Design and implementation of Threefish cipher algorithm in PNG file

This paper is presenting design and implementation of Threefish block cipher on grayscale images. Despite the fact that Threefish block cipher is one of the best secure algorithms, most studies concerning Threefish have focused on hardware implementation and have not commonly been applied on image encryption due to huge amount of data. The main contribution here was to reduce the time and the amount of data to be encrypted while maintaining encryption performance. This objective was achieved by encrypting just the most significant bits of image pixels. A 256-bit plain text blocks of the Threefish was constructed from 2n most significant bits of the pixels, where 0<n<3. Furthermore, Threefish block cipher was applied when n=3 to analyze the impact of uninvolving some bits in encryption process on the encryption performance. The results indicated that the encryption achieved good encryption quality when n=1, but it might cause some loss in decryption. In contrast, the encryption achieved high encryption quality when n=2, almost as good as the encryption of the whole pixel bits. Furthermore, the encryption time and the amount of data to be encrypted were decreased 50% as n decreased by 1. It was concluded that encrypting half of the pixel bits reduces both time and data, as well as significantly preserves the encryption quality. Finally, although the proposed method passed the statistical analysis, further work is needed to find a method resistant to the differential analysis.


Introduction
Sensitive data is required to be transmitted in an inexplicable form by the intruders [1]. Cryptographic system gives a significant role in providing data security and maintain privacy. It is a system that mainly consists of four elements: encryption function, decryption functions, protocol, and key. These four elements determine the category and the strength of cryptographic system [2]. Based on the number of keys, cryptographic system can be classified into symmetric and asymmetric cryptographic system. In symmetric cryptography, the same secret key is used for both encryption and decryption. In contrast, asymmetric cryptography uses two different keys: one is public used for encryption, while the other is private for the recipient used for decryption [3]. Cryptographic system, in addition, can be classified into stream cipher and block cipher according to the input type of the data that will be encrypted. Stream cipher encrypts data bit/byte by bit/byte, whereas block cipher encrypts blocks of bits/bytes [1]. The DES (Data Encryption Standard), AES (Advance encryption Standard), Blowfish, Twofish, and Threefish, are symmetric block cipher algorithms, while RC5 (Rivest Cipher) is symmetric stream cipher algorithm. In addition, both RSA (Rivest Shamir Adleman) and ECC (Elliptic Curve Cryptography) are asymmetric, where RSA is block cipher while ECC is stream cipher algorithm [3]. More than one study has examined the performance of different block cipher algorithms based on various parameters [3] [4]. These studies indicated that using large block size and extensive number of rounds made the Threefish algorithm one of the best secure algorithms. Threefish is considered tweakable block cipher, which is generalized form of block cipher. In tweakable block cipher, further input is used beside the input block and the key, which is known as tweak. Thereupon, the security level is increased [3] [4]. Threefish, however, is still not commonly applied on image encryption. Most of the studies used Threefish block cipher focused on hardware implementation on FPGA [5] [6] [7] [8]. Singh and Baburaj in 2018 proposed new image encryption method by combining Threefish algorithm and Artificial Neural Network in order to achieve high security and decrease the cost of computation [9]. As the image holds huge amount of data, our contribution here was to encrypt just the most significant bits of image pixels using Threefish block cipher in order to reduce the time and the amount of data to be encrypted while maintaining encryption quality. In this way, the proposed method encrypts half data of the image or less, and preserves the encryption performance at the same time.

Threefish
Threefish uses three different key lengths: 256, 512, or 1024 bits. In this algorithm, block size is identical to the key length used [4]. Threefish algorithm uses 128 bits tweak value regardless to the block size and key length. Threefish is adopted to use modulus arithmetic, bit rotation, and bitwise XOR. These operations are applied several rounds depending on the block size. Block size of 256 and 512 bits consist of 72 rounds, while block size of 1024 bits consists of 80 rounds [5]. In each round, Threefish operates on 64-bit unsigned integers, that is the plain text is divided into N w words of 64-bit where [6]: (1)

Threefish key scheduling
Threefish generates N r /4+1 subkeys from the cipher key, where N r is the number of rounds. Along with the cipher key K, Threefish uses the 128-bit tweak value T and 64-bit constant value C 240 to produce these subkeys (K 0 , K 1 , …, K Nw-1 ). Prior to start the subkeys scheduling, the two 64-bit words of tweak value (t 0 , t 1 ) are extended to further word t 2 . In addition, the 64-bit words of the original key (K 0 , K 1 , …, K Nw-1 ) are used to extend the K Nw key word as the following: The subkeys in every round are defined as the following: where 0 ≤ i ≤ N w -1, and 0 ≤ s ≤ N r / 4, the symbol denotes bitwise xor operation, and denotes to addition modulo 2 64 [3], [4], [7].

