1 Introduction

Medical image fusion plays a crucial role in accurate diagnosis and treatment of diseases. Medical images of various modalities can provide different information. For example, computed tomography (CT) image give information on dense structures such as bones; and positron emission tomography (PET) image provide functional information while magnetic resonance (MR) imaging provide information on soft tissues. Image fusion helps the doctor for better diagnosis by combining the complimentary features in images of different modalities. As medical images of different modalities acquired by different devices are of high resolution for precise diagnosis, it impose huge storage cost to the health care providers. In addition, due to the exponential growth in medical images generated per day, the biggest challenge faced by the health care providers/industry is the storage, processing and management of this huge amount of medical images being generated.

In recent years, with the advent of cloud platform offering high end storage and computing facilities, health care industry is now shifting the medical data to the cloud environment [28]. Although cloud storage and computing relieves the healthcare providers from the burden of data storage, maintenance and processing cost, it also brings in several security threats since the outsourced data is stored in third party cloud servers. One of the major security challenges that need to be addressed is to protect privacy or confidentiality of data, when highly sensitive data like medical images are outsourced, especially when processing operations are to be performed on these data. Although traditional encryption schemes like AES provide data confidentiality, they will not support operations on the encrypted medical images.

Homomorphic encryption schemes are a special class of encryption schemes, which allow to perform some operations on the encrypted data without any knowledge of the decryption function. Image fusion techniques involve only linear operations and an additive homomorphic encryption scheme is sufficient for encrypting the medical images to be outsourced. The most popular additive homomorphic encryption schemes available in literature are Paillier [23] and secret sharing schemes [30]. Paillier scheme is computationally expensive due to the modular exponentiation operation over a finite field of large size. Moreover, the storage overhead of Paillier scheme is twice since the size of ciphertext is double that of plaintext. Secret sharing scheme (SSS) has lesser computational complexity compared to the Paillier scheme due to linear encryption and decryption operations. But in SSS [22, 34], different image shares generated from a single image need to be stored in storage devices of multiple non-colluding cloud service providers in order to provide adequate security. This brings in additional restrictions on storage. Furthermore, since size of each image share is same as the size of original image, the storage overhead increases with the number of image shares being stored.

As the encryption and decryption operations have to be done at the health service provider (client) side, it is desirable to have an additive homomorphic encryption scheme with low computational complexity. Moreover, since data outsourcing cost charged by the cloud depends on the amount of data stored in the cloud, it is required to minimize the storage overhead incurred due to the ciphertext expansion. This motivated us to design a low complex additive homomorphic encryption system based on Hill cipher [35] since it satisfies the requirements in terms of computational complexity and storage overhead. This is due to the fact that the encryption and decryption operations of Hill cipher are linear and as the size of ciphertext is same as that of plaintext, there is no storage overhead. However, original Hill cipher scheme is prone to known-plaintext attack. Hence, in order to use Hill cipher for secure image fusion, it is necessary to modify it in such a way that, it is computationally infeasible for an adversary, who has access to all data stored in the cloud and some knowledge about the plaintext, to retrieve the plaintext. But since such an adversary cannot have access to encrypting machine, chosen plaintext attack need not be considered as a valid attack. This assumption will not cause any loss of generality, due to the fact that in all practical applications, the client machine will be geographically separated from the cloud servers. This paper attempts to enhance the security of the Hill cipher so that it can withstand the known-plaintext attack, preserving additive homomorphism.

The major contributions of this work are listed below.

  1. 1.

    A symmetric key additively homomorphic encryption scheme based on affine Hill Cipher is proposed to provide confidentiality of outsourced data and to support linear operations in the encrypted domain.

    1. (a)

      In order to reduce the computational complexity involved in finding the inverse of the key matrix during decryption, self invertible matrices are used in this work.

    2. (b)

      In the proposed scheme, different random vectors are generated for different data blocks through a novel design method based on a combination of linear feedback shift registers (LFSR) which helps to improve security of Hill cipher based encryption scheme.

    3. (c)

      The method for reseeding the LFSR is designed so that randomness and security properties will be preserved while homomorphically combining the blocks. Through mathematical analysis, it is proved that the linear combination of encrypted blocks neither nullifies the effect of individual random vectors nor destroys the randomness properties.

  2. 2.

    The suitability of the proposed encryption scheme for encrypted domain MR-CT image fusion is analyzed through comparing simulation results in encrypted domain with those of plaintext domain in terms of various subjective and objective performance metrics. It is verified that encrypted domain image fusion provides same accuracy levels as that of plaintext domain image fusion.

  3. 3.

    Security of the proposed encryption scheme against cipher text only attack and known plaintext attack is established through cryptanalysis and in terms of resistance against different statistical attacks.

The rest of the paper is organized as follows. Section 2 presents the summary of related works while Section 3 details the system model and adversary model considered. Section 4 gives the description of the proposed homomorphic encryption scheme and Section 5 provides the detailed performance analyses. The security analyses is described in Section 6 followed by concluding remarks in Section 7.

2 Related work

In this section, the recent works on homomorphic encryption schemes and methods for securing medical images are discussed in detail.

The idea of processing encrypted data was first addressed by Rivest et al. [26]. Fully homomorphic encryption schemes which allow any computations on encrypted data was introduced by Gentry [10]. Several schemes [4, 5, 11] were proposed following this work. Even though many schemes with optimizations were proposed, these schemes still remain computationally complex and impractical. Whereas partially homomorphic encryption schemes support computations only for either multiplication or addition. RSA [27], Paillier [23] and Goldwasser-Micali [12] are some of the cryptosystems that support partial homomorphism. RSA is homomorphic over multiplication whereas the other two schemes are additively homomorphic which allow linear combination operations on the encrypted data.

Among the additive homomorphic encryption schemes, Paillier is the widely used for image processing works on encrypted domain [21, 25, 32]. The basic image scaling and cropping operations in encrypted domain is proposed in [21]. A reversible data hiding approach based on Paillier scheme, where the hidden data is directly embedded into the encrypted images is proposed in [32]. A digital watermarking scheme for secure transmission of medical images based on Paillier encryption is introduced in [25]. In this scheme, the encrypted watermark image is directly embedded into the encrypted image. However, the Paillier scheme suffers from the following issues. The storage overhead of Paillier scheme is twice as the size of ciphertext is double the plaintext size. Moreover, in Paillier scheme, to provide 128-bit security, the modulus required is a prime number of size 2048bits. Hence, this scheme has high computational complexity due to the modular exponentiation operations involved during encryption and decryption.

Some notable works for securing medical images during storage or/and transmission have been proposed in [8, 9, 31, 36]. A watermark embedding scheme based on Arnold transform for ensuring authentication of medical images is proposed in [31]. For confidentiality of medical images, the watermarked images are encrypted through chaos-based encryption in [36]. For secure transmission and storage of the medical images in the cloud server, the outsourced images are encrypted using elliptic curve cryptography, whose keys are chosen using hybrid swarm optimization in [9]. A hybrid encryption scheme developed from AES and RSA is used for securing medical data while transmission in IoT environment is presented in [8]. Even though all these works ensure secure storage or transmission of medical images, these schemes are not designed to support secure processing in encrypted domain.

