Reversible Data Hiding with Pixel Prediction and Additive Homomorphism for Encrypted Image

Yu, Chunqiang; Zhang, Xianquan; Tang, Zhenjun; Chen, Yan; Huang, Jingyu

doi:https://doi.org/10.1155/2018/9103418

Security and Communication Networks

On this page

Abstract Introduction Experimental Results Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2018 | Article ID 9103418 | https://doi.org/10.1155/2018/9103418

Reversible Data Hiding with Pixel Prediction and Additive Homomorphism for Encrypted Image

Chunqiang Yu,^1,2Xianquan Zhang ,^1,2,3Zhenjun Tang ,³Yan Chen,^1,2and Jingyu Huang⁴

Academic Editor: David Megias

Received01 May 2018

Revised27 Jun 2018

Accepted17 Jul 2018

Published04 Sept 2018

Abstract

Data hiding in encrypted image is a recent popular topic of data security. In this paper, we propose a reversible data hiding algorithm with pixel prediction and additive homomorphism for encrypted image. Specifically, the proposed algorithm applies pixel prediction to the input image for generating a cover image for data embedding, referred to as the preprocessed image. The preprocessed image is then encrypted by additive homomorphism. Secret data is finally embedded into the encrypted image via modular 256 addition. During secret data extraction and image recovery, addition homomorphism and pixel prediction are jointly used. Experimental results demonstrate that the proposed algorithm can accurately recover original image and reach high embedding capacity and good visual quality. Comparisons show that the proposed algorithm outperforms some recent algorithms in embedding capacity and visual quality.

1. Introduction

Data hiding is an important technology for embedding secret data into a meaningful cover medium (such as an image or a video) to generate a stego-medium with a small distortion [1, 2]. Reversible data hiding (RDH) is a branch of data hiding, which can restore the original image from the stego-image after extraction of the embedded data. This restoration property of RDH plays an important role in those data-sensitive applications, such as medical imagery, military imagery, and law forensics, in which the cover image must be accurately restored.

In the past years, various RDH algorithms have been proposed. Generally, these RDH algorithms can be classified into three categories: lossless compression based algorithms, difference expansion (DE) based algorithms, and histogram shifting (HS) based algorithms. Lossless compression based algorithms vacate space for embedding secret message by losslessly compressing the least significant bit (LSB) planes or quantization residuals [3, 4]. They can be applied to image authentication and watermarking, but their embedding capacities are limited. DE based algorithms usually shift the difference of neighboring pixels for creating a vacant least significant bit (LSB) and append one secret bit to the vacated LSB [5, 6]. The HS based algorithms firstly shift the bins of histogram of gray values [7] or the predicted errors [8–12] for generating vacated space and then embed secret data into the vacated space. This kind of algorithms can provide a good trade-off between embedding capacity and visual quality.

Image encryption is a useful technique for protecting image content [13, 14]. It can convert an original image, known as plaintext image, into a meaningless image called the encrypted image. Since it cannot observe any useful information from the encrypted image, image content security is achieved. In some application scenarios, such as cloud storage, there are many encrypted images and people would like to embed secret message into encrypted images for privacy protection. These applications require efficient RDH algorithms for encrypted images.

Recently, many researchers have developed various RDH algorithms in encrypted images since the encrypted images are widely generated and stored in cyberspace. For example, Zhang [15] proposed a famous RDH algorithm in encrypted image. This RDH algorithm divides the encrypted image into several blocks and embeds a secret bit into a block by flipping 3 LSBs of a half of pixels in the block. This algorithm extracts secret data by exploiting a fluctuation function in terms of spatial correlation in natural images. Zhang’ algorithm is the preliminary research of RDH algorithms in encrypted images, but this algorithm will cause bit errors in the recovered image and the extracted data for some cases. Hong et al. [16] exploited the spatial correlation using a different estimation equation and side match technique to achieve a low error rate. To reduce error rate, Liao and Shu [17] designed a useful metric for measuring block complexity by considering neighbor pixels in terms of the locations. In another work, Qin and Zhang [18] presented an RDH scheme with capability of image content protection. This scheme only alters three LSBs of selected pixels of encrypted image for secret bit embedding. The above-mentioned algorithms rely on spatial correlation of original image when extracting data, and their procedures of image recovery and data extraction are similar. For the encrypted JPEG images, Qian et al. [19] exploited the coding/decoding principle of the JPEG image to design a reversible data hiding scheme.

To separate data extraction from image decryption, Zhang [20] proposed to compress the encrypted images to vacate room for data hiding. In [21], Qian and Zhang exploited distributed source coding to improve the embedding capacity of the RDH algorithm [20]. However, their encryption disorganizes spatial correlation of pixels and thus it is difficult to vacate space for data hiding. In another study, Yi et al. [22] exploited block permutation conduct image encryption for preserving spatial redundancy and used adaptive block-level based prediction-error expansion to conceal secret bits in the encrypted image blocks. Tang et al. [23] proposed a reversible data hiding algorithm in encrypted domain by exploiting alpha channel of portable network graphics (PNG) image. In this RDH algorithm, secret data is divided into some segments. For each segment, one bit is embedded into the LSB of encrypted pixel and other bits are hidden in the corresponding element of the alpha channel. A common feature of the above RDH algorithms is that they all embed secret data after image encryption.

