• Key Generation

Randomly pick up two large primes numbers *p* and *q*. Calculate *N* = *pq* and λ = *lcm*(*p* − 1, *q* − 1), where *lcm*(·) stand for the lowest common multiple. Afterwards, select *g* ∈ *Z*<sup>∗</sup> *<sup>N</sup>*<sup>2</sup> randomly, which satisfies

$$\gcd(L(\mathcal{g}^\lambda \text{mod} \mathcal{N}^2), \mathcal{N}) = 1 \tag{1}$$

where *L*(*u*)=(*u* − 1)/*N*, and gcd(·) means the greatest common divisor of two inputs. *ZN*<sup>2</sup> = 0, 1, 2, ... , *<sup>N</sup>*<sup>2</sup> <sup>−</sup> <sup>1</sup> and *Z*∗ *<sup>N</sup>*<sup>2</sup> are the numbers in *ZN*<sup>2</sup> which prime with *<sup>N</sup>*2. Finally, we get the public key (*N*, *g*) and corresponding private key λ.

• Encryption

Select a parameter *r* ∈ *Z*<sup>∗</sup> *<sup>N</sup>*<sup>2</sup> randomly. The plaintext *<sup>m</sup>* <sup>∈</sup> *ZN* can be encrypted to the corresponding ciphertext *c* by

$$\mathcal{L} = E[m, r] = \mathcal{g}^m \cdot r^N \text{mod}N^2 \tag{2}$$

where *E*[·] denotes the encryption function. Due to the nature of the Paillier cryptosystem, for the same plaintext *m*, different ciphertexts *c* can be obtained by choosing different *r*. After decryption, different ciphertexts can be restored to the same plaintext *m*, which ensures the security of the ciphertext.

• Decryption

The original plaintext *m* can be obtained by

$$m = D[c] = \frac{L(c^\lambda \text{mod} N^2)}{L(g^\lambda \text{mod} N^2)} \text{mod} N \tag{3}$$

Moreover, two important characteristics are described as follows (which has been applied in the proposed method).

• Lemma One

For two plaintexts *m*1, *m*<sup>2</sup> ∈ *ZN*, compute corresponding ciphertexts *c*1, *c*<sup>2</sup> with *r*1,*r*<sup>2</sup> according to Equation (1), respectively. The Equation *c*<sup>1</sup> = *c*<sup>2</sup> holds if and only if *m*<sup>1</sup> = *m*<sup>2</sup> and *r*<sup>1</sup> = *r*2.

• Homomorphic Multiplication

For ∀*r*1,*r*<sup>2</sup> ∈ *Z*<sup>∗</sup> *<sup>N</sup>*, two plaintexts *m*1, *m*<sup>2</sup> ∈ *ZN* and corresponding ciphertexts *E*[*m*1,*r*1], *E*[*m*2,*r*2] ∈ *Z*∗ *<sup>N</sup>*<sup>2</sup> satisfy

$$\mathbf{c}\_1 \cdot \mathbf{c}\_2 = E[m\_1, r\_1] \cdot E[m\_2, r\_2] = \mathbf{g}^{m\_1 + m\_2} \cdot (r\_1 \cdot r\_2)^N \mathbf{modN}^2 \tag{4}$$

$$D[c\_1 \cdot c\_2] = D[E[m\_1, r\_1] \cdot E[m\_2, r\_2] \text{mod}\text{N}^2] = m\_1 + m\_2 \text{mod}\text{N} \tag{5}$$

The original Paillier cryptosystem only has addition homomorphism and multiplication homomorphism. The subtraction homomorphism can be achieved through modular multiplication inverse (MMI).

• Modular Multiplication Inverse (MMI)

For two coprime integers *y* and *z*, the existence of an integer θ satisfies

$$
\theta \cdot y = 1 \\
\text{mod} z \tag{6}
$$

where θ is called the modular multiplicative inverse of *y*, and θ can be obtained according to the extended Euclidean method [25].

