Verifiable Privacy Preservation Scheme for Outsourcing Medical Image to Cloud Through ROI Based Crypto-Watermarking

1. Introduction

With the explosive growth in the amount of multimedia content, as one of the most important computing paradigms emerged in recent years, cloud computing has become an effective means for user to manage data. By outsourcing the data to the cloud server, the large enterprises as well as individual users can dynamically increase their storage space without buying any storage devices, and it also can reduce the costs for purchasing hardware equipment, managing enterprise data and maintaining the system [1,2,3].

While enjoying the abundant storage and computation resources for cost saving and flexibility, the security and privacy of outsourced data also become great concerns for people. Because the cloud service providers (CSPs) are considered ‘‘honest but curious” under cloud environment, and many popular social network providers also exploit the outsourced personal image data to conduct behavioral advertising and preference analyses for improving user experience, some attackers also want to find the valuable information from the network. To provide privacy and security guarantees, people have proposed many kinds of schemes to protect the sensitive multimedia data outsourced to the cloud [4,5,6].

At present, encryption and digital watermarking are two widely used means for protection of images such as medical images in the cloud [7,8,9,10,11,12,13,14,15]. For the encryption scheme, Kanso et al. proposed a full and selective chaos-based image encryption scheme suitable for medical image encryption applications [9]. Fu et al. proposed medical encryption based on bit plane permutation and pixel substation [10]. Lima proposed fast medical images encryption scheme based on the cosine number transform [11]. For the watermarking algorithms, people usually apply reversible watermarking algorithm to embed watermarking into the medical image, the original image can be totally restored when the watermarking is extracted [12,13,14]. Moreover, some schemes can detect the tampers inside region of interest and recover original region of interest [14]. Regarding the above algorithms, encryption algorithms are effective and have better performance for protection of medical images, but they can’t identify and locate the tampered position when the encrypted image is modified; digital watermarking algorithms based scheme can offset the defects of encryption algorithm, but watermarked image is visually the same as the original image, it is not suitable for privacy protection, especially not suitable for outsourcing the images to the cloud.

Based on the characteristics of the encryption and digital watermarking algorithms, people have proposed crypto-watermarking scheme by combining watermarking and encryption algorithm to protect image [16,17,18,19,20,21,22,23,24]. One way of using crypto-watermarking scheme is that image is firstly encrypted, and then watermarking is embedded in encrypted domain [16,17,18,19,20,21]. For example, Priyanka et al. proposed a reversible information hiding scheme in encrypted domain, this scheme can securely transmit the media information over cloud architecture and prove rightful ownership of media using Chinese Remainder Theorem (CRT) based secret sharing algorithm [18]. Zhang et al. presented a reversible data hiding in reversible image transformation domain [19]. Priyanka recently gave a reversible data hiding scheme based on Shamir’s secret sharing for color images over cloud, the scheme permits the rightful owner to extract the information either directly from the cloud servers or after recovery of the media [20].

Another kind of crypto-watermarking scheme is that watermarking is firstly embedded into the original image, and then watermarked image is encrypted [22,23,24,25]. For example, Dalel Bouslimi et al. proposed a joint encryption/watermarking system for protection of medical images based on substitutive watermarking algorithm, the quantization index modulation and an encryption algorithm. The scheme can verify integrity of restored image even though the image is stored in encrypted form [23]. Sangita Zope-Chaudhari et al. showed a crypto-watermarking scheme by combining wavelet-based watermarking and multiplicative-transposition-based encryption to protect multispectral images [24]. Xiang et al. studied a crypto-watermarking scheme for resource-limited client, in the scheme, the client is responsible for embedding information, while cloud server implements encryption based on chaotic systems [25]. Recently, Gao et al. presented random grid and reversible watermarking based verifiable secret sharing scheme for outsourcing image into the cloud, in the scheme, original secret image is divided into some sub-images, and reversible watermarking is used for embedding hash value of the secret image into the image itself, then encryption are implemented to generate some sharing secrets, which are outsourced into the cloud, the scheme can restore the original secret image without any loss, and can verify the integrity of the restored image[26].

