A Compressive Sensing Based Image Encryption and Compression Algorithm With Identity Authentication and Blind Signcryption

Recently, a robust and secure image sharing scheme with personal identity information embedded was proposed based on Compressive Sensing, Secret Image Sharing and Diffie-Hellman Agreement. However, there exists a security flaw in this scheme. It cannot resist the man-in-the-middle attack in the authentication stage. Anyone can disguise himself as a legal person and get the information when exchanging the secret keys, which provides the possibility for information leakage, tampering, and other attacks. In this paper, we propose an image encryption and compression algorithm with identity authentication and blind signcryption based on Parallel Compressive Sensing (PCS), Secret Sharing(SS) and Elliptic Curve Cryptography (ECC). Firstly, Logistic-Tent system and PCS are employed to complete compression and lightweight encryption in the compression stage. Secondly, random sequences are generated based on Chebyshev map to construct four encryption matrices to perform the encryption process. Meanwhile, the participants’ identity authentication and blind signcryption can be achieved by using ECC. Finally, we prove the efficiency and security of the blind signcryption, which can authenticate the participants’ identity before restoring the original image. Experiments and security analysis demonstrate that the proposed scheme not only reduce the storage space and computational complexity effectively, but also has resistance against the man-in-the-middle attack, forgery attack and chosen-text attack.


I. INTRODUCTION
In recent years, big data and artificial intelligence bring great convenience to people through the Internet of Things. A large amount of image information can be stored and transmitted as quickly as possible. However, there are many problems during image transmission and storage, such as illegal personnel invasion, malicious tampering and legitimate personnel information forgery in the transmission process, and space limitation in the storage process. Meanwhile, there also exist the problems of information leakage, low transmission The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek . efficiency and the low-security level. Encryption [1], [2] can make information chaotic and keep it secure. As we known, Elliptic Curve Cryptography (ECC) [3] is one of the best public key cryptosystems. It can be defined as the bilinear map among groups based on Weil pairing or Tate pairing [4], while the bilinear map has numerous applications in cryptography, such as identity when encryption. ECC has many advantages. For example, it provides an equivalent or higher level of security through using the key smaller than other public key cryptography, such as RSA or DSA [5]. ECC not only can be used for encryption [6]- [8], but also can be used for authentication [9], [10] and key management [11]. Based on ECC, many signcrytion schemes have been proposed [12]- [15], which achieve signature and encryption simultaneously. Meanwhile, when facing illegal data usage, none of copyright protection, access control and encryption are enough to ensure information security, so it is essential to turn to the Secret Sharing scheme(SS) [16], which can prevent information from being too centralized and ensure information with more security. SS was firstly put forward by Shamir and Blakley in 1979. The SS algorithm decomposes the secret information into a few meaningless shares or shadows. Only the legal participants can reconstruct the secret information through recovery algorithm. Many secure image sharing schemes were proposed [17]- [21]. By combining with Compressive Sensing (CS) [22], they achieved a higher level of security and smaller storage space than others. In recent years, CS [23]- [25] exploits far efficiency than the conventional sampling under the Shannon theorem and achieves compression and lightweight encryption simultaneously. Based on Parallel Compressive Sensing(PCS) [26], cryptographic specialists also focus on other technique to combine encryption and compression [27]. However, none of them can verify the participants' identity authentication and achieve tampering and forgery prevention. In [28], Wang et al. proposed an image compression scheme with personal identity information based on CS and Secret Image Sharing. But this scheme cannot resist the man-in-the-middle attack in the authentication stage, so anyone can disguise himself as a legal person to access the information.
This paper first gives a detailed introduction and analysis of the scheme in [28], and then proposes a CS based image encryption and compression algorithm with identity authentication and blind signcryption. Firstly, in the compression phase, Logistic-Tent system is adopted to generate the measurement matrix of PCS, and the original image is compressed by PCS. Then Chebyshev map and four matrices are employed to encrypt the compressed values. Secondly, the encrypted values are divided into many shadows under image sharing algorithm. Meanwhile, a bind signcrytion system is established based on ECC so that only at least t legitimate participants can obtain the shadows, while any illegal user cannot get the encrypted shadows. It provides the reliable guarantee for the shadows transmission and identity authentication of participants. When the combiner wants to obtain the original image, he must verify the equation of designcrytion, then decrypt the blind shadows, and finally obtain the original image by the inverse process of the algorithm. Our contributions can be listed as follows.
• The proposed scheme can withstand the man-inthe-middle attack, which cannot be tackled by the scheme in [28]. Meanwhile this scheme can resist the forgery attack and chosen-text attack.
• Space reduction. Combined with PCS, the proposed scheme can compress and encrypt image. What's more, it has lower storage and computational complexity.
• High security and PSNR. Through permutation, confusion, image sharing and the encrypted shadows, this scheme can achieve high visual security of the cipher image and high PSNR of the recovered image.
• Verifiability. The identity of participants and the shadows can be guaranteed by blind signcrytion, and the shadows are verified before recovery. These properties are strictly proved in this paper.
The rest of the paper is organized as follows. The analysis of existing problem in Wang's scheme is given in Section II. Section III introduces the basic knowledge, including CS, PCS, ECC, the model of Secret Sharing scheme, and two chaotic systems. After that, the proposed scheme is put forward in Section IV, which contains encoding phase and decoding phase. The procedures of the correctness proof and security analysis are described in Section V. Section VI gives experimental analysis and performance comparison with other methods. This paper is concluded in Section VII.

