A Novel Medical Image Signcryption Scheme Using TLTS and Henon Chaotic Map

In tele-medicine, images based on patient diagnostic tests and reports are usually required to broadcast securely so that recipient can receive them without any error. For the secure communication of sensitive medical data, there is a need of authenticated and unforgeable cryptosystem. In this paper, we propose a novel signcryption technique for medical images that fulfills the necessary security requirements of sensitive medical data during its communication. The design of novel medical image signcryption scheme is empowered by the combination strategy of hybrid cryptography. It employs a technique of public key cryptography furnished with elliptic curve cryptography for the generation of secret encryption key. The proposed scheme uses elliptic curve for signcryption purpose and chaotic maps for performing encryption of the medical images. It gives a combined mechanism of key exchange, digital signature and chaotic image encryption. Image encryption phase contains permutation and diffusion for pixel scrambling. The proposed image signcryption scheme provides confidentiality, authentication, integrity, unforgability, forward secrecy and non-repudiation. The use of chaos-based symmetric image encryption scheme shows good results for key space analysis, key sensitivity, correlation analysis, number of pixel change rate, unified average changing intensity, entropy analysis and histogram analysis. On the basis of the results obtained from all these analyses, we believe that the proposed medical image signcryption scheme is efficient and robust, providing good security for sensitive medical images.

