ALCencryption: A Secure and Efficient Algorithm for Medical Image Encryption

: With the rapid development of medical informatization and the popularization of digital imaging equipment, DICOM images contain the personal privacy of patients, and there are security risks in the process of storage and transmission, so it needs to be encrypted. In order to solve the security problem of medical images on mobile devices, a safe and efficient medical image encryption algorithm called ALCencryption is designed. The algorithm first analyzes the medical image and distinguishes the color image from the gray image. For gray images, the improved Arnold map is used to scramble them according to the optimal number of iterations, and then the diffusion is realized by the Logistic and Chebyshev map cross-diffusion algorithm. The color image is encrypted by cross-diffusion algorithm of double chaotic map. Security and efficiency analysis show that the ALCencryption algorithm has the characteristics of small neighboring pixels, large key space, strong key sensitivity, high safety and short encryption time. It is suitable for medical image encryption of mobile devices with high real-time requirements.


Introduction
With the progress of information technology and medical field, there is a growing demand for DICOM images to be transmitted through public network. DICOM images contain patients' privacy data. In order to ensure the safe access of medical images, encryption processing is required. DICOM image encryption algorithm based on chaos theory is a recognized new method with high security, fast and effective. According to the dimension of chaos, this algorithm can be divided into one-dimensional, multi-dimension and mixed chaotic mapping.
Most medical image encryption schemes only use a single chaotic map to transform and diffuse image pixels. Hu et al. [1] scrambled the image pixels with the real random numbers generated by chaotic sequences as the key, which was 100 times faster than scrambling the images with AES, but did not diffuse the pixel values, affecting the security of encryption. Sathishkumar et al. [2] proposed a medical image encryption algorithm based on double chaos, which is transformed and scrambled by chaotic cyclic shift. Kanso et al. [3] used Cat mapping to scramble image pixels. Fu et al. [4] used Arnold Cat mapping to eliminate the correlation between adjacent pixels, and used Logistic mapping to achieve pixel confusion between plaintext image and ciphertext image. The medical image encryption algorithm based on one-dimensional chaotic mapping has the advantages of low algorithm complexity, simple implementation and fast encryption speed, but it has the disadvantages of uneven key distribution, limited unstable range of chaotic sequence, insufficient security in resisting differential attacks, choosing plaintext attacks and choosing ciphertext attacks.

Related Work
In order to make up for the shortage of one-dimensional chaotic image encryption, many researchers use high-dimensional chaotic map for medical image encryption. Fu et al. [5] used three-dimensional Chen chaotic mapping to carry out displacement and diffusion of DICOM image pixels, enhancing the security of attacks on known and selected plaintext. Chandrasekaran et al. [6] proposed a DICOM image encryption algorithm combining number theory method with Henon mapping, where key matrix is scrambled and chaotic controlled by Henon mapping, which can effectively resist statistical and differential attacks. Seyedzadeh et al. [7] proposed a color image encryption algorithm based on two-dimensional piecewise nonlinear chaotic mapping, which is characterized by high sensitivity, high security and high speed. In the medical image encryption algorithm with high dimensional chaos, three or four variables are generally used to transform the image pixels, which obviously enhances the security of the algorithm, but also increases the complexity and computational overhead of the algorithm.
Considering the advantages and disadvantages of one-dimensional and higher-dimensional chaotic maps, some researchers have begun to study medical image encryption algorithms that combine chaotic maps from multiple dimensions. Dai et al. [8] proposed a medical image encryption method based on the combination of Logistic mapping and Chebyshev mapping. By setting the parameters of Logistic mapping reasonably, this method firstly used Logistic mapping to encrypt the original image, and then used Chebyshev mapping to encrypt it again. This algorithm has higher transmission security and larger key space. Zhou et al. [9] proposed an image encryption method based on the combination of three one-dimensional chaotic maps, which has higher security and lower computing cost compared with higher-order chaotic maps. Ravichandran et al. [10] proposed a new encryption scheme based on Logistic, Tent and Sine chaotic mapping, which provided better protection for real-time medical image security applications. Boussif et al. [11] proposed an image encryption algorithm based on matrix product and separate addition, which realized the secure transmission of encrypted medical images by smart phones. The encryption algorithm has the characteristics of low real-time operation complexity and high security in embedded systems. Wen et al. [12] applied the DNA sequence and the chaotic system used to encrypt the sub-view image. Due to the limited processing capacity of smart mobile devices, the encryption algorithm based on hybrid chaos takes into account both security and timeliness, so it is very suitable for medical image encryption on mobile devices.

