A Hierarchical Authorization Reversible Data Hiding in Encrypted Image Based on Secret Sharing

Abstract

In the current distributed environment, reversible data hiding in encrypted domain (RDH-ED) cannot grant corresponding privileges according to users’ identity classes. To address this issue, this paper proposes a hierarchical authorization structure embedding scheme based on secret image sharing (SIS) and users’ hierarchical identities. In the first embedding, the polynomial coefficient redundancy generated in the encryption process of the SIS is utilized by the image owner. For the second, the participants are categorized into two parts. One is core users with adaptive difference reservation embedding, and the other is ordinary users with pixel bit replacement embedding. At the time of reconstruction, more than one core user must provide pixel differences, which grants more privileges to core users. The experimental results demonstrate that the average embedding rate (ER) of the test images is 4.3333 bits per pixel (bpp) in the (3, 4) threshold scheme. Additionally, the reconstructed image achieves a PSNR of +∞ and an SSIM of 1. Compared to existing high-performance RDH-ED schemes based on secret sharing, the proposed scheme with a larger ER maintains strong security and reversibility. Moreover, it is also suitable for multiple embeddings involving multilevel participant identities. In conclusion, the results underscore the efficacy of our technique in achieving both security and performance objectives within a complex distributed setting.

1. Introduction

Reversible data hiding in encrypted domain [1,2,3,4] (RDH-ED) allows for the embedding of additional data into encrypted carriers. RDH-ED has a wide range of applications in covert communication [5], copyright management [6], etc., and thus has attracted the extensive attention of researchers. According to the different sources of redundancy, RDH-ED can be divided into three types: Vacating Room after Encryption (VRAE), Vacating Room before Encryption (VRBE), and Vacating Redundancy in Encryption (VRIE). The VRAE schemes [7,8,9,10,11] embed additional data by modifying encrypted pixels. Since the correlation of the ciphertext is weak, the Shannon entropy is maximized, and the ER is limited. VRBE schemes [12,13,14,15,16] usually embed additional data into the redundancy generated by the correlation of pixels after prediction, compression, and coding. The ER is larger, but the preprocessing is so complicated that the application scenarios are limited. To solve the above problems, Ke et al. first proposed VRIE schemes [17,18], which applied learning with errors (LWEs) by quantifying the encrypted space and utilizing redundancy in the encryption process. VRIE schemes can integrate data hiding and cryptography organically, so that better security, reversibility, and ER can be obtained. However, cryptographic schemes for VRIE are too difficult.

With the wide application of cloud environments [19], designing RDH-ED for distributed scenarios has become a popular research topic. The $\left(k,n\right)$ threshold function of secret sharing [20] (SS) increases its suitability. In the $\left(k,n\right)$ scheme, the secret owner splits secrets into multiple secret shares and distributes them to n different users for management. Then, the receiver collects at least $k$ shares at random to reconstruct the secret. Most existing secret-sharing-class RDH-ED schemes [4,21,22,23,24,25,26] have been developed assuming that all participants hold equal weight and that every shared image possesses identical data hiding capabilities. Nevertheless, in real distributed settings, participants typically vary in their levels of authority, comprising senior executives and regular employees, each with distinct rights and duties. Consequently, the requirements for secret extraction should align with the corresponding privileges and necessities. For instance, within a bank environment, there exist senior managers and ordinary employees with varying privileges, where managers hold greater rights than regular employees. This rigid authorization structure proves inadequate for the dynamic and adaptable demands of multiparty computing scenarios. Therefore, there is a need to devise a hierarchical authorization framework that can cater to the flexible and evolving requirements of applications. Consequently, this paper proposes a hierarchical embedding scheme, which divides all participants into core users and ordinary users, both of which use different embedding methods. In the process of secret extraction and image reconstruction, a certain number of core users must be involved, so the core users are given greater privileges. The major contributions of the proposed scheme are as follows:

• We propose a hierarchical authorization structure RDH-ED for secret sharing through difference preservation. This innovative approach involves classifying participants’ identities into different levels, employing diverse embedding methods, necessitating core users’ participation in secret reconstruction, and granting core users enhanced privileges. These enhancements effectively meet the hierarchical authorization demands of RDH-ED in distributed scenarios.
• A polynomial embedding algorithm is developed for embedding copyright information into polynomial coefficients during secret distribution by the image owner. This functionality enables the authentication of the carrier image, thereby bolstering security and traceability.
• We propose a hierarchical embedding algorithm that segregates participants into core users and ordinary users. Core users utilize adaptive difference reservation embedding, while ordinary users employ pixel bit replacement embedding. This strategy ensures that core users play a pivotal role in secret recovery during reconstruction, elevating their authorization levels.
• Compared with the existing superior RDH-ED, our scheme boasts a higher embedding rate, lower expansion rate, enhanced security, and superior reversibility, showing significant performance enhancements compared to current solutions.

