A Novel Image Authentication with Tamper Localization and Self-Recovery in Encrypted Domain Based on Compressive Sensing

This paper proposes a novel tamper detection, localization, and recovery scheme for encrypted images with Discrete Wavelet Transformation (DWT) and Compressive Sensing (CS). The original image is first transformed into DWT domain and divided into important part, that is, low-frequency part, and unimportant part, that is, high-frequency part. For low-frequency part contains the main information of image, traditional chaotic encryption is employed. Then, high-frequency part is encrypted with CS to vacate space for watermark. The scheme takes the processed original image content as watermark, from which the characteristic digest values are generated. Comparing with the existing image authentication algorithms, the proposed scheme can realize not only tamper detection and localization but also tamper recovery. Moreover, tamper recovery is based on block division and the recovery accuracy varies with the contents that are possibly tampered. If either the watermark or low-frequency part is tampered, the recovery accuracy is 100%. The experimental results show that the scheme can not only distinguish the type of tamper and find the tampered blocks but also recover the main information of the original image. With great robustness and security, the scheme can adequately meet the need of secure image transmission under unreliable conditions.


Introduction
With the rapid development of data storage and digital process, more and more digital information is transformed and transmitted over the Internet day by day, which brings people a series of security problems as well as convenience.For the openness of network, digital images are vulnerable to attack during the transmission over public network.Receivers often receive tampered images unconsciously.Therefore, unpredictable results occur.Especially for the fields such as governments, military, forensics, and electronic commerce, any slight attack will lead to serious consequences.Accordingly, people pay more and more attention to the protection of privacy information.The researches on digital image security, that is, image encryption, image data hiding, and image authentication, become more important than ever.
Image encryption technique scrambles the pixels of the image and decreases the correlation among the pixels, so that the encrypted image is hard to understand [1].However, the encrypted image may arouse an attacker's attention to guess the secret behind encryption and seek various ways to crack or break the encrypted content, which heavily threatens the security of the original information.Data hiding technique focuses on embedding some significant information or authentication information into the original cover image based on the redundancy of cover image, which makes it difficult to detect the embedded information.
With the developments of techniques, people hope not only that the data can be delivered to receiver securely but also that the receiver can detect the integrity and authenticity of the received data, which thirsts for image authentication to detect whether the image is tampered and how it is tampered.Conventional authentication techniques belong to integrity authentication, which does not allow any slight change during data transmission and therefore is not suitable for image content authentication.Different from conventional authentication, content-based digital signature and watermarking technique can detect the range of tamper and judge whether the tamper affects the real content of image.However, most of the existing digital signature and watermarking techniques can only detect the integrity of images or conduct image content authentication with no self-recovery ability or limited self-recovery ability.More and more application scenarios require not only exact tamper detection but also tampered content identification, tamper localization, and self-recovery.Take the transmission and storage of military and medical images as an example.The content owner often encrypts the images first for avoiding information leakage.The data hider embeds secret data in encrypted images.In the receiver side, secret data can be commendably extracted and can be employed to tamper detection, localization and original data recovery.In this way, data can be securely transmitted while the authentication of data integrity and authenticity also can be conducted, which has great practical significance.
In this paper, a novel image authentication with tamper localization and self-recovery for encrypted images is proposed.Firstly, the original image is transformed into Discrete Wavelet Transformation (DWT) domain and divided into important part, that is, low-frequency part, and unimportant part, that is, high-frequency part.Then, different parts are processed differently to realize different goals.Since the lowfrequency part contains the main information of image, traditional chaotic encryption is employed in encryption stage so that the low-frequency part can be fully recovered in decryption stage.Then, for the high-frequency part, Compressive Sensing (CS) is used to conduct encryption so as to vacate space for watermark embedding.The scheme takes the processed content of original image as watermark, from which the characteristic digest values are then generated.The watermark is designed mainly for tamper recovery while the digest values are considered as the standard of tamper detection.Tamper recovery is based on block division and the recovery accuracy varies with the contents that are possibly tampered.If either the watermark or low-frequency part is tampered, the recovery accuracy is 100%.If both the watermark and low-frequency part are tampered, the recovery accuracy will decrease while the tampered degree increases.However, some existing pixel prediction techniques can be used to further improve the visual quality of recovered image.The experimental results show that the proposed scheme can not only distinguish the type of tamper and find the tampered image block but also recover the main information of the original image.With great robustness and security, the scheme can adequately meet the need of secure image transportation under unreliable conditions.
The rest of this paper is organized as follows.Section 2 briefly overviews the existing image data hiding and image authentication schemes.Section 3 lists some general knowledge about CS.Section 4 presents the proposed image authentication scheme.Experimental results are demonstrated in Section 5. Finally, we conclude in Section 6.

