Secure Image Authentication Scheme Using Double Random-Phase Encoding and Compressive Sensing

Double random-phase encoding(DRPE-) based compressive sensing (CS) systems support image authentication for noisy images. When extending such systems to resource-constrained applications, how to ensure the authentication strength for noisy images becomes challenging. To tackle the issue, an efficient and secure image authentication scheme is presented. (e phase information of the plain image is generated using DRPE and quantized into a binary image as the authentication information. Meanwhile, a sparser error matrix generated by the same plain image and vector quantization (VQ) image works as the input of CS. (e authentication information and VQ indexes are self-hidden into the quantized measurements to construct the combined image. (en, it is permutated and diffused with the chaotic sequences generated from a modified Henon map. After decryption at the receiver side, the verifier can implement the blind authentication between the noisy decoded image and the reconstructed image. Supported by the detailed numerical simulations and theoretical analyses, the DRPE-CSVQ exhibits more powerful compression and authentication capability than its counterpart.


Introduction
As the primary form of information carrier and exchange, digital images experience fast-growing storage and transmission in communication media today, irrespective of whether mobiles or individual electronic devices are available [1]. When different kinds of digital images are managed and transmitted via open channels, illegal users may tamper, redistribute, and even destroy them, which will bring tremendous losses to legitimate terminal users [2]. It is a nontrivial task to ensure the security of images that contains user privacy or essential information. One viable solution is to encrypt digital images into unrecognizable or noise-like patterns [3,4]. Image encryption schemes, especially chaotic-based ones, have been widely investigated as a means of privacy protection [5]. However, most chaotic encryption designs are not secure enough against unauthorized operations [6,7]. Besides, some chaotic encryption schemes [3,5] encrypt plaintext into the ciphertext of the same size, which is not conductive to resource-constrained applications.
As two kinds of classic lossy compression technologies, vector quantization (VQ) and compressive sensing (CS) have already exerted their strengths in their respective fields [8][9][10][11][12][13][14][15]. VQ, a block-size compression coding method, has a tremendous high compression ratio by transforming block vector into codeword index. Some researchers used the compression property of VQ technology to restore the tampered contents [8][9][10]. In the recoverable scheme [10], the main content in one carrier region is compressed into an index by the VQ encoder and then embedded into the other carrier regions. After detecting malicious manipulations, the index extracted from the reserved regions can restore the main content of the tampered area with the public codebook. e restoration precision strictly relates to the codebook. If the plain content does not match the codebook closely enough, the restored content will have noticeable block artifacts [11]. CS is another technique to fulfill the same purpose using a different solution [12,13,15]. It has been proven that CS-based cryptosystems are computationally infeasible under brute-force attack and exhaustive searching [13]. However, the security is built on the measurement matrix as the key, which worsens key distribution and transmission [14]. Yu et al. [15] theoretically proved that the measurement matrix generated by chaotic map satisfies restricted isometry property (RIP), which provided an alternative construction of the CS measurement matrix. In addition, since the sparseness of the signal was utilized to reconstruct the original signal from the measurements, directly assigning raw images as inputs of CS may lead to a worse restoration and may not achieve the ideal compression effect due to the lower sparsity of raw images [16,17].
Double random-phase encoding (DRPE) technology, initially developed by Refregier et al. [18], has the distinct advantages of processing 2D complex data with parallelism and high speed. Many references have integrated DRPE with other conventional signal processing techniques [19][20][21][22][23], such as watermarking, encryption, and authentication by Fourier domain expansion to Fresnel domain. In [23][24][25], DRPE was mixed with photon-counting imaging to acquire sparse complex information and secure image authentication based on a statistical nonlinear correlation approach. Since phase information obtained by DRPE and photoncounting imaging is sparse and requires less space to store, it has been favored by other studies [22,[26][27][28][29]. To reduce storage and provide higher security, the schemes [22,26] only reserved partial phase information for the authentication. Likewise, references [24,26] used sparse complex information resulting from 2D elemental images for final authentication. In [23], Cho et al. proposed combining DRPE and 3D integer imaging techniques for 3D image authentication. In [28], Yi et al. noticed that most preliminary DRPE-based image authentication designs implicitly assumed that the receiver successfully received the encrypted images and that there were no attacks during transmission.