system. These tools are based on imaging technology using signal processing to get the vision of internal body systems. Nowadays surgical operations are guided by sensors and artificial intelligence. These real time information systems collaborate in real time surgical operations. As medical data is mostly occurred in image format, therefore a rigorous security approach is required to secure it. In e-health care system, there are serious threats to data containing secret information of a patient's health reports. During the management and transmission of health-care data to third parties like private/public or hybrid clouds, there may occur many problems about the safety and security of this data. Thus we need an efficient and robust approach to provide secure transmission of sensitive medical data along-with its authentication over public networks.
Encryption and authentication are two essential primitives of cryptography. These are vastly used for maintaining privacy of communication. Authenticated encryption simultaneously offers encryption along with data authenticity and confidentiality of secret data. For this purpose authenticated encryption combines symmetric encryption scheme and message authentication code (MAC). Other methods used for protection and authentication are; sign-then-encrypt, encryptthen-sign, sign and encrypt and authenticated encryption with associated data (AEAD). But these cryptographic protocols take extra computational efforts. In 1997, Zheng [68] combined these primitives in a single operation and named it ''signcryption''. It takes less computational cost and effort. Signcryption provides confidentiality, integrity, authentication of information and non-repudiation. Therefore it is used in many applications like electronic transaction protocols, key management, routing protocols etc. It also plays an important role in cloud computing and internet of things.
Deng and Bao [15] proposed a signcryption scheme that decreases computational cost to 16% and commuicational cost to 85% in comparison with signature then encryption scheme. But their proposed scheme is less efficient than that of Zheng [68]. Mahmood and Dony [31] have proposed an enhanced segmentation based medical image encryption scheme. In this scheme medical images are divided into two segments, region of interest (ROI) and region of background (ROB). It uses AES and Gold code (GC) algorithm to reduce computational time and also to provide hybrid design of encryption. Wong [57] proposed the idea of a digital trust center in 1996. It provides confidentiality and authenticity of digital images in hospitals.
Many conventional approaches like AES, RSA etc, are not suitable to protect sensitive records in DICOM system due to large storage requirements and long computational time. In 2012 Mohamed et al. [35] proposed chaos based image encryption scheme and compared the simulation results with AES against NPCR, UACI, correlation among the pixels in cipher image, histogram analysis and encryption time. On the basis of the above security tests it was concluded that for digital multimedia data, the traditionally used cryptographic schemes are less suitable. Recently in 2017 Chen and Hu [10] used multiple chaotic mappings for adaptive medical image encryption. A digital image is a two dimensional sequence that has a large size in comparison to the text file. Therefore the traditional encryption algorithms like AES, DES and RSA suffer from the shortfalls like long encryption time and huge computational power [11], [40].
In 2013 Eldayem and Mohamed [17] proposed encryption strategy for the encryption of DICOM images. They used watermarking technique and MD5 hash function for integrity of images. Their proposed scheme provides patient authentication, image integrity and patient information confidentiality. Bhopi et al. [7] in 2016 proposed a method for the security of medical images. In this proposed work, medical image encryption (MIE) is taken in two stages. In the first stage rotation is performed row-wise, column-wise and diagonally using binary keys. In the second phase four chaotic logistic maps are used to generate pseudo random sequences. Pixel value permutation is performed with these generated sequences. Cao et al. [9] proposed a method of medical image encryption using edge maps. Their proposed method consists of bit plane decomposition, chaotic sequence generation and scrambling technique.
Singh and Singh [47] used elliptic curve cryptography for encryption, decryption and digital signature of cipher image to give the authenticity and integrity. Shukla et al. [46] proposed an image encryption scheme that uses elliptic curves ECC with smaller key size. It reduces storing and transmission requirements. Their proposed scheme used Elgamel elliptic curve encryption. This scheme also provides confidentiality, authentication and integrity. Many other methods based on chaos theory [4], [63], [64] using one time key [27], bit level permutation [28], DNA sequence operation [51], dynamic random growth technique [52] and perceptron model [50] are also proposed for the encryption of multi-media images. There are some non chaos based methods for image encryption that use compressive sensing [41], non adjacent coupled mapped lattices [66], [67], parallel computing system [53], synchronously updating Boolean networks based on matrix semi-tensor product theory [54] and JPEG compression algorithm [1]. All these methods do not provide information about the key distribution or the authentication, non repudiation, integrity, unforgeability, forward secracy etc. Currently Zia and Ali improved an elliptic curve based signcryption scheme for firewalls [70] and established the enhancement of a blind signcryption scheme based on elliptic curves [71] in 2019.
Recently it is observed that hackers and unauthorized parties steal medical records on a large scale and sell them to the dealers on dark web [39], [44]. This sensitive data then misused in identity theft and fraudulent activities. The medical history of United States (US) for past 10 years shows that almost 3000 breaches are occurred, each of them containing more than 500 sensitive medical records caused by hacking [14], [48]. For example a damage of $115 million as settlement is reported [25] due to a breach of 78 million American's customers medical data of Anthem (medical insurance company). A U.S. government task force released a report [19] in 2017 about the cybersecurity performance in health care sector. It shows a critical situation and a number of vulnerabilities in computer, networks and medical devices [36] used in health care sector. In [34] it is reported that there are two major vulnerabilities in the DICOM imaging standard in March, April 2019. Thus it is exposed that DICOM standard have major cybersecurity holes.
Contributions: Our research contributions aim to provide solution of many problems faced by e-healthcare system [16]. To achieve the objective, we design a novel medical image signcryption scheme empowered by the combination strategy of hybrid cryptography. It employs a technique of public key cryptography furnished with elliptic curve cryptography for the generation of secret encryption key. Then chaos-based symmetric, medical image encryption is performed by using that generated secret key. The combination of elliptic curve cryptography together with chaotic maps provides the effective protection measures for secure transmission of sensitive medical images on public networks with their authentication. In this work the proposed signcryption scheme provides confidentiality, unforgeability, integrity, non-repudiation and forward secrecy of authenticated health-care transmission system. The proposed signcryption approach not only essentially yields security requirements but also detects efforts/attacks by adversaries.
Paper organization: The rest of the article is organized as follows: in Section 2 preliminary material on elliptic curve, logistic and tent chaotic maps are described. In Section 3, we first describe the tent-logistic-tent chaotic map and then propose a new image signcryption scheme. Results and discussion with the help of examples and figures, the security analysis of the scheme and comparison with other schemes are discussed in Section 4. Finally the work is concluded in Section 5.