Medical images are a class of special images with specific characteristics and requirements. Any imperfects in image, especially in the region of interest (ROI) will result in misdiagnosis [27,28,29]. These strict specifications regarding the quality of medical images must be met when security and privacy are considered. In this paper, a novel verifiable privacy preservation scheme for outsourcing medical image to cloud through region of interest (ROI) based crypto-watermarking is proposed. In the scheme, data owner firstly calculates the hashes of the ROI blocks of medical image, and executes substitution of S-box for ROI and separation of bit plane. Secondly, data owner embeds the hashes into the separated bit plane images. Lastly, some hashes are transformed into the initial value and parameters of chaotic maps, and encryption for two bit plane images is implemented to get two sharing secrets, which are outsourced to the different cloud servers. For any authorized user who wants to access the image, he firstly gets secret key from the data owner, downloads the corresponding sharing secrets; and then he can decrypt the sharing secrets and extract the data embedded in the sharing secrets. Thus he can confirm whether the restored image is the same as the original one, and moreover, he can also locate the tampered parts if the sharing secrets are damaged. Large numbers of experiments show the effectiveness of proposed scheme.

The highlights of the paper lie in the following points:

(1) Compared with state-of-the-art schemes, the proposed crypto-watermarking scheme for medical image can verify the integrity of recovered image; it can also identify the tampered blocks inside ROI. This is especially suitable for the application of outsourcing medical image to the cloud.

(2) In the proposed scheme, the sharing secrets have good performance of privacy protection. Attackers can’t get any available information from the sharing secrets.

(3) The secret key of the scheme depends on image itself; different images use different secret keys. Damages to anyone of sharing secrets will affect the recovery of original image.

The rest of the paper is organized as follow: Section 2 introduces the reversible watermarking and S-box. Section 3 presents the proposed method in detail. The simulations and analyses are reported in Section 4. The conclusion is given in Section 5.

2. Preliminaries

In this section, some concepts and knowledge such as S-box and reversible watermarking used in the proposed scheme are first reviewed.

2.1. Reversible watermarking

Digital watermarking can be used for the copyright protection, tamper detection, traitor tracing of multimedia through embedding some specific data into the image [30,31,32,33]. Reversible watermarking, also known as lossless watermarking is a technique to embed the watermark into a digital content in a reversible way, the original multimedia can be totally restored when the digital watermarking is extracted, this characteristic makes it suitable for the protection of important multimedia data such as medical and military images. One of the most widely used algorithms is histogram shifting-based methods (HS) [32]; it is reviewed in the following.

For a gray image, the histogram of the image is first presented. Then the data pair $\left(h_z,h_p\right)$ is found, where, $h_p$ is a peak point of histogram, and $h_z$ is a zero point in the histogram. The histogram shifting based watermarking algorithm can be implemented in the following steps.

(1) Scan all the pixels of the image, if the pixel value satisfies the condition

$$h_z+1\le p\le h_p-1$$

(1)

then, let $p=p-1$, where, p is the value of the pixel.

(2) Watermarking embedding. Scan all the pixels, if the pixel value is equal to $h_p$, the watermarking is embedded according to formula (2)

$$\{\begin{array}{c}{h}_p=h_p-1 if w=1\\ h_p=h_p if w=0 \end{array}$$

(2)

where, w is watermarking bit.

The process of watermarking extraction and restoration of the original image are given in the following.

(1) Watermarking extraction. Scan all the pixels of the watermarked image, if the pixel value is equal to $h_p$, then extracted watermarking bit is 0; if the pixel value is equal to$h_p-1$, then bit 1 is extracted;

(2) Restoration of the original image. Scan all the pixels of the watermarked image, if the value of pixel is equal to$h_p-1$, then, let add the pixel value by 1, this operation restores the peak point of the image. Next, the original image will be lossless restored by formula (3)

$$p=p+1if h_z\le p\le h_p-2$$

(3)

Figure 1 illustrates the process of HS based watermarking embedding. The distribution of pixels of image is given in the Figure 1(a). It can be seen that pixel value 133 is the peak point, and the 234 is the zero point. Then, shift the pixels between 134 and 233 to the right and it results in distribution of pixel as described in Figure 1(b). After the shifting, the adjacent pixel value (134) of peak point is changed into the zero point, as shown in Figure 1(c). Thus, the watermarking embedding can be conducted through pixel value 133 and 134. Further, Figure 1(d) displays the histogram information embedding process more intuitively.

