Framework for Efficient Medical Image Encryption Using Dynamic S-Boxes and Chaotic Maps

Protecting patient privacy and medical records is a legal requirement. Traditional encryption methods fall short of handling the large volume of medical image data and their peculiar statistical properties. In this paper, we propose a generic medical image encryption framework based on a novel arrangement of two very efficient constructs, dynamic substitution boxes (S-boxes) and chaotic maps. The arrangement of S-box substitution before and after chaotic substitution is shown to successfully resist chosen plaintext and chosen ciphertext attacks. Special precautions are taken to fend off the reset attack against pseudorandom number generators. We show how to implement the generic framework using any key-dependent dynamic S-box construction method and any chaotic map. Experimental results show that the proposed framework successfully passes all security tests regardless of the chaotic map used for implementation. Based on speed analysis, we recommend the use of the classical Baker map or Henon map to achieve encryption throughput approaching 90 MB/s on a modern PC without hardware acceleration.


I. INTRODUCTION
The rapid development in networking and communication technology has led to significant advancement in multimedia and digital image communication. Medical images are important for assisting medical crews through diagnosis. Computed tomography (CT), magnetic resonance imaging (MRI), ultrasound, and X-ray, provide a visual representation of body organs and tissue to help diagnosis and treatment planning. This valuable information includes the physical characteristics of the internal body organs such as size, shape, intensity, and position. With the global growth interest in patient records, all these important data including medical images are stored in Pictureand-Communication Servers. Moreover, many healthcare providers may need to exchange these records using convenient public networks to have access to the patients' The associate editor coordinating the review of this manuscript and approving it for publication was Giacomo Verticale . health history. Medical images contain confidential information about patient health conditions. Therefore, there is a need to protect and secure patients' privacy when using storage and communication technologies with various applications platforms. As a matter of fact, medical images can be vulnerable to security threats including unauthorized data access and tampering. Encryption schemes are usually employed to protect stored and communicated images against these threats.
In addition to the high spatial correlation, medical images are characterized by their large volume. High resolution imaging and 3D imaging produce large volumes of data per second. Image data need to be encrypted in real time before storage or transmission. Therefore, medical images require more efficient encryption algorithms capable of handling high data transmission rates. The performance of recent medical image encryption schemes, such as [1]- [8] and generic image encryption schemes such as [9], [10] fall short of achieving real-time encryption speed. VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ In this paper, we take advantage of two of the most efficient encryption constructs, S-boxes and chaotic maps to propose a generic framework for medical image encryption. The proposed framework combines the desirable statistical properties and diffusion of chaotic maps and the confusion power of dynamic key-dependent S-boxes.
The special arrangement of S-box substitution before and after masking with the chaotic key stream is carefully designed to fend off chosen plaintext and chosen ciphertext attacks.
The proposed framework is especially designed to resist the very powerful PRNG-reset attack, to which most existing image encryption schemes are vulnerable. We provide detailed security analysis of the framework applicable to any chaotic map or dynamic S-box construction method.
Moreover, we demonstrate the applicability of the proposed framework to any chaotic map by studying the security and speed performance of the framework with a variety of classical and modern chaotic maps. Results show that the proposed framework achieves stronger security level and enhanced speed compared to existing medical image encryption schemes. We also show how the proposed framework can be easily adapted to take advantage of future efficient chaotic maps and key-dependent S-box construction methods.
The rest of the paper is organized as follows: Section 2 surveys existing medical image encryption schemes and covers in brief the necessary background and related work on dynamic key-dependent S-box construction techniques and image encryption schemes using chaotic maps. Section 3 describes the proposed image encryption framework and presents an implementation of the proposed framework using a new key-dependent S-box construction method. Section 4 evaluates the performance of the proposed image encryption framework using a variety of chaotic maps. Section 5 highlights the advantages of the proposed framework in comparison to related medical image encryption schemes. Finally, concluding remarks are drawn in Section 6.

II. BACKGROUND AND RELATED WORK
In this section, we present necessary background on the uses of dynamic key-dependent S-boxes and chaotic maps in image encryption schemes and review related medical image encryption schemes proposed in literature.