A. ELLIPTIC CURVE CRYPTOGRAPHY
Elliptic curve cryptography (ECC) is an example of public key cryptography. It was developed by Koblitz [26] and Miller [33] independently in 1985. Then Washington [55] provided proof of various theories related to elliptic curves. It has gained a wide acceptance around 2004. ECC gives an efficient and secure public key cryptography implementation with relatively smaller key size than RSA.
Elliptic curves are a type of algebraic curves. ECC brainpool [8] and NIST (National Institute of Standard and Technology) [60] has provided many recommended ECC parameters of various bit sizes. In this paper we are using elliptic curves for the generation of symmetric key. An elliptic curve E(F p ) over a finite field F p is defined as the set of all points (x, y) satisfying the following equation, where the parameters a, b ∈ F p follow the relation There is a point O at infinity taken as identity element under addition. A point R = (x, y) is said to be a point on elliptic curve E(a, b) if it satisfies equation (1).
Let R 1 = (x 1 , y 1 ) and R 2 = (x 2 , y 2 ) be two distinct elliptic curve points, that satisfy the equation (1), then their addition is defined as: a line joining these point and its intersection with a line in same elliptic curve. The resulting point of addition R 3 = (x 3 , y 3 ) (the negative of R 3 ) can be obtained by performing the following calculations as shown in (2): where λ = y 2 − y 1 where λ = 3x 2 1 − a 2y 1 . Also there exists a base point G of elliptic curve E over finite field F with a prime order n that is Elliptic curve E(a, b) points along with a point O at infinity form a cyclic addition group. The equation of elliptic curve has the similarity with one used for calculating circumference of ellipse. Therefore these are called elliptic curves. Elliptic curves provide hard problems like elliptic curve discrete log problem (ECDLP), elliptic curve Diffie-Hellman problem (ECDHP) etc to use for cryptographic purposes. For given two points S and S * of an elliptic curve E, where S = bS * , (b < n). The (ECDLP) is that, it is computationally infeasible to find the integer b. The (ECDHP) is defined as: for given two elliptic curve points U and U * , where U = c 1 G, U * = c 2 G and (c 1 , c 2 < n), it is computationally infeasible to get the another point V = c 1 c 2 G. For further details on ECC see [12].

B. CHAOTIC MAPS
Chaotic maps [29] are used to produce non linear, complex, random sequences. Output of such maps is highly sensitive to initial conditions and control parameters. These parameters can be treated as secret keys when we use chaotic maps in cryptography. Due to this phenomenon of chaotic maps, it looks natural to use such type of structures in modern cryptography.

1) TENT MAP
Tent map [13] is the simplest chaotic iterative map. It is one dimensional map and also known as triangle map defined as, Here x 0 ∈ (0, 1) is the state variable and r ∈ (0, 2) is the control parameter. Although the chaotic map (4) is simple having linear equations but for certain parameter values, it shows highly complex and even chaotic behavior.

2) LOGISTIC MAP
Logistic map [32] is a type of chaotic system. It is one dimensional, discrete time and non-linear map with quadratic non-linearity. The state equation of logistic map with initial state w n is given by where w n ∈ (0, 1) is the state of the system at any time n and µ ∈ (0, 4) is the control parameter also known as bifurcation parameter. Term w n+1 expresses the next state and n shows the discrete time. For the values of µ between 3.567 and 4 the logistic map (5) behaves chaotically with infinite period. Lyapunov exponent is the measure of sensitive dependence on initial condition. For µ = 3.57 to 4 the value of lyapunov exponent is mostly positive, which shows that in this interval logistic map exhibits chaotic behavior.

3) HENON MAP
Henon map [23] is two dimensional discrete time non-linear chaotic map. It was proposed by Henon in 1976. The two dimensional invertible Henon map is defined as, where a and b are the control parameters of chaotic map (6). For a ∈ (0.54, 2), and b ∈ (0, 1), it shows chaotic behavior.

III. PROPOSED IMAGE SIGNCRYPTION SCHEME
In this section. first we introduce tent logistic tent map, then we use it in our proposed signcryption scheme for chaos-based image encryption.

A. TENT LOGISTIC TENT MAP
From the combination of tent and logistic chaotic maps, recently in [2] a new chaotic system namely the tent logistic tent map is introduced. In this system '+' and '×' are floating point addition and multiplication respectively. The exponentiation r σ is a multiplier that is employed for better distribution of state variables. The proposed system has more complex and chaotic characteristics than individual chaotic maps. This chaotic system is defined as, Here r ∈ (0, 4) is the control parameter and x 0 ∈ (0, 1) is the state variable. Here r 14 is selected experimentally to generate a balance between optimal chaotic behavior and speed of system. Tent and logistic chaotic maps have limited chaotic ranges as shown in FIGURE 1. Therefore, when we use their control parameters as secret keys they provide limited key space. Also it is known that they have periodic windows hence these are inclined towards parameter estimation attacks. To overcome the weaknesses of tent and logistic maps, they are combined to generate a new stronger chaotic system [2]. In this system logistic chaotic map plays main role while tent map plays the role of seed map. Hence generated chaotic system is called tent logistic tent system (TLTS). The proposed chaotic system shows chaotic behavior without window of periodicity in r ∈ (1.05, 4) as presented in FIGURE 2. The lypunouv exponent of this new system is also greater than tent and logistic maps. Hence it shows better results when used for cryptographic purposes.
In the proposed medical image signcryption scheme, the patient/user uses the public key of health-care authority to generate common secret encryption key 'K '. Then he takes encryption with the proposed chaos-based medical image encryption scheme using the secret key 'K '. He signs the cipher image and sends cipher image C, digital signature s and authentication parameter G to the authority. FIGURE 3 shows the proposed signcryption model, while FIGURE 4 and FIGURE 5 are the block diagrams of the proposed signcryption and unsigncryption schemes.
Health-care authority uses C, s and his private key s b to generate the common secret key 'K '. Then the authority takes symmetric decryption using that key to find the image, verifies it by using G and accept, if it is authenticated.