Some researchers [24–27] have proposed the idea of preprocessing image before encryption for data embedding. For example, Ma et al. [24] provided an RDH algorithm in encrypted images by reserving room before encryption. This algorithm first empties out room by embedding LSBs of some pixels into other pixels with a traditional RDH method, then encrypts the image, and finally uses the positions of these LSBs in the encrypted image to conceal secret data. Xu et al. [25] designed a specific encryption mode to encrypt interpolation-error of nonsample pixels and embedded secret data into interpolation-error using a modified version of histogram shifting and difference expansion technique. In another work, Nguyen et al. [26] used half of the pixels to classify the rest of the pixels into smooth and complex regions to provide room for embedding additional data. Agrawal and Kumar [27] divided original image into several consecutive sets, calculated mean of each set, stored it at the first element of its set before encryption, and finally embedded a secret bit into the encrypted pixels of one set except for the pixel holding the mean value in the set.

Recently, homomorphic encryption is introduced to RDH algorithms in encrypted images [28–32]. In [28], the exclusive-or values of two neighboring pixels are reserved after image encryption so as to carry the additional data to be embedded. This is done by using the same pseudorandom bits to encrypt two neighboring pixels. Actually, the homomorphic property is equipped in the scheme [28]. Chen et al. [29] used Paillier encryption [33] to encrypt each pixel and embedded a secret bit into a pair of adjacent encrypted pixels. Shiu et al. [30] proceed a pair of adjacent original pixels using difference expansion to obtain a pair of odd or even pixels and then used Paillier encryption to encrypt the proceeded pixels. Similar to [29], this algorithm also embeds a secret bit into a pair of adjacent encrypted pixels. A common weakness of the use of Paillier encryption in [29, 30] is data expansion. In another study, Li et al. [31] divided image into several crosses, adopted the same key to encrypt pixels in each cross, and accommodated for data hiding by using the difference histogram of the encrypted image. Xiao et al. [32] divided image into several blocks and conducted data hiding in each block via additive homomorphism and pixel value ordering strategy. Zhang et al. [34] proposed a lossless and reversible data hiding algorithm for ciphertext images encrypted by public key cryptography with probabilistic and homomorphic properties. This algorithm shows better performances than some previous algorithms [15, 16, 20] in terms of PSNR in directly decrypted image.

Although some useful homomorphism encryption-based RDH algorithms [29–31] for encrypted image have been reported. Their embedding capacity and visual quality are not desirable yet. For example, Chen’s method [29] and Shiu’s method [30] can only reach 0.5 bpp, and Li’ scheme [31] cannot reach 0.8 bpp for most test images. Aiming at these problems, we propose an error-free RDH algorithm in encrypted domain. Our algorithm not only perfectly recovers original images but also reaches high embedding capacity and good visual quality. Many experiments are conducted to validate our efficiency and the results demonstrate that our algorithm outperforms some recent algorithms. The remainder of this paper is organized as follows. Section 2 explains our algorithm and Section 3 discusses experimental results. Conclusions are finally drawn in Section 4.

2. Proposed Reversible Data Hiding

Our proposed algorithm consists of four components: image encryption with homomorphism, data embedding with additive homomorphism, data extraction, and image recovery. Details of these components will be explained in the following sections.

2.1. Image Encryption with Homomorphism

This component can be divided into two parts: the preprocessed image generation with prediction and homomorphism encryption. In our RDH algorithm, secret data will be embedded into the encrypted image by using additive homomorphism.

2.1.1. Preprocessed Image Generation with Prediction

Predictors [35–38] are widely used in RDH algorithms for plaintext image. In this paper, we select an accurate gradient selective prediction (AGSP) predictor [38] to determine the original pixel predictions, which are used to construct preprocessed pixels. The reason of our selection of AGSP predictor is that it can reach a good balance between predictor performance and computational cost. The AGSP predictor operates on the nine neighboring pixels (i.e., x₁, x₂, x₃, x₄, x₅, x₆, x₇, x₈, and x₉) of the current pixel x, as shown in Figure 1. The estimated gradients of four directions (i.e., horizontal, vertical, 45 degrees, and -45 degrees) are denoted by D₁, D₂, D_3, and D₄. The corresponding pixels of these gradients D₁, D₂, D_3, and D₄ are x₆, x₉, x₇, and x₅, respectively. Suppose that and are two smallest gradients among D₁, D₂, D₃, and D₄ and their corresponding pixels are and . The prediction of x can be calculated as follows:

Let I be an 8-bit grayscale uncompressed original image with H×W size and I(i,j) be the pixel value in the i-th row and j-th column of I, where 1 ≤ i ≤ H, 1 ≤ j ≤ W. As shown in Figure 2, the original image I is divided into four regions denoted as , , , and , where consists of all pixels used for embedding auxiliary information, consists of unused pixels, consists of pixels used for prediction, and consists of pixels used for embedding secret data. The sizes of , , , and will be described in Section 2.2. Those pixels of , , and are kept unchanged in this stage. The pixels of are scanned from left to right and top to down, as shown in Figure 2. For the pixel I(i,j) of , if it is located in a texture region, it may have a poor prediction. Here the local smoothness estimator is defined as the invariance denoted by Cp(i,j), which is used to determine whether I(i,j) is located in a smooth region or not. Consequently, Cp(i,j) can be determined as follows.where and are the maximum value and minimum value of the nine neighboring pixels of I(i,j), respectively. If Cp(i,j) is not bigger than a predefined threshold , I(i,j) and its neighboring pixels are highly correlative and it is considered as the pixel in smooth region. Otherwise, I(i,j) is viewed as the pixel in textural region. Note that T should be determined in terms of image content. In general, a small T value is good for smooth image and a big T value is suitable for textural image.

If I(i,j) is located in a textural region, I(i,j) is kept unchanged. If I(i,j) is located in a smooth region, we calculate the prediction of I(i,j) using AGSP predictor and denote it as I(i,j)′. Therefore, the prediction-error can be calculated as D(i,j)=I(i,j) − I(i,j)′. Since I(i,j) is close to its predictive value I(i,j)′, D(i,j) is small with a high probability. Consequently, the preprocessed pixel I_p(i,j) can be calculated as follows:where r (r≥1) implies how many bits can be embedded in the pixel and r will be introduced in Section 2.2. Further, (3) can be rewritten as Note that I_p(i,j) may cause underflow or overflow. To avoid this, a location map L₁ with H×W size is exploited to record the underflow or overflow pixels. Specifically, if I_p(i,j) >255 or I_p(i,j)<0, L₁(i,j)=1 and I(i,j) is kept unchanged. Otherwise, L₁(i,j)=0 and we use (3) to calculate I_p(i,j). Let F be the preprocessed image and F(i,j) (1 ≤ i ≤ H, 1 ≤ j ≤ W) be the pixel value in the i-th row and j-th column of F. Thus, F(i,j) can be obtained as follows.After the above calculation, the preprocessed image F is generated.

2.1.2. Homomorphism Encryption

Homomorphic encryption is an efficient encryption technology with the useful property that computation on ciphertext is equivalent to the computation on its plaintext. Here, a homomorphic encryption method [39] by addition modulo 256 is used. Suppose that m and c represent the plaintext and ciphertext. Thus, the homomorphic encryption and homomorphic decryption are described in (6) and (7), respectively,where k denotes encryption key and E(·,·) and D(·,·) are the encryption and decryption operations, respectively. An important property of the above encryption is the addition homomorphism in the plaintext domain. Let m₁ and m₂ be two different plain values whose corresponding random encryption keys are k₁ and k₂. Thus, we have the following equations:where is modular 256 addition. Especially, if k₂ is equal to zero, m₂ is considered as a given signal. Therefore, (8) and (9) can be rewritten asFrom (10) and (11), it can be found that addition operation can be done directly on the encrypted data without decryption.

In this work, we exploit the RC4 [40] controlled by an encryption key seed to generate a key matrix k(i,j) (1≤i≤H, 1≤j≤W), encrypt F(i,j) with the corresponding key k(i,j) by (6), and obtain the encrypted pixel C(i, j). After all pixels are processed, the encrypted image C is then available.

2.2. Data Embedding with Additive Homomorphism

Since the encrypted image C is generated using homomorphic encryption, we can embed secret data according to the property of additive homomorphism. Firstly, we convert a binary secret message into a sequence of secret digits in 2^r-ary notational system. Then, secret digits can be embedded into those pixels of the encrypted image C in except the marked pixels by L₁. Let a secret digit be s (0 ≤ s ≤2^r−1). For a pixel C(i,j), if Cp(i,j)>T, C(i,j) is kept unchanged; i.e., C(i,j)′=C(i,j). Otherwise, we use the key whose value is 0 to encrypt s and embed s into C(i,j) as follows.

Note that if (F(i,j) + s) ≥ 256, the decrypted result of (10) should be (F(i,j)+s) mod 256. To accurately recover the original image and extract secret data, those pixels satisfying (F(i,j) + s) ≥ 256 must be recorded. To do so, another location map L₂ is used here. Since 0 ≤ s ≤ 2^r−1, the location map L₂ records the pixels whose values are larger than or equal to 256 − s =256 − (2^r−1). Therefore, if F(i,j) ≥ 256−(2^r−1), L₂(i,j)=1 and C(i,j)′=C(i,j). Otherwise, L₂(i,j)=0 and s is embedded according to (12). Moreover, secret bits are not embedded into those pixels marked by L₁ and L₂. Note that the location map L₁ is generated in the process of image encryption, while the location map L₂ is generated during data hiding. Both location maps should be embedded into the cover image. To reduce the size of data embedded, lossless compression with arithmetic coding is exploited to compress the location maps.