The remainder of this paper is as follows: In Section 2, we introduce the existing pixel difference preservation SIS scheme. Then, we describe the proposed RDHEI-ED scheme based on SIS in detail and provide a specific example for understanding. Section 4 demonstrates the superior performance of the many experiments. Finally, this paper concludes with a summary.

2. Related Works

2.1. Shamir’s (k, n) Secret Sharing

Wu et al. first proposed an RDH-ED scheme [4] based on SS, which made full use of the threshold function. Priyanka et al. [21] used SS to embed extra data into color images. Soon after, Ke et al. [22] proposed an RDH-ED scheme based on the Chinese Remainder Theorem (CRT) and SIS, which obtains better separability, but its embedding rate is low. To solve the problem of the lack of diffusion characteristics in SISs, Hua et al. introduced two RDH-ED schemes [23,24] based on Cipher-Feedback Secret Sharing (CFSS), which solves the problem that the traditional secret-sharing-class RDH-ED cannot resist score reduction attacks, thus improving security. Yu et al. [25] introduce an innovative approach utilizing secret sharing and hybrid encoding. Through the development of an iterative encryption method specific to block-based encryption, the spatial correlation of the original block is meticulously preserved within the encrypted block. This enhancement significantly boosts both the embedding rate and security levels of the system. Qin et al. [26] proposed the RDH-ED scheme on the Galois Field (GF) (p) and GF (2⁸) based on SIS with difference preservation, which retained the same correlation between the original pixels and encrypted pixels. However, the participants needed to preselect thresholds, and abundant blocks were unembedded, so the ER and application scenarios were limited.

2.2. SIS Based on Pixel Difference Preservation

Shamir first proposed a $\left(k,n\right)$ secret sharing scheme [20] based on Lagrange interpolating polynomials.

Theorem 1.

For any $k$ different $\left(x_i,F\left(x_i\right)\right)$, $i=1,2,\dots ,n$, can be used to reconstruct a $k-1$ degree polynomial uniquely via Equation (1):

$$F(x)={\displaystyle \sum _{i=1}^{k}F}(x_i){\displaystyle \prod _{j=1,j\ne i}^k\frac{x-x_j}{x_i-x_j}}$$

(1)

The secret owner constructs Equation (2):

$$F\left(x\right)=s+C_{1}x+C_2{x}^2+\cdots +C_{k-1}{x}^{k-1}$$

(2)

where $s$ is the secret, and $C_1,C_2, \dots ,C_{k-1}$ are random numbers. The owner calculates shares $f_i=F\left(i\right)$, and distributes them to $n$ different users $P_i$. By collecting at least $k$ shares at random, we can reconstruct $F\left(x\right)$. Thus, all the coefficients of $F\left(x\right)$ can be reconstructed.

In order to keep the differences the same as possible between the original and encrypted pixels, Qin et al. proposed an SIS scheme [26] based on pixel difference preservation. Let the size of the image block be $2\times 2$, the pixels be $p_1,p_2,p_3$, and $p_4$, and the threshold be $\left(k,n\right)$. Equation (3) can be constructed as follows:

$$\left\{\begin{array}{l}{g}_1(x)=p_1+h_{1}x+h_2{x}^2+\dots +h_{k-1}{x}^{k-1}\mathrm{mod}251\\ g_z(x)=p_z+h_{1}x+h_2{x}^2+\dots +h_{k-1}{x}^{k-1}\mathrm{mod}251\end{array}\right.$$