The use of Arnold transform [31] to scramble the medical images to be fused suffers from known-plaintext attack (KPA) since the transform matrix used for encrypting the images to be fused need to be same to support fusion in encrypted domain. Similarly, chaos based encryption [36] is a one-time pad encryption, where the keystreams generated through chaotic map acts as a one-time pad. This method is also prone to KPA and the randomness properties of the keystream cannot be ensured while homomorphically combining the encrypted images. The elliptic curve cryptography adopted in [9] can be modified to support additive homomorphism as detailed in [33]. However, the storage overhead of this elliptic curve based scheme is double and has high computational complexity. The hybrid encryption scheme based on AES and RSA [8] cannot be used for encrypted domain processing since AES does not support homomorphism over encryption.

Hill cipher [35] is a potential candidate for additive homomorphic encryption system for encrypted domain image fusion due to the linearity in encryption and decryption operations. Moreover, it introduces no storage overhead and has less computational complexity. However, the original Hill cipher [35] is susceptible to KPA. A symmetric key additively homomorphic encryption scheme based on Hill cipher, namely iterated Hill cipher (IHC) is proposed in [6]. Although the authors claim it to be secure against KPA, later in [38], it is proved that IHC can be broken through KPA. Another version of Hill cipher that can withstand KPA is affine Hill cipher [37]. In this scheme, unique random vectors are added to the ciphertexts generated through original Hill cipher. Nevertheless, this scheme cannot be directly converted to provide additive homomorphism as the randomness properties of the random vector cannot be ensured while homomorphically combining the data.

In the proposed affine Hill cipher based homomorphic encryption scheme, the linearity in encryption process is retained in order to preserve additive homomorphism. The random vectors used for encryption are keystreams generated using linear feedback shift registers (LFSR) due to the good randomness properties and low structural complexity of LFSR. At the same time, care has been taken to preserve the randomness and security properties of the random vectors, while homomorphically combining the data.

3 System model and adversary model

3.1 System model

The system model considered is an end to end secure cloud based medical image fusion scenario as shown in Fig. 1, where the encrypted medical images of different modalities are outsourced to the cloud; the cloud fuses the images in encrypted domain and the fused encrypted image is accessed by the healthcare provider, who further decrypts the fused image. Multiscale decomposition method is a widely used technique for multi-modal image fusion [7]. In this method, the images of different modalities are decomposed using wavelets and the wavelet coefficients corresponding to images of different modalities are combined using appropriate fusion rule to obtain the fused coefficients. Then the final fused image is obtained by taking the inverse wavelet transform of the decomposed image consisting of fused coefficients. The fusion rule generally used are averaging, weighted averaging etc. which are linear operations [16]. In the system model considered, the preprocessing of images of different modalities includes image decomposition using appropriate wavelets and rounding off the pixel values based on the requirements of the encryption scheme. There is a need for additive homomorphic encryption scheme to facilitate image fusion in encrypted domain.

Fig. 1
figure 1

System Model for secure medical image fusion

Full size image

3.2 Adversary model

Cloud systems use distributed storage architecture for reliable data storage and securing data in distributed storage systems (DSS) assumes that the adversaries have access to only a subset of storage servers. The works on secure DSS [17, 24, 29] aims to resist ciphertext-only attack against adversaries who have access to only a limited number of servers in the DSS and is achieved through adding randomness to the data. But in practical DSS such as those with cloud storage, the storage servers may be distributed in the same geometrical environment. So in this work, we consider computationally bounded passive adversaries, who can eavesdrop on all the cloud servers. Also, based on the type of data stored, the adversary may have knowledge of some plaintexts with which he can try to mount a known-plaintext attack.

4 Proposed scheme for encrypted domain processing

The design of the proposed scheme for image fusion in encrypted domain is inspired from the Hill cipher [35] construction. In original Hill cipher, the encryption of a plaintext vector, m of length ‘p’ is done by multiplying it with a secret invertible random matrix, G of size p × p and the plaintext is decrypted by multiplying the ciphertext with the inverse of G matrix. The set of all possible keys or key space in the case of Hill cipher is the set of all possible invertible p × p matrices from the space of all p × p matrices. Iterated Hill cipher (IHC) [6] is proposed as a homomorphic encryption scheme and it extends the key space to the set of all p × p matrices. An initialization vector of length ‘p’ and the iteration number are kept secret in addition to G in the case of iterated Hill cipher. In IHC, the encryption and decryption are done using an iterative algorithm and the encoding results corresponding to the kth and (k − 1)th iteration form the ciphertext, where k is the number of iterations. Thus the size of ciphertext in the case of IHC will be double the size of plaintext, which will result in storage overhead. The authors claim that iterated Hill cipher can be made secure against known plaintext attack by changing the initialization vector during every encryption. But it is proved in [14] that this will spoil the homomorphic property offered by the encryption scheme. Furthermore, in [38], the authors showed that it can be broken through known plaintext attack even if the initialization vector is changed during every encryption. An improved version of the Hill cipher which can withstand known plaintext attacks is Affine Hill cipher [20, 37]. Affine Hill cipher construction relies on adding unique random vectors to the ciphertexts generated through original Hill cipher. But this scheme cannot be directly converted to support homomorphic operations since the randomness and security properties of the random vector cannot be ensured while homomorphically combining the image (data) blocks.

An affine Hill cipher based additive homomorphic encryption scheme is proposed in this paper to securely store the data in cloud and to support encrypted domain processing. While designing the scheme, care has been taken to preserve the randomness and security properties of the random vector, while homomorphically combining the data. In addition, in this work self invertible or involutory matrices are used as key matrix, G. This facilitates the use of same matrix, G for encryption and decryption and reduces the computational complexity involved in finding the inverse of G matrix during decryption.

The details of the proposed encryption scheme are as follows:

Encryption

The ciphertext, \(c_{i}\in {F_{q}^{p}}\) of length ‘p’ whose elements are chosen from finite field, Fq, corresponding to ith plaintext, \(m_{i}\in {F_{q}^{p}}\) is given by

$$ c_{i} = E_{K}(m_{i}) = G\cdot m_{i} + r_{i} $$
(1)

where \(G \in F_{q}^{p \times p}\) is a self-invertible matrix and \(r_{i}\in {F_{q}^{p}}\) is a random vector which is different for each plaintext.