A. DYNAMIC KEY-DEPENDENT S-BOXES
An S-box can be viewed as a function S : {0, 1} m → {0, 1} n , which substitutes m input bits with n output bits. S-boxes are used in encryption schemes as a simple and efficient way to introduce nonlinearity. A bijective S-box is an invertible n × n S-box. A dynamic S-box is a cryptographic block, with a variable substitution function that can be changed dynamically. If the substitution function can be controlled by a parameter, the parameter is called a key and the resulting dynamic S-box is called a key-dependent S-box.
Several key-dependent S-box construction methods can be found in literature. In [11], dynamic S-boxes are constructed by composing a random sequence of static S-boxes controlled by a chaotic map. In [12] a discrete chaotic system was proposed to drive the functional composition sequence, which is encoded into a key using Lehmer's code. The authors of [13], proposed a key-dependent S-box construction based on a complete order defined on the points of finite elliptic curves. The authors of [14] used a linear fractional transformation with randomized coefficients to transform an initial static S-box to a key-dependent dynamic S-box.

B. CHAOTIC SYSTEMS
Chaotic systems are dynamic systems that are highly sensitive to initial conditions and thus are ideal candidates for generating cryptographic pseudorandom sequences.
Chaotic sequences such as Henon map, Baker map, logistic map, and Arnold cat map, have been used in many encryption algorithms found in literature [6], [15]- [17]. There are several ways in which chaotic maps can be used in an image encryption scheme. Namely, chaotic sequences can control a scrambling process, a dynamic S-box construction, or a pixel value substitution using XOR or modular addition operations.
New chaotic maps with improved properties continue to be proposed in literature. In [18], a new 2D sine logistic modulation map is presented with wider chaotic range than the classical sine and logistic chaotic maps. In [19], the authors proposed a 2D sine-chaotification system to enhance the dynamic behavior of existing chaotic maps. They applied their system to enhance Henon map and 2D sine logistic map. Recently, [15] proposed a 2-dimensional logistic-modulated-sine-coupling-logistic (LSMCL) chaotic map. However, the composition of multiple simple chaotic systems to enhance chaotic performance usually comes at the cost of increased computation time.

C. COMBINING CHAOTIC MAPS AND DYNAMIC S-BOXES FOR IMAGE ENCRYPTION
Several image encryption schemes combine chaotic maps with S-boxes, to obtain the desirable properties of both components. In [20], the authors proposed an image encryption scheme based on a combination of chaotic maps and multiple dynamic S-boxes, along with block permutation. The image encryption scheme proposed by [21] also combines multiple dynamic S-boxes with a chaotic substitution. In [22], the authors combined a dynamic S-box with a 2D chaotic map for image encryption. The image encryption schemes in [23] and [24], also use dynamically constructed S-boxes, permutation and a chaotic key stream substitution. The scheme presented in [25], uses a similar structure to [24] but adds chaining of chaotic maps.
In [26], the authors proposed another encryption scheme combining permutation, S-box substitution and diffusion using chaotic maps. To improve diffusion, another scheme in [27] uses a few S-boxes and dynamically changes the S-boxes based on plain image pixels.

D. MEDICAL IMAGE ENCRYPTION SCHEMES
Several medical image encryption schemes have been proposed in literature. The authors in [5] introduced a medical image encryption system based on cosine number transform (CNT) defined over a chosen Galois field. Further in [4], the authors extended the use of CNT to 3D medical image method based and used 3 rounds of scrambling using Arnold cat map. In both schemes, the authors did not study the encryption speed, leaving the applicability of their methods to real-time encryption questionable.
An encryption system combining chaos and DNA was introduced by the authors of [6]. They used a scenario of two rounds with six steps to achieve the permutation, substitution and diffusion required for encryption. The main disadvantage of their system is the relatively low encryption speed.
In [28], the authors used tensor compressive sensing to combine 3D image compression and encryption and nonautonomous Lorenz system. Two main issues can be noted in this scheme. First, it is extremely slow due to its iterative nature. Second, the presented security analysis lacks some important tests such as plain image sensitivity analysis, which leaves it potentially susceptible to differential attacks.
The authors of [7] used an improved El-Gamal elliptic curve cryptosystem with multi-round of Arnold transformation for medical image encryption. To improve encryption speed and reduce the expansion of encrypted image size, they embedded multiple image pixels into a single point not necessarily on the elliptic curve. However, the use of multiround Arnold transformation is time consuming and as a result, the speed of their scheme was very limited. Moreover, in their effort to save space, they reused the same random number for encrypting all image blocks, which leaves the door wide opens attacks against El-Gamal cryptosystem. In [1], the authors used the same EL-Gamal elliptic curve cryptosystem, but with Mersenne Twister pseudo-random number generator. Their improved system had a much better encryption speed. However, the issue with the reuse of the same random number for encrypting all image blocks persists.
In [29], the authors presented a medical image encryption scheme, denoted MIE-BX based on high-speed scrambling, insertion of random pixels and pixel-adaptive diffusion. Their simulation results showed that their encryption speed can exceed traditional encryption methods such as AES. However, [2] pointed out a potential vulnerability in MIE-BX to an attack against PRNG known as the reset attack. In this attack the adversary resets the PRNG state causing it to generate the same sequence of numbers every time. The authors of [2] used this vulnerability to launch a chosenplaintext attack against MIE. To resolve this issue, they introduced a nonlinear operation on shuffled images. However, the computational overhead of the additional operation was not evaluated, and no speed analysis was presented by the authors.