### **3. The Proposed Method**

In order to protect the security of 3D model in the cloud, a homomorphic encryption-based robust reversible watermarking method is proposed. Figure 1 shows the flowchart of the proposed method. Firstly, the original model is divided into patches, and vertices in each patch are encrypted using the Paillier cryptosystem. In the cloud, three direction values of each patch are computed, and the direction histogram is constructed for shifting to embed the watermark. At last, the watermark can be extracted from direction histogram, and the original 3D model can be restored by histogram shifting.

**Figure 1.** Flowchart of the proposed method.

#### *3.1. Preprocessing*

Because the input of the Paillier cryptosystem should be a positive integer, the vertex coordinates firstly are converted from decimal to positive integer.

3D models are consisted of vertex data and connectivity data. The vertex data includes the coordinates of each vertex in the spatial domain. The connectivity data reflects the connection relationship between vertices. A 3D model devil and its local region are illustrated in Figure 2. Each vertex and each face of the 3D model have a corresponding index number, respectively. For a 3D model *M*, let {*vi*} *NV <sup>i</sup>*=<sup>0</sup> represents the sequence of vertices, where *vi* = (*vi*,*x*, *vi*,*y*, *vi*,*z*) and *NV* is the number of vertices. Note that each coordinate *vi*,*j* <sup>&</sup>lt; 1, *<sup>j</sup>* <sup>∈</sup> *x*, *y*, *z* , and the significant digit of each coordinate is 6.

**Figure 2.** A 3D model devil; (**a**) original model, (**b**) local region.

Normally, uncompressed vertices are 32-bit floating point numbers with a precision of 6 digits. The first four significant digits of vertex coordinates can accurately display the 3D model. Therefore, the vertex coordinates are converted into an integer with four significant digits by using Equation (7).

$$\left| v'\_{i,j} = \left[ v\_{i,j} \cdot 10^4 \right]\_{\prime} \right| \quad j \in \{ x, y, z \} \tag{7}$$

Moreover, all vertex coordinates should be converted to positive integers for encryption by using Equation (8).

$$
v'\_{i,j} = v'\_{i,j} + 10000, \quad j \in \{x, y, z\} \tag{8}$$

After preprocessing, the pre-processed 3D model is computed, and denoted as *M* .

#### *3.2. Patch Dividing and Patch Encryption*

The section describes how to divide the model into several non-overlapping patches and perform encryption by using the Paillier cryptosystem.

#### 3.2.1. Patch Dividing

For the vertex of the 3D model, if two vertices *vi* and *vk* are connected by a edge, *vk* is a neighbor of *vi*. All neighbors of *vi* constitute the 1-ring neighborhood of *vi*, and all 1-ring neighborhood of the neighbors of the vertex *vi* constitute its 2-ring neighborhood. *N*(*vi*) is the 2-ring neighborhood of the vertex *vi*, and *N*(*vi*) is computed by

$$N(\upsilon\_i) = \langle \upsilon\_k | 0 \le \vert \upsilon\_i \upsilon\_k \vert \le 2, k = 0, 1, \dots, N\_V \rangle \tag{9}$$

where *NV* are the number of the vertices of the 3D model, and |*vivk*| represents the number of vertices between *vi* and *vk*. As illustrated in Figure 2, the blue vertices are the 1-ring neighborhood of the red vertex, and the green vertices are the 2-ring neighborhood of the red vertex.

When the 3D model is divided into patches, it is necessary to ensure patches do not overlap each other. Suppose that the unclassified and classified sets are *SY* and *SN*, respectively. *SY* = {*vi*} *NV <sup>i</sup>*=<sup>0</sup> and *SN* are initially empty. Suppose that the *l th* patch is denoted as *P*(*l*). A 3D model is divided into patches by the following rules, and initially *l* = 1.