us, most of these would fail to authenticate even when the transmitted images had been disturbed by noises, a common occurrence in reality during Internet transmission. e schemes [29][30][31][32] combined DRPE and CS (DRPE-CS) to cope with the security concerns of current cryptosystems. In [30], Zhang et al. developed a joint orthogonal encoding and CS method to implement DRPE-based multiple-image encryption. e block reconstruction process reestablished every single image perfectly. In [31], Huo et al. proposed a similar multiple-image encryption scheme to sample each plain data and integrate the sampled data into a synthesized ciphertext by the orthogonal encoding process.
e key storage is efficient and straightforward since the pseudorandom sequences generated by chaotic systems are employed to construct the CS measurement matrix and the two random phases of DRPE. Besides, through applying dimensionality reduction and random projection to CS sampling, Lu et al. developed a DRPE-CS image encryption scheme in [32], which achieved lower data volume for encryption and higher security for information protection. To upgrade the security level and realize blind authentication, Zhou et al. presented a novel and secure DRPE-BCS method [29]. However, the reconstructed image precision was not ideal. Firstly, a lower sampling ratio would cause a poorquality reconstructed image because of the raw image as the CS input. Secondly, performing different cropping regions on the cipher images would cause severe distortion on the reconstructed image since no remedy is provided when attacked. Given these considerations, ensuring the quality of the reconstructed image at lower sampling rates and loss reduction after being attacked such that more robust authentication strength can be available becomes a challenge.
To have more robust authentication between the noisy decoded image and the reconstructed image, we detail a secure image authentication scheme by integrating DRPE and VQ with CS. e plain image is encoded into authentication information by DRPE and quantized into the VQ image by the VQ encoder/decoder. e sparse error matrix generated by the same plain image and VQ image is as the CS input. e reconstructed error matrix by CS only fulfills information compensation to the VQ reconstructed image. Consequently, the final reconstructed image quality does not have high requirements for the codebook, and it has no strict restriction for CS compression. e combined image consists of the VQ indexes, the authentication bits, and the quantized measurements, followed by the permutation and diffusion to improve security. Experiments have confirmed that selecting an error matrix for CS compression counteracts the interaction between reconstructed quality and compression ratio. erefore, the main contributions of this paper are as follows: (1) CS and VQ are combined to achieve sampling at the fast and efficient characteristics. (2) A self-embedding method with authentication capability is implemented, which outperforms conventional DRPE-CS methods. (3) e restoration precision of the reconstructed image at a lower sampling ratio surpasses that of conventional CS where the nature image is as CS input. (4) After being attacked, if replacing the damaged indexes with the undamaged neighbor indexes, the restoration quality of the final reconstructed image will be much better than that of no operation; thus, the DRPE-CSVQ vastly reduces the costs and losses after malicious attacks. Finally, we want to emphasize that (3) and (4) play vital roles in the final authentication effect. e rest of the paper is organized as follows. In Section 2, related technologies are introduced. In Section 3, the compression, encryption, and authentication method is discussed in detail. Detailed experiment results and performance analyses are given in Section 4. e conclusion is provided in Section 5.

Double Random-Phase
Encoding. DRPE involves the operations of two random-phase marks, respectively, in the input and the Fourier transform planes, which is shown in Figure 1. For an input image I 0 � I 0 (x, y) x�1,y�1 of the same size that satisfies stationary white noise using two random-phase masks m 1 where n(x, y) and b(μ, ]) are distributed in the range [0, 1] with uniform probability, (x, y) and (μ, ]) denote the coordinates of the input image plane and the second mask plane, respectively, j represents the imaginary unit, m 1 (x, y) � e (j2πn(x,y)) , and m 2 (μ, ]) � e (j2πb(μ,])) . e encoding process can be expressed as [28] E(ξ, η) � FT FT I 0 (x, y) · e (j2πn(x,y)) · e (j2πb(μ,])) , (1) where (ξ, η) represents the coordinate in CCD plane, FT(·) is the Fourier transform, and E(ξ, η) is a complex image that contains an amplitude image and a phase image.
Similarly, DRPE decoding is the reverse process of encoding.
where D � D(x, y) M,N x�1,y�1 is the decoded image and IFT(·) is the inverse Fourier transform.

