Blockchain-Based Reversible Data Hiding for Securing Medical Images

Medical images carry a lot of important information for making a medical diagnosis. Since the medical images need to be communicated frequently to allow timely and accurate diagnosis, it has become a target for malicious attacks. Hence, medical images are protected through encryption algorithms. Recently, reversible data hiding on the encrypted images (RDHEI) schemes are employed to embed private information into the medical images. This allows effective and secure communication, wherein the privately embedded information (e.g., medical records and personal information) is very useful to the medical diagnosis. However, existing RDHEI schemes still suffer from low embedding capacity, which limits their applicability. Besides, such solution still lacks a good mechanism to ensure its integrity and traceability. To resolve these issues, a novel approach based on image block-wise encryption and histogram shifting is proposed to provide more embedding capacity in the encrypted images. The embedding rate is over 0.8 bpp for typical medical images. On top of that, a blockchain-based system for RDHEI is proposed to resolve the traceability. The private information is stored on the blockchain together with the hash value of the original medical image. This allows traceability of all the medical images communicated over the proposed blockchain network.


Introduction
e medical industry has been moving toward the digitized era, wherein a large amount of medical information is stored in a digital form and communicated digitally [1]. is helps in streamlining the acquisition, processing, and management of medical information and, at the same time, improving the efficiency in the medical industry. From all medical information, medical health record (MHR) is the most vital part, as it keeps all the important and private information regarding the patients and their diagnosis. MHR usually includes the patients' information like personal data, medical history, medical images, diagnosis reports, etc. Due to the booming of telemedicine technology, the exchange of medical images is becoming an important trend in the medical industry [2]. Medical image is one of the critical pieces of information in MHR that reveals a lot of sensitive information, which needs to be protected against malicious intrusion.
Traditional cryptographic algorithms can be used in protecting MHR (including medical images) effectively. For instance, Alam et al. [3] had proposed a framework for provisioning healthcare data, wherein Elliptic Curve Cryptography (ECC) and Advanced Encryption Standard (AES) are being used to encrypt the medical data. Recently, there is an increasing trend in employing reversible data hiding (RDH) techniques to embed sensitive information into medical images. RHD schemes have found some applications to the medical images, which are reported by Yang et al. [4,5].
is shows that RDH is a promising candidate in securing medical images with the additional ability to embed sensitive information, which is not found in traditional cryptographic algorithms.
RDH is a technique that allows perfect recovery of the original plain image and the embedded data. e embedded data is usually some important or sensitive data to be hidden within the plain image. For instance, in the context of medical images, this can be the patient's personal data, diagnosis report, and summary of past medical records related to the medical images.
e study [6] presented a flexible RDH scheme based on quad-tree and pixel value ordering (PVO) to exploit the similarity between neighboring pixels to hide more data. e paper [7] proposed a method that does not take the difference of the neighboring pixels in an image. Instead, they rearrange the columns/rows of the image in a way that improves the smooth regions, resulting in an increase in embedding capacity.
Recently, more attention turned toward RDH on the encrypted images (RDHEI). is is to ensure that the security and privacy of the transmitted image are being protected. Although these proposed RDHEI schemes are advanced and able to securely communicate the images and hidden data, they are still vulnerable to certain malicious activities. In particular, one can still modify the pixel values in an encrypted medical image for a malicious purpose, which should be detected. In other words, the integrity of RDHEI schemes needs to be checked, and this is still an open research problem to date. Moreover, the records of medical data communication are not properly protected, which makes the tracing and tracking of such communication a challenging issue to be resolved.
Blockchain is an emerging technology that aims to replace or compensate for the traditional centralized systems. It can be regarded as a Distributed Ledger Technology (DLT), wherein the transaction and storage of data are performed in a distributed manner. In such a way, even though there is no trust among all communicating parties, they can still trust the blockchain network. One of the key features of the blockchain is that all the data stored in the chain are connected through a cryptographic hash, which is very costly (or almost impossible) to tamper with.
Blockchain was recently applied to the healthcare system to improve security. For instance, [8] proposed Guardhealth, a decentralized blockchain system for privacy preserving and data sharing in medical industry. In this paper, our aim is to apply blockchain to improve integrity and traceability of the RDHEI scheme for protecting medical images.
An RDHEI scheme that vacates room after encryption of the cover image is proposed. e cover image is first divided into small blocks and then permuted by a permutation key. en, each block is stream ciphered by an encryption key. e data hider vacates the embedding room and hides secret data using the histogram shifting technique. Our scheme can achieve a high embedding capacity compared to the state-ofthe-art scheme by Zhang et al. [9]. A blockchain-based system is proposed to provide additional features to the proposed RDHEI scheme, which can be very useful in securing medical images. e contribution of this paper is summarized as follows: (1) is paper proposed an RDHEI scheme to embed private information into the medical images. e proposed scheme employed stream cipher to vacate more space for data embedding capacity compared to the state-of-the-art scheme proposed by Zhang et al. [9]. (2) A novel blockchain-based RDHEI system was proposed, wherein the hash value is generated from the output of RDHEI and stored on the blockchain. is ensures that any attempt to tamper with the medical images can be detected easily.
e proposed system allows the user to exchange the ciphered steganography medical image (CSMI) securely with other members within the blockchain network. is is an important contribution to the medical industry as important medical information can be communicated frequently without worrying about security issues.

