Medical image encryption scheme based on self-veriﬁcation matrix

To mitigate the shortcomings of existing medical image encryption algorithms, including a lack of anti-tampering methods and security, this report presents an anti-tampering encryption algorithm for medical images that is based on a self-veriﬁcation matrix. First, chaotic coordinates generated by chaos are used to traverse all pixels in a plain image to generate a two-dimensional matrix (a self-veriﬁcation matrix) with positioning information. The accurate location of illegally altered image pixels can be detected using the self-veriﬁcation matrix. To improve the security of the self-authentication matrix, DNA coding is also applied to the self-authentication matrix, and the plain image is also diffused statically to destroy the pixel distribution. Next, the scrambled image and self-veriﬁcation matrix are mixed and cross-scrambled. Finally, the fused image is diffused dynamically to improve the security of the encrypted image. Experimental simulation and performance analysis show that the algorithm achieves good encryption effectiveness, provides strong anti-tampering capabilities, and can accurately locate at least 4 pixels.


INTRODUCTION
In modern hospitals, digital medical images play an increasingly important role in the diagnosis and treatment of diseases, and have thus attracted increasing attention [1,2]. In recent years, medical image security has gradually become a research hotspot [3] and typically involves the following aspects: confidentiality (only authorized individuals can access patient data), integrity (proving that medical information has not been modified) and authentication (involving identity recognition; two communication participants should identify each other) [4,5]. Encryption and watermarking technology are typically used to provide security and integrity authentication for medical images. Encryption typically confuses the visual effect of medical images, and watermarking can unconsciously insert authentication information so that unauthorized users cannot access the hospital information system [6,7]. For many years, various encryption algorithms have been widely used to provide security for digital images [8][9][10][11][12][13]. Image encryption can provide protection for image information, thus ensuring the confidentiality and security of the image [14]. Image encryption is typically divided into two stages. In the scrambling stage, changing the position of image pixels will cause visual confusion. In the diffusion stage, the influence of a single plain-image pixel or key is diffused into more cipher images by changing the value of the image pixel to conceal the relationship between the statistical characteristics of the cipher image and plain image. However, once the image is decrypted, the image is no longer protected [15][16][17]. Although current medical image encryption algorithms play strong roles in protecting the security of medical images, the security level of medical images is still limited because medical images may involve the privacy of many patients, some of which are confidential and sensitive [18]. In [19], a medical image encryption algorithm based on the Goldreich-Goldwasser-Halevi encryption scheme was studied. That algorithm can ensure security while maintaining low algorithm complexity. However, that algorithm cannot resist ciphertext attacks and can only be improved by filling before encryption. In [20], the security and integrity of the enhanced Rivest cipher algorithm based on chaos in medical images were studied. In [21], a medical image encryption algorithm using high-speed scrambling and pixel adaptive diffusion was proposed, but a cipher image was found to be completely recoverable with the chosen plaintext attack. However, the diffusion ability of the Rivest cipher is poor, and the performance of encrypted images in resisting various attacks is poor. To solve some of the shortcomings of existing medical image encryption algorithms, researchers have proposed many strong encryption algorithms according to the characteristics of medical images [22][23][24][25][26][27][28][29]. In [22], an improved encryption scheme was proposed for [21] that uses the enhanced version of the original algorithm to perform non-linear operations on the image. The experimental results and security analysis show that the improved encryption algorithm can resist the selected plain-image attack and retain the advantages of the original algorithm. In [30], according to the characteristics of the frequency domain and spatial domain, a DICOM image encryption algorithm based on the fusion of the frequency domain chaotic attractor and spatial domain DNA sequence based on integer wavelet transform (IWT) were proposed. That algorithm exhibits strong robustness and the ability to resist statistical and differential attacks. In [18], an asymmetric medical image encryption scheme was proposed with an iris for medical image encryption to improve the security of the encryption scheme. Second, asymmetric optical encryption technology was combined with three-dimensional Lorenz chaos technology to improve the key space and solve the linear problem based on double random phase coding. In [31], Ma et al. proposed a novel reversible data hiding (RDH) scheme for medical images based on block classification and code division multiplexing (CDM) in the frequency domain. This scheme provides high visual quality and a large data embedding capacity for medical images. Although a variety of encryption schemes have been developed to protect medical images, most schemes address the security of medical images, and few schemes can verify the integrity of medical images and preventing tampering [32].
To overcome this limitation, many researchers have proposed digital watermarking to provide security for medical images by authenticating original images, their ownership and other security requirements [33]. In [34], a new color image watermarking replacement scheme based on a Fourier transform was proposed. Two variants of the scheme were applied and achieved good imperceptibility. In [35], a new image watermarking scheme based on singular value decomposition (SVD) and chaotic mapping was proposed to enable the algorithm to achieve a good balance between robustness and imperceptibility. In [36], Xu et al. proposed a QR-based digital watermarking scheme to enhance robustness to the shear attack. In addition, that method was found to yield superior performance compared to other methods in terms of invisibility, robustness, and embedding payload.
Watermarking also has some drawbacks [37]. For example, watermarking can only detect whether the image has been tampered with but cannot locate the exact location of the tampering. In addition, watermarking will not hide the image information itself; once the watermarking is deleted, the image will no longer be protected [38]. To overcome the limitation of only encrypting or watermarking methods, a tamper-proof encryption algorithm for medical images based on a selfverification matrix is proposed. The algorithm uses random chaotic coordinates to record the pixel position information of the plain image and obtains the self-verification matrix related to plaintext. In addition to anti-tampering, it can also effectively resist known plaintext attacks and selected plaintext attacks, and improve system robustness. Then, the statistical features in the self-verification matrix information are also hidden by DNA coding, and a new image is obtained by fusing the self-verification matrix with the plain image. To ensure the security of the encrypted image, the new image is crossscrambled, and dynamic diffusion is performed to obtain the final cipher image. To describe the proposed scheme's reliability, performance analysis (e.g. information entropy, histogram and key sensitivity) and anti-attack detection (e.g. differential attack, noise attack and clipping attack) are performed. Comprehensive experimental results show that the method achieves strong anti-tampering capabilities and anti-attack capabilities.
The remainder of this paper is organized as follows. The fractional Chen hyperchaotic system, 4D hyperchaotic system and DNA code are introduced in Section 3, Section 4 introduces the image encryption algorithm, and Section 5 analyzes the performance of the algorithm. The last section summarizes the paper.