To exactly extract the secret data and recover the original image, some auxiliary information must be embedded into the encrypted image, including the size of secret digits, capacity parameter r, the threshold T, the sizes of two compressed location maps, and the two compressed location maps. As the size of secret digits is less than or equal to the number of pixels in the original image, log₂HW bits are enough to record it, where H and W are the height and width of the original image, respectively. Similarly, 2log₂HW bits are enough to save the sizes of two compressed location maps. Although a larger r will bring higher embedding capacity, it will also degrade image quality according to (3). To balance the embedding capacity and image quality, the r value should be less than or equal to 7. Therefore, 3 bits can represent the r value. As the range of T is , 8 bits can represent the T value. Let the size of compressed version of L₁ be l₁ and the size of compressed version of L₂ be l₂. Thus, the size of auxiliary information can be determined as follows.Table 1 presents the auxiliary information and their data sizes.

Here the auxiliary information is embedded into the 3 LSBs of the encrypted pixels in by using LSB replacement technique. Note that secret data and the 3 LSBs of the encrypted pixels in are firstly concatenated to construct the data for embedding into in our algorithm. As the 3 LSBs of the used encrypted pixels in are preserved in advance, they can be accurately recovered during image recovery.

Clearly, the number of pixels in is , where is the rounding function. The number of pixels in isThe number of pixels in is t₃=2×W+3×(H − − 2). Let the total number of the pixels marked by L₁ and L₂ in be t₄. Thus, the maximum pure embedding capacity (EC) of our RDH algorithm can be calculated as follows.Note that the data hiding keys of our algorithm are the r value and the T value. In addition, the encrypted image containing secret data is called the marked encrypted image in the following sections.

2.3. Data Extraction and Image Recovery

When the receiver obtains a marked encrypted image, he/she can conduct different operations according to the knowledge of keys. If only the encryption key is available, he/she can decrypt the marked encrypted image to directly retrieve the decrypted image, which is approximate to the original image. If both the encryption key and data hiding key are known, he/she can extract secret data exactly and recover the original image without errors. In this case, auxiliary information is firstly extracted from the 3 LSBs of pixels in . Then, the two compressed location maps are decompressed to retrieve the location maps L₁ and L₂. Next, we extract secret digits and recover the original pixels as follows.

If or or and L₁(i,j)=1, we directly decrypt with k(i,j) to recover the original pixel I(i,j) according to (7).

If and L₁(i,j)=0, we can obtain a decrypted pixel by k(i,j). Since the original pixels which belong to or have been recovered, Cp(i,j) can be calculated by AGSP predictor. If Cp(i,j) > T, I(i,j)=F(i,j)′. Otherwise, Cp(i,j) ≤ T and secret digits are embedded by additive homomorphism. Clearly, if L₂(i,j)=0, F(i,j)′= F(i,j)+s. Otherwise F(i,j)′=F(i,j). Clearly, I(i,j)=(F(i,j)+(2^r−1)×I(i,j)′)/2^r by (5), where I(i,j)′ is the prediction which can be calculated by AGSP predictor. For L₂(i,j)=1, its original pixel can be determined by I(i,j) =(F(i,j)+(2^r−1)×I(i,j)′)/2^r =, where is the floor rounding operation. For L₂(i,j)=0, since F(i,j)′=F(i,j)+s, its original pixel I(i,j)=(F(i,j)′−s+(2^r−1)×I(i,j)′)/2^r=. As 0 ≤ s ≤ 2^r−1, is 0. Therefore, I(i,j)=. Consequently, the original pixel can be uniformly rewritten asMeanwhile, if L₂(i,j)=0, F(i,j)′=F(i,j)+s=2^r×I(i,j) − (2^r−1)×I(i,j)′+s. It is clear that F(i,j)′-I(i,j)′=2^r×(I(i,j)- I(i,j)′)+s. Then the secret digit s can be extracted as follows.The recovered pixel I(i,j) is used to recover the next pixel and extract the next secret digit. Consequently, the entire original pixels in are recovered and all secret digits are extracted according to the above scheme. Then, the secret digits are converted into a sequence of binary data. Note that the binary data is constructed by secret bits and the 3 LSBs of the used pixels in . Consequently, the binary data is divided into two parts and the preserved 3 LSBs of the used pixels are used to replace the 3 LSBs of the corresponding pixels in . After that, the encrypted pixels in are recovered and then they are decrypted to restore the original pixels. Finally, the original image is restored by the recovered pixels of the four regions.

