Next Article in Journal
Design and Experiment of a Moving Magnet Actuator Based Jetting Dispenser
Next Article in Special Issue
Fast Face Tracking-by-Detection Algorithm for Secure Monitoring
Previous Article in Journal
Hardware Prototyping and Validation of a W-ΔDOR Digital Signal Processor
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Reversible Data Hiding Scheme in Homomorphic Encrypted Image Based on EC-EG

Key Laboratory of Network and Information Security under Chinese People Armed Police Force (PAP), Engineering University of PAP, Xi’an 710086, China
*
Authors to whom correspondence should be addressed.
Appl. Sci. 2019, 9(14), 2910; https://doi.org/10.3390/app9142910
Submission received: 25 June 2019 / Revised: 11 July 2019 / Accepted: 18 July 2019 / Published: 20 July 2019

Abstract

:
To combine homomorphic public key encryption with reversible data hiding, a reversible data hiding scheme in homomorphic encrypted image based on EC-EG is proposed. Firstly, the cover image is segmented. The square grid pixel group randomly selected by the image owner has one reference pixel and eight target pixels. The n least significant bits (LSBs) of the reference pixel and all bits of target pixel are self-embedded into other parts of the image by a method of predictive error expansion (PEE). To avoid overflowing when embedding data, the n LSBs of the reference pixel are reset to zero before encryption. Then, the pixel values of the image are encrypted after being encoded onto the points of the elliptic curve. The encrypted reference pixel replaces the encrypted target pixels surrounding it, thereby constructing the mirroring central ciphertext (MCC). In a set of MCC, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts, while the reference pixel remains unchanged. The receiver can directly extract additional data by homomorphic subtraction in ciphertexts between the target pixels and the corresponding reference pixel; extract the additional data by subtraction in plaintexts with the directly decrypted image; and restore the cover image without loss. The experimental results show that the proposed scheme has higher security than the similar algorithms, and the average embedding rate of the scheme is 0.25 bpp under the premise of ensuring the quality of the directly decrypted image.

1. Introduction

Data hiding (DH) and digital watermarking (DW) are two of the important contents of cyberspace security research, which have been greatly developed in recent years. Various new technologies and new methods for them emerge one after another. For example, Abdallah et al. [1,2] proposed some new algorithms for video watermarking. Yu et al. [3] summarized the current robust video watermarking algorithms for copyright protection. However, most steganography algorithms cause permanent distortion of the original carrier after embedding the data, which is not allowed in some areas where data authentication is required, such as privacy protection in the cloud environment, military combat map transmission, etc. [4]. Reversible data hiding (RDH) [5] takes data hiding and distortion-free recovery of the original carrier into account. Currently, RDH algorithms mainly include: lossless compression (LC) [6,7], difference expansion (DE) [8,9] and histogram shifting (HS) [10,11]. With the promotion of cloud services, for the purpose of privacy protection, users usually encrypt the uploaded data, so that the original data become incomprehensible ciphertext data. Reversible data hiding in encrypted image (RDH-EI) comes into being and has become the latest research hotspot. The RDH-EI requires that the carrier used for embedding be encrypted, and the carrier still be decrypted without error after extracting embedded data. RDH-EI is an important combination of signal processing technology and data hiding technology in encrypted domain. It has dual functions of privacy protection and secret information transmission for information security in data processing. There are two main applications in medical health. The first is the integrity protection of medical images. Medical images are mostly digital images that are easily copied, edited, or maliciously altered while being easy to store. A more mature technique for protecting image integrity information is digital signatures. The main principle is to generate non-repudiation hash values that are appended to original image and transmitted to the receiver. However, in reality, confidential communications often run the risk of being attacked by malicious attacks and analysis. The way to directly attach the hash value to the image is easily vandalized and replaced, thus increasing the difficulty of image authentication. On some special occasions, image reversible information hiding can be used as an important complementary technology to digital signatures, embedding image integrity information such as hash values into medical images. The receiver can not only recover the medical image reversibly, but also correctly extract the legal authentication information to protect the integrity of the medical image. The second is encrypted image management in telemedicine. Image-oriented telemedicine is widely used in the future information society. For the purposes of confidentiality and privacy protection, medical images sometimes need to be encrypted beforehand and sent to third parties such as the cloud for management. The sensitive information such as the medical record is embedded in encrypted image by means of RDH-EI, so that encrypted image management in telemedicine can be realized.
Zhang [12] firstly proposed RDH-EI, which encrypts images with stream ciphers, and then divides encrypted images into blocks that do not overlap each other. Each block has two groups. By flipping each pixel’s three least significant bits (LSBs) in the corresponding group, 1-bit information can be embedded. The receiver extracts extra data through the wave function. However, when the block is small, the error rate becomes high. Hong et al. improved Zhang’s method by using a wave function capable of edge matching in [13] and using unbalanced bit flipping in [14]. In [15], Zhang proposed a separable RDH-EI algorithm, which can extract additional data in both the encrypted domain and the plaintext domain. The above RDH-EI algorithms need to vacate room after encryption (VRAE) for data hiding, resulting in lower embedding capacity of the algorithm and higher error rate in the data extraction process. Ma et al. [16] proposed a RDH-EI algorithm by vacating room before encryption (VRBE). Zhang et al. [17] improved reversibility, embedding capacity, and image quality by exploiting prediction errors in data embedding.
The RDH-EI algorithms mentioned above are to encrypt images with symmetric cryptography because symmetric cryptography has lower computational complexity and faster encryption and decryption speed. However, because of using symmetric cryptography, each pair of senders and receivers must have different keys, which are required in the context of current multi-party cloud computing services. The amount of keys is huge, which makes it difficult to manage keys. For example, in a communication network with n users, each user must use n 1 keys to communicate with the remaining n 1 users, and the total number of keys in the system will be up to C 2 n = n ( n 1 ) / 2 . Such a large amount of keys will have insecurities in the various aspects of saving, transferring, using and destroying. In addition, both parties using symmetric cryptography must use the same key for encryption and decryption, thus the key must be transmitted over the secure channel before communication. If the key is stolen during the delivery process, or either party leaks the key, the encrypted data will be insecure. Because symmetric cryptography has the above shortcomings of designing the RDH-EI algorithms, we naturally use public key cryptography into the RDH-EI algorithms. The key amount of the public key cryptography is greatly reduced, and the key does not need to be transferred in advance. More importantly, with public key cryptography, we can perform homomorphic addition and homomorphic multiplication in the encrypted domain, which makes the embedding process of additional data more secure.
Differing from RDH-EI, Chen et al. [18] firstly proposed encrypted image-based reversible data hiding with public key cryptography (EIRDH-P). In EIRDH-P, the characteristics of public key cryptography overcome the shortcoming that symmetric encryption requires the safe channel to pass the key in advance. The algorithm embeds the 1-bit information into a pair of adjacent encrypted pixels. According to the homomorphic characteristics of the Paillier cryptosystem, the receiver obtains the secret information by comparing all the decrypted pixel pairs. The disadvantage of the Chen’s method is that there is an inherent overflow problem. Subsequently, Shiu et al. [19] and Wu et al. [20] improved Chen’s method by solving the overflow problem. The above inseparable algorithms limit the application scenario and scope of the algorithms, and the separable algorithms have more application scenarios. The receiver’s privilege determines different operations it can perform, for example the receiver can only extract additional data, the receiver can only decrypt the image, and the receiver can both decrypt the image and extract additional data.
In 2016, Zhang et al. [21] first proposed a separable EIRDH-P algorithm, which combines wet paper code (WPC) [22] with Paillier homomorphic encryption. Zhang’s method vacates room by histogram shrinking and uses WPC to embed additional data. Xiang et al. [23] proposed a RDH-EI algorithm based on mirroring ciphertext groups (MCGs) by using the homomorphic and probabilistic characteristics of the Paillier cryptosystem. In summary, using the homomorphic characteristics of public key cryptography for RDH-EI is the latest research hotspot, which we call reversible data hiding in homomorphic encrypted image (RDH-HEI). This paper proposes a RDH-HEI scheme based on EC-EG. Firstly, the cover image is segmented. The square grid pixel group randomly selected by the image owner has one reference pixel and eight target pixels. The n LSBs of the reference pixel and all bits of the target pixels are self-embedded into other parts of the image by a method of predictive error expansion (PEE). To avoid overflowing when embedding data, the n LSBs of the reference pixel are reset to zero before encryption. Then, the pixel values of the image are encrypted after encoded onto the points of the elliptic curve. The encrypted reference pixel replaces the encrypted target pixels surrounding it, thereby constructing the mirror central ciphertext (MCC). In a set of MCC, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts, while the reference pixel remains unchanged. The receiver can achieve separation of additional data extraction from cover-image recovery, additional data extraction without any errors, and reversibility completely.
The rest of this paper is organized as follows. Section 2 briefly describes homomorphic EC-EG cryptosystem, its properties and reviews predictive error expansion for reversible data hiding in the plain domain. Implementation of the proposed RDH-HEI scheme is elaborated in Section 3. Simulation experiment and theoretical analysis are presented in Section 4. Finally, the conclusion is drawn in Section 5. It is important to note that a preliminary version [24] of this paper is in proceedings of the “11th Intelligent Networking and Collaborative Systems (INCoS-2019)”.

