#### Abstract

This paper presents a solution to satisfy the increasing requirements for secure medical image transmission and storage over public networks. The proposed scheme can simultaneously encrypt and compress the medical image using compressive sensing (CS) and pixel swapping based permutation approach. In the CS phase, the plain image is compressed and encrypted by chaos-based Bernoulli measurement matrix, which is generated under the control of the introduced Chebyshev map. The quantized measurements are then encrypted by permutation-diffusion type chaotic cipher for the second level protection. Simulations and extensive security analyses have been performed. The results demonstrate that at a large scale of compression ratio the proposed cryptosystem can provide satisfactory security level and reconstruction quality.

#### 1. Introduction

Benefiting from the rapid development of network technologies and the prominent advantages of digital medical images in health protection [1], the distribution of medical images over networks has become an essential part of everyday practice in medical systems. As medical images are confidential patient data, ensuring their secure storage and transmission over public networks has become a critical issue in practical medical applications. Mandates for ensuring health data security have been issued by the federal government, such as the Health Insurance Portability and Accountability Act (HIPAA), enacted by the United States Congress and signed by President Bill Clinton in 1996 [2, 3]. Moreover, several major medical imaging communities such as the American College of Radiology (ACR) have issued guidelines and mandates for ensuring medical image security, for example, the Picture Archiving and Communication Systems (PACS) [4]. However, transmission of medical images in PACS is generally within a hospital intranet whose security measures or instruments are often lacking [3]. Beyond the intranet environment, medical image transmission over wireless networks is also in increasing demand. Medical image security in both intranet and internet settings faces severe threats [5].

Encryption is the most convenient strategy to guarantee the security of medical images over public networks. However, recent achievements have demonstrated that block ciphers such as Data Encryption Standard (DES), Advanced Encryption Standard (AES), and International Data Encryption Algorithm (IDEA), which were originally designed for encrypting textual data, are poorly suited for digital images characterized by intrinsic features such as high pixel correlation and redundancy [6–8]. Since the 1990s, chaotic systems have drawn much attention, as their fundamental features such as ergodicity, unpredictability, and sensitivity to initial system parameters can be considered analogous to some ideal cryptographic properties for image encryption [9]. In 1998, Fridrich proposed the first general architecture for chaos-based image ciphers. This architecture is composed of two stages: permutation and diffusion [10]. Under this structure, a plain image is first shuffled by a two-dimensional area-preserving chaotic map in the permutation stage, with the purpose of erasing the high correlation between adjacent pixels. Then the pixel values are modified sequentially using pseudorandom key stream elements produced by a certain qualified chaotic map in the diffusion procedure. Over the past decades, researchers have performed extensive analyses of this architecture, and improvements have subsequently been proposed [11–19]. The improvements lie in various aspects, such as novel permutation approaches [12–14], improved diffusion schemes [15, 16], and enhanced key stream generators [17–19]. Chaos-based ciphers have also been employed for medical applications [20, 21]. In [20], a chaos-based visual encryption mechanism for clinical electroencephalography signals is developed, whereas a bit-level medical image encryption scheme is built in [21].

Besides chaos-based encryption, compressive sensing (CS) [22, 23] has also been found to be a feasible way to build cryptosystems, where the sensing matrix can be viewed as the secret key [24]. It is suggested by Rachlin and Baron that CS can guarantee computational secrecy [25]. In [26, 27] Zhou et al. proposed combining chaos theory with CS and then building two secure image encryption schemes, whereas the quantization process is ignored. In [28], researchers proposed a joint quantization and diffusion approach based on the similarities between the error feedback mechanism of the quantizer and the cryptographic diffusion primitive.

In this paper, a medical image encryption and compression scheme using compressive sensing and a pixel swapping based permutation approach is proposed. The whole process consists of two stages, where the first one is the chaos-based CS procedure that is used to compress and provide the first level of protection, while the second procedure is a chaos-based permutation-diffusion encryption module. The chaotic Chebyshev map is employed to generate the Bernoulli sensing matrix for CS, and then it is reused in the second stage to produce the permutation key stream elements. In the diffusion procedure, the logistic map is introduced to generate the key stream to mask the plaintext. Simulations and extensive security analyses both demonstrate that the proposed scheme has satisfactory security and compression performance for practical medical applications. The proposed scheme is described in detail in the next section; simulation results and security analyses are presented in Section 3. Finally, conclusions are drawn in the last section.

#### 2. The Proposed Scheme

##### 2.1. CS with Cryptographic Features Embedded

The CS is a new framework for simultaneous sampling and compression of signals. For a length_ signal , it is said to be -sparse if can be well approximated using only coefficients under some linear transform , where is the sparsifying basis and is the transform coefficient vector with at most (significant) nonzero entries. Many natural signals are sparse or compressible, such as the smooth signals which are compressible in the Fourier basis, whereas natural images are mostly compressible in a wavelet or discrete cosine transform (DCT) basis. In CS, the signal is measured not via standard point samples but rather through the projection by a linear measurement matrix : where is the sampled vector with data points and represents acquisition matrix. The CS framework is attractive as it implies that can be faithfully recovered from only measurements, suggesting the potential of significant cost reduction in data acquisition [29]. Unlike the random linear projection in the sampling process, the signal recovery process from the received measurements is highly nonlinear. When satisfies the restricted isometry property (RIP), the reconstruction can proceed by solving the following -norm minimization problem [30]: At the receiver end, convex optimization algorithms [22, 23] or greedy pursuit methods such as Orthogonal Matching Pursuit (OMP) [31] can be employed for reconstruction.

The popular family of the measurement matrices is a random projection or a matrix of random variables, such as Gaussian or Bernoulli matrices. This family of measurement matrices is well known as it is universally incoherent with all other sparsifying bases, which is crucial for satisfying the RIP requirement. In our scheme, Bernoulli matrix as shown in (3) is introduced for signal projection. Here, represents the entry of the measurement matrix, and it has values with signs chosen independently and uniformly distributed:

As pointed out in [29], one of the challenging issues of CS in practice is to design a measurement matrix that satisfies optimal sensing performance; universality with almost all sparsifying basis; low complexity; and hardware/optics implementation friendliness. Traditional Bernoulli matrices meet the first two requirements whereas it is costly to generate, store, and transmit in practice. As a result, it is preferable to generate and handle the measurement matrix by one or more seed keys only. In this paper, we propose to construct the measurement matrix using chaotic Chebyshev map, as described in (4), where and are the control parameter and state value, respectively. As can be seen, the iteration results of Chebyshev map fall within :

For , the Chebyshev map will iterate once and then be quantized to the required format of by (5). In this strategy, the measurement matrix is under the control of chaotic sequence, which is generated by chaotic system with initial values and particular control parameter. In short, control parameter and initial state value can be combined as the keys. This facilitates the transmission and sharing that only requires a few values instead of the whole measurement matrix:

The use of CS for security purposes was first outlined in [24], where it is suggested that the measurements obtained from random linear projections can be treated as ciphertext as the attacker cannot decode it unless he knows in which random subspace the coefficients are expressed. Then in [32, 33], it is investigated that the Shannon perfect secrecy is, in general, not achievable by such a CS method while computational security can be achieved. In the proposed scheme, with the introduction of Chebyshev map, the CS is regarded as a joint encryption and compression procedure.
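Added example (not the authors' code): the seed-keyed measurement matrix of this subsection, sketched in Python. Equations (4) and (5) are not reproduced on this page, so the sketch assumes the standard Chebyshev map x_{n+1} = cos(k * arccos(x_n)) and a sign threshold at zero for the ±1 entries; the key values, burn-in length, test signal and function names are constructed for illustration.

```python
import math

def chebyshev_states(k, x0, count, burn_in=200):
    """States of x -> cos(k * arccos(x)) after discarding `burn_in` transient steps."""
    x, states = x0, []
    for step in range(burn_in + count):
        x = math.cos(k * math.acos(x))      # result always lies in [-1, 1]
        if step >= burn_in:
            states.append(x)
    return states

def bernoulli_matrix(m, n, k, x0):
    """m x n matrix of +1/-1 entries derived from the key (k, x0) alone."""
    s = chebyshev_states(k, x0, m * n)
    # Assumed quantizer: the sign of each chaotic state (threshold at 0).
    return [[1 if s[r * n + c] >= 0 else -1 for c in range(n)] for r in range(m)]

def measure(phi, x):
    """Compressive sampling y = Phi * x: m measurements of an n-sample signal."""
    return [sum(p * v for p, v in zip(row, x)) for row in phi]

def plus_share(phi):
    """Fraction of +1 entries; close to 0.5 for a balanced Bernoulli matrix."""
    flat = [e for row in phi for e in row]
    return flat.count(1) / len(flat)

def fraction_differing(a, b):
    """Fraction of positions where two equally sized matrices disagree."""
    pairs = [(ea, eb) for ra, rb in zip(a, b) for ea, eb in zip(ra, rb)]
    return sum(ea != eb for ea, eb in pairs) / len(pairs)

if __name__ == "__main__":
    M, N = 64, 128                                      # compression ratio M/N = 0.5
    K, X0 = 4.0, 0.3                                    # constructed key, not the paper's
    phi = bernoulli_matrix(M, N, K, X0)
    receiver = bernoulli_matrix(M, N, K, X0)            # same key, same matrix
    mismatch = bernoulli_matrix(M, N, K, X0 + 1e-10)    # key off by 1e-10
    signal = [math.sin(i / 9.0) for i in range(N)]      # constructed test signal
    y = measure(phi, signal)
    print("measurements:", len(y), "from", N, "samples")
    print("share of +1 entries:", round(plus_share(phi), 3))
    print("receiver matrix identical:", phi == receiver)
    print("entries changed by a 1e-10 key error:",
          round(fraction_differing(phi, mismatch), 3))
```

Only the pair (k, x0) has to be shared; a receiver whose key is off by 1e-10 rebuilds a matrix that disagrees with the sender's in roughly half of its entries.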

##### 2.2. Pixel Swapping Based Permutation Strategy

In traditional image permutation techniques, pixels are generally scrambled by a two-dimensional area-preserving chaotic map, without any modification to their values. Three types of chaotic maps, Arnold cat map, standard map, and baker map, are always employed [7, 9, 18]. All pixels are scanned sequentially from upper-left corner to lower-right corner, and then the confused image is produced. However, such permutation maps cannot be used for the proposed scheme. That is because the CSed image is generally not a square one. As pointed out in [7], Arnold cat map, standard map, and baker map are merely suitable for shuffling square images. When confusing a nonsquare plain image, extra pixels have to be padded to construct a square image firstly, and that would downgrade the efficiency of the cryptosystem.

Regarding this, a novel pixel swapping based permutation strategy (PSP) is developed for shuffling nonsquare images. In PSP, pixels of the plaintext and the ciphertext are represented by and from left to right, top to bottom, respectively. Each pixel in the plain image will be swapped with another pixel located after it, whose position is determined by a pseudorandom number acting as the current key stream element. Suppose that is the current pixel position and is the coordinate of the corresponding swapped pixel. The coordinate is calculated according to (6), where is the current permutation key stream element. In PSP, is obtained from the Chebyshev state variables produced in the CS procedure; the production formula is described in (7), where returns the nearest integer less than or equal to , and returns the remainder after division. In collaboration with (6), PSP can ensure that all of the pixel swapping operations are performed within the valid region:

Simulations have been performed to verify the image permutation performance of PSP; the results are demonstrated in Figure 1. The plaintext is shown in Figure 1(a), which is a deliberately customized CT image with size of 256 × 512 for PSP evaluation. Figures 1(b) and 1(c) are the shuffled images using 1 round and 2 rounds of PSP, respectively. Obviously, the permuted images are completely unrecognizable and bear no similarity to the plaintext, which means the plaintext has been effectively encrypted. Besides, the two noise-like images differ little from each other. In practice, one round is sufficient to hide the plain information and reduce the pixel correlation of the plain image, as the preferred case in our scheme illustrated in the next subsection.
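Added example (not the authors' code): a Python sketch of the pixel swapping permutation and its inverse on a nonsquare image. Equations (6) and (7) are not reproduced on this page, so the partner position `i + 1 + key mod (N - 1 - i)` and the key stream `floor(|x| * 10^14)` are assumed forms that only follow the prose description (floor, remainder, partner located after the current pixel, swaps inside the valid region); the key values and the 4 × 10 test image are constructed.

```python
import math

def permutation_keys(k, x0, count, burn_in=200):
    """Integer key stream taken from Chebyshev states (assumed form of (7))."""
    x, keys = x0, []
    for step in range(burn_in + count):
        x = math.cos(k * math.acos(x))
        if step >= burn_in:
            keys.append(math.floor(abs(x) * 1e14))
    return keys

def partner(i, n, key):
    """Assumed form of (6): a position strictly after i and never past n - 1."""
    return i + 1 + key % (n - 1 - i)

def psp_permute(pixels, keys):
    """Swap each pixel with a key-selected pixel located after it (row-major order)."""
    out = list(pixels)
    n = len(out)
    for i in range(n - 1):                  # the last pixel has nothing after it
        j = partner(i, n, keys[i])
        out[i], out[j] = out[j], out[i]
    return out

def psp_inverse(pixels, keys):
    """Undo psp_permute by replaying the same swaps in reverse order."""
    out = list(pixels)
    n = len(out)
    for i in range(n - 2, -1, -1):
        j = partner(i, n, keys[i])
        out[i], out[j] = out[j], out[i]
    return out

if __name__ == "__main__":
    ROWS, COLS = 4, 10                      # nonsquare, no padding needed
    image = list(range(ROWS * COLS))        # constructed pixels, all distinct
    keys = permutation_keys(4.0, 0.3, len(image))
    wrong = permutation_keys(4.0, 0.3 + 1e-10, len(image))
    shuffled = psp_permute(image, keys)
    for r in range(ROWS):
        print(shuffled[r * COLS:(r + 1) * COLS])
    print("same pixel values, new order:", sorted(shuffled) == image)
    print("correct key restores image:", psp_inverse(shuffled, keys) == image)
    print("key off by 1e-10 restores image:", psp_inverse(shuffled, wrong) == image)
```

The swaps only move pixels, so the histogram of the permuted data equals that of the input; changing the values is left to the diffusion stage.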


##### 2.3. Schematic of the Proposed System

The schematic of the proposed medical image encryption and compression system is shown in Figure 2. As can be seen, the proposed system consists of two primary procedures. The first one is the CS module with cryptographic features embedded, which is used to compress the plaintext and simultaneously provide the first level of encryption, with the initial value and control parameter of the introduced Chebyshev map serving as the secret key. The subsequent procedure is a permutation-diffusion type image cipher, which will extensively encrypt the quantized measurements produced in the CS stage. The latter procedure is an iterative module, in which PSP is employed for image permutation. Following the PSP is a typical diffusion operation as illustrated in (8), in which , , , and represent the current plain pixel, key stream element, output cipher-pixel, and the previous cipher-pixel, respectively. The key stream element used for masking is calculated by (9), where is the current state of the chaotic map: Chaotic logistic map is employed in our scheme for the generation of , which is described by where and are the control parameter and state value, respectively. If one chooses , the system is chaotic. The initial value and control parameter combine as the secret key. Note that there exist some periodic (nonchaotic) windows in the chaotic region of the logistic map. To address this problem, values corresponding to positive Lyapunov exponents should be selected for parameter , so as to keep the effectiveness of the cryptosystem [21].

The operation procedures of the proposed scheme can be described as follows.

*Step 1.* Iterate (4) with for times to avoid the harmful effect of transitional procedure, where is a constant.

*Step 2.* Iterate (4) times, and generate the measurement matrix using (5). Besides, for the first iterations, get the permutation key stream elements simultaneously according to (7).

*Step 3.* Compressively sample the plaintext according to .

*Step 4.* Quantize the measurement data through the Lloyd quantizer, which is known as an optimal quantizer in the mean square error sense.

*Step 5.* Confuse the quantized data according to (6) and (7), with the help of the permutation key stream elements produced in the second step.

*Step 6.* Iterate (10) with for times to avoid the harmful effect of transitional procedure constant.

*Step 7.* Iterate (10) continuously for times. For each iteration, obtain a diffusion key stream element according to (9).

*Step 8.* Calculate the cipher-pixel value using (8). For the first pixel, an initial value can be set as a seed.

*Step 9.* Repeat Steps 5–8 to satisfy the security requirement.

#### 3. Simulations and Security Analyses

In this section, simulation results of the proposed encryption and compression scheme are presented for validation. Four medical images with size are introduced as plaintexts, as shown in the first column of Figure 3, named as CT_Abdomen, CT_Paranasal_sinus, MR_Knee, and X_Lungs, respectively. The reconstruction algorithm for the CS module is OMP [31], and the sparsifying basis is discrete wavelet transform. The compression ratio is 0.5 for demonstration, which means . The algorithm is simulated in Matlab R2010a platform, and the secret key is randomly selected as , for Chebyshev map, and , for logistic map.

##### 3.1. Encryption Results

The results are shown in Figure 3, with the plaintexts and ciphertexts depicted in the first and third columns, respectively. It is obvious that the volumes of the ciphertexts have been compressed by half compared with those of the plaintexts. Besides, the ciphertexts are noise-like and unrecognizable from visual perception. We further verify the randomness of the ciphertexts from the statistical perspective. The histograms of the corresponding plaintexts are illustrated in the second column, whereas those of the ciphertexts are shown in the fourth column. Comparatively, the histograms of the ciphertexts are uniformly distributed and quite different from those of the plain images, which indicates that the redundancy of the plain image has been successfully hidden after the encryption and consequently does not provide any clue to apply statistical attacks.

At the receiver end, we use OMP to reconstruct the plaintexts; the recovered images are illustrated in the fifth column of Figure 3. From visual perception, one can observe that the recovered images contain meaningful information and there is no notable quality degradation compared with the plaintexts. We compute the Peak Signal-to-Noise Ratio (PSNR) as a numerical objective metric to evaluate the reconstruction quality. Under the compression ratio of 0.5 as shown in Figure 3, the recovered images have PSNRs of 33.8968 dB, 34.9182 dB, 36.7858 dB, and 36.1887 dB, respectively. All of the PSNRs exceeded 30 dB, which implies that the reconstruction quality was acceptable. From 0.1 to 0.9, PSNRs under different compression ratios are plotted in Figure 4, from which one can see that the PSNR can exceed 30 dB when the compression ratio is greater than 0.3. In practical medical applications, there is a large scale for the compromise between compression ratio and recovery quality.

##### 3.2. Key Space Analysis

The key space size is the total number of different keys that can be used in a cryptosystem. For an effective cryptosystem, key space should be large enough to make brute-force attack infeasible. In the proposed scheme, the keys consist of the initial value and control parameter of Chebyshev map and the initial value and control parameter of logistic map. It should be noted that should be restricted to a particular interval of to prevent Chebyshev map from producing periodic orbits. According to the IEEE floating-point standard [34], the computational precision of the 64-bit double-precision number is about . The total key space of the proposed scheme is which is large enough to resist brute-force attack.

##### 3.3. Pixel Correlation Analysis

For a medical image with meaningful visual content, each pixel is usually highly correlated with its adjacent pixels either in horizontal, vertical, or diagonal directions. An effective cryptosystem should produce ciphertexts with sufficiently low correlation between adjacent pixels. The following steps are performed to evaluate an image’s correlation property. 3000 pixels are randomly selected as samples; the correlations between two adjacent pixels in horizontal, vertical, and diagonal directions are calculated according to (12), where and are gray-level values of the th pair of the selected adjacent pixels, and represents the total number of the samples:

The correlation coefficients of adjacent pixels in the plain image and its cipher image are listed in Table 1. Furthermore, the correlation plots of two adjacent pixels are depicted in Figure 5. The high correlation of adjacent plain pixels can be observed in Figures 5(b), 5(c), and 5(d), as the dots are located along the diagonal. They are scattered over the entire plane in Figures 5(f), 5(g), and 5(h), which reflect the correlations of the ciphertext. Both the calculated correlation coefficients and the figures can substantiate that the strong correlation among neighboring pixels of a plain image can be effectively decorrelated by the proposed cryptosystem.


##### 3.4. Key Sensitivity Test

Extreme key sensitivity is a crucial feature of an effective cryptosystem and can be evaluated in two aspects: (i) completely different ciphertexts should be produced when slightly different keys are used to encrypt the same plaintext; (ii) the ciphertext cannot be correctly decrypted even if a tiny mismatch exists between the encryption and decryption keys.

To evaluate the key sensitivity of the first case, the encryption is carried out with a randomly chosen secret key to obtain a cipher image. Then a slight change is introduced to one of the parameters while all others remain unchanged, and the encryption process is repeated. The corresponding cipher images and differential images are shown in Figure 6. The differences between the corresponding cipher images are computed and listed in Table 2. It is clear that a tiny difference in the secret key causes substantial changes between the corresponding cipher images.


Furthermore, decryption using keys with slight alterations as described previously has also been performed, so as to evaluate the key sensitivity of the second case. The deciphered images are shown in Figure 7. It is obvious that all of the incorrectly deciphered images are completely unrecognizable and cannot reveal any perceptive information of the plaintext, which demonstrates the failure of reconstruction when using a neighboring key.


##### 3.5. Entropy Analysis

Information entropy is a significant property that reflects the randomness and the unpredictability of an information source. It was firstly proposed by Shannon in 1949, and the entropy of a message source is defined in (13), where is the source, is the number of bits to represent the symbol , and is the probability of the symbol . For a truly random source consisting of symbols, the entropy is . Therefore, for a secure cryptosystem, the entropy of the cipher image with 256 gray levels should ideally be 8:

The entropies of the introduced medical images and their ciphertexts are listed in Table 3. It is obvious that the entropies of the cipher images are very close to the theoretical value of 8, which means that the information leakage in the encryption procedure is negligible and the proposed cryptosystem is secure against entropy attack.
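Added example (not from the paper): the statistics of Sections 3.3 and 3.5 computed in Python on constructed data. Equations (12) and (13) are not reproduced on this page, so the code assumes the usual Pearson correlation coefficient over 3000 randomly sampled adjacent pairs and the Shannon entropy of the gray-level histogram; the three images are synthetic stand-ins (a smooth image, the same pixels shuffled, and uniform random bytes), not the paper's medical images or ciphertexts. It also shows that a pure pixel shuffle removes adjacent-pixel correlation while leaving the entropy unchanged, because entropy depends only on the histogram.

```python
import math
import random
from collections import Counter

STEPS = {"horizontal": (0, 1), "vertical": (1, 0), "diagonal": (1, 1)}

def entropy_bits(pixels):
    """Shannon entropy in bits per pixel of the gray-level histogram."""
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in sorted(Counter(pixels).values()))

def adjacent_correlation(img, rows, cols, direction, samples=3000, seed=0):
    """Correlation coefficient of randomly sampled adjacent pixel pairs (row-major img)."""
    dr, dc = STEPS[direction]
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(samples):
        r, c = rng.randrange(rows - dr), rng.randrange(cols - dc)
        xs.append(img[r * cols + c])
        ys.append(img[(r + dr) * cols + c + dc])
    mx, my = sum(xs) / samples, sum(ys) / samples
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def constructed_images(rows=64, cols=128):
    """Synthetic test data: smooth image, same pixels shuffled, uniform random bytes."""
    smooth = [64 + (r + c) // 4 for r in range(rows) for c in range(cols)]
    shuffled = list(smooth)
    random.Random(1).shuffle(shuffled)       # stand-in for a permutation-only stage
    rng = random.Random(2)
    noise = [rng.randrange(256) for _ in range(rows * cols)]
    return smooth, shuffled, noise

if __name__ == "__main__":
    ROWS, COLS = 64, 128
    for name, img in zip(("smooth", "shuffled", "noise"), constructed_images(ROWS, COLS)):
        corr = [round(adjacent_correlation(img, ROWS, COLS, d), 4) for d in STEPS]
        print(f"{name:9s} entropy={entropy_bits(img):.4f}  corr(h, v, d)={corr}")
```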

#### 4. Conclusions

In this paper, a medical image encryption and compression scheme has been proposed. We employed compressive sensing to firstly compress and encrypt the plaintext, and the measurement matrix is generated using chaotic Chebyshev map. Then the quantized measurements are subsequently encrypted using chaos-based permutation-diffusion cipher to further enhance the security. Simulations and security analyses have demonstrated the satisfactory compression and encryption performances of the proposed scheme.

#### Conflict of Interests

The authors declare no conflict of interests.

#### Acknowledgment

This work was supported by Programs for Science and Technology Development of LiaoNing Province (no. 2013225036-13, Research on Regional Collaborative Medical Imaging Information Platform; no. 2013225089, Research on Imaging of Children’s Congenital Heart Disease Using Multi-Slice CT).