Related Works
Image encryption techniques, from traditional classical encryption algorithms, such as DES and AES, to chaotic novel encryption algorithms and joint encryption algorithms, such as [2], are designed to encrypt text and images.Data hiding techniques usually go with image encryption.The embedding domain can generally be plain domain or encrypted domain.For data hiding in plain domain, including both spatial domain and transform domain, the original image is watermarked first and then encrypted.The classical algorithms in spatial domain can be divided into LSB modification and substitution based algorithms [3], error expansion based algorithms [4], and histogram shifting based algorithms [5].The classical algorithms in transform domain include discrete cosine transform (DCT) algorithms and discrete wavelet transformation (DWT) algorithms [6][7][8][9][10][11].For data hiding in encrypted domain, also including both spatial domain and transform domain, the original image is first encrypted and then watermarked.Data hiding in spatial domain was conducted in [12][13][14][15][16], while authors of [17,18] hide data in transform domain.
Image authentication techniques can be generally divided into integrity authentication and content authentication.For integrity authentication, any slight change of image is not allowed.For content authentication, the operations that do not influence the content features of image are acceptable.The two methods of image authentication are digital signature and digital watermarking.
So far, a large number of image authentication schemes with digital signature and digital watermarking have been proposed.References [19][20][21] focused on digital signature, which is sophisticated and has been employed in many applications, especially in electronic commerce.Digital watermarking can be divided into spatial domain schemes and transformation domain schemes.Spatial domain schemes include block-based fragile watermarking [22] and pixel significant bit based watermarking [23].In [22], the cover image is divided into reversible blocks and irreversible blocks.Reversible blocks are employed to embed the feature information extracted from all the blocks, while irreversible blocks are used to extract the digest information of image.The scheme can accurately locate tampers and recover images with high quality.However, the scheme is quite complicated and cannot resist quantization attack.Moreover, the number of irreversible blocks cannot be more than that of reversible blocks.Otherwise, the scheme cannot realize reversible authentication.In [23] the 7 MSBs' checksum is computed of all the pixels in the original image, which is then embedded into the LSB of each pixel.Though the scheme is of practical value and is easy to implement, the security is extremely low and the scheme is subjected to LSB substitution attack.
Since transformation domain is suitable for the extraction of image features, the authentication methods often rest on wavelet transformation coefficients or cosine transformation coefficients.In [24], a watermark in the form of a visually meaningful binary pattern is used for tamper detection.One watermark bit is embedded into each DCT block by shifting a randomly selected coefficient to have a mapped value.Though the scheme works well in resisting some attacks, there is no tamper recovery capability.In [25], Hasan and Hassan proposed a robust self-embedding watermarking scheme for self-correction and a fragile watermarking scheme for sensitive authentication.The scheme can effectively detect and characterize changes and distinguish between malicious and normal manipulations and has autocorrection capabilities of local malicious alterations.In [26], a quantization and DCT based self-embedding fragile watermarking scheme with effective image authentication and restoration quality is proposed.The scheme used a small nonoverlapping block sized 2 × 2 to improve the accuracy of localization and can effectively remove the blocking artifacts.Unfortunately, the watermark data, which is embedded into three LSBs planes, may be destroyed by some image processing operations.
In [27], Liu and Hu designed two watermarks from the low-frequency band of DWT domain and embedded the watermarks into the high-frequency bands.The scheme can resist the mild modifications of digital image and be able to detect and recover the malicious modifications precisely.In [28], the image features are extracted from the lowestfrequency coefficients of each block as the first embedded watermark and the orientation adjustment is then calculate based on the two-level wavelet coefficients in the middlefrequency subbands for image authentication.The scheme uses image feature and logo watermark as two different embedded watermarks and can realize image authentication and recovery of the tampered regions simultaneously.In [29] a semifragile and self-recoverable watermarking algorithm is proposed based on a group quantization and double authentication method.The scheme takes the generated authentication watermarks as information watermarks to reduce the amount of the embedding watermarks, enhances security by randomly permuting coefficients among a group, enhances robustness by embedding the watermarks in the largest coefficient inside a group, and employs the double authentication ring structure to effectively improve localization accuracy.CS domain is another significant transformation domain, based on which image authentication schemes have sprung up.In [30], CS is employed to process watermark, which strengthens the security of watermark.However, due to the distortion during the process, the receiver cannot extract watermark exactly.In [31], CS is used to process watermarked image, which ensures the security of both watermark and cover image.However, the accuracy of watermark extraction is at risk.Some researchers have proved that hiding data in measurements is of strong robustness [32][33][34][35][36][37].In [32,33], Rachlin et al. showed the security and confidentiality of CS measurements.Without key and heuristic knowledge, attacker cannot infer the content of watermark from the measurements of encrypted image, which means that embedding watermark in CS measurements is feasible.In [34], the sender converts the original image into frequency domain with discrete wavelet transform (DWT), computes the measurements of encrypted image with compressive sensing measuring, and embeds watermark into the measurements.The watermarked encrypted image is then generated with CS reconstruction algorithm.However, only one measurement matrix is employed during the whole process, which is of huge computation and cannot resist large-scale noise attack.Moreover, the original image is needed for watermark extraction.Since the energy distribution of image is uneven and the embedding in energy-concentrated region will result in important information losing and destroying, it is better to embed watermark in energy-dispersed region.
CS based tamper authentication and recovery schemes for encrypted image can allow a certain compression ratio and effectively conduct tamper detection.The schemes can realize tamper content identification, or tamper localization or tamper recovery.However, the accuracy of tamper localization is not high and the above-mentioned three goals cannot be reached at the same time.In view of these insufficiencies, we propose a CS based image authentication scheme for the encrypted image jointly with tamper detection, localization, and recovery.The proposed scheme divides the image into important part and unimportant part and encrypts different parts with different encryption algorithms.For realizing tamper detection, localization, and recovery, the proposed scheme generates characteristic watermark from the original image and embeds the watermark into the compressive sensing measurements of the original image.The watermark is generated from the low-frequency part of DWT with CS.The reconstruction feature of CS is employed for tamper detection and recovery.And then the characteristic values extracted from watermark are considered as the tamper localization standard.