Overview of Blockchain Technology.
Blockchain is a distributed ledger system that is developed to work in an environment wherein the participating parties do not trust each other. In contrast to the traditional server-centric model, blockchain requires each participating node to store a copy of the ledger which records all the transactional details. Since the ledger is kept locally by all participating nodes, they can perform an audit on the transactions locally. With this feature, even though there is no trust among the participating nodes, one can still trust the consensus achieved through blockchain.
Another unique feature offered by blockchain is the introduction of a cryptographic hash to link up all the transaction records. Referring to Figure 1, all valid transactions are grouped into a block within a fixed time interval. A new hash value is generated based on these transaction details together with the hash of the previous block. Followed by this is the consensus process (e.g., Proof of Work (PoW)) to approve the transaction. During the consensus process, only the node that successfully solved the given difficult puzzle can add this block into the existing blockchain. e generation of hash in each transaction block is linked with the hash of the previous block. To modify one of the transaction records in the blockchain, one must generate a lot of valid blocks through the consensus process and overwrite the subsequent blocks. Since the PoW is a timeconsuming process, it is very difficult to generate a lot of new blocks in a short time; this makes blockchain an immutable solution to many applications. e consensus process through the PoW process in the blockchain is time consuming, which makes the transaction slow (e.g., 10 minutes for Bitcoin). Another alternative is to employ consortium blockchain, wherein a list of trusted members is predefined. In such case, a lightweight consensus process like Practical Byzantine Fault Tolerance (PBZT) [10] can be used. is allows timelier communication between the nodes within the same consortium blockchain, without sacrificing the key security features (i.e., auditability, traceability, and integrity) in the blockchain.