2
Related work

2.1
The fractional Chen hyperchaotic system model is described as [39] When a = 35, b = 3, c = 12, d = 7 and e = 0.58, the system has two positive Lyapunov exponents of 1 = 0.567 and 2 = 0.126; thus the system is hyperchaotic. The prediction time of hyperchaotic systems is typically shorter than that of chaotic systems; thus the security of hyperchaotic systems is higher. Its partial chaotic attractors are shown in Figure 1.

Coding and decoding of DNA
DNA is composed of nucleotides. The nitrogen-containing bases of nucleotides are A (adenine), C (cytosine), G (guanine), and T (thymine). A and T complement each other, and G and C complement each other. Because 0 and 1 are complementary in the binary system, 00 and 11 are complementary, and 01 and 10 are complementary [41]. Using 00, 01, 10 and 11 to code for A, C, G and T, there are 24 coding rules. However, only eight coding rules satisfy the Watson-Crick rule [42], as shown in Table 1. DNA decoding rules are contrary to DNA coding rules.

TAMPER-PROOF ENCRYPTION/ DECRYPTION SCHEME
To protect the confidentiality and integrity of medical images, and to check whether medical images have been tampered with illegally, a chaotic medical image encryption algorithm based on the self-verification matrix is designed to prevent tampering. Its structure is shown in Figure 3. The proposed scheme is deployed at the ends of Alice and Bob, where Alice is the sender of information and the encryption end, and Bob is the receiver of information and the legitimate decryption end. Eric is an attacker, that illegally tamper with the information.