Compressive Sensing
In this section, we provide a brief introduction to CS. Compressive sensing, also known as compressive sampling or sparse sampling, is a new signal acquisition technology to capture and represent compressible signals at a rate significantly below the Nyquist rate.The original signals can be exactly or approximately reconstructed with a small number of measurements.
The general framework of compressive sensing, including sampling process in the encoder side and reconstruction process in the decoder side, is shown in Figure 1.Suppose that  is an  × 1 natural signal which itself may or may not sparse in the canonical basis but is sparse or approximately sparse in an appropriate basis Ψ.

𝑥 = Ψ𝜃,
where  is  sparse; that is, there are exactly  ≪  nonzero components.For the sampling process, measurements  can be computed through multiplying an  ×  ( ≪ ) measurement matrix Φ by .
where , an  × 1 sample vector, contains most useful information of .Φ satisfies the restricted isometry property (RIP) of a certain order [38].Then the sparse  signal can be directly sampled via the following equation: For the reconstruction process, the signal  can be reconstructed from measurements  by solving an  1 minimization problem.
where x is the recovered signal.
To the best of our knowledge, if the entries of matrix Φ are generated from a Gaussian distribution with zero mean and variance, Φ is a RIP matrix with overwhelming probability.In this paper, such a Gaussian distribution is employed to generate compressive sensing matrix.Moreover, the DWT is adopted to make the original signal sparse.

The Proposed Scheme
As illustrated in Figure 2, the proposed scheme mainly involves three parties: content owner, data hider, and receiver.The content owner generates watermark and characteristic digest values from the original image and encrypts the original image.When receiving the encrypted image and watermark, the data hider embeds the watermark into the encrypted image and transmits the watermarked encrypted image to the receiver.With relevant keys, the receiver can easily decrypt the watermarked encrypted image and conduct tamper detection, tamper localization, and image recovery.

Image Encryption and Watermark
Embedding.In this stage, the content owner first encrypts the original image and generates the watermark to be embedded.Then the data hider conducts watermark embedding into the encrypted image.The framework is illustrated in Figure 3.  Step 1.The content owner decomposes the original image I with DWT and gets low-frequency part LL and highfrequency parts HL, LH, and HH.For further processing, the low-frequency part is considered as the important part while the high-frequency parts are deemed as the unimportant parts.
Step 2. There are two operations for important part LL.One is traditional image encryption.The other is watermark generation and characteristic digest value generation with direct block division and compressive sensing.

