Privacy-Enhanced and Verifiable Compressed Sensing Reconstruction for Medical Image Processing on the Cloud

The well-known compressed sensing reconstruction (<inline-formula> <tex-math notation="LaTeX">$\mathcal {CSR}$ </tex-math></inline-formula>) uses the sparse characteristics of the signal to obtain discrete samples with the compression (<italic>i.e</italic>. measurement) algorithm, and then perfectly reconstructs the signal through the reconstruction algorithm. Benefiting from the storage savings, the <inline-formula> <tex-math notation="LaTeX">$\mathcal {CSR}$ </tex-math></inline-formula> has been widely used in the field of large-scale image processing. However, the reconstruction process is computationally overloaded for resource-constrained clients. Therefore, designing a cloud-aided <inline-formula> <tex-math notation="LaTeX">$\mathcal {CSR}$ </tex-math></inline-formula> algorithm becomes a hot topic. In this paper, we investigate the existing secure <inline-formula> <tex-math notation="LaTeX">$\mathcal {CSR}$ </tex-math></inline-formula> algorithms within a cloud environment and propose a new privacy-enhanced and verifiable <inline-formula> <tex-math notation="LaTeX">$\mathcal {CSR}$ </tex-math></inline-formula> outsourcing algorithm for online medical image processing services. Compared with previous work, our new design can efficiently achieve more extensive security. Precisely, (1) our algorithm realizes the privacy preservation of the original image, as well as the input/output information of the reconstruction process under the chosen-plaintext attack, (2) our design is based on a malicious cloud server model and can verify the correctness of the cloud returned result with a probability of approximating 1, and (3) our algorithm is highly efficient and can make the local client achieve decent computational savings. The main technique of our design is a combination of linear transformation, permutation and restricted random padding which is concise and high-efficiency. We analyze the above claims with rigorous theoretical arguments and comprehensive experimental analysis.


I. INTRODUCTION
In recent years, the COVID-19 pandemic has greatly boosted the development of online diagnosis and treatment, in which paradigm, potential patients with the new coronary disease can first take CT images of their lungs with the medical data acquisition device, and then send the images to the doctor. After that, the doctor can judge the disease and present the corresponding treatment planning based on the received images. In this case, the resolution of the image will greatly affect the doctor's judgment. Low-resolution images could make the doctor present wrong judgments, The associate editor coordinating the review of this manuscript and approving it for publication was Zhipeng Cai. while high-resolution images will make the doctor's judgment more accurate. However, images with high qualities are usually too large to store. Generally, we can employ the compressed sensing reconstruction (CSR) algorithm [4], [5], [11] to solve this problem. The CSR is an efficient signal sampling technique proposed by Donoho et al. [4], [5], [11]. For any compressible image, it can accurately reconstruct the original image from a set of far fewer samples than those required by the Shannon-Nyquist sampling theorem [14]. Therefore, the acquisition device can sample the medical image with CSR algorithm and send the compressed image (i.e. sample) to the doctor. Since the size of a sample is always smaller than that of the original image, this method can evidently reduce the storage overhead [10]. Yet there still exist many practical concerns for CSR-based image processing. On one hand, in the current big data era, the scale of the tackled medical images is usually very large, the storage savings with CSR may not be enough for local resource-constrained medical institutes. On the other hand, the reconstruction processing of CSR is time-consuming, it may be overloaded for most data acquisition devices. Fortunately, the promising cloud computing paradigm exactly solve these two problems [8], [12]. That is, the resource-constrained data acquisition device can upload the compressed images to a resource-abundant cloud server and, meanwhile, the cloud server can assist the doctor in realizing the images reconstruction.
Although cloud computing can provide a flexible storage and processing infrastructure, many security issues arise [17], [21], [22], [27], [31]. First, the image data is usually private, the leakage of these data may cause significant property losses to the outsourcer (e.g. individuals or enterprises). Second, the cloud server is remote and thus out of control. It may grab valuable information from the received information and the intermediate calculated result, or even deliberately send a forged result to fool the outsourcer. Finally, due to some unforeseeable reasons, hardware damage or software errors may encounter when computing or transmitting the data. Therefore, it is of great significance to design a secure cloud-assisted CSR algorithm, which, besides achieving considerable computational savings on the local side, should assure the privacy of the outsourcer's sensitive information and the verifiability of the server returned result [16], [30], [35]. Along this direction, many different methods have been developed to securely outsource the CSR task to a remote cloud server [13], [23], [24], [34]. However, there still exist many security and efficiency issues, which will be discussed in the following separate subsection, needing to be further investigated.