2. Related Knowledge

2.1. Elliptic Curve

The image trajectory of elliptic curve is not an ellipse, but a cubic curve on a plane. However, it is a problem that people find when studying the arc length of an ellipse.
Definition 1.
Elliptic curve is a plane curve determined by the cubic Weierstrass equation:
y 2 + a x y + b y = x 3 + c x 2 + d x + e
The points on the curve satisfy the equation. If the coefficient is a , b , c , d , e F P , the number of points on the curve is finite, and all the points on the curve plus an artificial infinity point constitute the set E ( F p ) and the number of points in E ( F p ) is recorded as # E ( F P ) ( p + 1 2 p # E ( F P ) p + 1 + 2 p ) .
When constructing a cryptosystem, the following elliptic curve is mainly used:
y 2 = x 3 + a x + b ( x , y , a , b F P )
Figure 1 shows the distribution of points on the elliptic curve when a = 4 , b = 20 , p = 33331 .
Theorem 1.
The set E ( F p ) of points on the elliptic curve forms an Abel group for the addition defined below:
1. 
O + O = O
2. 
( x , y ) E ( F P ) , ( x , y ) + O = ( x , y )
3. 
( x , y ) E ( F P ) , ( x , y ) + ( x , y ) = O
4. 
(addition rule)If ( x 1 , y 1 ) + ( x 2 , y 2 ) = ( x 3 , y 3 ) is satisfied when x 1 x 2 , then
x 3 = λ 2 x 1 x 2 y 3 = λ ( x 1 x 3 ) y 1 , λ = y 2 y 1 x 2 x 1
5. 
(multiple point rule) ( x 1 , y 1 ) E ( F P ) , y 1 0 , If 2 ( x 1 , y 1 ) = ( x 2 , y 2 ) is satisfied, then
x 2 = λ 2 2 x 1 y 2 = λ ( x 1 x 2 ) y 1 , λ = 3 x 1 2 + a 2 y 1