(A) Traditional Image Encryption with Arnold Scrambling and Logistic Map
(1) Separate out sign matrix LL sig, absolute integer matrix LL int, and decimal matrix LL de from LL.
Conduct 1 times Arnold scrambling to the 16-bit planes of LL int, respectively, and then the scrambled bit panes are reassembled.The periodicity of Arnold scrambling 1 and the iterations 1 are part of the private key 1.
(2) According to another part of the private key 1, the initial values (0, 0), and a big integer , use Logistic map to generate a random sequence with the size as LL int, multiply it by the big integer , and then perform modular 65536 operation.
(3) XOR the generated pixels and the random numbers to get the encrypted low-frequency integer matrix ELL int, which is then reassembled with the sign matrix LL sig and decimal matrix LL de to form the encrypted low-frequency part ELL.
(B) Watermark Generation.The watermark generated from LL with block compressive sensing in this proposed scheme is designed for tamper authentication and recovery.Therefore, the size of measurement matrix should be the same as that of block.Watermark is generated as follows.
Divide LL into nonoverlapping blocks with the size of  × .Generate chaotic measurement matrix 1 with the seed private key 2.Here  and 2 are part of the private key 2.For each block, reshape it into one-dimensional vector through Zig-Zag scanning.Then each vector is measured to get the measurement value.All the measurement values are combined to form the measurement watermark matrix .Since the watermark will be used for low-frequency recovery, the compression ratio is set to 1 for reducing distortion.
(C) Characteristic Digest Value Generation.Characteristic digest value is generated through watermark processing, which will be used for image authentication in the coming stage.Since it is transmitted via secure channel, it can be employed for tamper authentication and localization.
Take the absolute value of  as an integer matrix.Transform each element of the matrix into 16-bit sequence with 0 and 1, which is then permuted with the private key .Pick out the LSB plane from the 16-bit planes to form W LSB. Compress it with run-length encoding.Then it is considered as the characteristic digest value  and transmitted to the receiver side together with other private keys.
It should be noted that since the characteristic digest value is generated through taking a bit plane from the blocks of watermark  which originates from low-frequency part with compressive sensing, the characteristic digest value can only detect whether the watermark or low-frequency part is tampered and then find out the tampered blocks.
Step 3.For the unimportant part, that is, high-frequency parts HL, LH, and HH, different compressive sensing operation will be employed to ensure the reasonability of watermark embedding and the invariance of image size before and after encryption.
(A) For HL. Divide HL into nonoverlapping blocks with the size of  × .Reshape each block into one-dimensional vector with the same method.Generate a measurement matrix 2 with the private key 3.Then each block is measured to get a measurement value, which is then transformed and combined as the measurement value matrix YHL with compression ratio of 1.
(B) For LH and HH.Divide LH and HH into nonoverlapping blocks with the size of  × .Reshape each block into one-dimensional vector with the same method.Generate a measurement matrix 3 with the private key 4.Then each block is measured to get a measurement value, which is then transformed as the blocked measurement value matrices YLH and YHH with compression ratio of 0.5.The vacant positions are filled up with 0. Here, half of space in LH and HH after compression is vacated for watermark.Moreover, , 3, and 4 are part of 3.

Watermark Embedding.
Watermark is made up of measurement values and will be embedded into the measurement values of high-frequency part.Therefore, it not only makes watermark localization and extraction convenient but also reduces the error rate of watermark extraction.After being embedded, the watermark and other elements in high-frequency part show the same distribution features of encrypted data so that it is difficult to distinguish whether watermark is embedded.
Step 1. Separate each watermark block into two parts, that is, the upper part and the lower part.The size of each part is /2 × .Embed these two parts into the corresponding positions of YLH and YHH, respectively, which have been filled up with "0."After watermark embedding, YLH w and YHH w are generated and then combined with YHL to form the watermarked high-frequency part.
Step 2. Reassemble the low-frequency part and the highfrequency part.Generate a random sequence using Logistic map with the private key (1, 1).Combine this sequence and the watermarked encrypted image with XOR operation.Then perform 2 times Arnold scrambling to the resultant matrix to get the final watermarked encrypted image .Here, iteration cycle 2 and iteration times 2 and (1, 1) are part of the private key 4.

