomness tests giving qualitative results rather than pure
Manuscript received March 29, 2011. Manuscript accepted April 26, 2011. quantitative results should be derived for image encryption as
This research was supported by the Department of Electrical and Computer
Engineering, Tufts University, MA. well. In this paper, we focus on the NPCR and UACI tests and
Yue Wu is with the Department of Electrical and Computer Engineering, give our solutions to answer the qualitative question about
Tufts University, Medford, MA 02155 USA (phone: 617-627-3217; fax: NPCR and UACI tests for image encryption.
617-627-3220; e-mail: ywu03@ece.tufts.edu).
Joseph P. Noonan is with the Department of Electrical and Computer The remainder of the paper is organized as follows: Section
Engineering, Tufts University, Medford, MA 02155 USA. (e-mail: II gives the mathematical model of an ideally encrypted image
jnoonan@ece.tufts.edu). and derives the expectations, variances and hypothesis tests of
Sos Agaian is with the Department of Electrical and Computer Engineering,
Tufts University, MA 02155 USA. He is also with the Department of Electrical
NPCR and UACI; Section III gives numerical results of these
and Computer Engineering, University of Texas at San Antonio, San Antonio, expectations, variances and lookup tables of critical values for
TX 78249 USA. (email: Sos.Agaian@utsa.edu)

31
 Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

hypothesis tests; Section IV shows results of the proposed be discernible from a true random image. More specifically,
randomness tests of NPCR and UACI for a number of Definition 1. Ideally Encrypted Image
published image encryption methods; Section V concludes the An ideally encrypted image is a random field at size of
paper and discusses our future work -by- , where for any fixed integer and ,
the random variable of pixel value identically and
II. MATHEMATICAL DERIVATIONS OF independently (i.i.d) follows a discrete uniform distribution on
NPCR AND UACI RANDOMNESS TESTS 0 to ’s largest supported integer , i.e. , ,
A. NPCR and UACI Definitions .
For our best knowledge, NPCR and UACI are first shown in
It is noticeable that the above definition is plausible in the
2004 [5, 18], both of which point to Yaobin Mao and Guanrong
context of image encryption, where the aim of encryption is to
Chen. Since then NPCR and UACI become two widely used
obtain random-like ciphertext images such that attackers cannot
security analyses in the image encryption community for
figure out the internal relations between plaintext and
differential attacks.
ciphertext. In fact, other security analyses [5-14], e.g.
Suppose ciphertext images before and after one pixel change
histogram analysis, entropy analysis and autocorrelation
in a plaintext image are and , respectively; the pixel value
analysis, are all designed to test whether or not a ciphertext
at grid in and are denoted as and ;
image is random-like.
and a bipolar array is defined in Eqn. (1). Then the NPCR
For any pixel at any location in an ideally encrypted image ,
and UACI can be mathematically defined by Eqns. (2) and (3),
its value is equally likely to be an arbitrary intensity level in
respectively, where symbol denotes the total number pixels
, namely . In order to save
in the ciphertext, symbol denotes the largest supported pixel
notations, the spatial index can be expressed by an
value compatible with the ciphertext image format, and
absolutely index as Eqn. (4) shows. As a result, we have
denotes the absolute value function.
.
(4)
(1)