2.2. Elliptic Curve Public Key Cryptography

Elliptic curve discrete logarithm problem (ECDLP) means that x is determined by a given P and Q, that is to say, if P E ( F P ) is the set, then x N makes Q = x P true. The elliptic curve discrete logarithm problem is more difficult to deal with than the discrete logarithm problem on the finite field, and the security is also higher.
Definition 2.
Suppose that E is an elliptic curve and G is a point on E. If n N exists, n G = O is established, then n is said to be the order of point G, where O is the infinity point.
Implementation of elliptic curve ElGamal (EC- EG):
Key generation: Select the base field F p , the elliptic curve E p , and encode the plaintext information m to the point M ( m ) on the curve. Select the generator G (base point) of E p as the public parameter. The user selects the private key s k F P ( s k < n ) and the public key is p k = s k G .
In cryptography, describe an elliptic curve on an F p , commonly used to six parameters: T = ( p , a , b , G , n , h ) (p, a and b are used to determine an elliptic curve, h is the integer part of the number # E ( F P ) of all points on the elliptic curve divided by n). The choice of these parameters directly affects the security of encryption. The parameter values generally require the following conditions to be met:
  • p is of course larger and safer, but the larger is p, the slower is the calculation speed. p is about 200 bits to meet general safety requirements:
  • p n × h ;
  • p t 1 ( mod n ) , 1 t < 20 ;
  • 4 a 3 + 27 b 2 0 ( mod p ) ;
  • n is a prime number; and
  • h 4 .
Encryption: Bob selects a random integer r ( r < n ) and calculates the ciphertext as
C ( m ) = ( C 1 , C 2 ) = ( r G , M ( m ) + r p k )
Decryption: Alice calculates M ( m ) = C 2 s k C 1 to complete the decryption.
Homomorphic addition: After encoding the plaintext ( m 1 , m 2 ) to the two points ( M ( m 1 ) , M ( m 2 ) ) on E p , the ciphertext is calculated according to Equation (6) using random integer ( r 1 , r 2 ) .
C ( m 1 ) = ( C 11 , C 21 ) = ( r 1 G , M ( m 1 ) + r 1 p k ) C ( m 2 ) = ( C 12 , C 22 ) = ( r 2 G , M ( m 2 ) + r 2 p k )
According to p k = s k G in Key generation, the homomorphic addition can be expressed as
C ( m 1 ) + C ( m 2 ) = C 21 + C 22 s k C 11 s k C 12 = M ( m 1 ) + r 1 p k + M ( m 2 ) + r 2 p k r 1 s k G r 2 s k G = M ( m 1 ) + M ( m 2 )
That is, the sum of the two ciphertexts is equal to the sum of the plaintexts after decryption.

2.3. Rhombus Pattern Based PEE

The rhombus prediction error extension [25] is to divide the image pixels into overlapping pixel groups. Pixels of a group are further divided into “×” and “•” sets. Pixels of “×” set are used for data embedding and pixels of “•” set are used for prediction. Figure 2 illustrates that a pixel p i , j in the “×” set is predicted by its four neighboring pixels ( p i , j 1 , p i , j + 1 , p i 1 , j , p i + 1 , j ) in the “•” set. The embedding, extraction and recovery procedures are given as follows.

2.3.1. The Embedding Procedure

The predicted value p i , j is the average of four adjacent pixel values of p i , i and is calculated by Equation (8).
p i , j = p i , j 1 + p i , j + 1 + p i 1 , j + p i + 1 , j 4
The prediction error e i , j is the difference between the original pixel p i , j and the predicted value p i , j and is calculated by Equation (9).
e i , j = p i , j p i , j
The difference expansion method [26] is employed to expand the prediction error e i , j for data embedding. Equation (10) is used for PEE.
e i , j = 2 × e i , j + b
where e i , j is the modified prediction error after data embedding and b is one bit of the message to be embedded. Thus, each group can embed one bit of information. The modified pixel value P i , j after data embedding is calculated by Equation (11).
P i , j = e i , j + p i , j

2.3.2. Overflow or Underflow Processing

The PEE data embedding may cause overflow or underflow. L _ m a p can be used to avoid embedding into pixels that cause overflow or underflow. Substituting p i , j from Equation (9) and e i , j from Equation (10) into Equation (11), we get
P i , j = e i , j + p i , j + b
According to Equation (12), it is clear that pixels that do not cause overflow or underflow satisfy the condition in Equation (13).
0 e i , j + p i , j 254
The L _ m a p to record the positions of invalid groups can be created by pre-processing the original image. Each group of the original image is checked for Equation (13) and records the row and column binary data of invalid groups. The L _ m a p is compressed and then self-embedded into to the image.

2.3.3. Extraction and Recovery Procedures

The extraction procedure is the inverse of the embedding procedure. Since the “•” pixels do not change, the receiver has the same predicted pixel value p i , j of “×” pixels as the image owner. Given the modified pixel value P i , j and the modified prediction error e i , j , Equation (14) is used to calculate which additional data have been embedded.
e i , j = P i , j p i , j
Then, the embedded information is calculated by Equation (15).
b = e i , j mod 2
Equation (16) is used for calculating the original prediction error e i , j .
e i , j = e i , j 2
Finally, the original pixel value p i , j is recovered as
p i , j = p i , j + e i , j

3. Proposed Scheme

3.1. Overall Framework of the Proposed Scheme

The overall framework of RDH-HEI based on EC-EG is shown in Figure 3. Firstly, the image is divided into non-overlapping A , B , C , and then the space is reserved by the PEE algorithm. The image owner encodes the pixel values of image onto the points of the elliptic curve. Finally, the MCC is constructed after encrypting image with the public key p k . The data hider divides the encrypted image into non-overlapping A E , B E , C E in the same way as the image owner, scrambles the additional data with the hidden key k 2 and then encrypts it with p k . Finally, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts. The addition operation embeds the encrypted additional data into the lower n bits of the target pixel. When the receiver owns the private key s k and the hidden key k 2 of the data hider, the homomorphic subtraction in ciphertexts is used to extract the encrypted information, which is then decrypted by s k and the additional data are restored by k 2 . When the receiver only has the private key s k of the image owner, a directly decrypted image containing additional data can be obtained. When has the private key s k , the self-embedded key k 1 , and the hidden key k 2 , the receiver can extract additional data after decryption and restore the cover image losslessly.

3.2. Room Reserving

3.2.1. Image Partition

Before the cover image is segmented, the pixel values of the image must be encoded to the points of the elliptic curve. Then, it can be encrypted using EC-EG. The grayscale image has a pixel value between 0 and 255. It is necessary to map the pixel values one by one to the points on the elliptic curve. The image owner divides the cover image into three non-overlapping blocks A , B , C , as shown in Figure 4.

3.2.2. Self-Reversible Embedding

Self-reversible embedding is to embed all bits of the target pixels in A, n LSBs of the reference pixels in A and the LSB in B into C through the PEE algorithm. A r _ m a p is the set of locations of reference pixels in A, and the image owner sends n and A r _ m a p as shared parameters to the data hider and receiver. More importantly, L _ m a p is scrambled by the self-embedding key k 1 , and is embedded into B by replacing the LSB for data extraction and image recovery to achieve complete reversibility.