Watermark Extraction and Image Decryption.
In this section, all the operations will be done by the receiver.As illustrated in Figure 4, the process can be divided into four stages, that is, watermark extraction, image decryption, tamper validation, and tamper localization and recovery.

Watermark Extraction.
After receiving the watermarked encrypted image, the receiver first decrypts the image and then extracts the watermark from the image.The watermark extraction process is the inverse process of embedding.
Step 1.The receiver first separates (1, 1) from 4.Generate a chaotic random sequence using Logistic map with (1, 1).Then pick up iteration cycle 2 and iteration times 2.Perform 2−2 times Arnold scrambling to the watermarked encrypted image .Perform XOR operation between this scrambled image and the generated chaotic random sequence and then divide it into low-frequency part ELL RE and watermarked high-frequency part.
Step 2. Divide the watermarked high-frequency part into three parts, that is, YHL RE, YLH w RE, and YHH w RE, which are then further divided into nonoverlapping blocks.From the first block of YLH w RE and YHH w RE, take the lower part of the corresponding block to get a watermark block and put it into the corresponding block position of the watermark extraction matrix W RE. When the processing of all the blocks finishes, the watermark is fully extracted.Moreover, the high-frequency part after watermark extraction will change into YLH RE and YHH RE.
The extracted watermark is mainly used for tamper verification.Without tamper, a high quality image will be directly reconstructed after decryption.When tamper occurs, the characteristic digest value will be generated and then compared with the transmitted characteristic digest value for tamper localization and recovery.

Image Decryption (A) Low-Frequency Part
with LL_new (i, j) replacing LL_RE with (i, j)

LL_new
and LL_RE (i, j), (i, j)  Since the low-frequency part contains the important information of image and the highfrequency part contains the unimportant information of image, the former is encrypted with traditional encryption algorithm while the latter is processed with CS.Due to the lossy compression of CS, it cannot perfectly recover the original image.Therefore, the low-frequency part should be recovered as completely as possible.Watermark is generated from the low-frequency part with CS, the sensibility of which can be used for tamper detection.Moreover, watermark is embedded into the high-frequency part.
For the reversibility of watermark embedding, watermark is mainly used for tamper verification and recovery in low-frequency part.Generated from watermark and transmitted via secure channel, the characteristic digest value can be used for tamper localization that occurred to the watermark.Based on the above theoretical analysis, three kinds of tampers may happen to the watermarked encrypted image during the transmission in the channel, that is, tamper with watermark, tamper with low-frequency part, and tamper with both low-frequency part and watermark.For LL RE, its related operations include traditional encryption and decryption, which are reversible.So it can be correctly recovered unless tamper occurs.
If the low-frequency part is tampered, the decrypted LL RE will vary and the newly generated watermark W new will change.If the watermark is tampered, the extracted watermark W RE will vary.Since these two are the same, it is believed that no tamper occurs and the low-frequency part LL RE is correct.
(2) If PSNR(W RE, W new) ̸ = Inf, the low-frequency part or the watermark is tampered.Tamper localization and tamper recovery are needed.
If the low-frequency part is partly tampered, the decrypted LL RE will vary and the newly generated watermark W new will change.If the watermark is tampered, the extracted watermark W RE will vary.Under these circumstances, accurate tamper localization will greatly contribute to the recovery of image.

Tamper Localization and Recovery.
When a tamper is detected, a comparison between the characteristic digest values generated from the extracted watermark and the one transmitted via a secure channel is needed for tamper localization, tamper content authentication, and tamper recovery.This process runs on each block.The blocks without tamper remain unchanged.

