Introduction

With the rapid development of 5G, big data, cloud computing technology, and artificial intelligence, the service model of "Internet + medical imaging" has gradually become popular, and it becomes an important driving force for the construction of the wisdom medical [1]. The "Internet + Medical Imaging" platform can help doctors and patients quickly and conveniently grasp diagnosis and treatment information, and provide a full range of medical services [2]. "Internet + medical imaging" promotes the development of the wisdom medical and realizes online and offline linkages between doctors and patients, while also bringing new challenges to the medical industry. Among them, the personal privacy problem of medical information is particularly prominent. To facilitate diagnosis, doctors often embed the personal information of patients into medical images directly. These medical images are transmitted and stored in the cloud environment, which will easily cause the leakage and tampering of personal information, and bringing great security risks. How to protect personal privacy information in medical images is an important factor restricting the development of "Internet + Medical Imaging" [3]. Medical image watermarking is an effective method to solve this problem [4]. The medical image watermarking is different from that of general images. In view of the sensitivity of medical images, the diagnosis information contained in the medical images cannot be changed when they are embedded with the watermark information. Therefore, the organic combination of digital watermarking technology and medical images can realize the protection of the "region of interest" information in the original medical images while hiding the personal information in the medical images. The research of medical images encryption watermarking algorithm has good anti-geometric attack and anti-conventional attack ability while taking into account better robustness. It achieves the dual purpose of protecting medical image data and patient privacy information. And it has extremely important theoretical research significance and practical application value [5, 6].

Literature survey

In recent years, there are a lot of research on digital watermarking of medical images, and medical watermarking algorithms had been widely developed and applied. By the spatial domain, Jobin Abraham [7] generated a fragile watermark that could better resist noise attacks, by the least significant bit (LSB) algorithm [8]. Ghassan N. Mohammed [9] proposed watermarking images algorithm based on DISB model, and in this method, two bits were embedded in each pixel of the original image. In the case of high watermark image quality, the proposed model had better robustness and was superior to the LSB algorithm. However, the robustness of this algorithm was poor in strong conventional attacks and geometric attacks. Akram Zeki [10] proposed an intermediate significant bit (ISB) watermark embedding method through pixel replacement. The algorithm had good robustness in compression and noise attacks, but it still could not effectively resist geometric attacks.

By the transform domain, various transformations such as DCT [11, 12], DFT [13, 14], DWT [15, 16] and SVD [17, 18] were mainly used to convert the original images into the frequency domain, and then inverted after embedding watermark. Compared with the spatial domain method, the transform domain methods could embed more information without destroying the value of the original images. However, although one single transform domain method could resist some conventional and geometric attacks, the robustness was still not satisfactory.

In order to improve the resistance of watermarking algorithm to conventional attacks and geometric attacks, and improve the robustness of the algorithm, the methods of hybrid domain [5, 6] were proposed on the basis of transform domain. At present, watermarking methods based on hybrid domains had become the mainstream of current watermarking algorithms. Hybrid transform domain technology could improve the overall anti-attack ability and robustness of the watermarking algorithms. At the same time, they also increased the computational complexity. Based on NSPD-DCT, Rui Wang [19] proposed a zero watermarking scheme against rotation attacks, and it had strong robustness to various attacks. Jing Liu [20] proposed an encrypted watermarking algorithm in the DTCWT-DCT domain combined with Henon Map. The algorithm could embed multiple watermarks at the same time, and has better anti-attack ability while taking into account encryption watermarks. Siming Xing [21] proposed an algorithm to improve the security of watermark information, by scrambling the watermark information with Arnold transform. The algorithm had good robustness against image processing attacks such as clipping attack and rotation attack. The DWT-SVD algorithm was proposed by Zermi Narima [22], applied DWT to retinal images and SVD to LL subbands. It had strong robustness against noise attack, but performed poorly for scaling attacks, rotation attacks. Balasamy K [23] proposed a watermarking method based on fuzzy region of interest (ROI) and DWT to embed encrypted watermark. This algorithm had high security and could resist conventional attacks, but it was less robust to geometric attacks. Kahlessenane Fares [24] proposed two watermarking methods "DCT-Schur" and "DWT-Schur", among which "DCT-Schur" had better robustness against JPGE compression attacks. "DWT-Schur" had stronger anti-attack ability to 0.01 Gaussian noise. These two methods were poor in anti-scaling attacks and anti-average filtering attacks. Based on RSA pseudo-random sequences and Curvelet-DCT, Fengming Qin [25] proposed a robust zero-watermark algorithm, which had better performance in both conventional attacks and geometric attacks. Bandelet-DCT was applied to extract the visual feature vectors of medical images, Yangxiu Fang [26] proposed a novel zero-watermarking algorithm for medical images. It combined Scale Invariant Feature Transform (SIFT) at the preprocessing step on the original medical image extracting the features and had strong robustness. Cheng Zeng [27] proposed a zero watermarking medical image based on KAZE-DCT, and it had good robustness against both common attacks and geometric attacks. Rohit Thanki [28] proposed a hybrid blind watermarking scheme. The scheme was based on DCuT and RDWT, which was robust against noise attacks and JPEG, and the embedded watermark was highly invisible. After that, Rohit Thanki [29] embedded the patient's secret identity into medical images by combining ridgewave transform(FIT) and SVD to realize identity recognition and authentication. And it used Arnold scrambling encryption method to encrypt medical images containing watermarks. This scheme improved the effective load capacity of existing watermarking schemes, and had better robustness to conventional attacks, but the resistance of this algorithm to geometric attack was not ideal. A novel blind Zero code named KeySplitWatermark was proposed by Celestine Iwendi [30]. It was based on watermark detection approach, and used keywords to make segments of the code to produce a key-dependent on the watermark, that could protect software against cyber-attacks. Based fractional-order radial harmonic Fourier moments (FoRHFMs), Zhiqiu Xia [31] proposed a zero-watermarking algorithm to achieve lossless copyright protection of medical images, that had high robustness to geometric attacks and common attacks. Baowei Wang [32] proved the feasibility of combining the zero-watermark algorithm with blockchain technology to improve the security of the zero-watermark algorithm. Using a deep learning-based chaotic logistic map, Ch. Rupa [33] proposed a secure multimedia transformation approach. It used ResNet model to perform classification for identifying the fake medical multimedia data, and could against various cyber-attacks and had high entropy levels.