Algorithm Design Idea
Shannon proposed that the basic principle of designing encryption algorithm is scrambling and diffusion, which is usually performed on the plaintext image for many times to make the image become chaotic [13][14][15][16][17][18]. DICOM images have color and gray images, endoscopy and pathological section images are color ones, while X-ray, CT, MRI and ultrasound images are gray ones. Most of the images in DICOM are grayscale. Since the values of the three channels of RGB are equal, the grayscale images need to be fully scrambled before diffusion. Arnold mapping has the characteristics of good chaos, simple and easy to implement, so the encryption algorithm is often used to scramble the image.
Arnold mapping can only scramble N × N images, which is not applicable for most medical images. Therefore, Arnold mapping needs to be improved to make it enable to scramble M × N images, the improved equation as shown in formula (1)-(3) [19][20][21].
The Image I M×N is scrambled to be I M×N , (x i , y j ), (x i , y j ) respectively which represents the positions of pixel points before and after scrambling, i ∈ [1, M], j ∈ [1, N], a and b are positive integers. Using formula (4)-(6), we can calculate the scrambling degree and mean value of n-order images after each Arnold mapping.
The d(x i , y j ) represents the pixel moving distance value, E(d) represents the average value of the moving distance of the entire image, SH n represents the n-order scrambling degree, and a k represents the weighting coefficient, which is set according to the effect of different order distance on the scrambling degree. In other words, the smallest pixel pair is scattered as far as possible first, and then the second pixel pair is dispersed. The larger the SH n value, the more chaotic the image pixels. When the image is scrambled by Arnold mapping, the scrambling effect of the image is related to the iteration times, and the reasonable iteration times can be selected according to the scrambling degree. When the SH n value is the maximum, the number of iterations is the best, and so is the scrambling effect of the image. In general, the optimal scrambling number of images is around half of the Arnold transformation period, so the optimal scrambling degree can be obtained with a small amount of computation. Therefore, when Arnold mapping scrambling is performed on DICOM images, the corresponding number of iterations can be selected according to the optimal scrambling degree, which can not only achieve the best scrambling effect of images, but also reduce the number of iterations and the time cost of scrambling. For the diffusion of DICOM images, a dual chaotic crossdiffusion method based on Logistic mapping and Chebyshev mapping proposed by the author in literature [20,21] was used.
Combining the characteristics of mobile platform and DICOM image, we proposed a medical image encryption algorithm ALCencryption based on hybrid-chaotic mapping by using improved Arnold mapping, Logistic mapping and Chebyshev mapping. The algorithm first analyzes the real image part of DICOM image and distinguishes whether the image is color one or gray one. For DICOM gray scale image, the improved Arnold mapping is adopted to select the best iteration times according to the maximum scrambling degree, so as to achieve the best scrambling effect of DICOM image, while reducing the iteration times and the time cost of scrambling. Then, key generated by Logistic mapping and Chebyshev mapping cross iteration was used to spread the pixel position in the way of forward and backward cross diffusion based on parity, and the image encryption was completed. For DICOM color images, double chaotic cross diffusion encryption algorithm based on Logistic mapping and Chebyshev mapping proposed in literature [20,21] was used to realize encryption. The algorithm flow chart is shown in Fig. 1.
Pixels are odd?
Parse image Improved Arnold scrambling

Yes No
Is the pixel taken?

ALCencryption Algorithm Implementation
The ALCencryption algorithm implementation includes the following steps: Step 1: Input DICOM image DI; Step 2: Analyze the DICOM image to get information such as the pixel value, image size, and image type (color or grayscale image); Step 3: Parameters µ (µ ∈ (3.5699456, 4]) of Logistic mapping and k (k ≥ 2) of Chebyshev mapping are generated randomly; Step 4: Generate random keys key L (key L ∈ (0, 1)) and key C (key C ∈ [−1, 1]), where key L is the initial key for Logistic mapping iteration, and key C is the initial key for Chebyshev mapping iteration; Step 5: If the DI is a color image, encrypt it using µ, k, key L , key C and an image encryption algorithm based on cross diffusion of double chaotic maps, then go to Step (12); Step 6: If DI is a grayscale image, use improved Arnold mapping to scramble its pixel position according to the optimal number of iterations, and then convert it into a one-dimensional matrix DI [0, M * N − 1]; Step 7: Take key L as the initial key, use Logistic mapping to iterate n times (eliminate the influence of transient, use it for 80 times in the experiment), and then use Logistic mapping to iterate for 1 time to save the result in key L , which is key L = Logistic (key L ), as the initial key of Chebyshev mapping; Step 8: Take key C as the initial key, iterate n times with Chebyshev mapping (eliminate the influence of transient, and use it for 80 times in subsequent experiments), take the absolute value of the result of one iteration with Chebyshev mapping and save it in key C , that is, key C = ABS (Chebyshev (key C )), as the initial key of Logistic mapping; Step 11: If all the pixels in DI have been traversed, skip to Step (12), otherwise repeat Steps (9)-(10); Step 12: Output ciphertext image DC. Fig. 2 shows the ALCencryption described in C++ language.