(2)
C. NPCR Test
In this section, the expectation and the variance of NPCR for
(3) two ideally encrypted images are calculated first and then an
-level hypothesis test is derived based on these two statistics.
It is clear that NPCR concentrates on the absolute number of For simplicity,
pixels which changes value in differential attacks, while the
UACI focuses on the averaged difference between two paired Theorem I. For the th pixels ( [1,MN]) in two ideally
ciphertext images. encrypted images defined in Definition 1, define a random
The range of NPCR is . When , it variable
implies that all pixels in remain the same values as in .
When , it implies that all pixel values in are
changed compared to those in . In other words, it is very Then this random variable follows a Bernoulli distribution
difficult to establish relationships between this pair of with the parameter .
ciphertext image and . However, rarely Proof. Using the assumption of independence and ,
happens, because even two independently generated true it is easy to see,
random images fail to achieve this NPCR maximum with a high
possibility, especially when the image size is fairly large
compared to .
The range of UACI is clearly as well, but it is not
obvious that what a desired UACI for two ideally encrypted
images is. Fortunately, these results will be given in next
sections with the form of expectations and variances.
B. Ideally Encrypted Image Consequently, .
Before start to derive the interested statistics about NPCR Therefore, . ∎
and UACI for ideally encrypted images, the term of ‘ideally
encrypted image’ has to be clarified first. Although it may be Moreover, if the total number of pixels whose is
considered differently in other literature, in this paper, we denoted as a random variable , then has the Binomial
consider an ideally encrypted image is some image that cannot distribution as Theorem II states.

32
 Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

Theorem II. The random variable defined on values in and are both i.i.d, pixels in is also i.i.d with
two ideally encrypted images follows a Binomial distribution some unknown distribution.
, where . (11)
Proof. Using the conclusion of Theorem I and i.i.d property Let , then this random variable
between pixels, it is clear that for the averaged changed intensity for one pixel location in two
ideally encrypted images follows a discrete distribution showed
in Theorem III.

Theorem III. If , which is the

which is the Binomial distribution . ∎ changed intensity of two ideally encrypted images at location ,
then
Therefore, the expectation and the variance of are
explicitly defined as Eqns. (5) and (6), respectively.
(5)
Proof. From Theorem I, it is clear that when
(6)
When ,
It is clear that this random variable is a scaled version of the
NPCR score, where .
Therefore, , if two test ciphertext images Calculate using Definition 1, we obtain
and of size -by- are ideally encrypted. That is

(7)

(8)

(9)
Similarly, .
Thus, . ∎
As a result, the following statistical test can be used as a test of
NPCR for image encryption: Theorem III gives the probability density function (PDF) of
the random variable and the i.i.d distribution in the random
Definition 2. Randomness Test for NPCR field as well. In addition, the mean and the variance of can
Suppose and are two test ciphertext images at the size also be obtained as Eqns. (12) and (13) show.
-by- , the hypotheses with α-level significance for
, then, are
(12)

where we reject , when , the critical value

of the NPCR test; otherwise we accept . The critical
value is defined in Eqn. (10), where is the inverse
cumulative density function (CDF) of the standard Normal (13)
distribution .

(10) Let quantity , then this is

nothing but the mean value of , as Eqn. (14) shows. Moreover
the relationship between and UACI is ,
which implies is a scaled version of the UACI score.
D. UACI Test for Ideally Encrypted Image
Similarly to NPCR test, the UACI test derived in this section
is also with respect to two ideally encrypted images. (14)
Consider a new random field , which is the absolute
difference between and as Eqn. (11) shows. Since pixel

33
 Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

and the PDF of NPCR statistic have already been shown in

Theorem IV. If is the scaled Eqns. (5)-(7). The distribution of the NPCR random variable
version of UACI between two ideally encrypted images and for two true random images follows a Binomial
whose plaintext images are slightly different, then distribution . When and ,
this distribution is shown Fig. 1, where figure (b) is an enlarged
Proof. version for the peak in figure (a). From Fig. 1, it is clear that
The Central Limit Theorem (CLT) tells that as long as the has Gaussian-like distribution. Indeed, a Binomial
sample size is large enough, the sample mean of any i.i.d distribution can be approximated as a Gaussian distribution
distributed sample with an arbitrary PDF with an average and whenever the condition is
a finite is approximately a Gaussian . In our case, satisfied [21].
is the number of pixels and is usually much large than 100, 0.025 0.025