(A) Data Preprocessing
(1) Generate new characteristic digest values W new LSB from the watermark W new.
(2) Generate new characteristic digest values W RE LSB from the extracted watermark W RE.
(B) Tamper Localization and Recovery.Compare W LSB with W RE LSB and W new LSB, respectively, for tamper localization.Since they are all generated directly or indirectly from the low-frequency part LL after block division and W LSB is transmitted to the receiver side after being coded with runlength encoding, they are suitable for tamper localization.
(1) Start from the first block.For the block (, ), take the elements W LSB(, ), W RE LSB(, ), and W new LSB(, ) from W LSB, W RE LSB, and W new LSB, respectively.
(2) Compare W LSB(, ) with W RE LSB(, ) and W new LSB(, ), respectively: (a) If  ̸ = 1 and  = 1, it is believed that the recovered watermark W new(, ) of this block is correct, which means (D) If both the extracted watermark and the low frequency were tampered, some existing pixel prediction techniques [39][40][41] with full use of spatial correlation can be employed to further improve the visual quality of the recovered image I final.
(a) With the help of the tamper localization matrix , the tampered blocks and their neighboring blocks can be easily found out.
(b) For all the pixels in the tampered block, pixel prediction will begin from the tampered pixels with most nontampered neighboring pixels.If two or more neighboring blocks were tampered, theses blocks can be taken as an integrated whole to select the prediction beginning pixel.The predicted pixels can be used as nontampered pixels for next predictions.
(c) Apply corresponding pixels prediction algorithms to further improve the visual quality of image.Without loss of generality, the method in [41] is selected in this paper.After prediction, an improved image will be obtained.

Experimental Results and Performance Analysis
The test image set of this proposed scheme consists of 8 standard test images of size 512 × 512, that is, Couple, Lena, Peppers, Milkdrop, Lake, Baboon, Airfield, and Plane, shown in Figure 5.

Image Quality Analysis
(A) Watermarked Encrypted Image Quality.In the proposed scheme, the watermark is generated from the low-frequency part of cover image with CS and then is embedded into the encrypted high-frequency part.After encryption and permutation, the original image and watermark cannot be seen from the watermarked encrypted image any more.That is to say, the watermark and original image are well masked.Table 1 shows that the PSNR of different encrypted images are all below 25 dB.According to Table 2, the correlation coefficients of eight test images after encryption and data embedding are all close to 0. For the watermarked encrypted images, as shown in Figure 6, one can see nothing related to the original image and cannot distinguish whether a watermark is embedded into this image.
(B) Recovered Image Quality.In this proposed scheme, the encryption key and embedding key are employed during the process of image encryption and watermark embedding.Moreover, the high-frequency part is encrypted with CS while the low-frequency part is encrypted with traditional encryption algorithms.When the encrypted image is not tampered, the distortion of the recovered image only results from the reconstruction of high-frequency part with CS.Since other operations are all reversible and the watermark extraction is also reversible, the quality of the recovered image with correct keys and without tamper is reasonably high.

Image Authentication Performance Analysis.
The watermark is generated from the low-frequency part with CS in order to perform accuracy tamper detection with the sensibility of CS and CS measurements.Firstly, data preprocessing is done:     In this experiment, tamper simulation is to replace the elements of some rows with 1. Figures 7-10 show the tamper localization and recovery effects when the low-frequency part or watermark is tampered.Without loss of generality, image Couple is taken as an example.Figure 7 shows the original image and watermarked encrypted image.
Figure 8 shows the tamper localization matrix, recovered image, and tamper recovered image when the low-frequency part is tampered.As can be seen, when a low-frequency part block of the watermarked encrypted image is tampered, the corresponding element of tamper localization matrix  will be changed into 2.The directly decrypted image, shown in (b), is damaged.However, since the watermark is not tampered, the recovered low-frequency part LL new is correct and the quality of decrypted image I new is   Figure 9 shows the tamper localization matrix, recovered image, and tamper recovered image when the watermark is tampered.As can be seen, when the watermark of a block in watermarked encrypted image is tampered, the corresponding element of tamper localization matrix  will be changed into 1.Since the low-frequency part of this block is not tampered, there is no modification to be done and it can be directly decrypted to get a good quality image I RE, shown in (b).But since the watermark is tampered, the recovered low-frequency part LL new is incorrect and the quality of the decrypted image I new is damaged, shown in (c).In other words, the proposed tamper recovery algorithm can identify that the watermark is tampered and then conduct  Figure 10 shows the tamper localization matrix, recovered image, and tamper recovered image when both the lowfrequency part and the watermark are tampered.As can be seen, when both the low-frequency part and the watermark of a block in watermarked encrypted image are tampered, the corresponding element of tamper localization matrix  will be changed into 3.For the low-frequency part of this block is tampered, the directly decrypted image, shown in (b), is damaged.Since the watermark is tampered, the recovered low-frequency part LL new is incorrect and the quality of decrypted image I new is damaged, shown in (c).In other words, the proposed tamper recovery algorithm can identify that both the low-frequency part and the watermark of this block are tampered, then replaces LL RE with the median of LL RE and LL new, and finally decrypts the image to get a relatively high quality image I final, shown in (d).With pixel prediction techniques, the visual quality of I final can be further improved.As shown in (e), though tampered traces still can be seen by the naked eye the heavily tampered blocks have been well improved.
In general, the proposed scheme has better tamper verification and recovery effects on this kind of local tampers.
The smaller the block size is, the more accurate the tamper localization is.