Algorithmic Complexity
In the C++ language description of the ALCencryption algorithm, the time complexity of statements 13, 14 and 15-21 is O(n), while the time complexity of statements 24-41 is O(n * n), so the time complexity of the ALCencryption algorithm is T(n) = O(n + n + n + n * n) = O(n 2 ). The space complexity of the ALCencryption algorithm is the memory space required to store the array of image pixels, that is, S(n) = O(n).

Experimental Results and Analysis
The proposed ALCencryption algorithm is implemented in OpenCV 2.4, MATLAB R2014b, DCMTK in Windows 7 platform. The system configuration includes Intel core i5-7200 processor operating at 2.5 GHz and 4 GB RAM.
We comprehensively considered the image type, image size, image bit depth and other factors, and selected 10 medical images downloaded from http://www.barre.nom.fr/medical/samples/ as test samples, as shown in Tab. 1. Fig. 3 represents the sample DICOM images and Fig. 4 represents the corresponding encrypted ones.

Histogram Analysis
The histogram of a DICOM image is a function of image brightness level, which describes the number of pixels and frequency of each brightness level [22]. The abscissa of the histogram is the brightness level, and the ordinate is the frequency or number of pixels of the brightness level.
During the period of encryption, image pixel values vary widely due to the diffusion effect, the histograms of plain and encrypted DICOM images in Figs. 5 and 6 are completely different from each other. Since the histogram of the encrypted image is evenly distributed without revealing any information about the image, it can be concluded that the proposed ALCencryption algorithm can completely resist the attack of statistical analysis.

Pixel Correlation Analysis
The correlation coefficients of two adjacent pixels reflect the statistical characteristics of the image [23]. Therefore, the correlation coefficient of ciphertext image should be close to zero to withstand the statistical attack [24]. We encrypted the D_CT_1 grayscale medical image and D_US_9 color medical image, randomly selected 3000 pairs of adjacent pixel points from the plaintext image and ciphertext image, and calculated the correlation coefficient of adjacent pixels in the horizontal, vertical and diagonal directions according to formula (7)- (11).
The correlation distribution of original and encrypted DICOM image sample is illustrated in Fig. 7. From Tab. 2, we see that adjacent pixels are strong correlated in the original DICOM image and almost irrelated in the encrypted DICOM image, our method shows smaller pixel correlation coefficients than other methods in the literature [6,25,26], which is higher than that in the literature [27]. It could be inferred that the proposed algorithm breaks the correlation between the pixels in each direction, and the statistical characteristics of the original image are randomly diffused to the cipher image, which can safely resist statistical analysis.

Information Entropy Analysis
The closer the information entropy is to the image bit depth, the better the randomness of the image pixel is. Using formula (12), we can calculate the image information entropy of the original image and the encrypted image, and the calculated results are shown in Tab. 3. Our encrypted DICOM images have larger entropy than the original one and method [6,[26][27][28], which is equal to the information entropy of the method [27], which means the encrypted image is more random and more secure.

Key Sensitivity Analysis
Key sensitivity is an important index to measure the strength of encryption algorithm. For an effectively encrypted system, a small change in any one key should result in a completely different output. We take K 1 as the correct key, K 1 and K 2 parameters were set as follows: K 1 = Key C = 0.678, Key L = 0.567, µ = 3.894762, k = 3.0, a = 32, b = 21, K 2 = Key C = 0.678 + 10 −16 , Key L = 0.567, µ = 3.894762, k = 3.0, a = 32, b = 21. The waveform of key changes when decrypted D_MR_5 image using K 1 and K 2 is shown in Fig. 8. It can be seen from the waveform diagram that the difference of key is obvious when the key changes only 10 −16 .

Key Space Analysis
If the key space is large enough, then the cryptographic system can resist violent attacks. Our proposed algorithm uses 10 keys and controlled parameters, namely x i , x j , a, b, k, µ, Key L , Key C , Key LC and Key CL are computed in the accuracy of 10 −16 . So the total key space is (10 16 ) 10 = 10 160 . Our key space is larger than the existing works [6,25,26] and smaller than literature [25,27], which is sufficiently large to resist all presently known brute-force attacks, as shown in Tab. 4.