Compressive
Sensing. CS relies on properties of incoherence, signal sparsity, and compressibility. Suppose x is a 1D signal of length N, and then the signal can be represented in a dictionary Ψ � [Ψ 1 , Ψ 2 , . . . Ψ N ] as follows: where s i is the coefficients of the signal x. e equivalent form of x is where Ψ is a N × N matrix with Ψ i N i�1 as columns. e core is to find a dictionary so that the coefficient vector s is sparse; namely, only K ≪ N coefficients are nonzero.
After sparsity to the signal, a condensed representation with M < N linear measurements between x and a collection of functions Φ m M m�1 can be written as y m � 〈x, Φ m 〉. Stacking y m into M × 1 vector and Φ T m as rows into a matrix Φ of size M × N, we can obtain where y and Φ are the measurements and the measurement matrix, respectively. Since the transformation from x to y is a dimensionality reduction process, it is difficult to reconstruct the original signal faithfully with CS. Fortunately, it has been proven that, only using M ≥ O(K log(N/K)) random measurements, x can be recovered approximately as long as ΦΨ satisfies the restricted isometry property (RIP) [33]. us, by solving the ℓ 1 -norm optimization problem, we can reconstruct x from the measurements y [34].
ere exist some widely used algorithms to deal with the optimization problem: total variation, orthogonal matching pursuit (OMP), and iterative threshold, and so on. In this paper, a MATLAB-based modeling system for convex optimization (CVX) is used to reconstruct the original signal x.

Vector Quantization.
As a lossy block-size data compression way, VQ was first proposed by Linde et al. in 1980 [35]. e compression coding mainly consists of three components: codebook generation, VQ encoder, and VQ decoder. e codebook CB� Y i N i�1 that contains N k-dimensional codewords Y i � y i,j k j�1 should be trained and preshared beforehand. e original image is divided into nonoverlapping sub-blocks V� v j j�k j�1 . For each sub-block, the nearest codeword Y i is found based on a minimum Euclidean distance by sequentially comparing V to the codewords Y i of the codebook CB. e Euclidean between V and Y i is where y i,j is the j-th component of the codeword Y i and v j is the j-th component of the image sub-block V. When the nearest codeword Y i is found, the corresponding index i is used to encode vector V. After all sub-blocks of V are encoded, the original image can be represented by indices of these nearest codewords.
It is easy to reconstruct the original image from the VQ indexes based on the preshared codebook CB when VQ decoding is required. e decoding must conduct on each index to retrieve each sub-block of the original image.

Conjugate
Decoding Encoding

The Proposed Encryption and Authentication Scheme
Our DRPE-CSVQ can achieve encryption and authentication simultaneously and efficiently. Figure 2 presents the flowchart of the encryption and hiding algorithm, from which one can find the four stages from the plain image to the final encrypted hidden image: DRPE, VQ, CS, and permutation-diffusion. e VQ encoder encodes the plain image into VQ indexes and the error matrix, and the DRPE transformation operates the same plain image into the binary image as authentication information. e obtained error matrix is permuted and compressed by CS to get the measurements.
e combined image is constructed that includes the index vector, the quantized measurements, and the authentication information, followed by the encryption to generate the final encrypted hidden image. e following subsections will describe more details about the four stages.

Error Matrix Generation. Initially, the input plain image
To comply with the subsequent operations, we reshape the resultant vector into 2D matrix z � z(x, y) M,N/l/l x�1,y�1 . After all the encoded indexes are done VQ decoder, a reconstructed image I vq that is much close to the input plain image I 0 can be easily generated.
e error E 1 between the reconstructed image and the input plain is e reconstructed sub-block by VQ index might not be the same as the input sub-block as the preshared codebook CB impacts the reconstruction effect. A larger codebook has a higher chance of seeking the codeword that is precisely the best matching to the input sub-block but meanwhile means more time consumption for codebook training and vice versa. Moreover, there usually exist block artifacts in the reconstructed image I vq . To lessen the intrinsic dependency for the codebook, we fully leverage CS superiority to compress the error matrix.