(3)

where $z$ = 2, 3, 4, $h_1,h_2,\dots ,h_{k-1}$ are random numbers. Equation (4) can be obtained as follows:

$$\left\{\begin{array}{l}{g}_1(x)+251r_1=p_1+h_{1}x+h_2{x}^2+\dots +h_{k-1}{x}^{k-1}\\ g_z(x)+251r_z=p_z+h_{1}x+h_2{x}^2+\dots +h_{k-1}{x}^{k-1}\end{array}\right.$$

(4)

where $r_1$ and $r_z$ are nonnegative integers; thus,

$$\Delta =g_1(x)-g_z(x)=(g_1(x)+251r_1)\mathrm{mod}251-(g_z(x)+251r_z)\mathrm{mod}251$$

(5)

Mostly because of the high similarity between pixels in an image block, thus $\left|g_1\left(x\right)-g_z\left(x\right)\right|<128$, $r_1=r_z$, and $p_1-p_z=g_1\left(x\right)+251r_1-g_z\left(x\right)-251r_z=g_1\left(x\right)-g_z\left(x\right)$$=\Delta$. However, when $\left|g_1\left(x\right)-g_z\left(x\right)\right|\ge 128$, $r_1-r_z=\pm 1$. When $r_1-r_z=1$, $p_1-p_z=$$g_1\left(x\right)+251r_1-g_z\left(x\right)+251r_z=\Delta +251$; when $r_1-r_z=-1$, $p_1-p_z=g_1\left(x\right)+251r_1-g_z\left(x\right)$$+251r_z=\Delta -251$. Thus, Equation (6) can be obtained as follows:

$$p_1-p_z=\left\{\begin{array}{l}{g}_1\left(x\right)-g_z\left(x\right), if |g_1\left(x\right)-g_z\left(x\right)|<128,\\ g_1\left(x\right)-g_z\left(x\right)+251, if g_1\left(x\right)-g_z\left(x\right)\le -128,\\ g_1\left(x\right)-g_z\left(x\right)-251, if g_1\left(x\right)-g_z\left(x\right)\ge 128.\end{array}\right.$$

(6)

Therefore, it can be determined whether “$g_1\left(x\right)-g_z\left(x\right)$” is equal to “$p_1-p_z$“ based on $\left|g_1\left(x\right)-g_z\left(x\right)\right|$. This scheme ensures complete consistency in pixel correlation between the encrypted image and the original image. By leveraging this scheme to implement RDH-ED, it can effectively address the limitations of pixel correlation destruction in the ciphertext, which typically results in low embedding rates. Moreover, this scheme exhibits minimal construction complexity and offers robust operability.

3. Proposed RDHEI-ED Scheme

3.1. The Procedures of Hierarchical Authorization Structure RDH-ED

Data transmission in cloud environments is fraught with security risks, increasing the susceptibility to attacks. It is imperative to safeguard both the data and transmission processes to enhance security measures. Consequently, data concealment within carriers is essential for secure transmission. Furthermore, image owners seek to ensure the integrity of carrier images, necessitating the effective protection of these images through embedded authentication mechanisms. The procedures of the proposed scheme are shown in Figure 1. The content owner distributes the carrier image to multiple participants via SIS based on pixel difference preservation. At the time of secret sharing, the copyright information of the image can be embedded into the polynomial coefficients. The participants are categorized into core users and ordinary users based on their status level. Core users usually play more important roles than ordinary users, so they need to be given more rights. Therefore, this section designs a hierarchical authorization structure based on identity levels. As illustrated in Figure 1, core users employ the difference preservation embedding algorithm, while ordinary users utilize the pixel replacement embedding algorithm. During the image reconstruction and secret extraction phase, core users are indispensable, granting them greater authority within the process.

In simple terms, an image block is chosen for description. As shown in Figure 2, core users must retain the differences in the original pixels to perform accurate reconstruction. To improve the ER, adaptive difference coding embedding is adopted to increase the number of embeddable blocks. Ordinary users replace the $z$th ($z=2,3,4$) pixel with additional data directly. After extracting the secrets, the first original pixel can be reconstructed from the $k$ shares. Then, the $z$th pixel can be obtained based on the differences provided by the core users. The process of secret sharing and data embedding is shown in Algorithm 1.