B. GLOBAL PARAMETERS
In this phase following parameters are selected and published: q: A large prime number, where q > 2 256 . E(a, b): The used elliptic curve over finite field F q ,   Here a and b are two integers that are smaller than q and satisfy 4a 3 + 27b 2 = 0 mod q. G: The base point of elliptic curve E(a, b) with order n.

O:
The point of E(a, b) at infinity. n: The order of G, i. e., nG = O. H : A one-way hash function. 71978 VOLUME 8, 2020

C. KEY GENERATION
Patient selects a random integer s a < n as his/her private key and computes public key P a = s a G.
Similarly health-care authority chooses a random integer s b < n as his/her private key and computes public key These public keys will be used at both the sender and the receiver ends to generate a common secret key K .

D. SIGNCRYPTION PHASE
For sending a medical image to health-care authority, the patient uses symmetric chaos-based image encryption scheme to generate cipher image. To signcrypt the medical image, following steps will be performed: 1) Select a random integer k ∈ F q , multiply it with health-care authority's public key P b to generate the secret key as, 2) Apply the hash function H (using SHA-256) on the components of secret key K = (k , k ), as: . . , 255 are used to get the parameters of the chaotic maps (6) and (7) as stated below: a) Compute the parameters r ∈ (0, 4) and x 0 ∈ (0, 1) of the chaotic map (7) from the two halves of 256-bits of H (k ) as follows: , similarly compute x 0 ∈ (0, 1) as: +b 126 ×2 127 +. . .+b 0 ×2 0 ). b) Generate the initial values, control parameters of Henon chaotic map (6) and the subkeys M 0 , N 0 (for encryption of the first pixel and the last pixel of pre-encrypted image D respectively). Use the output of H (k ) to get the values of a ∈ (0.54, 2), b, x 0 , y 0 ∈ (0, 1) and M 0 , N 0 ∈ [0, 255] as follows: Permutation: 5) Iterate the chaotic map (7) using the parameters from Step 2 (a) to obtain the sequence: , and sort sequence A in ascending order to form, compute permutation vector,

7)
Use T to permute the position of elements of the array Z . After applying permutation on Z it becomes, for Henon chaotic map (6) to generate two random sequences, 9) Convert the real number sequences x k and y k where k = 1, 2, . . . , MN into integer sequences using these relations: 12) Also find digital signature s as: 13) Calculate authentication parameter G as: 14) Send (C, s, G ) to the health-care authority.

E. UNSIGNCRYPTION PHASE
The health-care authority receives cipher image C, digital signature s and verification parameter G . Then it uses the following steps to get plain image I with its authentication. 1) Solve; to generate the secret key K . 2) Use hash function H to get sub-keys as described in Step (2) of above signcryption phase.

Decryption method:
3) Generate {x k } and {y k } two dimensional arrays of order M × N by following the Step (8) and Step (9) of above used signcryption phase. 4) To eliminate diffusion effects, apply Step (10) of the above mentioned scheme, by replacing G with C to obtain permuted array G.

5) Perform
Step (5, 6) of the signcryption phase to get permutation vector T , also calculate inverse permutation vector i.e., T −1 . 6) Apply T −1 on D to get original medical image I . 7) Take the hash value of plain image I , cipher image C and secret key K to find h as: h = H(I , C, K ).

8) Calculate another authentication parameter A as:
A = hG. 71980 VOLUME 8, 2020 The above signcryption and unsigncryption scheme is summarized in TABLE 1.