Error Matrix
Compression. Due to local regularities and global symmetries of nature images, different regions of the error matrix E 1 have massive diversity in sparsities. To better use the same measurement matrix Φ ∈ R M×N to compress all sub-blocks of the error matrix E 1 , the element distribution of the error matrix E 1 must be uniform enough. us, we scramble the error matrix E 1 with a pseudorandom sequence generated by the following modified Henon map function [36]: where x 0 and y 0 are the initial values and α and β are the control parameters. e system is in a chaotic state when α � 3.85 and β � 0.3. e initial parameter set (x as the permutation key iterates equation (11) for M × N times to generate the pseudorandom sequence a � a t M×C t�1 . Let the 1D vector of the error E 1 bee 1 � e 1 (t) M×N t�1 , and the scrambled error vector where a t represents the element of the sorted-indexed vector a � a t M×C t�1 generated by sorting the pseudorandom sequence a � a t M×C t�1 in ascending order. And we can obtain the 2D permuted error matrix E 2 � E 2 (x, y) M,N x�1,y�1 by reshaping the vector e 2 � e 2 (t)

M×N t�1
into M rows and N columns.
After getting the much uniform error E 2 , we describe how to compress it with the same measurement matrix Φ. e sparse error E 2 is split into nonoverlapping sub-blocks of size l ′ × l ′ , and the elements of all sub-blocks are separately stretched into vector sets Λ � Λ t M×N/l′/l′ t�1 . If the number of nonzero values of each block is saved in , we can use a measurement matrix of size M k × l k (l k > M k > NZ t and l k � l ′ × l ′ ) to compress each vector in Λ as follows: Since the newly generated low-dimensional measurements y t are double-precision numeric type a uniform quantization is leveraged to map the values to the range [0, 255], 4 Security and Communication Networks where y min t and y max t are the minimum and maximum values in y t and floor(·) is the rounding down operation. After all of the sub-blocks in E 2 are compressed with the same measurement matrix, the resulting values constitute a mea-

Self-Embedding and Encryption.
In the VQ process, we use a codebook with 256 codewords of length l × l � 16; thus, we can acquire the index vector of size N vq � α vq × M × N from the plain image, where α vq � 1/16. In the DRPE process, every 8 bits of the binary image are combined into one pixel of authentication information; thus, we can generate the authentication information of size N drpe � α drpe × M × N from the binary image, where α drpe � 1/8. In the CS process, let l k � l ′ × l ′ � 16 × 16 and the sampling ratio be α cs , the number of the measurements of each sub-block is then M k � α cs × l k , and the number of the whole error matrices is us, the total number of VQ indexes, authentication information, and measurements is Ν total � M × N × (α vq + α drpe + α cs ). Since α vq and α drpe are two constants, the number Ν total of all the data will be consistent with the size of the plain image when the sampling ratio is α cs � 13/16. erefore, after obtaining the index matrix z � z(x, y) x�1,y�1 of the same size as the plain image can be obtained by appending them orderly: In the following, we will dedicate to the encryption based on a permutation and diffusion architecture. Using the other two sets of parameters (x as the diffusion key. After sorting, we can get To facilitate subsequent diffusion, we convert each ele- e bitwise exclusive or diffusion is conducted according to equation (18) [37]: After rearranging all the elements of the diffused vector e d � e d (t)

M×N t�1
into a 2D matrix, the final encrypted and hidden image E d � e d (x, y) M,N x�1,y�1 is yielded.