(d)

2.2. S-boxes

Substitution boxes (S-boxes) are the most essential parts of modern cryptographic applications. S-boxes are multi-input and multi-output boolean functions that map binary input to binary output values [34]. S-boxes with high cryptographic features have been used in encryption to resist differential cryptanalysis. The Rijndael S-box shown in Table 1 is a square matrix, which the Advanced Encryption Standard (AES) crptographic algorithm is based on. In order to enhance the security of algorithm, the Rijndael S-box is used for substitution of pixel in the proposed scheme.

3. Proposed scheme

In order to protect privacy of the data, data owner often encrypts data before it is outsourced to the cloud. Some roles based on real application for outsourced data management are data owner, authorized user and cloud server, as depicted in Figure 2.

Data owner：He has some set of files $\mathrm{C}=\left(F_1,F_2,\cdots ,F_n\right)$. He wants to outsource these files to the cloud server in the encrypted form. And he also hopes that these files can be searched by a series of keywords $=\left(w_1,w_2,\cdots ,w_m\right)$ . In order to protect the file from attacks, he hopes to create secure ranked searchable index from keyword and store them on the cloud server.

Authorized user: He hopes to get the files relevant to certain or some keywords submitted to cloud server, the cloud server selects the corresponding files, and he can download the files from the cloud, and then decrypt it.

Cloud server: It stores the files and keyword index. When it receives the request from the user, it can inquiry index and return the search results according to some ranked relevance criteria.

In this paper, what we concern is how to outsource the image to the cloud safely, such that for authorized user, he can verify the integrity of the file when he downloads the file. The detailed scheme is given in next subsections.

3.1. Generation of sharing secret

To generate the sharing secret, the following steps are followed to achieve the goal.

(1) Manually partition the original image into ROI and non-ROI sections, and the coordinate of upper left of the ROI is given by $\left(x_1,y_1\right)$, and the coordinate in lower right is recorded by $\left(x_2,y_2\right)$.

(2) Divide ROI into some no overlapping sub-blocks with the size of $16\times 16$, the corresponding number of block is $\mathrm{m}=\frac{\left(y_2-y_1\right)\times (x_2-x_1)}{256}$. Next, the 256-bits hash is calculated for every block. These hashes are represented by $H_1,H_2,\cdots ,H_m$.

(3) Transform every $H_i,\left(i=1,2,\cdots ,m\right)$ expressed by$h_1,h_2,\cdots ,h_{256 }$ into 128-bits by formula (4).

$$h_i^{\text{'}}=h_i�h_{i+128},i=1,2,\cdots ,128$$

(4)

(4) Conduct substitution of pixels value for the ROI using S-box. Firstly, for every pixel value p in ROI, extract its high 4-bits and low 4-bits, respectively, they can be named $H_{bits}$ and $L_{bits}$. Next, replaces the pixel value of ROI with the value of S-box in the coordinate position of $\left(H_{bits},L_{bits}\right)$. $H_{bits}$stands for the row, and$L_{bits}$stands for column in the S-box. The generated image after S-box substitution is expressed by $I_{SROI}$.

(5) Bit plane separation. Separate the image$I_{SROI}$ into two images $I_{SROI-MSB}$ and $I_{SROI-LSB}$, where, $I_{SROI-MSB}$ is generated by the most significant bits (MSBs), which is the high 4-bits of the$I_{SROI}$, and $I_{SROI-LSM}$ is generated by the least significant bits (LSBs), which is the low 4-bits of the $I_{SROI}$. The process of bit plane separation is depicted in Figure 3.

(6) Embed the hashes$H_i,i=1,2,\cdots ,m$ of 128 bits into the two images,$I_{SROI-LSB}$ and $I_{SROI-MSB}$ based on HS method. The produced images are labeled by $I_{SROI-LSB-HE}$ and $I_{SROI-MSB-HE}$.

(7) Select secret key for image diffusion. Select the number$\mathrm{t}=\frac{\left(y_2-y_1\right)\times (x_2-x_1)}{512}$, the following steps are used to generate two sharing secret images.