II. THE PROCESS OF WANG's SCHEME
Wang's scheme in [28] is illustrated in this part, which contains the encryption process and decryption process, respectively. The encryption process includes agreement, constructing sensing matrix, sampling, quantization, sharing, and transmission; while the decryption process includes authentication, combination, anti-quantization and reconstruction. However, there exists drawback in this scheme and the analysis is given. The specific steps are as follows.

A. THE ENCRYPTION PROCESS (Encoding PHASE) 1) AGREEMENT
Step1: The distributor D publishes (P, f , g) among participant P i , holds (e, v) securely, where ev = 1(modP), P is a large integer. Meanwhile, the order of g modulo is f and satisfies g f = 1(modP). Step2: The participant P i randomly chooses an integer b i ∈ [1, f ], computes R i = g −b i (modP), and sends R i to the distributor by the public channel.
Step3: When receiving R i , the distributor D computes H i = (R i ) e (modP) and R 0 = g −e (modP), then publicly sends R 0 to the participant P i .
Step4: The participant P i computes H i = (R 0 ) b i (modP) by their own integer b i respectively. Denotes
Step2: A regularized sequence can be further generated from Z (d, l, µ, z 0 ) as follows: Step3: Compose a chaotic matrix M ×N from Q(d, l, µ, z 0 )as follows: is the measurement.

4) QUANTIZATION
Step1: Rearrange Y column by column as: Step2: is the mean of y, λ is the parameter to adjust the output boundary H , andȳ i ∈ (−H , H ). Step3: and E(·) denote the discretization and the binary coding operation, respectively. Denote , and send the bitstream to the local distributor by public channel.
and PINs is scaled down to (i − 1)g , ig .
Step2: From PINs , extract N t elements g(x, y) = x 0 , x 1 , x 2 , · · · , x y−1 , x y−2 , where the prime p = 251, x is a base and y is the size of the output vector.
Step4: For the matrix F and W i , the shadow I i are obtained by the following equation: Step5: Repeat steps (2) and (4) until the shadows {I 1 , I 2 , · · · , I n } are obtained.

6) TRANSMISSION
Transmit {I 1 , I 2 , · · · , I n } to n participants by the public channel.
B. THE DECRYPTION PROCESS OF WANG's scheme(Decoding PHASE)

1) AUTHENTICATION
The combiner verifies whether the equation holds or not. If yes, it means they are legitimate participants, otherwise, they are illegal participants.

2) COMBINATION
By Lagrange interpolation and the corresponding PIN s , the matrix F and I i can be reconstructed with no less than t verified shadows.

3) ANTI-QUANTIZATION
After the inverse operations and the decimal-to-binary conversion, the anti-quantizer is used to get the vectory and its matrix form is Y = vec −1 (y).

4) RECONSTRUCTION
Input (µ, z 0 ) to the Tent map, generate the sensing matrix, then the original image can be reconstructed by the OMP algorithm.
C. ANALYZE THE PROBLEM OF WANG's SCHEME However, in the authentication process of decryption, the algorithm is vulnerable to the man-in-the-middle attack, and cannot authenticate the legitimate participant so that illegal personnel can tamper or forge the information, and transmit the wrong information to the combiner. The detailed poof process is as follows.