III. THE PROPOSED MEDICAL IMAGE ENCRYPTION FRAMEWORK
The purpose of medical images is to support medical diagnosis. Therefore, the slightest presence of noise may affect the accuracy of diagnosis. Therefore, the proposed medical image encryption framework assumes that the underlying channel is lossless. The main concern of the proposed framework is protecting patient privacy.
In this section, we first present the proposed image encryption generic framework and its associated encryption and decryption algorithms in detail. The implementation of this generic framework can be realized using a variety of chaotic maps and key-dependent S-box construction methods. Therefore, we dedicate the second subsection to specific implementations of the proposed framework.

A. GENERIC FRAMEWORK
The proposed image encryption framework is based on two generic components. The first generic component is a key-dependent S-box construction algorithm, denoted S Ks , where K S is the key. Given an α-bit initialization vector, N S ∈ {0, 1} α , S Ks (N S ) produces a bijective 8 × 8 S-box. The second generic component is a chaotic pseudorandom source, denoted C. Given a β-bit initialization vector, IV ∈ {0, 1} β , C (IV ) can generate a pseudorandom byte stream of arbitrary length. S and C can be realized by many existing key-dependent S-box construction methods and chaotic systems.
It is assumed that an encryption key is secretly shared by the communicating parties prior to the image communication session. The encryption key has two parts, K S , which controls the S-box construction and K C , which controls the generation of the chaotic sequence.
Given a plain image, I , to encrypt, the proposed framework works in two phases, as shown in Figure 1. During the preparation phase, a PRNG generates two nonce random numbers, N S and N C , then N S is AES encrypted using key K C to obtain the chaos initialization vector IV = AES Ks (N C ). S constructs a dynamic S-box, S = S Ks (N S ) and the initialized chaos source C (IV ) generates a pseudorandom byte stream, M , of the same size of the plain image, I .
During the encryption phase, the constructed S and M are utilized to transform plain image pixels to cipher VOLUME 8, 2020 image pixels. A plain image pixel is first XORed with the previous cipher image pixel, indicated by the z −1 in the block diagram. The result is then substituted using the S-box, S, then XORed with the corresponding value of the chaotic sequence, M . The result is finally substituted again using the same S-box, S, to produce the corresponding cipher image pixel. The nonce numbers N S and N C are stored in the cipher image header to facilitate decryption.
As shown in Figure 2, to decrypt a cipher image, N S and N C are extracted from its header and used along with the shared secret keys, K S and K C , to construct the corresponding chaotic sequence, M , and inverse S-box S −1 . Each cipher image pixel is substituted, XORed with the corresponding chaotic sequence value, substituted again, and finally XORed with the previous cipher image pixel. The encryption and decryption procedures are listed in Algorithm 1 and Algorithm 2, respectively.

B. FRAMEWORK REALIZATION
To demonstrate the application of the proposed generic framework, we present a sample implementation for the generic key-dependent S-box construction component, S, and the generic chaotic source component, C.