3.2.3. Vacating Room

After self-reversible embedding, all bits of the target pixels P t and n LSBs of the reference pixels p r are saved in C. The image owner sets n LSBs of the reference pixels P r to zero, and then the additional data are embedded into n LSBs of the target pixels P t that have been set to zero by homomorphic addition in ciphertexts. This operation can also avoid overflow when embedding data into the encrypted domain. Figure 5 describes the proposed scheme more intuitively.

3.3. Image Encryption

After vacating room, the image owner randomly selects an integer r i , j , i = 1 , 2 , , M , j = 1 , 2 , , N for each pixel p i , j , and encrypts the image with the public key p k to obtain the ciphertexts.
M ( C P i , j ) = ( C 1 i , j , C 2 i , j ) = ( r i , j G , M ( P i , j ) + r i , j p k )

3.4. Construction of Mirroring Central Ciphertext

As shown in Figure 5, the image owner constructs the MCC by replacing the ciphertexts of the target pixels with the ciphertext of the reference pixel, which is C t = C r . In a square grid, all target pixels become mirror of the reference pixel. All target pixels have the same ciphertext and the n LSBs that have been set to zero as the reference pixels.

3.5. Data Hiding

The data hider first scrambles the extra information with the hidden key k 2 . Then, it groups the scrambled additional data w, and each group has n bits, which is recorded as w 0 , w 1 , , w n 1 . From this, the decimal value of each dataset can be calculated as:
S w = i = 0 n 1 w i × 2 i , ( S w = 0 , 1 , , 2 n 1 )
To enhance confidentiality, the data hider can choose a random integer r S w ( r S w < n ) for each S w and encrypt it with EC-EG to get the ciphertext C S w .
M ( c S w ) = ( r S w G , M ( S w ) + r S w p k )
According to the method of room reserving, the encrypted image is divided into non-overlapping A E , B E , C E . The data hider embeds additional data into the encrypted domain as following:
M ( c t ) = M ( c t ) + M ( c S w ) = ( r t G , M ( t ) + r t p k ) + ( r S w G , M ( S w ) + r S w p k ) = M ( t ) + r t p k + M ( S w ) + r S w p k s k r t G s k r S w G = M ( t ) + M ( S w )
Among them, c t is the encrypted target pixel with hidden data. Suppose that a group contains 3 bits of data, which are n = 3 , ( w 0 w 1 w 2 ) = ( 100 ) . Then, we can calculate S w = 1 , c S w = E ( 1 , r S w ) . As shown in Figure 5e, the data hider performs homomorphic addition in ciphertexts to embed 3 bits of additional data into the corresponding M C C [ c t = E ( 160 , r r ) , c r = E ( 160 , r r ) ] , and then obtains the corresponding c t = E ( 161 , r S w + r r ) .

3.6. Data Extraction

3.6.1. Extract the Embedded Data from Encrypted Image

As shown in Figure 5h,i, when having the shared parameter n, A r _ m a p , the private key s k and the hidden key k 2 , the receiver extracts additional data from the received encrypted image with hidden data by using homomorphic subtraction in ciphertexts. The steps are as follows:
Step 1. The received image is divided into blocks in the same way as the process of room reserving. As shown in Figure 5e, the legal receiver extracts the square grid with hidden data.
Step 2. In the MCC, the encrypted target pixels with hidden data are M ( c t ) = M ( c r ) + M ( c S w ) . M ( C S w ) is extracted by the homomorphic subtraction, which is M ( c S w ) = M ( c t ) M ( c r ) .
Step 3. Use M ( S w ) = M ( c S w ) + r S w p k s k r S w G to decrypt M ( C S w ) to M ( S w ) and decode to get S w .
Step 4. The receiver can use w i = S w 2 i , i = 0 , 1 , , n 1 to get w 0 , w 1 , , w n 1 , and then use the hidden key k 2 to perform scrambling recovery. Finally, we can extract additional data.

3.6.2. Extract the Embedded Data from Decrypted Image

As shown in Figure 5f,g, when the receiver only has the private key s k of the image owner, a directly decrypted image with hidden data is obtained from M ( P i , j ) = M ( C i , j ) + r i , j p k s k r i , j G , where C i , j is the ciphertexts with hidden data and P i , j is the corresponding plaintexts with hidden data. According to the method of room reserving, the directly decrypted image is divided into three parts of A D , B D , C D , and M ( S w ) = M ( P t ) M ( P r ) can be obtained by plaintext subtraction in the target pixel pair of the square grid, where P t and P r are the target pixels and reference pixels in the directly decrypted image, respectively. Finally, we can obtain additional data with the method in Steps 3 and 4 in Section 3.6.1.

3.7. Image Restoration

When the receiver has the private key s k , a self-embedded key k 1 and the hidden key k 2 , additional data can be extracted after decryption and the original image can be restored. The directly decrypted image is obtained by decrypting with the private key s k , and the directly decrypted image is divided into three parts of A D , B D , C D according to the method of room reserving. Since the additional data are hidden in P t of A D , the hidden key k 2 can be used for scrambling recovery after the additional data are extracted. The receiver extracts self-embedded data from B D and C D to restore the original image.
L _ m a p is extracted from the LSB of B D , and the self-embedded key k 1 is used to scrambling recovery. Finally, according to the extraction step of the PEE, all the self-embedded data can be extracted from C D and the data extracted from C D is used to complete the recovery of the A D . The original image of reversible recovery has thus been obtained.

4. Simulation Experiment and Theoretical Analysis

4.1. Analysis of Embedded Capacity and PSNR

The 8-bit gray-scale images of 512 × 512 size were selected in the experiment conducted by Java8 and MATLAB R2015b. Peak signal-to-noise ratio (PSNR) was calculated by Equation (22), which is the most commonly used criterion for evaluating image quality after embedding data.
P S N R = 10 × log 10 255 2 M S E
MSE is the mean square error between the cover image and the embedded image.
M S E = 1 M × N i = 0 M 1 j = 0 N 1 p ( i , j ) c ( i , j ) 2
where M × N denotes the size of the image, p ( i , j ) denotes pixel value of the cover image and c ( i , j ) denotes pixel value of the embedded image. Through the size of PSNR value, we can clearly know whether the image with hidden data will be observed by the naked eye. Table 1 shows the embedding capacity and PSNR values of the Lena image under different n. Under the same embedding capacity, the PSNR value increases correspondingly with the increase of n. However, when n = 4, the PSNR value of the image is instead decreased because the distortion introduced by constructing the MCC becomes large. Table 2 shows the PSNR values and embedding capacities of the four images with the optimal parameter n = 3 . Moreover, the maximum size of images’ L _ m a p is shown in Table 3. Different stages of Lena, F-16, Man and Hill images using the proposed scheme are shown in Figure 6.