which is the sample size believed the CLT can be applied [19,
20]. 0.02 0.02

Because , are i.i.d distributed with PDF specified in

0.015 0.015
Theorem III. Therefore, where and are

Possibility

Possibility
shown in Eqns.(15) and (16), respectively. ∎ 0.01 0.01

(15) 0.005 0.005

0 0
0 20 40 60 80 100 99.55 99.6 99.65 99.7
(16) NPCR % NPCR %

(a) PDF NPCR (b) Zoom-in

Fig. 1. PDF of NPCR for and
As a result, we obtain the expectation and the variance for the
UACI test as follows: Numerical results of NPCR critical values with respect to
(17) different parameter combinations are given in Table I. From
Eqns. (5) and (6), it is noticeable that is a constant and
(18) is proportional to , respectively, when is fixed.
Therefore, as the increases four times, remains
unchanged, while deceases a half.
Since the reference results have been derived from the In Table I, , , and denote the critical values
ideally encrypted image, the following statistical test can be to reject the null hypothesis with respect to the significance
used to test UACI: level , and . This means that if
, the NPCR test for two paired ciphertext images
Definition 3. Randomness Test for UACI and , less than , then and are NOT randomly-like
Suppose and are two test ciphertext images at the size with an -level of significance. In other words, the possibility
-by- , then the hypotheses with α-level significance for to say ‘ and are not random-like’, when they are
, then, are random-like, is α, which is a small quantity.
B. Numerical Results for UACI
where we reject , when , the Table II shows related numerical results for UACI. In this
critical values of the NPCR test; otherwise we accept . The table, it is noticeable that is independent of . Because
critical value and are defined in Eqns. (19) and (20), , which is a single variable function
respectively, where is the inverse CDF of the standard about (see Eqn. (17)), the largest allowed integer related to
Normal distribution . the image format. Meanwhile, halves its value as
increases in the table. This is because is proportional to
, whenever increases four times, halves itself.
(19)
Unlike the critical value for NPCR test, the critical value
(20) for UACI test is composed of two parts, the left value
and the right value . All these values are listed in Table II.
For any tested , if it is out of the acceptance
interval , we reject the null hypothesis and say the
tested ciphertext images and are NOT random-like.
III. NUMERICAL RESULTS FOR NPCR AND UACI
RANDOMNESS TESTS Again, this assertion maybe wrong, but the possibility to make
a mistake is only , which is a small quantity.
A. Numerical Results for NPCR
As the previous section derived, the expectation, the variance

34
Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

TABLE I. NUMERICAL RESULTS FOR NPCR RANDOMNESS TEST

Binary Image: Gray Image:

50.0000% 0.7813% 48.7150% 48.1825% 47.5858% 99.6094% 0.0975% 99.4491% 99.3826% 99.3082%
50.0000% 0.3906% 49.3575% 49.0913% 48.7929% 99.6094% 0.0487% 99.5292% 99.4960% 99.4588%
50.0000% 0.1953% 49.6787% 49.5456% 49.3964% 99.6094% 0.0244% 99.5693% 99.5527% 99.5341%
50.0000% 0.0977% 49.8394% 49.7728% 49.6982% 99.6094% 0.0122% 99.5893% 99.5810% 99.5717%
50.0000% 0.0488% 49.9197% 49.8864% 49.8491% 99.6094% 0.0061% 99.5994% 99.5952% 99.5906%

TABLE II. NUMERICAL RESULTS FOR UACI RANDOMNESS TEST

Binary Image: Gray Image:

48.4688% 47.9876% 47.4293% 32.7389% 32.5112% 32.2469%

50.0000% 0.7813% 33.4635% 0.3697%
51.5312% 52.0124% 52.5707% 34.1882% 34.4159% 34.6802%
49.2344% 48.9938% 48.7146% 33.1012% 32.9874% 32.8552%
50.0000% 0.3906% 33.4635% 0.1849%
50.7656% 51.0062% 51.2854% 33.8259% 33.9397% 34.0718%
49.6172% 49.4969% 49.3573% 33.2824% 33.2255% 33.1594%
50.0000% 0.1953% 33.4635% 0.0924%
50.3828% 50.5031% 50.6427% 33.6447% 33.7016% 33.7677%
49.8086% 49.7485% 49.6787% 33.3730% 33.3445% 33.3115%
50.0000% 0.0977% 33.4635% 0.0462%
50.1914% 50.2515% 50.3213% 33.5541% 33.5826% 33.6156%
49.9043% 49.8742% 49.8393% 33.4183% 33.4040% 33.3875%
50.0000% 0.0488% 33.4635% 0.0231%
50.0957% 50.1258% 50.1607% 33.5088% 33.5231% 33.5396%

TABLE III. COMPARISON OF THEORETICAL VALUES AND EXPERIMENTAL VALUES

Binary Image:
NPCR % UACI %

50.0000000000 0.7813000000 49.9984221458 0.7838076127 50.0000000000 0.7812500000 49.9984221458 0.7838076127

50.0000000000 0.3906000000 49.9944293455 0.3913540553 50.0000000000 0.3906250000 49.9944293455 0.3913540553
50.0000000000 0.1953000000 49.9965943224 0.1956158262 50.0000000000 0.1953125000 49.9965943224 0.1956158262
50.0000000000 0.0977000000 49.9988945723 0.0970774641 50.0000000000 0.0976562500 49.9988945723 0.0970774641
50.0000000000 0.0488000000 50.0011780387 0.0486855663 50.0000000000 0.0488281250 50.0011780387 0.0486855663

Gray Image:
NPCR % UACI %

99.6094000000 0.0975000000 99.6092433089 0.0989692547 33.4635416667 0.3697318566 33.4462493563 0.3741631181

99.6094000000 0.0487000000 99.6097590990 0.0486867022 33.4635416667 0.1848659283 33.4537322188 0.1858105271
99.6094000000 0.0244000000 99.6096636839 0.0244907014 33.4635416667 0.0924329642 33.4595629123 0.0919732060
99.6094000000 0.0122000000 99.6095651442 0.0121198368 33.4635416667 0.0462164821 33.4654786002 0.0453526000
99.6094000000 0.0061000000 99.6096801758 0.0061338739 33.4635416667 0.0231082410 33.4640661364 0.0231559551

35
Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

TABLE IV. NPCR RANDOMNESS TEST FOR IMAGE ENCRYPTION

Tested Image Size -by- Theoretically NPCR Critical Value
256-by-256 99.5693% 99.5527% =99.5341%
NPCR Test Results
Image Encryption Methods Reported Value(s)
0.05-level 0.01-level 0.001-level
Zhang 2005 [7] 98.669% Fail Fail Fail
99.26% Fail Fail Fail
Zhu 2006 [8]
99.45% Fail Fail Fail
(reported in [9])
99.13% Fail Fail Fail
Behnia 2008 [6] 41.962% Fail Fail Fail
99.42% Fail Fail Fail
Huang 2009 [9] 99.54% Fail Fail Pass
99.60% Pass Pass Pass
99.66% Pass Pass Pass
Liao 2010 [10] 99.65% Pass Pass Pass
99.63% Pass Pass Pass
Zhang 2010 [11] 99.61% Pass Pass Pass
Kumar 2011 [12] 99.72% Pass Pass Pass

Tested Image Size -by- Theoretically NPCR Critical Value

512-by-512 99.5893% 99.5810% =99.5717%
NPCR Test Results
Image Encryption Methods Reported Value(s)
0.05-level 0.01-level 0.001-level
Chen 2004 [5] 50.22% Fail Fail Fail
Lian 2005 [13]
99.5914% Pass Pass Pass
(reported in [14])
Zhu 2010 [14] 99.6273041% Pass Pass Pass