1) DYNAMIC S-BOX CONSTRUCTION COMPONENT
The proposed framework makes the following assumptions about the S-box construction component, S: 1) S is Output the decrypted image I D key-dependent, i.e., the generated S-box is determined by K S and N S , so that the decryption process can generate the inverse S-box from the same key, 2) S must be able to generate an unlimited number of S-boxes, to increase the key-space, and 3) S must be able to generate a dynamic S-box reasonably fast, so that a new S-box is constructed for each image in real time. Any key-dependent dynamic Sbox construction method satisfying these assumption, such as [12], [14], [25], [30]- [41], can replace the generic S-box component, S Ks (N S ), where K S and N S map to the key of the S-box construction method. For example, the method in [11] uses repetitive functional composition to construct a dynamic S-box from of a set of initial static S-boxes. The choice of which S-box to compose in each iteration is controlled by a chaotic map. The initialization of the chaotic map and the number of compositions can be mapped to N S and K S , respectively.
To use any key-dependent S-box construction method which has only one initialization parameter, such as [42], we propose the following modification to convert it to a two-parameter function. Let S(K ) be a key-dependent S-box construction method with one parameter, K . Define S Ks (N S ) = S (AES Ks (N S )). This introduces dependency on both K S and N S .
In this paper, we propose a new key-dependent S-box construction method based on Mersenne twister PRNG (MT19937) shown in Algorithm 3.
A sample S-box generated by the proposed method is shown in Figure 3. Standard security tests of S-boxes include nonlinearity (NL), linear approximation probability (LAP), differential uniformity (DU), strict avalanche criterion (SAC) and bit independence criterion (BIC) [43].
Cryptographic analysis of the sample S-box was verified using SageMath [44] and compared to recently proposed qualifying S-box construction methods in Table 1. The comparison shows that the S-boxes generated by the proposed method are similar to those generated by relevant methods. However, the proposed S-box construction method has two main advantages: 1) sufficiently large key space, since the internal state of the MT19937 consists of 19937 bits, and 2) the use of integer arithmetic allows faster construction of  j ← next random from R mod 256. 7.
a (j) ← true, s (i) = j 9. end for 10. Output s (0: 255) dynamic S-boxes and avoids potential implementation errors due to conversion from initialization bit vectors to floating point representation.

2) CHAOTIC SOURCE COMPONENT
The chaotic source component, C, can be implemented using any classical or modern chaotic map. For example, Table 2  lists a sample of four classical chaotic maps and four modern chaotic maps that are used to implement the proposed framework. The mapping between the initialization vector, IV, and the initial state is shown next to each chaotic map. The specific mathematical expression for this mapping depends on the actual implementation of the chaotic map. When the state of the chaotic map is represented as double-precision floating-point numbers, the initial state can be expressed as where b i is the ith bit of the initialization vector, IV .

VOLUME 8, 2020
To generate the chaotic keystream, the floating-point representation of the chaotic map state, (x k , y k ), is converted to an 8-bit integer number, m k , using the equation (2)

IV. PERFORMANCE ANALYSIS
To evaluate the security and performance of the proposed framework, we performed standard tests including statistical analysis, differential analysis, key sensitivity analysis, key space analysis, and speed analysis. Although necessary, these statistical tests are not sufficient and further analysis must be performed to show the resistance of the proposed framework to specific cryptanalysis scenarios [45], [46]. Therefore, we also analyzed the framework resistance to chosen-plaintext, chosen-ciphertext cryptanalysis, and the PRNG-reset attack. Figure 4 shows the sample medical images used for testing [47]- [49]. During the testing, we used the proposed S-box construction method based on MT19937 PRNG, whereas the chaotic map was varied among the list of maps defined in Table 2.

A. STATISTICAL ANALYSIS
Statistical analysis includes a set of tests which assess immunity to statistical ciphertext-only attacks.

1) HISTOGRAM TEST
The uniformity of an encrypted image histogram is a basic requirement for a strong encryption system to resist statistical attacks. For visual inspection, Figure 5 shows sample histograms of the encrypted CT scan image generated by the proposed framework for each of the evaluated maps. Histograms appear uniform indicating that the proposed framework passes this test. Histograms of the other medical images we tested exhibit similar uniformity. As a numeric metric of the uniformity of a histogram, Chisquare variance test (χ 2 ) is utilized. The test compares the variance of the histogram to the histogram of a completely random image. The test starts by calculating where f i is the frequency of gray level i in the encrypted image and E k = N 256, which is the expected frequency of gray level value for an image containing N pixels. Since the histogram of a gray level images has 255 degrees of freedom, the resulting X 2 is tested against the distribution χ 2 (255, α), where α is the significance level. The histogram passes the test if the p-value is greater than α, which indicates that the histogram uniformity is satisfactory.
Since chaotic maps are sensitive to the initialization vector, IV , which change with each encryption attempt, the quality of the resulting histogram may vary accordingly. To study this effect, the χ 2 test was repeated 1000 times for each of the chaotic maps. We reported the χ 2 test pass rate for each chaotic map in Table 3. Results indicate all the proposed  framework passes the histogram χ 2 test with very high probability with all the considered chaotic maps.