Overview of RDHEI.
Many image steganography techniques have been proposed in the past in order to hide secret data in a way that the stego image appears with no difference from the cover image. To achieve this goal, only a slight modification of the pixel value is allowed, which severely limits the hiding capacity of a cover image. If we further constrain that the cover image should be perfectly recoverable [11] after the extraction of secret data, the embedding capacity is reduced to a very low level. Many reversible data hiding methods have been proposed to solve this challenging problem, which can be classified into three categories including lossless compression, histogram shifting, and pixel value differencing. e lossless compression [12,13] exploits redundancy of the cover image to embed data, in which the smooth images can hide more data than the complex images. Histogram shifting [14,15] was proposed later on, wherein the data is embedded by shifting one side of a peak value in the histogram outward, leveraging the expanded extra space. Pixel value differencing is a more advanced technique [16,17] that computes the differences of the pixel value in an image block and hides data by expanding the difference, in a way similar to the histogram shifting method. All these methods can embed secret data and recover the cover image after data extraction. e emergence of cloud services provides another possible framework, in which the data hiding operation is performed by a third party. RDHEI scheme can be used under this framework, wherein the content owner encrypts the cover image and sends it to the data hider to embed the secret data and forward it to the receiver. At the receiver end, the secret data can be extracted using the embedding key and the cover image can be reconstructed using the encryption key. In case the receiver is not authorized to acquire the secret data, he can still obtain the slightly distorted cover image using the encryption key only.
RDHEI schemes proposed in the past can be classified into two categories: vacating room after encryption (VRAE) and vacating room before encryption (VRBE). VRAE technique vacates room for embedding after the encryption. In 2008, Puech et al. [18] proposed an RDHEI scheme that applies bit substitution to embed secret data into an encrypted image. Later on, Zhang [19] proposed a separable RDH scheme, in which the receiver can extract secret data by using an encryption key and recover the cover image using a data hiding key. When the receiver has both keys, he can obtain both secret data and recover the image. VRBE is first proposed by Ma et al. [20] in 2013. By vacating embedding room before encryption, they claim that their scheme can achieve real reversibility; i.e., the data extraction and image recovery are free of any error. In 2016, Cao et al. [21] proposed a VRBE scheme based on sparse coding, in which the leading residual errors and learned dictionaries, together with the secret data, are embedded into the encrypted image. Malik et al. proposed an RDHEI scheme [22] that creates spare space using the prediction-error estimation method. e data is embedded into the most significant bits of the encrypted image. However, an additional location map is required to mark the nonembeddable pixels. RDHEI schemes can also be used to embed sensitive information into medical images. For instance, [4] had proposed a scheme to embed information into medical images through RDH and homomorphic encryption. Later on, [5] improved the scheme by proposing a novel paradigm (encrypt-then-RDH) to enhance the security of RDH over medical images.
Recently, Zhang et al. [9] proposed an interesting work along this research direction, in which they claim to achieve high embedding capacity. Referring to Figure 2, Zhang et al. [9] use additive homomorphic encryption and block permutation to encrypt the cover. e encryption and decryption formulas for homomorphic encryption are given by equations (1) and (2), respectively.
Transactional details

Hash of current block
Transactional details

Hash of current block
Block n -1 Block n Figure 1: Blockchain data structure.
Journal of Healthcare Engineering 3 where N � 256, K is Key-1, and E(·) and D(·) are encryption and decryption algorithms, respectively. For each subblock, all pixels are encrypted using the same key to preserve the correlation between them. A block permutation method based on the chaotic algorithm is applied to strengthen security. An additional key sequence Key-2 is required to execute this operation. In the data embedding phase, the pixels in a subblock are classified into three sets according to their locations. For each set of pixels, a particular prediction rule is applied to measure prediction errors. en, the histogram expansion and shifting process is used to embed secret data into the prediction errors. By controlling the embedding interval created by histogram expansion, the embedding capacity is adjustable. An embedding key Key-3 is required to store the information about embedding intervals.
is data hiding scheme suffers from some problems. First, homomorphic and block permutation encryptions of the cover image are not secure enough. e overall effect of image encryption is shifting of pixel gray level and changing of block spatial location. Secondly, the embedding key is not completely random, because it stores the parameters for data hiding, which is actually metadata for secret message extraction. e public key system could not help to share the encryption key under this scheme. e third and the most critical one is the problem of overflow. To hide the more secret data, the wider embedding interval should be expanded, and larger prediction errors exist. e encrypted pixel values may overflow the formal range of 0 to 255. To deal with the problems above, we propose a novel data hiding scheme in the following section.