Decryption and Authentication.
e decryption and authentication are shown in Figure 3 en, we solve the ℓ 1 -norm optimization:  Security and Communication Networks where Ψ is a dictionary of size l k × l k and _ s t is the spare coefficient. Based on the newly generated coefficients s ⌢ t , we can reconstruct the elements of the sub-block _ Λ t from the measurements _ y t .
In addition, the authentication information, namely, the extracted Bp · , is transformed into a binary image and is quantized inversely into a phase image _ where I t (μ, η) and _ I 0 (ξ, υ) are the 2D Fourier transforms of the target image I t and the decoded image _ I 0 , φ I t (μ, η) and φ _ I 0 (ξ, υ) are the phase signals of I t (μ, η) and _ I 0 (ξ, υ) , FT −1 is the inverse Fourier transform, and k denotes the strength of the applied nonlinearity. e value of k is often set to 0.3 [28]. To quantitatively measure the correlation between the decoded image _ I 0 and the target image I t , peak-to-correlation energy (PCE) is calculated with where max(·) is a maximum function. A higher PCE value indicates a stronger correlation between the decoded image _ I 0 and the target image I t .
3.6. Discussion. Based on the above procedures, the proposed method can achieve optical authentication for the noise-like and unrecognizable images in resource-constrained environments, and this will be detailedly analyzed in the next Section 4.2.1. e binary image generated by the DRPE technology serves as the authentication information, and the time complexity of this process is low due to the parallel processing trait of optical DRPE. In addition, compensating the reconstructed error information on the VQ image can obtain a better final reconstructed image quality, making the decrypted noise-like authentication information and the final reconstructed image authenticated with a higher probability.
On the other hand, the purpose of generating encrypted images containing authentication bits is to protect users' copyright information in insecure cloud-based environments. For example, to use the resources in the cloud data centers, the users needed to update the multimedia data onto the cloud servers in advance. Upon updating to cloud servers, the user can retrieve the data when needed from any location, whereas transmitting the data to cloud servers managed by third-party servers may lead to security and privacy issues. It is vital to settle the security concerns involved in cloud computing. Fortunately, the security of stored content can be premanaged by application of the  conventional encryption designs. However, if unwanted processing occurs in an insecure cloud, ensuring users' copyright is a real challenge. us, it is necessary to embed authentication information into the encrypted domain.  Figure 4 shows the detailed implementations on encryption and hiding, and Figure 5 shows the implementations on decryption and authentication. In our experiments, if the sampling ratio α cs is smaller than 13/16, the final encrypted and hidden image will be compressed; otherwise, it will not be compressed. In Figures 4 and 5, the sampling ratio is fixed as α cs � 13/16. e input image, the phase image obtained by DRPE, the binary image generated by the quantization, the VQ image reconstructed by the preshared codebook, and the error matrix between the plain image and the reconstructed VQ image are shown in Figures 4(a)-4(e); and the permuted error matrix, the measurements by CS, the combined image, the permuted image, and the final encrypted and hidden image diffused are shown in Figures 4(f)-4(j). It follows from Figure 4(e) that smaller values or 0 values are full of the whole error matrix; thus, the error matrix is much sparse than the input image. In addition, the permutation process has made the distribution of nonzero values of the error matrix more uniform in Figure 4(f); thus, using the same measurement matrix to compress all sub-blocks of the error matrix will have little or no impact on the error reconstruction. And, one can find intuitively from Figure 4(h) that the VQ index matrix, the measurements, and the authentication information have been aligned orderly in the combined image. At last, the incomprehensible and noise-like image in Figure 4(j) indicates no information leakage compared to the original input. Figure 5 shows the detailed implementations of decryption and authentication. We know that the VQ image reconstructed from the extracted VQ indexes has noticeable block artifacts in Figure 5(d), while no such issue appears in Figure 5(f). Moreover, the PSNR value between the VQ image in Figure 5(d) and the input image in Figure 4(a) is 24.8878 dB, but the value reaches 40.2863 dB for the final reconstructed image in Figure 5(f) and the input image in Figure 4(a).

Experimental Results and
us, the reconstructed error in Figure 5(e) fulfills better information compensation to the VQ image, facilitating subsequent authentication based on a nonlinear cross-correlation coefficient strategy. e authentication information extracted from the rightmost 32 columns of Figure 5(c) is converted into Figure 5(g) and then inversely quantized to the phase image in Figure 5(h). e noisy decoded image in Figure 5(i) are difficult to recognize with naked eyes virtually but have been successfully authenticated in Figure 5(j) based on a nonlinear cross-correlation between it and the reconstructed image in Figure 5(f), the authentication of which is a blind process since it is needless for the participation of the plain image in Figure 4(a).