2) CORRELATION TEST
The cross-correlation test measures the disparity between the encrypted image and the plain image. Obviously, the optimal correlation is zero.   The cross-correlation coefficient is performed as follows: where x and y are the plain image and the encrypted image, respectively, N is the number of image pixels, x j , and y = 1 N N j=1 y j . Table 4 shows that the correlation between encrypted images and plaintext images is near zero indicating that our scheme achieves high confusion.
One of the characteristics of a plain image is spatial correlation, i.e., correlation between neighboring pixels. An adversary can use the correlation between neighboring cipher pixels to infer some information about the plain image. Therefore, any encryption system must minimize such correlation. The spatial correlation distribution is depicted in Figure 6 for the plain and encrypted X-ray image, encrypted using Henon map. Results illustrate how the plain image strong spatial correlation was removed in the cipher image. Table 5 shows the values of correlation between the neighboring pixels in horizontal, vertical and diagonal directions for the encrypted images. The correlation coefficients for the encrypted images are almost zero, indicating that the proposed framework reduces the correlation between neighboring pixels to a satisfactory level.

3) ENTROPY TEST
A good encryption scheme must maximize randomness of the cipher image. To evaluate the randomness in the cipher image the global entropy test is carried out as follows where P j is the probability of occurrence of pixel intensity j. Table 6 shows that the global entropy for sample medical images encrypted with the proposed framework is near the value 8, which indicates a completely uniform distribution of pixel values. The local Shannon entropy (LSE) test considers the mean entropy of a set of randomly selected blocks of the image, thus estimating local randomness. LSE is calculated as follows: 1-Randomly select N B non-overlapping blocks, B 1 , B 2 , . . . , B N B from the cipher image, with block size T B pixels.
3-Compute the mean (LSE) as follows: According to [50], the mean value of LSE of a random image is 7.9024693 with N B = 30 and T B = 1963. The confidence interval for LSE, with confidence level α = 0.05, is (7.901901305, 7.903037329).
The LSE results shown in Table 6 indicate that images encrypted with the proposed scheme satisfy the randomness hypothesis at confidence level α = 0.05.

4) NIST RANDOMNESS TEST SUITE
A standard set of randomness hypothesis tests was proposed by NIST in [51]. When the p-value of each test is greater than α, we may conclude that the tested sequence appears to be random with confidence level α. We performed the tests on a sample of cipher images corresponding to the MRI-3D image encrypted with classical Baker map and enhanced sinechaotified Henon map. The results of the tests listed in Table 7 shows that the cipher images pass all randomness tests at α = 0.01 confidence level.

5) TEXTURE ANALYSIS
Image encryption quality can also be quantified through applying a set of texture analysis statistics to the resulting encrypted images [52]. First, we compute an 8 × 8 graylevel co-occurrence matrix (GLCM) of the encrypted image I C using the following expression 160440 VOLUME 8, 2020   Then, we calculate the contrast, correlation, energy, and homogeneity of p(i, j), Correlation Energy Homogeneity High quality encryption should generate a pseudorandomlike cipher image with a uniform gray-level cooccurrence matrix. By applying (8)(9)(10)(11) to a uniform cooccurrence matrix we obtain contrast = 10.5, correlation = 0, energy = 0.015625 and homogeneity = 0.389397. Results shown in Table 8 show that the proposed framework effectively increases contrast and lowers correlation, energy, and homogeneity to near optimal levels, indicating high encryption quality.

B. DIFFERENTIAL ANALYSIS
Differential attacks exploit the difference between cipher images to infer information about plain images. To resist differential attacks, an encryption scheme should produce widespread changes in the cipher images corresponding to a small change in the plain image.
To verify the resistance to differential attacks, we induce a change in one bit of the original image and measure the changes in the resulting encrypted image. We calculate the Unified Averaged Changed Intensity (UACI) and Number of Pixels Change Rate (NPCR) using the following formulae where I C1 is the cipher image corresponding to the original plain image, I C2 is the cipher image corresponding to the changed plain image, MN is the number of image pixels, and An encryption scheme shows immunity against deferential attacks if UACI value is close to 33.4635% and the NPCR value is close to 99.6094% [53]. We use the randomness test proposed in [54] to judge if the resulting NPCR and UACI are distinguishable from a random change, with significance VOLUME 8, 2020  level α = 0.01. Table 9 shows the UACI and NPCR confidence intervals corresponding to each of the sample images used for testing.
We repeated the plain image sensitivity tests 1000 times for each image with each of the chaotic maps. For each test, the value of just one randomly chosen bit of the plain image is flipped. Table 10 lists the mean values of NPCR and UACI as well as the test pass percentage for α = 0.01. The results indicate that the proposed framework is immune to differential cryptanalysis.
To visually inspect the difference between two cipher images I C1 and I C2 , we calculate the difference image using the following formula As shown in Figure 7 (e), the difference image is randomlike, which indicates that the proposed framework has strong diffusion capability and thus resists differential cryptanalysis.