Decryption

The plaintext, \(m_{i}\in {F_{q}^{p}}\) corresponding to the ciphertext, \(c_{i}\in {F_{q}^{p}}\) can be retrieved by

$$ m_{i} = D_{K}(c_{i}) = G.(c_{i}-r_{i}) $$
(2)

Homomorphic property

The encryption operation supports additivity and homogeneity properties which are the requirements for an additive homomorphic encryption scheme. Let \(m_{1}, m_{2}\in {F_{q}^{p}}\) represent two plaintext messages and \(r_{1}, r_{2}\in {F_{q}^{p}}\) represent the corresponding random vectors. Then homomorphic properties of the encryption scheme can be defined as

Additivity

$$\begin{array}{@{}rcl@{}} E_{K}(m_{1}) + E_{K}(m_{2}) &=& (G.m_{1} + r_{1}) + (G.m_{2} + r_{2})\\ &=& G.(m_{1} + m_{2}) + (r_{1} + r_{2})\\ &=& E_{K}(m_{1} + m_{2}) \end{array} $$
(3)

Homogeneity

$$\begin{array}{@{}rcl@{}} \beta.E_{K}(m_{1}) &=& \beta.(G.m_{1} + r_{1}) = G.\beta m_{1} +\beta r_{1} \\&=& E_{K}(\beta m_{1}) \end{array} $$
(4)

where βFq represents a scalar.

To ensure additive homomorphism as given in (3) and (4), it is essential to design random vectors ‘ri’ properly. For (5) to hold, it is required that sum of random vectors r1 + r2 should yield a random vector with properties same as that of r1 and r2. Similarly for (4) to hold, the scalar multiple of random vector βr1 should also have same randomness properties as r1. During decryption operation to retrieve the plaintext, it is essential to have the knowledge of the effective resultant random vector. Since encryption and decryption are done at the client side, the client can remove the effect of the random vectors with the help of keys used for generating it.

Following section discusses how random vectors can be designed to satisfy these required properties.

4.1 Design of random vector

As the image fusion technique mainly involves averaging and weighted averaging operations, linear combination can be considered as the generalized operation that is required in the encrypted domain image fusion. In order to ensure homomorphism for linear operations, the set of random vectors used for encryption should be closed under linear combination operations. That means linear combinations of random vectors should yield random vectors of the same randomness properties. In order to satisfy these requirements, we are using a well-designed combination of LFSRs for generating random vectors. The proper design of the random vectors is important as the randomness properties offered by the LFSR keystream will be spoiled if the linear combination of random vectors yield a null vector while linearly combining ciphertexts. Therefore, the secret initial states of LFSR used for generating different random vectors should also be derived properly to retain the randomness properties of the random vector in the linearly combined ciphertext.

It is well known that keystream constituting one period of the LFSR output, satisfy Golomb’ s randomness properties [19]. Also linear combination of these output keystreams is a keystream generated from the linear combination of corresponding states.

Theorem 1

The keystreams generated by the LFSR satisfies superposition property.

Proof

(1) Additivity property –The sum of the keystreams is a new keystream generated by an initial state which is the sum of initial states corresponding to individual keystreams.

Let k(x) = k0 + k1x + k2x2 + ⋯ + kL− 1xL− 1 be the polynomial representation of initial state and g(x) = g0 + g1x + g2x2 + ⋯ + gLxL be the feedback polynomial of LFSR, where ki,giFq. Then the state of the L-length shift register of LFSR initially consists of values, k0,k1,k2,⋯ ,kL− 1, which are coefficients of k(x) and the tap weights of the feedback connections of the LFSR are decided by g0,g1,g2,⋯ ,gL, the coefficients of g(x). Hence, the output sequence with period qL − 1 generated by the LFSR can be represented as

$$ a(x)= {f(x)/g(x)},where f(x) = \sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}k_{j}g_{i-j}\right)x^{i} $$
(5)

Suppose k1(x) = k10 + k11x + k12x2 + ⋯ + k1L− 1xL− 1 and k2(x) = k20 + k21x + k22x2 + ⋯ + k2L− 1xL− 1 are two different initial states of the LFSR with the same feedback polynomial g(x). Let a1(x) and a2(x) represent the output sequences generated by LFSR corresponding to intial states, k1(x) and k2(x) and feedback polynomial, g(x). Then using (5), a1(x) and a2(x) can be represented in terms of kij as

$$\begin{array}{@{}rcl@{}} a_{1}(x) &=& \left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}k_{1j}g_{i-j}\right)x^{i} \right] /g(x) \\ a_{2}(x) &=& \left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}k_{2j}g_{i-j}\right)x^{i} \right]/g(x) \end{array} $$
(6)

The sum of output sequences or keystreams, a1(x) + a2(x) of the LFSR can be expressed as

$$\begin{array}{@{}rcl@{}} a_{1}(x) + a_{2}(x) &=& \left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}(k_{1j} + k_{2j})g_{i-j}\right)x^{i} \right]/g(x)\\ &=& \left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}k_{3j}g_{i-j}\right)x^{i} \right]/g(x)\\ &=& a_{3}(x) \end{array} $$
(7)

where a3(x) is a keystream generated by the initial state k3(x) = k1(x) + k2(x). Equation 7 shows that the sum of keystreams result in another keystream, a3(x), which can be generated by an LFSR with initial state, k3(x), which is equal to the sum of the initial states, k1(x) and k2(x). □

Proof

(2) Homogeneity property –The scalar multiple of a keystream is a new keystream generated by an initial state which is the scalar multiple of the initial state corresponding to original keystream.

Let a(x) be the keystream generated by key, k(x). Then b(x) = βa(x) is the keystream generated by kβ(x) = βk(x)

$$\begin{array}{@{}rcl@{}} \beta\cdot a(x) &=& \beta \cdot \left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}\left( k_{j} \right)g_{i-j}\right)x^{i} \right] /g(x) \\ &=&\left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}\beta \cdot k_{j} g_{i-j}\right)x^{i} \right] /g(x)\\ &=&\left[\sum\limits_{i = 0}^{L-1}\left( \sum\limits_{j = 0}^{i}k_{\beta j} g_{i-j}\right)x^{i} \right] /g(x)\\ &=& b(x) \end{array} $$
(8)

Due to these properties of LFSR keystream, the random vectors for the proposed homomorphic encryption system are chosen as the output keystreams of an LFSR. The initial state of the LFSR, k(x) and the feedback polynomial g(x), which decide the feedback connections of the LFSR are kept secret and form part of the secret key of the proposed encryption scheme. The length of the random vector ‘p’ is to be chosen as a value close to an integral multiple of period of LFSR to ensure randomness properties, i.e., pc(qL − 1) , where ‘L’ is the length of LFSR and ‘c’ is a nonzero integer.

In the proposed scheme, it is required to generate different random vectors corresponding to different data blocks to retain homomorphism over linear operations. In order to facilitate generation of a distinct random vector corresponding to each distinct data block to be homomorphically combined, it is required to derive different initial states for the LFSR from the initial secret key through a proper design method. Therefore, next attempt in the design of proposed encryption scheme is to devise a method for generating multiple initial states from the initial secret key.

4.1.1 Properties of random vector

The random vector should be generated to satisfy the randomness and security properties.