Compressibility.
e compression ratio of our DRPE-CSVQ is defined as the ratio of the final encrypted hidden image to the plain image: where N vq , N drpe , and N cs are the sizes, respectively, from the index matrix, the authentication information, and the measurements, α cs and α cr represent the sampling ratio and the compression ratio, α drpe � 1/8, and α vq � 1/16. If the sampling ratio α cs is smaller than 13/16, our DRPE-CSVQ can implement three functions of compression, encryption, and authentication simultaneously. Figure 6 shows the detailed implementations at compression ratio α cs � 5/8 with multiple test images "Camera," "Lena," and "Baboon" of sizes 256 × 256 as inputs. At first, the inputs "Camera," "Lena," and "Baboon" are encoded using the encryption and hiding algorithm to generate the corresponding compressed and encrypted images shown in Figures 6(a1)-6(a3). en these are decoded using the decryption and authentication algorithm to obtain the reconstructed images in Figures 6(e1)-6(e3) and the decoded images in Figures 6(f1)-6(f3), thus achieving the authentications in Figures 6(g1)-6(g3). e reconstruction quality is evaluated with peak signal-to-noise ratio (PSNR) value, and the authentication result is quantitatively testified by PCE value. e PSNR results of VQ images generated by extracted VQ indexes (in Figures 6(c1)-6(c3)) are 24.7856 dB, 26.0553 dB, and 24.8610 dB while the PSNRs of final reconstruction images (in Figures 6(e1)-6(e3)) reach 29.9680 dB, 29.5055 dB, and 26.3824 dB, respectively. e PSNRs of our DRPE-CSVQ reconstruction are all much larger than the PSNRs of VQ reconstruction for the same image, so the reconstructed error matrices (in Figures 6(d1)-6(d3)) have freed up codebook dependency for VQ reconstruction. Besides, the correlation planes between the final reconstruction images (in Figures 6(e1)-6(e3)) and the decoded images (in Figures 6(f1)-6(f3)) have exhibited high peaks at the centers and possess the PCE values of 0.0064, 0.0030, and 0.0033, respectively, which indicate that the proposed method successfully authenticates all images at compression ratio α cr � 5/8. Besides, Figure 7 shows the correlation planes at different compression ratios. Figures 7(a)-7(d) show the correlation planes at compression ratios α cs � 13/16, α cs � 5/8, α cs � 7/16, and α cs � 1/4, respectively. From Figure 7, we can easily find the high peak from the center of each correlation plane; thus, the reconstruction image has a strong correlation with the authentication information. To make a more quantitative analysis of the authentication result, we calculate the PCE values of all the correlation planes, the values of which are 0.0067, 0.0064, 0.0055, and 0.0048, respectively, thus again testifying the authentication ability of our DRPE-CSVQ. Meanwhile, we also execute simulations of multiple plain images and compute the average of PSNRs (APSNRs) to test the reconstructed quality of our DRPE-CSVQ at different compression ratios. Table 1 lists the comparison results among the proposed method and the methods in BLP-CS [39], BCS-In [40], and DRPE-BCS [29]. Table 2 presents all parameter settings of these comparisons. We can find from Table 1 that our DRPE-BCS is greater than the other three approaches at least 1 dB at compression ratio 30%, and at least 2 dB when compression ratio equals 20%.
us, our DRPE-CSVQ provides a more powerful compression property while keeping image quality.
Since we dedicate to the two concerns above [29], we give detailed numerical comparisons. Figure 8 presents comparison   Security and Communication Networks 9 10 Security and Communication Networks results, where the standard image "Camera" is still the input image. Figure 8(a) shows the PSNR value of the reconstructed image, and Figure 8(b) shows the corresponding PCE value of the authentication result. One can see that our method is wholly better than [29] when the compression ratio is smaller than 0.5 and comparable to [29] when the compression ratio is larger than 0.5. Both PSNR and PCE values in our method decline slowly and entirely outperform the values in [29] while the compression ratio is less than 0.5. e two processes in [29] have a quick decline because the input image "Camera" in [29] was as direct input of CS that makes the reconstructed image accordingly decline with the reduction of the compression ratio. As a contrast, we select a sparser error matrix as CS input. e reconstructed error matrix by CS exclusively achieves information compensation to the VQ reconstructed image; thus, the reconstruction quality of our method was not substantially affected by the descent of compression ratios. In short, our approach can well ensure the restoration precision of the reconstructed image, thereby equipped with more robust authentication capability.    Figure 9 shows the histograms of the plain image and the encrypted images at compression ratios of α cr � 1, α cr � 13/16, α cr � 5/8, α cr � 7/16, and α cr � 1/4, respectively. It is clear that as compression ratios decrease, the total numbers of pixels in the cipher images shrink accordingly. Still, all histograms of the cipher images are uniformed, and none of the valuable information is leaked to the adversary. Although the purpose of error matrix permutation is to make the signal as evenly distributed as possible to be compressed by the same measurement matrix and obtain a more efficient reconstruction of the signal later, the permutation also makes the measurements by CS have a similar distribution. Besides, the subsequent permutation and diffusion render the pixel intensities of the combined image uniformly distributed in the range of [0,255]. us, we can conclude that the proposed scheme tackles the energy leakage issue.