4.2. Performance Comparison

Currently, reversible data hiding in homomorphic encrypted image mostly utilizes the Paillier cryptosystem. Table 4 summarizes some of the literature on the reversible data hiding in encrypted image using homomorphic property. Li et al. [27], using VRAE; our scheme; and Xiang et al. [23], using VRBE, could keep the amount of data transmitted unchanged. All of the algorithms in Table 4 have separable properties. In our proposed scheme, after the space is reserved and encrypted, the MCC is constructed. The extra information is embedded into the bit plane of the corresponding plaintext by homomorphic addition. The receiver extracts extra information by homomorphic subtraction in ciphertexts. Zhang et al. [21] used WPC coding to perform two information embedding. The computational complexity is O ( k 3 ) and k is the embedded capacity. Our algorithm and the one in [27] use homomorphic addition in ciphertexts to embed information. Xiang et al. [23] used Homomorphic multiplication in ciphertexts to embed information. The computational complexity of them is O ( k ) .
Zhang et al. [21] combined WPC coding and Paillier homomorphic encryption to embed additional information into the corresponding bit plane of the ciphertext. In the encrypted domain, the embedded information is protected by the WPC encoding mechanism, and the receiver cannot extract the embedded information without the key. However, when the receiver receives the ciphertext image, the same method can be used to forge the information, and the original embedded information may be overwritten or replaced. Xiang et al. [23] used the homomorphic and probabilistic properties of Paillier encryption to protect the embedded extra information. In [27], a high-capacity RDH-HEI algorithm is proposed by using the SHE homomorphism. The image owner divides the image pixels into groups of three, and then encrypts them with SHE, and the ciphertext expansion is small. The data hider sorts the absolute differences of each set of ciphertext pixels and generates an absolute difference histogram, embedding additional data by moving the ciphertext absolute difference histogram. The proposed scheme uses the homomorphic addition feature of EC-EG to protect the embedded extra information. When there is no shared parameter, the receiver cannot find the ciphertext embedded with the information, let alone extract, tamper or replace the additional information.
Figure 7 shows the PSNR performance comparison between the proposed scheme and the ones in [21,23,27]. The method in [27], the data are first embedded into the pixel position close to the peak. The method is that three encrypted adjacent pixels are selected as a group, and each group calculates two absolute differences, which are sorted according to the sum of two absolute differences of each group. The image distortion is reduced, thus its performance is generally higher than the scheme in our paper. The method in [21] uses the histogram shrinking to reserve the embedding space. However, the distortion caused by this method increases with the increase of the embedding capacity. The method in [23] is the same as the one in [21]. As the embedding capacity increases, the number of histogram shifts increases when the data are self-embedded. In addition, the distortion introduced by constructing MCGs is also getting larger and larger, which leads to faster performance degradation of the algorithm. In general, the performance of our scheme is better than the one in [21,23] when the embedded capacity is high.

4.3. Analysis of Security

On the one hand, the additional data after encryption are embedded in the bit plane of the target pixel and are protected by the EC-EG homomorphic property. On the other hand, in the existing public key cryptosystem, the one with the highest encryption strength per bit is the difficulty of the ECC math problem, thus it is safe to encrypt images with EC-EG compared to using Paillier to encrypt images. At present, the method to attack the discrete logarithm problem on ECC is only the baby step giant step (BSGS), and its computational complexity is O ( exp ( log P max ) ) . P m a x is the maximum prime factor of the order of the exchange group composed of ECC. At the same time, different elliptic curves can be obtained by changing the parameters. Therefore, ECC has a rich group structure and multiple selectivity, and can be flexibly applied.
To verify the theoretical security of EC-EG encryption, the method of statistical analysis can test the anti-attack performance of encryption algorithm in chaos and diffusion from different angles. For this reason, we specify it from three aspects: histogram analysis of encrypted image, correlation analysis of adjacent pixels and information entropy analysis [28].

4.3.1. Histogram Analysis of Encrypted Image

The histogram of the encrypted image should be uniformly distributed, which is obviously different from the histogram of the original image. In mathematical calculation, the variance of encrypted image is much smaller than that of original image. If h i s t i ( i = 0 , 1 , , 255 ) represents the histogram of an image, the equation for calculating the variance is:
S = 1 256 i = 0 255 ( h i s t i 1 256 i = 0 255 h i s t i )
The histograms and variances of the images in Figure 6a,b,f,g,k,l,p,q are shown in Figure 8, in which the histogram of the encrypted image is evenly distributed.

4.3.2. Correlation Analysis of Adjacent Pixels

To test the correlation of two pixels that are vertically adjacent, horizontally adjacent, and diagonally adjacent, the following test was performed. In order not to lose generality, we used a random function to select any 1000 pairs of adjacent pixels in the image. The correlation coefficient of the original image should be close to 1, and the correlation coefficient of the encrypted image should be much smaller than 1, indicating that the correlation between the cover image and the encrypted image is completely separated. The correlation coefficient ( r x y [ 1 , 1 ] ) (−1 indicates a negative correlation, and 1 indicates a positive correlation) of the adjacent pixels of the image is:
r x y = cov ( x , y ) D ( x ) D ( y )
In Equation (25),
E ( x ) = 1 N i = 1 N x i D ( x ) = 1 N 1 i = 1 N ( x i E ( x ) ) cov ( x , y ) = 1 N 1 i = 1 N ( x i E ( x ) ) ( y i E ( y ) )
In the above equation, the gray values of two adjacent pixels of the image are represented by x and y, respectively. Table 5 shows adjacent pixel correlation coefficients of the images in Figure 6a,b. The adjacent pixel correlation of the encrypted image is much smaller than the original image. Besides, horizontal adjacent pixel correlation scatter plot of the images in Figure 6a,b,f,g,k,l,p,q are draw in Figure 9. The pixels of the encrypted image exhibit irregular characteristics.

