Digital Signal Processing 43 (2015) 28–37
Outsourcing chaotic selective image encryption to the cloud with steganography

Tao Xiang a,b,∗, Jia Hu b, Jianglin Sun b

a Key Laboratory of Dependable Service Computing in Cyber Physical Society, Chongqing University, Ministry of Education, Chongqing 400044, China
b College of Computer Science, Chongqing University, Chongqing 400044, China

Article info

Article history: Available online 11 May 2015

Keywords: Selective encryption; Outsourcing; Cloud computing; Chaos; Steganography

Abstract

This paper considers the problem in which a resource-limited client, such as a smartphone, wants to outsource chaotic selective image encryption to the cloud, while not wanting to reveal the plain image to the cloud. A general solution is proposed with the help of steganography. The client first selects the important data to be selectively encrypted, embeds it into a cover image, and sends the stego image to the cloud for outsourced encryption; after receiving the encrypted stego image from the cloud, the client can extract the secret data in its encrypted form and get the selectively encrypted image. Theoretical analysis and extensive experiments are conducted to validate the correctness, security, and performance of the proposed scheme. It is shown that the client can fulfill the task of selective image encryption securely and save much overhead at the same time.

© 2015 Elsevier Inc. All rights reserved.
∗ Corresponding author at: College of Computer Science, Chongqing University, Chongqing 400044, China. E-mail address: [email protected] (T. Xiang).
http://dx.doi.org/10.1016/j.dsp.2015.05.006
1051-2004/© 2015 Elsevier Inc. All rights reserved.

1. Introduction

Digital images play a fairly important role nowadays and they are everywhere, not only throughout the Internet and personal computers (PCs), but also in cellular networks and smartphones. The prevalence of images greatly facilitates our daily life, but at the same time it brings unprecedented security problems and challenges. Image data are usually massive, multidimensional, and highly redundant; therefore the traditional encryption paradigm, which treats the plaintext as a binary stream and encrypts the entire bit stream, is not suitable for image encryption, especially in real-time communication or resource-limited environments. For this reason, many researchers have been seeking specific ciphers tailored for images, and chaotic image encryption is a good example [1–4]. However, the efficiency of many chaotic image ciphers is still unsatisfactory because a massive volume of data is to be handled and chaotic encryption is computationally intensive. In this circumstance, selective encryption has been proposed to encrypt only the portion of important data that is crucial for visualization. Because the volume of data to be encrypted is cut down, the encryption efficiency can be boosted significantly [5–7].

Even so, selective encryption is still a heavy task for some resource-limited devices such as smartphones. Smartphones have limited hardware capability and energy supply, so they are not able to perform complicated encryption operations, or even the orthogonal transformation needed by many selective encryption schemes [8]. Fortunately, the emergence of cloud computing [9] provides an effective way to solve this problem. As the cloud has much more powerful resources, resource-limited devices can outsource selective encryption to the cloud [10].

However, outsourcing in cloud computing results in serious problems regarding security and privacy, since the data must be transmitted to the cloud and will be handled by the cloud [11,12]. The situation is even more serious in the case of outsourcing encryption because the plaintext to be encrypted is usually confidential. If the plaintext is sent to the cloud directly for encryption, the security of the plaintext can easily be compromised by eavesdropping on the communication link or by the cloud. For this reason, how to let the cloud encrypt the plaintext and keep it secure at the same time becomes a great challenge. Although there are many existing techniques based on homomorphic encryption [13,14] and secure multiparty computation [15,16] that allow the cloud to perform computations securely, they are computationally intensive and thus not applicable to resource-limited clients.

In this paper, we consider the situation in which a resource-limited client wants to outsource chaotic selective encryption of images to the cloud. The encryption consists of two phases: a permutation performed by a chaotic map and a bitwise exclusive OR (XOR) masking by another chaotic map. We propose a scheme to solve this problem with the help of steganography [17–22]. Our contributions can be summarized as follows:
• To the best of our knowledge, we consider the outsourcing problem of chaotic selective encryption for the first time. We formally define the problem and make reasonable assumptions.
• We present a general solution with the help of steganography; it guarantees that the cloud fulfills the outsourced chaotic selective encryption while having no knowledge of the plain image.
• The proposed solution places few specific requirements on the chaotic map and is thus generally suitable. Furthermore, the client can extract the embedded data in its encrypted form directly.
• Theoretical analysis and extensive experiments are conducted to validate the correctness, security, and performance of the proposed scheme. It is shown that the proposed scheme saves much computational cost compared with traditional local encryption and maintains satisfactory security at the same time.

The rest of this paper is organized as follows. Section 2 gives the related work. Section 3 presents the problem, and some reasonable assumptions are also made there. Section 4 proposes the solution to the problem in detail. Its theoretical analyses are provided in Section 5. Experimental results are given in Section 6. Finally, Section 7 concludes the paper.

2. Related work

Various general or problem-specific theories and techniques have been proposed to ensure the security and privacy of outsourcing in cloud computing. We review the related work as follows.

Homomorphic encryption [13,14] is a widely explored cryptographic theory in cloud computing. It allows the cloud to carry out specific types of computations on ciphertext and generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintext. For this reason, it can provide security and privacy for outsourced data computation and storage; for example, in [23], the authors proposed a homomorphic encryption method to enable direct operation over the encoded images.
However, homomorphic encryption is not applicable to resource-limited clients because it is usually performed on the client side with heavy computational overhead.

Proxy re-encryption [24] is another promising way to share data securely in cloud computing, as it can delegate the re-encryption capability to the proxy, such as the cloud, and re-encrypt the encrypted data by using the re-encryption key [25]. For example, in [26], a time-based proxy re-encryption scheme is proposed for secure data sharing in a cloud environment. Nevertheless, the client needs to encrypt data before outsourcing, which is usually not affordable for resource-limited clients, not to mention the cost of key generation.

Secure multiparty computation [15,16] is also often involved in protecting data security and privacy in cloud computing, because it enables multiple parties to jointly compute a function over their inputs while keeping these inputs private. A great number of schemes based on secure multiparty computation have been proposed for privacy-assured outsourcing of image processing [27–30]. Still, secure multiparty computation is not suitable for thin clients either, because all parties are supposed to be involved in the computation and the computational overhead is usually symmetric across the parties.

There is some other research on protecting images in the cloud environment. In [31], traditional cryptographic techniques are used to encrypt plain images before they are transmitted to the cloud. In [32], a lossy encrypted image compression method based on compressive sensing is developed for secure and effective image storage in the cloud. In [29], an image that needs to be uploaded to the cloud for template matching is masked with images obtained from social media sites and preprocessed by splitting the masked image into tiles. In [33], steganography is used to securely store images in cloud systems.

From the above review, we can find that plenty of existing work focuses on secure data storage in the cloud environment, and a fundamental approach to it is to let the data owner encrypt data before outsourcing, as in homomorphic encryption and proxy re-encryption; these techniques are obviously not suitable for the scenario considered in this paper, where the client is resource-limited. Secure multiparty computation supports secure computing between the client and the cloud, but the computational cost is still intensive for the client side. Although steganography [17–22] techniques are widely investigated and have been adopted in cloud systems, such as the work in [33], they are mainly concerned with data hiding during image distribution; computation on the stego image, such as encryption, is not considered in the existing literature.

3. Problem definition and assumptions

3.1. Problem definition

In this paper, we consider the problem in the following scenario: a resource-limited client, such as a smartphone, wants to selectively encrypt a plain image by chaotic map and distribute the encrypted image to other users.
However, the client does not have sufficient computational power or energy supply to perform the encryption, which involves computationally intensive iterations of the chaotic map; it therefore wants to outsource the selective encryption to the cloud, which has much more powerful resources, but at the same time does not want to expose the plain image to the cloud. The problem is illustrated in Fig. 1.

3.2. Assumptions

3.2.1. The client

The client considered in this paper is a resource-limited terminal such as a smartphone. It has limited computational capability and power supply, so it cannot perform complicated calculations such as heavy encryption and signal processing, e.g. the discrete cosine transform (DCT) and the discrete wavelet transform (DWT). The client is connected to the cloud via a wireless link such as a cellular network or Wi-Fi. In this circumstance, the client can only store and process images in the spatial domain, i.e. as pixel values; if he needs image encryption, he can offload the encryption to the cloud. Even so, the client is assumed to be capable of lightweight encryption, say encrypting a short message such as a secret key with a fast stream cipher.
Fig. 1. The problem.
Fig. 2. The framework of our scheme.
3.2.2. The cloud

The cloud is supposed to be much more powerful than the client, and can do complicated computations. The cloud and the client share a secret key that lets them exchange messages securely via a public communication link. We assume that the cloud is honest but curious, i.e. it follows the protocol specifications in our proposed framework and will not disclose any secret key to a third party, but it is curious about the content of the messages received from the client. In other words, the cloud is prone to peek at the image that is outsourced for encryption.

3.2.3. The user

The user should have the capability of decryption to recover the plain image. Because the decryption involves the iteration of chaotic maps, generally speaking, its computation power should be stronger than that of the client, or at least it should not be sensitive to energy consumption.
4. The proposed scheme

In this section, we propose a scheme to solve the problem defined in the previous section. The basic idea is as follows: the client first selects the important data of the plain image and embeds it into a cover image, then transmits the stego image to the cloud for outsourced encryption; after receiving the encrypted stego image, the client extracts the encrypted secret data and gets the selectively encrypted image, which he can then distribute to other users. We give the general framework and the details of the main steps as follows.

4.1. General framework

Suppose the client has a plain image M of size m × n to be outsourced for selective encryption under the key K, and he shares a secret key SK with the cloud. We can formulate the general framework of our scheme as consisting of the following stages, as shown in Fig. 2.

1) Data preparation. In this stage, the client chooses the important part of the data to be selectively encrypted and masks it for visual security. The plain image M is denoted as the concatenation of the 4 most significant bits (MSBs) H and the 4 least significant bits (LSBs) L, i.e. M = H || L. The 4 MSBs are important because they are critical for image visualization, and encrypting the 4 MSBs of an image is shown to give a good balance between security and efficiency [7]. Therefore, the client selects H as the important data of plain image M for encryption. In order to protect the visual security of H, the client further XORs H with L to get the masked important information I, i.e. I = H ⊕ L.

2) Data embedding. In this stage, the client runs the data embedding algorithm Steg(CI, I) to obtain the stego image SI, where CI is a cover image, i.e. SI = Steg(CI, I). At the end of this stage the client sends the stego image SI and the encryption of K with SK, i.e. E_SK(K), to the cloud. E_·(·) should be a fast encryption cipher such as RC4 to meet the requirement on the client. More details about the embedding algorithm will be given in Section 4.2.

3) Outsourced encryption. Upon receiving the request from the client, the cloud recovers K using SK, uses two predetermined chaotic maps f_1, f_2 and the secret key K to encrypt the stego image SI in the spatial domain by Enc_K(f_1, f_2, SI), and gets the encrypted image ESI, i.e. ESI = Enc_K(f_1, f_2, SI). That is to say, although the client's purpose is selective encryption, the cloud encrypts the whole image data SI. Then, the cloud sends ESI back to the client. More details are given in Section 4.3.

4) Data extraction. In this stage, after receiving ESI from the cloud, the client runs the extraction algorithm Extract_K(ESI) to obtain the embedded data EI, i.e. EI = Extract_K(ESI). K is used to partially decrypt ESI, and the extraction is performed in the partially encrypted domain. It is clear that EI is the encryption of I by the cloud, as EI is extracted directly from the encrypted domain of ESI. More details will be given in Section 4.4.

5) Data distribution. If the client wants to distribute the image M to another user securely, he can just concatenate EI and L to get the selectively encrypted image C = EI || L, and transmit C to the user via a public channel. Since C is the encryption of M, its security is guaranteed.

6) Data decryption. In order to decrypt C, the user needs to obtain the secret key K from the client via a private channel, and split C into EI and L. In other words, the user should know which part of the data is selectively encrypted. Then he runs the decryption algorithm Dec_K(f_1, f_2, EI) to recover the plain data I, i.e. I = Dec_K(f_1, f_2, EI). The decryption algorithm Dec is very similar to Enc, which will be further discussed in Section 4.3. After I is recovered, the user can easily get M = (I ⊕ L) || L.
4.2. SM2LSB embedding

Steganography is a way to hide data in a cover image, and the cover image with embedded data is called the stego image. The intended recipient can extract the secret data from the stego image, but others are not aware of the existence of embedded data in the stego image. The general design goal of steganography is maximizing embedding capability while keeping high security [17].

We focus on steganography in the spatial domain here. As the visual quality of an image is insensitive to the value of the LSB, most steganographic systems in the spatial domain embed data in LSBs. LSB substitution is the simplest way to embed 1-bit data in each pixel of a cover image [19]. LSB matching was then proposed to reduce the probability of detection [18,20]. In order to increase embedding capability, 2LSB replacement was proposed to embed 2-bit data in a pixel [34].

Without compromising the security requirement, we want to employ a steganographic system with high capability. In this way, the size of the cover image can be reduced for the same volume of secret data to be embedded, and the communication cost between the client and the cloud can be saved. In [21], single-match 2LSB (SM2LSB) embedding is proposed, a new embedding method for 2LSB steganography that makes fewer changes to the cover image, with a lower probability of detection for the same amount of data compared with 2LSB replacement. We adopt it as the steganographic system to embed the important data I of the plain image into a cover image CI.

The basic idea of SM2LSB is embedding 2-bit information into the 2 LSBs of the cover image, and using the third LSB of the cover image as a flag to indicate the mismatch position. The embedding diagram is shown in Fig. 3. There are two main steps in the embedding process: data reorganization and data embedding.

In data reorganization, in order to embed the 4 MSBs of the plain image into the 2 LSBs of the cover image, we need to reorganize the important data I containing 4 bitplanes into I′ containing only 2 bitplanes. The size of I′ is k × k (the same as the size of the cover image) in order to support chaotic encryption in later steps. Therefore, the size of I′ should satisfy k² ≥ 2mn, where k is the minimal integer satisfying this inequality. The reorganization process is illustrated in Fig. 4. First, we sequentially extract each bit of the 4 bitplanes at (0, 0) of I, repeat this process in raster scan order for all the coordinates of I, and buffer the extracted bits into a sequence. Then we use the sequence to construct the first and second bitplanes of I′. By doing so, we can avoid the situation of consecutive 0s or 1s in I′, which is vulnerable to steganalysis.

Fig. 4. The data reorganization process.

In data embedding, the steganographic system based on SM2LSB in [21] considers the situations of match and mismatch between the 2 LSBs of the cover image and the 2 bits of the secret message for embedding. It always assumes a single mismatch (SM) in embedding and changes the value of the third LSB of the cover image in certain cases to point to the index of the mismatch. If the 2 LSBs of the cover image and the 2 bits of the secret message both match or both mismatch, it changes one of the cover image's 2 LSBs according to the value of its third LSB, which indicates the index of the mismatch: 0 for the first LSB and 1 for the second LSB. Otherwise, if exactly one of them differs, it changes the third LSB of the cover image according to the index of the mismatch; again 0 for the first LSB and 1 for the second LSB. The detailed embedding algorithm Steg can be found in Algorithm 1.

Algorithm 1 Data embedding algorithm Steg.
Require: CI, I
Ensure: SI
  Reorganize 4-bitplane image I to 2-bitplane image I′;
  for all pixel I′(i, j) of I′ do
    Extract first and second LSBs of I′(i, j) as i_0 and i_1;
    Extract first, second, and third LSBs of CI(i, j) as c_0, c_1, and c_2;
    if i_0 = c_0 and i_1 = c_1 then
      // both bits match: create the single mismatch at the index given by c_2
      if c_2 = 0 then
        c_0 ← ¬c_0;
      else
        c_1 ← ¬c_1;
      end if
    else if i_0 ≠ c_0 and i_1 ≠ c_1 then
      // both bits mismatch: repair the bit that c_2 does not point to
      if c_2 = 0 then
        c_1 ← ¬c_1;
      else
        c_0 ← ¬c_0;
      end if
    else
      // exactly one mismatch: point c_2 at it
      if i_0 ≠ c_0 then
        c_2 ← 0;
      else
        c_2 ← 1;
      end if
    end if
  end for
  SI ← CI;
  return SI;

4.3. Chaotic encryption

Chaotic image encryption is an active research area for effectively protecting the security of image content [1,2]. A secure structure of chaotic image encryption usually includes two steps [2]: a multidimensional chaotic map is first employed to permute the coordinates of pixels, and another one-dimensional chaotic map is utilized to mask the pixel values. We follow this structure here to guarantee the security of encryption.

In our scheme, when the cloud receives the stego image SI from the client, he does not know of the existence of hidden data and takes the stego image as a plain image submitted for encryption. The encryption procedures Enc are illustrated in Fig. 5. The cloud first uses the session key SK shared with the client to decrypt E_SK(K) and get K, which will be used as the secret key for chaotic encryption. Then he iterates a predefined multi-dimensional chaotic map f_1 to permute the pixel positions of SI. After that, he further runs another chaotic map f_2 and XORs its output bits with each pixel value of the permuted SI to get the encrypted stego image ESI. K securely controls the parameters and initial conditions of f_1 and f_2. The decryption algorithm Dec is very similar to Enc, except that the permutation is inverted.
Please note two things about the chaotic encryption in our framework. First, the selections of f_1 and f_2 are user specific, and any suitable chaotic maps can be employed. Specifically, any two-dimensional area-preserving chaotic map, such as the Cat map, can serve as f_1; any one-dimensional chaotic map, such as the logistic map, can be used as f_2. Second, additional techniques such as post-processing on the discretized chaotic sequences or making the key stream plaintext-independent may be required in order to guarantee the security of chaotic encryption. As these techniques do not conflict with our framework mechanism, they can be specified in the practical deployment and are beyond the scope of our discussion here.

Fig. 3. The SM2LSB embedding diagram.

Fig. 5. The diagram of outsourced chaotic encryption Enc.

4.4. SM2LSB extraction in encrypted domain

After receiving the encrypted stego image ESI from the cloud, the client needs to extract the embedded data. Since the embedded data has been encrypted by the cloud, the client should extract the embedded data in its encrypted form. Although any bit of the cover image's 3 LSBs may change in SM2LSB embedding, the secret data is only embedded into the 2 LSBs of the cover image; the third LSB is just used as a flag to indicate the position of the mismatched bit. For this reason, we need to partially decrypt only the third LSB of the encrypted stego image, and can extract the secret data embedded in the 2 LSBs in its encrypted form. The extraction procedures are given in Algorithm 2. Please note that in order to get the 4-bitplane image EI from the encrypted stego image in Step 11 of Algorithm 2, the size of the plain image should be given, since the 2 LSBs of the cover image may not be fully embedded.

Algorithm 2 Data extraction algorithm Extract.
Require: ESI, K
Ensure: EI
 1: for all pixel ESI(i, j) of ESI do
 2:   Iterate f_2 with K to partially decrypt the third LSB of ESI(i, j) as s_2;
 3:   Extract first and second LSBs of ESI(i, j) as e_0 and e_1;
 4:   if s_2 = 0 then
 5:     e_0 ← ¬e_0;
 6:   else
 7:     e_1 ← ¬e_1;
 8:   end if
 9:   EI′(i, j) ← e_1 || e_0;
10: end for
11: Reorganize 2-bitplane image EI′ to 4-bitplane image EI;
12: return EI;
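
The client, cloud and user steps of Sections 4.1 to 4.4 run end to end below, as an added example that is not the authors' code. The cat map for f_1, the logistic map for f_2, the layout of K as (a, b, rounds, x0), the ordering of the 2-bit symbols and the sample images are assumptions; the sizes are chosen so that k² = 2mn exactly and no padding is needed.

```python
import random

def logistic_keystream(x0, n, r=3.99):
    """Assumed f_2: logistic map, one keystream byte per iteration."""
    ks, x = [], x0
    for _ in range(n):
        x = r * x * (1.0 - x)
        ks.append(int(x * 256) & 0xFF)
    return ks

def cat_permutation(k, a, b, rounds):
    """Assumed f_1: generalized cat map on a k x k grid; perm[src] = dst."""
    perm = []
    for y in range(k):
        for x in range(k):
            px, py = x, y
            for _ in range(rounds):
                px, py = (px + a * py) % k, (b * px + (a * b + 1) * py) % k
            perm.append(py * k + px)
    return perm

def prepare(plain):
    """Stage 1: I = H xor L, split into two 2-bit symbols per pixel.
    Emitting the high pair first is an assumption of this example."""
    symbols = []
    for p in plain:
        i = (p >> 4) ^ (p & 0x0F)
        symbols += [i >> 2, i & 3]
    return symbols

def steg(cover, symbols):
    """Algorithm 1 (SM2LSB): leave exactly one mismatch, flagged by bit 2."""
    stego = []
    for c, s in zip(cover, symbols):
        match0 = (c & 1) == (s & 1)
        match1 = ((c >> 1) & 1) == ((s >> 1) & 1)
        c2 = (c >> 2) & 1
        if match0 and match1:
            c ^= 1 if c2 == 0 else 2              # create the flagged mismatch
        elif not match0 and not match1:
            c ^= 2 if c2 == 0 else 1              # repair the unflagged bit
        else:
            c = (c & ~4) | (4 if match0 else 0)   # point the flag at the mismatch
        stego.append(c)
    return stego

def enc(si, k, key):
    """Cloud: permute pixel positions with f_1, then XOR-mask with f_2."""
    a, b, rounds, x0 = key
    permuted = [0] * (k * k)
    for src, dst in enumerate(cat_permutation(k, a, b, rounds)):
        permuted[dst] = si[src]
    return [p ^ s for p, s in zip(permuted, logistic_keystream(x0, k * k))]

def extract(esi, key):
    """Algorithm 2: decrypt only the third LSB, flip the flagged ciphertext bit."""
    ei = []
    for p, s in zip(esi, logistic_keystream(key[3], len(esi))):
        s2 = ((p ^ s) >> 2) & 1                      # flag bit, now in the clear
        ei.append((p & 3) ^ (1 if s2 == 0 else 2))   # the 2 LSBs stay encrypted
    return ei

def dec(ei, k, key):
    """User: unmask the two LSBs, then undo the permutation."""
    a, b, rounds, x0 = key
    ks = logistic_keystream(x0, k * k)
    unmasked = [e ^ (s & 3) for e, s in zip(ei, ks)]
    return [unmasked[dst] for dst in cat_permutation(k, a, b, rounds)]

def recover(symbols, low_nibbles):
    """Rebuild I from symbol pairs, then M = (I xor L) || L."""
    out = []
    for j, low in enumerate(low_nibbles):
        i = (symbols[2 * j] << 2) | symbols[2 * j + 1]
        out.append(((i ^ low) << 4) | low)
    return out

def run_demo():
    rng = random.Random(2015)             # constructed sample data
    m, n, k = 8, 16, 16                   # k*k == 2*m*n, so no padding
    plain = [rng.randrange(256) for _ in range(m * n)]
    cover = [rng.randrange(256) for _ in range(k * k)]
    key = (1, 1, 3, 0.3141592)            # assumed K = (a, b, rounds, x0)
    symbols = prepare(plain)              # client
    si = steg(cover, symbols)             # client
    esi = enc(si, k, key)                 # cloud, sees only SI
    ei = extract(esi, key)                # client, works on ciphertext
    low = [p & 0x0F for p in plain]       # L travels with EI as C = EI || L
    return {"plain": plain, "cover": cover, "si": si, "symbols": symbols,
            "ei": ei, "recovered": recover(dec(ei, k, key), low), "key": key}

if __name__ == "__main__":
    r = run_demo()
    print("user recovers M:", r["recovered"] == r["plain"])
    changed = sum(c != s for c, s in zip(r["cover"], r["si"]))
    print("cover pixels changed:", changed, "of", len(r["cover"]))
```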
5. Analysis

5.1. Correctness

The correctness of the proposed scheme ensures that the user with the correct key can recover the plain image if all the parties follow the specification of the scheme. From the statements in Section 4, it is easy to understand that correctness can be guaranteed if the secret information can be correctly extracted from the encrypted stego image as given in Section 4.4. Please note that we have no requirement on the robustness of the steganographic system because it is widely accepted in steganography [17].

From the statements in Section 4.2, we know that if the client has the stego image in its plain form, he can easily extract the secret information from the stego image. Specifically, if the third LSB of the stego image is 0/1, he flips the value of the first/second bit of the stego image and gets the secret information from the 2 LSBs of the stego image [21]. However, in our scheme, the stego image is encrypted by the cloud, and only the third LSB is partially decrypted. That is to say, the extraction is performed on the decrypted third LSB plane and the 2 encrypted LSB planes. Although we only iterate f_2 to partially decrypt the third LSB as described in Algorithm 2, its value is recovered since f_1 in the encryption only changes pixel position but not pixel value.

After obtaining the value of the third LSB in plain, we can extract the encrypted secret information in its encrypted form using the same method as in [21]. This is because in the outsourced encryption as described in Section 4.3, only the XOR masking operation changes the values of the 2 LSBs of the stego image. Without loss of generality, we can simplify this masking as below:

$$m_b \oplus k_b = e_b \qquad (1)$$

where b ∈ {0, 1}; m_0, m_1 and e_0, e_1 are the first and the second LSB of the stego image and its encrypted image, respectively; k_b is the corresponding bit of the keystream used to mask m_b. From (1), we can easily derive the following equation:

$$\neg e_b = \neg m_b \oplus k_b \qquad (2)$$

which means that flipping the encrypted bit is equivalent to flipping the plaintext bit after decryption. This is exactly the theory that ensures we can extract the secret information in its encrypted form, and the correctness of our whole scheme is thereby guaranteed.

5.2. Security

Generally speaking, the security of our proposed scheme depends on two aspects: one is the security of the chaotic encryption, the other is the security of the steganographic system based on SM2LSB embedding. We discuss both of them as follows.

In our scheme, we do not have any specific requirements on the chaotic encryption algorithm, such as the selection of chaotic maps f_1 and f_2, as long as it follows the general structure given in Fig. 5. For this reason, the security of the chaotic encryption algorithm is determined by the implementation of our scheme. In order to guarantee the security of the scheme, we require that issues such as the discretization of the chaotic system and resistance to known/chosen-plaintext attacks be properly addressed [35,36] in the implementation of our scheme.

In our scheme, the cloud is supposed not to know of the existence of hidden data unless he launches a successful detection, which is a well-accepted assumption in steganography [17]. The security of the steganographic system based on SM2LSB embedding in our scheme ensures that the cloud cannot detect the existence of embedded secret data intuitively or by steganalysis. As has been proved in [21], for SM2LSB embedding, the average number of modifications per pixel is 0.375, which is much lower than for 2LSB replacement. It has much better performance against many steganalysis methods, and more details on experimental results will be given in Section 6.2.

Furthermore, the cloud cannot get useful information about the plain image even if he can detect the embedding and extract the embedded data, since the important data of the plain image H is masked before data embedding. As stated in Section 4.1, H is XORed with L (i.e. I = H ⊕ L), so the embedded data is I instead of H. Because the 4 LSBs L of an image usually resemble high-frequency noise, XORing them with H protects the visual security of I.

Fig. 6. The encryption results. (a) Plain image Lena; (b) cover image peppers; (c) stego image; (d) encryption of stego image; and (e) encryption of plain image.

5.3. Performance

In the performance analysis of our scheme, we care about computational complexity and communication cost. Although three parties, i.e. the client, the cloud, and the user, are involved here, we only focus on the computational complexity of the client and the communication cost between the client and the cloud. This is because we assume that the client is a resource-limited device such as a smartphone, and computational complexity as well as communication cost are of great importance to the client.

First, we analyze the computational complexity at the client side. The computational overhead of the client mainly comes from data embedding and data extraction. In data embedding, the computational complexity of data reorganization is O(k²), where k² is the size of the cover image; the computational complexity of secret data embedding is also O(k²). In data extraction, the computational complexity is O(k²) although a chaotic map is involved.
This is because we only need to iterate f_2 to partially decrypt the third LSB of ESI; and unlike the permutation process, where f_1 is usually iterated multiple times for each pixel, one iteration of f_2 can generate multiple bits to mask multiple pixels. To sum up, the total computational cost for the client is O(3k²). It will be shown in Section 6.3 that the outsourcing of chaotic encryption significantly reduces the computational cost for the client.

Then, we analyze the communication cost between the client and the cloud. It is easy to see that the communication cost is determined by the size of the cover image. The size of the cover image is further determined by the size of the plain image, but the size of the plain image should not be too large, since the client in our scheme is resource-limited and cannot process an image of large size; therefore, the size of the cover image in our scheme is generally not too large. By utilizing selective encryption, the communication payload between the client and the cloud is about 4mn. Compared with whole encryption, i.e. embedding the whole image data M with the same steganographic system, the communication payload would be approximately 8mn. Therefore, selective encryption reduces the communication cost by about 50%.
6. Experimental results

In this section, extensive experiments are conducted to validate and evaluate the proposed scheme. The CVG-UGR [37] and ground truth [38] image databases are used in our experiments. In order to demonstrate the experimental results, a 256 × 256 grayscale Lena is taken as the plain image in the following statements.

6.1. Encryption results

For the plain image Lena shown in Fig. 6(a), a grayscale image peppers, shown in Fig. 6(b), is selected as the cover image, and its size is 363 × 363 for exactly fully embedding the 4 MSB planes of the plain image. The stego image after embedding is shown in Fig. 6(c), and it is visually indistinguishable from the cover image. Fig. 6(c) is sent to the cloud for chaotic encryption, and the encrypted stego image is given in Fig. 6(d). After receiving Fig. 6(d) from the cloud, the client extracts the encrypted secret information and gets the encryption of the plain image as shown in Fig. 6(e). From these results we can find that it is feasible to outsource selective chaotic image encryption to the cloud by steganography.

6.2. Steganalysis

The most important requirements for steganographic systems are payload capacity, stego quality, undetectability, and resistance against active attacks. To evaluate the steganographic system in our scheme, the following experiments are conducted: peak signal-to-noise ratio (PSNR) [39,40], chi-square [41], difference image histogram (DIH) [42], and the steganalysis method to detect 2LSB embedding [43]. The results are compared with some multiple-LSB steganographic techniques, including 2LSB replacement and the steganographic method proposed in [44].

We define the embedding rate as the ratio of the number of embedded bits to the number of pixels, i.e. bits per pixel (bpp). It is clear that the embedding rate of our steganographic system is 2 bpp since 2 bits are embedded into a pixel.
In steganalysis, we also set different embedding rates, namely 0.25 bpp, 0.5 bpp, 0.75 bpp, 1 bpp, 1.25 bpp, 1.5 bpp, 1.75 bpp, and 2 bpp, for analyzing the performance and the security of steganographic systems. When a cover image is not fully embedded at some embedding rate, we sequentially embed the secret data from the beginning of the cover image.

6.2.1. PSNR

PSNR measures the difference between the original image and the image after processing, and it is an objective criterion for evaluating the quality of an image. PSNR is widely used to measure the quality of stego images [39,40]. To observe the stego quality of each steganographic method under different embedding rates, the messages are embedded into 1000 cover images, and 1000 stego images are produced. The average results of PSNR between the cover and the stego images are
illustrated in Fig. 7. It shows that our steganographic system is better than the method in [44] because more LSBs of the cover image are changed there; 2LSB replacement gets the best PSNR since only 2 LSBs of the cover image are changed. However, the PSNR of our steganographic system is close to that of 2LSB replacement, and the PSNR values under different embedding rates are all greater than 40 dB, which falls in the acceptable range for steganography applications [45].
Fig. 7. The PSNR of stego images.
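The following added example (not code from the paper) shows why changing only the 2 LSB planes keeps PSNR above 40 dB and why a 256 × 256 plain image needs a 363 × 363 cover. It uses plain 2LSB replacement, the baseline the paper compares against, not the paper's SM2LSB embedding; the function names, the MSB-first bit order and the seeded random images are assumptions constructed for illustration.

```python
import math
import random

def cover_side(plain_pixels, planes=4, lsbs=2):
    """Smallest square cover side whose `lsbs` LSB planes hold `planes` bit planes."""
    pixels_needed = -(-plain_pixels * planes // lsbs)  # ceiling division
    return math.isqrt(pixels_needed - 1) + 1

def msb_payload(plain, planes=4):
    """Top `planes` bits of every 8-bit pixel, MSB first (assumed order)."""
    return [(p >> (7 - i)) & 1 for p in plain for i in range(planes)]

def embed_2lsb(cover, bits):
    """Sequential 2LSB replacement starting at the first pixel of the cover."""
    stego = list(cover)
    for k in range(0, len(bits), 2):
        pair = bits[k] << 1 | (bits[k + 1] if k + 1 < len(bits) else 0)
        stego[k // 2] = (stego[k // 2] & ~3) | pair
    return stego

def extract_2lsb(stego, nbits):
    """Read back the first `nbits` embedded bits."""
    bits = []
    for px in stego[: (nbits + 1) // 2]:
        bits += [(px >> 1) & 1, px & 1]
    return bits[:nbits]

def psnr(a, b):
    """PSNR in dB between two 8-bit images given as flat pixel lists."""
    mse = sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)
    return math.inf if mse == 0 else 10 * math.log10(255 ** 2 / mse)

def demo(n=256, seed=1):
    """Embed the 4 MSB planes of a constructed n x n image at several rates."""
    rng = random.Random(seed)  # constructed sample data, not a real image
    plain = [rng.randrange(256) for _ in range(n * n)]
    side = cover_side(n * n)
    cover = [rng.randrange(256) for _ in range(side * side)]
    payload = msb_payload(plain)
    results = {}
    for rate in (0.5, 1.0, 2.0):  # target embedding rate in bpp
        nbits = min(len(payload), int(rate * len(cover)))
        stego = embed_2lsb(cover, payload[:nbits])
        assert extract_2lsb(stego, nbits) == payload[:nbits]
        results[rate] = psnr(cover, stego)
    return side, results

if __name__ == "__main__":
    print(demo())
```

Replacing two uniformly distributed LSBs gives an expected squared error of 2.5 per modified pixel, so at full embedding the PSNR settles near 10·log10(255²/2.5) ≈ 44 dB and rises as the embedding rate drops.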
6.2.2. Chi-square steganalysis

Chi-square steganalysis is a commonly used statistical attack which was proposed in [41]. It is based on statistical analysis of pairs of pixel values (PoVs) exchanged during message embedding. We use chi-square steganalysis to estimate the embedding rate of the steganographic system in our scheme, as well as some other steganographic systems. The results are demonstrated in Fig. 8. As can be seen, the detected probability of embedding should be 0 for a cover image without any embedded data, as shown in Fig. 8(a). Fig. 8(b) indicates that 2LSB replacement is easily detected by chi-square steganalysis. Fig. 8(c) gives the result of our steganographic system, and it is clear that chi-square steganalysis can hardly detect the
Fig. 8. The results of chi-square steganalysis. (a) Cover image; (b) 2LSB replacement; (c) our proposed method; and (d) method in [44].
Fig. 10. The result of 2LSB steganalysis.
Fig. 9. The result of DIH steganalysis.
embedding. The performance of the method in [44] is comparable with ours as demonstrated in Fig. 8(d).

6.2.3. DIH steganalysis

A reliable steganalysis technique based on the difference image histogram (DIH) was proposed in [42]; DIH distinguishes between cover image and stego image using the measure of weak correlation between the LSB plane and the remaining bit planes. We use DIH steganalysis to estimate the steganographic embedding rate here. Given different embedding rates, one thousand stego images are generated by our steganographic system, 2LSB replacement, and the method in [44], respectively. The average detection rates are shown in Fig. 9. We can observe that the steganographic technique in this paper has a lower detection rate than 2LSB replacement. When the embedding rate is 2 bpp, the detection rate is reduced by 34.6%, which means that our steganographic technique is less detectable by the DIH steganalyser.

6.2.4. 2LSB steganalysis

Embedding in 2LSB causes more complicated changes to the cover image and makes it harder to detect. A number of 2LSB steganalysis methods have been proposed to detect 2LSB embedding [43,34]. The 2LSB steganalysis method proposed in [43] constructs a weighted stego image and estimates the message length based on the least square method, and it is a fast and accurate method of detection. Here, we use it for finding the probability of detection. The 2LSB detection method in [43] is applied to 1000 stego images generated by different steganographic techniques at different embedding rates. To compare the average difference in detection among different steganographic techniques, we observe the relationship between the threshold of detection and the true positive rates. As shown in Fig. 10, the probability of detection of our steganographic technique is reduced by 43.4% on average compared with 2LSB replacement.
In other words, with the same true positive rate, the threshold of detection of our steganographic technique is reduced by 43.4%.

6.3. Computational cost

In order to validate the performance of our proposed outsourcing encryption scheme, we compare the computational cost of the client using our scheme with that of the client using traditional local encryption. In our scheme, the computational cost of the client mainly comes from steganography, i.e. data embedding and data
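Table 1 Computational cost.

| Traditional local encryption | Outsourced encryption with steganography: data embedding | Outsourced encryption with steganography: data extraction | Outsourced encryption with steganography: total |
|---|---|---|---|
| 0.2887 | 0.0432 | 0.1446 | 0.1878 |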
extraction. In traditional local encryption, the computational cost of the client is determined by the encryption algorithm itself. To be fair, we adopt the same chaotic encryption algorithm in our scheme for local encryption. We take 1000 images from the image database, encrypt them locally and by outsourcing respectively, and get the results tabulated in Table 1. It is clear that the computational cost of data embedding is much less than that of encryption; so is the computational cost of data extraction. However, data extraction takes more computational overhead than data embedding because it needs to iterate the chaotic map $f_2$ to partially decrypt the third LSB of the encrypted stego image. Even so, the total cost of data embedding and extraction is much less than that of encryption, which proves the significant saving of computational cost for the client by using our scheme.

6.4. Communication cost

We compare the communication cost of our scheme with that of using full encryption (i.e. embedding the entire plain image into the cover image). It is obvious that the communication cost between the client and the cloud is determined by the size of the cover image. Different sizes of plain images are taken into consideration, and the results are given in Table 2. Compared with full encryption, our scheme reduces the communication cost by about 50%, which is consistent with our theoretical analysis in Section 5.3. The communication cost is saved by selective encryption in our scheme. Because only the 4 MSBs of the plain image are chosen as important data to be embedded into the cover image, the size of the secret data in our scheme is only 50% of that in full encryption. However, the actual communication cost saving is not exactly 50% because the secret data may not exactly fill the 2 LSBs of a cover image.

7. Conclusions

In this paper, we have proposed a scheme to let a resource-limited client such as a smartphone outsource chaotic selective image encryption to the cloud; the scheme ensures that the cloud
Table 2 Communication cost.

| The size of plain image | 32 | 64 | 128 | 256 | 512 | 1024 | 2048 |
|---|---|---|---|---|---|---|---|
| The size of cover image in full encryption | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096 |
| The size of cover image in our scheme | 46 | 91 | 182 | 363 | 725 | 1449 | 2897 |
| Communication cost saving (%) | 48.34 | 49.46 | 49.46 | 49.73 | 49.87 | 49.94 | 49.98 |
is not aware of the existence of the plain image during the encryption. In our scheme, the client selects the 4 MSB planes of the plain image for selective encryption and embeds them into the 2 LSB planes of a cover image using SM2LSB steganographic embedding, and then sends the stego image to the cloud; the cloud uses two chaotic maps to encrypt the stego image and returns the encrypted stego image to the client; the client extracts the embedded data in its encrypted form and then gets the selective encryption of the plain image. The scheme is a general solution and any suitable chaotic encryption scheme can be incorporated. We theoretically analyze the correctness, security, and performance of our scheme. Extensive experiments demonstrate that through the proposed scheme, the client can efficiently outsource computationally intensive encryption to the cloud while concealing the plain image from the cloud.

Acknowledgments

The work in this paper was supported by the Natural Science Foundation Project of CQ CSTC (No. cstc2013jcyjA40001), the Fundamental Research Funds for the Central Universities (No. CDJZR13185501), and the Program for New Century Excellent Talents in University (No. NCET-12-0589).

References

[1] J. Fridrich, Symmetric ciphers based on two-dimensional chaotic maps, Int. J. Bifurc. Chaos 8 (6) (1998) 1259–1284.
[2] G. Chen, Y. Mao, C.K. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos Solitons Fractals 21 (2004) 749–761.
[3] X. Wang, L. Teng, X. Qin, A novel colour image encryption algorithm based on chaos, Signal Process. 92 (4) (2012) 1101–1108.
[4] A. Kassem, H.A.H. Hassan, Y. Harkouss, R. Assaf, Efficient neural chaotic generator for image encryption, Digit. Signal Process. 25 (2014) 266–274.
[5] H. Cheng, X. Li, Partial encryption of compressed images and videos, IEEE Trans. Signal Process. 48 (8) (2000) 2439–2451.
[6] M. Grangetto, E. Magli, G. Olmo, Multimedia selective encryption by means of randomized arithmetic coding, IEEE Trans. Multimedia 8 (5) (2006) 905–917.
[7] T. Xiang, K.-W. Wong, X. Liao, Selective image encryption using a spatiotemporal chaotic system, Chaos 17 (2007) 023115.
[8] M. Podesser, H.-P. Schmidt, A. Uhl, Selective bitplane encryption for secure transmission of image data in mobile environments, in: IEEE Nordic Signal Processing Symposium, NORSIG, Tromso–Trondheim, Norway, 2002.
[9] M. Armbrust, A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, M. Zaharia, A view of cloud computing, Commun. ACM 53 (4) (2010) 50–58.
[10] K. Kumar, J. Liu, Y.-H. Lu, B. Bhargava, A survey of computation offloading for mobile systems, Mob. Netw. Appl. 18 (1) (2013) 129–140.
[11] H. Takabi, J.B. Joshi, G.-J. Ahn, Security and privacy challenges in cloud computing environments, IEEE Secur. Priv. 8 (6) (2010) 24–31.
[12] Z. Xiao, Y. Xiao, Security and privacy in cloud computing, IEEE Commun. Surv. Tutor. 15 (2) (2013) 843–859.
[13] C. Gentry, Fully homomorphic encryption using ideal lattices, in: ACM Symposium on Theory of Computing, STOC, Maryland, USA, 2009, pp. 169–178.
[14] C. Gentry, Computing arbitrary functions of encrypted data, Commun. ACM 53 (3) (2010) 97–105.
[15] A.C.-C. Yao, Protocols for secure computations, in: IEEE Symposium on Foundations of Computer Science, FOCS, Chicago, IL, USA, 1982, pp. 160–164.
[16] A.C.-C. Yao, How to generate and exchange secrets, in: IEEE Symposium on Foundations of Computer Science, FOCS, Toronto, ON, Canada, 1986, pp. 162–167.
[17] N. Provos, P. Honeyman, Hide and seek: an introduction to steganography, IEEE Secur. Priv. 1 (3) (2003) 32–44.
[18] T. Sharp, An implementation of key-based digital signal steganography, in: International Workshop on Information Hiding, IH, Pittsburgh, PA, USA, 2001, pp. 13–26.
[19] C.-K. Chan, L. Cheng, Hiding data in images by simple LSB substitution, Pattern Recognit. 37 (3) (2004) 469–474.
[20] A.D. Ker, Improved detection of LSB steganography in grayscale images, in: International Workshop on Information Hiding, IH, Toronto, ON, Canada, 2004, pp. 97–115.
[21] O. Khalind, B. Aziz, Single-mismatch 2LSB embedding steganography, in: IEEE International Symposium on Signal Processing and Information Technology, ISSPIT, Athens, Greece, 2013, pp. 000283–000286.
[22] A. Nissar, A. Mir, Classification of steganalysis techniques: a study, Digit. Signal Process. 20 (16) (2010) 1758–1770.
[23] M. Gomathisankaran, X. Yuan, P. Kamongi, Ensure privacy and security in the process of medical image analysis, in: IEEE International Conference on Granular Computing, GrC, Beijing, China, 2013, pp. 120–125.
[24] M. Blaze, G. Bleumer, M. Strauss, Divertible protocols and atomic proxy cryptography, in: International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Espoo, Finland, 1998, pp. 127–144.
[25] P.-S. Chung, C.-W. Liu, M.-S. Hwang, A study of attribute-based proxy re-encryption scheme in cloud environments, Int. J. Netw. Secur. 16 (1) (2014) 1–13.
[26] Q. Liu, G. Wang, J. Wu, Time-based proxy re-encryption scheme for secure data sharing in a cloud environment, Inf. Sci. 258 (2014) 355–370.
[27] N. Hu, S. Ching, S. Cheung, T. Nguyen, Secure image filtering, in: IEEE International Conference on Image Processing, ICIP, Atlanta, GA, USA, 2006, pp. 1553–1556.
[28] J. Bringer, H. Chabanne, A. Patey, Privacy-preserving biometric identification using secure multiparty computation: an overview and recent trends, IEEE Signal Process. Mag. 30 (2) (2013) 42–52.
[29] A. Nourian, M. Maheswaran, Privacy aware image template matching in clouds using ambient data, J. Supercomput. 66 (2) (2013) 1049–1070.
[30] S. Rane, P.T. Boufounos, Privacy-preserving nearest neighbor methods: comparing signals without revealing them, IEEE Signal Process. Mag. 30 (2) (2013) 18–28.
[31] Q.-A. Kester, L. Nana, A.C. Pascu, A novel cryptographic encryption technique for securing digital images in the cloud using AES and RGB pixel displacement, in: European Modelling Symposium, EMS, Manchester, UK, 2013, pp. 293–298.
[32] C. Song, X. Lin, X.S. Shen, Secure and effective image storage for cloud based e-healthcare systems, in: IEEE Global Communications Conference, GLOBECOM, Atlanta, GA, USA, 2013, pp. 653–658.
[33] K. Murakami, R. Hanyu, Q. Zhao, Y. Kaneda, Improvement of security in cloud systems based on steganography, in: International Joint Conference on Awareness Science and Technology and Ubi-Media Computing, iCAST-UMEDIA, Aizuwakamatsu, Japan, 2013, pp. 503–508.
[34] A.D. Ker, Steganalysis of embedding in two least-significant bits, IEEE Trans. Inf. Forensics Secur. 2 (1) (2007) 46–54.
[35] S. Li, C. Li, G. Chen, N.G. Bourbakis, K.-T. Lo, A general quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Process. Image Commun. 23 (3) (2008) 212–223.
[36] C. Li, K.-T. Lo, Optimal quantitative cryptanalysis of permutation-only multimedia ciphers against plaintext attacks, Signal Process. 91 (4) (2011) 949–954.
[37] The CVG-UGR image database, http://decsai.ugr.es/cvg/dbimagenes/, 2014.
[38] Ground truth database, http://www.cs.washington.edu/research/imagedatabase/groundtruth/, 2014.
[39] S.-M. Kim, Z. Cheng, K.-Y. Yoo, A new steganography scheme based on an index-color image, in: International Conference on Information Technology: New Generations, ITNG, Las Vegas, NV, USA, 2009, pp. 376–381.
[40] C.-C. Chang, P.-Y. Pai, C.-M. Yeh, Y.-K. Chan, A high payload frequency-based reversible image hiding method, Inf. Sci. 180 (11) (2010) 2286–2298.
[41] A. Westfeld, A. Pfitzmann, Attacks on steganographic systems, in: International Workshop on Information Hiding, IH, Dresden, Germany, 2000, pp. 61–76.
[42] T. Zhang, X. Ping, Reliable detection of LSB steganography based on the difference image histogram, in: IEEE International Conference on Acoustics, Speech, and Signal Processing, ICASSP, Hong Kong, 2003, pp. 545–548.
[43] C. Niu, X. Sun, J. Qin, Z. Xia, Steganalysis of two least significant bits embedding based on least square method, in: ISECS International Colloquium on Computing, Communication, Control, and Management, CCCM, Sanya, China, 2009, pp. 124–127.
[44] A. Daneshkhah, H. Aghaeinia, S.H. Seyedi, A more secure steganography method in spatial domain, in: International Conference on Intelligent Systems, Modelling and Simulation, ISMS, Kuala Lumpur, Malaysia, 2011, pp. 189–194.
[45] F.A.P. Petitcolas, R.J. Anderson, Evaluation of copyright marking systems, in: IEEE International Conference on Multimedia Computing and Systems, ICMCS, Florence, Italy, 1999, pp. 574–579.
Tao Xiang received the B.Eng., M.S. and Ph.D. degrees in computer science from Chongqing University, China, in 2003, 2005, and 2008, respectively. He is currently a Professor of the College of Computer Science at Chongqing University. Dr. Xiang’s research interests include cloud security, wireless security, multimedia security, and cryptography. He has
published over 40 papers in international journals and conferences. He has also served as a referee for numerous international journals.

Jia Hu received the B.Eng. degree in computer science from Chongqing University, China, in 2012. She is currently an M.S. candidate of the College of Computer Science at Chongqing University. Her research interest is multimedia security.

Jianglin Sun received his B.Eng. and M.S. degrees in Computer Science from Chongqing University, China, in 2005 and 2010, respectively. He is now a Ph.D. candidate of the College of Computer Science at Chongqing University. His research interests include cryptography and multimedia security.