It could be found that these watermarking algorithms above could protect watermark information well in cloud environment, and they could resist Gaussian attack, median filter attack, JPGE compression and other conventional attacks well. The anti-geometric attack was the research focus and difficulty of watermarking algorithms. Most of these algorithms could resist two or more geometric attacks and had good robustness. Baowei et al. [32] combined blockchain technology with zero watermarking to further improve the security of the watermarking algorithm. Combined with the obfuscated sequence, [33] used ResNet-50 to realize the encryption conversion of information, which provides a new idea for the embedding and extraction of watermarks. But for the encryption of watermarks, [20, 23, 25,26,27] used chaos theory to encrypt, the algorithms were single and small key spaces, and had a risk of being cracked. Siming et al. [21], Thanki et al. [28], Thanki and Kothari [29] used Arnold transform to encrypt, which kept the image area invariant and had a certain degree of security. However, these methods retained the pixel characteristics of the original images and required a large amount of calculation. The evaluation criteria for measuring the degree of image scrambling were difficult to be unified, and it was periodic. For conventional attacks, [24, 28] had poor robustness to average filter attacks. Wang et al. [19], Siming et al. [21], Balasamy and Suganyadevi [23], Fares et al. [24], Fengming et al. [25], Thanki and Kothari [29], Zhiqiu et al. [31] had better robustness for low noise intensity (such as Gaussian noise intensity lower than 0.1), but when the noise intensity increased after reaching a certain level (such as the Gaussian noise intensity was higher than 0.2), the robustness of the algorithms were decreased. For geometric attacks, [23, 29] had low robustness under geometric attacks. Jing et al. [20], Siming et al. [21] could resist most types of geometric attacks, but they performed poorly on translation attacks. Narima et al. [22] had better robustness to rotation attacks (less than 5 degrees). When the rotation angle was increased, the robustness of the algorithms would decrease a lot. It could be seen that searching for medical watermarking algorithms that could effectively resist geometric attacks and high-intensity noise attacks had always been a puzzle for researchers. KeySplitWatermark [30] was too dependent on the programming language. If the code changed greatly or the programming languages was changed, it would cause great damage to the watermark. And resNet-50 network model [32] requires high computing power and takes a long time, and the robustness of the algorithm was greatly affected by adversarial example.

Based on these researches, and in order to balance encryption and attack resistance, this paper proposed a robust algorithm of tent-Henon-Map (THM) double chaotic cryptographic watermarking based on ridgelet-DCT. Based on the common watermarking technology, the algorithm combined the third party concept, chaos encryption technology to achieve the "zero watermarking" embedding of medical images and blind extraction of watermarking information. And it could effectively resist conventional attacks and geometric attacks while taking into account confidentiality, invisibility and robustness.

The main contributions in this paper were:

  1. 1.