A. RELATED WORK
In recent years, many scholars have studied the CSR algorithm in the field of information security [15], [28], [29], [33]. In this section, we will review the closely related work towards two lines: the progress of CSR theory and the progress of privacy-preserving CSR within a cloud environment.
For CSR theory, since Donoho [11] proposed the theory of CSR which consists of a sampling sub-algorithm with some measurement matrix and a reconstruction sub-algorithm with some sensing matrix, many scholars have tried to improve the quality of the reconstructed image with a sample as small as possible. Divekar and Ersoy [10] utilized compressed sensing technology to reduce the storage space of largescale data. That is, uploading the compressed sample to the cloud server instead of storing the complete image locally. According to their demonstration, compared with directly storing the original image, storing the compressed sample can save 50% of the storage space. But their work does not concern data security issues. Dai and Milenkovic [9] noticed the complexity of the reconstruction process and proposed a new method for reconstructing sparse signals with high reconstruction accuracy. Also, they did not consider achieving the computational task through cloud servers, and thus did not involve privacy issues. Another view is treating the CSR algorithm as a data encryption approach [19], [20]. They pointed out that if the measurement matrix was kept secret, the attacker was incapable of recovering the original data. For instances, Wang et al. [26] utilized the chaotic discrete wavelet transform basis and chaotic discrete cosine transform measurement matrix to specify the sampling and reconstruction sub-algorithms in CSR theory. Compared with the traditional measurement matrix method, this algorithm can improve the quality of reconstructed images with a small sample. At essentially the same time, Liu et al. [18] proposed an image visual privacy-preserving level evaluation method for the multilayer CSR model based on contrast and salient structural features, they used an improved Gaussian random measurement matrix to sample the images. Subsequently, Chai et al. [7] designed an efficient visually meaningful double color image sample algorithm with an optimized measurement matrix by SVD.
For the CSR within a cloud environment, many efficient and secure outsourcing CSR algorithms have been proposed. Firstly, Wang et al. [23], [24] considered two application scenarios about the outsourcing of CSR, one is to privacy-preserving store and reconstruct large-scale images on the cloud, and the other is outsourcing the storage and reconstruction of healthcare diagnostic signals to a cloud server. The encryption methods of their algorithms are similar and on basis of affine mapping technology. Although the security of their algorithms is robust, due to the multiple operations of dense matrix multiplications, the efficiency is poor, especially for large-scale applications. In addition, the cloud server in their designs is assumed to be semi-honest, so their schemes fail to fulfill the verifiability of the results returned from the cloud. Later, Zhang et al. [34] studied a new scenario that multiple non-colluding and semi-honest cloud servers parallelly sample and reconstruct the original signal, and designed a privacy-preserving method based on random permutations. However, the non-colluding assumption among multiple clouds is too strong in practice, and the verifiability is also missed. Subsequently, Hu et al. [13] presented an outsourcing scheme for image storage and reconstruction with a non-standard CSR algorithm. They designed a sparse 1 norm-preserving matrix transformation to realize the preservation of the measurement matrix and the sparse coefficient vector during the reconstruction process. However, their scheme does not consider the privacy of the sample. Also, it is designed under a semi-honest cloud and thus without verifiability. Under the assumption of a malicious cloud server, Zhang et al. [32] proposed a verifiable outsourcing algorithm for CSR. Their algorithm realizes the privacy of the original signal by keeping the employed orthogonal sparse base secret and achieves the verifiability of the server returned result by outsourcing the task twice. Essentially, their algorithm is an adaptation of the standard CSR algorithm without any encryption operation. The measurement matrix is public and the sparse coefficient vector in the reconstruction process is also not protected. More importantly, the outsourcer must perform the outsourcing algorithm twice to verify the correctness of the results returned from the cloud, which greatly reduces the efficiency of their algorithm. Recently, Wang et al. [25] proposed a low-complexity p-tensor product CSR outsourcing algorithm under the assumption of an honest cloud. They mainly consider the threats from outside attackers. For data security and user authentication, the cloud server uses asymmetric encryption to encrypt the sample and share the private key with the user for identity authentication. After the user is authenticated, the cloud performs a CSR service and returns the result to the user.