F. CORRECTNESS
The health-care authority receives (C, s, G ) from patient. It calculates key by using its private key s b , patient's public key P a , received digital signature s and authentication parameter G .

IV. RESULTS AND DISCUSSIONS
For the performance evaluation of the proposed medical image signcryption scheme, test images are selected from open-access medical image repositories/Ayland.org [49] image database. The proposed scheme is then implemented on MATLAB R2016b, 64-bit and applied on medical data. The proposed method can be used for different types/sizes of medical images. Medical images along with their encryption results are shown in FIGURE 6. In this section, firstly we discuss the security features of chaos-based encryption, then signcryption attributes and possible attacks will be discussed.

A. SECURITY FEATURES OF CHAOS-BASED ENCRYPTION
In the proposed scheme a novel chaos-based encryption mechanism is adopted for secure transmission of medical image. FIGURE 6 shows the encryption results of various medical images. Performance evaluation tests like key space, key sensitivity, ability of resisting against differential attacks, histogram analysis, correlation analysis and information entropy are also employed in this section.

1) KEY SPACE ANALYSIS
Key space is considered as an important feature in any cryptosystem. It should be large enough to produce the ability to resist against brute force attacks. In the proposed encryption model, we have used two chaotic maps. For tent-logistic-tent map (7) control parameter r and initial state x 0 are used. Another chaotic map used in proposed encryption scheme is Henon map (6). It uses a and b as control parameters and two state variables x 0 and y 0 . M 0 is the key used for encryption of first pixel. According to IEEE floating format precision [56] each key component should be greater than 10 −15 . If the precision of these parameters is taken as 10 −15 , the key space size will be (10 15 ) 6 = 10 90 ≈ 2 299 . Alvarez and Li [5] identified that the adequate key space for image encryption scheme should be larger than 2 100 to oppose brute force attacks. The key space of our proposed scheme is large enough to resist against brute force attack. In order to decrypt the medical image correctly, the adversary has to guess all these six components.

2) KEY SENSITIVITY ANALYSIS
An image encryption scheme should be highly sensitive and conscious for its secret keys and a change of single-bit in any of its secret keys should crop an entirely different encrypted result [3]. Hence generated cipher image can not be decrypted by a changed key to give required results. Note that in our proposed scheme, we have used tent logistic tent map (7) with key components a = 1.4, b = 0.3, x 0 = 0.7666 and y 0 = 0.3 and Henon map (6) with r = 3.78 and x 0 = 0.5748. These maps are highly sensitive for initial conditions and control parameters as seen by their lyapunov exponent in FIGURE 2. For testing the key sensitivity, we take four medical images used in FIGURE 6 of size 256 × 256 as a test case, and modify only one key component i. e. x 0 from 0.7666 to 0.7666000000000001. FIGURE 7 shows the experimental results of key sensitivity for encryption process using slightly changed key. From here it can be seen that the encryption results are totally different. Similar results can be seen by making a small change in any other component of used secret key. Hence the obtained results show that the proposed scheme is highly sensitive to secret keys. VOLUME 8, 2020

3) STATISTICAL RANDOMNESS ANALYSIS
Encrypted image generated by any cryptographic encryption scheme, should be invulnerable to statistical attacks. The presence of randomness is essential not only for pseudo random number generators (PRNGs) [20] but also for the encrypted data [61]. Therefore the randomness is evaluated in the resulting encrypted data by using National Institute of Standard and Technology (NIST) statistical random test suite [65]. With the suggested parameters for input sequence, the p-value is expected to be greater than 0.01 to qualify for the randomness in the bit stream of encrypted data.
The results of NIST randomness tests [65] for CT Paranasal image are shown in TABLE 2.

4) CORRELATION ANALYSIS
The property of having high confusion and diffusion can be checked by a test of correlation among neighboring pixels in the plain image and their corresponding cipher image. For the calculation of correlation coefficients in horizontal, vertical and diagonal directions, the following relation [42] has been used, . (8) Here x t and y t are values of neighboring pixels in the image and n is the total number of pixels taken for calculation of correlation in equation (8). We have also analyzed correlation in the adjacent pixels of the plain images and cipher image in FIGURE (9, 10) respectively. From the results of TABLE 3 and FIGURE (9,10), it is seen that cipher image has very low correlation among neighboring pixels. Hence cipher images are revealing no information about the structure of plain image.