    Based on ridgelet-DCT, it proposed a new feature extraction method of medical images which did not require any modification to the original image. The algorithm had better invisibility and robustness, and at the same time it could resist conventional attacks and geometric attacks.

  2. 2.

    It had low requirements on the quality of the original image, and had a high embedding rate and good payload. And the embedding of the watermark could be achieved by using a key stored in a third party, without selecting the region of interest, which could effectively protect patient privacy. It did not need the original image to extract the watermarks, only to use the key and the embedded watermark image to extract the watermark and decrypt it.

  3. 3.

    Combined the advantages of Tent Map and Henon Map, a THM double chaotic encryption system was proposed. The encryption system was sensitive to the initial values, easy to implement, and had a large key space, which enhanced the security of the watermark.

The fundamental theory

Ridgelet transform theory

The radon transform

Radon transform was proposed by Radon in 1917. It has good anti-noise performance and is widely used in medical image processing. The function \(g(x,y)\) represents the pixel of the point \((x,y)\) in image I, and map a certain straight line \(t = x\cos \theta + y\sin \theta\) in the space to a point \((t,\theta )\) in Radon space, then the two-dimensional Radon transform of the image is shown as Eq. (1).

$$R(t,\theta ) = \iint\limits_{I} {g(x,y)\eta (x\cos \theta + y\sin \theta - t)dxdy}$$
(1)

Among them,\(\eta ( \cdot )\) is the Dirac function, \(t\) is the distance \((x,y)\) to the origin, and \(\theta\) is the angle between X-axis and the line which perpendicular to the line \(t\) from the origin. It can be understood that Radon transform is the projection of image \(I\) in \(t - \theta\) space, and each point in the \(t - \theta\) space corresponds to a straight line in the image space. And it can also be understood as the projection on the horizontal axis after the image is rotated \(\theta\) clockwise, as shown in Fig. 1.

Fig. 1
figure 1

Radon transformation of medical images ((a) original image; (b) the result after Radon transformation)

Full size image

Ridgelet transform

Ridgelet transform performs Randon transform on the image firstly, maps one-dimensional odd-specificity in the image into a point in the Randon domain, and then detects the singularity with one-dimensional wavelets. That can more effectively represent the singular features in the image with orientation. Ridgelet transform is more suitable for analyzing signals with straight line or hyperplane singularity. It can sparsely express image features and achieve high approximation accuracy while taking into account anti-noise ability. Its mathematical model is:

$$RT_{g} \left( {a,b,\theta } \right) = \int_{{R^{2} }} {\psi_{a,b,\theta } \left( w \right)g\left( w \right)dw}$$
(2)

Among them, \(\psi (w) = a^{{ - \frac{1}{2}}} \psi \left( {\frac{x\cos \theta + y\sin \theta - b}{a}} \right)\) is called the ridge function, \(RT_{f} \left( {a,b,\theta } \right) = \int_{{R^{2} }} {\psi \left( w \right)g\left( w \right)dw}\) is the continuous Ridgelet transformation of \(g(w)\) on \({R}^{2}\). In the two-dimensional case, the two can be connected through the radon transform. The inverse transformation of ridgelet transform is expressed as:

$$g\left( w \right) = \int_{0}^{2\pi } {\int_{ - \infty }^{\infty } {\int_{0}^{\infty } {RT_{g} \left( {a,b,\theta } \right)\psi \left( w \right)\frac{da}{{a^{3} }}db\frac{d\theta }{{4\pi }}} } }$$
(3)

The chaos theory

Tent chaos

Tent chaos is an 1D chaos with linear mapping. It is suitable for image data encryption design due to that it has large secret key space, sensitivity to initial values, unrepeatability, uncertainty and unpredictability. The mathematical model is:

$$x_{n + 1} = \left\{ \begin{gathered} \frac{{x_{n} }}{\alpha },0 < x_{n} \le \alpha \hfill \\ \frac{{1 - x_{n} }}{1 - \alpha },\alpha \le x_{n} < 1 \hfill \\ \end{gathered} \right.$$
(4)

When ɑ ϵ (0,1) and xn ϵ (0,1), tent map is in a state of chaos. The initial value \(x_{0}\) will be different from the system parameter ɑ to avoid the formation of the system cycle Usually.

