**1. Introduction**

Due to the development of outsourced storage in the cloud, reversible watermarking in an encrypted domain has been developed for security in the cloud [1–4]. However, the cloud cannot introduce distortion of original content during watermark embedding. Therefore, the reversible watermarking method is required [5,6]. In addition, the watermark carrier is vulnerable during transmission, and the embedded watermark is expected to resist common attacks [7,8]. Therefore, robust reversible watermarking in an encrypted domain has greatly attracted researchers for potential applications.

In general, watermarking can be divided into robust and fragile watermarking methods in terms of their robustness. Robust watermarking [9] is used to protect security and resist attacks, while fragile watermarking [10,11] is used to provide integrity authentication. For the occasions with high data security requirements, such as judicial authentication, medical images, etc., more researchers focus on fragile watermarking in the encrypted domain.

Reversible watermarking in the encrypted domain can be divided into reserving room before encryption (RRBE) and vacating room after encryption (VRAE). The RRBE method reserves embedding room before encrypting the original image [12–15]. For example, the vacated bits, which are reserved by self-embedding before encryption, can be substituted by the watermark in the encrypted domain [4]. With the development of reversible watermarking [16,17], the original image can be restored absolutely after extracting the watermark. The second type directly implements watermark embedding by modified the encrypted image [18,19] after encryption. For instance, Xiang divided the original image into patches to be encrypted, and then the histogram of statistical values was calculated in the encrypted domain for shifting to embed watermark [20].

However, these methods are only applied to images, and cannot be used in 3D models directly due to different structures between images and 3D models. Ke et al. proposed a robust watermarking method on the basis of self-similarity [21]. In that method, a 3D model is divided into patches, and watermark bits were embedded by changing the local vector length of a point in each patch. Feng et al. divided a 3D model into patches, then embedded a watermark into each patch by modulating angle quantization [22]. However, those methods are not reversible. Jiang et al. proposed a 3D model watermarking method on the basis of stream cipher encryption [1]. The watermark was embedded by flipping the least significant bits (LSBs) of the vertex coordinates. Since the original 3D models have high spatial correlation, the watermark can be extracted successfully. Shah proposed a watermarking method based on the homomorphic Paillier cryptosystem, which used VRAE framework to vacate space before encryption [2]. However, those methods are fragile to attacks and cannot protect their copyrights.

To our best of knowledge, although the aforementioned watermarking methods on encrypted 3D models have been developed, the research on robustness for encrypted 3D models is rarely reported. In this paper, in order to protect the security of a 3D model in the cloud, we proposed a homomorphic encryption-based robust reversible watermarking method. In this method, the original model is first divided into patches to facilitate patch encryption using the Paillier cryptosystem. Then, the watermark is embedded by constructing the symmetrical direction histogram and shifting histogram in the encrypted domain, and the robust interval is reserved during the histogram shifting. Last, the receiver extracts the watermark in the encrypted model or the decrypted model by constructing a direction histogram of patches, and restores the original model through the method of histogram shifting which is the opposite to the embedding process. The contributions of the paper are organized as follows.

(1) The proposed method can directly construct direction histogram in the encrypted model so that the watermark can be extracted and the original encrypted model can be restored in the encrypted domain.

(2) The proposed method is robust to several common attacks by reserving the robust interval during the histogram shifting for watermark embedding.

(3) The proposed method not only has higher security and capacity, but also has less distortion compared with the original model.

The rest of this paper is organized as follows. In the second part, the Paillier cryptosystem is briefly introduced. In the third part, the related robust reversible watermarking method flow is proposed. The experimental results are shown in Section 4. The conclusions of the thesis are discussed in Section 5.

#### **2. Paillier Cryptosystem**

The Paillier cryptosystem [23], which was proposed by Paillier Pascal in 1999, has homomorphism and probability. Homomorphism means that one arithmetic operation of two ciphertexts are equal to another arithmetic operation of two corresponding plaintext. Moreover, homomorphism includes addition and multiplication homomorphism. Probability means that different ciphertexts, which are obtained by encrypting the same plaintext with different parameters, can be decrypted to the same plaintext. The following describes the processes of key generation, encryption, and decryption, two properties, and the application of modular multiplication inverse (MMI) [24] in the Paillier cryptosystem.