B. MOTIVATION AND OUR CONTRIBUTION
Based on our above investigation, most of the existing CSR outsourcing algorithms are designed without verifiability. Meanwhile, the verifiable outsourcing algorithm [32] does not concern the privacy of the sample and the key coefficient vector in the reconstruction process, and the employed verifiability method is low efficiency. These unsatisfactory facts motivate us to design a highly efficient, privacy-enhanced, and verifiable outsourcing algorithm for medical image processing within a fully malicious cloud environment.
In this paper, we focus on the setting that the medical institute aims to rent a resource-powerful cloud server to securely store and reconstruct the large-scale medical images with CSR technique, and design a new efficient and secure cloud-aided diagnosis algorithm. Precisely, compared with prior arts, our main contribution can be reflected as the following three aspects: 1) Our design is privacy-enhanced. Our design can not only protect the privacy of the original image, but also blind the sampled signal, the sensing matrix and the solution vector of the convex optimization problem. We argue the one-way privacy of the above information under the chosen-plaintext attack with rigorous theoretical analysis. 2) Our algorithm is designed under a malicious cloud server. With an intentionally designed random padding technique, our design enables the doctor to detect dishonest behaviors of the cloud with a probability of approximating 1. 3) Our algorithm is high-efficiency. Our privacy preservation approach is on basis of linear transformation, permutation and restricted random padding techniques, which can be efficiently implemented. We theoretically argue the computational savings achieved on the local side and experimentally evaluate the practical performance of our outsourcing algorithm by (1) comparing our design with Wang et al's algorithm [24] and (2) contrasting the time cost of outsourcing with the time cost without outsourcing. Theoretical and experimental analysis shows the high efficiency of our algorithm.

C. LAYOUT OF OUR PAPER
The rest of this article is arranged as follows: Section II briefly reviews the CSR theory and introduces the system model, the threat model and our design goals. In section III, we introduced some notations and mathematical concepts used in our design. Our outsourcing design of CSR for medical images is provided with a detailed description in section IV, and the correctness and security of the design are analyzed in section V. Section VI evaluates the efficiency of the proposed algorithm with rigorous theoretical argument and extensive experimental analysis. Finally, we conclude our paper in section VII.