Henon map

Henon Map is a discrete nonlinear dynamic 2D chaotic system generated by variables x and y simultaneous iteration. Its mathematical model is:

$$\left\{ {\begin{array}{*{20}c} {x_{n + 1} } \\ {y_{n + 1} } \\ \end{array} \begin{array}{*{20}c} { = 1 - \alpha x_{n}^{2} + y_{n} } \\ { = \beta x_{n + 1} \quad \quad } \\ \end{array} } \right.$$
(5)

Among them, ɑ and β are the system parameters. When ɑ = 1.4 and β = 0.3, the system is in a chaos. Henon mapping is easy to implement and more complex chaotic structure. And it has the characteristics of pseudo-randomness and initial value sensitivity, which is suitable for encrypting images. However, the existence of "blank area" and "stable area" are two problems faced when using Henon mapping for image encryption, as shown in Fig. 2.

Fig. 2
figure 2

The bifurcation diagram of Henon Map

Full size image

Design of THM dual chaotic systems

In order to make up for the shortage of henon chaos and tent chaos, a tent-henon map (THM) dual chaotic system is designed in this paper. THM double chaos system has the characteristics of easy to implement, fast calculation speed, large key space, sensitive initial values, etc. It can produce chaotic sequences that are difficult to predict, and the application is more flexible. Tent chaotic matrix \(T_{1}\) and Henon chaotic matrix \(H_{1}\) are transformed into binary matrices \(T_{2}\) and \(H_{2}\) by Eq. (6) and Eq. (7).

$$T_{2} (i,j) = \left\{ {\begin{array}{*{20}c} {T_{1} (i,j) = 0} \\ {T_{1} (i,j) = 1} \\ \end{array} \begin{array}{*{20}c} , \\ , \\ \end{array} \begin{array}{*{20}c} {T_{1} (i,j) < T_{average} } \\ {T_{1} (i,j) \ge T_{average} } \\ \end{array} } \right.$$
(6)
$$H_2\left(i,j\right)=\left\{\begin{array}{l}H_1\left(i,j\right)=0,H_1\left(i,j\right)<H_{average}\\H_1\left(i,j\right)=1,H_1\left(i,j\right)\geq H_{average}\end{array}\right.$$
(7)

Then \(T_{2}\) and \(H_{2}\) are obtained by XOR operation. The encryption key \(key_{THM}\) is obtained by Eq. (8).

$$Key_{THM} = T_{2} \oplus H_{2}$$
(8)

The proposed algorithm

The main steps of the algorithm

The algorithm was a watermarking algorithm based on ridgelet-DCT transform domain and THM double chaotic encryption system. In the feature extraction stage, based on human visual features, in the ridgelet-DCT domain, a new perceptual hash feature sequence that could represent image features was determined by setting a threshold parameter and participated in the watermarking operation. The algorithm organically combined watermarking technology with chaotic encryption, third-party concepts and cryptography, for improving the security of medical image transmission and better protection of patient privacy. While it made the watermark resistant to conventional attacks and geometric attacks, and had strong robustness.

  • Step 1: ridgelet-DCT transform was performed on the original medical images \(I\). And then in the transformed domain, it obtained the feature vector \(V_{img}\) of the medical image. \(V_{img}\) was converted into a binary hash feature sequence \(V_{h}\), by setting the threshold parameter k.

  • Step 2: A binary matrix Wb was obtained by the transform of watermark image W. By setting the initial values of the tent diagram and Henon diagram, two chaotic sequences were generated. After binarization, the encryption matrix \(key_{THM}\) was obtained by logical XOR calculation of them.

  • Step 3: The encrypted watermark We was obtained by the matrix Wb and \(key_{THM}\).

  • Step 4: Through the encrypted watermark We of the image and the binary feature Vh of the medical image, the binary logic sequence \(key\) was calculated and stored on the third-party platform.

  • Step 5: The feature sequence \(V^{\prime}_{h}\) of medical image \(I^{\prime}\) required to extract watermark was extracted by using the method of Step 1. The encrypted watermark matrix \(W^{\prime}_{e}\) was obtained by logical operation with \(key\) stored in the third party.

  • Step 6: The final watermarking result was obtained by decrypting \({W}_{e}^{^{\prime}}\) with the encryption key \(key_{THM}\).

Feature extraction based on ridgelet-DCT transform domain

The medical image feature extraction algorithm based on the ridgelet-DCT transform domain was proposed in this paper. It takes into account the advantages of Ridgelet algorithm with better sparse expression ability, high approximation accuracy, and DCT transform with robustness, ergodicity, and strong anti-conventional attack ability. And ridgelet-DCT transform was used to find visual features suitable for medical images. A human brain image (128 × 128) was randomly selected for conventional attack and geometric attack, as shown in Fig. 3.

Fig. 3
figure 3

The results under different attacks: (a) The brain image; (b) Gaussian noise attack with 1%; (c) JPEG compression attack with 4%; (d) Median filter attack with [3 × 3] and 10 times; (e) Rotation attack with clockwise 5◦; (f) Translation attack with left 5% (g) Translation attack with down 7%; (h) Scaling attack with 95%; (i) Cropping attack with Y direction 10%

Full size image

These images were transformed by ridgelet-DCT, and the coefficient data were extracted. It could be found that although these data had certain changes, their symbols were basically guaranteed to remain unchanged, as shown in Table 1. Based on the threshold, and set the values greater than the threshold to 1, others into 0. And it obtained the feature sequence of the brain image in the ridgelet-DCT transform domain, as "11,001,000,000". By Table 1 it could be found that, after transformation, symbol sequences of all attacked images were basically consistent with the original image.

Table 1 The ridgelet-DCT coefficients under different attacks
Full size table

According to the conclusions drawn in Table 1, this paper randomly selected a large number of medical images for the same test, and calculated the correlation coefficients between the 32-bit feature hash sequences of these images. Figure 4 showed 8 medical images selected randomly and Table 2 showed the correlation coefficient values between them. It could be found that the correlation coefficients between different medical images were all less than 0.5. Therefore, we could take the feature hash sequence transformed by ridgelet-DCT as the feature vector of medical image, and associated it with watermarking, so as to realize the zero-watermarking algorithm.

Fig. 4
figure 4

Tested images ( (I1) Brain; (I2) Orbit; (I3) Internal auditory canal; (I4) Knee; (I5) Foot; (I6) Spine; (I7) Coccygeal vertebra; (I8) Shoulder)

Full size image
Table 2 The correlation coefficients between different medical images
Full size table

Watermark encryption and embedding

Before embedding the watermark, the THM double chaos system was used to encrypt the watermark and the encrypted watermark was obtained. The watermarking encryption scheme was shown in Fig. 5, and the watermarking embedding algorithm was shown in Fig. 6.

Fig. 5
figure 5

The watermarking encryption scheme

Full size image
Fig. 6
figure 6

The watermarking embedding algorithm

Full size image

  • Step 1: Selecting the initial values, It selected the initial values of Tent chaos as x0 = 0.36 and α = 0.98, and iterated 300 times to generate the Tent Map chaotic sequence and converted it into a \(300 \times 300\) matrix \(T_{1}\). It set the initial values of Henon chaos as \(\alpha = 1.4\) and \(\beta = 0.314\) to iterate 300 times, and generates the Henon Map chaotic matrix H1.

  • Step 2: It transformed \(T_{1}\) and \(H_{1}\) into binary matrices \(T_{2}\) and \(H_{2}\), by Eq. (6) and Eq. (7).

  • Step 3: It done logical XOR of \(T_{2}\) and \(H_{2}\) to get the encryption key keyTHM, by Eq. (8).

  • Step 4: The binary watermark matrix \(W_{b}\) and the encryption key \(key_{THM}\) were logically XORed to obtain the encrypted watermark , by Eq. (9).

$$W_{e} = W_{b} \oplus key_{THM}$$
(9)

  • Step 5: Used the feature extraction method to perform ridgelet-DCT transformation on the original image \(I\) and extracted the feature vector \(V_{img} (i)\), \(i = 1,2, \cdots ,32\), by Eq. (10).

$$V_{h} (i) = \left\{ {\begin{array}{*{20}c} 1 \\ 0 \\ \end{array} \begin{array}{*{20}c} {} \\ {} \\ \end{array} \begin{array}{*{20}c} {,V_{img} (i) \ge k \times mean(V_{img} )} \\ {,V_{img} (i) < k \times mean(V_{img} )} \\ \end{array} } \right.$$
(10)

Here, \(k\) was the threshold parameter, which transformed the feature vector \(V_{img}\) into a binary feature hash Vh.

  • Step 6: With binary feature hash \(V_{h}\) and the encrypted watermark \(W_{e}\), it generated binary henon sequences key by Eq. (11), the algorithm flow was shown in Fig. 6.

$$key = V_{h} \oplus W_{e}$$
(11)

Watermark extraction and decryption

The algorithm proposed realizes the embedding of zero watermark and the blind extraction of watermark. The specific steps were shown in Fig. 7.

Fig. 7
figure 7

The watermarking extraction and decryption algorithm

Full size image

  • Step 7: To obtain binary feature vector \(V^{\prime}_{h}\), it performed the operation on the image \(I^{\prime}\) as Step 5.