The Proposed Reversible Data Hiding Scheme for Medical Images
In this section, we propose an RDHEI scheme based on stream ciphering and histogram shifting techniques. Our scheme includes three phases, namely, (1) the image encryption, (2) the data hiding, and (3) the data extraction and image decryption as shown in Figure 3. ree secret keys are involved in the proposed RDHEI scheme. Key-I and Key-II are the image encryption keys and Key-III is the data hiding key. e length of each key could be 64, 128, or 256 bits depending on the required security level. In the image encryption phase, the gray level cover image occupied by the content owner is firstly divided into mutually exclusive blocks of size 3 × 3. Block permutation with encryption key Key-I is applied to crumble the spatial relationship between image blocks. en, stream ciphering with encryption key Key-II is leveraged to encrypt the image. In the data hiding phase, the data hider embeds secret data and metadata using the histogram shifting technique with Key-III. At the receiver end, the metadata is extracted first. With histogram rough restoration, the approximate cover image can be recovered using encryption keys Key-I and Key-II. With histogram fine restoration, the cover image can be perfectly recovered. For an authenticated receiver, a secret message can be deciphered from secret data using Key-III.

Cover Image Encryption
Phase. e cover image encryption phase includes two steps: block permutation and stream ciphering. e cover image is divided into mutually exclusive blocks of size 3 × 3 first. en, Key-I is applied to generate a random sequence of length equal to the number of total blocks in the image and all blocks are reordered according to the random sequence. An illustrative tiny image of 2 × 2 blocks is shown in Figure 4, where (a) is the original tiny image and (b) is the permuted image according to the random sequence 2; 3; 1; 0. After block permutation, we apply Key-II to generate a secret stream. en, each image block is encrypted by where K is an 8-bit stream code truncated from the secret stream, P and C represent the input block and the cipher block, respectively, and the encryption function E(•) is an Exclusive-OR operation denoted by "⊕." All blocks are sequentially encrypted with a distinct 8-bit code segment for each. Pixels within the same block are encrypted with the same code segment; therefore, their correlation is preserved.
is is an important feature for the following data embedding phase.
An illustrative example of the cover image encryption is shown in Figure 5. To simplify the representation, we use two blocks only to demonstrate the encryption operation. e two image blocks in (a) are permuted using the sequence generated by Key-I to obtain (b). en, the two blocks are stream ciphered by two code segments generated by Key-II, individually. We take the first pixel of each block as an example. e binary codes of the first code segment and first-pixel value are 62 � (00111110) 2 and 104 � (01101000) 2 , respectively. By Exclusive-OR operation, it results in (01010110) 2 � 86. e code segment and first-pixel value of the second block are 193 � (11000001) 2 and 106 � (01101010) 2 , respectively. It results in (10101011) 2 � 171. Other pixels are calculated in the same way to get the result (c).

Data Embedding Phase.
e data embedding process for the data hider is as shown in Figure 3. e preprocessing for each block in the encrypted image is an internal Exclusive-OR operation given by where c c is the center pixel value of a block, c i is a pixel value around the center pixel as shown in Figure 6(a), and g i is its corresponding output pixel value as shown in Figure 6(b). By simple derivation as given by equation (5), we can find that g i is equal to p c ⊕p i . For a smooth block, all pixel values are close to each other. erefore, there are a lot of zeros in the output image.

