**4. Proposed cryptosystem**

Hybrid cryptography framework presents the perfect idea for numerical image protection. It employs both symmetric and asymmetric algorithms. The first one is employed for large data encryption and the second one is to share the secret key and permits authentication by signature generation, fully related to the data and the sender. The keccak hash function is used to generate the initial secret key provided as the digest of the original image.

The flow design of the hybrid cryptosystem is given in **Figures 4** and **5**.

### **4.1 Encryption process**

The encryption process requires a symmetric algorithm to encrypt the plain image. For this, we have chosen to use the AES-256 algorithm with CTR mode for the encryption process because it is the rapid mode. However, AES requires an initial key Ki for key expansion, so we have proposed to generate the keccak hash function. On the other hand, the image is decomposed into blocks of 32 bytes. As a consequence,

#### **Figure 4.**

*Encryption and generation of the digital signature.*

*Hardware Implementation of an Improved Hybrid Cryptosystem for Numerical Image Encryption… DOI: http://dx.doi.org/10.5772/intechopen.105207*

**Figure 5.** *Decryption and verification of the digital signature.*

the used encryption mode is the CTR. Thus, a counter function is employed for generating 256-bit count values, after that, it is encrypted by the AES-256 mechanism. On the other part, to secure the transmission of the initial key Ki, which is ciphered using the RSA algorithm.

#### **4.2 Image authentication and the Key exchange**

For image authentication, a 256-bit signature is generated fully related to the owner logo using keccak algorithm. The signature is combined with the 256-bit initial key and encrypted together by the RSA for more security. However, the initial key is encrypted using the public key of the receiver using the Eq. (1). At the reception, the private key is only used for decrypting the initial key, using Eq. (2),

$$K\_f = K\_i^\epsilon \bmod{(n)}\tag{1}$$

where *Ki* is the plain key, *Kf* is the correspondent encrypted key, and (*n*, *e*) is the public key of destination.

$$K\_i = K\_f^d \bmod (n) \tag{2}$$

where *Ki* is the decrypted key, *Kf* is the encrypted key, and (*n*, *d*) is the private key of the destination.

#### **4.3 Decryption process**

After the encryption process, ciphered image is sent to the destination over an insecure channel. At the reception, a decryption process should be done to restrain the plain image and detect the owner's logo. This phase is the reverse of the encryption

process. The algorithm starts by decrypting the encrypted key by the RSA system to obtain the plain key. The first part, 256-bit, is the initial key Ki used for image decryption, and the remaining part, 256-bit, is the owner's digital signature used for image authentication. However, using Ki, the received image is ciphered by the decryption system. This treatment enables finding the original image. On the other hand, using the digital signature with the help of a database, we detect the image owner's logo.