  • Step 8: It obtained the encrypted watermark \(W^{\prime}_{e}\) by Eq. (12).

$$W^{\prime}_{e} = key \oplus V^{\prime}_{h}$$
(12)

  • Step 9: It obtained the watermark decryption key keyTHM in steps 1–3, and performed the following operations with the extracted encrypted watermark \({W}_{e}^{^{\prime}}\) to obtain the decrypted watermark by Eq. (13).

$$W^{\prime} = key_{THM} \oplus W^{\prime}_{e}$$
(13)

Finally, it accorded to the degree of correlation between W and W' to determine the patient's personal information.

Experiment and analysis

In this paper, Matlab 2021a was used as the software platform, and the original image was the "brain" image and a meaningful image as the original watermark. By slightly changing the initial values of the THM chaotic system, the sensitivity and security of the algorithm were verified. (a) (b) (c) in Fig. 9 were the embedded watermarked image, the watermark image, and the encrypted watermark image.

The sensitivity analysis

In this paper, the THM double chaos system was designed based on the characteristics of Tent Map's large secret key space and Henon Map's high complexity and suitable for two-dimensional images. The chaotic system could generate chaotic sequences that were difficult to predict, simple, flexible, sensitive to initial values, fast calculation speed, and large key space. The key space of THM was \(10^{116}\) which was much larger than that of low-dimensional chaotic systems and other double chaotic algorithms, as shown in Table 3. The THM double chaotic system changed the dynamic behavior of a single chaotic system, made up for the deficiency of the blank window in the chaotic region. And it avoided periodic degradation of low chaotic system, and effectively resisted model exhaustive attacks and reconstruction attacks.

Table 3 The comparison of key space
Full size table

THM double chaotic system was highly sensitive and highly dependent on the key. Even minor change in the key could not get the correct decryption result, and the resulting images encryption would fall into chaos. In this paper, the initial values of Tent chaos were set as \(x_{0} = 0.36\), \(\alpha = 0.98\) and \(N = 300\), and the initial values of Henon chaos were set as \(x_{0} = 0\), \(y_{0} = 0\) and the initial parameters were \(\alpha = 1.4\) and \(\beta = 0.314\). While keeping other parameters unchanged, the initial parameter of henon map was changed to \(\alpha=1.4+10^{-16}\), the initial parameter of tent map was changed to \(x_0=0.36+10^{-16}\) or \(\alpha=0.98+10^{-16}\). They all could not get the correct watermark image, as shown in Fig. 8. It showed that the THM double chaos encryption system proposed in this paper had high security and could protect the security of watermark image data better.

Fig. 8
figure 8

Sensitivity analysis of encryption algorithm ( (a) the medical image of the watermark; (b) the correctly decrypted watermark; (c) the encrypted image; (d) the error decryption result with \(a = 1.4 + 10^{ - 16}\); (e) the error decryption result with \(a = 0.36 + 10^{ - 16}\); (f) the error decryption result with \(\alpha = 0.98 + 10^{ - 16}\))

Full size image

Conventional attacks

Gaussian noise attacks

Under the attacks of Gaussian noise, this paper added different intensity noises to the "human brain" medical image, as shown in Fig. 9.

Fig. 9
figure 9

The images and watermark results under different Gaussian noise attacks ((a) 5% noise intensity; (a1) the watermark result of (a); (b) 50% noise intensity; (b1) the watermark result of (b))

Full size image

When the threshold coefficient was set \(k = 1\), the NC value results of watermark extracted under Gaussian noise attacks were obtained, as shown in Table 4. When the noise intensity was less than 1%, the NC values were 1, and it was less than 5%, the NC values were higher than 90%. Even though the noise intensity reached 50%, the images had been severely distorted and difficult to be accurately recognized by the naked eye. The NC values were still higher than 0.6. It indicated that the algorithm proposed was robust against Gaussian noise.

Table 4 Results of Gaussian noise attacks
Full size table

Median filter attacks

In this paper, median filtering attacks of [3,3], [5,5], [7,7] and [9,9], and 1, 10 and 20 times were carried out on the original image respectively. Parts of the attack results and extracted watermark were shown in Fig. 10. It set the threshold parameter as k = 1, the NC values calculated by the algorithm proposed are all 1, as shown in Table 5. That shows that the algorithm had good resistance to median filtering attacks.

Fig. 10
figure 10

The images and watermark results under different median filtering attacks ((a) 10 times of [5,5]; (a1) the watermark result of (a); (b) 20 times of[9,9]; (b1) the watermark result of (b))

Full size image
Table 5 Results of median filtering attacks
Full size table

JPEG attacks

Due to the large data volume of medical images, they must be compressed for storage in order to save the limited storage space, reduce storage costs, improve image transmission speed and reduce communication costs. As an international compression standard, JPEG compression was a common method of medical image compression. It set the threshold parameter as k = 1, in this paper. 4%, 8%, 15%, 20% and 40% JPEG compression of the original image were carried out respectively, as shown in Fig. 11. The values of NC were always set to 1, when the original image was compressed to 40%. It showed that the algorithm had a better ability with anti-JPEG attacks and robustness, as shown in Table 6.