(5)
After preprocessing, we apply the histogram shifting technique to embed secret data. According to the required embedding capacity, a threshold of gray level g th is determined and the histogram is expanded by A vacating band of width g th after the gray level 128 is created. en, the first g th gray levels are shifted to even values without disrupting their order and the gray levels are shifted outward between g th and 128. e threshold value g th , recorded with six bits, and the information in the vacating band are encoded and stored as metadata.   Journal of Healthcare Engineering e binary secret stream is encrypted using Key-III with the conventional stream ciphering technique into an encrypted bitstream S � b 1 , b 2 , b 3 , . . . , b N . For all embeddable pixels with g i ′ < 2 × g th , we collect them in ascending order of gray level and in a raster scan order for pixels of the same gray level. en, we consecutively embed secret bit by After embedding, postprocessing with the same operation as preprocessing is executed again to reverse the effect. For each block, where the definitions of g c and g i can refer to Figure 5. To achieve reversibility of the proposed scheme, the histogram band in the range 128 ≤ g i < 128 + g th erased by the vacating process of histogram shifting should be recorded. Since only a very small amount of data is required to record, we design a simple and straightforward coding rule. Six bits are used to record g th ; twelve bits are used to record the total number of coded pixels; 3 bytes for each pixel are used to record its gray level g i and coordinates (x, y) in the image. e image encryption and data embedding process is summarized as follows.
Input: cover image, binary secret stream, encryption key: Key-I, Key-II, data hiding key: Key-III Output: encrypted image with data embedded Content owner: Step 1: encrypt the image by block permutation with Key-I and stream ciphering with Key-II Data hider: Step 2: preprocess the encrypted image according to equation (4) Step 3: apply histogram shifting to vacate embedding area by equation (6) Step 4: encode the erased histogram band into metadata Step 5: collect the embeddable pixels in ascending order of gray level and raster scan order Step 6: apply stream ciphering to the secret binary stream with Key-III into an encrypted data stream Step 7: embed metadata first and then encrypted data stream by equation (7) Step 8: postprocess the embedded image by equation (8) to produce the output image e tiny image example given in Figure 5(c) is applied to illustrate the data embedding process as shown in Figure 7. e two encrypted image blocks are shown in Figure 7(a). e preprocessed blocks are shown in Figure 6(b), where we apply the threshold gray level g th � 4 and the embeddable  Figure 5: An illustrative example of block permutation and stream ciphering. pixels are denoted by red characters. e embedding order of all embeddable pixels is labeled with green Arabic numerals. Except for the center pixel of each block, all pixel values are expanded according to equation (6). en, the encrypted secret stream is embedded in the predefined order by equation (7) to obtain Figure 7(c). Finally, the two blocks are postprocessed to get Figure 7(d). An example of pixel processing is also given in the figure.

Data Extraction and Image Recovery
Phase. e data extraction and cover image recovery are executed in the reverse order of encryption and embedding. e overall process is summarized as follows ( Figure 8). e data extraction and image recovery process.
Input: encrypted image with data embedded, encryption key: Key-I, Key-II, data hiding key: Key-III. Output: binary secret stream, cover image. Receiver: Step 1: preprocess each block of the input image by where the notation definitions of g c and g i ′ are the same as equation (9).
Step 2: collect the first six pixels belonging to 0, 1 { } in the raster scan order and convert them to get g th .
Step 3: according to g th , collect all embeddable pixels in the ascending order of g i /2 and raster scan order for the pixels of the same value, where ⌊ · ⌋ is the floor function.
Step 4: consecutively extract the metadata and encrypted secret stream by even-odd decision.
Step 5: decipher the binary secret stream using Key-III.
Step 6: backward shift the pixel values and recover the vacating band according to the metadata. e backward shifting is given by g i − g th , g i ≥ 2 × g th and g i < 128 + g th , where ⌊ · ⌋ is the floor function.
Step 7: postprocess each block by where the notation definitions of c c and g i are the same as equation (4).
Step 8: decipher the histogram recovered image using Key-II.
Step 9: apply backward permutation to obtain a cover image using Key-I.
e data embedded tiny illustrative image in Figure 7(d) is applied as an input of the data extraction and image recovery process as shown in Figure 7(a). e two blocks are preprocessed to get Figure 7(b). en, according to g th � 4, the secret data stream can be extracted, and the histogram can be recovered as shown in Figure 7(c). Next, we postprocess the two blocks to get Figure 7(d). Finally, we use the encryption key to decipher the image blocks. Note that we do not show the extraction of metadata and recovery of vacated histogram band as in an actual application.