3. Experimental Results

Many experiments are carried out to validate our performances. In the experiments, for a given embedding capacity, the threshold T is varied from 0 to 255 until the embedding capacity is satisfied. Section 3.1 presents the performance of encryption, Section 3.2 discusses our embedding capacity and visual quality, and Section 3.3 analyzes comparisons with other RDH algorithms.

3.1. Encryption Performance

Eight images sized 512×512 as shown in Figure 3 are used to test the perceptual security and the statistical security of the proposed encryption scheme. For space limitation, we encrypt eight images with r=1 to obtain the encrypted versions, as shown in Figure 4. Clearly, the encrypted images are meaningless images, and we cannot observe any useful details of the original images from Figure 5. This verifies that the proposed encryption scheme is effective.

(a) Lena

(b) Airplane

(c) Barbara

(d) Baboon

(e) Peppers

(f) Boats

(g) Man

(h) Tiffany

(a) Lena

(b) Airplane

(c) Barbara

(d) Baboon

(e) Peppers

(f) Boats

(g) Man

(h) Tiffany

(a) Lena

(b) Airplane

(c) Barbara

(d) Baboon

(e) Peppers

(f) Boats

(g) Man

(h) Tiffany

To quantitatively measure the performance of the proposed encryption scheme, the objective metrics including entropy and correlation coefficient are used. The information entropy is an important measure of randomness, which is defined as follows.where E=, e₁, …, and P(e_i) is the possibility of occurrence of e_i. In general, the bigger the entropy, the more secure the algorithm. For grayscale images, L=256 and the theoretical maximum value of entropy is 8. Table 2 presents the entropies of the encrypted images. It is found that all values are close to 8. This means that our encryption scheme is secure.

Here, the well-known correlation coefficient is exploited to measure correlation among an image pair. It is defined aswhere X and Y denote the matrices of the original image and the encrypted image, respectively, Cov means the covariance, and D means the variance. Table 2 illustrates the correlation coefficients between the original images and the encrypted images. It can be seen that the correlation coefficients are all almost 0. This means that there is almost no correlation between the encrypted image and the original image, indicating security of our encryption scheme.

3.2. Embedding Capacity and Visual Quality

When T=255, all pixels except those marked pixels by L₁ and L₂ in of the encrypted image can be used for data hiding. Obviously, the maximum pure embedding capacity of each image is determined by the parameter r, as shown in (12). Tables 3–6 list the pure embedding rate and PSNR of the directly decrypted images with different r values. For space limitation, the directly decrypted images with r=1 are shown in Figures 5(a)–5(h). It is found that their visual qualities are satisfactory and their PSNR values are 30.6759, 32.3934, 28.458, 23.2063, 32.1131, 32.3676, 30.2753, and 30.7629. It can be also seen that there exists a maximum embedding rate for each image. In Tables 3–6, the texts in bold are the maximum embedding rates of the test images. For Lena, Airplane, Barbara, Baboon, Peppers, Boats, Man, and Tiffany, their maximum pure embedding rates are 1.947, 1.8433, 1.452, 1.002, 1.5292, 1.8122, 1.6755, and 1.7007 bpp when r=3, r=3, r=2, r=2, r=3, r=3, r=2, and r=3, respectively. Figure 6 presents the embedding rate of different test images under different r values. As r increases, the embedding rate also increases and reaches maximum value when r=2 or r=3. A bigger r means more pixels marked by L₁ and L₂ and then more auxiliary information should be recorded, which will decrease the pure embedding rate. In addition, the embedding rate and visual quality are both closely related to image contents. It is observed that smooth images will generally have bigger embedding rate and better visual quality than the textural images. That is the reason why the EC and PSNR of Barbara and Baboon are smaller than those of other test images.

Table 7 lists the PSNRs of the eight decrypted images containing embedded data under different embedding rates when r=1. Clearly, a high embedding rate will lead to a low PSNR. This is because more secret bits embedded will introduce more distortions on the encrypted images. Moreover, the PSNRs of the textural image Baboon are smaller than those of other test images. The reason is that the used prediction in our RDH algorithm is more effective in smooth images than textural images.

3.3. Performance Comparisons

In this section, we compare the proposed algorithm with some recent popular RDH algorithms [22, 26, 27, 30, 31]. Figure 7 is the PSNR comparison among the assessed algorithms under different test images when r=1. It is observed that the PSNRs of the proposed algorithm are bigger than those of the compared algorithms [26, 27, 30] under any embedding rate for all test images. The RDH algorithm reported in [27] has lower performance than other algorithms due to the fact that it embeds several bits into hundreds of pixels. When the embedding rate is small, the PSNRs of the proposed algorithm are not always bigger than those of the compared algorithms [22, 31]. However, when the embedding rate is big, such as 0.8 and 0.9, the proposed algorithm will reach good performance. Specifically, for Lena, Peppers, and Tiffany, the PSNRs of the proposed algorithm are bigger than those of [22] when the embedding rate is bigger than 0.4 bpp. For Barbara, Baboon, Boats, and Man, the PSNRs of the proposed algorithm are bigger than those of [22] when the embedding rate exceeds 0.2 bpp. Moreover, the PSNRs of the proposed algorithm are bigger than those of [31] for all test images except Lena and Baboon.