5) HISTOGRAM ANALYSIS
Image histogram displays the dispersion of pixels in an image [43]. The uniform dispersion can be observed by analyzing the shape of histogram, generated by plotting the pixels of image. The histograms of the original images are shown in FIGURE 11 and their corresponding encrypted image components are shown in FIGURE 12. From histogram analysis it is clear that, there does not exist any clue to mount a statistical attack on the encrypted image. However the histogram visual effects are not sufficient to validate the randomness of pixel value in cipher image [59], [66]. Therefore the histogram is also evaluated quantitatively by using chi-square (χ 2 ) test. Chi-square (9) can be defined as: where S indicates grayscale (S = 256 in this case), o i is the frequency of occurrence of each level observed on the histogram of cipher image, e i is the expected uniform distribution frequency of occurrence and M × N shows total length of image sequence in (10). The experimental chi-square value should be less than the theoretical value (293 with significance level 0.05) for an ideal image encryption system. TABLE 4 indicates the output of chi-square test and pass rate. The chi-square test is passed by all the test images. It is therefore clear that the redundancy of plain image is fully concealed, which demonstrates the inability of stability of statistical attacks.

6) ENTROPY ANALYSIS
This feature of analysis measures the randomness in a cipher image. It also tells us the average amount of information carried by cipher image. Let g be a cipher image then entropy value of g can be calculated by the formula [45]: Here in equation (11) P(g i ) shows the probability of appearing of symbol g i in cipher image g. For exact random source having 256 different symbols, the ideal value of entropy E(g) is 8. If the calculated value of entropy is significantly less than the ideal value of entropy in cipher image then it means that there is a possibility of predictability of plain image. In this scheme entropy values for cipher image g, is checked.
The calculated values of entropy for the plain images and their corresponding cipher images are shown in TABLE 5. In our example of proposed scheme, the entropy value of cipher images with 2 N as 255, using Matlab R2016b, turn out to be ≈ 8. Hence it is assumed that proposed scheme is robust having minimum information dissipation.

7) LOCAL SHANON ENTROPY
The randomness of a cipher image is usually measured with information entropy. Higher entropy values generally indicates a stronger encryption result. The values obtained from VOLUME 8, 2020    the GSE (global Shannon entropy) test sometimes does not represent the true randomness [59] in an image in comparison to GSE, local Shannon entropy is capable of capturing the randomness in local image block that could not be accurately reflected in GSE score. GSE is also considered incompatible for images of different sizes, thus inappropriate for universal measure. Local Shannon entropy tests the randomness of an image with the same parameters irrespective to the size of test image and offer relatively fair random comparison between multiple images. The local Shannon entropy can be measured by following these steps: (1) Take S k , non overlapping image blocks containing T B pixels each.    and variance in TABLE 6. The cipher image passes the test if result falls in the interval otherwise it fails, Also by using the standard parameters i. e., (k, T B ) = (30, 1936) the local Shannon entropy for various medical images is calculated and found in range as shown in TABLE 7. The cipher images obtained from proposed encryption scheme goes in the critical interval. It shows that the proposed image encryption scheme produces cipher images that results high randomness for non overlapping blocks.

8) DIFFERENTIAL ANALYSIS
An essential property of a good performance image encryption algorithm is that, images encrypted with that algorithm should be totally different from plain images. To check the difference in an encrypted image and making one pixel change in original image then encrypted image, we use number of pixel change rate (NPCR) and unified average changing intensity (UACI). The values of NPCR and UACI can be calculated by using (12) and (13); Here w and h show the width and height of the encrypted image respectively. X and X are cipher images generated by plain image and one pixel difference in plane image respectively. If X = X then D = 0 otherwise 1. To resist differential attacks, NPCR and UACI [29], [58] values should be large enough.
It can be seen from the experimental results shown in TABLE 8 and TABLE 9, that the proposed scheme gets high performance for NPCR and UACI. Therefore it will give well resistance against ''known plain text attacks'' and ''chosen plain text attacks''.