Randomness property

If N image blocks are to be linearly combined during image fusion, it is required to have at least N linearly independent random vectors for encryption. This is to ensure that, when ciphertext blocks are linearly combined, the corresponding random vectors obtained through linear combination operation will not yield a null vector so that the security of encryption operation is retained. From the previous discussions on LFSR theory it can be clearly seen that, linearly independent initial states of an LFSR will result in linearly independent random vectors. Also, since each state of an LFSR of length L forms a L-dimensional vector in a vector space V over Fq, there can be only L linearly independent initial states. Therefore, the minimum possible length of LFSR ‘L’ has to be chosen as at least N ie, Length of LFSR, LN, where N is the number of data blocks to be combined. Now, in order to ensure that the generated random vectors are linearly independent, the initial state si of LFSR corresponding to each message block mi where 1 ≤ iN, can be derived from the initial key k = (k0,k1,k2,⋯ ,kL− 1) by a cyclic shifting operation. To complete the design of random vector for encryption, it is required to arrive at the number of cyclic shifting operations that can be performed on a vector of length ‘L’ so that the set of shifted vectors remain linearly independent.

Theorem 2

For an LFSR of length L, the set of L initialstates generated by cyclically shifting an initial secret keyk(x) are linearly independent if gcd (k(x),xL − 1)is a polynomial of degree zero.

Proof

Let the initial state of LFSR which acts as the secret key be represented as k = (k0,k1,k2,⋯ ,kL− 1) , where kiFq. Then define a shift operator, T : VV by

$$ T(k_{0},k_{1},k_{2},\cdots,k_{L-1})=(k_{L-1},k_{0},k_{1},\cdots,k_{L-2}) $$
(9)

If the initial secret key, k and its L − 1 shifted versions are arranged as rows of a matrix, K, it will form a L × L circulant matrix as shown in (10).

$$ K=\left[\begin{array}{c} k\\ Tk \\ {\vdots} \\ T^{L-2}k \\ T^{L-1}k \end{array}\right]=\left[\begin{array}{ccccc} k_{0}&k_{1} & {\cdots} &k_{L-2} & k_{L-1}\\ k_{L-1}&k_{0} &{\cdots} & k_{L-3} &k_{L-2} \\ \vdots&{\vdots} & {\ddots} & {\vdots} &{\vdots} \\ k_{2}&k_{3} &{\cdots} & k_{0} & k_{1}\\ k_{1}&k_{2} & {\cdots} & k_{L-1} &k_{0} \end{array}\right] $$
(10)

All the ‘L’ initial states obtained by taking the cyclic shifted versions of k(x) will be linearly independent if the circulant matrix is full rank.

Let U denote the circulant matrix whose entries are

$$ U_{ij}=\left\{\begin{array}{c} 1, j-i\equiv 1(mod L)\\ 0, j-i\not\equiv 1(mod L) \end{array}\right. $$
(11)

Then the L × L circulant matrix K corresponding to k is given by \(K={\sum }_{i = 0}^{L-1}k_{i}U^{i}\) where U0 = I, the identity matrix of size L × L and U1 is obtained by cyclically shifting each row of U0 with shift operator T. Now, if K is invertible over Fq, then there exists a circulant matrix \(M={\sum }_{i = 0}^{L-1}m_{i}U^{i}\), where miFq such that K.M = I.

If \(k(x)={\sum }_{i = 0}^{L-1}k_{i}x^{i}\) be the polynomial representation of circulant matrix, K, then finding the inverse of K is equivalent to finding a polynomial \(m(x)={\sum }_{i = 0}^{L-1}m_{i}x^{i}\) in Fq[x] such that

$$ k(x).m(x) \equiv 1 [mod(x^{L}-1)] $$
(12)

The congruence modulo (xL − 1) follows from the equality UL = I. Using Extended Euclidean algorithm, (12) can be written as

$$ k(x).m(x) + t(x). (x^{L}-1) = 1 $$
(13)

Thus the L × L circulant matrix will be of full rank if gcd (k(x),(xL − 1)) = v, where v is a non-zero integer in Fq. In general, if degree of gcd (k(x),(xL − 1)) is ‘s’ , then the rank of circulant matrix is ‘ Ls’ . So if s = 0, then the matrix K will be full rank and all the rows are linearly independent. □

So for encrypting N image blocks, the length of LFSR should satisfy LsN where s = degree of gcd (k(x),(xL − 1)) for the initial secret key polynomial, k(x).

Security property

If the initial states of the LFSR for generation of random vectors are derived from initial secret key by simple linear shifting operations, it can cause security leakage as discussed below:

Let c1 and c2 be the ciphertexts corresponding to plaintexts m1 and m2, which are to be linearly combined in the encrypted domain. Then the data blocks m1 and m2 will be encrypted with the same self-invertible matrix, G and random vectors r1 and r2 respectively as

$$ c_{1} = G.m_{1} + r_{1} $$
(14)
$$ c_{2} = G.m_{2} + r_{2} $$
(15)

where r2 = TR(r1), TR represents the right shift.

If \(c_{2}^{\prime }\) represents the ciphertext obtained by left shifting c2, then

$$ c_{2}^{\prime} = T_{L}(c_{2}) = T_{L}(G \cdot m_{2}) + T_{L}(r_{2}) $$
(16)

where TL represents the left shift.

Therefore,

$$\begin{array}{@{}rcl@{}} c_{1} - c_{2}^{\prime} &=& G \cdot [m_{1} - T_{L}(m_{2})] + r_{1}- T_{L}(r_{2})\\ &=& G \cdot [m_{1} - T_{L}(m_{2})], \end{array} $$
(17)

Thus the effect of random vector can be removed from ciphertext. So to enhance the security, the LFSR initial state needed for generating successive random vectors are derived by shifting the previous initial state and multiplying with a random element from Fq. This helps to prevent the security leakage while preserving linear independence and there by randomness properties.

figure c

Algorithm 1 gives the procedure for generating random vectors. The inputs to the algorithm are initial secret key of LFSR, k1 and feedback polynomial, g(x) and initial seed α1 to generate random multiplier αi. Output is random vector, ri used for encrypting each data block, mi. In this algorithm, LFSR-PRNG refers to the pseudorandom number generator based on LFSR which outputs ‘N’ random elements to form random vectors, ri used for encryption based on the initial state, k1 and the feedback polynomial g(x). LFSR-State refers to LFSR state updation with initial state α1 and outputs a single random element. TRi(k1) in the algorithm indicates right shift of the initial state k1 by ‘i’ bits.

4.2 Design of key matrix

Random invertible matrices are used as key matrix in original Hill cipher. However, the complexity in finding such a matrix increases with increase in the size of the matrix and field size, q. Moreover, during decryption the inverse of the matrix needs to be computed which will increase the decryption time and complexity. In order to overcome these problems, in this work we make use of self-invertible or involutory matrix [1] as key matrix. A matrix, G is said to be self-invertible if G− 1 = G. Let G be a p × p involutory matrix, which can be written as \(G=\left [\begin {array}{cc} G_{11} & G_{12} \\ G_{21} & G_{22} \end {array}\right ]\), where Gij,1 ≤ i,j ≤ 2 are matrices of order p/2 × p/2. An involutory matrix over any field will satisfy the following properties.

  1. 1.

    The determinant of an involutory matrix is ± 1, i.e., |G| = ± 1.

  2. 2.