(a) Lena

(b) Airplane

(c) Barbara

(d) Baboon

(e) Peppers

(f) Boats

(g) Man

(h) Tiffany

Comparisons of the average PSNR of the eight test images among different algorithms are shown in Figure 8. Clearly, our average PSNRs are all bigger than those of the compared algorithms [26, 27, 30, 31] under different embedding rates. Our average PSNRs are all bigger than those of the compared algorithm [22] when the embedding rate is bigger than 0.2 bpp. Our proposed algorithm has better performance than the compared algorithms in terms of PSNR. This is contributed by our efficient strategies as follows. Firstly, during preprocessing image generation, image pixels are classified into four regions, i.e., , , , and , and only those pixels in and will be changed and the pixels in and are kept unchanged. It is clear that fewer pixels changed will lead to better visual quality. Secondly, for those pixels in , data embedding is conducted by additive homomorphism, i.e., adding a number s smaller than 2^r to pixel, which will not greatly change the pixel value. For example, if r=1, s is 0 or 1. If r=2, s may be 0, 1, 2, or 3. Thirdly, the location maps are compressed by arithmetic coding. This operation can reduce the amount of auxiliary information. Finally, auxiliary information is embedded into those pixels in by the LSB replacement technique, which introduces slight distortion on the image.

Moreover, the RDH algorithm [22] is not secure enough. In this algorithm, the users include image provider, data-hider, and receiver. The image provider encrypts input image by block permutation and stream encipher, where the block permutation only scrambles pixel positions and does not change pixel value. This means that the histogram of the original image is preserved after block permutation. During data embedding, data-hider must firstly decrypt the encrypted image by stream decipher (a reverse process of stream encipher), then conducts data embedding, and finally performs stream encipher again. In practice, image provider and data-hider are different persons, and the image provider will generally expect that anyone including the data-hider cannot observe any information of the encrypted image. However, as data-hider can decrypt encrypted image by stream decipher, he/she can obtain a scrambled image whose histogram is the same as the original image. Consequently, he/she can further exploit those histogram-based image hashing algorithms [41, 42] to retrieve the original image of the scrambled image. This is a security loophole. For the proposed algorithm and other compared algorithms, image decryption is not needed during data embedding, and therefore there is no such security issue.

Computational time of the assessed algorithms is also compared. All RDH algorithms are coded in MATLAB R2011a and run on a computer with an Intel i5 CPU with 3.40 GHz, 4.00 GB memory, and Windows 10 operating system. Table 8 lists the running time of different algorithms under the different images. Note that the running time consists of image encryption, data embedding, image decryption, and secret extraction and image recovery for all the algorithms. From Table 8, it is found that the algorithm reported in [27] has the fastest speed and the algorithm reported in [30] has the lowest speed. The algorithm reported in [30] is time-consuming. This is due to the high complexity of Paillier encryption adopted in the algorithm [30]. The proposed algorithm and the algorithm in [26] have similar running time performances, which are both better than those of [22, 31].

4. Conclusions

In this paper, a reversible data hiding with pixel prediction and additive homomorphism for encrypted image has been proposed. The proposed algorithm constructs a preprocessed image from the original image by using pixel prediction before encryption, then encrypts the preprocessed image by additive homomorphism, and embeds secret data into the encrypted image via modular 256 addition. The proposed algorithm uses homomorphic encryption, but it does not lead to data expansion. Experimental results have demonstrated that the proposed algorithm can accurately recover original image and reach high embedding capacity and good visual quality. Comparisons have shown that the proposed algorithm outperforms some recent RDH algorithms in embedding capacity and visual quality.

Data Availability

The images used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (61562007, 61762017, 61363034, and 81701780), Guangxi “Bagui Scholar” Teams for Innovation and Research, the Guangxi Natural Science Foundation (2017GXNSFAA198222, 2015GXNSFDA139040, and 2017GXNSFBA198221), the Project of Guangxi Science and Technology (GuiKeAD17195062), the Project of the Guangxi Key Lab of Multi-Source Information Mining & Security (16-A-02-02, 15-A-02-02), and Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems (15202).