Step 1: The first vertex *vi* is selected according to the order of vertex index, and *vi* and its 1-ring neighborhood are used as the *P*(*l*). Vertices in *P*(*l*) are sorted by

$$P^{(l)}(p) = \begin{cases} \ v\_{l\prime} & p = 1 \\ \ v\_{k\prime} & p = 2, 3, \dots N\_l \end{cases} \tag{10}$$

where *Nl* is the number of vertices in *P*(*l*).

Step 2: Update the unclassified set and the classified set by using Equation (11).

$$S\_N = S\_N \cup N(v\_i), \quad S\_Y = S\_Y - N(v\_i) \tag{11}$$

where *SN* ∪ *N*(*vi*) is the union of two sets, and *SY* − *N*(*vi*) is the vertex set that exist in *SY* but not in *N*(*vi*). *N*(*vi*) is put into the classified set for ensuring patches do not overlap each other.

Step 3: Determine whether the unclassified set *SY* is empty. If *SY* is empty, then the division of patches ends. If *SY* is not empty, then continue to select the (*l* + 1) *th* patch from Step 1, until *SY* is empty.

As illustrated in Figure 3, the local region of 3D model devil can be divided into five patches, and each color in Figure 3 represents a patch.

**Figure 3.** Patch dividing of 3D model devil.

#### 3.2.2. Patch Encryption

Let *<sup>P</sup>*(*l*)(*p*, *<sup>j</sup>*), *<sup>j</sup>* <sup>∈</sup> *x*, *y*, *z* be the *j*-axis coordinates of the *pth* vertex in *P*(*l*). Referring to Equation (2), an integer *r*1(*l*) ∈ *Z*<sup>∗</sup> *<sup>N</sup>* can be randomly selected to encrypt *<sup>P</sup>*(*l*)(*p*, *<sup>j</sup>*) with the public key (*N*, *<sup>g</sup>*).

$$\mathbb{C}^{(l)}(p,j) = E[P^{(l)}(p,j), r\_1(l)] = \mathbb{g}^{P^{(l)}(p,j)} \cdot r\_1(l)^N \bmod N^2 \tag{12}$$

where *p* ∈ [1, *Nl*], *j* ∈  *x*, *y*, *z* , *C*(*l*) denotes the encrypted vertex coordinates, and *E*[*M* ] represents the encrypted model.

#### *3.3. Watermark Embedding*

Firstly, three direction values of each patch in ciphertext are computed. Then, according to the possible values of the direction in ciphertext, the mapping table is constructed to map the direction values in ciphertext to the direction values in plaintext. The direction histogram is constructed by counting the direction values of all patches. Lastly, the watermark is embedded by histogram shifting.

#### 3.3.1. Three Direction Values Calculation of Each Patch

In order to calculate three direction values of each patch, a vector *M*(*p*) is defined by using Equation (13).

$$M(p) = \begin{cases} 1 & \text{if } p = 2, 3, \dots \\ -1 & \text{if } p = 1 \end{cases} \tag{13}$$

Suppose that *<sup>d</sup>*(*l*)(*j*), *<sup>j</sup>* <sup>∈</sup> *x*, *y*, *z* denotes the *j*-axis direction value of the *l th* patch *P*(*l*), which is calculated by Equation (14).

$$d^{(l)}(j) = \sum\_{p=2}^{N\_l} \left[ P^{(l)}(p, j) \cdot M(p) + P^{(l)}(1, j) \cdot M(1) \right] \tag{14}$$

In the encrypted domain, without the private key λ, the encrypted vertex coordinates cannot by decrypted to obtain the vertex coordinate in plaintext, so the direction value *d*(*l*)(*j*) cannot be directly calculated. In the proposed method, the direction value in ciphertext can be calculated using the MMI method. *C*(*l*) represents the encrypted patch corresponding to the original patch *P*(*l*). In order to calculate the direction value in ciphertext, the modular multiplicative inverse <sup>θ</sup>*C*(*l*)(*p*,*j*) of *<sup>C</sup>*(*l*)(*p*, *<sup>j</sup>*) should be calculated through the extended Euclidean method. θ*C*(*l*)(*p*,*j*) satisfies

$$\theta\_{\mathbb{C}^{(l)}(p,j)} \cdot \mathbb{C}^{(l)}(p,j) = 1 \text{mod}N^2 \tag{15}$$