1) INTIALIZATION
The parameters are the same as Wang's scheme. Firstly, the distributor D generates a larger integer P, such that P = pq, p = 2fp + 1, q = 2fq + 1,where p and q are two primes, f , p , q are distinct primes. Then let g be an integer with an order f , that is g f = 1(modP). Finally, (p, f , g) are published and (p, q) are securely kept.

2) AGREEMENT
Step1: The participant P i randomly chooses an integer b i ∈ [1, f ], computes R i = g −b i (modP), and then publicly sends R i to D. If the attacker E i captures R i , he randomly chooses an integer b i ∈ [1, f ], and modifies it to R i = g −b i (modP), then sends R i to the distributor D.
Step2: When receiving R i , D generates a key-pair, such that ev = 1 (modφ(P)), then computes 211678 VOLUME 8, 2020 and the integer R 0 = g −e (mod P), and sends R 0 to the attacker E i by the public channel.

3) AUTHENTICATION
In the authentication process, the authorized combiner obtains v from D by the secret channel, get H i = R i e = g −eb i (modP) and R i from the attacker E i by the public channel. Then the authorized combiner verifies whether the equa- the authorized combiner believes that E i is a legitimate participant, and the combiner will be able to further transmit information with the attacker E i . Therefore, the illegal personnel E i can invade in the system and tamper the information arbitrarily, or forge information and so on.

III. BASIC KNOWLEDGE A. COMPRESSVIE Sensing(CS) AND PARALLEL COMPRESSIVE Sensing(PCS)
As is well known, Nyquist-Shannon sampling theorem [23] uses the traditional method for signal processing which follows the ''sample-then-compress'' framework. CS [24], [25] combines signal sampling and compression simultaneously, which saves the computing resources of information acquisition and exploits far efficiency than Shannon theorem. So CS is suitable for some special high-speed signal acquisition and processing system. Assuming x is a natural image, x has the representation with ( is an orthogonal basis): x is called k-sparse when θ has only k non-zero entries, where k is the order of x, k N . And x can be precisely reconstructed in high probability with The mathematical representation is: where y denotes the random measurement values and is a random measurement matrix with the size of M × N . When satisfies the Restricted Isometry Property (RIP) [17], x can be reconstructed by solving the l 1 -norm problem.
where · 1 denotes the l 1 norm of a vector. Traditionally, CS operates on 1D signals. While sampling a multidimensional signal, the size of the measurement matrix is large, and the computational complexity dramatically increases. It is necessary to propose PCS [27], which requires lower storage and computational complexity than traditional CS. Firstly, a multidimensional signal X with N × N is sparsified in basis, such as DCT, DWT, then denoted as Finally, it can be sampled in a column-wise manner by the same measurement matrix : where θ = [θ 1 , θ 2 , · · · , θ N ] and its size is N × 1. The measurement values y = [y 1 , y 2 , · · · , y N ] with the size of M × N . Theoretically, when satisfies Restricted Isometry Property(RIP) [26], the original signal can be recovered column-by-column by the following equation: Many reconstruction algorithms can solve the equation, such as orthogonal matching pursuit(OMP), matching pursuit(MP) and convex optimization method. Compared with the traditional CS, PCS has lower storage and computational complexity. This theory has a wide range of applications in image reconstruction, medical imaging, radar imaging, channel coding, and so on.
In order to resist the chosen-plaintext attack, this proposed scheme combines the counter mode to construct the measurement matrix in the compression process and to construct the encryption matrices in the encryption stage.

B. ELLIPTIC CURVE Cryptography(ECC)
The elliptic Curve Cryptography (ECC) [3] is one of the best public key cryptosystems and provides an equivalent or higher level of security using smaller key than other public key cryptography, such as RSA or DSA [5]. The definition of ECC is based on the elliptic curve, which is a set of points that represents the Weierstrass equation: the simplified equation E p (a, b) is: where a, b are two constants that satisfy 4a 3 + 27b 2 = 0, and p is a prime or an integer shaped like 2 q . Elliptic Curve Cryptography(ECC) was proposed by Victor Miller(IMB) and Neil Koblitz in 1985 [3]. This security is based on the discrete logarithm problem. Suppose Q and G are two points on the elliptic curve, an integer d is found such that Q = dG. This process called Elliptic Curve Discrete Logarithm Problem. Its abbreviated form is ECCDLP [4], and it is computationally infeasible to find d. It can be used not only as the public key cryptography to encrypt information [5]- [8], but also as a signature system [9]- [15].