9) NOISE AND DATA LOSS ATTACKS
The perfect encryption scheme ought to diminish the noise effects caused by differences in pixels in the dectypted image. For checking the capability of our proposed scheme in opposing noise and data loss attacks, we take a medical image FIGURE 6(g) of size 256×256 as test case. In the encryption result of test image we replace 1%, 2% and 5% pixels with the dark part as shown in the FIGURE 8 (a, b, c). The decryption results of noised cipher images are also shown in FIGURE 8(d, e, f). From the FIGURE 8 it is clear that when the cipher image endure salt and pepper noise or data loss attacks, the decrypted image obtained by using our encryption scheme maintain vast majority of original image information containing only a small portion of uniformly distributed noise.
The peak signal to noise ratio (PSNR) provides a quantitative measure for the distinction between the original plain image I P and its decryption result I D . The cumulative squared error between the decrypted image and the original image can be measured by using mean square error (MSE). For an image of size MN the PSNR and MSE values can be calculated using VOLUME 8, 2020 The least value of MSE (15) shows the minimum error by using the proposed encryption scheme. While the PSNR (14) measure is usually employed to calculate the ability of rehabilitation. The greater value of PNSR indicates the higher fidelity of decrypted image towards its original plain image [62]. If I D and I P are similar then the calculated value of PSNR approaches to infinity. The value above 30 db shows that I D and I P are not sensible for PSNR. For the values above 35 db, it is difficult to differentiate between the original image and decrypted image. For checking the cipher image's robustness against noise attacks, we add 1%, 2% and 5% noise in cipher image of FIGURE 6 (g), as shown in FIGURE 8 (a, b,  c). The calculated values of PSNR for these modified cipher images are 25.34, 22.78 and 19.36 respectively. By observing the test results it can be seen that the encryption technique gives good performance for anti data loss and noise attacks.

10) COMPUTATIONAL COMPLEXITY
It is determined by analyzing the encryption scheme and sequence generation method. We analyze the complexity of various image encryption schemes by using the identical approach as adopted in [22] and then compare their complexities with our proposed encryption scheme. The overall complexity of our proposed encryption scheme is O (3MN log 2 (MN ) + 14MN   tion one time floating point operation indicates one bit level operation. By comparing the complexity of our proposed scheme in TABLE 10, with the schemes presented in [21], [22], [30], it can be seen that computational complexity of our proposed image encryption schemes exceeds by [21], [22]. It shows that the internal structure of proposed scheme is complex, hence resists against various attacks.

11) SPEED PERFORMANCE ANALYSIS
Beside the security features, the running time of an encryption algorithm is also considered an important feature. For this purpose the encryption part of the purpose scheme is tested on a personal computer having Windows 8.1 operating system, 4 GB of memory and intel core i3, 3110M with 2.4 GHz processor. The implementation of image encryption part is carried out on MATLAB R2016b (64 bit). The calculated  In the proposed scheme the main time taken step is diffusion, where by using Henon map we have performed two dimensional (row-wise and column-wise) diffusion using chaotic generated matrices. Although the process is time consuming but it ensures good security results in cipher image.

B. SIGNCRYPTION ATTRIBUTES
The security components of proposed signcryption scheme are:

1) CONFIDENTIALITY
Confidentiality means to secure the message containing plain image from unauthorized sources. The proposed scheme is secure from unauthorized access as if some unauthorized party/user wants to find secret key component k or k . It is almost infeasible because for this he/she has to solve ECDLP and ECDHP.

2) AUTHENTICATION
Authentication is the method by which receiver can authenticate the user by following the verification method. The authentication process works by using the comparison of hash values. If the comparison returns true results, then it means that the user and his sent medical image is authenticated.
In our proposed scheme the patient calculates hash value of image I , cipher image C and key K , then multiply with base point of elliptic curve G to get authentication parameter G . Patient sends this G to health-care authority. The authority decrypt C with K to get image I . The authority also calculates hash value of I , C and K , and multiply it with G to get A . The patient along with his sent image I will be authenticated if G = A .

3) INTEGRITY
In this process data is maintained in its actual form, that could not be changed by adversary during its communication. In our proposed scheme h = H (I , C, K ) and s = k h + P a mod q are used in signcryption stage. If a fake user changes some contents of cipher image, then new cipher image will become C , so he sends (C , s, G ) the related image I is also changed, but one way hash function makes it in-feasible. Also the change will be detected at the time of verification, hence changed cipher image will be rejected. In this way the integrity of original image will be confirmed.

4) UNFORGEABILITY
In our proposed signcryption scheme, a fake user can try to forge the signcryption scheme as following: 1) He chooses k 1 and multiply it with health-care authority's public key P b to get secret key K f . 2) He takes the forged image I and encrypt it with the hashed key as C = E H (K f ) (I ).