References

X. Zhang and S. Wang, “Efficient steganographic embedding by exploiting modification direction,” IEEE Communications Letters, vol. 10, no. 11, pp. 781–783, 2006.
View at: Publisher Site | Google Scholar
X. Zhang, Z. Sun, Z. Tang, C. Yu, and X. Wang, “High capacity data hiding based on interpolated image,” Multimedia Tools and Applications, vol. 76, no. 7, pp. 9195–9218, 2017.
View at: Publisher Site | Google Scholar
J. Fridrich, M. Goljan, and R. Du, “Lossless data embedding: new paradigm in digital watermarking,” EURASIP Journal on Applied Signal Processing, vol. 2002, pp. 185–196, 2002.
View at: Google Scholar
M. U. Celik, G. Sharma, A. M. Tekalp, and E. Saber, “Lossless generalized-LSB data embedding,” IEEE Transactions on Image Processing, vol. 14, no. 2, pp. 253–266, 2005.
View at: Publisher Site | Google Scholar
J. Tian, “Reversible data embedding using a difference expansion,” IEEE Transactions on Circuits and Systems for Video Technology, vol. 13, no. 8, pp. 890–896, 2003.
View at: Publisher Site | Google Scholar
A. M. Alattar, “Reversible watermark using the difference expansion of a generalized integer transform,” IEEE Transactions on Image Processing, vol. 13, no. 8, pp. 1147–1156, 2004.
View at: Publisher Site | Google Scholar | MathSciNet
Z. Ni, Y.-Q. Shi, N. Ansari, and W. Su, “Reversible data hiding,” IEEE Transactions on Circuits and Systems for Video Technology, vol. 16, no. 3, pp. 354–361, 2006.
View at: Publisher Site | Google Scholar
X. Ma, Z. Pan, S. Hu, and L. Wang, “High-fidelity reversible data hiding scheme based on multi-predictor sorting and selecting mechanism,” Journal of Visual Communication and Image Representation, vol. 28, pp. 71–82, 2015.
View at: Publisher Site | Google Scholar
H.-T. Wu, S. Tang, J. Huang, and Y.-Q. Shi, “A novel reversible data hiding method with image contrast enhancement,” Signal Processing: Image Communication, vol. 62, pp. 64–73, 2018.
View at: Publisher Site | Google Scholar
L. Luo, Z. Chen, M. Chen, X. Zeng, and Z. Xiong, “Reversible image watermarking using interpolation technique,” IEEE Transactions on Information Forensics and Security, vol. 5, no. 1, pp. 187–193, 2010.
View at: Publisher Site | Google Scholar
S. Weng, G. Zhang, J.-S. Pan, and Z. Zhou, “Optimal PPVO-based reversible data hiding,” Journal of Visual Communication and Image Representation, vol. 48, pp. 317–328, 2017.
View at: Publisher Site | Google Scholar
W. He, K. Zhou, J. Cai, L. Wang, and G. Xiong, “Reversible data hiding using multi-pass pixel value ordering and prediction-error expansion,” Journal of Visual Communication and Image Representation, vol. 49, pp. 351–360, 2017.
View at: Publisher Site | Google Scholar
Z. Tang, F. Wang, and X. Zhang, “Image encryption based on random projection partition and chaotic system,” Multimedia Tools and Applications, vol. 76, no. 6, pp. 8257–8283, 2017.
View at: Publisher Site | Google Scholar
Z. Tang, J. Song, X. Zhang, and R. Sun, “Multiple-image encryption with bit-plane decomposition and chaotic maps,” Optics and Lasers in Engineering, vol. 80, pp. 1–11, 2016.
View at: Publisher Site | Google Scholar
X. P. Zhang, “Reversible data hiding in encrypted image,” IEEE Signal Processing Letters, vol. 18, no. 4, pp. 255–258, 2011.
View at: Publisher Site | Google Scholar
W. Hong, T.-S. Chen, and H.-Y. Wu, “An improved reversible data hiding in encrypted images using side match,” IEEE Signal Processing Letters, vol. 19, no. 4, pp. 199–202, 2012.
View at: Publisher Site | Google Scholar
X. Liao and C. Shu, “Reversible data hiding in encrypted images based on absolute mean difference of multiple neighboring pixels,” Journal of Visual Communication and Image Representation, vol. 28, pp. 21–27, 2015.
View at: Publisher Site | Google Scholar
C. Qin and X. Zhang, “Effective reversible data hiding in encrypted image with privacy protection for image content,” Journal of Visual Communication and Image Representation, vol. 31, pp. 154–164, 2015.
View at: Publisher Site | Google Scholar
Z. Qian, X. Zhang, and S. Wang, “Reversible data hiding in encrypted JPEG bitstream,” IEEE Transactions on Multimedia, vol. 16, no. 5, pp. 1486–1491, 2014.
View at: Publisher Site | Google Scholar
X. P. Zhang, “Separable reversible data hiding in encrypted image,” IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, pp. 826–832, 2012.
View at: Publisher Site | Google Scholar
Z. Qian and X. Zhang, “Reversible data hiding in encrypted images with distributed source encoding,” IEEE Transactions on Circuits and Systems for Video Technology, vol. 26, no. 4, pp. 636–646, 2016.
View at: Publisher Site | Google Scholar