C. SECRET SHARING SCHEME
In order to prevent information from being too centralized and ensure information with more security, it is essential to employ the Secret Sharing scheme(SS). SS was first presented by Shamir and Blakley in 1979 [16], also known as Shamir's threshold algorithm. VOLUME 8, 2020 In this scheme, a secret a 0 can be divided into n non-overlapping parts, and the sharing values are generated by t −1 degree polynomial interpolation as follows: where a 0 , a 1 , · · · + a t−1 ∈ Z p , a 0 is the secret, and p is a large prime number. Then the sharing values are transmitted to n receivers. The secret a 0 can be recovered from any t(t < n) shadows by Lagrange interpolation [17] as follows: where j = 1, 2, · · · , t. By the Secret Sharing scheme, the proposed scheme can achieve secret image sharing.

D. CHAOTIC MAPS
To expand the key space and increase the key security, two chaotic maps are employed in this scheme. In the CS phase of the proposed scheme, the Logistic-Tent map [27] is employed to construct a measurement matrix, which is the combination of Logistic map and Skew Tent map, and has superior performance than them. The dynamic equations are as follows:

1) LOGISTIC MAP
The definition of the one dimension generalized logistic map is as follows: When µ ∈ [3.57, 4], the map becomes chaotic state.
where the in initial value t 0 ∈ (0, 1), and the control parameter r ∈ (0, 4]. In the encryption phase of this scheme, Chebyshev map also plays an important role when generating chaotic sequences, and constructing four encryption matrices, which can be defined by equation (13).

IV. THE PROPOSED SCHEME
Based on Wang's scheme, this paper proposes a compressive sensing based image encryption and compression algorithm, which can reduce the storage space, authenticate the legitimate participant and perform blind signcryption. Meanwhile, this algorithm can resist the man-in-the-middle attack, forgery attack and chosen-text attack. This scheme contains the encoding phase and decoding phase.

A. THE ENCODING PHASE
The encoding phase employs Logistic-Tent, Chebyshev map, PCS, ECC and Secret Sharing scheme. There are four major stages, including the compression stage, encryption stage, sharing stage and blind signcryption stage. In the compression phase, Logistic-Tent system is adopted to generate the measurement matrix of PCS, and the original image is compressed by PCS. In the encryption stage, Chebyshev map and four matrices are employed to encrypt the compressed values. And in the sharing stage, the encrypted values are divided into many shadows under image sharing algorithm. In the blind signcryption stage, identity authentication and blind signcryption can be realized by ECC. The specific flow chart (FIGURE 1) is as follows.

1) COMPRESSION STAGE
In the compression stage, this algorithm employs the compression method in [27], which combines PCS and the counter mode, and can be immune to the chosen-plaintext attack. The detail steps are as follows.
Step1: The plain image P with the size N × N is decomposed by the first-level DWT to obtain the low frequency coefficient LL 1 and the high frequency coefficients LH 1 , HL 1 , HH 1 . Then LL 1 is decomposed by the second-level DWT to obtain LL 2 , LH 2 , HL 2 , HH 2 . Denote LH 1 , HL 1 , HH 1 and LL 2 , LH 2 , HL 2 , HH 2 as X i .
Step3: Set the threshold and calculation formula, generate υ i = 1 − t n 0 +jh , υ i ∈ (−1, 1), and construct different Step4: For the high frequency coefficients LH 1 , HL 1 , HH 1 and LH 2 , HL 2 , HH 2 , compute Y i = i X i . Meanwhile, the low frequency coefficient LL 2 remains unchanged, and the compressed image Y i is obtained.

2) ENCRYPTION STAGE
Based on the compressed image Y i and Chebyshev map, this part proposes an encryption algorithm which contains the permutation and diffusion processes. Firstly, input the key pairs which have some features of the original image into a Chebyshev map, and obtain random sequences. Then construct four matrices to realize the processes of permutation and diffusion. The encrypted image Y i can be achieved by the detail steps.
Step1: Compute s = M ×M i=1 p i , where p i is i-th pixel value of plain image. Divide s into many groups and every three data as a group. Sum the groups and denote each of them as λ 0 , then computeλ = λ 0 10 −n , where λ ∈ (0, 1).
Step2: Iterate Chebyshev map 3MN+h times with (k, u 0 +λ) to get the sequence A = (b 1 , b 2 , · · · , b 3MN+h ), where k is the parameter and u 0 is the initial value of Chebyshev map.