    The square of an involutory matrix is an identity matrix, i.e., G2 = I

Assuming |G| = − 1 and from G− 1 = G, the involutory matrix G can be obtained by solving the equation, G12G21 = I − (G11)2, since G22 = −G11.

figure d

Algorithm 2 give the steps for generating involutory key matrix, G. The inputs to the algorithm are the size of matrix, p and a random element, γ, where γFq. In this algorithm, the subblocks, G12 and G21 of the matrix are generated from the factors of I − (G11)2.

4.3 Key space

The secret key for the proposed encryption scheme consists of the self invertible matrix, \(G \!\in \! F_{q}^{p \times p}\), the initial states, k1, α1 of two LFSRs and the feedback polynomial g(x) of LFSR.

4.4 Proposed secure medical image fusion

The complete schematic of the proposed encrypted domain MR-CT/PET image fusion over cloud is shown in Fig. 2. As mentioned in Section 3.1, we have considered DWT based MR-CT/PET image fusion using averaging rule. The hospital (client) computes the DWT of captured MR and CT/PET images using Haar wavelet. Then the client generates the encrypted MR and CT/PET images from their decomposed images using proposed Hill cipher based encryption scheme. For encryption, these decomposed images are first divided into blocks, and passed through pre-processsing operation. Pre-processing of image is required to ensure that the pixel values are integers after decomposition and averaging during fusion. Encrypted image blocks are sent to cloud for long term storage and image fusion. The cloud performs the encrypted domain image fusion of the encrypted MR and CT/PET image vectors. In order to retrieve the final fused image, the health care provider (client) access the encrypted version of the fused MR-CT/PET image from the cloud. The client then performs the decryption of the fused image vectors and post-process the decrypted DWT fused coefficients in order to match the results in the plaintext domain. The post processed fused image thus obtained after decryption is in DWT domain. Then the final fused MR-CT/ PET image is generated by computing the inverse DWT of the post processed image.

Fig. 2
figure 2

Flow Diagram for proposed secure medical image fusion

Full size image

The detailed steps of the proposed encrypted domain MR-CT image fusion with the required mathematical expressions are shown in Algorithm 3. Since single level Haar wavelet decomposition involves division by 2 and averaging the encrypted image blocks involves another division by 2, the original image pixels are preprocessed by multiplying with 4. The pixels of the corresponding encrypted MR and CT image vectors are added and multiplied with multiplicative inverse of 2 to obtain average of the encrypted image vectors. The effect of the preprocessing done before encryption is removed after decryption in the post processing step. In a similar manner, the steps for the proposed encrypted domain MR-PET image fusion can be obtained by replacing CT images with PET images.

figure e

5 Performance analysis

In this section, the accuracy of encrypted domain image fusion is analyzed in terms of subjective and objective performance metrics.

5.1 Simulation results and analysis

To evaluate the performance of the proposed encryption scheme, the fusion of medical images of different modalities are considered. Simulations of the proposed scheme are performed on PC with Intel(R) Xeon(R) CPU E3-1226 v3 3.3 GHz 16GB RAM running on Windows 10 Professional equipped with MATLAB R2015b environment.

For simulation, we have used standard MR, CT and PET image datasets from the Harvard university site which are available at http://www.med.harvard.edu/aanlib/home.html. MR and CT images of size 512 × 512 are first decomposed using single level 2D Haar wavelet. The decomposed MR and CT images to be encrypted are divided into 64 blocks and each block is encrypted by multiplying with self-invertible G matrix of size 4096 × 4096 which is followed by the addition of the random vector of length 4096. We have also considered the fusion of MR and PET images of size 512 × 512, where MR images are gray-scale and PET images are colour. As PET images provide functional information with low spatial resolution and MR images provide the tissue information with high resolution, the fusion of MR-PET image helps in better diagnosis.

The pixels of the image can be represented using an 8-bit integer since each pixel takes a value in the range 0 to 255. Hence the field size, q should be at least 257, which is the nearest prime ≥ 255. However, the field size should be large enough to accommodate the result of processing for preserving the accuracy of computation in encrypted domain. For example, if two encrypted image blocks are added, the resultant pixel can take value in the range 0 to 510. So in order to preserve this value on decryption, q should be a prime number ≥ 510. Since the final value of the pixels on decryption could be negative or positive, care should be taken to choose q such that it is at least twice greater than the range of values involved. Thus to ensure the correctness of the computation in encrypted domain, all the modulo operations have to be done using a prime number at least ≥ 4080 (= 255*4*4). In this paper, all simulations for image fusion are done by choosing q = 4091. Table 1 shows the in-detail simulation parameters used in this paper.

Table 1 Simulation parameters
Full size table

The original MR, CT image, their decomposed images, encrypted images before and after fusion and decrypted fused image are shown in Fig. 3. From Fig. 3, it is clear that the encrypted images after fusion will not leak any information about the original images.

Fig. 3
figure 3

Original MR and CT images, its decomposed and encrypted versions, encrypted and decrypted fused MR-CT images

Full size image

5.1.1 Subjective analysis

Since accuracy is an important parameter, the efficiency of the proposed homomorphic encryption scheme in fusing MR and CT images is evaluated by comparing the accuracy of the encrypted domain (ED) image fusion with that of the plaintext domain (PD) fusion. The subjective analysis of secure MR-CT image fusion for different data sets is shown in Fig. 4, which includes the MR and CT images and the corresponding fused images in plaintext domain (PD) and encrypted domain (ED). The subjective analysis of secure MR-PET image fusion for different data sets is shown in Fig. 5.

Fig. 4
figure 4

Example images a MR image, b Registered CT image, c Fused image in PD, and d Fused image in ED

Full size image
Fig. 5
figure 5

Example images a MR image, b PET image, c Fused image in PD, and d Fused image in ED

Full size image

5.1.2 Objective analysis

The performance of the encrypted domain image fusion is also analyzed using objective performance measures. There are two classes of objective performance measures, one requires a reference image while the other one does not require reference image. As it is difficult to obtain an ideal fused image as a reference image, non-reference metrics such as entropy (H), Standard Deviation (SD) and mutual information (MI) are used to evaluate the quality of a fused image [3]. Feature Mutual Information (FMI) metric [13] is another non-reference metric which calculates the amount of information conducted from the source images to the fused image. Table 2 shows the H, SD, MI and FMI values of plaintext domain (PD) and encrypted domain (ED) image fusion for different datasets. It should be noted from Figs. 45 and Table 2 that the encrypted domain results match with the plaintext domain results.

Table 2 Quantitative Evaluation Results based on source images and fused image in PD and ED
Full size table

The fused image quality in ED is also analyzed using objective measures relying on reference image, considering PD fused image as the reference image. Maximum difference (MD), Average difference (AD), Normalized absolute error (NAE) , Mean-square error (MSE) [2], Image quality index (IQI) [39], Normalized correlation coefficient (NCC), Structural content (SC) and Structural similarity index (SSIM) [3] are used to evaluate the quality of the fused image in ED with respect to PD. Table 3 shows the values of these parameters corresponding to different datasets. The very low values of MD, AD, NAE and MSE ranging from 10− 13 to 10− 28 indicates that the difference between ED fused image and PD fused image are negligibly small. Moreover NCC, SC and SSIM values corresponding to all datasets are equal to the maximum value, 1 and IQI is also close to 1. This indicates that ED and PD fused images are very close to each other.