4.3.3. Information Entropy Analysis

If there is L kinds of gray values m i ( i = 0 , 1 , , L 1 ) in an image, and the probability of occurrence of each gray value is p ( m i ) ( i = 0 , 1 , , L 1 ) , according to the theorem of Shannon, the information amount of the image is
H ( m ) = i = 0 L 1 p ( m i ) log 2 p ( m i ) , i = 0 L 1 p ( m i ) = 1
where H is the information entropy of an image. When the probability of occurrence of each gray value in the image is equal, the information entropy of the image is the largest, and the information entropy indicates how much information is contained in one image.
The information entropy of the image can measure the distribution of the gray value. The result shows that the larger is the information entropy, the more consistent is the gray distribution. For an ideal random image, the information entropy is equal to 8. In Table 6, the experimental results confirm the conclusion of theoretical analysis. Below, we briefly prove it.
Theorem 2.
For information entropy H, there is H ( m ) 8 .
Proof of Theorem 2. 
The known power mean inequality is
a 0 p 0 a 1 p 1 a L 1 p L 1 p 0 a 0 + p 1 a 1 + + p L 1 a L 1
In the inequality in Equation (28), the range of p i is 0 < p i < 1 ( i = 0 , 1 , , L 1 ) , and satisfies Equation (29).
i = 0 L 1 p ( m i ) = 1
If and only if a 0 = a 1 = = a L 1 is established, the equal sign in the inequality in Equation (28) is established. When p i = 1 / L ( i = 0 , 1 , , L 1 ) , the following geometric-arithmetic mean inequality is obtained from Equation (28).
a 0 a 1 a L 1 L a 0 + a 1 + + a L 1 L
According to the logarithmic nature of Equation (27), we can calculate the following.
H ( m ) = i = 0 L 1 log 2 ( 1 p ( m i ) ) p ( m i ) = log 2 ( 1 p ( m 0 ) ) p ( m 0 ) log 2 ( 1 p ( m 1 ) ) p ( m 1 ) log 2 ( 1 p ( m L 1 ) ) p ( m L 1 )
Then, we apply Equation (28) to Equation (31).
H ( m ) log 2 p ( m 0 ) × 1 p ( m 0 ) + p ( m 1 ) × 1 p ( m 1 ) + + p ( m L 1 ) × 1 p ( m L 1 ) = log 2 L
When the gray level L = 256 = 2 8 , Theorem 2 is established. According to i = 0 L 1 p ( m i ) = 1 and a 0 = a 1 = = a L 1 , the equal sign in Theorem 2 is established at p ( m i ) = 1 / 256 ( i = 0 , 1 , , 255 ) . □

5. Conclusions

The scheme in this paper uses the method of constructing MCC after EC-EG encryption to perform reversible data hiding in encrypted image. The scheme realizes the separation of additional data extraction and cover image restoration, and improves the embedding capacity under the premise of completely recovering the cover image. The experimental results show that the PSNR value of the scheme is improved in the image due to the self-embedded data by PEE algorithm. The main contributions of this paper can be summarized as follows:
  • A novel method of reversible data hiding in homomorphic encrypted image based on EC-EG is proposed.
  • By constructing MCC, the embedded capacity is improved.
  • By performing histogram analysis of encrypted image, correlation analysis of adjacent pixels and information entropy analysis, we proved the statistical security of the encryption scheme in this paper.
  • However, the method of vacating room before encryption increases the risk of plaintext leakage. Therefore, it should be improved in the future to be a reversible data hiding scheme in homomorphic encrypted image that does not require preprocessing of plaintext.

Author Contributions

Conceptualization, N.Z. and M.Z.; methodology, N.Z.; software, H.W.; validation, M.L.; formal analysis, Y.K.; investigation, N.Z. and M.L.; resources, M.Z.; data curation, N.Z. and H.W.; writing—original draft preparation, N.Z.; writing—review and editing, M.Z. and X.A.W.; visualization, H.W.; supervision, M.Z. and X.A.W.; project administration, M.Z. and X.A.W.; funding acquisition, M.Z. and X.A.W.

Funding

This research was funded by National Natural Science Foundation of China under grant number 61872384, 61772550, U1636114, and 61572521, National Cryptography Development Fund of China under grant number MMJJ20170112, Natural Science Basic Research Plan in Shaanxi Province of China under grant number 2018JM6028, and National Key Research and Development Program of China under grant number 2017YFB0802000.