TABLE V. UACI RANDOMNESS TEST FOR IMAGE ENCRYPTION

Tested Image Size -by- Theoretically UACI Critical Values
33.2824% 33.2255% =33.1594%
256-by-256
33.6447% 33.7016% 33.7677%
NPCR Test Results
Image Encryption Methods Reported Value(s)
0.05-level 0.01-level 0.001-level
Zhang 2005 [7] 33.362% Pass Pass Pass
21.41% Fail Fail Fail
Zhu 2006 [8]
23.42% Fail Fail Fail
(reported in [9])
15.08% Fail Fail Fail
Behnia 2008 [6] 33.25% Fail Pass Pass
27.78% Fail Fail Fail
Huang 2009 [9] 27.66% Fail Fail Fail
24.94% Fail Fail Fail
33.20% Fail Fail Pass
Liao 2010 [10] 33.31% Pass Pass Pass
34.61% Fail Fail Fail
Zhang 2010 [11] 38% Fail Fail Fail
Kumar 2011 [12] 32.821% Fail Fail Fail

Theoretically UACI Critical Values

Tested Image Size -by-
33.3730% 33.3445% =33.3115%
512-by-512
33.5541% 33.5826% 33.6156%
NPCR Test Results
Image Encryption Methods Reported Value(s)
0.05-level 0.01-level 0.001-level
Chen 2004 [5] 25.21% Fail Fail Fail
Lian 2005 [13]
33.3359% Pass Pass Pass
(reported in [14])
Zhu 2010 [14] 33.4815979% Pass Pass Pass

36
 Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

IV. SIMULATION RESULTS

In this section, two types of simulations are presented. First,
the Monte Carlo simulation is applied to generate interested
statistics of and , where and are
images of size -by- generated by pseudo random number
generator which is built-in function in MATLAB. Secondly,
the designed NPCR and UACI tests are applied to various
existing image encryption methods/ciphers.
A. Monte Carlo Simulation (a) (b)
In order to estimate the interested statistics, the sample mean
and variance defined in Eqns. (21) and (22) are used, where
denotes the interested statistics and is the number of
observations. Recall the Law of Large Numbers (LLN), which
states that the sample mean converges to the true mean , as
. Meanwhile, the sample variance is an unbiased and
consistent estimator of the true variance, which implies that
, as . Therefore, these two quantities can be
used to estimate our interested statistics, including , ,
(c) (d)
and under different values.
Fig. 2. Difference between the estimated values and experimental values
(a) and when ; (b) and
(21) when ; (c) and when ; (d) and
when .

These image encryption methods include Zhang’s method

(22) based on chaotic maps (Zhang 2005) [7], Zhu’s method based
on Chen’s chaotic system (Zhu 2006) [8], Huang’s method
Simulation results of these interested statistics are shown in using multiple chaotic systems (Huang 2009) [9], Behnia’s
Table III. It is worth to note that each estimated statistics in method using a mixture of chaotic maps (Behnia 2008) [6],
Table III (marked with a cap), it is calculated from 10,000 pairs Liao’s algorithm based on self-adaptive wave transmission
of and that are randomly generated images. More (Liao 2010) [10], Zhang’s method using DNA addition with
chaotic maps (Zhang 2010) [11], Kumar’s method using
specifically, the estimated statistics , , and are
extended substitution-diffusion network with chaos (Kumar
obtained via Eqns. (23) –(26), respectively.
2011) [12], Chen’s encryption scheme using the 3D cat map
(Chen 2004) [5], Lian’s block cipher using chaotic standard
(23) map (Lian 2005) [13], and Zhu’s method using a bit-level
permutation (Zhu 2010) [14]. The NPCR and UACI scores are
obtained directly from papers of related methods without any
(24) modification.
Using reference Table I and II, these reported NPCR and
UACI scores are evaluated to see whether the two test
(25) ciphertext images are random-like. In order to simplify the
comparison, we listed these results in the chronological order
and sorted with respect to the test images size, which
(26) determines the critical value(s) of the test. The NPCR and
UACI test results are shown in Table IV and Table V,
respectively.
Fig. 2 shows the difference between the theoretical values From Table IV, it is noticeable that when the test image size
and the experimental values. It is noticeable that such is 256-by-256, although most NPCR scores are not far different
differences are subtle. More specifically, they are of or below from each other and close to 100%, they do have significant
the level of . Therefore, the provided reference Tables I difference in the point view of statistics. Many earlier methods
and II are reliable. (before 2010) fail the test, but recent methods have better
B. Randomness Test for Image Encryption NPCR test results. Same phenomenon is also observed when
the test image size is 512-by-512.
In this section, the reported results of differential attacks
From Table V, it is clear that most of the test image
from various image encryption papers are collected and
encryption methods fail the UACI test, with an either too low or
compared with critical values of NPCR and UACI tests.