VOLUME 8, 2020
Denote and generate the cyclic matrix: Step4: Permutation. Y i is the permutated image. For matrix A 1 , by rearranging it in ascending order to obtain the index matrix A 1 , the compressed image Y i is permutated under the index matrix A 1 . The permutated image is denoted as Y i .
Step5: Diffusion. Y i is the encrypted image, which can be calculated by the equations, and the specific steps are as follows: if A 1 = 0.31 ∼ 0.4 or 0.61 ∼ 0.8, Other intervals, Y i = ⊕Y i ⊕ R.

4) BLIND SIGNCRYPTION STAGE
To prevent attackers from capturing the shadows and generating some fake shadows, it must complete the blind signcrytion, which includes five processes: the initial stage, send request, identity verification, send feedback and blind signcryption. This process consists of participants P 1 , P 2 , · · · , P ω , distributor D and combiner. The notation and definition can be described as TABLE 1.
Step1 (The initial stage): The distributor first generates the parameters of E p (a, b), G, and n.
Step2 (Send request): P 1 , P 2 , · · · , P ω randomly choose an integer k i ∈ [1, n − 1] respectively, and compute Step3 (Identity verification): When the distributor receives R i , t i , ID i , he verifies whether the equation t i · G = R i · H (ID i r i ) + Q i holds or not. If yes, it means P i is the legitimate participant, then this participant is allowed to save the shadow M i ; otherwise, P i is the illegal participant, and cannot keep the shadow M i . When the combiner wants to access the shadows, he must execute the following procedure.
Step4 (Send feedback): The combiner randomly chooses an integer l ∈ [1, n − 1], computes L = (l · G) mod p, and sends L to participants by public channel.
Step5 (Blind signcryption): When participant P i receive L, he uses the private key d i and L to encrypt the shadow by Then send M i , S i and R i to the combiner by public channel.

B. THE DECODING PHASE
The decoding phase contains four stages: verification, reorganization, decryption and restoration stage. Firstly, the blind shadows must be verified by the combiner. Then the original shadows are conserved by at least t participants. By the inverse operations of permutation and diffusion, Y i can be recovered. Finally, with the help of the measurement matrix and reconstruction algorithm OMP, the column vector X i can be restored, and the plain image can be obtained by the inverse operation of the wavelet decomposition. The flow chart is shown as FIGURE2.

1) VERIFICATION AND REORGANIZATION
Step1: When the combiner receives M i , S i and R i , he verifies whether the equation M i · Q i + S i · G · L = R i holds or not. If it holds, this means M i is complete and correct, and the combiner decrypts the shadows by M i = Q i · l · M i −1 mod p, and conserves M i (i = 1, 2, · · · , ω). Otherwise, the message has been tampered. Re-transmission is needed until it is equal, or the combiner rejects M i , S i and R i .
Step2: Any t participants can reconstruct Y i with the help of their shadows M i and Lagrange interpolation.
Step3: Generate the cyclic matrix R based on b 1 , b 2 , · · · , b MN . Based on the exclusive or operation again, Y i can be obtained, which can be calculated by Step4: For matrix A 1 , rearrange it in ascending order, then get the index matrix A 1 . Y i can be obtained under the index matrix A 1 and Y i .

3) RESTORING STAGE
To recover the plain image, the OMP algorithm, the measurement matrix i and the inverse operation of wavelet decomposition are employed to acquire the plain image.
Step1: Choose the initial value (r, t 0 ) for the Logistic-Tent map, generate the sequence N i = (N i−1 + 1) mod 2 n . Compute r i = N i × 2 −n + r mod 4 and where h is the distance. Set threshold and the calculation formula, generate υ i , where υ i = 1 − t n 0 +jh , υ i ∈ (−1, 1), and construct the measurement matrix i .
Step3: With the help of the measurement matrix i and OMP algorithm, the column vector X i can be restored, and then the plain image P can be obtained by the inverse operation of the wavelet decomposition.