Algorithm 1: Secret sharing and data embedding

Input: original image, k1, k, n   1:  Split the image into blocks of size 2 × 2;   2:  Scramble image blocks using scrambled key;   3:  Generate session key using users’ identity numbers and pseudorandom number generator;   4:  Scan the image blocks to obtain the size M;   5:  l←1;   6:  while l < M do   7:  Scan image block to obtain pixels a, b, c, d;   8:  Encrypt extra secrets using AES;   9:  Construct the polynomial f(x);   10:  Calculate f(x) by substituting session key as x to generate then distribute shares to participant P;   11:  if P == core users   12:     Implementing difference preserving embedding;   13:  else   14:     Implementing pixel bit replacement embedding;   15:  end if   16:  l←l + 1;   17: end while Output: Share images with extra secrets embedded

3.2. Image Preprocessing

To maintain high security, firstly, $512\times 512$ grayscale images are divided into nonoverlapping blocks with a size of $2\times 2$. Then, all the blocks and pixels in each block are scrambled. All the blocks are scrambled with the key “Scrkey1”, and the pixels in each block are scrambled with the key “Scrkey2”.

3.3. Session Key Generation

According to the $n_1$ core users’ (U_c) identity numbers $i_1${$i_1=1,2,\dots ,n_1$}, the $n_2$ ordinary users’ (U_g) identity numbers $i_2${$i_2=n_1+1,n_1+2,\dots ,n_1+n_2$}, and the seed key $h_i$, a pseudorandom number generator is utilized to generate $n_1$ flag numbers $I{D}_{cor}=\{i{d}_1,i{d}_2,\dots ,i{d}_{n_1}\}$ and $n_2$ flag numbers $I{D}_{gen}=\{i{d}_{n_1+1},i{d}_{n_1+2},\dots ,i{d}_{n_1+n_2}\}$ as session keys, where $i{d}_i\ne i{d}_j$.

3.4. Encrypted Image Generation

SIS is used to embed the authentication to carriers. Let the image block pixels be $a,b,c,d$ after block and pixel scrambling, the first embedded secret $S_1={\left\{0,1\right\}}^N$.

3.4.1. Polynomial Construction

$S_1$ are encrypted with AES by the encryption key “key1” and then every 8 bits of encrypted $S_1$ are converted to a decimal to generate $E\left(S_1\right)=\left\{b_1,b_2, \dots ,b_{k-1}\right\}$. Then, Equation (7) is constructed on GF (251).

$$\left\{\begin{array}{l}\begin{array}{c}{f}_1(x)=a+b_{1}x+b_2{x}^2+\dots +b_{k-1}{x}^{k-1}\mathrm{mod}251\\ f_2(x)=b+b_{1}x+b_2{x}^2+\dots +b_{k-1}{x}^{k-1}\mathrm{mod}251\\ f_3(x)=c+b_{1}x+b_2{x}^2+\dots +b_{k-1}{x}^{k-1}\mathrm{mod}251\end{array}\\ f_4(x)=d+b_{1}x+b_2{x}^2+\dots +b_{k-1}{x}^{k-1}\mathrm{mod}251\end{array}\right.$$

(7)

3.4.2. Secret Share Generation

For core users, substitute $x_i\in I{D}_{cor}=\{i{d}_1,i{d}_2,\dots ,i{d}_{n_1}\}$ into Equation (7) to compute $n_1$ shares, and then distribute them to corresponding users.

For ordinary users, substitute $x_i\in I{D}_{gen}=\{i{d}_{n_1+1},i{d}_{n_1+2},\dots ,i{d}_{n_1+n_2}\}$ into Equation (7) to compute $n_2$ shares and distribute them to corresponding users.

Since this process is carried out on GF (251), original pixels greater than 250 are directly replaced with 250. To accurately reconstruct the original image, pixels exceeding 250 need to be labeled. Given the rarity of pixels above 250 in grayscale images, we assign values of 1, 2, 3, 4, and 5 to represent the positions of pixels 251, 252, 253, 254, and 255, respectively, while using 0 to denote the positions of other pixels. This approach generates a location map of the carrier image. With the majority of the location map populated by 0 values, we employ an arithmetic coding algorithm to compress it. The compressed location map and length can be embedded as payload_1 into the polynomial coefficients.

3.5. Marked Image Generation after Data Embedding

3.5.1. Difference Reservation Embedding

The embedding rules of the core users are shown in Figure 3 and

Table 1. Coding rules of core users.

|d|max	dcmax	|d| Coding Bits	Data Hiding Bits
[0, 1]	000	1	15
[2, 3]	001	2	12
[4, 7]	010	3	9
[8, 15]	011	4	6
[16, 31]	100	5	3
[32, 63]	101	6	0

. $d_z$ is the difference between the $z$th pixel and the first pixel, and $|d{|}_{max}$ is the maximum of the absolute value of $d_z$. According to Equation (6), due to the strong correlation in the $2\times 2$ image blocks, $|d{|}_{max}$ is less than 64 in most of the blocks. Therefore, $|d{|}_{max}$ can be classified into seven different levels. For the blocks of ${\left|d\right|}_{max}\le 63$, $|d{|}_{max}$ can be encoded by 3 bits. $d{c}_{max}$ is the corresponding encoding of $|d{|}_{max}$. Since $d_z$ may be positive or negative, “1” is used to represent a positive value, and “0” is negative. According to Table 1, when ${\left|d\right|}_{max}\in [32, 63]$, the block is unembeddable, and can be labeled according to Table 1 without risking pixel overflow. When ${\left|d\right|}_{max}\ge 64$, pixel overflow will occur. Consequently, for these pixel blocks of ${\left|d\right|}_{max}\ge 64$, we preserve the pixels unchanged. Additionally, a location map is employed to distinguish blocks using 1 for embeddable blocks and 0 for others. This location map undergoes compression through arithmetic coding, with the compressed positional map and its length embedded into the embeddable pixels as payload_2.

3.5.2. Pixel Bit Replacement Embedding

Every 8 bits of the secret $S_3={\left\{0,1\right\}}^N$ are converted to a decimal with AES encrypted by the encryption key “key3” to generate E(S₃). For each block share, the first pixel is kept as the label pixel, and the other three pixels are replaced with E(S₃).

3.6. Data Extraction and Image Recovery

The process of data extraction and image recovery is shown in Algorithm 2. The receiver collects any more than or equal to $k_1$ core shares and $k_2$ ordinary shares, where $k_1+k_2\ge k$, and $k_1\ge 1$.

For core users, payload_2 should be extracted first. For the blocks of ${\left|d\right|}_{max}\le 63$, the four pixels are converted to binary values; then, the corresponding differences can be extracted according to the difference classes, and additional data can be obtained. After decryption, the secrets can be obtained.

For ordinary users, the last three pixels of each block can be extracted directly, and the secrets can be obtained after decryption.

For the image owner, the label pixel could be recovered by the Lagrange interpolation formula since the $k_1+k_2$ users could provide $k$ label pixel shares, and E(S₁) could be extracted. After decryption, $S_1$ can be obtained. Then, all the original pixels could be recovered by the pixel differences provided by the core users and the payload_1.

Algorithm 2: Secret extraction and image reconstruction

Input: Share images with extra secrets embedded, k1, k, n   1: l←1;   2: while l < M do   3:    if P == core users   4:             Obtain the first pixel and the three differences;   5:             Extract the extra secret;   6:    else   7:             Obtain the first pixel;   8:             Extract the extra secret;   9:       Recovering the first original pixel using the first share pixel by Theorem 1;   10:      Use the three differences and the first original pixel to obtain the original three pixels.   11:    end if   12:    l←l + 1;   13:    end while Output: Extra secret, reconstructed image

3.7. Instance of the Proposed Scheme

For clarity, an example of a core user is shown in Figure 4. Let the marked pixels be $\left\{65,70,66,63\right\}$. The differences between the $z$th and the first pixel are $+5$, $+1$, and $-2$, respectively. Because the maximum absolute value is 5, the corresponding class code is 010, and the corresponding difference codes are 1101, 1001, and 0010. Therefore, the embeddable space is 9 bits. After embedding “101010101”, the marked pixels are $\left\{65,91,37,85\right\}$. The receiver first converts the data to binary values and subsequently calculates the three differences according to the class. Therefore, the secrets, labeled pixels, and differences can be obtained.

4. Experimental Results and Comparisons

The experiments were implemented in MATLAB R2021b with a CPU (i7-11800H) @ 2.30 GHz. The test data are shown in Figure 5, and all the images are $512\times 512$ 8-bit grayscale images named Jetplane, Peppers, Goldhill, Baboon, Boats, and Airplane.

4.1. Security Analysis

The parameter settings are $k=3$, $n=4$, and $k_1=1$. The encrypted image mentioned in this section is the first secret share, and the marked image is the first secret share after embedding the extra data again.

4.1.1. Keyspace

When the key space is large enough, it can effectively resist attacks such as brute force cracking. In the proposed scheme, the original image is $512\times 512$, and each block is $2\times 2$. Thus, the total number of blocks is 65,536, and possible situations for block scrambling are $65536!$. Because each image block has four pixels, there are $4!$ cases of pixel scrambling. Therefore, the whole key space of block and pixel scrambling is $65536!\times 4{!}^{65536}$, which is much larger than 2¹⁰⁰, so it can efficiently resist brute force attacks.

4.1.2. Histogram

A more uniform histogram corresponds to a better security scheme and can resist statistical analysis attacks more effectively. Figure 6a–d show the original image, encrypted image, marked image, and reconstructed image of Baboon. (e)–(h), (i)–(l), and (m)–(p) are the corresponding plane histogram, scatter histogram, and 3D histogram, respectively. As shown in Figure 6, the histograms of the encrypted image and marked image are uniform and gentle, and the distributions of the original image and reconstructed image are the same. Our experimental verification reveals that the histograms of labeled images display lower homogeneity than those of encrypted images. This disparity is attributed to the embedded secrets not being true random numbers, influencing the distribution of histograms to a certain degree. However, the histograms of the marked images exhibit significant homogeneity. This signifies that while the embedding process does have an impact on security, the extent of this impact remains within acceptable limits. Due to the encryption of the coefficients used in constructing the polynomials, the encrypted data exhibit a high level of uncorrelation. Furthermore, these encrypted data are distributed to participants through secret sharing, providing an additional layer of double encryption protection. These measures ultimately contribute to achieving a uniform histogram distribution. Therefore, attackers cannot obtain any relevant information from the pixel distributions.

4.1.3. Relevant Parameters

• Shannon Entropy

The more uniformly the pixels are distributed, the closer to 8 the entropy is. The calculation is shown in Equation (8).

$$H\left(X\right)=-\Sigma P\left(x\right) lo{g}_{2}P\left(x\right)$$

(8)

where $H\left(X\right)$ denotes the entropy of random $X$, and $P\left(x\right)$ is the probability of $x$. If each pixel in the image has equal probability, the entropy could reach a maximum of 8. The entropies of the different images are shown in Figure 7, from which it can be seen that the entropies of encrypted shares and marked shares are both close to 8, and the entropy of the proposed scheme is much closer to 8 than that of Qin et al.’s scheme [26], which indicates that the proposed scheme can resist entropy analysis attacks more effectively.

2.

PSNR and SSIM

The larger the peak signal-to-noise ratio (PSNR) is, the less distorted the image will be. When $PSNR>35 \mathrm{dB}$, we cannot detect any distortion; when $PSNR<10 \mathrm{dB}$, there is a large difference between the contrast images. The closer to 1 the structural similarity (SSIM) is, the more similar the contrastive images are. An SSIM value of 1 indicates that two images are the same. The PSNR and SSIM can be calculated as follows:

$$MSE={\displaystyle \frac{1}{X\times Y}}{\displaystyle \sum _{i=0}^{X-1}{\displaystyle \sum _{j=0}^{Y-1}(P\left(i,j\right)-P^{\prime }\left(i,j\right))}}$$

(9)

$$PSNR=10{\log }_{10}{\displaystyle \frac{255}{MSE}}$$

(10)

$$SSIM\left(X,Y\right)={\displaystyle \frac{(2M_X{M}_Y+Cons1)(2C_{XY}+Cons2)}{(M_X^2+M_Y^2+Cons1)(C_X^2+C_Y^2+Cons2)}}$$

(11)

In the context provided, the original image X is compared with image Y using specific pixels P(i, j) and P′(i, j). The mean values of X and Y are denoted as M_X and M_Y, respectively, while the standard deviations of X and Y are represented by C_X and C_Y, respectively. The covariance of X and Y is indicated as C_XY. Cons1 and Cons2 are two small numbers to avoid division by 0. The six images in Figure 4 were tested, and the results are shown in Figure 8. The average PSNR and SSIM values of the encrypted image and the original image are close to 4.7988 and 0.0154, respectively, and the average values of the marked image and original image are close to 7.5858 and 0.0243, respectively. Smaller PSNR and SSIM values indicate large differences between the encrypted image, marked image, and original image. Thus, the proposed scheme has strong security.

4.1.4. Pixel Correlation

The smaller the pixel correlation of the encrypted image is, the more secure the scheme. Experiments tested the correlation of Baboon’s first encrypted image and marked image from the horizontal, vertical, 45°, and 135° perspectives. Figure 9 shows the pixel correlation of the first encrypted image and Figure 10 shows the pixel correlation of the first marked image. As shown in Figure 7 and Figure 8, the pixel correlation of both the encrypted and marked images is close to 0, which indicates that the proposed scheme has high security.

4.2. Embedding Rate

The embedding capacity (EC) is the total bits of additional data embedded in the carrier. The embedding rate (ER) is the average number of bits embedded per pixel. The ER of the proposed scheme consists of the polynomial embedding rate (ER₁), core user embedding rate (ER₂), and ordinary user embedding rate (ER₃). The payload_1 and payload_2 must be embedded into the carrier to determine the reversibility. Therefore, the total payload denoted as payload_total can be calculated as $payload\_total=payload\_1+payload\_2$. If we denote the embedded capacity of the core user as EC₂, as the number of encrypted pixels increases to $512\times 512\times n$ after SIS, the ER can be calculated as follows:

$$ER=E{R}_1+E{R}_2+E{R}_3={\displaystyle \frac{EC-payload\_total}{512\times 512\times n}}$$

(12)

$$E{R}_1={\displaystyle \frac{8\times (k-1)\times 512\times 512-payload\_1}{2\times 2\times 512\times 512\times n}}$$

(13)

$$E{R}_2={\displaystyle \frac{E{C}_2-payload\_2}{2\times 2\times 512\times 512\times n}}$$

(14)

$$E{R}_3={\displaystyle \frac{24\times (k-k_1)\times 512\times 512}{2\times 2\times 512\times 512\times n}}$$

(15)

Firstly, the six images in Figure 4 are tested at different thresholds, and the results are shown in

Table 2. ER of different images at different thresholds.

Maximum Embedding Rate (bpp)	k = 2		k = 3		k = 4
	n = 2	n = 3	n = 3	n = 4	n = 4	n = 5
Goldhill	4.2532	2.9202	5.5865	4.2534	6.2531	5.0532
Baboon	4.1226	2.7897	5.4561	4.1228	6.1227	4.9227
Boats	4.1956	2.8664	5.5288	4.1954	6.1954	4.9951
Airplane	4.3332	3.0003	5.6666	4.3331	6.3334	5.1334
Peppers	4.3450	3.0121	5.6783	4.3450	6.3448	5.1450
Jetplane	4.3329	2.9996	5.6664	4.3331	6.3331	5.1330

. For $k=n$, the ER is larger, but the threshold function is not used. For common thresholds (3, 4) and (4, 5), the proposed scheme also has an excellent embedding performance. To illustrate the superiority of the proposed scheme, it is compared with current similar perfect schemes, and the results are shown in Figure 11 and

Table 3. Percentage increase in the ER of the proposed program in the (3, 4) scheme.

Test Image	Scheme [4]	Scheme [24]	Scheme [26]	Scheme [27]
Goldhill	140%	74%	186%	144%
Baboon	162%	312%	667%	136%
Boats	129%	57%	185%	140%
Airplane	75%	20%	86%	148%
Jetplane	109%	38%	190%	148%
Peppers	138%	73%	175%	149%

. The average ER of the proposed scheme is maximized at six different thresholds. The comparison schemes are all based on SIS. Wu et al. proposed two schemes [4], and the one with the larger ER was chosen for comparison. Chen et al.’s scheme [27] has an ER of $7/n$, which decreases with the increasing $n$. Hua et al. proposed the CFSS RDH-ED [23] and MSS RDH-ED [24], which embed extra data by predicting encrypted image pixels. Because the correlation of encrypted pixels is small, the ER is limited. Qin et al.’s scheme [26] utilized difference protection SIS to maintain the same correlation between encrypted pixels and original pixels. The threshold needs to be preselected, and many unembeddable blocks exist, which leads to a good embedding performance.