For the *l th* patch, the vectors *<sup>M</sup>*(*l*) <sup>1</sup> and *<sup>M</sup>*(*l*) <sup>2</sup> are defined by using Equations (16) and (17), respectively.

$$\mathcal{M}\_1^{(l)}(p,j) = \begin{cases} \mathcal{C}^{(l)}(p,j) & \text{if } p = 2, 3, \dots \text{N}\_l \\ \theta\_{\mathcal{C}^{(l)}(p,j)} & \text{if } p = 1 \end{cases} \tag{16}$$

$$M\_2^{(l)}(p,j) = \begin{cases} \theta\_{\mathbb{C}^{(l)}(p,j)} & \text{if } p = 2, 3, \dots \text{N}\_l \\ \mathbb{C}^{(l)}(p,j) & \text{if } p = 1 \end{cases} \tag{17}$$

Since the direction value *d*(*l*)(*j*) may be negative, two direction values *c* (*l*) *<sup>d</sup>*<sup>1</sup> (*j*) and *<sup>c</sup>* (*l*) *<sup>d</sup>*<sup>2</sup> (*j*) are re-defined. If *d*(*l*)(*j*) is positive, *c* (*l*) *<sup>d</sup>*<sup>1</sup> (*j*) is the ciphertext corresponding to *<sup>d</sup>*(*l*)(*j*). If *<sup>d</sup>*(*l*)(*j*) is negative, *c* (*l*) *<sup>d</sup>*<sup>2</sup> (*j*) is the ciphertext corresponding to *<sup>d</sup>*(*l*)(*j*). *<sup>c</sup>* (*l*) *<sup>d</sup>*<sup>1</sup> (*j*) and *<sup>c</sup>* (*l*) *<sup>d</sup>*<sup>2</sup> (*j*) can be calculated by Equation (18).

$$\begin{cases} c\_{d1}^{(l)}(j) = M\_1^{(l)}(1,j)^3 \prod\_{p=2}^{N\_l} M\_1^{(l)}(p,j) \text{mod}N^2\\ c\_{d2}^{(l)}(j) = M\_2^{(l)}(1,j)^3 \prod\_{p=2}^{N\_l} M\_2^{(l)}(p,j) \text{mod}N^2 \end{cases} \tag{18}$$

After *c* (*l*) *<sup>d</sup>*<sup>1</sup> (*j*) and *<sup>c</sup>* (*l*) *<sup>d</sup>*<sup>2</sup> (*j*) are calculated, *<sup>d</sup>*(*l*)(*j*) is obtained by querying the mapping table. The following is the corresponding equation derivation and proof. To facilitate understanding, a patch consisting of four vertices is used as an example. Suppose that *P*1, *P*2, *P*3, *P*<sup>4</sup> denote the *j*-axis coordinate of the *pth* vertex as illustrated in Figure 4, and *c*ˆ1, *c*ˆ2, *c*ˆ3, *c*ˆ4 is the ciphertext corresponding to *P*1, *P*2, *P*3, *P*4. θ1, θ2, θ3, θ<sup>4</sup> is the modular multiplicative inverses corresponding to *c*ˆ1, *c*ˆ2, *c*ˆ3, *c*ˆ4, which satisfies

$$\begin{cases} \theta\_1 \cdot c\_1 = \theta\_1 \cdot g^{P\_1} \cdot r\_1^N = 1 \text{mod}N^2 \\ \theta\_2 \cdot c\_2 = \theta\_2 \cdot g^{P\_2} \cdot r\_1^N = 1 \text{mod}N^2 \\ \theta\_3 \cdot c\_3 = \theta\_3 \cdot g^{P\_3} \cdot r\_1^N = 1 \text{mod}N^2 \\ \theta\_4 \cdot c\_4 = \theta\_4 \cdot g^{P\_4} \cdot r\_1^N = 1 \text{mod}N^2 \end{cases} \tag{19}$$