Correlation Analysis.
e correlation among adjacent pixels of an image is a vital criterion to assess encryption security. Here, we randomly select 2000 adjacent pixel pairs in horizontal, vertical, and diagonal directions from the plain "Camera" and the corresponding encrypted image to test the correlation results. Figure 10 shows the correlation distributions of "Camera" and the corresponding encrypted image in the three directions. Two adjacent pixels in the input plain "Camera" are highly correlated. In contrast, the correlation between two adjacent pixels in the encryption version is weak enough and almost disrupted to a randomness pattern. e distributions of the vertical and diagonal directions possess similar modalities.
In addition, to quantitatively analyze this, correlation coefficients are calculated: where x i and y i are the values of two adjacent pixels and L s is the total number of selected pixel pairs. Table 3 lists the correlation coefficients of plain images and those of the corresponding encrypted versions. e results show that the coefficients for the encrypted images are all sufficiently low, indicating that the proposed method is equipped with a better encryption effect. In Table 4, we compare ours with other encryption schemes [41][42][43]. We can see that our method outperforms them in three directions. e chaotic operation in our system engages VQ indexes, error   measurements, and authentication information, whereas the operation in other systems engages raw images. ese combined VQ indexes, error measurements, and authentication information have a much lower correlation than pixels in nature images. erefore, our method has stronger robustness to resist correlation-based statistical attacks.

Information Analysis.
Information entropy is used to measure the uncertainty and randomness associated with a random variable. e entropy value of a random variable is defined as where p(x i ) is the probability of appearance of x i . e bigger the information entropy of the cipher image is, the more secure the cryptosystem is. Table 5 lists the entropies of the plain images and the corresponding encrypted versions. One can see that the proposed method is better than the works [42,43], and the entropies change within a very narrow range, which means that the information leakage of the proposed method is negligible. us, our approach can well resist entropy-based statistical analysis.

Differential Attack Analysis.
To test the sensitivity to plain image, we randomly select one pixel from each plain image and modify the last bit of the pixel at the same location to obtain the corresponding modified plain image. e original and modified plain images are encrypted with the same keys, and we get two encrypted images. e two encrypted images are evaluated quantitatively by the number of pixels change rate (NPCR) and unified average changing intensity (UACI): where C 1 and C 2 are two encrypted images obtained by a slight change in the chosen plaintext image and D(i, j) is defined as

Direction
Mean correlation coefficients Ref. [41] Ref. [42] Ref. [ e results are tabulated in Table 6 and compared with the works [41][42][43]. As seen, our method outperforms the works [41][42][43] either in NPCR or in UACI. Unlike the results in [41][42][43], one-pixel variation in two plain images will make at least one pixel changed markedly in the corresponding two encrypted images. In our method, if making the slightest bit of a randomly chosen pixel changed, the two encrypted images may be the same because a tiny change perhaps does not impact the index vector or change authentication information and measurements. It may change one index or 8bit depth authentication information or error measurements if replacing a chosen pixel by a random value. ese changed pixels may influence almost all the pixels of the encrypted image through the subsequent diffusion phase. us, our method has a better ability to resist differential attacks.