V. CORRECTNESS PROOF AND SECURITY ANALYSIS
Theorem 1: The equation for verifying the identity of participants is correct.
In the identity verification process, the distributor must verify whether the equation t i · G = R i · H (ID i r i ) + Q i holds or not. If yes, it means they are legitimate participants; otherwise, they are illegal participants.
Proof: In fact, This proof process is valid, and can verify the identity of participants. Theorem 2: The algorithm of blind signcryption is available.
In the designcryption process, when the combiner receives otherwise, the message has be tampered. Re-transmission is needed until they are equal, or the combiner rejects M i , S i and R i . Proof: In fact, This proof process is also valid, which means M i is complete and correct, and the combiner conserves M i , (i = 1, 2, · · · , ω).
Theorem 3: The security of blind signcrytion is based on ECCDLP, and all of the parameters are safe. This algorithm is immune to chosen-text attack.
As we known, solving the large integer decomposition and solving discrete logarithm problem in prime fields have the same difficulty, but solving the elliptic curve discrete logarithm problem is more difficult than the above two problems. The security of RSA depends on the length of modulus, while the security of the elliptic curve discrete logarithm problem depends on the number of points on the elliptic curve. Researchers have shown that the attack resistances of the elliptic curve cryptosystem implemented with 160bit length infield GF (2160) is equivalent to RSA with 1024 bit modulus. While ensuring the same security, ECC has a shorter key length and smaller storage space than others.
Proof: If attacker wants to obtain l from M i = Q i · l · M i −1 mod p, to obtain k i from R i = (k i · G) mod p, to obtain d i and k i from t i = d i + k i · H (ID i r i ), to obtain l from L = (l · G) mod p and to obtain d i from Q i = (d i · G) mod p, these are all equivalent to solving the elliptic curve discrete logarithm problem (ECCDLP). Therefore, all of the parameters are safe in this scheme, and it means that this algorithm is immune to the chosen-text attack. Theorem 4: The algorithm of identity verification can prevent the man-in-the-middle attack.
In the identity verification process, when the participant P i sends R i , t i , ID i to the combiner, if the attacker E i captures R i , t i , ID i and modifies those to R i , t i , ID i , and then he sends R i , t i , ID i to the combiner. When the combiner receives R i , t i , ID i , he verities whether the equation t i · G = R i · H ID i r i + Q i holds or not.
Proof: if In this equation, Q i is the public key of participant, and cannot be changed. The equation does not hold, and it means that there are illegal participants. This process can effectively prevent the man-in-the-middle attack. Theorem 5: The algorithm of blind signcryption can prevent the forgery attack.
In the blind signcryption, if the attacker captures M i , S i , L i , modifies those to M i , S i , L i , and then he sends them to the combiner. When the combiner receives M i , S i , L i , he verities whether the equation M i · Q i + S i · G · L = R i holds or not.
Proof: if is the public key of attacker. It does not hold, which means that M i are incorrect shadows. Re-transmission is needed until they are equal. This procedure can effectively prevent the forgery attack.

VI. EXPERIMENTAL ANALYSIS AND PERFORMANCE COMPARISON
To demonstrate the security and the efficiency of the proposed scheme, numerical experiments and performance comparisons are given in detail in this section, under the Matlab R2016a platform, a desktop machine with 3.4 GHz and 8GB memory. Five test images with 512×512(Lena, Boat, Photography, Peppers, and Saturn) are employed. This section includes the aspects of PSNR, key space, key sensitivity, performance comparison, and so on. In the compression stage, the key pairs r, t 0 of the Logistic-Tent map are the secret keys, where r = 3.0321, t 0 = 0.6122. In the encryption stage, the secret keys are k = 4, u 0 = 0.62354987 and λ, where λ is the characteristic of the plain image. Input the key pairs (k, u 0 + λ) of Chebyshev map to generate random sequence, where the random sequence has 3 × 256 × 256 + 3000 random data. The threshold scheme (6,8) is used in the sharing stage. Meanwhile, in the identity authentication and blind signcryption stage, when the encryption key of ECC is 200bit, it can ensure security and better than 176bit [33].
In the restore process, the OMP algorithm is employed to deal with the inverse operation of CS.

A. PSNR
The peak signal-to-noise ratio (PSNR) is used to evaluate the image quality of the reconstructed image. A larger value of the PSNR implies smaller distortion.
where mean square error(MSE) can be calculated by where X xy and X xy are the pixel value of original image and the reconstructed image, respectively. In this scheme, all plain images P with 512×512 are first compressed to a quarter, then encrypted and get the encrypted image Y i with a size of 256×256. The PSNR values of Lena, Boat, Photography, Peppers and Saturn are 31.5463dB, 30.8446dB, 32.6072dB, 32.0609dB, 37.8722dB, respectively.