**Figure 4.** The patch with four vertices. (**a**) *M*(*p*) correspond to the vertex. (**b**) The encrypted coordinate.

Then the direction value in ciphertext can be calculated by using Equation (20).

$$\begin{cases} \begin{aligned} \boldsymbol{c}\_{d1}(j) &= M\_1(1,j)^3 \prod\_{p=2}^{N\_l} M\_1(p,j) \text{mod}N^2 = \boldsymbol{\theta}\_1^{\cdot 3} \cdot \boldsymbol{\p}\_2 \cdot \boldsymbol{\p}\_3 \cdot \boldsymbol{\p}\_4 \\\ \boldsymbol{c}\_{d2}(j) &= M\_2(1,j)^3 \prod\_{p=2}^{N\_l} M\_2(p,j) \text{mod}N^2 = \boldsymbol{\p}\_1^{\cdot 3} \cdot \boldsymbol{\theta}\_2 \cdot \boldsymbol{\theta}\_3 \cdot \boldsymbol{\p}\_4 \end{aligned} \end{cases} \tag{20}$$

It can be derived to the following equation.

$$\begin{cases} c\_{d1}^{(l)}(j) = g^{P\_2 + P\_3 + P\_4} \cdot r\_1^{\text{3N}} \cdot \theta\_1 \text{mod}N^2\\ c\_{d2}^{(l)}(j) = g^{3P\_1} \cdot r\_1^{\text{3N}} \cdot \theta\_1 \cdot \theta\_2 \cdot \theta\_3 \text{mod}N^2 \end{cases} \tag{21}$$

According to Carmichael theory, the following equation holds.

$$\begin{cases} \text{ g}^{N\lambda} = 1 \text{mod}N^2\\ r\_1^{N\lambda} = 1 \text{mod}N^2 \end{cases} \tag{22}$$

Hence, the following equation holds.

$$\text{g}^{N\lambda} \cdot r\_1^{N\lambda} = 1 \text{mod}N^2 \tag{23}$$

According to Equations (19) and (23), Equation (24) can be derived.

$$\begin{cases} \theta\_1 = \operatorname{g}^{N\lambda - P\_1 \cdot r\_1 N(\lambda - 1)} \operatorname{mod} N^2 \\ \theta\_2 = \operatorname{g}^{N\lambda - P\_2 \cdot r\_1 N(\lambda - 1)} \operatorname{mod} N^2 \\ \theta\_3 = \operatorname{g}^{N\lambda - P\_3 \cdot r\_1 N(\lambda - 1)} \operatorname{mod} N^2 \\ \theta\_4 = \operatorname{g}^{N\lambda - P\_4 \cdot r\_1 N(\lambda - 1)} \operatorname{mod} N^2 \end{cases} \tag{24}$$

According to Equations (22) and (24), Equation (20) can be simplified as

$$\begin{cases} c\_{d1}^{(l)}(j) = \mathcal{g}^{3N\lambda + P\_2 + P\_3 + P\_4 - 3P\_1 \bmod N^2} \\ c\_{d2}^{(l)}(j) = \mathcal{g}^{3N\lambda + 3P\_1 - P\_2 - P\_3 - P\_4 \bmod N^2} \end{cases} \tag{25}$$

#### 3.3.2. Constructing the Mapping Table

Due to the spatial correlation of the 3D model, the vertex coordinates are relatively close in space. According to the experiments on multiple 3D model, the direction values are usually in a certain range, and the maximum direction value is usually related to the number of vertices in the patch. As illustrated in Figure 5, the blue line shows the change in the maximum direction value when the number of vertices in the patch changes. The red line is the fitted curve of the blue line, and its fitting function *F*(*Nl*) satisfies

$$F(N\_l) = 1.925 \cdot (N\_l - 1)^3 - 60.6 \cdot (N\_l - 1)^2 + 528 \cdot (N\_l - 1) - 609 \tag{26}$$