Differential Attack Analysis
The sensitivity of encryption algorithms to differential attacks can be quantitatively evaluated by NPCR (number of pixels change rate) and UACI (unified average changing intensity). We compute those two values from encrypted DICOM image samples according to formula (13), (14) as shown in Tab. 5. In general, the larger the value of NPCR and UACI, the better the sensitivity of the algorithm. Our method is superior to the literature [6,22,27] in both NPCR and UACI and lower than literature [26] in UACI of some samples from Tab. 5, hence it can effectively resist differential attacks. where

Chosen-Plaintext Attack
As we all know, once the cryptosystem has the ability to resist selected plaintext attacks, then it can also resist known plaintext and known ciphertext attacks. With the same key set and plaintext image, different ciphertext images are usually generated when the encryption algorithm is repeated for different times. We used the same key set and algorithm to encrypt D_OT_3 DICOM image twice to obtain two ciphertext images in Fig. 9. The first and second encrypted D_OT_3 DICOM image are referred to as DE 1 (Fig. 9b) and DE 2 (Fig. 9c), respectively. In order to prove the difference between the two images, we calculate |DE 1 -DE 2 | use pixel-to-pixel difference. The difference image and its histogram (Figs. 9d and 9h) illustrate that the two cipher images obtained by changing the encryption times are completely different. It shows that our algorithm can resist the Chosen-Plaintext Attack.

Figure 9:
Chosen plain text attack analysis: (a, e) the D_OT_3 image and its histogram, (b, f) the first encrypted D_OT_3 image and its histogram, (c, g) the second encrypted image and its histogram, (d, h) difference image (b, c) and its histogram

Time Analysis
Under the same operating environment of Windows platform, we encrypted the DICOM sample images in Tab. 1 for 100 times to calculate the average encryption time. The results are shown in Tab. 6. As can be seen from Tab. 6, the ALCencryption algorithm is obviously superior to the algorithm in literature [6,26] in encryption and decryption time. With the increase of image pixels, the key generation time and encryption time of the ALCencryption algorithm increase slowly, because scrambling and key generation are carried out at the same time, the optimal iteration times are selected to reduce the time cost of scrambling, and the number of Logistic and Chebyshev mapping iterations did not increase.
We applied the ALCencryption algorithm to the Android platform to analyze the encryption and decryption time of DICOM images. The hardware and software required for the experiment include Android Smartphone platform, Kirin 960 processor operating at 2.4 GHz, 4 GB RAM, and Android 9.0 OS. In order to verify the efficiency of our algorithm applicable to the Android platform, 17 medical images of different sizes were encrypted for 100 times in the same operating environment, and the average time of encryption and decryption was calculated. The calculated results are shown in Tab. 7. As can be seen from Tab. 7, the encryption and decryption time is within 10 ms if the image size is less than 100 KB. When the image size is 512 KB, the average encryption time is 206.6 ms and the average decryption time is 191.1 ms. It can be seen from the above data that the encryption and decryption time does not increase as the image size doubles. When the image size increased from 256 K to 2. From the above data, it can be seen that the encryption and decryption time required by the algorithm increases significantly, but the encryption and decryption time is less than 0.7 s. Since the size of most medical images is less than 3 M, the speed advantage of this algorithm is obvious. When the image size is 12.5 MB and 15.3 MB, the encryption time needs 4.51 s and 5.58 s respectively, and the decryption time needs 3.86 s and 4.79 s respectively, which increases significantly, mainly because the image pixel matrix gets larger, the scrambling period of Arnold mapping increases, and the xor operation of pixel point diffusion increases. Although images of more than 10 MB are relatively few in actual use, the algorithm encryption and decryption speed is also fast for mobile phones with weak computing power.

Conclusions
In order to ensure the security of medical image in storage and network transmission, we proposed a hybrid mapping algorithm of ALCencryption for medical image encryption based on Logistic, Chebyshev and improved Arnold mapping. It is proved that the algorithm has high security from the aspects of encryption and decryption effect, histogram analysis, pixel correlation analysis, information entropy analysis, key sensitivity, key space, differential attack and selective plaintext attack. According to the optimal scrambling degree of Arnold mapping, the iteration times are determined, which does not only reduce the iteration frequency and time, but also makes the image scrambling effect the best. In future, the proposed algorithm will be implemented on Picture Archiving and Communication Systems to ensure the safe and efficient transmission of DICOM images.