4.3. Reversibility

4.3.1. Relevant Parameters

The reversibility of the procedure can be classified into two main aspects: (1) The original image can be recovered completely. (2) Extra data could be extracted losslessly. All test images were tested, and the results are shown in

Table 4. MSEs, PSNRs, and SSIMs for different test images.

Test Image	MSE	PSNR	SSIM
Goldhill	0	+∞	1
Baboon	0	+∞	1
Boats	0	+∞	1
Airplane	0	+∞	1
Peppers	0	+∞	1
Jetplane	0	+∞	1

. The mean squared errors (MSEs) are all 0, the PSNRs are all +∞, and the SSIMs are all 1, which indicates that there is no difference between the reconstructed images and the original images. Since the polynomial coefficients can be recovered correctly based on Theorem 1, the labeled pixels can be recovered accurately. In addition, core users can determine the difference between the $z$th pixel and the label pixel; thus, the original image can be recovered completely, which indicates that the proposed scheme is completely reversible.

4.3.2. Error Map for Secret Extraction

The error map shows the results of the bit-by-bit comparisons between the processed and original data. Figure 12a–c show the error maps of the extracted S₁, S₂, and S₃ and the original S₁, S₂, and S₃ at threshold (3, 4). The values are all 0, which indicates that the proposed scheme can extract secrets accurately.

4.4. Data Extension

The data extension rate is the ratio between the encrypted image size and the original image size, and is calculated as follows:

$$Expansion rate={\displaystyle \frac{Total bits of encrypted image}{Total bits of original image}}$$

(16)

In this paper, the carrier image is encrypted into $n$ shares by SIS, with each user holding one share. Thus, the relative data expansion rate is 1 for a single embedder, but the total expansion rate depends on the threshold. When $n$ is not too large, the total expansion rate is acceptable.

Table 5. Comparison of the data expansion rates.

Scheme	Type	Encryption	Relative Expansion Rate	Total Expansion Rate
Ke et al. [22]	VRIE	Homomorphic encryption	256	256
Hua et al. [23]	VRAE	Secret sharing	1/(r − 1)	n/(r − 1)
Qin et al. [26]	VRAE	Secret sharing	1	n
Chen et al. [28]	VRBE	Multi-secret sharing	1	1
Proposed	VRIE + VRAE	Secret sharing	1	n

shows the comparison results of the different schemes. Schemes [22,28] generate only one encrypted image, and their relative expansion rate is equal to the total expansion rate. However, the scheme [22] uses homomorphic encryption, which generates a large data expansion. Scheme [28] utilizes multi-secret share and lightweight encryption methods, and the data expansion rate is 1. Schemes [23,26] and the proposed scheme generate secret shares via SIS, and all the relative expansion rates are 1, but the total expansion rate depends on the threshold $n$. Therefore, the data expansion of the proposed scheme could be within an acceptable range by controlling the threshold.

5. Conclusions

In the current distributed environment, most existing RDH-ED schemes cannot grant corresponding privileges to multilevel identity participants. However, the identities of participants usually have different classes in real distributed environments, and they need to be given corresponding permission. Accordingly, we propose a multiple embedding scheme based on SIS and users’ multilevel identities. Specifically, the participants are divided into core users and ordinary users. For the core users, adaptive difference reservation embedding based on SIS is utilized, which grants more important permission to core users. For ordinary users, pixel bit replacement embedding is used to obtain a better ER. Moreover, the image copyrights are embedded in the polynomial coefficient redundancy generated during the SIS process, which ensures the integrity of the carrier images. The experimental findings demonstrate that our proposed scheme excels in terms of the ER, security, and reversibility, accommodating multiple embeddings across diverse participant identities.

However, our scheme has certain limitations. Maintaining an exact correlation between ciphertext and plaintext pixels through secret sharing makes it less resilient to selective ciphertext attacks. Moreover, cases where a participant defects under the threshold condition can lead to secret leakage. In future research endeavors, we recommend exploring strategies such as attribute encryption and digital signatures to bolster security measures and mitigate these identified shortcomings.