Encryption/decryption algorithm
The proposed algorithm consists of a self-verification matrix generation stage, a DNA coding encryption stage, a decussate scrambling stage, and a dynamical diffusion stage. This encryption flowchart is shown in Figure 4.
Step 1: We assume that plain-image P is an M × N grey medical image.
Step 2: Iterate the fractional Chen hyperchaotic system (1) M × N times. The results y 1 , y 2 , y 3 , y 4 are mapped to integer sequences CS 1, CS 2, CS 3 and CS 4: Step 3: The elements of sequence CS 1, CS 2 and CS 4 in Equation (3) are transformed into three hyperchaotic matrices CM , CM 1 and CM 2, whose sizes are M × N , respectively.
Step 4: We eliminate the repetitive elements in the integer sequences CS 1, CS 2, CS 3, and CS 4, and then obtain the hyperchaotic coordinate pairs (Q x , Q y ) and (Q z , Q w ): where ismember () is the function to eliminate the repetitive elements in the sequence.
Step 5: The self-verification matrix W is computed using the coordinate pair (Q x , Q y ) and hyperchaotic matrix CM , as described in Equation (7): where is the pixel value at position (Q x (i ), Q y ( j )) in plain-image P; and bitxor () represents a bitwise XOR operation. In short, the selfverification matrix is composed of the pixel differences of two positions in the plain image.
Step 6: Concurrently, the plain-image P is statically scrambled and diffused by the DNA coding encryption method as follows: First, the pixel values in the plain-image P are converted into 8 bits binary. Second, according to the DNA coding rules, to obtain the DNA coding image DNA P . Then the hyperchaotic coordinate pair (Q z , Q w ), shown in Equation (6), is used for position information to scramble DNA P Finally, the scrambling The DNA coding encryption process is shown in Figure 5.
Step 7: The 4D hyperchaotic system (2) is used to generate the secret keys of decussate scrambling and dynamical diffusion.
where ST 1 and ST 2 are the decussate scrambling key matrices, and ST 3 and ST 4 are the dynamical diffusion key matrices.
Step 9: Up and down splice the W (i, j ) and DNA E of decussate scrambling, obtain the scrambling image Img.SImg is dynamically diffused by the dynamical diffusion keys matrices ST 3 and ST 4, and then we finally obtain the cipher-image CImg: where is the dynamic encryption control parameter, ∈ ℕ, and ≤ 2 × M × N . This algorithm is a symmetric encryption algorithm, and the decryption process is the inverse of encryption. Through the inverse operation of the dynamical diffusion and decussate scrambling, we can obtain the decrypted image and a decrypted self-verification matrix 'W '.

EXPERIMENTAL SIMULATION AND PERFORMANCE ANALYSIS
Here, we simulate the proposed algorithm, and analyze the security of grey images and color images, including key space analysis, statistical analysis and differential attack analysis. As shown in Figure 6a