Fig. 11
figure 11

The images and watermark results under different JPEG compression attacks ((a) 4% JPEG compression; (a1) the watermark result of (a); (b) 8% JPEG compression; (b1) the watermark result of (b))

Full size image
Table 6 Results of JPEG compression attacks
Full size table

Geometrical attacks

Rotation attacks

It rotated clockwise and counterclockwise by 5° each time on the original image, and partial results were shown in Fig. 12. When the threshold parameter \(k = 3\) was set, the NC values were shown in Table 7. It could be found that the algorithm had better robustness when the rotation angles were less than 10°. When the rotation angles were between 10° and 30°, the NC values were greater than 0.76 and 082. When it was rotated to 45°, the NC values could still be above 0.6. It showed that the algorithm had good ability on anti-rotation attack and robustness, and it had a better effect on counterclockwise rotation attacks than clockwise rotation attacks.

Fig. 12
figure 12

The images and watermark results under rotation attacks ((a) Clockwise rotation 25°; (a1) the watermark result of (a); (b) Contrarotate 25°; (b1) the watermark result of (b))

Full size image
Table 7 Results of rotation attacks
Full size table

Translation attacks

Translation attacks on the original image were selected to verify the robustness of the algorithm, and the threshold parameter was set as \(k = 2\). Left–right translation attacks and up-down translation attacks were carried out on the original image, then the watermark information was extracted, and the results were shown in Tables 8 and  9. They showed that the effect of the algorithm on the right translation attacks was better than that on the left. Among them, the NC values were all higher than 0.9 when left and right distance were within 5%. When the distance of left and right translation reached 20%, the NC values could still be higher than 0.67. It showed that the algorithm could resist translation attack better and had good robustness. (a), (b), (a1) and (b1) in Fig. 13 showed the attack results and watermarking results with 10% translation on the left and right.

Table 8 Results of left and right translation attacks
Full size table
Table 9 Results of up and down translation attacks
Full size table
Fig. 13
figure 13

The images and watermark results under translation attacks ((a) left distance 10%; (a1) the watermark result of (a); (b) right distance 10%; (b1) the watermark result of (b); (c) down distance 22%; (c1) the watermark result of (c); (d) up distance 18%; (d1) the watermark result of (d))

Full size image

It could be found from Table 9 that when down distance 12%, the NC values were still 1. And when down distance 22%, the NC values were greater than 0.9. With up distance 8%, the NC values had dropped to 0.72. When up distance 22%, the NC values were greater than 0.5. It indicated that the algorithm had good resistance to up and down translation attacks and good robustness. And the algorithm was resistant to downward translation attacks far better than resisting upward translation attacks. (c), (d), (c1) and (d1) in Fig. 13 showed the attack results and watermarking results with down distance 22% and up distance 18%.

Scaling attacks

The scaling attacks were carried out on the original image, and the threshold parameter was settd as \(k = 1.5\). The partial results were shown in Fig. 14. According to Table 10, the scaling parameters ranged from 0.2 to 8.0, and the NC values were still 1. It showed that the algorithm was very robust to scaling attacks.

Fig. 14
figure 14

The results under scaling attacks ((a) scaling factor 0.2; (a1) the result of (a); (b) scaling factor 8.0; (b1) the result of (b))

Full size image
Table 10 Results of scaling attacks
Full size table

Cropping attacks

The original image was sheared in the Y-axis direction and the X-axis direction respectively, and part of the results were shown in Fig. 15. It could be found that the algorithm had better anti-attack effect for Y-axis cropping when the threshold parameter was k = 12 as shown Table 11. When the original image was cropped less than 12%, the NC values were 1. When it was cropped 35%, the NC value was bigger than 0.9, and cropped 40%, the NC could still reach 0.7689.

Fig. 15
figure 15

The images and watermark results under scaling attacks ((a) Y Direction 40%; (a1) the watermark result of (a); (b) X Direction 23%; (b1) the watermark result of (b))

Full size image
Table 11 Results of cropping attacks
Full size table

When the X-axis was cropped, the threshold parameter was \(k = 2.5\), and the anti-attack effect of the algorithm was the best. Then the original image was cropped less than 12%, the NC values were greater than 0.9. When it was cropped 23%, the NC value could be greater than 0.6. And, when it was cropped 40%, the NC could still reach 0.5531. This indicated that the algorithm proposed in this paper had good robustness to cropping attack, and the results in the Y-axis direction were better than those in the X-axis direction.