Threefish encryption
Encryption in Threefish block cipher starts by adding the subkey to the plain words. This operation is repeated every four rounds. Every round consists of Mix operations and permutation. Fig. 1 shows four rounds of Threefish256 block cipher [7]. Every Mix operation operates on two 64-bit words as the following: (see Fig. 2): where d = s mod 8, and the expression R indicates to bit rotate left R times, where R is a constant value as listed in Table 1 [5].  The 64-bits words resulted from Mix operations is permutated, as listed in the Table 2, to produce the 64-bits cipher words that pass to the next round. Prior to the end of encryption process, Threefish256 block cipher performs a subkey addition to produce the final cipher words after 72 rounds [8].

Threefish decryption
In Threefish, decryption includes the same steps of encryption, but in reverse order. Fig. 3 shows single round of Threefish256 decryption. Threefish256 starts by subtracting the subkeys from the cipher text words. Then, the 72 rounds started by permutating the cipher words according to Table 2. These permutated words passed to the inverse Mix operation as the following: indicates to bit rotate right R times according to Table 1, and is subtraction modulo 2 64 . In every four rounds, the subkey is subtract from the cipher words in reverse order. These operations are repeated until getting the plain words after 72 rounds [7].

The proposed method
According to the concepts of Threefish256, the proposed method encrypts PNG grayscale images. The encryption is limited to the most 2 n significant bits of pixel image because those bits has significantly affected the image quality. The proposed method adopted n=1 and n=2. For grayscale image pixels "156 159 158 159…...", the plain text block that generated when n=1 is "10101010…...", while it is "1001100110011001…..." when n=2. The 256-bits plain blocks were generated according to the following steps: 1. Determining the value of n. 2. Getting the 2 n most significant bits from each pixel. 3. Collecting those bits in a matrix, let's naming it WORDS, of 256 × X where: (9) 4. Converting each 64 bits of the WORDS matrix into unsigned integer 64 number.
The constant value of C 240 used key scheduling was 1BD11BDAA9FC1A22 in hexadecimal. The proposed method used 32-characters phrase as a secret key and 16-characters phrase as a tweak value. " Fig. 4" shows the dataflow of Threefish256 encryption of the proposed method.
The decryption follows the same steps but with flipped subkeys. The 256-bits cipher blocks were made up the WORDS matrix according to the previously mentioned steps. Then, these 64-bit blocks were entered to the decryption process along with the subkeys that were scheduled using the same key and tweak value that is used in encryption. In decryption, the subkeys were used in reverse order, i.e., in round 1 the subkey 18 was subtracted from the cipher blocks. The image cryptographic system is resistant to statistical analysis if it is infeasible to predict the key or the plain image according to the distribution of grayscales in cipher image [10]. The most common statistical analysis tests are histogram variance, entropy, contrast, and energy. The cipher image histogram should be uniform as much as possible. The histogram uniformity was measured by variance, which is calculated as the following: where h i is the value of cipher image histogram of pixel value i [11]. the lesser the variance, the more uniform the histogram [12]. The entropy estimates the randomness amount in the cipher image. It is calculated as the following [13]: Enter the key (11) where p(s i ) is the probability of value s i . The higher the entropy, the more randomly pixels distribution is. For 8-bit grayscale image, the ideal value of the entropy is 8 [12]. The contrast refers to the difference in intensity among adjacent pixels in image. A good encrypted image should have high contrast. The contrast is calculated as the following: (12) where p(i; j) is pixel position in GLCM (Gray Level Co-occurrence Matrix ) matrix [1].The energy evaluates the change rate in pixel brightness. The energy can be computed as the following: where, ŋ (i; j) is the number of GLCM matrices. The lowest the energy the more secure cipher image is [1]. PSNR (Peak Signal-to-Noise Ratio) estimates the distortion between plain and cipher image. the lower the value of PSNR, the more secure encryption is. PSNR can be computed as the following: where MSE, the Mean Square Error, can be computed as the following: where p and c are the plain and cipher image, respectively. The higher the MSE, the more secure encryption is [1], [11]. Cipher image should not be correlated with the neighbored pixels whether in diagonal, vertical, or horizontal directions. For the two vectors u and v, the correlation coefficients can be computed as the following [11]: In the plain image, the correlation coefficients are near to 1, while they are close to 0 in cipher image [13]. The image cryptographic system is resistant to differential analysis if any tiny changes in the plain image can, significantly, affects the cipher image [11]. NPCR (Number of Pixels Change Rate) is used to compute the change rate in pixel values at specific position of two cipher images when a single value differs in the corresponding plain image. NPCR is calculated as the following: where (21) C 1 is the cipher image, and C 2 is the cipher image of the same plain image, but with one-pixel value differs [11]. UACI (Unified Average Changing Intensity) is used to measure the average of the difference of the pixels in specific position to the maximum difference. It can be computed as the following [11]: The ideal value of each NPCR and UACI are 99.6094% and 33.4635% respectively [12].