C. KEY SENSITIVITY ANALYSIS
To resist related-key attacks, an encryption scheme should be sensitive to changes in the encryption key. Both the encryption process and the decryption process should be sensitive to the key. To measure the key sensitivity of the proposed encryption process, we start with an initial encryption key, K , then make a slight one-bit change to the key to obtain a related encryption key, K = K ⊕ 1. A plain image, I , is encrypted with K and with K to obtain I C1 and I C2 , respectively. We then calculate the correlation, the NPCR and the UACI for I C1 and I C2 .
The proposed framework has two encryption keys, the S-box construction key, K S and the chaotic map key, K C . Therefore, we test the scheme's sensitivity to each of them.
Results of encryption key sensitivity analysis, with respect to the dynamic S-box key are presented in Table 11. Results include correlation coefficient, UACI and NPCR for three medical images encrypted using two related dynamic S-box keys K S and K S . Results indicate high sensitivity to changes in dynamic S-box key.
Results of chaotic map encryption key sensitivity analysis are presented in Table 12. Each row indicates the results for one of the investigated chaotic maps, including the correlation coefficient, the UACI and the NPCR for three medical images encrypted using two related chaotic maps keys K C and K C such that K C ⊕ K C = 1. Results indicate high sensitivity to changes in chaotic map keys.
As shown in Figure 8 and Figure 9, the difference between the two images encrypted with related S-box keys or related chaotic map keys is a random image, which indicates that the proposed framework is highly sensitive to slight changes in encryption keys.   To illustrate the sensitivity of the decryption process to the key, we encrypt the plain image with key, K , then decrypt the resulting cipher image with K to obtain the decrypted image I D . Results of decryption shown in Figure 8 and Figure 9 appear random, which indicates that the decryption process is highly sensitive to both keys, K S and K C .

D. KEY SPACE ANALYSIS
The simplest cryptanalysis attack consists of a blind search for the encryption key in the set of all such possible keys. Therefore, it is necessary to make the key space large enough to deter brute-force attacks.
The encryption key of the proposed framework consists of two components, namely, the dynamic S-box key, K S and chaotic map key, K C . This composite encryption key gives our scheme a clear advantage in comparison with traditional chaotic encryption schemes, in which the encryption key is limited to chaotic map parameters. For the used 2D-chaotic maps, the initialization has at least 2 × 53 significant bits, giving a key space of 2 106 .
Theoretically a dynamic S-box is chosen from a set of (256!) S-boxes. This increases the key space by a factor of ∼10 1167 . Practically the key space of the dynamic S-box is limited by its construction algorithm. The proposed S-box construction method uses a 128-bit key. Together with the chaotic map key, the resulting key space is beyond the reach of brute-force attacks. A powerful adversary with a classical computer capable of attempting 10 12 keys per second would need more than 10 50 years. VOLUME 8, 2020