Table 3 Quantitative Evaluation Results of the fused image in ED considering PD fused image as reference image
Full size table

6 Security analysis

In this section, the security of the proposed scheme is first evaluated through resistance against various statistical attacks, which is then followed by mathematical cryptanalysis.

6.1 Histogram analysis

A good encryption scheme should generate a uniformly distributed histogram corresponding to the encrypted image. This prevents the adversary from acquiring any information about the original image from the histogram of the encrypted image. The original MR and CT images, their encrypted versions and fused MR-CT image in ED along with their histograms are shown in Fig. 6. From Fig. 6, it is clear that the proposed encryption scheme completely randomizes the plaintext since the histogram of the encrypted image follows uniform distribution. Moreover, the uniform distribution of the histogram of the ED fused image also indicates that no information is leaked after ED image fusion. Hence the proposed scheme is secure against histogram attack.

Fig. 6
figure 6

Original MR and CT images, its encrypted versions and their corresponding histograms

Full size image

6.2 Correlation analysis

Usually the correlation of neighboring pixels of the plaintext image will be very high. In order to resist statistical attacks by exploiting the correlation between adjacent pixels, the encrypted image should have low correlation coefficients. The correlation analysis of the encrypted images using proposed scheme is performed by taking into consideration all possible adjacent cases (horizontal, vertical and diagonal). The correlation coefficient is computed using the following equations.

$$ Corr_{x,y} = \frac{Cov(x,y)}{ \sqrt{V(x)} \times \sqrt{V(y)}} $$
(18)
$$ Cov(x,y) = \frac{1}{N}\sum\limits_{i = 1}^{N}(x_{i} - \bar{x})(y_{i} - \bar{y}) $$
(19)
$$ V(x) = \frac{1}{N}\sum\limits_{i = 1}^{N}(x_{i} - \bar{x})^{2} $$
(20)
$$ \bar{x} = \frac{1}{N}\sum\limits_{i = 1}^{N}x_{i} $$
(21)

where x and y are values of two neighbouring pixels; and \(\bar {x}\) and \(\bar {y}\) are the mean values. Cov(x,y) and V (x) represent the covariance and variance respectively. Table 4 shows the correlation coefficients of adjacent pixels for original plaintext MR and CT/PET image; their encrypted versions before and after fusion corresponding to different datasets. It is clear from Table 4 that the correlation coefficients of encrypted MR and CT/PET images are very low compared to original MR and CT/PET images. This reveals that the proposed scheme completely randomizes the pixels and no statistical information is leaked from the encrypted image. Moreover, the very low values of correlation coefficients of the encrypted domain fused image indicate that the encrypted domain fusion will not leak any information about the original fused image, resisting correlation attacks.

Table 4 Correlation coefficients of MR and CT/PET images in plaintext domain (PD) and encrypted domain (ED); and fused MR-CT/PET image in ED
Full size table

6.3 Key sensitivity analysis

Key sensitivity is an important parameter used to quantify the security of an encryption scheme. A good encryption scheme will provide totally different ciphertexts when encrypted with keys which are differing only in a few bits. The key sensitivity of the proposed scheme is first analyzed by decrypting the image with a key different from the encryption key by only 1 bit. Even though there is only one-bit change in key, it is observed that the decrypted image is completely random. The two commonly used parameters to analyze the key sensitivity are number of pixels change rate, NPCR and unified average changing intensity, UACI. The NPCR and UACI values are computed using the following expressions.

$$ NPCR = \frac{{\Sigma}_{i,j}D(i,j)}{W \times H}\times 100 \% $$
(22)
$$ D(i,j)=\left\{\begin{array}{c} 0, c_{1}(i,j) = c_{2}(i,j)\\ 1, c_{1}(i,j) \neq c_{2}(i,j) \end{array}\right. $$
(23)
$$ UACI = \frac{1}{W \times H} \left[{\Sigma}_{i,j}\frac{\left|c_{1}(i,j)-c_{2}(i,j)\right|}{255} \right]\times 100\% $$
(24)

Here c1 and c2 are two cipher images obtained by encrypting plain images with two different keys, k1 and k2 such that k1 and k2 differ in only one bit. W and H are width and length of the image. The results of NPCR and UACI values for different MR images are shown in Table 5. The encryption scheme provides high key sensitivity if NPCR value is above 99.5% and UACI value lies between 33.3% to 33.8% [40]. The results in Table 5 show that the proposed encryption scheme provides high key sensitivity.

Table 5 Key sensitivity analysis
Full size table

6.4 Cryptanalysis

The secrecy of the data blocks stored in cloud, when the adversary gets access to all the ciphertexts, is mathematically analyzed in this section. It is also assumed that adversary can have knowledge about some data blocks, which is a valid assumption in scenarios where adversary knows the type of data being stored. Thus, the adversary knowing only the ciphertexts can mount a ciphertext only attack whereas the adversary having access to some plaintexts in addition to ciphertexts can mount a known-plaintext attack.

6.4.1 Ciphertext only attack

Since in the proposed homomorphic encryption scheme, the random vectors are designed properly to retain the randomness properties under linear combination operations, no attempt of the adversary on ciphertexts can remove the effect of random vectors. Also the random vectors are designed in such a way that for a message of block length ‘p’ , the random vectors have Hamming weight ≈ p/2, so that no information about the matrix G chosen for encryption is leaked. Hence, the adversary is left with the only option of brute force attack to retrieve the data. The probability that the adversary retrieves the original data block through brute force attack can be evaluated from the keyspace of the proposed encryption scheme.

Theorem 3

The adversary observing data stored in the DSS succeeds in retrieving the original data blocks with a probability \(1/\left (g_{p}{\sum }_{i = 0}^{p}\frac {1}{g_{i}g_{p-i}} \right )\cdot \left ({\prod }_{j = 1}^{r}(q^{d_{j}}-1) \right )\)

Proof

In order to extract the original message block, mi from corresponding ciphertext block ci, where the relationship between mi and ci is through p × p matrix G and p × 1 vector, ri as shown in (1), the adversary need to try all combinations of encrypting matrix, G and random vector ri for a successful attack.

The key space for G is formed by all the p × p self-invertible invertible matrices over Fq. Finding the number of self-invertible or involutory matrices is equivalent to finding the number of matrices satisfying G2I = 0 due to property 2 of involutory matrix mentioned in Section 4.2. The number of matrices that satisy the condition, G2I = 0 over a finite field is given as Theorem 1 in [15]. Hence the number of p × p involutory matrices, |G| over Fq is given by

$$ \left|G \right| = g_{p}\sum\limits_{i = 0}^{p}\frac{1}{g_{i}g_{p-i}} $$
(25)

where \(g_{i}= {\prod }_{k = 0}^{i-1}(q^{i}-q^{k}), 0 < i <p\) and g0 = 1.