1) Divide$H_{1,\mathrm{...},t}$of 128-bits, expressed by $h_1{h}_2\cdots h_{128}$ into two sections, every section has 64 bits, then convert $h_1{h}_2\cdots h_{64}$ into some integers, respectively.

$$\{\begin{array}{l}u=\begin{array}{ll}\begin{array}{cc}\begin{array}{cc}{h}_1{h}_2{h}_3& \end{array}& \end{array}& \end{array}\\ k=h_4{h}_5{h}_6{h}_7\\ N_0=h_8{h}_9{h}_{10}{h}_{11}{h}_{12}{h}_{13}{h}_{14}{h}_{15}{h}_{16}{h}_{17}{h}_{18}{h}_{19}\\ x_0={10}^{-14}\times h_{20}{h}_{21}\cdots h_{64}\end{array}$$

(5)

Obviously,$u\in \left[0,7\right]$,$k\in \left[0,15\right]$,$N_0\in \left[0,4095\right]$,$x_0\in [0,0.35184372088831]$.Then, u,$N_0$ and k are transformed with the following constraints.

$$\{\begin{array}{c}u=u+0.5212882 if u=0\\ k=\{\begin{array}{cc}k& \begin{array}{cc}8\le k\le 15& \end{array}\\ k+12& 0\le k<8\end{array} \\ \\ N_0=\{\begin{array}{c}{N}_0\begin{array}{ccc}& 3000\le N_0\le 4096& \end{array}\\ N_0+1000\begin{array}{cc}& N_0<3000\end{array}\end{array}\end{array}$$

(6)

Next, iterate chaotic Sine-Sine system (SSS) defined in the formula (7) for $N_0+N$ times, and then dispose these elements by formula (8).

$$x_{n+1}=u\times \sin (\pi \times x_n)\times 2^k-floor\left(u\times \sin (\pi \times x_n\right)\times 2^k)$$

(7)

$$x_i=\mathrm{mod}(\left(abs\left(x_i\right)-floor\left(abs\left(x_i\right)\right)\times {10}^{14},256\right),i=1,2,\cdots ,N_0+N$$

(8)

Here, N is the number of pixel in image. $abs\left(x\right)$ stands for the absolute value of x.$floor\left(x\right)$ is equal to the value of x to the nearest integers less than or equal to x, $\mathrm{mod}\left(\mathrm{x},\mathrm{y}\right)$ generates the remainder after division.

Lastly, arrange the last N integers from $N_0+1$ to $N_0+N$into a matrix $A$ with the same size as that of the image to be diffused, where $A\left(i,j\right)=reshape[(N_0+1:N_0+N),\surd N,\surd N$), here, $reshape$ represents the conversion of a one-dimensional array into a two-dimensional matrix with size of $\surd N$×$\surd N$. For example, N=9 and one-dimensional array is (1,2,3,4,5,6,7,8,9), the matrix A=[1,2,3;4,5,6;7,8,9] with size of 3×3 is generated by the reshape process.

2) For other 64-bits$h_{65}{h}_{66}\cdots h_{128}$of$H_i$, use the procedures as the same of 1) to generate a matrix $B$, here, the chaotic map used is Chebyshev-Chebyshev system (CCS) defined in formula (9)

$$x_{n+1}=\cos (\left(u+1\right)\times \arccos (x_n)\times 2^k-floor\left(\cos (\left(u+1\right)\times \arccos (x_n\right)\times 2^k)$$

(9)

The better performances of chaotic CCS and SSS for encryption can be found in Reference [35,36].

3) Obtain sharing secret from the diffusion of the $I_{SROI-MSB-HE}$ by the following diffusion equation.

$$I_{\mathrm{SROI}-\mathrm{MSB}-\mathrm{HE}}^{\text{'}}\left(i,j\right)=\mathrm{mod}(I_{SROI-MSB-HE}\left(i,j\right)\oplus A\left(i,j\right),256)\otimes B\left(i,j\right)$$

(10)

where,$i=1,2,\cdots L$,$j=1,2,\cdots W$. $W$ and L are the length and width of image, respectively. $\oplus$ is the arithmetic plus operator, and $\otimes$ is the bit-level XOR operator. The generated $I_{SROI-MSB-HE}^{\prime }$is one of the sharing secrets.