S. Yi, Y. Zhou, and Z. Hua, “Reversible data hiding in encrypted images using adaptive block-level prediction-error expansion,” Signal Processing: Image Communication, vol. 64, pp. 78–88, 2018.
View at: Publisher Site | Google Scholar
Z. Tang, Q. Lu, H. Lao, C. Yu, and X. Zhang, “Error-free reversible data hiding with high capacity in encrypted image,” Optik - International Journal for Light and Electron Optics, vol. 157, pp. 750–760, 2018.
View at: Publisher Site | Google Scholar
K. Ma, W. Zhang, X. Zhao, N. Yu, and F. Li, “Reversible data hiding in encrypted images by reserving room before encryption,” IEEE Transactions on Information Forensics and Security, vol. 8, no. 3, pp. 553–562, 2013.
View at: Publisher Site | Google Scholar
D. Xu and R. Wang, “Separable and error-free reversible data hiding in encrypted images,” Signal Processing, vol. 123, pp. 9–21, 2016.
View at: Publisher Site | Google Scholar
T.-S. Nguyen, C.-C. Chang, and W.-C. Chang, “High capacity reversible data hiding scheme for encrypted images,” Signal Processing: Image Communication, vol. 44, pp. 84–91, 2016.
View at: Publisher Site | Google Scholar
S. Agrawal and M. Kumar, “Mean value based reversible data hiding in encrypted images,” Optik - International Journal for Light and Electron Optics, vol. 130, pp. 922–934, 2017.
View at: Publisher Site | Google Scholar
X. Zhang, “Commutative reversible data hiding and encryption,” Security and Communication Networks, vol. 6, no. 11, pp. 1396–1403, 2013.
View at: Publisher Site | Google Scholar
Y.-C. Chen, C.-W. Shiu, and G. Horng, “Encrypted signal-based reversible data hiding with public key cryptosystem,” Journal of Visual Communication and Image Representation, vol. 25, no. 5, pp. 1164–1170, 2014.
View at: Publisher Site | Google Scholar
C.-W. Shiu, Y.-C. Chen, and W. Hong, “Encrypted image-based reversible data hiding with public key cryptography from difference expansion,” Signal Processing: Image Communication, vol. 39, pp. 226–233, 2015.
View at: Publisher Site | Google Scholar
M. Li, D. Xiao, Y. Zhang, and H. Nan, “Reversible data hiding in encrypted images using cross division and additive homomorphism,” Signal Processing: Image Communication, vol. 39, pp. 234–248, 2015.
View at: Publisher Site | Google Scholar
D. Xiao, Y. Xiang, H. Zheng, and Y. Wang, “Separable reversible data hiding in encrypted image based on pixel value ordering and additive homomorphism,” Journal of Visual Communication and Image Representation, vol. 45, pp. 1–10, 2017.
View at: Publisher Site | Google Scholar
P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, pp. 223–238, 1999.
View at: Google Scholar | MathSciNet
X. Zhang, J. Long, Z. Wang, and H. Cheng, “Lossless and Reversible Data Hiding in Encrypted Images with Public-Key Cryptography,” IEEE Transactions on Circuits and Systems for Video Technology, vol. 26, no. 9, pp. 1622–1631, 2016.
View at: Publisher Site | Google Scholar
M. J. Weinberger, G. Seroussi, and G. Sapiro, “The LOCO-I lossless image compression algorithm: principles and standardization into JPEG-LS,” IEEE Transactions on Image Processing, vol. 9, no. 8, pp. 1309–1324, 2000.
View at: Publisher Site | Google Scholar
X. Wu and N. Memon, “Context-based, adaptive, lossless image coding,” IEEE Transactions on Communications, vol. 45, no. 4, pp. 437–444, 1997.
View at: Publisher Site | Google Scholar
J. Jiang, B. Guo, and S. Y. Yang, “Revisiting the JPEG-LS prediction scheme,” IEE Proceedings-Vision, Image and Signal Processing, vol. 147, pp. 575–580, 2000.
View at: Google Scholar
H. Tang and S.-I. Kamata, “A gradient based predictive coding for lossless image compression,” IEICE Transaction on Information and Systems, vol. 89, no. 7, pp. 2250–2256, 2006.
View at: Publisher Site | Google Scholar
A. V. Subramanyam, S. Emmanuel, and M. S. Kankanhalli, “Robust watermarking of compressed and encrypted JPEG2000 images,” IEEE Transactions on Multimedia, vol. 14, no. 3, pp. 703–716, 2012.
View at: Publisher Site | Google Scholar
B. Schneier, Applied Cryptography: Protocols, Algorithms and Source Code, John Wiley and Sons, Indianapolis, IN, USA, 2007.
View at: Publisher Site | MathSciNet
Z. Tang, X. Zhang, X. Li, and S. Zhang, “Robust image hashing with ring partition and invariant vector distance,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 1, pp. 200–214, 2016.
View at: Publisher Site | Google Scholar
Z. Tang, X. Zhang, and S. Zhang, “Robust perceptual image hashing based on ring partition and NMF,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 3, pp. 711–724, 2014.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2018 Chunqiang Yu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1659

Downloads

1013

Citations