B. HISTOGRAM ANALYSIS
The histogram is one of the criteria in the cipher text to analyze the value distribution of an image, which is uniform and has random behavior in an ideal state. In the simulation, we choose five images to encrypt, the histograms of the original images and the encrypted images are shown in FIGURE 3. For the original images, the pixel value distribution is relatively concentrated, and the histogram distributions are not uniform at all. But for the encrypted images, they have uniform histograms by the effective image encryption algorithm.

C. CORRELATION ANALYSIS
Correlation analysis [7] is the relationships among pixels and their neighboring pixels for a natural image at horizontal, vertical and diagonal directions. The values of those relationships can be shown in

D. INFORMATION ENTROPY
Information entropy indicates the randomness of an information source, which definition is as follows: where s 1 , s 2 , · · · , s 2 N −1 are the sources, and p(s i ) is the probability of s i . Accordingly, the entropy of cipher image with 256 gray levels in an effective algorithm should ideally be 8. To explain the information entropy of the original image and the cipher image, the images in the 1st and 2nd columns of FIGURE 3 are selected as the test images, and then corresponding values of entropy for different images can be obtained.    image when little bit changes in the original image or the initial value. Lena is chosen to analyze the key sensitivity. In the ideal state, the average of NPCR is about 0.9961, and the average of UACI is about 0.3346 [8]. Suppose that P 1 (i, j) and P 2 (i, j) are the (i, j) th pixel of the image P i and P 2 . This character is called resisting differential attack. where

1) SENSITIVITY ANALYSIS OF PLAINTEXT AND DIFFERENTIAL ATTACK
In this experiment, we randomly change two-bit, four-bit, sixbit, eight-bit in the original image of Lena, From TABLE 4, the NPCR and UACI of the encrypted image are close to 0.9961 and 0.3346, respectively. This means the key sensitivity has satisfactory effect to resist differential attack.

2) SENSITIVITY ANALYSIS OF KEY
For Lena, when we encrypt the same image with different initial values in a tiny change of 10 −11 , 10 −12 , 10 −13 and 10 −15 , the NPCR and UACI of the encrypted image are shown in the following   UACI values are all close to 0.9961 and 0.3346, respectively, which means it is in the ideal state and can resist differential attack.

G. RESIST KNOWN/CHOSEN PLAINTEXT ATTACK
In this scheme, in the compression process, the measurement matrix i is generated by (r, t 0 ) in the Logistic-Tent map and iteration, where t 0 and t 1 are the secret keys, r and k are the control parameters of chaotic systems. Meanwhile, in the encryption process, A 1 , A 2 , A 3 are generated by the Chebyshev map with the initial value u 0 + λ, where λ is the character of the original image, A 1 decides the indexes of permutation, A 2 and A 3 decide the diffusion value. If an attacker intercepts a part of plaintext and the corresponding cipher text, he cannot get r, t 0 , k, u 0 and λ. Therefore, this scheme can resist known/chosen plaintext attack, so any attacker cannot obtain the key even if he obtains plaintext.

H. THE PERFORMANCE AND COMPARISON
The security of this scheme is based on CS, Secret Sharing and the difficulty of solving the ECDLP. For other schemes in [27] and [28], they can complete compression and encryption, but cannot resist the man-in-the-middle attack. The schemes in [7] and [30] can complete encryption, but cannot satisfy identity authenticity and resist the man-in-the-middle attack. For this proposed scheme, it has superior performance, which not only completes compression, encryption and image sharing, but also has the characters of identity authenticity and against the man-in-the-middle attack. The detailed comparisons are shown in TABLE 6.

VII. CONCLUSION
Based on Parallel Compressive Sensing, Secret Sharing and Elliptic Curve Cryptographic, this paper proposes an image encryption and compression algorithm, which achieves compression, encryption, identity authentication, and blind signcryption. The proposed algorithm can resist various attacks, such as the man-in-the-middle attack, forgery attack and chosen-text attack. Meanwhile, the proposed scheme has lower storage and computational complexity, high security and PSNR. By blind signcrytion, the identity of participants and the shadows can be guaranteed, and the verifiability is strictly proved in this paper. Numerical experimental results, proofs and security analysis demonstrate that the scheme is secure and more practical when compared with other existing schemes.