In the same way, the second sharing secret image can be derived using$H_{t+1,\mathrm{...},m}$and$I_{SROI-LSB-HE}$. Then, the tow shares are outsourced to different cloud servers.

3.2. Restoration of original secret image

For authorized users, when they want to access the image from the cloud, the data owner will give them the secret key in a secret way. Then, the following steps are used to restore the original secret image.

(1) Download two sharing secrets $S_1$ and $S_2$from two cloud servers.

(2) Use the same key as that used in the generation procedures of sharing secrets to generate matrices using chaotic maps (7) and (9). Then implements the inverse operation of formula (10) between the matrices and sharing secret, thus two images $I_i^{‴}, i=1, 2$ with the size of $L\times W$ are produced.

(3) Extract the watermarking $H_1^{\prime },H_2^{\prime },\cdots ,H_m^{\prime }$ from $I_i^{‴}, i=1,2$ using HS based reversible watermarking algorithm to get two images$I_i^{″}, i=1,2$, and then produce one image $I^{″}$using the formula$I^{″}=I_1^{″}+I_2^{″}$.

(4) Implement inverse S-box replacement of ROI for image $I^{″}$ to produce image I.

(5) Use the same method as Step 2 in the phase of generation of sharing secret to obtain$H_1^{″},H_2^{″},\cdots ,H_m^{″}$. And then compare these hash values with the watermarking data extracted in Step 3, thus, we can locate whether the corresponding block in ROI is tampered. Moreover, the position of tampered parts can be located.

4. Experimental results and discussions

The experiment was conducted by MATLAB version 12b. The medical data from 6,970 fully sampled brain MRIs obtained on 3 and 1.5 Tesla magnets. In this section, six 256-grey scale test images with the size of $512\times 512$ are given in Figure 5.

4.1. Experimental results

Firstly, the ROI is described for every test image, the coordinates of upper left and lower right of test image are given in Table 2. As an example, for image IM-0001-0012, the separated bit plane image of MSBs and LSBs following the S-box substitution are given in Figure 6 (a-b). Figure 6(c-d) displays the two sharing secrets outsourced to the cloud.

4.2. Security analysis of the proposed scheme

A good encryption algorithm should have large key space to resist brute force attacks, and also should be sensitive to key. In this section, some security analyses are presented.

1) Key space analysis

It can be seen from the scheme that the medical image is safely outsourced to the cloud. Because different sharing secret is outsourced to the different cloud server, anyone, including cloud server itself can’t obtain useful information about the image, and different sharing secret can only be decrypted by specific secret key. For example, the 128-bit secret key “50192EC81EFD534ED830D3BE68F0B53F” is used to generate sharing secret Figure 6(c); another secret key used for generating sharing secret Figure 6(d) is “8437EBF46D99CB55A00D77FCDF143369”. In the meantime, the secret key highly depends on the image itself. Moreover, based on the characteristic of hash function, for any two different images, the secret keys used for generating sharing secret are different. This is a one-time pad from the point of encryption. The coordinate of the ROI, S-boxes, and hash of the image constitute the secret space of the scheme, combining to form the secret key with the size of more than $2^{512}$. This ensures the security of the scheme.

2) Key Sensitivity Analysis

Here, we test the key sensitivities in the process of generation of sharing secret. For this test, the secret key is changed only one bit, and then conducts encryption. Result of this encryption is compared with the sharing secret generated by correct key. Key sensitivity is measured by NPCR (number of pixels change rate) and UACI (unified average changing intensity), which are expressed by formula (11). W and L are the width and length of the sharing secret, $c_k\left(i,j\right),\mathrm{k}=1,2$ are pixel values of two sharing secrets generated by different secret keys.

$$\begin{gathered} NPCR=\frac{1}{W\times L}{\displaystyle \sum }_{i=0}^L{\displaystyle \sum }_{j=0}^{W}D\left(i,j\right)\times 100\% \\ D\left(i,j\right)=\{\begin{array}{c}0\begin{array}{cc}& c_1\left(i,j\right)=c_2\left(i,j\right)\end{array}\\ 1\begin{array}{cc}& c_1\left(i,j\right)\ne c_2\left(i,j\right)\end{array}\end{array} \\ UACI=\frac{1}{W\times L}{\displaystyle \sum }_{i=0}^L{\displaystyle \sum }_{j=0}^W\frac{\left|c_1\left(i,j\right)-c_2\left(i,j\right)\right|}{255} \end{gathered}$$