Results and discussion
More than 10 PNG grayscale images were used to analyze the security of the proposed method using MATLAB. The experiments included applying Threefish256 block cipher in the case of n=1 and n=2. Furthermore, Threefish256 block cipher was applied when n=3 to analyze the impact of uninvolving some bits in encryption process on the encryption performance. In the statistical analysis, histogram variance was used to measure the uniformity of histogram, entropy was used to measure the randomness, contrast, and energy were used to measure the differences in intensity and brightness of the cipher image. Fig. 5 shows the histogram of the plain and cipher images for one of the tested images. The result of PSNR and MSE are listed in Table 4, where the cipher images had low PSNR and high MSE in all cases of n, that means that cipher images are highly different from the corresponding plain images. Fig. 6 shows the encrypted images in the cases n=1, n=2, and n=3. The nonzero MSE for the decipher images indicates that there is a loss in some decipher images in case of n=1. Fig. 7 shows the cipher and decipher images in the three cases of n. The correlation coefficients of 2000 random pixels on horizontal, vertical, and diagonal are listed in Table 5. The correlation coefficients of the cipher images were close to 0, which means that the adjacent pixels are highly décorrelated to each other. The distribution of the 2000 adjacent pixels of the plain and the cipher images of one of the tested images are shown in Fig. 8.

Plain image horizontal pixels distribution
Plain image vertical pixels distribution Plain image diagonal pixels distribution Cipher image horizontal pixels distribution, n=1 Cipher image vertical pixels distribution, n=1 Cipher image diagonal pixels distribution, n=1 Cipher image horizontal pixels distribution, n=2 Cipher image vertical pixels distribution, n=2 Cipher image diagonal pixels distribution, n=2 Cipher image horizontal pixels distribution, n=3 Cipher image vertical pixels distribution, n=3 Cipher image diagonal pixels distribution, n=3 Both of NPCR and UACI tests are computed between two cipher images of the same plain image but with one-pixel value difference. The values of NPCR and UACI, listed in Table 6, are far from the ideal values because the change in a single pixel affected the corresponding 256-bit block but not the whole image. Furthermore, the value of NPCR and UACI decreased as the value of n increased; because not all the pixel bits are involved in the encryption when n < 3. The average encryption and decryption time of the proposed method in all cases of n are listed in Table 7, which indicated that the time is decreased by 50% as n decreased by 1. It is worth mentioned that the number of 256-bit blocks of 256×256 grayscale image when n=3 is 2048 blocks, while it is decreases to 1024 blocks when n=2, and 512 blocks when n=1.

Conclusion
The objective of the current work was to design and implement Threefish block cipher on grayscale images by applying the encryption just on the 2 n most significant bits of image pixels to reduce the time and the amount of data to be encrypted while maintaining encryption performance. The results showed that the encryption of just the 2 1 most significant bits achieves good encryption quality but it may cause some loss in decryption, while the encryption of the 2 2 most significant bits achieves high encryption quality almost as good as the encryption of the total bits. Furthermore, the encryption time and the amount of data to be encrypted are decreased to 50% as n decreases. Encrypting the 2 2 most significant bits instead of encrypting total bits is sufficient to preserve high encryption quality, as well as reduces the time and the data to be encrypted. The proposed method resists the statistical analysis; however, further work to find a method resistant to the differential analysis for both colored and grayscale images is recommended.