Cropping Attack Analysis.
If the sampling ratio is α cr � 13/16, the encrypted image has the same size as the input plain image. e indispensable VQ indexes hold solely 6.25% pixels of the whole encrypted image, and the authentication information and the error information occupy 12.5% and 81.25%, respectively. e VQ indexes share a much smaller number of pixels than the error data while saving the most information of the input plain image. When the encrypted image is subjected to attacks, the probability of the damaged index data will be much smaller than that of error data, and even after being damaged, the damaged indexes can be replaced with the undamaged neighbor indexes. eoretically, the DRPE-CSVQ can ensure the image restoration quality to a certain degree. Figure 11 also gives the experiment results of the proposed method under cropping attack with the cropping size 64 × 64. e first column to the third column presents detailed image reconstructions and authentications with multiple standard images "Camera," "Lena," and "Baboon." We can see from the second row that there are full of different types of noises, indicating that the error matrix and the VQ indexes are both destroyed. ese destroyed sub-blocks correspond to those VQ indexes damaged in the encrypted image. e PSNR results of the reconstructed images with error compensation are 15.9090 dB, 15.9326 dB, and 15.7447, respectively, which are far from satisfactory to authenticate. If ignoring the error matrix, we can obtain the images in the third row with PSNR values of 19.8572 dB, 21.1723 dB, and 20.9273 dB, respectively, which have better visual perception than those in the second row. But there are still some discrete sub-blocks in the images in the third column, which are indications of the destroyed indexes. An alternative solution is to replace the damaged indexes with their neighbor indexes, and the fourth row shows the final reconstructed images. e PSNR values of the fourth row are 24.4895 dB, 26.5853 dB, and 24.2341 dB, respectively, which are enough to accomplish subsequent authentication. e fifth row shows the decoded images after the inverse DRPE transform, and the last row shows the authentication results between decoded images and final reconstructed images.
e PCE values of the authentication results reach 0.0032, 0.0021, and 0.0017, respectively, indicating that our DRPE-CSVQ implements successful authentication after cropping attack.
As mentioned earlier, we also implement the work [29] with the same input images under cropping size 64 × 64. After simulations by the same software, we can obtain the final reconstructed images with respective PSNR values of 7.0614 dB, 10.3057 dB, and 11.5010 dB in Figures 12(b1)-12(b3), which are much worse than those in our method. In addition, one cannot find the apparent high peak from the center of each correlation plane, indicating that the distortions on these reconstructed images have severely influenced the authentication effect. What is more, the PCE values of the authentication results are only 0.000885, 0.000415, and 0.000450, respectively; thus, we can conclude that the method [29] fails to authenticate after being attacked with the cropping size 64 × 64.

Conclusion
is paper has presented a secure and efficient image authentication scheme based on DRPE-CSVQ. It is the first time we generalize the DRPE technology to compressive sensing and vector quantization application scenarios. e phase information of the plain image is obtained using DRPE and quantized to generate the authentication information. Simultaneously, the same plain image is compressed by VQ, and then an error matrix is generated. Since VQ can preserve enough details of an image, the error matrix would be very sparse. To balance the sparse degree of all sub-blocks of the error matrix such that the subblocks can be sensed with the same sensing matrix, we conduct a permutation on the error matrix and follow the block-based CS compression on the error matrix. e combined image that comprises the VQ indexes, the quantized measurements, and the authentication information is permutated and diffused to ensure security. Supported by the detailed numerical simulations and theoretical analyses, the DRPE-CSVQ fits into the practical realm better than its counterpart.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare no conflicts of interest.