Image Security Analysis.
In the proposed scheme, image encryption and watermark embedding are alternate, and encryption key and embedding key are mutually bounded, which make the scheme secure.Moreover, the scheme can resist cropping attacks to a certain extent.Take Lena as an example to get the recovered images from the watermarked encrypted images with different cropping strengths.As can be seen in Table 3, when the watermarked encrypted image is cropped within a certain range, the directly recovered image and the image recovered from watermark will be affected in different degrees.However, for the image recovered with the proposed tamper recovery scheme, its PSNR will be the better one of the former two recovered images.

Conclusions
In this paper, we propose a novel tamper verification and recovery scheme for encrypted images with CS.After DWT, the original image can be divided into important part, that is, low-frequency part, and unimportant part, that is, highfrequency part.The watermark and characteristic digest value

Figure 1 :
Figure 1: The framework of compressive sensing.

Figure 2 :
Figure 2: The general framework of the proposed scheme.
4.1.1.Image Encryption and Watermark Generation.Suppose that the original image is a gray scale image I.

Figure 3 :
Figure 3: The framework of encryption and watermark embedding.

(A) Data Preprocessing ( 1 )
Firstly, generate a new watermark matrix W new from the decrypted LL RE. (2) Secondly, recover a new image of low-frequency part LL new from the extracted watermark W RE. (B) Comparison between  and W new (1) If PSNR(W RE, W new) = Inf, W RE is exactly the same as W new, which means that LL RE and W RE are correctly recovered.Therefore, I RE is the very image that has been correctly recovered.No tamper occurs.

( 1 )
Conduct inverse DWT of the decrypted LL RE and the decrypted high-frequency part to get the recovered image I RE.(2) According to the extracted watermark W RE, recover the low-frequency part LL new.Conduct inverse DWT of LL new and the decrypted high-frequency part to get recovered image I new.(3) According to the tamper detection and recovery method, recover the low-frequency part LL RE.

Figure 7 :
Figure 7: The original image I (a) and the watermarked encrypted image E (b).

Figure 8 :
Figure 8: The effect of tamper detection and recovery when low frequency is tampered.

Figure 9 :
Figure 9: The effect of tamper detection and recovery when watermark is tampered.
I RE (c) I new (d) I final (e) I improved

Figure 10 :
Figure 10: The effect of tamper detection and recovery when watermark and low frequency are tampered.
these 16-bit planes, respectively, and then reassemble the scrambled bit panes to get the decrypted integer part of the low frequency LL int RE.(3) Combine LL int RE with ELL sig RE and ELL de RE to form the decrypted image of the low frequency LL RE.

Table 1 :
The PSNRs of watermarked encrypted images.

Table 2 :
Correlation coefficients of the watermarked encrypted images.) is correct while the newly generated watermark W new LSB(, ) is incorrect, which means that the low-frequency part is tampered; (, ) = 2. Then replace LL RE(, ) with LL new(, ) which is recovered from W RE(, ). it is believed that both the extracted watermark and the low-frequency part of this block are tampered; (, ) = 3.Then replace LL RE(, ) with LL mid(, ) which is the median of LL RE(, ) and LL new(, ).

Table 3 :
PSNR and NC of the recovered images through the different proportion of cropping attacks.generated from the low-frequency part with block CS.The characteristic digest value will be encoded and then transmitted via secure channel together with private keys.The watermark is designed mainly for tamper recovery and is embedded into the high-frequency part processed with CS.The receiver can employ the extracted watermark and characteristic digest value to perform accurate tamper detection, localization, and recovery.Theoretical analysis and experimental simulations show that in an unreliable environment the proposed scheme is robust and secure against moderate attacks, such as cropping attacks.Moreover, the tampered blocks can be accurately and effectively found out with tamper localization matrix and the tampered image can be well recovered.Comparing with the existing image authentication algorithms, the proposed scheme can simultaneously implement tamper verification, tamper content identification, tamper localization, and tamper recovery.With great robustness and security, the scheme can adequately meet the need of secure image transmission under unreliable conditions. are