Acknowledgments

The authors gratefully acknowledge the helpful comments and suggestions of the reviewers.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Abdallah, E.E.; Hamza, A.B.; Bhattacharya, P. MPEG video watermarking using tensor singular value decomposition. In Image Analysis & Recognition, Proceedings of the International Conference, ICIAR, Montreal, QC, Canada, 22–24 August 2007; Springer: Berlin, Germany, 2007. [Google Scholar] [CrossRef]
  2. Abdallah, E.E.; Hamza, A.B.; Bhattacharya, P. Video watermarking using wavelet transform and tensor algebra. Signal Image Video Process. 2010, 4, 233–245. [Google Scholar] [CrossRef]
  3. Yu, X.Y.; Wang, C.Y.; Zhou, X. A survey on robust video watermarking algorithms for copyright protection. Appl. Sci. 2018, 8, 1891. [Google Scholar] [CrossRef]
  4. Ke, Y.; Zhang, M.Q.; Su, T.T. A novel multiple bits reversible data hiding in encrypted domain based on R-LWE. J. Comput. Res. Dev. 2016, 53, 2307–2322. [Google Scholar]
  5. BARTON. Method and Apparatus for Embedding Authentication Information within Digital Data. U.S. Patent 5646997, 8 July 1997.
  6. Fridrich, J.; Goljan, M.; Du, R. Lossless data embedding-new paradigm in digital watermarking. Eur. Assoc. Signal Process 2002, 2002, 185–196. [Google Scholar] [CrossRef]
  7. Celik, M.; Sharma, G.; Tekalp, A. Lossless generalized–LSB data embedding. IEEE Trans. Image Process. 2005, 14, 253–266. [Google Scholar] [CrossRef] [PubMed]
  8. Kim, H.J.; Sachnev, V.; Shi, Y.Q. A novel difference expansion transform for reversible data embedding. IEEE Trans. Inf. Forensics Secur. 2008, 4, 456–465. [Google Scholar]
  9. Thodi, D.M.; Rodriguez, J.J. Expansion embedding techniques for reversible watermarking. IEEE Trans. Image Process 2007, 16, 721–730. [Google Scholar] [CrossRef]
  10. Ni, Z.; Shi, Y.Q.; Ansari, N.; Su, W. Reversible data hiding. IEEE Trans. Circuits Syst. Video Technol. 2006, 16, 354–362. [Google Scholar]
  11. Lee, S.K.; Suh, Y.H.; Ho, Y.S. Reversible image authentication based on watermarking. In Proceedings of the 2006 IEEE International Conference on Multimedia and Expo, Toronto, ON, Canada, 9–12 July 2006; pp. 1321–1324. [Google Scholar]
  12. Zhang, X.P. Reversible data hiding in encrypted image. IEEE Signal Process. Lett. 2011, 18, 255–258. [Google Scholar] [CrossRef]
  13. Hong, W.; Chen, T.S.; Wu, H.Y. An improved reversible data hiding in encrypted images using side match. IEEE Signal Process. Lett. 2012, 19, 199–202. [Google Scholar] [CrossRef]
  14. Hong, W.; Chen, T.S.; Chen, J. Reversible data embedment for encrypted cartoon images using unbalanced bit flipping. In International Conference in Swarm Intelligence; Springer: London, UK, 2013; pp. 208–214. [Google Scholar]
  15. Zhang, X.P. Separable reversible data hiding in encrypted image. IEEE Trans. Inf. Forensics Secur. 2012, 7, 826–832. [Google Scholar] [CrossRef]
  16. Ma, K.D.; Zhang, W.M.; Zhao, X.F. Reversible data hiding in encrypted images by reserving room before encryption. IEEE Trans. Inf. Forensics Secur. 2013, 8, 553–562. [Google Scholar] [CrossRef]
  17. Zhang, W.M.; Ma, K.D.; Yu, N.H. Reversibility improved data hiding in encrypted images. Signal Process. 2014, 94, 118–127. [Google Scholar] [CrossRef]
  18. Chen, Y.C.; Shiu, C.W.; Horng, G. Encrypted signal-based reversible data hiding with public key cryptosystem. J. Vis. Commun. Image Represent. 2014, 25, 1164–1170. [Google Scholar] [CrossRef]
  19. Shiu, C.W.; Chen, Y.C.; Hong, W. Encrypted image-based reversible data hiding with public key cryptography from difference expansion. Signal Process. Image Commun. 2015, 39, 226–233. [Google Scholar] [CrossRef]
  20. Wu, X.T.; Chen, B.; Weng, J. Reversible data hiding for encrypted signals by homomorphic encryption and signal energy transfer. J. Vis. Commun. Image Represent. 2016, 41, 58–64. [Google Scholar] [CrossRef]
  21. Zhang, X.P.; Long, J.; Wang, Z.C. Lossless and reversible data hiding in encrypted images with public-key cryptography. IEEE Trans. Circuits Syst. Video Technol. 2016, 26, 1622–1631. [Google Scholar] [CrossRef]
  22. Fridrich, J.; Goljan, M.; Lisonek, P. Writing on wet paper. IEEE Trans. Signal Process. 2005, 53, 3923–3935. [Google Scholar] [CrossRef]
  23. Xiang, S.J.; Luo, X.R. Reversible data hiding in homomorphic encrypted domain by mirroring ciphertext group. IEEE Trans. Circuits Syst. Video Technol. 2017, 10, 1051–1062. [Google Scholar] [CrossRef]
  24. Zhou, N.; Wang, H.; Liu, M.M. Reversible data hiding algorithm in homomorphic encrypted domain based on EC-EG. In Intelligent Networking and Collaborative Systems; Springer: Berlin, Germany, 2019. [Google Scholar]
  25. Sachnev, V.; Kim, H.J.; Nam, J. Reversible watermarking algorithm using sorting and prediction. IEEE Trans. Circuits Syst. Video Technol. 2009, 19, 989–999. [Google Scholar] [CrossRef]
  26. Tian, J. Reversible data embedding using a difference expansion. IEEE Trans. Circuits Syst. Video Technol. 2003, 13, 890–896. [Google Scholar] [CrossRef] [Green Version]
  27. Li, Z.X.; Dong, D.P.; Xia, Z.H. High-capacity reversible data hiding for encrypted multimedia data with somewhat homomorphic encryption. IEEE Access 2018, 6, 60635–60644. [Google Scholar]
  28. Sun, X.H. Image Encryption Algorithms and Practices with Implementations in C#; Science Press: Beijing, China, 2013. [Google Scholar]
Figure 1. Distribution of points on an elliptic curve.
Figure 1. Distribution of points on an elliptic curve.
Applsci 09 02910 g001
Figure 2. Pixel prediction procedure for a group.
Figure 2. Pixel prediction procedure for a group.
Applsci 09 02910 g002
Figure 3. Overall framework of the proposed scheme.
Figure 3. Overall framework of the proposed scheme.
Applsci 09 02910 g003
Figure 4. Image partition and self-reversible embedding.
Figure 4. Image partition and self-reversible embedding.
Applsci 09 02910 g004
Figure 5. n = 3 is used as an example to illustrate the program flow.
Figure 5. n = 3 is used as an example to illustrate the program flow.
Applsci 09 02910 g005
Figure 6. Different stages of images Lena, F-16, Man and Hill with 4095 bits of hidden data under n = 3 and PSNR values of the Directly decrypted image are 54.719 dB, 44.913 dB, 47.637 dB and 54.526 dB, respectively: (a) Lena’s original image; (b) Lena’s encrypted image; (c) Lena’s encrypted image with hidden data; (d) Lena’s directly decrypted image; (e) Lena’s restored image without loss; (f) F-16’s original image; (g) F-16’s encrypted image; (h) F-16’s encrypted image with hidden data; (i) F-16’s directly decrypted image; (j) F-16’s restored image without loss; (k) Man’s original image; (l) Man’s encrypted image; (m) Man’s encrypted image with hidden data; (n) Man’s directly decrypted image; (o) Man’s restored image without loss; (p) Hill’s original image; (q) Hill’s encrypted image; (r) Hill’s encrypted image with hidden data; (s) Hill’s directly decrypted image; and (t) Hill’s restored image without loss.
Figure 6. Different stages of images Lena, F-16, Man and Hill with 4095 bits of hidden data under n = 3 and PSNR values of the Directly decrypted image are 54.719 dB, 44.913 dB, 47.637 dB and 54.526 dB, respectively: (a) Lena’s original image; (b) Lena’s encrypted image; (c) Lena’s encrypted image with hidden data; (d) Lena’s directly decrypted image; (e) Lena’s restored image without loss; (f) F-16’s original image; (g) F-16’s encrypted image; (h) F-16’s encrypted image with hidden data; (i) F-16’s directly decrypted image; (j) F-16’s restored image without loss; (k) Man’s original image; (l) Man’s encrypted image; (m) Man’s encrypted image with hidden data; (n) Man’s directly decrypted image; (o) Man’s restored image without loss; (p) Hill’s original image; (q) Hill’s encrypted image; (r) Hill’s encrypted image with hidden data; (s) Hill’s directly decrypted image; and (t) Hill’s restored image without loss.
Applsci 09 02910 g006
Figure 7. PSNR performance comparison.
Figure 7. PSNR performance comparison.
Applsci 09 02910 g007
Figure 8. The histograms and variances of the images in Figure 6a,b,f,g,k,l,p,q.
Figure 8. The histograms and variances of the images in Figure 6a,b,f,g,k,l,p,q.
Applsci 09 02910 g008
Figure 9. Horizontal adjacent pixel correlation scatter plot of the images in Figure 6a,b,f,g,k,l,p,q.
Figure 9. Horizontal adjacent pixel correlation scatter plot of the images in Figure 6a,b,f,g,k,l,p,q.
Applsci 09 02910 g009
Table 1. Embedding capacity and PSNR values under different n.
Table 1. Embedding capacity and PSNR values under different n.
Embedding Capacity (bits)PSNR (dB)
n = 1n = 2n = 3n = 4
Lena409551.68153.44854.71945.353
819048.76551.1351.78643.472
12,28546.99349.02249.61841.04
16,38045.65848.01248.3240.132
24,57043.03445.68445.88537.97
32,76040.8244.30144.45636.384
36,85539.98343.63443.9235.609
49,14038.21942.0942.66734.353
65,52035.82940.0341.14632.611
Table 2. Embedding capacity and PSNR values under n = 3 .
Table 2. Embedding capacity and PSNR values under n = 3 .
Embedding Capacity (bits)PSNR (dB)
LenaF-16ManHill
409554.71944.91347.63754.526
819051.78643.71544.15850.866
12,28549.61842.89642.48648.695
16,38048.3242.1241.42246.843
24,57045.88540.95640.27744.61
32,76044.45639.95639.3142.919
36,85543.9239.57438.89742.353
49,14042.66738.59937.7340.561
65,52041.14637.72736.52739.135
Table 3. Maximum size of images’ L _ m a p .
Table 3. Maximum size of images’ L _ m a p .
Image(bits)
Lena33
F-16670
Man755
Hill128
Table 4. Performance comparison of RDH-HEI.
Table 4. Performance comparison of RDH-HEI.
LiteratureFeatures
SeparableComputational Complexity of Data HidingProtection Mechanism of the Hidden Data
Method in [21]Yes O ( k 3 ) WPC mechanism
Homomorphic and probabilistic
Method in [23]Yes O ( k ) Mechanism of Paillier
Method in [27]Yes O ( k ) SHE(R-LWE-based)
Homomorphic Mechanism
The proposed schemeYes O ( k ) of EC-EG
Table 5. Adjacent pixel correlation coefficients of the images in Figure 6a,b.
Table 5. Adjacent pixel correlation coefficients of the images in Figure 6a,b.
ImageAdjacent Pixel Correlation Coefficients
HorizontalVerticalDiagonal
(a) Original image0.9620.9750.947
0.9720.9740.942
0.9590.9720.94
0.960.980.941
(b) Encrypted image0.056−0.041−0.012
−0.019−0.034−0.089
−0.05−0.0060.02
−0.009−0.0420.023
Table 6. Information entropy of cover image and encrypted image.
Table 6. Information entropy of cover image and encrypted image.
ImageInformation Entropy
Cover ImageEncrypted Image
Lena7.445 0757.999 386
F-166.705 8887.999 290
Man7.192 5887.999 236
Hill7.094 8697.999 246