As mentioned in Section 4.1, each random vector, ri of length ‘p’ is generated using LFSR with an initial state consisting of ‘L’ symbols and feedback polynomial of degree L, where L is related to p and q as pc(qL − 1), for a non zero integer c. The initial state and feedback polynomial form the part of the secret key. The key space corresponding to the random vector generation includes all possible combinations of feedback polynomial, g(x) and initial state of LFSR, k(x) from which consecutive states for reseeding the LFSR circuit are derived. It is well known from LFSR theory that for generating keystream with maximum length, the feedback polynomial should be primitive. The number of primitive polynomials of degree ‘L’ over finite field, Fq is ϕ(qL − 1)/L, where ϕ represents the Euler totient function. The initial state of LFSR which acts as the seed should satisfy the condition that the degree of polynomial corresponding to gcd (k(x),xL − 1) is zero (see Theorem 2). The number of such initial states, k(x) is given by \({\prod }_{j = 1}^{r}(q^{d_{j}}-1)\), where dj is the degree of fj(x) which corresponds to the irreducible factors of xL − 1 [18]. Therefore, the key space corresponding to LFSR circuit which generates the random vectors is \({\phi } (q^{L}-1)/L\cdot {\prod }_{j = 1}^{r}(q^{d_{j}}-1)\). It should be noted that it is only required to satisfy LsN, for linear independence of random vectors where ‘ s’ is the degree of polynomial which is gcd (k(x), (xL − 1)). So it is possible to choose the full key space of k(x) without any restriction for a sufficiently large value of L. Therefore, in general, the total keyspace is at least \(\left | G \right |\cdot {\phi } (q^{L}-1)/L\cdot {\prod }_{j = 1}^{r}(q^{d_{j}}-1)\). Hence the probability that an adversary succeeds in retrieving the key with brute force attack on keyspace is at least \(1/\left | G \right |\cdot {\phi } (q^{L}-1)/L\cdot {\prod }_{j = 1}^{r}(q^{d_{j}}-1)\). □

Considering a small field size, q = 257, block size, p = 16, length of LFSR, L = 11, the keyspace is approximately 21119 and for a larger field size, q = 4091, the keyspace becomes approximately 21677. Therefore, the average computational complexity of the adversary in mounting a successful ciphertext only attack is at least O(21118) and O(21676) for q = 257 and q = 4091 respectively. The computational complexity of the adversary in mounting a ciphertext only attack further increases with increase in block size, p.

6.4.2 Known-plaintext attack

In scenario where an adversary knows the type of data and possess some plaintext blocks to be homomorphically combined, the attack boils down to known plaintext attack (KPA). In KPA, the attacker can retrieve the key, G with the help of ‘p’ plaintext blocks if he succeeds in removing the effect of random vector, ri from the ciphertext. It is possible to separate the effect of G matrix and random vector, ri by making the plaintext part zero through linear combination of known plaintext pieces. The cryptanalysis of the iterated Hill cipher detailed in [38] mounts a known-plaintext attack which uses the idea of generating an all zero plaintext by taking the linear combination of known plaintexts in such a way that the result of linear combination is zero. The steps in the cryptanalysis [38] can be summarized as follows.

  1. 1.

    Represent ciphertext, c in terms of plaintext vector, m and random vector, r as \(c=\left [\begin {array}{cc}A_{1} & A_{2} \end {array}\right ].\left [\begin {array}{c} m\\ r \end {array}\right ]=A_{1}.m + A_{2}.r\), where A1 and A2 are 2p × p matrices and c is of length 2p.

  2. 2.

    If m is all zero vector, then ciphertexts can be considered as codeword, r generated by matrix A2 and finding a parity check matrix, H such that H.A2 = 0 will help to remove the random vector, r from ciphertext.

  3. 3.

    All zero plaintext vector, m = 0 can be obtained by taking the linear combination of any ‘2p’ plaintexts. It is well known that by taking ‘2p’ samples, ‘p’ linearly independent samples can be obtained with high probability.

  4. 4.

    Homomorphically create encryption of zero by taking the linear combination of corresponding ciphertexts using the same coefficients.

  5. 5.

    Arrange these ciphertexts as columns of a matrix, C and find H matrix such that HC = 0.

  6. 6.

    Using the H matrix, the random vector, r can be removed from ciphertext and the A1 matrix can be found from the knowledge of any ‘p’ linearly independent plaintext message blocks.

Theorem 4

If each message block is encrypted with different random vector, then the proposed homomorphic encryption scheme is secure to known-plaintext attack

Proof

If same random vector is used for encrypting every message block, then the adversary will be able to retrieve the G matrix and random vector, r using any p + 1 known plaintexts. In the proposed encryption scheme, since the random vector is changed during each encryption, it will not be feasible to retrieve encryption matrix G in KPA. It can be proved that our encryption scheme is resistant to the known-plaintext attack on iterated Hill cipher. The arguments are as follows:

Using step 1, our encryption scheme can be represented as \(c=\left [\begin {array}{cc} G &I \end {array} \right ] \cdot \left [\begin {array}{c} m\\r \end {array} \right ]=Gm + Ir\), where G is a p × p self-invertible matrix and I is a p × p identity matrix. For mounting the aforementioned cryptanalysis on our scheme, the attacker should be able to find a parity check matrix such that H.I = 0. Since the null space of Identity matrix is zero, the attacker cannot find such a matrix, H. As a result, the attacker will not succeed in decoupling the G.m from random vector. Thus the proposed homomorphic encryption scheme resists known-plaintext attack given in [38]. □

Since mounting a known-plaintext attack by separating the contribution of the random vector ri and matrix G is not possible, the key can be retrieved only by guessing the random vector and then finding the key matrix G by solving linear equations. Attacker can mount a KPA with ‘p’ plaintext-ciphertext pairs (mi,ci). From relationship between plaintext-ciphertext pairs ‘p’ linear equations can be formed with (p2 + p) unknowns, where p2 unknowns are from G matrix and p unknowns are from random vector, ri. Since with inclusion of additional plaintext-ciphertext pairs new unknowns are also added in the form of random vectors, increasing number of equations will not directly give a solution. Hence a successful attack need following steps.

  1. 1.

    Pick ‘p’ plaintext-ciphertext pairs (mi,ci).

  2. 2.

    Check whether the message matrix is invertible. If so, proceed to step (3); else return to step (1).

  3. 3.

    Choose one set of initial keys k1, α1 and feedback polynomial g(x).

  4. 4.

    From p equations between pairs (mi,ci) solve for G matrix.

  5. 5.

    Repeat steps (3) and (4) for all possible sets of keys k1, α1 and g(x) and form the table of possible solutions of G.

  6. 6.

    Pick a new plaintext-ciphertext pair (mj,cj).

  7. 7.

    Try with all possible solutions of G from the table and solve for G.