37
 Cyber Journals: Multidisciplinary Journals in Science and Technology, Journal of Selected Areas in Telecommunications (JSAT), April Edition, 2011

too high UACI score. On the other hand, judging two encryption methods by
Considering these results in Table IV and Table V, ‘Lian comparing their test scores quantitatively is also questionable.
2005’ [13] and ‘Zhu 2010’ [14] are two best ones among the In other words, better than some poor method(s)/algorithm(s) is
test ten image encryption algorithms, because they passed the not sufficient to say a method is good. Because it is still unclear
both the NPCR and UACI randomness tests. Although ‘Zhu whether this method is able to generate ciphertext images as
2010’ has slightly higher NPCR and UACI scores than those of random-like as those ideally encrypted images, although its test
‘Lian 2005’, it does not mean that ‘Zhu 2010’ is more secure score is better than some other(s). Unless comparing test
than ‘Lian 2005’, because their test scores are not statistically score(s) with theoretical values like those derived in this paper,
different. This conclusion also points out a common mistake in it is hard to know whether a method is good and how good it is.
the image encryption literature: some author claims his/her
method is better than some others’ by simply comparing some REFERENCES
test scores. For example, ‘Lian 2005’ [13] is used as a reference
algorithm for comparing the NPCR and UACI scores with ‘Zhu [1] E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like
Cryptosystems," in Proceedings of the 10th Annual International
2010’ in [14], where the author claims that ‘Zhu 2010’ is better Cryptology Conference on Advances in Cryptology: Springer-Verlag,
than ‘Lian 2005’ by simply comparing test scores. However, 1991.
test results of ‘Zhu 2010’ and ‘Lian 2005’ in Tables IV and V [2] E. Biham and A. Shamir, "Differential Cryptanalysis of the Full
show that they do not have significant difference. This implies 16-Round DES," in Proceedings of the 12th Annual International
Cryptology Conference on Advances in Cryptology: Springer-Verlag,
that maybe both algorithms are able to generate random-like 1993.
ciphertext image and thus the different test scores are purely [3] "FIPS PUB 46: Data Encryption Standard," National Bureau of Standards,
caused by the stochastic process. 1977.
[4] H. Williams, A. Webster, and S. Tavares, "On the Design of S-Boxes," in
Advances in Cryptology — CRYPTO ’85 Proceedings. vol. 218: Springer
V. CONCLUSION Berlin / Heidelberg, 1986, pp. 523-534.
[5] G. Chen, Y. Mao, and C. Chui, "A symmetric image encryption scheme
In this paper, we discussed the NPCR and UACI randomness based on 3D chaotic cat maps," Chaos, Solitons and Fractals, vol. 21, pp.
tests for image encryption. Unlike the conventional usage of 749-761, 2004.
NPCR and UACI for calculating scores, we consider both [6] S. Behnia, A. Akhshani, H. Mahmodi, and A. Akhavan, "A novel
algorithm for image encryption based on mixture of chaotic maps," Chaos,
scores as random variables under the ideally encrypted image Solitons and Fractals, vol. 35, pp. 408-419, 2008.
model and derive their expectations and variances. Meanwhile, [7] L. Zhang, X. Liao, and X. Wang, "An image encryption approach based
hypothesis tests with an α-level of significance are designed for on chaotic maps," Chaos, Solitons & Fractals, vol. 24, pp. 759-765, 2005.
[8] C. X. Zhu, Z. G. Chen, and W. W. Ouyang, "A new image encryption