Therefore, the direction values are all within a certain range. When the number of vertices of the patch changes, the direction values does not exceed *F*(*Nl*). Moreover, in order to obtain robustness, the robust interval *T*(*Nl*) is designed in the process of histogram shifting. The robust interval *T*(*Nl*) is related to the number of the patch, which is defined by

$$T(N\_l) = t \cdot (N\_l - 1) \tag{27}$$

where *t* represents the strength of robustness. Hence, the change of direction values is *F*(*Nl*) + *T*(*Nl*) at most.

Suppose that *dp* denotes the absolute of direction values, then *dp* ∈ [0, 2*F*(*Nl*) + *T*(*Nl*)]. With the public key, and the ciphertext *cdp* corresponding to *dp* can be calculated by

$$\varepsilon\_{d\_p} = g^{d\_p} \text{mod}N^2, \quad d\_p = 0, 1, 2, \dots, 2F(N\_l) + T(N\_l) \tag{28}$$

**Figure 5.** The blue line represents relationship between the maximum direction value and the number of vertices of the patch, and the red line is the fitted curve of the blue line.

Hence, the mapping table can be constructed as illustrated in Figure 6, and the direction values in ciphertext can be mapped to the direction values in plaintext through the mapping table *cdp* . The mapping method is described as follows: *cdp* is a ciphertext set obtained by encrypting all possible values *dp*. When *c* (*l*) *<sup>d</sup>*<sup>1</sup> (*j*) matches the value *cdp* [*m*] in *cdp* , it indicates *<sup>d</sup>*(*l*)(*j*) <sup>≥</sup> 0, and *<sup>d</sup>*(*l*)(*j*) = *dp*[*m*]. When *c* (*l*) *<sup>d</sup>*<sup>2</sup> (*j*) matches the value *cdp* [*m*] in *cdp* , it indicates *<sup>d</sup>*(*l*)(*j*) <sup>&</sup>lt; 0, and *<sup>d</sup>*(*l*)(*j*) = <sup>−</sup>*dp*[*m*], where *m* ∈ [0, 2*F*(*Nl*) + *T*(*Nl*)), and *dp*[*m*] represents the *mth* value in the mapping table. Therefore, without the private key, the direction values in plaintext can be obtained by querying the mapping table.

**Figure 6.** The mapping table.

3.3.3. Constructing the Symmetrical Direction Histogram

In the proposed method, the direction values in ciphertext are first calculated using the MMI method. Then, according to all possible direction values, the mapping table can be constructed, so the direction values in ciphertext can be mapped to direction values in plaintext. Last, the direction histogram can be constructed by counting all direction values. The direction histogram of all patches with six vertices is shown as Figure 7. It is found that most direction values are concentrated in the central area, and only a small part of the direction values are beyond the central area. Moreover, the direction histogram is symmetrical visually.

**Figure 7.** The direction histogram of patches with seven vertices.

#### 3.3.4. Embedding Watermark by Histogram Shifting

In the proposed method, the watermark is embedded by shifting the direction histogram. In order to embed the watermark, the changed direction values should exceed the range of original histogram. Using *F*(*Nl*) and *T*(*Nl*) as embedding keys, the embedded function *B*(*Nl*) is defined by Equation (29) to change the direction values.

$$B(N\_l) = \left\lceil \frac{F(N\_l) + T(N\_l)}{N\_l - 1} \right\rceil = t + 528 + q(N\_l - 1) \tag{29}$$

where ϕ(*Nl* − 1) is the function about *Nl* − 1, ϕ(*Nl* − 1) will not change, and · means to round up. Suppose that β = *t* + 528, and *B*(*Nl*) can be changed by modifying β. Moreover, three bits can be embedded by changing three direction values of a patch. Suppose that *<sup>C</sup>*(*l*) *<sup>w</sup>* denotes the encrypted patch with watermark. If the watermark bit '0 needs to be embedded, the vertex coordinate is not changed, which means *<sup>C</sup>*(*l*) *<sup>w</sup>* = *C*(*l*). If the bit '1 needs to be embedded, the ciphertext *C*(*l*)(*p*, *j*) in the patch *<sup>C</sup>*(*l*) *<sup>w</sup>* is changed by Equation (30) to obtain *<sup>C</sup>*(*l*) *<sup>w</sup>* (*p*, *j*).