3) Then he computes h and s as:
He also computes authentication parameter and sends (C , G 1 , s ) to health-care authority. The health-care authority receives (C , s , G 1 ) from fake user. It tries to find key by using its private key s b , patient's public key P a , received digital signature s and authentication parameter G 1 .
Hence the forged key is not rightly generated and image I cannot be decrypted rightly.

5) NON-REPUDIATION
Non-repudiation means that the sender cannot deny from something he had sent. In case of denial of sending the message by the sender, the recipient may send (C, s, G ) requiring the judge to verify it. In judge verification process, the judge can decide that signature is generated by the sender if the equation holds. In our proposed signcryption scheme, digital signature s = k h + s a VOLUME 8, 2020  contains private key s a of the sender. Digital signature cannot be generated without sender's compliance. Therefore sender cannot deny from sending at any stage.

6) FORWARD SECRECY
It means that attacker cannot recover sender's previous message even if he gets access to the sender's private key s a and (C, s, G ). Because a random number k is used for key generation. Which is known only to the sender. For the generation of secret key anyone has to solve the following equation: Here P b is the public key of receiver and k is the random number chosen by the sender. Attacker does not know about k, hence cannot find key K and decrypt C to get plain image I .
Our proposed scheme shows good result against authentication, confidentiality, integrity, unforgeability and forward secrecy. The comparison of signcryption attributes of proposed scheme with other signcryption schemes is shown in TABLE 12.

7) ANALYSIS OF COMPUTATIONAL COST
In proposed signcryption scheme, we have calculated computational cost for sender and receiver. TABLE 13 gives a comparison for operations used by the sender and receiver, while TABLE 14 shows average computational time of mainly used operations. Sender uses only 2 elliptic curve point multiplications, while receiver takes 3 elliptic curve point multiplications hence it is more efficient than the schemes presented in [15], [18], [24].
The elliptic curve point multiplication requires 83 ms, while modular exponentiation needs 220 ms as average computational time on infineon's SLE66CUX640P [6]. The computational time is calculated in TABLE 14 and compared with other signcryption schemes. Our proposed scheme provides some added functions like forward secrecy and non repudiation without using another protocols with less computational cost.

C. MAN IN THE MIDDLE ATTACK
We consider an unauthorized user say ''Mallory'' insert himself in communication between patient and health-care authority. He intercepts (C, s, G ) sent by patient. Then produces his own secret key and uses it for the generation of cipher image (C ), signature (s ) and authentication parameter (G ). He alters patient sent parameters (C, s, G ) by his generated tuple (C , s , G ) and sends it to the health-care authority. The authority works for the the generation of secret key K * to decrypt received C . This key does not provide any help to reveal the secret image. Also the signature generated by the attacker will not be verified by signcryption algorithm. Hence it can be seen that, man in the middle attack is not applicable for the proposed scheme.

V. CONCLUSION
In this research, a novel medical image signcryption scheme is proposed. It uses hybrid cryptographic technique for the signcryption of image based data. Firstly patient uses his private key and health-care authority's public key to make symmetric encryption key and then he uses its hash value for chaos based medical symmetric image encryption. The health-care authority also uses the same key for decryption. Hash value of cipher image is signed and exchanged for authentication of communication.
The proposed signcryption scheme provides confidentiality, authentication, integrity, unforgability and nonrepudiation. While chaos-based symmetric image encryption is checked against key space analysis, key sensitivity, correlation analysis, NPCR and UACI, local and global Shannon entropy analysis, histogram analysis, noise and data loss attacks, complexity and speed performance.
On the basis of results obtained from all these analysis, we believe that the proposed signcryption scheme is efficient and robust, providing good security for sensitive medical images.
TAHIR SAJJAD ALI received the M.Phil. degree from Riphah International University, Islamabad, Pakistan. He is currently pursuing the Ph.D. degree with the Faculty of Computing, Capital University of Science and Technology, Islamabad. His research interests include chaos theory and its applications in information security, cryptanalysis of image encryption schemes, and algebraic cryptography.
RASHID ALI (Member, IEEE) received the Ph.D. degree from the Faculty of Information and Mathematics, University of Passau, Germany, in 2011. He is currently working as an Associate Professor with the Faculty of Computing, Capital University of Science and Technology, Pakistan. He is mainly involved in the research work on algebraic cryptography, cryptanalysis, and fixed point theory in fuzzy metric spaces.