Medical Image Encryption and Compression Scheme Using Compressive Sensing and Pixel Swapping Based Permutation Approach

This paper presents a solution to satisfy the increasing requirements for secure medical image transmission and storage over public networks. The proposed scheme can simultaneously encrypt and compress the medical image using compressive sensing (CS) and a pixel swapping based permutation approach. In the CS phase, the plain image is compressed and encrypted by a chaos-based Bernoulli measurement matrix, which is generated under the control of the introduced Chebyshev map. The quantized measurements are then encrypted by a permutation-diffusion type chaotic cipher for the second level of protection. Simulations and extensive security analyses have been performed. The results demonstrate that at a large scale of compression ratio the proposed cryptosystem can provide satisfactory security level and reconstruction quality.


Introduction
Benefiting from the rapid developments of network technologies and the prominent advantages of digital medical images in health protection [1], the increasing distribution of medical images over networks has become an essential part of everyday life in medical systems. As medical images are the confidential data of patients, how to ensure their secure storage and transmission over public networks has therefore become a critical issue of practical medical applications. Mandates for ensuring health data security have been issued by the federal government, such as the Health Insurance Portability and Accountability Act (HIPAA), enacted by the United States Congress and signed by President Bill Clinton in 1996 [2,3]. Moreover, several major medical imaging communities such as the American College of Radiology (ACR) have issued guidelines and mandates for ensuring medical image security, for example, the Picture Archiving and Communication Systems (PACS) [4]. However, transmission of medical images in PACS is generally within a hospital intranet whose security measures or instruments are often lacking [3]. Besides the intranet environment, medical image transmission over wireless networks is also in increasing demand. Medical image security in both intranet and internet faces severe threats [5].
Encryption is the most convenient strategy to guarantee the security of medical images over public networks. However, recent achievements have demonstrated that block ciphers such as Data Encryption Standard (DES), Advanced Encryption Standard (AES), and International Data Encryption Algorithm (IDEA), which were originally designed for encrypting textual data, are poorly suited for digital images characterized by some intrinsic features such as high pixel correlation and redundancy [6][7][8]. Since the 1990s, chaotic systems have drawn much attention as their fundamental features such as ergodicity, unpredictability, and sensitivity to initial system parameters can be considered analogous to some ideal cryptographic properties for image encryption [9]. In 1998, Fridrich proposed the first general architecture for chaos-based image ciphers. This architecture is composed of two stages: permutation and diffusion [10]. Under this structure, a plain image is first shuffled by a two-dimensional area-preserving chaotic map in the permutation stage, with the purpose of erasing the high correlation between adjacent pixels. Then the pixel values are modified sequentially using pseudorandom key stream elements produced by a certain qualified chaotic map in the diffusion procedure. During the past decades or so, researchers have performed extensive analyses of this architecture, and improvements have subsequently been proposed [11][12][13][14][15][16][17][18][19]. The improvements lie in various aspects, such as novel permutation approaches [12][13][14], improved diffusion schemes [15,16], and enhanced key stream generators [17][18][19]. Chaos-based ciphers have also been employed for medical applications [20,21]. In [20], a chaos-based visual encryption mechanism for clinical electroencephalography signals is developed, whereas a bit-level medical image encryption scheme is built in [21]. Besides chaos-based encryption, compressive sensing (CS) [22,23] is also found to be a feasible way to build cryptosystems, where the sensing matrix can be viewed as the secret key [24]. It is suggested by Rachlin and Baron that CS can guarantee computational secrecy [25]. In [26,27] Zhou et al. proposed combining chaos theory with CS and then building two secure image encryption schemes, whereas the quantization process is ignored. In [28], researchers proposed a joint quantization and diffusion approach based on the similarities between the error feedback mechanism of the quantizer and the cryptographic diffusion primitive.
In this paper, a medical image encryption and compression scheme using compressive sensing and a pixel swapping based permutation approach is proposed. The whole process consists of two stages, where the first one is the chaos-based CS procedure that is used to compress and provide the first level of protection, while the second procedure is a chaos-based permutation-diffusion encryption module. The chaotic Chebyshev map is employed to generate the Bernoulli sensing matrix for CS, and then it is reused in the second stage to produce the permutation key stream elements. In the diffusion procedure, the logistic map is introduced to generate the key stream to mask the plaintext. Simulations and extensive security analyses both demonstrate that the proposed scheme has satisfactory security and compression performance for practical medical applications. The proposed scheme is described in detail in the next section; simulation results and security analyses are presented in Section 3. Finally, conclusions are drawn in the last section.

CS with Cryptographic Features Embedded.
The CS is a new framework for simultaneous sampling and compression of signals. For a length  signal , it is said to be -sparse if  can be well approximated using only  coefficients under some linear transform  = Ψ, where Ψ is the sparsifying basis and  is the transform coefficient vector with at most  ≪  (significant) nonzero entries. Many natural signals are sparse or compressible, such as the smooth signals which are compressible in the Fourier basis, whereas natural images are mostly compressible in a wavelet or discrete cosine transform (DCT) basis. In CS, the signal is measured not via standard point samples but rather through the projection by a linear measurement matrix Φ: where  is the sampled vector with  ≪  data points and Φ represents  ×  acquisition matrix. The CS framework is attractive as it implies that  can be faithfully recovered from only  = ( log ) measurements, suggesting the potential of significant cost reduction in data acquisition [29].
Unlike the random linear projection in the sampling process, the signal recovery process from the received measurements  is highly nonlinear. When Θ satisfies the restricted isometry property (RIP), the reconstruction can proceed by solving the following ℓ1-norm minimization problem [30]: At the receiver end, convex optimization algorithms [22,23] or a greedy pursuit method such as Orthogonal Matching Pursuit (OMP) [31] can be employed for reconstruction. The popular family of measurement matrices is a random projection or a matrix of random variables, such as Gaussian or Bernoulli matrices. This family of measurement matrices is well known as it is universally incoherent with all other sparsifying bases, which is crucial for satisfying the RIP requirement. In our scheme, the Bernoulli matrix as shown in (3) is introduced for signal projection. Here, Φ , ( ≤ ,  ≤ ) represents the entry of the  ×  measurement matrix, and it has values ±1/ √  with signs chosen independently and uniformly distributed: As pointed out in [29], one of the challenging issues of CS in practice is to design a measurement matrix that satisfies (1) optimal sensing performance; (2) universality with almost all sparsifying bases; (3) low complexity; and (4) hardware/optics implementation friendliness. Traditional Bernoulli matrices meet the first two requirements, whereas they are costly to generate, store, and transmit in practice. As a result, it is preferable to generate and handle the measurement matrix by one or more seed keys only. In this paper, we propose to construct the measurement matrix using the chaotic Chebyshev map, as described in (4), where  and   are the control parameter and state value, respectively. As can be seen, the iteration results of the Chebyshev map fall within [−1, 1]: For Φ , ( ≤ ,  ≤ ), the Chebyshev map will iterate once and then be quantized to the required format of Φ , by (5). In this strategy, the measurement matrix is under the control of a chaotic sequence, which is generated by a chaotic system with initial values and a particular control parameter.
In short, control parameter  and initial state value  0 can be combined as the keys. This facilitates transmission and sharing, which only require a few values instead of the whole measurement matrix: The use of CS for security purposes was first outlined in [24], where it is suggested that the measurements obtained from random linear projections can be treated as ciphertext as the attacker cannot decode it unless he knows in which random subspace the coefficients are expressed. Then in [32,33], it is shown that Shannon perfect secrecy is, in general, not achievable by such a CS method while computational security can be achieved. In the proposed scheme, with the introduction of the Chebyshev map, the CS is regarded as a joint encryption and compression procedure.
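The key-seeded matrix idea above, as an added illustration that is not code from the paper: both ends rebuild Φ from the Chebyshev control parameter and initial value alone, and a 10^−15 change in the initial value yields an unrelated matrix. The map x → cos(k·arccos x) is the standard Chebyshev map; the sign-threshold quantization, the burn-in of 200 iterations, the matrix size, the test signal and all function names are assumptions made for this sketch.

```python
import math

def chebyshev_bernoulli(k, x0, m, n, burn_in=200):
    """Rebuild an m x n Bernoulli matrix with entries +-1/sqrt(m) from (k, x0)."""
    x = x0
    for _ in range(burn_in):                 # discard transient iterations
        x = math.cos(k * math.acos(x))
    scale = 1.0 / math.sqrt(m)
    phi = []
    for _ in range(m):
        row = []
        for _ in range(n):                   # one map iteration per matrix entry
            x = math.cos(k * math.acos(x))
            # Assumed quantization: the sign of the state picks +scale or -scale.
            row.append(scale if x >= 0.0 else -scale)
        phi.append(row)
    return phi

def measure(phi, signal):
    """Compressive sampling y = Phi x: m measurements from n samples."""
    return [sum(a * s for a, s in zip(row, signal)) for row in phi]

def sign_disagreement(a, b):
    """Fraction of entries whose sign differs between two matrices."""
    pairs = [(p, q) for ra, rb in zip(a, b) for p, q in zip(ra, rb)]
    return sum(1 for p, q in pairs if p * q < 0) / len(pairs)

# Chebyshev key values quoted in the simulations section of this paper.
KEY = (5.782595812953629, 0.236925687412914)
M, N = 16, 64                                # constructed sizes for the sketch

signal = [0.0] * N                           # constructed sparse test signal
signal[3], signal[20], signal[41] = 1.5, -2.0, 0.75

phi_sender = chebyshev_bernoulli(KEY[0], KEY[1], M, N)
phi_receiver = chebyshev_bernoulli(KEY[0], KEY[1], M, N)      # same key
phi_near = chebyshev_bernoulli(KEY[0], KEY[1] + 1e-15, M, N)  # key off by 1e-15

if __name__ == "__main__":
    print("receiver rebuilt the same matrix:", phi_sender == phi_receiver)
    print("sign disagreement with near key :",
          sign_disagreement(phi_sender, phi_near))
    print("measurements:", measure(phi_sender, signal))
```

Only the two key values need to be shared; the matrix itself never has to be stored or transmitted.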

Pixel Swapping Based Permutation Strategy.
In traditional image permutation techniques, pixels are generally scrambled by a two-dimensional area-preserving chaotic map, without any modification to their values. Three types of chaotic maps, Arnold cat map, standard map, and baker map, are always employed [7,9,18]. All pixels are scanned sequentially from upper-left corner to lower-right corner, and then the confused image is produced. However, such permutation maps cannot be used for the proposed scheme. That is because the CSed image is generally not a square one. As pointed out in [7], Arnold cat map, standard map, and baker map are merely suitable for shuffling square images. When confusing a nonsquare plain image, extra pixels have to be padded to construct a square image firstly, and that would downgrade the efficiency of the cryptosystem.
Regarding this, a novel pixel swapping based permutation strategy (PSP) is developed for shuffling nonsquare images. In PSP, pixels of the plaintext and the ciphertext are represented by  = {(1), (1), . . ., ( × )} and  = {(1), (1), . . ., ( × )} from left to right, top to bottom, respectively. Each pixel in the plain image will be swapped with another pixel located after it, whose position is determined by a pseudorandom number acting as the current key stream element. Suppose that  is the current pixel position and   is the coordinate of the corresponding swapped pixel. The coordinate   is calculated according to (6), where   () is the current permutation key stream element. In PSP,   () is obtained from the Chebyshev state variables produced in the CS procedure; the production formula is described in (7), where floor() returns the nearest integer less than or equal to , and mod(, ) returns the remainder after division. In collaboration with (6), PSP can ensure that all of the pixel swapping operations are performed within the valid region: Simulations have been performed to verify the image permutation performance of PSP; the results are demonstrated in Figure 1. The plaintext is shown in Figure 1(a), which is a deliberately customized CT image with size of 256 × 512 for PSP evaluation. Figures 1(b) and 1(c) are the shuffled images using 1 round and 2 rounds of PSP, respectively. Obviously, the permuted images are completely unrecognizable and bear no similarity to the plaintext, which means the plaintext has been effectively encrypted. Besides, the two noise-like images differ little from each other. In practice, one round is sufficient to hide the plain information and reduce the pixel correlation of the plain image, as the preferred case in our scheme illustrated in the next subsection.

Schematic of the Proposed System.
The schematic of the proposed medical image encryption and compression system is shown in Figure 2. As can be seen, the proposed system consists of two primary procedures. The first one is the CS module with cryptographic features embedded, which is used to compress the plaintext and simultaneously provide the first level of encryption, with the initial value and control parameter of the introduced Chebyshev map serving as the secret key. The subsequent procedure is a permutation-diffusion type image cipher, which will extensively encrypt the quantized measurements produced in the CS stage. Obviously, the latter procedure is an iterative module, in which PSP is employed for image permutation. Following the PSP is a typical diffusion operation as illustrated in (8), in which (), (), (), and ( − 1) represent the current plain pixel, key stream element, output cipher-pixel, and the previous cipher-pixel, respectively. The key stream element () used for masking is calculated by (9), where () is the current state of the chaotic map: The chaotic logistic map is employed in our scheme for the generation of (), which is described by where  and   are the control parameter and state value, respectively. If one chooses  ∈ [3.57, 4], the system is chaotic. The initial value  0 and control parameter  combine as the secret key. Here notice that there exist some periodic (nonchaotic) windows in the chaotic region of the logistic map.
To address this problem, values corresponding to positive Lyapunov exponents should be selected for parameter , so as to keep the effectiveness of the cryptosystem [21].
The operation procedures of the proposed scheme can be described as follows.
Step 1. Iterate (4) with (,  0 ) for  0 times to avoid the harmful effect of transitional procedure, where  0 is a constant.
Step 3. Compressively sample the plaintext according to  = Φ.
Step 4. Quantize the measurement data  through a Lloyd quantizer, which is known as an optimal quantizer in the mean square error sense.
Step 5. Confuse the quantized data according to (6) and (7), with the help of the permutation key stream elements produced in the second step.
Step 6. Iterate (10) with (,  02 ) for  0 times to avoid the harmful effect of transitional procedure constant.
Step 7. Iterate (10) continuously for  ×  times. For each iteration, obtain a diffusion key stream element according to (9).
Step 8. Calculate the cipher-pixel value using (8). For the first pixel, an initial value (−1) can be set as a seed.
Step 9. Repeat Steps 5-8 to satisfy the security requirement.
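The permutation-diffusion stage (Steps 5 to 8, including the PSP strategy described earlier) as an added sketch that is not the authors' code: it runs on a constructed non-square block, decrypts by replaying the swaps in reverse order, and uses the key values quoted in the simulations section. The swap-target rule, the 10^14 scaling, the diffusion formula, the 200-iteration burn-in and the reuse of the same key streams in every round are assumptions standing in for equations (6) to (9); all function names are hypothetical.

```python
import math

def orbit(step, x0, n, burn_in=200):
    """Return n states of a 1-D map after discarding burn_in transients."""
    x, out = x0, []
    for i in range(burn_in + n):
        x = step(x)
        if i >= burn_in:
            out.append(x)
    return out

def keystreams(key, length):
    """Derive PSP swap targets (Chebyshev) and diffusion masks (logistic)."""
    k, x0, mu, y0 = key
    cheb = orbit(lambda x: math.cos(k * math.acos(x)), x0, length - 1)
    logi = orbit(lambda y: mu * y * (1.0 - y), y0, length)
    # Assumed target rule: pixel i swaps with a position strictly after it,
    # so every target stays inside the image whatever its width and height.
    targets = [i + 1 + int(abs(x) * 1e14) % (length - 1 - i)
               for i, x in enumerate(cheb)]
    masks = [int(y * 1e14) % 256 for y in logi]
    return targets, masks

def psp(pixels, targets, inverse=False):
    """Pixel-swapping permutation; the inverse replays the swaps backwards."""
    out = list(pixels)
    order = range(len(targets))
    for i in (reversed(order) if inverse else order):
        j = targets[i]
        out[i], out[j] = out[j], out[i]
    return out

def diffuse(pixels, masks, seed):
    """Assumed diffusion: c(n) = k(n) ^ ((p(n) + k(n)) mod 256) ^ c(n-1)."""
    out, prev = [], seed
    for p, k in zip(pixels, masks):
        prev = k ^ ((p + k) % 256) ^ prev
        out.append(prev)
    return out

def undiffuse(cipher, masks, seed):
    """Invert diffuse(): recover p(n) from c(n), k(n) and c(n-1)."""
    out, prev = [], seed
    for c, k in zip(cipher, masks):
        out.append(((k ^ c ^ prev) - k) % 256)
        prev = c
    return out

def encrypt(pixels, key, seed=0, rounds=1):
    targets, masks = keystreams(key, len(pixels))
    data = list(pixels)
    for _ in range(rounds):                  # Step 9: repeat Steps 5-8
        data = diffuse(psp(data, targets), masks, seed)
    return data

def decrypt(cipher, key, seed=0, rounds=1):
    targets, masks = keystreams(key, len(cipher))
    data = list(cipher)
    for _ in range(rounds):
        data = psp(undiffuse(data, masks, seed), targets, inverse=True)
    return data

# Key values quoted in the simulations section:
# (Chebyshev parameter, Chebyshev initial value, logistic parameter, logistic initial value).
KEY = (5.782595812953629, 0.236925687412914,
       3.999345672564248, 0.256799133578126)
WRONG = (KEY[0], KEY[1] + 1e-15, KEY[2], KEY[3])   # one value off by 1e-15
IMAGE = list(range(0, 240, 10))   # constructed 4 x 6 block of quantized values
```

Permutation alone leaves the set of pixel values unchanged; it is the diffusion pass that alters the values and chains each cipher-pixel to the previous one.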

Simulations and Security Analyses
In this section, simulation results of the proposed encryption and compression scheme are given for validation. Four medical images with size 512 × 512 are introduced as plaintexts, as shown in the first column of Figure 3, named CT Abdomen, CT Paranasal sinus, MR Knee, and X Lungs, respectively. The reconstruction algorithm for the CS module is OMP [31], and the sparsifying basis is the discrete wavelet transform. The compression ratio is 0.5 for demonstration, which means  = 256. The algorithm is simulated on the Matlab R2010a platform, and the secret key is randomly selected as  = 5.782595812953629,  0 = 0.236925687412914 for Chebyshev map, and  = 3.999345672564248,  02 = 0.256799133578126 for logistic map.

Encryption Results.
The results are shown in Figure 3, with the plaintexts and ciphertexts depicted in the first and third columns, respectively. It is obvious that the volumes of the ciphertexts have been compressed by half compared with those of the plaintexts. Besides, the ciphertexts are noise-like and unrecognizable from visual perception. We further verify the randomness of the ciphertexts from the statistical perspective. The histograms of the corresponding plaintexts are illustrated in the second column, whereas those of the ciphertexts are shown in the fourth column. Comparatively, the histograms of the ciphertexts are uniformly distributed and quite different from those of the plain images, which indicates that the redundancy of the plain image has been successfully hidden after the encryption and consequently does not provide any clue to apply statistical attacks.
At the receiver end, we use OMP to reconstruct the plaintexts; the recovered images are illustrated in the fifth column of Figure 3. From visual perception, one can observe that the recovered images carry meaningful information and there is no notable quality degradation compared with the plaintexts. We compute the Peak Signal-to-Noise Ratio (PSNR) as a numerical objective metric to evaluate the reconstruction quality. Under the compression ratio of 0.5 as shown in Figure 3, the recovered images have PSNRs of 33.8968 dB, 34.9182 dB, 36.7858 dB, and 36.1887 dB, respectively. All of the PSNRs exceeded 30 dB, which implies that the reconstruction quality was acceptable. From 0.1 to 0.9, PSNRs under different compression ratios are plotted in Figure 4, from which one can see that the PSNR can exceed 30 dB when the compression ratio is greater than 0.3. In practical medical applications, there is a large scale for the compromise between compression ratio and recovery quality.

Key Space Analysis.
The key space size is the total number of different keys that can be used in a cryptosystem. For an effective cryptosystem, key space should be large enough to make brute-force attack infeasible. In the proposed scheme, the keys consist of the initial value  0 ∈ (−1, 1) and control parameter  ∈ [2, +∞) of Chebyshev map and the initial value  0 ∈ (0, 1) and control parameter  ∈ (3.57, 4] of logistic map. It should be noted that  should be restricted to a particular interval of 2 to prevent Chebyshev map from producing periodic orbits. According to the IEEE floating-point standard [34], the computational precision of the 64-bit double-precision number is about 10^−15. The total key space of the proposed scheme is which is large enough to resist brute-force attack.

Pixel Correlation Analysis.
For a medical image with meaningful visual content, each pixel is usually highly correlated with its adjacent pixels either in horizontal, vertical, or diagonal directions. An effective cryptosystem should produce ciphertexts with sufficiently low correlation between adjacent pixels. The following steps are performed to evaluate an image's correlation property. (1) 3000 pixels are randomly selected as samples; (2) the correlations between two adjacent pixels in horizontal, vertical, and diagonal directions are calculated according to (12), where   and   are gray-level values of the th pair of the selected adjacent pixels, and  represents the total number of the samples: The correlation coefficients of adjacent pixels in the plain image and its cipher image are listed in Table 1. Furthermore, the correlation plots of two adjacent pixels are depicted in Figure 5. The high correlation of adjacent plain pixels can be observed in Figures 5(b), 5(c), and 5(d), as the dots are located along the diagonal. They are scattered over the entire plane in Figures 5(f), 5(g), and 5(h), which reflect the correlations of the ciphertext. Both the calculated correlation coefficients and the figures can substantiate that the strong correlation among neighboring pixels of a plain image can be effectively decorrelated by the proposed cryptosystem.

Key Sensitivity Test.
Extreme key sensitivity is a crucial feature of an effective cryptosystem and can be evaluated in two aspects: (i) completely different ciphertexts should be produced when slightly different keys are used to encrypt the same plaintext; (ii) the ciphertext cannot be correctly decrypted even if a tiny mismatch exists between the encryption and decryption keys.
To evaluate the key sensitivity of the first case, the encryption is carried out with a randomly chosen secret key to obtain a cipher image. Then a slight change of 10^−15 is introduced to one of the parameters while all others remain unchanged, and the encryption process is repeated. The corresponding cipher images and differential images are shown in Figure 6. The differences between the corresponding cipher images are computed and listed in Table 2. It is clear that a tiny difference in the secret key causes substantial changes between the corresponding cipher images.
Furthermore, decryption using keys with slight alterations as described previously has also been performed, so as to evaluate the key sensitivity of the second case. The deciphered images are shown in Figure 7. It is obvious that all of the incorrectly deciphered images are completely unrecognizable and cannot reveal any perceptive information of the plaintext, which demonstrates the failure of reconstruction when using a neighboring key.

Entropy Analysis.
Information entropy is a significant property that reflects the randomness and the unpredictability of an information source. It was firstly proposed by Shannon in 1949, and the entropy () of a message source  is defined in (13), where  is the source,  is the number of bits to represent the symbol   , and (  ) is the probability of the symbol   . For a truly random source consisting of 2  symbols, the entropy is . Therefore, for a secure cryptosystem, the entropy of the cipher image with 256 gray levels should ideally be 8: The entropies of the introduced medical images and their ciphertexts are listed in Table 3. It is obvious that the entropies of the cipher images are very close to the theoretical value of 8, which means that the information leakage in the encryption procedure is negligible and the proposed cryptosystem is secure against entropy attack.

Conclusions
In this paper, a medical image encryption and compression scheme has been proposed. We employed compressive sensing to first compress and encrypt the plaintext, and the measurement matrix is generated using the chaotic Chebyshev map. Then the quantized measurements are subsequently encrypted using a chaos-based permutation-diffusion cipher to further enhance the security. Simulations and security analyses have demonstrated the satisfactory compression and encryption performance of the proposed scheme.

Figure 2: The schematic of the proposed system.

Figure 3: Simulation results of the proposed scheme: from the first to the fifth column are plaintext, histogram of the plaintext, ciphertext, histogram of the ciphertext, and the recovered images, respectively.

Figure 5: Correlation plots of adjacent two pixels: (a) plain image, correlation plots of the plain image in (b) horizontal, (c) vertical, (d) and diagonal directions; (e) cipher image, correlation plots of the cipher image in (f) horizontal, (g) vertical, (h) and diagonal directions.

Table 1: Correlation coefficients of adjacent pixels.

Table 2: Differences between cipher images produced by slightly different keys.

Table 3: Entropies of plain images and cipher images.