Blockchain-Based Reversible Data
Hiding System e proposed blockchain system is presented in this section, with the aim of providing integrity and traceability in existing RDHEI. A consortium blockchain system is used in this paper, in which the participants in the blockchain network are trusted parties. For instance, the hospitals and health research institute (HRI) can form a consortium blockchain to share the medical images among themselves. In this way, an expensive consensus algorithm (e.g., PoW) is not required; it can be replaced with a lightweight algorithm like PBZT. Moreover, consortium blockchain is also a more appropriate choice as we do not expect any unauthorized person to join the blockchain network and gain access to the medical information, which is supposed to be private.

Architecture of the Proposed Blockchain-Based Reversible Data
Hiding System. Figure 9 shows the architecture of the proposed blockchain system, which can be used to exchange medical images safely. Doctor A first encrypts the medical records of a patient and then generates the CSMI using the proposed RDHEI scheme, wherein the encrypted medical records are embedded into the patient's medical image. e encrypted medical records and CSMI are stored in the database of his hospital (Hospital X). A transaction block is generated and added to the blockchain.
With the proposed blockchain system, anyone who wants to share medical information can verify the integrity of transmitted data at the receiver end. For instance, Doctor A shares the CSMI with Doctor B and Medicate Institute Y. Upon receiving the CSMI, Doctor B first computes the hash value of received data and compares it against the blockchain to verify its integrity. He then extracts the hidden medical records with a legitimate key and then decrypts the medical records with another legitimate key. A similar process is performed by Medical Institute Y. e details on how to generate a new block and verify the integrity of CSMI are presented in the next section. Figure 10, the medical records of a patient are first encrypted by a symmetric key algorithm through the following equation:

Process of Generating New Blocks and Verifying the Integrity of CSMI. Referring to
where MR refers to the medical records, K 1 is the symmetric key, and C MR is the resultant ciphertext. Next, we generate another key K 2 � Key-I || Key-II || Key-III, where Key-I, Key-II, and Key-III are the keys used in the proposed RDHEI scheme. We embed the encrypted medical records (C MR ) into the medical image and generate a CSMI through the proposed RDHEI scheme. In Step 3, the generated CSMI and the hash value of the previous block in blockchain (H prev ) are concatenated. e hash value of the current block is generated through the following equation: where Hash can be any standardized cryptographic hash function (e.g., SHA-2 and SHA-3) and H curr is the hash value of the current block. e newly generated block is transmitted to the blockchain network for the consensus process, wherein a lightweight algorithm can be used. Once the peers   If both values are the same, then CSMI′ is untampered; otherwise, CSMI′ or C MR has been modified. e proposed blockchain system can be implemented with any popular blockchain framework, e.g., Hyperledger Fabric and Ethereum.
Step 1 can employ an industry-grade block cipher (e.g., AES) to perform the encryption, while Step 2 can be carried out by using the techniques described in Section 3. Subsequently, Steps 3-6 are common operations found in a standard blockchain framework, which can be implemented easily.

Security Analysis.
In this section, a security analysis on the proposed blockchain system is provided, with consideration of various attacking scenarios.
(1) Attackers cannot retrieve the steganography of medical images. In the proposed system, the CSMI is stored in the database of the hospital. Assuming that  Step 1: encrypt the medical records with K 1.
Step 5: new block is created.
Step 6: new block is added to the original blockchain.
Step 2: with the proposed RDHEI, embed the encrypted medical records and generate CSMI for the medical image using K 2.
Step 3: combine the CSMI and the hash value of previous block (H prev ) .
Generate the hash value of current block (H curr ) .. Journal of Healthcare Engineering the malicious attacker has access to the CSMI, he cannot recover the steganography of medical images (SMI). is is because he does not hold K2 to successfully recover the SMI. On top of that, he can never extract the patient's medical records embedded into CSMI (2) e proposed system can protect the confidentiality of medical records. e patient's medical records are being encrypted by a symmetric key algorithm with key K 1 , before embedding it into the medical image. Assume that the malicious attacker has access to the CSMI, and he had successfully extracted the SMI. In such a situation, he cannot successfully extract the medical records, because he does not have the K 1 to decrypt them. Hence, the confidentiality of the patient's medical records is protected (3) e proposed system can achieve integrity. It is also possible that the malicious attacker is interested in creating fake CSMI instead of extracting information from it. For instance, one can generate fake keys K 1 ′ to encrypt the legitimate medical records (C MR ′ ) and then embed them to the other medical image to produce a fake CSMI′. is fake CSMI′ is being stored in the database as a new entry. However, the hospital can detect this fake CSMI′ easily by comparing it against the hash value stored in our blockchain system. Since CSMI′ is calculated from fake keys K 1 ′ and K 2 ′ , the hash value generated (H curr ′ ) is not the same as the one stored in the blockchain (H curr ). In order to create fake CSMI′ that everyone trusts, the attacker needs to modify the blockchain accordingly. However, referring to equation (13), the hash value in each new block depends on the previous block. To modify one record in blockchain, the attacker must also recalculate all the subsequent blocks, which is almost impossible. Hence, the proposed system is secure against malicious attacks that attempt to compromise its integrity (4) e image encryption scheme is robust under chosen-plaintext analysis. e permutation process with Key-I has corrupted the block correspondence between the cover image and the encrypted image. Without the mapping information between the image blocks before and after encryption, chosen plaintext analysis is useless. Even if the block mapping is known, it is still too complicated for analysis since image blocks are encrypted with distinct keys generated by Key-II

Experimental Results and Discussion
In this section, we present the experimental results of the proposed RHDEI and its application to medical images. e hardware resources are Intel ® Core ™ i7-3770 CPU @ 3.40 GHz and 8 GB RAM PC. e application software is MATLAB R2017a running with Windows 10 Professional operating system. Six standard test images (see Figure 11) including "Airplane," "Baboon," "Boat," "Lena," "Peppers," and "Sailboat" are applied to demonstrate the effectiveness of our scheme. e encrypted images are shown in Figure 12. e preprocessed images and postprocessed images with data embedded are given in Figures 13 and 14, respectively. e histograms of the test images and their corresponding encrypted images are given in Figures 15 and 16. Referring to Figure 16, the histogram of encrypted images is evenly distributed in the entire range of gray levels regardless of the different image features. is indicates a high-security level of the proposed image encryption scheme. e histogram after the preprocess of the embedding phase is given in Figure 17. For smooth images, the histogram is more concentrated while it is more distributed for complex images such as "Baboon." Note that the histogram band of [128,192] gray levels is very "clear" by observation. To know the details, we further restrict the display range of the vertical axis to [0, 200] pixels as shown in Figure 18.
ere are some pixels distributed in the band. To achieve the complete reversibility of the embedding scheme, the metadata includes three data segments. e first segment records the threshold g th with six bits. e second segment records the number of pixels in the vacating band with twelve bits. e last segment contains all details of each pixel in the vacating band by one byte for its gray level and two bytes for its coordinates in the image. erefore, the total length of metadata is 6 + 12 + (3 × 8 × N p ), where N p is the number of pixels in the vacating band. After histogram shifting and data embedding, the histogram in Figure 17 changes to the distribution shown in Figure 19, where the applied threshold of vacating band is g th � 64. Figure 20 shows the resulting histogram of the marked encrypted image after postprocessing. e histogram is still evenly distributed and preserves at a high-security level.
Since the total number of pixels in the vacating band is very small, we can recover the histogram in a more efficient way by retrieving the first two segments of metadata to get g th and determine the remaining length of metadata to be discarded. us, the recovery of the vacating band can be skipped, and the process is proceeded directly to extract the secret data stream. To know the visual quality of the approximated image, we apply the peak-signal-to-noise ratio (PSNR) index given by PSNR � 10 log 10 where MSE is the mean square error between the cover image I i,j and the approximated image I i,j ′ and W and H are the width and height of the image. e second measure of similarity between them is the structural similarity (SSIM) defined by SSIM I, I ′ � where μ I , μ I′ , σ I , and σ I′ are the mean values and standard deviations and σ II′ is the covariance of the two images. e experimental results of the proposed RDHEI scheme with different thresholds are listed in Table 1. e "capacity" and "metadata" are measured in bits. e actual embedding capacity of secret data can be calculated by subtracting the amount of metadata from the "capacity" value. e "ER" is the embedding rate measured in bits per pixel (bpp). e PSNR and SSIM values listed in the table indicate that the approximated images under fast recovery have good visual quality. Figure 21 shows the PSNR values with respect to the embedding rate (ER). e threshold value determines the width of the vacating band and therefore degrades the visual quality. However, the ER also increases with the increased threshold. Another important point of observation is that the PSNR value is dependent on the image feature. e most complex image "Baboon" has the lowest PSNR level among all. e second set of test images are two medical images downloaded from the website of MIDAS/National Alliance for Medical Image Computing (NAMIC) as shown in Figure 22. e image size 256 × 256 is relatively smaller than the standard test images in the first experiment. e encrypted images, preprocessed images, and postprocessed images are given in Figures 23-25, respectively. Histograms of the cover images are shown in Figure 26. Notice that the pixel values are concentrated to very low gray levels due to the inherent nature of MRI images. is phenomenon is especially beneficial to our data hiding scheme. e histogram distributions for different processing phases are given in Figures 27-31. e experimental values are listed in Table 2. e major difference from the first experiment is that the embedding rate reaches 0.6 bpp at the lowest threshold of g th � 4, which is much higher than the capacity      of standard test images. At the highest threshold of g th � 64, the medical images can reach an embedding rate of 0.8 bpp. Figure 32 compares the proposed scheme with other related works, including VRAE-based schemes (Zhang et al.'s scheme [9,12]) and VRBE-based schemes (Cao et al.'s scheme [21] and Malik et al.'s scheme [22]), for two typical test images "Lena" and "Baboon." Note that all these schemes are completely reversible.
e PSNR values are compared under the situation of discarding some information in image deciphering. e proposed scheme reaches a good embedding rate with a good visual quality of the approximation image. e scheme proposed in [17] is VRBE-based; therefore, it provides only one fixed embedding rate.
Compared to a recently proposed RDH technique by Anushiadevi et al. [23], the proposed technique offers a   flexible threshold (g th ) to allow performance tuning. e user can flexibly select a higher embedding capacity or higher PSNR by adjusting g th ; this is not found in [23]. Another recent work that offered homomorphic encryption on RDH was proposed by Anushiadevi et al. [24]. Our proposed technique shows performance on par with them in terms of ER, PSNR, and flexible threshold configuration.

Conclusion
Medical images are important assets to the medical industry, and they should be protected to avoid potential infringement of privacy. To achieve this goal, we propose an RDHEI scheme, in which the cover image is encrypted by block permutation using encryption Key-I and stream ciphering using encryption Key-II. en, the encrypted patient data is embedded into the encrypted image through Key-III to produce a secure CSMI. Experimental results show that the performance of the proposed RDHEI scheme is excellent when applied to medical images. e embedding rate is over 0.8 bpp for typical medical images. An image of high visual quality can be recovered even if the receiver only holds the image encryption keys. Since most processes of the proposed RDHEI scheme are based on the simple Exclusive-OR operation, our scheme can be executed very efficiently. To provide an integrity check, we propose a blockchain system on top of the RDHEI. e hash value of CSMI is stored in a commonly used blockchain system for future verification. e proposed RDHEI blockchain system allows the user to check the integrity of CSMI from time to time, which shows additional benefit compared to the conventional RDHEI schemes.
Data Availability e data used in the experiments and discussions in the paper are available within this article.

Conflicts of Interest
e authors declare that they have no conflicts of interest.