Self-verification tamper-proof method
As shown in Figure 3, Alice encrypts the plain-image P to the cipher image CImg, and then sends it to the legal decryptor Bob. The attacker Eric illegally intercepts and decrypts CImg, and maliciously tampers with it to obtain the tampered image TImg, which is then sent to Bob. Thus, the decryption-image obtained by Bob is a tampered decrypted image DTImg. The proposed self-verification method can achieve pixellevel image tampering detection. First, a decrypted selfverification matrix W ′ is generated during the decryption process. Next, we calculate the verification matrix V , as shown in Equation (12): where, Q x (i ), Q y ( j ) and CM (i, j ) are symmetrically computed from the fractional Chen hyperchaotic system(1), as described in Section 2.1.  Ultimately, the decrypted self-verification matrix W ′ is compared with the verification matrix V and then, the detection matrix U is generated.
The self-verification matrix is calculated by the difference between the pixel values of two random positions(i, j ) and (Q x (i ), Q y ( j )) in the image. If there are different values between the decrypted self-verification matrix W ′ and the selfverification matrix V calculated in the decrypted image, the encrypted image been tampered with. As shown in Figure 7, the value in the self-verification matrix is derived from the difference between P (i, j ) and (Q x (i ), Q y ( j )). When W ′ and V in the self-verification matrix are different, the two pixels have been tampered with. By comparing the values in the two self-verification matrices, we can identify the pixels that may be tampered with. Finally, the densest area of pixel aggregation is found to be the tampered location. Thus, we can accurately locate the tampered pixels that have been tampered with.
The black parts of the highlight block are the tampered parts that tamper with 4, 9 and 16 pixels in Figures 8a-c and 9a-c, respectively. We can easily find the locations of pixels that have been tampered with using the detection matrices shown in Figures 8d-f and 9d-f. Experimental results show that the proposed method effectively detects and locates pixels that have been tampered with.

Normalization analysis
In order to prove the robustness of the proposed scheme, we do a series of performance analysis and anti-attack test on the merged cipher image, and also do the color scale normalization on the self-verification matrix W and medical image DNA E before merging. It can be seen from Figure 10 that after image enhancement, neither the image nor the histogram can show any useful information, which further proves the feasibility of the scheme [44].

Information entropy
The information entropy of the image can measure the distribution of the image grey value. Image entropy H (m) is defined as [43]: where N is the number of m i pixels and p(m i ) is the probability of m i . For 256 greyscale images, the ideal information entropy of the cipher image is 8, which shows that the probability of occurrence of each grey-level pixel is equal, indicating a uniform distribution (i.e. a white noise image). Therefore, the information entropy of cipher image with high security should be near 8. Table 2 shows the results of the information entropy   of 'bone' and 'intestine' cipher images. The entropy value is shown to be closer to the theoretical value, which highlights that the algorithm can effectively resist information entropy attacks.

Histogram analysis
The image histogram represents the intensity distribution of pixels in an image. A secure encryption system should make the histogram distribution as flat as possible because only the uniform distribution histogram has maximum entropy [44]. Figure 11 shows histograms of 'large intestine' and 'bone' plain images and cipher images. Figure 11 shows that the histogram distribution of all cipher images is relatively uniform, and the strong regularity of the plain-image pixels is not brought into the cipher image, which indicates that the attacker cannot obtain any useful statistical information from the cipher image to attack the algorithm.

Variance analysis
We use the variances of the histograms to evaluate the uniformities of the encrypted images. Variance is defined by [45]: whereas z represents the value of the histogram vector, the lower the variance of image is, the higher the uniformity. Table 3 shows the test results of different images. Compared with the plain image, the variance of the cipher image is markedly lower.

Correlation analysis
Due to the characteristics of digital images, plain images typically show a certain degree of correlation between two adjacent pixels. To analyze the correlation of adjacent pixels, 4000 pairs of adjacent pixels are randomly selected from the plain image and cipher images of 'bone' and their correlation coefficients , where x and y represent the grey value of two adjacent pixels, and the correlation distribution of adjacent pixels in horizontal, vertical and diagonal directions is shown in Figure 12 [10,46,47] reports comparative algorithms, where the adjacent pixels of plain image have a strong correlation, and adjacent pixels of cipher image have low correlation. Then, we calculated the correlation coefficients of adjacent pixels of 'intestine' and 'bone' in three directions. As shown in Table 4, the correlation coefficient of the cipher image is significantly lower and near zero, which also highlights that the proposed method can effectively resist statistical attacks.

Key sensitivity analysis
A secure cryptosystem should be sensitive to a given encryption key. A small change in the encryption key will result in a large change in the cipher image, and a small difference in the decryption key will also lead to the incorrect decryption of the image. Considering a 128 × 256 'intestine' image as an example. Figure 13a shows the plain image, and Figure 13 shows the  Figure 13c-f shows that if there is any change in the keys, even just a 10 −16 difference, we cannot correctly recover the plain image.