NPCR and UACI tests respectively. With these two hypothesis algorithm based on general Chen's chaotic system," Journal of Central
tests, it is easy to accept or reject the null hypothesis that test South University (Science and Technology), 2006.
ciphertext images are random-like. Therefore, such tests [9] C. K. Huang and H. H. Nien, "Multi chaotic systems based pixel shuffle
for image encryption," Optics Communications, vol. 282, pp. 2123-2127,
provide qualitatively results rather than quantitatively results 2009.
for image encryption. [10] X. Liao, S. Lai, and Q. Zhou, "A novel image encryption algorithm based
Experimental results show the estimated expectations and on self-adaptive wave transmission," Signal Processing, vol. 90, pp.
variance of NPCR and UACI are very close to the theoretical 2714-2722, 2010.
[11] Q. Zhang, L. Guo, and X. Wei, "Image encryption using DNA addition
values, which justify the validity of theoretical values. Further, combining with chaotic maps," Mathematical and Computer Modelling,
the proposed NPCR and UACI randomness tests are also vol. 52, pp. 2028-2035, 2010.
applied to various image encryption algorithms. Test results [12] A. Kumar and M. K. Ghose, "Extended substitution-diffusion based
image cipher using chaotic standard map," Communications in Nonlinear
show that many of these tested algorithms are problematic or at Science and Numerical Simulation, vol. 16, pp. 372-382, 2011.
least not statistically random-like. Meanwhile, these results [13] S. Lian, J. Sun, and Z. Wang, "A block cipher based on a suitable use of
also showed that the conventionally quantitative analysis the chaotic standard map," Chaos, Solitons & Fractals, vol. 26, pp.
117-129, 2005.
methodology for image encryption is questionable. Because [14] Z.-l. Zhu, W. Zhang, K.-w. Wong, and H. Yu, "A chaos-based symmetric
these test scores, e.g. NPCR or UACI, are random variables image encryption scheme using a bit-level permutation," Information
dependent on parameters such as the image size and the format Sciences, vol. 181, pp. 1171-1186, 2010.
[15] M. Yang, N. Bourbakis, and L. Shujun, "Data-image-video encryption,"
of the image rather than static values. Purely comparing two Potentials, IEEE, vol. 23, pp. 28-34, 2004.
NPCR/UACI scores for two algorithms without noting these [16] "FIPS PUB140-1: Security Requirements for Cryptographic Modules."
parameters is not fair. For example, a NPCR score based on vol. 11: National Institute of Standards and Technology, 1994.
[17] "FIPS PUB140-2: Security Requirements for Cryptographic Modules,"
gray images is 99.5710%, which is very close to the expectation National Institute of Standards and Technology, 2001.
99.6094% (see Table I), but when the test image size is [18] Y. Mao, G. Chen, and S. Lian, "A novel fast image encryption scheme
512-by-512, this score is out of 99.9% confidence interval based on 3D chaotic Baker maps," Int. J. Bifurcation and Chaos in June,
(99.5717%, 100%] of the NPCR score. This conclusion means 2003.
[19] R. Peck, C. Olsen, and J. L. Devore, Introduction to Statistics and Data
that test ciphertext images do not follow the relations between Analysis: Cengage Learning, 2008.
two ideally encrypted images and thus it may be vulnerable to [20] M. Sternstein, Statistics: Barron's Educational Series, 1996.
differential attacks. Moreover, the significance level tells that [21] R. J. Larsen and M. L. Marx, An introduction to mathematical statistics
and its applications: Pearson Prentice Hall, 2006.
the chance of making a wrong conclusion is one out of a
thousand.

38
View publication stats