II. PROBLEM STATEMENT
Before presenting our design, we introduce some preliminaries about CSR.

A. COMPRESSED SENSING RECONSTRUCTION
Compressed sensing is a non-adaptive linear measurement process, which improves the shortcomings of traditional sampling that discards part of the data [6], [11]. Suppose there is a signal (e.g., a medical image) x ∈ R n which is usually not sparse. The signal x is called compressible, if there exists some orthogonal basis D ∈ R n×n (the classic orthogonal basis includes discrete cosine transform, Fourier transform, discrete wavelet transform [1]) such that x can be expressed as where s ∈ R n is a sparse projection coefficient vector.
Obviously, x and s are equivalent representations of the same signal.
Sampling process: Choose a measurement matrix A ∈ R m×n (m n) satisfying the restricted isometry property (RIP) [3], and then calculate the compressed sample y ∈ R m as below: Generally, the most commonly used measurement matrices are independent and identically distributed Gaussian random matrices, as well as random Bernoulli matrices and Toplitz matrices [1]. Reconstruction process: This step reconstructs the sparse coefficient vector s from the measurement sample y by solving an 1 minimization problem: min s 1 subject to y = Hs, where H = AD ∈ R m×n is the sensing matrix.  client C, the disease diagnosis doctor D and the cloud server S. Limited by the storage and computing capabilities, the medical image acquisition device and disease diagnosis doctor use compressed sensing technology to reduce storage, and at the same time leverage resource-rich cloud servers to achieve reconstruction tasks. However, due to the potential untrustworthiness of cloud servers, a tailored encryption technology must be designed to ensure the privacy of information. First, the medical image acquisition client C adopts compressed sensing technology to obtain the patient's image sample data. That is, C samples the medical image x ∈ R n with an m × n (m n) measurement matrix A and obtains the sample y = Ax. Simultaneously, it calculates the sensing matrix H = AD, where D ∈ R n×n is some orthogonal sparse matrix. In order to protect the patient's data privacy, the medical image acquisition client C generates a secret key sk and encrypts the information z = (H, y) to z = (H , y ). Then it uploads z to the cloud S for storage and image reconstruction. After receiving the image query request from the disease diagnosis doctor D, the cloud S performs the medical image reconstruction task. That is, it calculates s = CSR (z ), and sends s to the doctor D. Finally, after receiving s , D employs the key sk shared with the client C to decrypt s and gets s = CSR(z). Followed by the verification of its correctness, D further restores the original medical image x = Ds.
Precisely, our secure medical image compression and reconstruction outsourcing algorithm can be formalized as 2) THREAT MODEL In the above system, threats mainly come from the untrusted cloud server. Generally, based on the different behaviors of cloud servers, untrusted cloud servers can be divided into three categories: lazy, honest and curious (i.e. semi-honest), and malicious (dishonest and curious). After receiving the assigned computation task, to save the expensive computational resource, a 'lazy' server may not perform the specified operations completely and return an intermediate result or even a random result to the doctor. An honest and curious server will perform the specified task honestly. However, it may be curious about the patient's private data and try to recover the valuable part from the input and output of the computation task. For a malicious server, it not only is curious about the patient's sensitive information, but also may arbitrarily deviate from the specifications. For example, it could falsify a result to deceive the doctor.
Furthermore, according to the different abilities of cloud servers, there are mainly three attack models: 1) Ciphertext-only attack (COA) Model. In COA model, the cloud server only knows the encryption algorithm and the ciphertext to be decrypted, and tries to recover the corresponding plaintext. 2) Known-plaintext attack (KPA) Model. In KPA model, except the encryption algorithm and the ciphertext to be decrypted, the cloud server also owns several plaintexts and their corresponding ciphertexts. 3) Chosen-plaintext attack (CPA) Model. In CPA model, the cloud server can adaptively choose several plaintexts and obtain their corresponding ciphertexts. It tries to recover the plaintext of the ciphertext to be decrypted. Overall, there are nine possible combined threat models according to different behaviors and attack abilities of cloud servers. Clearly, an outsourcing algorithm designed under the malicious cloud with a CPA model is also secure under other threat models, but not vice versa. Therefore, in terms of security, it is more meaningful to design the outsourcing algorithm under the 'malicious server + CPA' threat model.

C. DESIGN GOALS
Our goal is to design a correct, high-efficiency and secure medical image compression and reconstruction outsourcing algorithm MIOA CSR under the 'malicious server + CPA' threat model. We formalize their strict definitions as follows.
In the query and response phase of the above experiment, the adversary A can adaptively choose t = poly(κ) inputs {z i } 1≤i≤t and capture their corresponding ciphertext {σ z i } 1≤i≤t by repeatedly invoking the oracle algorithm ProbEnc. Subsequently, in the challenge phase, the adversary A receives the ciphertext σˆz of some challenge plaintext z. Then, A tries to calculate a resultz on basis of its collected information in the query and response phase. Ifz =ẑ, the experiment outputs 1, otherwise, it outputs 0. Experiment Query and response : Challenge : z ← Domain(CSR). sk ← KeyGen(CSR,ẑ, 1 κ ). σˆz = (CSR ,ẑ ) ← ProbEnc(CSR,ŝ k,ẑ).
Similarly, in the query and response phase, the adversary A can adaptively choose t = poly(κ) inputs {z i } 1≤i≤t , and obtain their corresponding t three-tuples of (z i , σ z i , δ i ) 1≤i≤t with the oracle access to the algorithms ProbEnc and ProbVer&Dec. In the challenge phase, given a challenge plaintextẑ, the adversary A captures σˆz andŝ output by the algorithms ProbEnc and Compute. Then, according to the collected information in the previous stage, A tries to calculate a valueŝ. Ifŝ = CSR(ẑ), the experiment outputs 1. Otherwise, the experiment outputs 0.
where negl(κ) is a negligible function in the parameter κ.

3) VERIFIABILITY
Verifiability points to that the doctor D can detect the dishonest behaviors of the cloud with a non-negligible probability.

4) EFFICIENCY
Without outsourcing, the client must reconstruct the sparse transformation coefficient vector by itself. We denote the time cost is t o . With the algorithm MIOA CSR , the time-consuming reconstruction task is outsourced to the cloud server S. However, the outsourcing process causes additional encryption and decryption operations, the time cost of which we denote as t c . Intuitively, an efficient outsourcing algorithm should assure that t o is substantially larger than t c .

III. PREPARATORY KNOWLEDGE
In this section, we will introduce the terms and some basic mathematical tools that used in the rest of our paper.
Its corresponding n × n permutation matrix P π is expressed as: where e π(i) (i = 1, 2 · · · n) is a row vector, only the entry of π(i) is 1, and the rest are 0. Example 1: Given a permutation π,

IV. SECURELY OUTSOURCING IMAGE COMPRESSION AND RECONSTRUCTION A. DESIGN RATIONALE
Clearly, the key of our design is to come up with an efficient and secure blind technique to outsource the convex optimization problem (3). To avoid the cloud server obtaining any useful sensitive information, the designed technique should simultaneously ensure the privacy of the input (y, H) and the output s. Naturally, we can construct an equivalent convex optimization problem with a decent encryption approach min s 1 subject to y = H s .
where y , H and s refer to the ciphertext of y, the ciphertext of H and the ciphertext of s respectively. Naturally, to protect the information in y and H, we can employ the technique in [23], [24] by simultaneously left-multiplying the two sides of the equation in (3) by an invertible matrix M. However, this simple operation can not be directly applied to blind the output s and needs to be adapted according to the technique used to protect s. For the privacy of s, since s is sparse, we need to conceal the number, the position, and the value information of the non-zero entries in s. Meanwhile, our encryption approach should ensure the plaintext objective function and the ciphertext objective function to achieve the optimal value for the same value of s. First, we confuse the number of the non-zero entries by adding a random vector r at the end of s. Then, we perform a permutation P on s to hide the position information of the entries in the actual output s. Finally, we multiply s by a random real a to protect the value information of each entry in the actual output s. Correspondingly, we adapt the dimensions of y and H with a random matrix B to make the equation in (3)  That is, corresponding to the blinded convex optimization problem (4), we have With this method, the medical image acquisition client C can outsource the blinded convex optimization problem (4) instead of the problem (3) to the cloud server.

1) SAMPLE ALGORITHM: SAMPLE
The medical image acquisition client C selects a measurement matrix A ∈ R m×n (m n) and an orthogonal matrix D. For any given medical image signal x ∈ R n , C samples x and calculates the sensing matrix H with A and D. I.e. the sample y = Ax and the sensing matrix H = AD.

2) KEY GENERATION ALGORITHM: KeyGen
For any given input matrix H = (h ij ) 1≤i≤m,1≤j≤n ∈ R m×n and vector y = (y i ) 1≤i≤m ∈ R m , denote λ = max{log H , log y , log D , log x }, where log H = max 1≤i≤m,1≤j≤n ( log |h ij | + 1) (resp. log y = max 1≤i≤m ( log |y i | + 1), log D = max 1≤i≤n,1≤j≤n ( log |d ij | + 1), log x = max 1≤i≤n ( log |x i | + 1)) represents the maximum bit size of the entries in H (resp. y, D, x). Given a positive constant (i.e., verifiability parameter) k, the key generation algorithm KeyGen performs as follows: 1) Choose a random real number a = 0 with the bit size of its integer part and its decimal part being equal to λ. 2) Generate two random matrices B = (b ij ) 1≤i,j≤k ∈ R k×k and M = (m ij ) 1≤i,j≤m+k ∈ R (m+k)×(m+k) and a vector r ∈ R k , out of which, each non-zero entry is with λ bits that is chosen randomly and uniformly.

3) CLIENT ENCRYPTION ALGORITHM: ProbEnc
With the secret key sk = (B, M, P, r, a), the medical image acquisition client C encrypts the sensing matrix H and the sample vector y into and sends (H , y ) to the cloud server S. Meanwhile, C sends D and part of secret key (P, r, a) to the disease diagnosis doctor D with a secure channel.

4) SERVER COMPUTING ALGORITHM: COMPUTE
After receiving (H , y ), the cloud server S performs the specified computation task of solving the blinded convex optimization problem, i.e., min s 1 subject to y = H s .
Then, it returns the solution vector s with the minimum 1 norm to the disease diagnosis doctor D.

5) VERIFICATION AND DECRYPTION ALGORITHM: ProbVer&Dec
After receiving s , the disease diagnosis doctor D calculates Then, D verifies whether the vector formed by the last k entries of s equals to r. If they are same, D accepts the result s and takes the vector formed by the first n entries of s as the actual s. Otherwise, it rejects.

6) RECOVER ALGORITHM: RECOVER
After obtaining s, the disease diagnosis doctor D uses the matrix D shared by the medical image acquisition client C to recover Here, x is the actual high-resolution medical image that the disease diagnosis doctor D wanted.

V. CORRECTNESS AND SECURITY ANALYSIS
In this section, we will theoretically analyze the correctness, input/output privacy, verifiability of the proposed algorithm MIOA CSR .

A. CORRECTNESS
Theorem 1: According to Definition 1, our outsourcing algorithm MIOA CSR is correct for any input matrix H ∈ R m×n and vector y ∈ R m .
Proof: Assumeŝ is the output of the algorithm Compute, if the cloud server S is honest,ŝ satisfies the problem (4). That is,ŝ = aP ŝ r . Then 1 a P −1ŝ = ŝ r , and the verification and decryption algorithm ProbVer&Dec will outputŝ. Hence, substitute (y , H ) in problem (4) with equation (5), we get Sinceŝ = aP ŝ r , the equation (7) is equivalent to Due to that P is a permutation matrix and a is a non-zero real, the equation (8) is further equivalent to which shows thatŝ is the solution of problem (3).

B. INPUT AND OUTPUT PRIVACY
In this section, we will prove that our algorithm MIOA CSR satisfies input and output privacy. Precisely, we will argue the one-way privacy of the input information (H, y) and the output vector s under the CPA model Theorem 2: According to Definition 2, for any input matrix H ∈ R m×n and vector y ∈ R m , our outsourcing algorithm MIOA CSR satisfies the input and output privacy.
Proof: (1) Input privacy. In the experiment Exp input A [CSR, 1 κ ], CSR represents the computation task of compressed sensing reconstruction, and κ = mnλ. In the Query and response phase, the adversary A can adaptively choose With each new input, the KenGen algorithm will generate different sk randomly and independently, so the adversary will not get any useful information at this phase. In the Challenge phase, the adversary tries to recover the challenge target (H, y) after receiving its ciphertexts (H , y ). Next, we analyze the probability that the H (resp.y) can be successfully recovered by the adversary. Through the ProbEnc algorithm, we have Clearly, the adversary can recover H (resp. y) after obtaining H 0 0 B (resp. y Br ).
If the adversary wants to recover H, then the adversary must know the correct product M −1 H P. So the probability Pr H of the adversary successfully recovering H is Similarly, to recover y, the adversary must know the correct M. Then, the probability Pr y that the adversary successfully recovers y is  (2) Output privacy. We need to argue our algorithm protects the positions, the values and the number of non-zero entries of the output s. In the experiment Exp output A [CSR, 1 κ ], the adversary A can adaptively obtain t three-tuples for i = 1, · · · , t. In the Challenge phase, given a ciphertext (H , y ) encrypted from some plaintext information (H, y), and the adversary can get the output resultŝ from Compute algorithm, and attempts to recoverŝ from the information inferred in the first phase. Since, for different inputs, the KenGen algorithm will re-generate new keys randomly and independently, the adversary will not get any useful information at the Query and response phase. According to the decryption algorithm, we have That is, the adversary needs to know the (a, P) to recover the correct s. Thus, the success probability Pr s that the adversary recovers the correct s is |{(a, P −1 ) | a and P is constructed as in sec.IV-B2}| = 1 |{(a, P) | a and P is constructed as in sec.IV-B2}| which is negligible.

C. VERIFIABILITY
In this section, we will prove that our verification algorithm can detect that the cloud server returns an incorrect result with a probability approximate to 1. Theorem 3: According to Definition 3, for any input matrix H ∈ R m×n and vector y ∈ R m , our outsourcing algorithm MIOA CSR is (1 − 1 2 λk )-verifiable. Proof: According to Definition 3, we need to prove For the equation (13), it can be directly obtained by the correctness of our algorithm. If s = CSR (z ), s is not the solution of the blinded convex optimization problem (4). According to the ProbVer&Dec algorithm, if and only if the vector formed of the last k entries of the decrypted s in equation (6) exactly equals to r, s can pass the verification. Thus, the probability that the cloud server can forge r is less than 1 2 λk , which proves the equation (14).

VI. EFFICIENCY ANALYSIS
In this section, we will argue the efficiency of the proposed algorithm from theoretical and experimental perspectives.

A. THEORETICAL ANALYSIS
For the first step, we present a strict theoretical analysis. Theorem 4: According to Definition 4, for any input matrix H ∈ R m×n (m < n) and vector y ∈ R m , our outsourcing algorithm MIOA CSR is β-Efficient with Proof: For any input matrix H ∈ R m×n with m < n, without outsourcing, the convex optimization problem of compressed sensing reconstruction algorithm needs more than O(n 3 ) multiplications [13], [23].
Next, we calculate the local client's added cost t total with our outsourcing algorithm. On the local side, compared with non-outsourcing, the time-consuming convex optimization problem is avoidable yet the additional cost t client incurs during the outsourcing process which mainly consists of three parts: the cost t KeyGen of Algorithm KeyGen, the cost t ProbEnc of Algorithm ProbEnc, and the cost t VeDec of Algorithm ProbVer&Dec. Therefore, the total cost t total = t KeyGen + t ProbEnc + t VeDec .
1) Estimation of t KeyGen . In the key generation stage, the medical image acquisition client C need to generate two random matrices B and M, a vector r, a permutation matrix P and a real number a. Therefore t KeyGen = O(n + (m + k) 2 + k 2 ) random generation operations. Thus, the total cost is t ProbEnc = O((m + k)(mn + k 2 )) multiplications. 3) Estimation of t VeDec . In the verification and decryption stage, the dominant step is to calculate s = 1 a P −1 s , which requires O(n+k) swap operations. Thus, the total cost is t VeDec = O(n + k) swaps. Overall, the local time cost is t total = t KeyGen + t ProbEnc + t VeDec = O((m + k)(mn + k 2 )) multiplications. Since k is some given constant, the efficiency factor is Next, we analyze the storage savings achieved by the algorithm for the local client. Assuming that there are medical images x 1 , · · · , x , without CSR and outsourcing algorithm, the local client only needs to store these original medical images x i ∈ R n (i = 1, · · · , ), which are about nλ bits. With CSR and outsourcing algorithm, the local client needs to store verification and decryption secret keys (a i , P i , r i )(i = 1, · · · , ) which are about (λ+(n+k) log(n+ k) + kλ) bits, and the orthogonal matrix D ∈ R n×n which are about n 2 λ bits. Hence, in this case, the storage complexity is (λ + (n + k) log(n + k) + kλ) + n 2 λ. By solving the equation nλ ≥ (λ + (n + k) log(n + k) + kλ) + n 2 λ, we have that, if ≥ n 2 n − 1 − k − (n + k) log(n + k)/λ , the proposed CSR outsourcing algorithm can save storage space. It must be pointed out that, in practice, the scale of medical images is usually very large. Consequently, the local client can achieve considerable storage savings in practical applications.

B. THEORETICAL COMPARISON WITH PREVIOUS ALGORITHMS
In this following subsection, we will compare our algorithm with existing CSR outsourcing algorithms in both security and efficiency.  [32] just employs the standard CSR algorithm to realize the protection of x under the malicious cloud server model. As they stated, the CSR algorithm inherently protects the privacy of x without any encryption operation in an outsourcing setting. That is, the local client can directly send (y, H) to the cloud S and keep the matrices A and D secret. Therefore, Zhang et al. [32] don't care about the input privacy of (y, H) and the output privacy of s. Wang et al. [23], [24] subsequently proposed two outsourcing CSR algorithms for image reconstruction and healthcare services under the semi-honest cloud server model. Their algorithms are designed for general signals and are closely related to our work. These two outsourcing algorithms utilize similar encryption techniques and simultaneously realize the privacy preservation of y, H, s and x. As a summary, we compare the security of the above algorithms with that of our algorithm in Table 2.
In terms of efficiency, it is unfair and meaningless to compare two algorithms towards to different privacy preservation goals. From  [13], [32] are evidently different from those of ours, so we only compare our algorithm with Wang's algorithms [23], [24]. As mentioned above, Wang et al.'s two algorithms utilize similar encryption techniques. Without loss of generality, Table 3 shows the theoretical efficiency comparison between our algorithm and Wang's latest version [24], where t KenGen , t ProbEnc , t VeDec and t total denote the time cost of the key generation stage, the time cost of the problem encryption stage, the time cost of the result verification and decryption stage, and the total cost of these three stages on the local side, respectively. Since the verifiability parameter k is a constant independent of m, n, it can be seen that, for each stage, our algorithm is more theoretically efficient than Wang's algorithm [24].

C. EXPERIMENTAL ANALYSIS AND COMPARISON
Finally, we evaluate the actual performance of our algorithm with extensive experiments and the comparison with Wang et al.'s algorithm [24].

1) EXPERIMENTAL ENVIRONMENT AND METHODOLOGY
In our experiments, we simulate the operations of medical image acquisition client C, disease diagnosis doctor D and cloud server S on a Windows 10 machine with Intel(R) Core(TM) i5-8500T 2.11GHz CPU and 8GB RAM by using Matlab R2019b.
Our experiments are proceeded as two parts: In the first part, we mainly focus on the efficiency of our algorithm. We compare the local client's time cost of our outsourcing algorithm with that of the original algorithm without outsourcing. In the second part, we mainly compare the local client's time cost of our algorithm with that of Wang et al.'s algorithm [24].

2) EXPERIMENTAL RESULTS AND ANALYSIS
In our experiments, we choose the size n of the medical images x to be 500, 1000, 1500, 2000, and 2500 respectively, and set m = 2 5 n, k = 50. Table 4 lists the time cost of each stage and several important ratios that are used to measure the performance of the algorithm, out of which, t original represents the time cost of solving the original convex optimization problem, t KeyGen and t ProbEnc refer to the client C's time cost of key generation stage and the cost of encryption stage respectively, t VeDec denotes the doctor D's time cost in the verification and decryption stage, t total = t KeyGen +t ProbEnc + t VeDec is the total time cost of C and D induced by our outsourcing design, and t cloud represents the time for the cloud server S to solve the encrypted convex optimization problem.
As reflected in the table, the total time cost t total on the local side is always far less than t original that refers to the time cost of directly solving the convex optimization problem without outsourcing, and the ratio t original /t total becomes larger and larger, which indicate that, as the enlargement of the image size n, the local client can achieve more computational savings and our outsourcing algorithm becomes more efficient. At the same time, the ratio t cloud /t original is close to 1, which means that the time cost t cloud of solving the encrypted convex optimization problem is approximate to that of solving the original convex optimization problem. This shows that our outsourcing algorithm with encryption does not cause too much additional lease fee to rent the cloud server compared with the algorithm of directly outsourcing without encryption.
In addition, we experimentally compare our algorithm with Wang et al.'s algorithm [24]. We also choose the size n of the medical images x to be 500, 1000, 1500, 2000, and 2500, and record the time costs of the two algorithms on the local side. Visually, we plot the comparison results in Fig.2 and Fig.3.      which shows that the local client's time cost of our algorithm is far less than that of Wang's algorithm. Fig.3 compares the speedup ratio t original /t client of the two algorithms under the same experimental settings, which shows that our algorithm can achieve more computational savings than Wang et al.'s algorithm.

VII. CONCLUSION
In this paper, we design a secure outsourcing algorithm for CSR of medical images. This algorithm enables the medical institute and the doctor to securely store and reconstruct the medical images with the help of a cloud server. In addition to keeping the privacy of the original image and the input/output information of the reconstruction process, our design also can enable the doctor to detect the correctness of the result sent from the cloud with a probability of approximating 1. Finally, we theoretically and experimentally analyze the efficiency of the proposed outsourcing algorithm.