Peak signal-to-noise ratio
The difference between the plain image and cipher image is measured by the mean square error (MSE). MSE is defined as: where T represents the number of pixels in a cipher image. The larger the value of MSE is, the greater the difference between the cipher image and the plain image, and the better the image encryption effect. The peak signal noise ratio (PSNR) is the ratio between the plain image and cipher image. PSNR is defined as:  where MAX is the maximum pixel value of plain image. In a good encryption algorithm, PSNR should be as low as possible, because the larger the PSNR value, the more similar the cipher image is to the original image. The MSE and PSNR values of the cipher image are shown in Table 5, and [47] reports an algorithm for comparison.

Differential attack
An ideal cryptosystem should ensure that any minor changes in plain images should produce large changes in cipher images. The number-of-pixels change rate (NPCR) [49] and the unified averaged changing intensity (UACI) [50] are two criteria that are used to analyze differential attacks. These metrics are defined by :  where c 1 and c 2 represent two cipher images after changing one bit in the same plain image, and D(i, j ) is defined as: The ideal NPCR value and UACI value of the cipher image are 99.6093% and 33.4653%, respectively [51]. 'Intestine' and 'bone' and 'chest' images are used as test images. The UACI and NPCR values of this algorithm are compared with those of other algorithms as shown in Table 6. Results show that the NPCR and UACI values of this algorithm are similar to the theoretical values and have the ability to resist differential attacks.

Data loss attack
To protect the cryptosystem from data loss attacks during transmission and storage, image data with sizes of 64 × 64, 128 × 128 and 256 × 128 are deleted from the cipher image to evaluate the robustness of the proposed algorithm to the data loss attack. Cropping results are shown in Figure 14a-c, and the corresponding decrypted images are shown in Figure 14d-f.  The experimental results show that the decrypted image after cropping is still recognizable, and the algorithm can resist the data loss attack.

Noise attack
During real transmission and storage, noise is often added to the image. The ability to resist noise attacks is also an evaluation index to verify the robustness of the cryptosystem. In this section, salt-and-pepper noise is used to test the anti-noise attack ability [51].

Speed analysis
In addition to security, encryption efficiency is also important, particularly real-time Internet multimedia applications. In the proposed encryption scheme, cross-scrambling and dynamic diffusion can improve the overall encryption efficiency. Compared with other encryption schemes, Table 7, shows that the proposed algorithm exhibits advantages with regard to speed. Concurrently, due to the symmetric structure, the time costs of encryption and decryption are the same. The proposed scheme meets the definition of real-time encryption and decryption; real-time encryption can perform real-time processing of data encryption and decryption requirements in the user's normal work, without displaying the encryption and decryption process, and does not generate temporary files. Real-time encryption and decryption technology provides users with a transparent operating experience while avoiding the process of repeated encryption and decryption of data on the storage medium, and solves the problems of complex operations and low efficiency of traditional encryption and decryption technologies). Thus, the proposed algorithm can realize support real-time communication.

CONCLUSION
In this study, a tamper-proof encryption scheme for medical images based on a self-verification matrix is proposed. The self-verification matrix is composed of plain-image position information that is controlled by a chaotic system. By combining DNA coding with a chaotic system, cross-scrambling and dynamic diffusion are used to ensure the security and integrity of the self-verification matrix and medical image. Finally, through security analysis and a tamper-proof test, the reliability of the proposed encryption scheme is shown to exhibit good tamper-proof capabilities and accurate positioning abilities. In future work, we plan to perform more detailed research on anti-tampering methods, particularly with regard to hiding verification information. The self-verification matrix information proposed in this paper should be combined with the plain image and encrypted together. The next step in this field of research is to integrate verification information into the cipher image, which can effectively reduce the complexity of the algorithm and improve encryption efficiency.