Algorithms comparison

This paper compared the NC values of [20, 25,26,27, 36, 37] under different attacks. The results under conventional attacks were shown in Table 12, and the results under geometric attacks were shown in Table 13.

Table 12 Different algorithms comparison
Full size table
Table 13 Different algorithms comparison
Full size table

It could be seen from Fig. 16(a) that under Gaussian noise attacks, when noise intensity was 1%, the anti-Gaussian noise ability of the algorithm, [20] and [25, 26] were higher than that of [27] and [36, 37]. When the noise intensity was 10%, the ability of our algorithm was slightly lower than [26] and [37] and better than other algorithms. When the noise intensity was 25%, our NC value was still greater than 0.7, the anti-Gaussian noise ability of the algorithm decreased, and it was better than [27] and [36].

Fig. 16
figure 16

Comparison of NC values under Gaussian noise attacks and JPEG compression attacks ((a) median filter attacks (b) JPEG compression attacks)

Full size image

For JPEG attacks, it could be found that other algorithms change to a certain extent with the increase of attacks, but for our algorithm and [26], the NC values were still 1, which was superior to other algorithms, as shown in Fig. 16(b). And for mean filtering attacks, it could be found that our algorithm was superior to other algorithms, as shown in Fig. 17(a).

Fig. 17
figure 17

Comparison of NC values under median filter attacks attacks and rotation(clockwise) attacks ((a) Gaussian noise attacks (b) rotation(clockwise) attacks)

Full size image

It was a difficult problem for watermark algorithm to resist geometric attack. This paper used rotation (clockwise), scaling, down translation, left translation and cropping to compare the robustness of the algorithm with other methods, and their NC values were shown in Table 13. From Fig. 17(b), it could be found that when the rotation angle was less than 10°, the NC values of our algorithm and [26] were 1, greater than others. When the rotation angle reached 40°, it was better than [25, 27] and [36].

For scaling attacks, the anti-attack ability of our algorithm and [25, 26] were significantly better than other algorithms, as shown in Fig. 18(a). For down translation attacks, when the attack strength reached 20%, NC value of us was still 0.9, greater than others, as shown in Fig. 18(b). For left translation attacks, the anti-attack ability of our algorithm was better than [25] and [36, 37], as shown in Fig. 19(a). And as the cropping attacks strength increased at 35%, anti-attack ability of our algorithm was better than other algorithms, as shown in Fig. 19(b).

Fig. 18
figure 18

Comparison of NC values under scaling attacks and down translation attacks ((a) scaling (b) down translation)

Full size image
Fig. 19
figure 19

Comparison of NC values under left translation attacks and cropping attacks ((a) left translation (b) cropping)

Full size image

It selectd 5 algorithms with better performance, and compared the computational cost of the time required by the algorithms for embedding and extracting watermarks under the same conditions, as shown in Fig. 20. It could be found that the computational cost of our algorithm was lower than other algorithms.

Fig. 20
figure 20

Comparison of computation cost

Full size image

Therefore, through the above comparison, it could be found that the algorithm proposed in this paper was significantly better than other algorithms in median filtering, JPEG and cropping attacks. And its performance in rotation attack and left translation attack were in the middle level of all. When the NC values of other algorithms decreases as the attack increases, the NC values of our algorithm were all greater than 0.7. This shown that the anti-attack capability of the algorithm was more comprehensive and balanced, and it could better resist high-intensity conventional attacks and geometric attacks, and the algorithm had good robustness while taking into account the low computational cost.

Conclusions

In this paper, a new medical image watermarking algorithm based on ridgelet-DCT transform domain and THM double chaos encryption was proposed. The algorithm combined double chaos encryption, zero watermarking and coefficient invariance in transform domain. The watermark could be extracted and embedded without selecting the region of interest. The algorithm was based on image encryption in the ridgelet-DCT transform domain, and considering that the ridgelet transform had good sparse expression ability, high approximation accuracy, and DCT transform had good robustness and anti-traditional attack ability. The algorithm has taken advantage of THM double chaos system, which had the characteristics of high complexity, sensitive initial values, large secret key space and it was difficult to crack. While improving the security of watermark information, it had good robustness against conventional attacks and geometric attacks. And the algorithm also had low computational cost and good balance. The algorithm also had some limitations. Under the attacks of rotation attacks and left translation attacks, the robustness of the algorithm was not good enough. And it had poor robustness for complex geometric attacks (such as ripple attack, squeeze attack, etc.). That need to be further improved and perfected.