(11)

All the tests are implemented based on modification of the last bit of the secret key. The corresponding values of NPCR and UACI for test images are summarized in Table 3. In reference [37], the expected values of NPCR and for a 256-Grayscale image are 99.6094% and 33.4635%. Obviously, the average values of UACI and NPCR are 33.465% and 99.61%, the proposed scheme has high sensitivity to the secret key in the encryption process.

3) Analysis against Known-Plaintext Attack and Chosen Cipher text Attack

In the known-plaintext attack, attackers attempt to find secret keys by obtained plaintext and the corresponding cipher text. For chosen-cipher text, attackers try to find plain text information by obtaining the decryption of chosen cipher texts. In the proposed scheme, attackers can’t obtain any plain image in the cloud, and they also can’t decrypt anyone of the sharing secret using incorrect keys. Even if the attacker knows the correct keys, owing to he does not know how to implement the encryption/decryption operations, he also cannot decrypt the image correctly.

4) Analysis against collude attack

Obviously, it can be seen from the scheme that the sharing secrets are in the different cloud servers, and they use different keys for generating sharing secret. The final verification and acknowledgement of the original image can be achieved by data owner or user. So, even if different servers can collude to use false sharing secret to act as real one, the data owner can also distinguish the true from the false of the restored original image, because only the owner possesses the private key for restoring original image. This makes it difficult for several servers to collude to cheat data owner or user.

4.3. Privacy protection analysis

Privacy in the cloud includes data privacy, index privacy and keyword and enquiry privacy. Here, we only discuss data privacy; others are outside of the paper.

Data privacy means the data in the cloud is secure and anyone including CSPs can’t obtain the plaintext of the data.

In the proposed scheme, medical images are stored in the cloud in the encrypted sharing secret form. The histograms of the sharing secrets generated by image IM-0001-0012 are shown in Figure 7. Obviously, the histograms of the sharing secrets are nearly distributed uniformly; they don’t provide any clues to statistical attack. On the other hand, adjacent pixels of a meaningful image have high correlation. In order to test the correlation between two adjacent pixels, 16384 pairs of two adjacent pixels for sharing secret are randomly selected to calculate the correlation coefficient by the following formulas (12).

$$\begin{gathered} E\left(x\right)=\frac{1}{N}{\displaystyle \sum }_{i=1}^N{x}_i \\ D\left(x\right)=\frac{1}{N}{\displaystyle \sum }_{i=1}^N{(x_i-E\left(x_i\right))}^2 \\ \mathrm{cov}(x,y)=\frac{1}{N}{\displaystyle \sum }_{i=1}^N\left(x_i-E\left(x_i\right)\right)\left(y_i-E\left(y_i\right)\right). \\ {r}_{xy}=\frac{\mathrm{cov}(x,y)}{\sqrt{D\left(x\right)}\sqrt{D\left(y\right)}} \end{gathered}$$

(12)

where x and y are grey values of two adjacent pixels in the image. The outcomes of sharing secret images are listed in Table 4. It can be seen that the correlation of adjacent pixels in the sharing secret images are very low. One can’t obtain any useful information from the sharing secrets. The scheme has better performance of privacy protection.

4.4. Tampers localization of restored image.

From the description of the proposed scheme, we know that the user can verify the integrity of ROI for the restored image, and locate the position of the tampered image. In order to give a total understanding of tampers localization, the example illustrates the verification process for the restored image.

For example, for the second sharing secret image generated from image IM-0001-0012, see the image block in blue color in Figure 8(a), the first pixel value is changed to 111 from the original value 106; the second pixel is changed to 100 from 97. Obviously, the sharing secret is tampered. Next the tampered image block will be located.

Firstly, the two sharing secrets are decrypted, and then hashes of the original image blocks are extracted, the data is represented by $H_i,i=1,2,\cdots N$. N is the total number of block.