E. RESISTANCE TO CHOSEN-PLAINTEXT AND CHOSEN-CIPHERTEXT ATTACKS
In a chosen-plaintext attack, the adversary has temporary access to the encryption oracle and can feed it with  carefully chosen plaintext to reveal some information about the encryption key. Therefore, immunity against chosenplaintext attacks precludes known-plaintext attacks, in which the adversary exploits knowledge of one or more plaintextciphertext pairs. In a chosen-ciphertext attack, the adversary gains temporary access to the decryption oracle and can feed it with carefully chosen ciphertext to infer some information about the encryption key.
A common chosen-plaintext attack uses an all-white or an all-black image and attempt to detect any non-random patterns in the cipher image or any non-uniformity in its histogram.
As shown in Figure 10, the resulting cipher images have no visible patterns and their histograms are uniform. Moreover, Table 13 demonstrates that the histogram χ 2 -test, the spatial correlation, and the entropy of the encrypted all-black image match the characteristics of a pseudorandom image.
The rest of this subsection discusses the special precautions taken to make the proposed framework resist chosen-plaintext and chosen-ciphertext attacks.
As noted in [46], a chaotic map key, K C , may be recoverable by an algebraic attack if the adversary gains access to the chaotic sequence. Therefore, the proposed framework employs four mechanisms to protect the chaotic sequence. First, the feedback mechanism complicates the form of plaintext needed to expose the chaotic mask. Second, the nonce initialization generates a different chaotic sequence for each encryption attempt. Third, AES encryption of nonce initialization enables resistance to the reset attack against the PRNG [2]. Fourth, the last S-box substitution adds another line of defense to the chaotic map.
To demonstrate the effectiveness of these mechanisms, let's assume that an adversary attempts a chosen-plaintext attack by choosing a plain image p k , ∀1 ≤ k ≤ #I and obtains the corresponding cipher image c k = S (S (p k ⊕ c k−1 ) ⊕ m k ). To cryptanalyze the chaotic mask, , an all-black image is not suitable to expose m k , due to the feedback mechanism.
Instead, the adversary may use a special plain image satisfying p k ⊕c k−1 = η to obtain m k = S −1 (c k ⊕S (η)), such that S (η) can be guessed as a constant ∈ {0, 1, . . . , 255}. In this case, the adversary would be left with m k = S −1 (c k ⊕ ), where both m k and S −1 are still unknown. Since c k ⊕ has a uniform random distribution, the adversary must guess the entire S-box while simultaneously cryptanalyzing m k . Therefore, the second S-box adds an extra layer of security to the chaotic map against cryptanalysis.
Under the conditions of a reset attack, if the adversary can reset the encryption PRNG during a chosen-plaintext attack, the resulting chaotic sequence m k and S-box S may be fixed across multiple chosen-plaintext encryption attempts. This powerful attack may allow the adversary to recover m k and cryptanalyze it to obtain the chaotic map initialization, IV . However, since IV = AES K C (N S ), the secret key, K C , remains protected by AES.

2) RESISTANCE TO CHOSEN-CIPHERTEXT ATTACKS
The first S-box protects the chaotic map against chosenciphertext attacks, in a way similar to the role played by the second S-box in protecting the chaotic map against chosen-plaintext attacks. For instance, if the adversary chooses an all-black cipher image c k = 0, ∀1 ≤ k ≤ #I , and obtains a decrypted image, p k = S −1 S −1 (0) ⊕ m k , the adversary needs to solve m k = S (p k ) ⊕ S −1 (0), where both m k and S are unknown. The adversary must cryptanalyze both the chaotic map and the S-box simultaneously, which strengthens the chaotic map against chosen-ciphertext attacks.   To measure the speed of the proposed encryption framework, it was implemented in Java and run on JavaSE 1.8 virtual machine on a PC with Intel Core i7-4790 @ 3.6GHz base speed and 32GB of RAM. The encryption parameters were set to a 128-bit key, K S . The program was then used to encrypt the three medical image sets of varying sizes as specified in Table 14.
Encryption throughput is calculated as the size of data encrypted per second. Figure 11 shows the average encryption throughput for the proposed framework with each of the chaotic maps. As shown in Figure 11, the baker map achieves the best performance with encryption throughput averaging at 89 MB/s.
With such a throughput, the proposed encryption framework is well suited for real-time encryption and decryption of medical image data. For instance, the MRI image set consisting of three hundred and sixty-one images totaling 94.6 MB can be encrypted in less than 1.1 seconds. However, more sophisticated chaotic maps involving one or more sine operations, consume dramatically more time, which renders them unsuitable for real-time applications. For instance, the sine-chaotified sine-logistic 2D map (SC-SLM), the slowest among the evaluated chaotic maps, takes about 19.2 seconds to encrypt the 94.6-MB MRI image set.
Next, we study the effect of image size on the encryption throughput. For instance, in Figure 12, the encryption throughput for the proposed framework with Baker map is shown for images of varying size. The figure reveals that encryption throughput is almost constant regardless of the image size. This conforms with our earlier analysis that the complexity of Algorithm 1 is O(n).
As shown in Table 15, the encryption time of the proposed framework with Baker map is broken down into three major components. The first component is the S-box construction   time, which approximately takes 28 µs, independent of the image size. The second component is the chaotic mask generation time, which takes a time linear in the size of the plain image. The last component is the substitution and XORing of pixels, which increases linearly with image size. The overhead of the proposed S-box construction method is relatively negligible, considering the additional security gained, which justifies the design of the proposed framework.