The number of possibilities of the key set k1, α1 and g(x) are given by \({\phi } (q^{L}-1)/L\cdot {\prod }_{j = 1}^{r}(q^{d_{j}}-1)\cdot (q-1)^{L-1}\), where ϕ(qL − 1)/L, \({\prod }_{j = 1}^{r}(q^{d_{j}}-1)\) and (q − 1)L− 1 represent the number of possible feedback polynomials, g(x), initial states, k(x) and α1 values for LFSR respectively. So in step (5) attacker has \({\phi } (q^{L}-1)/L\cdot {\prod }_{j = 1}^{r}(q^{d_{j}}-1)\cdot (q-1)^{L-1}\) possible solutions for G and he has to try all these possibilities to solve for G in step (7). Therefore, the keyspace of the known-plaintext attack is \(2\cdot {\phi } (q^{L}-1)/L\cdot {\prod }_{j = 1}^{r}(q^{d_{j}}-1)\cdot (q-1)^{L-1}\). Considering a small field size, q = 257, block size, p = 16, length of LFSR, L = 11, this keyspace is approximately 2175 and for a larger field size, q = 4091, the keyspace becomes approximately 2263 . Therefore, the average computational complexity of the adversary in mounting a successful known-plaintext attack boils down to O(2174) and O(2262) for q = 257 and q = 4091 respectively. It should be noted that an adversary can successfully mount this KPA only if he possesses p + 1 plaintext-ciphertext pairs. Since the number of data blocks, N is chosen to be at most equal to L in order to preserve the randomness properties in the homomorphically combined data blocks, it will be infeasible for an adversary to have so much information about the plaintext data. In MR-CT image fusion described in Section 4.4, N = 2 since the average of corresponding MR and CT image blocks are taken for fusion. Moreover, it is only required to use same G for encrypting data blocks to be homomorphically combined. So the aforementioned attack possibility can be prevented by using different keys for different sets of data blocks to be homomorphically combined.

6.5 Storage overhead and computational complexity

Storage overhead and computational complexity are two important parameters that determine the efficiency of the proposed encryption scheme. The storage overhead can be expressed in terms of the ciphertext expansion ratio, which is defined as the ratio of the size of ciphertext to the size of the plaintext. In the proposed encryption scheme, since the size of ciphertext is same as the size of plaintext, this scheme will not introduce any storage overhead.

The computational complexity of the encryption scheme can be expressed in terms of number of additions and multiplications. For encrypting a message block of size p, it is first multiplied with a G matrix of size p × p, which is then followed by the addition of a random vector of size p. Multiplying the message block with matrix G involves p2 multiplications and (p2p) additions in Fq while addition by the random vector involves p additions. So, the computational complexity for encrypting each message block includes p2 modular multiplications and p2 modular additions. Since the decryption operation also involves similar operations, the computational complexity of decryption is same as that of encryption. The bit complexity of modular multiplication and modular addition operation are O((logq)2) and O(logq) respectively. Thus, the computational complexity of encryption and decryption process for the proposed scheme is O(p2(logq)2) bit multiplications and O(p2.logq) bit additions.

6.6 Comparison with existing homomorphic encryption scheme

Paillier encryption [23] is the most popular additive homomorphic encryption scheme where addition of two plaintexts is realized by multiplying the corresponding ciphertexts. The plaintexts are represented as elements of Zn, where Zn denotes the set of integers modulo n and ciphertexts are represented as an integer modulo n2, where n is a product of two large primes. So the size of the ciphertext will be double the size of plaintext and this will result in storage overhead. The security relies on the decisional composite residuosity assumption which in turn depends on the computational difficulty in integer factorization. So to provide 128-bit security, ‘n’ should be of 2048 bits, which also results in huge data expansion.

For the proposed encryption scheme, the field size, q required to provide 128-bit security is only 257. Even though q = 257 is sufficient for providing 128-bit security, the computational complexity of proposed scheme is compared using q = 4091 since this value is used for encrypted domain image fusion. The computational complexity of encryption and decryption of a message block of size, p = 16 using Paillier and proposed encryption scheme for providing 128-bit security is compared in Table 6. Since q = 4091, each element of message block can be represented using 12 bits. Message block of size p = 16 can be considered as a single message consisting of 192 bits in Paillier encryption scheme since message, mZn, where n = 2048. The encryption process and decryption process in Paillier scheme requires ‘1’ exponentiation and ‘1’ modular multiplication operations. Each exponentiation needs 2 ⋅(log2y) modular multiplications, where ‘y’ represents the exponent. In Paillier scheme, yZn which implies (log2y) = 2048. So each exponentiation operation is equivalent to 4096 modular multiplications. The bit complexity of modular multiplication operation is O((log2n)2), where n is modulus value. In Paillier scheme, since modulus is taken with respect to n2, the number of bit multiplications involved for single modular multiplication is (2049)2. So the computational complexity of encryption and decryption for this scheme is O(4097.(2049)2). In the proposed scheme, modular operations are done with respect to q, where q is of 12 bits since q = 4091. Therefore, the number of bit multiplications is 122.p2 and the number of bit additions is 12.p2, considering the bit complexity of modular addition operation is O(log2n). So the computational complexity of encryption and decryption for the proposed scheme is O(122.162) bit multiplications and O(12.162) bit additions. Thus computational complexity of the proposed encryption scheme is lesser compared to Paillier cryptosystem for comparable security levels; Also the storage overhead is double for Paillier encryption whereas there is no storage overhead for our proposed encryption scheme for comparable security which is an important advantage in cloud storage scenario.

Table 6 Comparison of the computational complexity of Paillier and proposed encryption scheme for 128-bit security
Full size table

7 Conclusion

In this paper, an affine Hill cipher based additive homomorphic encryption scheme is proposed to support encrypted domain image fusion over cloud. The security of the affine Hill cipher is enhanced through the addition of random vectors. We designed an algorithm for generating random vectors using a combination of LFSRs and verified that these vectors preserve the randomness and security properties while homomorphically combining the encrypted image blocks during fusion. Through mathematical analysis, it is established that the proposed scheme resists possible ciphertext only attack and known-plaintext attack at the cloud side. The security of the proposed scheme is also analyzed in terms of resistance against statistical attacks. The performance of the encrypted domain (ED) medical image fusion is analyzed in terms of various non-reference and reference based objective metrics. The reference based metrics: NCC, SC, SSIM values are equal to 1 and IQI values are 0.999; and MD, AD, NAE and MSE values varies from 10− 13 to 10− 28. The closeness of the values of non-reference metrics: H, SD, MI and FMI corresponding to PD and ED results show that the proposed encrypted domain image fusion provides same accuracy levels as that of plaintext domain image fusion. Moreover, the proposed homomorphic encryption scheme does not introduce any storage overhead due to ciphertext expansion and it offers very low computational complexity. These desirable features make this scheme a suitable candidate for privacy preserving cloud storage and computing applications. Although our proposed homomorphic encryption scheme gives good performance in encrypted domain image fusion, it can support only block-level encryption operations. In our future work, we will focus on pixel level homomorphic encryption so that DWT can also be computed in encrypted domain, which helps to further reduce the client computational complexity.