$$C\_w^{(l)}(p,j) = \begin{cases} C^{(l)}(p,j) \cdot g^{\mathbb{R}[N\_l]} = g^{\mathbb{P}^{(l)}(p,j) + \mathbb{B}[N\_l]} \cdot r\_1(k)^N \text{mod}N, & \text{if } d^{(l)}(j) \in [0, f(N\_l)) \text{ and } p = 2, 3, \dots, N \\\ C^{(l)}(p,j) \cdot g^{\mathbb{R}[N\_l]} = g^{\mathbb{P}^{(l)}(p,j) + \mathbb{B}[N\_l]} \cdot r\_1(k)^N \text{mod}N, & \text{if } d^{(l)}(j) \in (-f(N\_l), 0) \text{ and } p = 1 \end{cases} \tag{30}$$

where *C*(*l*) *<sup>w</sup>* (*p*, *<sup>j</sup>*) is the encrypted patch with watermark. Suppose that *<sup>P</sup>*(*l*) *<sup>w</sup>* (*p*, *j*) denotes the decrypted patch with watermark. The operation in ciphertext is equivalent to change the coordinates *P*(*l*)(*p*, *j*) to *<sup>P</sup>*(*l*) *<sup>w</sup>* (*p*, *j*) in plaintext.

$$P\_w^{(l)}(p,j) = \begin{cases} P^{(l)}(p,j) + B(\mathcal{N}\_l), & \text{if } d^{(l)}(j) \in [0, F(\mathcal{N}\_l)) \text{ and } p = 2, 3, \dots, N \\\ P^{(l)}(p,j) + B(\mathcal{N}\_l), & \text{if } d^{(l)}(j) \in (-F(\mathcal{N}\_l), 0) \text{ and } p = 1 \end{cases} \tag{31}$$

Suppose that *d* (*l*) *<sup>w</sup>* (*j*) denotes the direction value with watermark. After embedding the bit '0 , *d* (*l*) *<sup>w</sup>* (*j*) is still in the range ( −*F*(*Nl*), *F*(*Nl*) ), so ( −*F*(*Nl*), *F*(*Nl*) ) is called the 0-bit area. After embedding the bit '1 , *d*(*l*)(*j*) will be changed by the size of *F*(*Nl*) + *T*(*Nl*) for making *d* (*l*) *<sup>w</sup>* (*j*) within the range (−2*F*(*Nl*) − *T*(*Nl*),−*F*(*Nl*) − *T*(*Nl*)] or [*F*(*Nl*) + *T*(*Nl*), 2*F*(*Nl*) + *T*(*Nl*)). (−2*F*(*Nl*) − *T*(*Nl*),−*F*(*Nl*) − *T*(*Nl*)] and [*F*(*Nl*) + *T*(*Nl*), 2*F*(*Nl*) + *T*(*Nl*)) are called the 1-bit area. Finally, the encrypted model with

watermark can be obtained. For example, after embedding 1000 bits, the direction histogram is shown in Figure 8. When embedding the bit '0 , the direction values are still in the 0-bit area. When embedding the bit '1 , the direction values will be shifted into the 1-bit area. Moreover, the 0-bit area and the 1-area are separated by the robust interval of size *T*(*Nl*). Hence, the watermark is embedded successfully.

**Figure 8.** The watermarked histogram. After embedding the watermark, the original direction histogram can be divided into 0-bit area and 1-bit area. The 0-bit area and 1-bit area are separated by the robust interval of size *T*(*Nl*).