V. PERFORMANCE COMPARISON
To demonstrate the competitiveness of the proposed framework and highlight its advantages, we present comprehensive comparisons with related medical image encryption schemes. The comparisons presented here include statistical analysis, differential analysis, and encryption speed.   Table 16 compares the entropy and spatial correlation of cipher images generated by the proposed framework with those reported by other schemes. The results indicate that the proposed framework achieves a correlation value that is very close to the ideal value and in harmony with the results of the other schemes. Table 17 compares the plain image sensitivity of the proposed framework with related schemes. Results show that the proposed framework achieves some of the best values of UACI and NPCR among related schemes. These results indicate that the proposed scheme offers high immunity against differential attacks. Table 18 compares the encryption speed of the proposed framework with related image encryption schemes. For fairness, the software and hardware specifications reported by each of the schemes are indicated next to each scheme. Apparently, the proposed framework performs much faster than its competitors.

VI. CONCLUSION AND FUTURE WORK
By efficiently employing cryptographic primitives, the proposed medical image encryption framework achieves 1) an exceptional throughput suitable for real-time encryption, and 2) an enhanced resistance to chosen-plaintext, chosenciphertext and reset attacks. The security and efficiency advantages of the proposed framework can be extended to any classic, modern or future chaotic map. Moreover, the proposed framework can employ a class of efficient key-dependent S-box construction methods including the proposed key-dependent S-box construction method based on MT19937 PRNG, which offers a larger key space and faster construction times. When the proposed framework was tested with eight classical and modern chaotic maps, the best encryption throughput obtained was about 90 MB/s, achieved with Baker map and Henon map. However, the proposed framework requires a lossless communication channel, which is desirable for accurate medical diagnosis. An interesting prospect for research extending this work is to investigate how the proposed framework may benefit from hardware acceleration for implementing cryptographic primitives. Developing efficient embedded implementation for medical imaging devices supporting DICOM standard is another proposed future work. He is currently an Assistant Professor with the College of Computer and Information Technology, Taif, Saudi Arabia. He is also a member of the CES Laboratory (Computer and Embedded System), National School of Engineers, University of Sfax. His current research interests include over several areas related to wireless sensor networks, cybersecurity, and multirobot system coordination. He has several publications in several highquality international journals and conferences.
Dr. Cheikhrouhou has received several me awards, including the Governor Prize from the Governor of Sfax in 2005. He is currently a Professor with the Department of Computer Engineering, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia. He is also involved in many research projects as a Principal Investigator and a Co-Principal Investigator. He is also affiliated with the Center of Smart Robotics Research, CCIS, King Saud University. He has authored or coauthored more than 200 publications, including the IEEE/ACM/Springer/Elsevier journals, and flagship conference papers. He has two U.S. patents. His research interests include image and speech processing, smart healthcare, machine learning, and AI.
Dr. Muhammad was a recipient of the Japan Society for Promotion and Science (JSPS) fellowship from the Ministry of Education, Culture, Sports, Science and Technology, Japan. He received the Best Faculty Award of the Computer Engineering Department, KSU, from 2014 to 2015. He has supervised more than 15 Ph.D. and Master Theses. He is currently a Professor with the Department of Software Engineering, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia. He is also an Adjunct Professor with the School of Electrical Engineering and Computer Science, University of Ottawa. His research interests include cloud networking, smart environment (smart city, smart health), AI, deep learning, edge computing, the Internet of Things (IoT), multimedia for health care, and multimedia big data. He has authored or coauthored more than 250 publications, including refereed journals, conference papers, books, and book chapters. Recently, he co-edited a book on Connected Health in Smart Cities (Springer). He has one U.S. patent (in process).
Dr. Hossain is a Senior Member of ACM. He was a recipient of a number of awards, including the Best Conference Paper Award and the 2016 ACM Transactions on Multimedia Computing, Communications, and Applications (TOMM), the Nicolas D. Georganas Best Paper Award, the 2019 King Saud University Scientific Excellence Award (Research Quality), and the Research in Excellence Award from the College of Computer and Information Sciences (CCIS), King Saud University (three times in a row). He has served as the Co-Chair, the General Chair, the Workshop Chair, the Publication Chair, and the TPC for more than 12 IEEE and ACM conferences and workshops. He also is the Co-Chair of the Third IEEE ICME workshop on Multimedia Services and Tools for smart-health (MUST-SH 2020). He has served as a Guest Editor for IEEE Communications Magazine, IEEE Network, the IEEE TRANSACTIONS ON  He is currently an Associate Professor with the Electronics and Electrical Communications Engineering Department, Faculty of Electronic Engineering, Menoufia University. He is also an Assistant Professor with the Electrical Engineering Department, College of Engineering, Taif University, Saudi Arabia. His areas of interest include image processing, watermarking, image encryption, and cryptography. VOLUME 8, 2020