Secondly, conduct the superposition of two sharing secret to produce one image by plus the pixels of the corresponding position, and then carry out the reversible substitution of S-box for the ROI. The restored image is shown in Figure 8(b).

Lastly, for the restored image, calculate the hashes of every block in ROI, these values are marked by $H_i^r,i=1,2,\cdots N$It is found that the hash value of $H_{253}$ is different from the value of $H_{253}^{\prime }$ by comparing $H_i,i=1,2,\cdots N$ and $H_i^r,i=1,2,\cdots N$,:

$$\begin{gathered} H_{253}=2\mathrm{A}6692938\mathrm{C}21\mathrm{F}29\mathrm{A}8351\mathrm{F}6\mathrm{CEAD}689398 \\ {H}_{253}^{\prime }=69\mathrm{C}19839984065\mathrm{D}2\mathrm{A}0\mathrm{D}4\mathrm{DFFF}776629\mathrm{CB} \end{gathered}$$

(13)

Thus, the tampered part is located, which is shown in blue color in Figure 8(c).

It can be seen that although there is no distinct difference between restored image and the original one visually, the original image is not lossless restored.

In order to test the effectiveness of the proposed scheme, some images with large ROI in COVID-19 images [38,39,40] are used for test. Some typical images are shown in Figure 9.

Similarly, the proposed scheme can perform well on these medical images with large ROI. It should be noted that, large ROI means time-consuming for the proposed scheme. As it need calculate hashed of more image blocks.

4.5. Comparison Analysis of Performance

Up to now, people have proposed many effective ways to protect medical image. Some comparisons with other state-of-art methods on integrity verification, tampers localization and error in image recovery (ROI) are given in Table 5 and Table 6.

(1)

Comparison with the existing encryption algorithms

Most of available encryption schemes for medical images have no integrity verification ability for restored one from the encrypted image. When the encrypted image is tampered, even if the secret key is correct, one can’t make sure whether the restored image is the same as the original one. This will affect the application of medical images. Some comparisons in integrity verification and tamper localization are summarized in Table 5.

(2)

Comparison with the existing Crypto-Watermarking algorithms

Digital watermarking can provide performance of integrity verification, especially for reversible watermarking based crypto-watermarking schemes, but some methods can’t achieve totally reversibility. The comparison results are done in Table 6.

(3)

Comparison with newly proposed verifiable secret sharing for outsourcing images into cloud

Different from the scheme proposed in [30], the scheme in this paper aims at ROI in medical image, and the hashes of blocks in ROI are embedded into the two bit planes, we can verify the integrity of the restored image, and moreover, the tampered sections in ROI can also be located, this is the better performance that reference [30] has not.

In addition to, the generation process of sharing secrets are different between the proposed scheme and reference [30], and the proposed scheme needs some secret keys to recover the original secret image, but the secret keys are located on the sharing secrets in reference [30].

Obviously, because the special characteristics and requirements of medical images must be met, any compromise on the quality of medical images could result in misdiagnosis. The proposed scheme has better privacy protection, and it can restore the original medical image in reversible operation, verify the integrity of ROI and locate the tampers inside ROI. These better performances outperform many protection schemes for medical images. The proposed scheme can be used for outsourcing medical image to the cloud.

5. Conclusions

Medical images are more typical than any other ordinary images, since it can be used for diagnosis purpose. Such images need security and confidentiality; it also needs to be totally restored when it is used. Region of interest (ROI) are the most important parts for diagnostic in medical image. A novel verifiable privacy preservation scheme for outsourcing medical image to cloud through ROI based crypto-watermarking is proposed in the paper. In the proposed scheme, data owner carries out substitution of S-box for the ROI, separation the image, watermarking embedding and image diffusion based on chaotic maps, and outsources to generated two sharing secrets to the cloud servers. For any authorized user, he can download shares from cloud server, and can lossless recover the original medical image through a series of decryption operations. Furthermore, the user can verify whether the original image is completely reconstructed, and even can locate the tampered parts inside ROI if anyone of the sharing secrets is damaged. Large numbers of experiments show the effectiveness of proposed scheme and better performances compared with most existing methods.

Next, under the condition that the tampers are located in restored image, the restoration technology of the tampered parts inside ROI in medical image by using crypto-watermarking, will be researched.