Share and Cite

MDPI and ACS Style

Zhou, N.; Zhang, M.; Wang, H.; Liu, M.; Ke, Y.; Wang, X.A. Reversible Data Hiding Scheme in Homomorphic Encrypted Image Based on EC-EG. Appl. Sci. 2019, 9, 2910. https://doi.org/10.3390/app9142910

AMA Style

Zhou N, Zhang M, Wang H, Liu M, Ke Y, Wang XA. Reversible Data Hiding Scheme in Homomorphic Encrypted Image Based on EC-EG. Applied Sciences. 2019; 9(14):2910. https://doi.org/10.3390/app9142910

Chicago/Turabian Style

Zhou, Neng, Minqing Zhang, Han Wang, Mengmeng Liu, Yan Ke, and Xu An Wang. 2019. "Reversible Data Hiding Scheme in Homomorphic Encrypted Image Based on EC-EG" Applied Sciences 9, no. 14: 2910. https://doi.org/10.3390/app9142910

APA Style

Zhou, N., Zhang, M., Wang, H., Liu, M., Ke, Y., & Wang, X. A. (2019). Reversible Data Hiding Scheme in Homomorphic Encrypted Image Based on EC-EG. Applied Sciences, 9(14), 2910. https://doi.org/10.3390/app9142910

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop