Separable and error-free reversible data hiding in encrypted images

Signal Processing 123 (2016) 9–21

Contents lists available at ScienceDirect

Signal Processing journal homepage: www.elsevier.com/locate/sigpro

Separable and error-free reversible data hiding in encrypted images Dawen Xu a,n, Rangding Wang b a b

School of Electronics and Information Engineering, Ningbo University of Technology, Ningbo 315016, China CKC Software Lab, Ningbo University, Ningbo 315211, China

a r t i c l e i n f o

abstract

Article history: Received 6 July 2015 Received in revised form 23 October 2015 Accepted 16 December 2015 Available online 3 January 2016

Digital image sometimes needs to be stored and processed in an encrypted format to maintain security and privacy, e.g., cloud storage and cloud computing. For the purpose of content notation and/or tampering detection, the cloud servers need to embed some additional information directly in these encrypted images. As an emerging technology, reversible data hiding in the encrypted domain will be useful in cloud computing due to its ability to preserve the confidentiality. In this paper, a novel separable and error-free reversible data hiding scheme in encrypted images is proposed. After analyzing the property of interpolation technology, a stream cipher is utilized to encrypt sample pixels and a specific encryption mode is designed to encrypt interpolation-error of non-sample pixels. Then, the data-hider, who does not know the original image content, may reversibly embed secret data into interpolation-error using a modified version of histogram shifting and difference expansion technique. In order to adapt to different application scenarios, data extraction can be done either in the encrypted domain or in the decrypted domain. In addition, real reversibility is realized, that is, data extraction and image recovery are free of any error. Experimental results demonstrate the feasibility and efficiency of the proposed scheme. & 2016 Published by Elsevier B.V.

Keywords: Image encryption Reversible data hiding Privacy protection Histogram shifting Difference expansion

1. Introduction With the rapid developments occurring in mobile internet and cloud storage, privacy and security of personal data has gained significant attention nowadays. There are no guarantees that stored data will not be accessed by unauthorized entities, such as the cloud provider itself or malicious attackers. Several recent surveys also show that 88% potential cloud consumers are worried about the privacy of their data [1]. Under this specific circumstance, multimedia data are often encrypted to ensure confidentiality in communication and storage processes as n Corresponding author. Tel.: þ 86 13736187949; fax: þ86 574 87600352. E-mail address: [email protected] (D. Xu).

http://dx.doi.org/10.1016/j.sigpro.2015.12.012 0165-1684/& 2016 Published by Elsevier B.V.

well as to protect privacy. In other words, the consumers would like to give the untrusted cloud server only an encrypted version of the data. The cloud service provider (who stores the data) is not authorized to access the original content (i.e., plaintext). However, in many scenarios, the cloud servers or database managers need to embed some additional messages, such as labeling or authentication data, origin information, and owner identity information, directly into an encrypted data for tamper detection or ownership declaration or copyright management purposes. For example, patient's information can be embedded into his/her encrypted medical image to avoid unwanted exposure of confidential information. The capability of performing data hiding directly in encrypted images would avoid the leakage of image content, which can help address the security and privacy concerns with cloud computing. In [2], a novel technique is

10

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

proposed to embed a robust watermark in the compressed and encrypted JPEG2000 images using three different existing watermarking schemes. A Walsh–Hadamard transform based image watermarking algorithm in the encrypted domain using Paillier cryptosystem is presented in [3]. However, due to the constraints of the Paillier cryptosystem, the encryption of an original image results in a high overhead in storage and computation. Karim and Wong [4] proposed a universal reversible data embedding method in the encrypted domain, in which the coding redundancy is exploited by entropy coding the encrypted signal and the resulting codewords are modified for data embedding purposes. More recently, a novel unified data embedding-scrambling technique is proposed to achieve high payload and adaptive scalable quality degradation [5]. Data hiding in the encrypted version of H.264/AVC video stream is proposed in [6], intra-prediction modes, motion vector differences, and residual coefficients are encrypted with stream ciphers. Then, a data-hider may embed additional data in the encrypted domain by using codeword substituting technique. However, within the aforementioned schemes [2–6], the host image/video is permanently distorted caused by data embedding. In general, the cloud service provider has no right to introduce permanent distortion during data embedding in encrypted data. This implies that, for a legal receiver, the original plaintext content should be recovered without any error after image decryption and data extraction. To solve this problem, reversible data hiding (RDH) in encrypted domain is preferred. For the last few years, RDH is gaining popularity because of its increasing applications in some important and sensitive areas, i.e., military communication, medical diagnosis, and law-enforcement. Up till now, quite interesting researches, e.g., compression based [7,8], histogram modification based [9,10], difference expansion based [11,12], have been carried out in the field of RDH. For more details of these methods and other RDH methods, refer to the latest review of recent research [13]. Although RDH techniques have been studied extensively, these techniques are suitable for unencrypted covers rather than encrypted covers. Nowadays, RDH in encrypted domain has emerged as a new and challenging research field. In [14], Zhang divided the encrypted image into blocks, and each block carries one bit by flipping 3 Least Significant Bits (LSB) of each encrypted pixel in a set. Hong et al. [15] improved Zhang's method by adopting new smooth evaluation function and side-match mechanism to decrease the error rate of extracted bits. In both [14,15], data extraction and image recovery is achieved by using the spatial correlation in the decrypted image. Therefore, the encrypted image containing hidden data should be first decrypted before data extraction, which remains a major limitation to practical application. Similarly, Qian et al. [16] proposed a framework of RDH in an encrypted JPEG bitstream. To separate data extraction from image decryption, the method in [17] compressed the LSB of encrypted pixels to create a space for accommodating the additional data. Recently, Zhang et al. [18] further proposed an improved scheme, in which a part of encrypted data is losslessly compressed using Low Density Parity Check (LDPC) code

and used to carry the compressed data as well as the additional data. In summary, the embedding capacity of these methods [14–18] is relatively small and some errors occur during data extraction and/or image recovery. In order to achieve real reversibility, two major methods of reserving room before encryption (RRBE) are proposed [19,20]. Ma et al. [19] provided a RDH idea in encrypted images by reserving room before encryption. This method first empties out room by embedding LSBs of some pixels into other pixels with a traditional RDH method and then encrypts the image, so the positions of these LSBs in the encrypted image can be used for data hiding. Although the embedding capacity of this method is greatly improved, an additional RDH has to be implemented by the sender. Zhang et al. [20] proposed a reversibility improved RDH method in encrypted images. Prior to encrypting the image, room for data hiding is vacated by shifting the histogram of estimating errors. More recently, Cao et al. [21] proposed a method for high capacity separable reversible data hiding in encrypted images, which inherits the merits of RRBE based on patch level sparse representation. As can be seen from the foregoing analysis, many exploratory studies are currently ongoing to improve the overall performance. But there is still much room for improvement, especially in capacity and reversibility. Different from above schemes, in our recent paper [22], a novel scheme of reversible data hiding in encrypted images based on interpolation technique is proposed. Before encryption and data embedding, an interpolation technique is adopted to generate interpolation-error. Sample pixels, which are sampled to form the low-resolution image, are encrypted using a standard stream cipher. The additional data can be embedded in the encrypted image by modifying the histogram of interpolation-error. In contrast to the existing technologies [14–18] discussed above, our scheme in [22] can achieve excellent performance in the following prospects.

 It can achieve complete reversibility, i.e., no errors occur in data extraction and image recovery.

 It can be applied to two different application scenarios by extracting the hidden data either from the encrypted image or from the decrypted image. The main limitation of this scheme is that it has a relatively low level of security, since only sample pixels are encrypted and interpolation-errors are not encrypted. In this paper, we develop a more secure and reliable framework for reversible data hiding in encrypted domain. Compared with our preliminary paper [22], the new contribution of this paper is the utilization of specific encryption for interpolation-error. In addition, a more flexible embedding mechanism is adopted, which is more suitable for practical issues with different capacity requirements. The rest of the paper is organized as follows. In Section 2, we describe the proposed scheme, which includes image encryption, data embedding in encrypted image, data extraction and original image recovery. Experimental results and analysis are presented in Section 3. Finally in Section 4, conclusion and future work are drawn.

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

2. Proposed scheme In this section, a RDH method in encrypted version of images is illustrated, which is made up of image encryption, data embedding in encrypted image, data extraction and image recovery phases. More precisely, the content owner encrypts the original image using standard stream cipher with encryption key to produce an encrypted image. For example, to protect patient's privacy and possible spoof attack, medical images are required to be encrypted. Then, the data-hider without knowing the actual contents of the original images can embed some additional data into the encrypted image. Here, the data-

Image encryption and data embedding

Data extraction and image recovery in two scenarios

Fig. 1. The framework of proposed scheme (a) Image encryption and data embedding and (b) data extraction and image recovery in two scenarios.

11

hider can be a third party, e.g., a database manager or a cloud provider, who is not authorized to access the original content of the signal (i.e., plaintext). At the receiving end, maybe the content owner himself or an authorized third party can extract the embedded data either in encrypted or decrypted image. Based on this observation, the framework of the proposed scheme is shown in Fig. 1, where image encryption and data embedding are depicted in part (a), data extraction and image decryption are shown in part (b). 2.1. Preprocessing: generation of interpolation-error Assume the original image is an 8 bit gray-scale image with its size N  M and pixels X ði; jÞ A ½0; 255,1r i rN, 1 r j rM. In particular, we classify all pixels in an image into two categories, namely, (a) sample pixels (SP) and, (b) non-sample pixels (NSP). Here, the set of SP consists of the pixels in every other column and row, i.e., X ð2n  1; 2m  1Þ with n ¼ 1; 2; :::; N=2, m ¼ 1; 2; :::; M=2, as depicted in Fig. 2 (a), which is sampled to form the low-resolution image. Those sample pixels are utilized as the reference points to estimate the missing pixels of high resolution image. Correspondingly, NSP refers to the pixels in the original image except sample pixels. Many prediction methods [5] and interpolation techniques [23,24] have been proposed to estimate pixel values in spatial domain. In our work, an interpolation technique in [23], which is Zhang et al.'s [25] simplified method, is adopted for interpolation. The estimation of the missing high-resolution pixels X ði; jÞ A NSP can be obtained in two steps. In the first step, those missing pixels X ð2n; 2mÞ at the center locations surrounded by four sample pixels, which are marked as ‘①’ in Fig. 2(b), are interpolated. Next, the other missing pixels X ð2n  1; 2mÞ and X ð2n; 2m  1Þ marked as ‘②’ in Fig. 2(c) are interpolated with the help of the already estimated pixels X ð2n; 2mÞ. The details of interpolation can refer to [23,25]. In fact, as described in [23], the proposed RDH scheme does not rely on the specific interpolation algorithm. However, a better interpolation method can be employed to enhance stego-image quality and increase embedding capacity, as it can obtain a more accurate prediction value. After the interpolating operation, the interpolationerror of pixels belonging to NSP, denoted by Eði; jÞ, can be

Fig. 2. Illustration of image interpolation (a) Down-sampled pixels, (b) the first round of prediction and (c) the second round of prediction.

12

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

obtained via calculating the difference between the interpolated pixel values and the original pixel values. Þ Obviously there are totally 3ðNM differences. 4 The next step is to replace the gray value with its interpolation error for the pixels belonging to NSP. Each pixel with gray value falling into [0, 255] can be represented by 8 bits, bði;jÞ ð0Þ,bði;jÞ ð1Þ,…, bði;jÞ ð7Þ, such that
 X ði; jÞ mod 2; k ¼ 0; 1; :::; 7 ð1Þ bði;jÞ ðkÞ ¼ 2k where b U c is a floor function that maps a real number to the largest previous integer. Since the interpolation error Eði; jÞ can either be positive or negative, the problem of representing a number's sign can be to allocate one sign bit to represent the sign: set that bit (often the most significant bit) to 1 for a positive number, and set to 0 for a negative number. The remaining bits in the number indicate the magnitude (or absolute value). Hence only 7 bits (apart from the sign bit) can be used to represent the magnitude which can range from 0000000 (0) to 1111111 (127). Thus only Eði; jÞ falling with the range of  127 and þ127 can be stored in 8 bits once the sign bit (the eighth bit) is added. The distribution of these interpolation errors is illustrated in Fig. 3. It seems that the interpolation errors are concentrated in the vicinity of zero. To recover the original image perfectly, interpolation error Eði; jÞ is truncated into ½ 127  T n ; 127 ðT p þ 1Þ by using Eq. (2). The truncation process is to ensure that the shifted and expanded values are restricted in the range of [ 127, þ127], which will be described later. (

Eði; jÞ ¼

Eði; jÞ þ ð127 þ T n Þ   Eði; jÞ  127  ðT p þ 1Þ

if Eði; jÞ o  127  T n if Eði; jÞ 4 127  ðT p þ 1Þ

ð2Þ In order for reversibility, a binary array, i.e., location map L1 , is introduced to record the positions of the points, in which “1” for Eði; jÞ2 = ½  127  T n ; 127  ðT p þ 1Þ and “0” for

others. More precisely, if Eði; jÞ2 = ½ 127  T n ; 127 ðT p þ 1Þ, the corresponding element is marked as “1” in the location map; otherwise, the element is marked as “0”. The location map L1 , which is mainly composed of zero, can be compressed with a lossless compression algorithm (e.g., arithmetic coding, run-length encoding) and then is saved as a part of side information and transmitted to the receiver side in order to recover the original grayscale values. In fact, location map is used widely in several state-of-the-art RDH algorithms such as difference expansion based algorithm [11], histogram shifting based algorithm [10] or interpolation based algorithm [23]. As known, it can also be embedded in the marginal area by using LSB replacement just like Luo et al.'s method [23]. More detailed information can be found in [23]. In our scheme, two capacity-dependent integer-valued parameters T n and T p are involved, where T n is the negative threshold value, i.e., T n o 0, and T p is the non-negative threshold value, i.e., T p Z0. For recovering data, threshold values T n and T p should also be transmitted to the receiver side. After applying the above interpolation method, the rearranged image X ði; jÞ consists of two parts: SP and interpolation-error of NSP. 2.2. Image encryption In general, image encryption is performed by the content owner. Different from our preliminary work [22], both SP and interpolation-error of NSP are encrypted to improve the security. Since the reference points (i.e., SP) are stored directly without prediction, they can be encrypted using a standard stream algorithm. First, each pixel belonging to SP can be represented by 8 bits as Eq. (1). Then, the bitwise exclusive-or (XOR) operation is performed between the original bits bði;jÞ ðkÞ and pseudo-random bits r ði;jÞ ðkÞ as

Fig. 3. The distribution of original interpolation-error (a) Lena, (b) Peppers, (c) Baboon, (d) Barbara, (e) Boat, (f) Truck, (g) Airplane and (h) Man.

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

13

error Eði; jÞ as follows.

follows. Ben ði;jÞ ðkÞ ¼ bði;jÞ ðkÞ  r ði;jÞ ðkÞ

ð3Þ

E0 ði; jÞ ¼  mod ðr 2 ði; jÞ  ðEði; jÞ  ðT n  1ÞÞ ; 127 þ 2T n Þ þ ðT n 1Þ

ð5Þ Pseudo-random bits are generated via a standard stream cipher determined by the encryption key Enkey_0 . In the next step, Ben ði;jÞ ðkÞ are concatenated orderly as the 7 P encrypted SP, i.e., Ben ði;jÞ ðkÞ U 2k . k¼0

To avoid the information leakage, interpolation-error of NSP are also be encrypted to further improve the security performance. According to the combination of histogram shifting and expansion proposed by Sachnev et al. [26], the interpolation errors belonging to ½T n ; T p  can be expanded to embed data, while the interpolation errors lying outside the interval ½T n ; T p  are going to be shifted to make room for the expansion. As a result, in order not to reduce the embedding capacity, interpolation errors within ½T n ; T p  are not encrypted. In summary, interpolation errors are encrypted in the following manner. If Eði; jÞ A ½T n ; T p , then E0 ði; jÞ ¼ Eði; jÞ, where E0 ði; jÞ denotes the encrypted version of interpolation error. If Eði; jÞ A ½T p þ1; 127  ðT p þ 1Þ, generate a pseudorandom number r 1 ði; jÞ A ½0; 127  2 ðT p þ 1Þ with the encryption key Enkey_1 , and encrypt interpolation error Eði; jÞ as follows.    E0 ði; jÞ ¼ mod Eði; jÞ  T p þ 1 þr 1 ði; jÞ ; 127 2ðT p þ 1Þ   þ 1Þ þ T p þ 1

ð4Þ

It is worth emphasizing that the encrypted value is still in the range ½T p þ 1; 127  ðT p þ 1Þ. Similarly, if Eði; jÞ A ½ 127  T n ; T n 1, generate a pseudo-random number r 2 ði; jÞ A ½0; 127 þ T n þ ðT n 1Þ with the encryption key Enkey_2 , and encrypt interpolation

As can be seen, the encrypted value is still in the range ½  127  T n ; T n  1. After encryption, the corresponding histogram of interpolation errors is shown in Fig. 4. By comparing Figs. 3 and 4, it can be seen that the distribution of interpolation errors is protected by encryption. Finally, the ultimate version of encrypted image, denoted by X en ði; jÞ, is formulated by combining encryption version of SP and interpolation-error of NSP. Anyone without the encryption key, such as a potential attacker or the data hider, cannot access the content of original image, thus privacy of the content owner is being protected in a trustworthy fashion. Since only XOR and modulo operations are to be performed, the main advantage of the encryption algorithm is that it is simple and can be operated at a high speed. 2.3. Data embedding in encrypted image After receiving the encrypted image, the data-hider can embed some additional information by modifying a small portion of the encrypted image. Due to the absence of encryption key, the data hider cannot obtain the plaintext image. In other words, data embedding operation must be carried out in the encrypted domain. Ni et al.'s histogram shifting-based algorithm [9] is an important work of RDH, in which the data embedding process is performed in three steps: (1) identify peak and zero points of the host image histogram; (2) vacate space for data embedding by shifting the bins between the peak and zero points with one level, and; (3) embed the secret data by modifying the peak point bins. The performance of

Fig. 4. The distribution of encrypted interpolation-error (a) Lena, (b) Peppers, (c) Baboon, (d) Barbara, (e) Boat, (f) Truck, (g) Airplane and (h) Man.

14

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

histogram shifting-based algorithm is highly dependent on the occurrence of the most frequent pixel value and the local characteristics of the host image (i.e., peak and zero points). In this paper, both bidirectional histogram shifting [27] and difference expansion based methods are unified in a common framework and applied to embed additional data into encrypted interpolation-error of NSP. Our data embedding algorithm in the encrypted domain can be described as follows. Step 1: Generate the histogram of interpolation-error from the encrypted image. Step 2: Embed data by modifying the histogram of interpolation-error through expansion and shifting. Specifically, for each encrypted interpolation-error E0 ði; jÞ, the embedding operation is formulated as 8 0 if E0 ði; jÞ A ½T n ; T p  > < 2 U E ði; jÞ þ w

E~ ði; jÞ ¼

E0 ði; jÞ þ T p þ 1 > : E0 ði; jÞ þ T n

if E0 ði; jÞ 4T p if E0 ði; jÞ oT n

ð6Þ

where E~ ði; jÞ denotes the marked interpolation-error, w A f0; 1g is the current to-be-embedded message bit. Here, the bins in ½T n ; T p  are expanded to embed data, and those in ½  127 T n ; T n  1 [ ½T p þ1; 127  ðT p þ 1Þ are shifted outwards to create vacancies. Obviously, for this interpolation-error expansion based embedding algorithm, the capacity C is equal to C¼

Tp X

hðlÞ

Fig. 5. Three examples of interpolation-error expansion and shifting (a) T n ¼  1,T p ¼ 0, (b) T n ¼  1,T p ¼ 1, and (c) T n ¼  2,T p ¼ 1.

ð7Þ

l ¼ Tn

where hðlÞ is the number of occurrence when the interpolation-error is equal to l. Obviously, the larger expansion range ½T n ; T p  results in higher capacity and distortion, and vice versa. In general, pairs of thresholds ½T n ; T p  can be [ 1, 0], [1, 1], and [2, 1]. For example, when T n ¼ 1 and T p ¼ 0, the first step is to empty  2 and þ1 by shifting the bins between [2,  126] leftward and [1, 126] rightward by one level, respectively. Next, two cases should be addressed for one bit embedding. Specifically, the relationship between E0 ði; jÞ and E~ ði; jÞ is given as follows. 8 0 > E ði; jÞ ¼ 0-E~ ði; jÞ A f0; 1g > > > 0 < E ði; jÞ ¼  1-E~ ði; jÞ A f  1; 2g > E0 ði; jÞ 4 0-E~ ði; jÞ ¼ Eði; jÞ þ 1 > > > : E0 ði; jÞ o  1-E~ ði; jÞ ¼ Eði; jÞ  1 To better illustrate this case, a graphical representation of interpolation-error expansion and shifting is shown intuitively in Fig. 5(a) [28]. If bins  1 and 0 cannot provide enough embeddable locations, increase T p by 1, i.e., T n ¼  1 and T p ¼ 1. The relationship between E0 ði; jÞ and E~ ði; jÞ is given as follows. 8 0 E ði; jÞ ¼ 0-E~ ði; jÞ A f0; 1g > > > > 0 ~ > > < E ði; jÞ ¼ 1-E ði; jÞ A f2; 3g 0 E ði; jÞ ¼  1-E~ ði; jÞ A f  1; 2g > > > E0 ði; jÞ 4 1-E~ ði; jÞ ¼ Eði; jÞ þ 2 > > > : 0 E ði; jÞ o  1-E~ ði; jÞ ¼ Eði; jÞ  1

Similarly, a graphical representation of interpolationerror expansion and shifting is given in Fig. 5(b). As another example, when T n ¼  2 and T p ¼ 1, a graphical representation is shown in Fig. 5(c). Note that the original interpolation-error Eði; jÞ has been truncated to ½  127  T n ; 127  ðT p þ1Þ, so even after histogram shifting, the interpolation-error E~ ði; jÞ is still within the range [  127, 127]. This means that overflow/underflow does not occur here. After data embedding, the data hider can construct the marked encrypted image, denoted by X en ði; jÞ, by combining encryption version of SP and marked interpolationerror of NSP. 2.4. Data extraction and original image recovery In this scheme, the hidden data can be extracted either in encrypted or decrypted domain, as shown in Fig. 1(b). Furthermore, our method is also reversible, where the hidden data could be removed to obtain the original image. We will first discuss the extraction in encrypted domain followed by decrypted domain. 1) Scheme I: Encrypted domain extraction In order to protect the users' privacy, the database manager (e.g., a cloud server) does not have sufficient permissions to access original video content due to the absence of encryption key. But the manager sometimes

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

need to note and mark the personal information in corresponding encrypted images as well as to verify their integrity. In this case, both data embedding and extraction should be manipulated in encrypted domain. As shown in Fig. 1(b), encrypted image containing hidden data is directly sent to the data extraction module. Once the ~ can be location map L2 is obtained, the embedded data w extracted as ~ ¼ E~ ði; jÞ mod 2E~ ði; jÞ A ½2T n ; 2T p þ 1 w

ð8Þ 0

The encrypted interpolation-error E ði; jÞ can be further recovered from the marked and encrypted interpolationerror E~ ði; jÞ as 8j k   ~ > if E~ ði; jÞ A 2T n ; 2 T p þ 1 > > E ði; jÞ=2 < ð9Þ E0 ði; jÞ ¼ E~ ði; jÞ  T p  1 if E~ ði; jÞ 42T p þ1 > > > : E~ ði; jÞ  T ~ if E ði; jÞ o2T n n Since the whole process is entirely operated in encrypted domain, it effectively avoids the leakage of original image content. Furthermore, both the original encrypted image and the hidden message can be perfectly restored, as the embedding and extraction rules are reversible. With the encryption key, the content owner can further decrypt the image to get the original cover image. The detailed decryption procedure is described as follows. Step 1: With the encryption key Enkey_0 , the original pixels X ði; jÞ A SP can be obtained. Because of the symmetry of the XOR operation, the decryption operation is symmetric to the encryption operation. That is, the encrypted data can be decrypted by performing XOR operation with generated pseudorandom bits, and then two XOR operations cancel each other out. Since the pseudorandom bits depend on the encryption key, the decryption is possible only for the authorized users. Step 2: Once X ði; jÞ A SP is obtained, the estimation of X ði; jÞ A NSP, denoted by X 0 ði; jÞ A NSP, can be calculated using the above-mentioned interpolation technology as discussed in Section 2.1. Step 3: With the encryption keys Enkey_1 and Enkey_2 , the encrypted interpolation-error E0 ði; jÞ can be decrypted in the following manner.

15

interpolation error according to the location map L1 . (

Eði; jÞ ¼

Eði; jÞ  ð127 þ T n Þ   Eði; jÞ þ 127  ðT p þ 1Þ

if Eði; jÞ o 0 & ði; jÞ A L1 if Eði; jÞ 4 0& ði; jÞ A L1

ð11Þ

Step 4: The obtained via

original

pixels

X ði; jÞ A NSP

can

X ði; jÞ ¼ X 0 ði; jÞ þ Eði; jÞ

be ð12Þ

2) Scheme II: Decrypted Domain Extraction In scheme I, both data embedding and extraction are performed in encrypted domain. However, in some cases, users want to decrypt the image first and then extract the hidden data from the decrypted image when it is needed. For example, with the encryption key, an authorized user wants to achieve the decrypted image containing the hidden data, which can be used to trace the source of the data. In this case, data extraction after image decryption is suitable. As shown in Fig. 1(b), the received encrypted image containing hidden data is first passed through the decryption module. The whole process of decryption and data extraction is comprised of the following steps. a) Generating the marked decrypted image. To form the marked decrypted image X″ which is made up of SP and NSP, the following steps should be done. Step 1: Since sample pixels X ði; jÞ A SP are not changed in the embedding process, its position can be still accurately located and pixel values can be maintained. With the encryption key Enkey_0 , the original pixels X ði; jÞ A SP can be obtained, as previously described. This means that the same set of interpolated pixels can be obtained in the decoding process. Step 2: Once X ði; jÞ A SP is obtained, the estimation of X ði; jÞ A NSP, denoted by X 0 ði; jÞ A NSP, can be obtained using the same interpolation technology as discussed in Section 2.1. As long as at extraction one has the same interpolation-error, the reversibility of the scheme is ensured. Step 3: Although the encrypted interpolation-error E0 ði; jÞ in ½  127  T n ; T n  1 [ ½T p þ 1; 127  ðT p þ1Þ are shifted outwards during embedding procedure, the

     8 mod E0 ði; jÞ  ðT p þ 1Þ  r 1 ði; jÞ ; 127  2ðT p þ 1Þ þ 1 þ T p þ 1 > <   0   Eði; jÞ ¼  mod  E ði; jÞ  ðT n  1Þ r 2 ði; jÞ; 127 þ 2T n þ ðT n 1Þ > : E0 ði; jÞ

  if E0 ði; jÞ A T p þ1; 127  ðT p þ 1Þ 0 if E ði; jÞ A ½  127  T n ; T n  1   if E0 ði; jÞ A T n ; T p ð10Þ

Step 4: According to Eq. (2), interpolation error Eði; jÞ ranging out of ½ 127  T n ; 127 ðT p þ 1Þ has been truncated. To restore the pixels X ði; jÞ A NSP, the following inverse operation should be done on the

marked interpolation-error E~ ði; jÞ is still within the range [ 127, 127]. Since overflow/underflow does not occur, the marked and decrypted interpolationerror E″ði; jÞ should be calculated in the following manner.

16

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

8

    > mod E~ ði; jÞ  2ðT p þ 1Þ  r 1 ði; jÞ ; 127  2ðT p þ 1Þ þ 1 þ2 T p þ 1 > > > < 



 E″ði; jÞ ¼  mod  E~ ði; jÞ  ð2T n  1Þ r 2 ði; jÞ; 127 þ 2T n þ ð2T n 1Þ > > > >~ : E ði; jÞ

Step 4: According to Eq. (2), interpolation error Eði; jÞ ranging out of ½  127  T n ; 127  ðT p þ1Þ has been truncated. To restore the pixels X″ði; jÞ A NSP, the following inverse operation should be done on the interpolation error according to the location map L1 . ( E″ði; jÞ ¼

E″ði; jÞ  ð127 þ T n Þ   E″ði; jÞ þ 127  ðT p þ 1Þ

if E″ði; jÞ o 0 & ði; jÞ A L1 if E″ði; jÞ 4 0& ði; jÞ A L1

ð14Þ

if E~ ði; jÞ 4 2T p þ1 if E~ ði; jÞ o2T n   if E~ ði; jÞ A 2T n ; 2T p þ 1

ð13Þ

~ can be extracted and the Step 3: The hidden data bit w original interpolation-error Eði; jÞ can be recovered according to the following equations. ~ ¼ E″ði; jÞ mod 2 E″ði; jÞ A ½2T n ; 2T p þ 1 w 8 > < E″ði; jÞ=2 Eði; jÞ ¼ E″ði; jÞ  T p  1 > : E″ði; jÞ  T n

ð19Þ

  if E″ði; jÞ A 2T n ; 2 T p þ1 if E″ði; jÞ 4 2T p þ1 if E″ði; jÞ o 2T n ð20Þ

Step 5: The marked pixels X″ði; jÞ A NSP can be further obtained via X″ði; jÞ ¼ X 0 ði; jÞ þ E″ði; jÞ

ð15Þ

Since E″ði; jÞ is the modified interpolation error value, overflow/underflow may occur. To restore the original image perfectly, the positions ði; jÞ such that X″ði; jÞ2 = ½0; 255 should also be recorded in a location map L3 . At the same time, X″ði; jÞ   is adjusted from ½256; 256 þT p  to ½256  T p þ 1 ; 255 or from ½T n ;  1 to ½0;  1  T n  by (     if X″ði; jÞ A 256; 256 þ T p E″ði; jÞ  T p þ 1 E″ði; jÞ ¼ if X″ði; jÞ A ½T n ;  1 E″ði; jÞ  T n ð16Þ

Step 6: The marked decrypted image can finally be formulated by substituting E~ ði; jÞ with X″ði; jÞ. No visible distortions can be observed in the marked decrypted images, as show in later experimental results. a) Data extraction and image recovery. After generating the marked decrypted image, the authorized user can further extract the hidden data and recover the original image. The corresponding extracting and recovering process is described as follows. Step 1: Generating the estimation of pixels belonging to NSP, i.e.,X 0 ði; jÞ A NSP, using the same interpolation technology as given in Section 2.1. Step 2: The interpolation errors are calculated by E″ði; jÞ ¼ X″ði; jÞ  X 0 ði; jÞ

ð17Þ

Note that some errors whose positions belong to the location map L3 should be further adjusted as follows ( E″ði; jÞ ¼

  E″ði; jÞ þ T p þ1 E″ði; jÞ þ T n

Step 4: The original pixels of X ði; jÞ A NSP can be recovered via X ði; jÞ ¼ X 0 ði; jÞ þ Eði; jÞ

ð21Þ

Step 5: The original image can be recovered successfully by replacing the marked pixel X″ði; jÞ A NSP with its original value X ði; jÞ A NSP.

3. Experimental results and analysis Eight well-known standard gray images, i.e., Lena, Baboon, Barbara, Peppers, Boat, Truck, Airplane, and Man are considered for experimental purposes. The size of all images is 512  512  8. The secret data is a binary sequence created by pseudo random number generator. 3.1. Security of encryption algorithm For an image encryption scheme, the security depends on cryptographic security and perceptual security. Cryptographic security denotes the security against cryptographic attacks, which relies on the underlying cipher. In the proposed scheme, the secure stream cipher is used to encrypt sample pixels, which has been proved its security against attack. In addition, to preserve the histogram of interpolation errors from leakage, two pseudo-random sequences r 1 ði; jÞ and r 2 ði; jÞ are used to encrypt interpolation errors. With respect to the histogram of encrypted interpolation errors as shown in Fig. 4, it can be observed that the modified distribution (excluding the range of ½T n ; T p ) appears to be uniform, which suggests that a statistical analysis would not be effective for the evaluation of the original image content. Note that, without the

    if X″ði; jÞ A 256  T p þ1 ; 255 & ði; jÞ A L3 if X″ði; jÞ A ½0;  1  T n  & ði; jÞ A L3

ð18Þ

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

17

Fig. 6. Original images.

Fig. 7. Encrypted images (a) Lena, PSNR ¼ 9.93 dB, (b) Baboon, PSNR ¼10.57 dB, (c) Barbara, PSNR ¼ 8.68 dB, (d) Peppers, PSNR ¼ 8.72 dB, (e) Boat, PSNR ¼ 9.43 dB, (f) Truck, PSNR ¼ 10.08 dB, (g) Airplane, PSNR ¼ 8.96 dB, (h) Man, PSNR ¼8.06 dB.

encryption keys, the data hider or an unauthorized third party would have difficulty in accessing the plaintext data. As a result, security and privacy protection are guaranteed. Perceptual security refers to the encrypted image is unintelligible. The proposed scheme encrypts sample pixels and partial interpolation errors. To investigate the scrambling effect, T n ¼ 1 and T p ¼ 0 is taken as an

example. The original images are given in Fig. 6, and their corresponding encrypted results are shown in Fig. 7. As can be seen, the visual information of the image is damaged, which means that there is no visual information available for the data-hider. In addition, Peak Signal to Noise Ratio (PSNR) values of eight encrypted images are 9.93 dB, 10.57 dB, 8.68 dB, 8.72 dB, 9.43 dB, 10.08 dB,

18

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

Fig. 8. Decrypted images containing hidden data (a) Lena, PSNR ¼49.99 dB, (b) Baboon, PSNR ¼ 49.58 dB, (c) Barbara, PSNR ¼ 49.76 dB, (d) Peppers, PSNR ¼ 49.83 dB, (e) Boat, PSNR ¼ 49.86d B, (f) Truck, PSNR ¼ 49.6 5dB, (g) Airplane, PSNR ¼ 49.99 dB, (h) Man, PSNR ¼49.77 Db.

Fig. 9. PSNR values of eight decrypted images.

the original image. In other words, the degradation of the image quality should be maintained at an acceptable range, whether or not the hidden data is removed. Since the embedding scheme is reversible, the original cover content can be perfectly recovered after extraction of the hidden data. At the same time, in the experiments, no visible artifacts can be observed in all of the decrypted images containing hidden data. Similarly, T n ¼ 1 and T p ¼ 0 is taken as an example. The decrypted images with hidden data are shown in Fig. 8. Besides subjective observation, PSNR results are also given in Fig. 8. We can see that PSNR values are all above 49.5 dB. It is almost impossible to detect the degradation in image quality caused by data hiding. More results based on other parameters, i.e., {T n ¼  1,T p ¼ 0}, {T n ¼ 1,T p ¼ 1}, and {T n ¼ 2,T p ¼ 1}, are given in Fig. 9. 3.3. Embedding capacity

8.96 dB, and 8.06 dB, respectively. Similar results are obtained for other parameters, e.g., {T n ¼ 1,T p ¼ 1}, and {T n ¼ 2,T p ¼ 1}. Due to space limitations, we do not list the results of all images. In general, scrambling performance of the described encryption system is more than adequate. To further improve the scrambling performance, the content owner may select q% interpolation errors in ½T n ; T p  randomly according to the encryption key. With the increase of q, the scrambling effect can also be improved. 3.2. Stego image quality The encrypted image containing hidden data provided by the server should be decrypted by the authorized user. Therefore, the visual quality of the decrypted image containing hidden data is expected to be equivalent or very close to that of

Obviously, the embedding capacity in each image is determined by the T p number of interpolation errors within P ½T n ; T p , i.e., C ¼ hðlÞ. As the side information is extrel ¼ Tn mely small with respect to the capacity, the side bits are not counted in the following experimental results. For eight standard gray images, the embedding rates are shown in Fig. 10. We can observe that the embedding capacity of the proposed scheme depends strongly on the characteristics of the original cover image, as each image has a different number of interpolation errors associated with the embedding process. As expected, for image of higher spatial activity (e.g., Baboon, Truck), the prediction accuracy decreases and hence low embedding rate is achieved. On the other hand, image of lower spatial activity (e.g., Lena, Airplane) achieves higher embedding rate due to higher pixel prediction accuracy. In addition, higher capacities can

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

Fig. 10. Embedding rates of eight standard images.

19

for embedding. Fig. 10 illustrates the embedding capacity for three cases, i.e., {T n ¼  1,T p ¼ 0}, {T n ¼ 1,T p ¼ 1}, and {T n ¼  2,T p ¼ 1}, which demonstrates the effectiveness of T n and T p on improving the embedding capacity. It is obvious that there is no perfect solution to achieve high payload and low distortion simultaneously. The more flexible capacity control is achieved in our framework, which is helpful to make a tradeoff between the capacity and the visual quality according to the different practical requirements. Besides eight standard images, i.e., Lena, Baboon, Barbara, Peppers, Boat, Truck, Airplane, and Man, another 60 images are randomly selected from a popular gray-scale image database [29] for testing. PSNR values of 60 decrypted images are given in Fig. 11, and the corresponding embedding rates of 60 test images are shown in Fig. 12. 3.4. Comparison and discussion

Fig. 11. PSNR values of 60 decrypted images.

Fig. 12. Embedding rates of 60 test images.

be also achieved by applying multiple-layer embedding strategy, which is not considered here. As also can be seen, the parameters T n and T p can be used for adjusting the embedding capacity flexibly. When a low capacity is needed, e.g., for content authentication purpose, we can narrow the embedding range, e.g., T n ¼  1 and T p ¼ 0. In this way, a higher quality of stegoimage can be achieved, as depicted in Fig. 9. On the other hand, we can change the parameters to achieve a higher capacity, e.g., T n ¼ 2 and T p ¼ 1. Since the embedding range is larger, more interpolation errors can be exploited

Limited research has been carried out on reversible data hiding in encrypted image. As mentioned in Section 1, all methods in [14–18] may introduce some errors on data extraction and/or image recovery, while the complete reversibility can be achieved in the proposed method. More importantly, these methods are designed to carry only small payloads. Take Zhang's method [14] as instance, the embedding rate is 0.0156 bpp associated with block size 8  8. If error correction mechanism is introduced, the actual embedding rate will be further decreased. It can be observed that our method achieves significantly higher embedding rate. For methods in [19,20], completely errorfree data extraction and image recovery can be obtained. But histogram shifting should be done prior to encrypting the image. Instead, the image is firstly encrypted in our method, which tends to be more reasonable. In addition, in [20], a large portion of pixels are utilized to estimate the rest p% pixels. The cost is considerably expensive because p is usually smaller than 20. But in our proposed scheme, only 25% of the pixels are stored to predict the remaining 75%, which promises a larger embedding capacity. This has also been demonstrated by the experimental results, which is shown in Fig. 13. Herein, T n ¼  1 and T p ¼ 0. As the latest work, Cao et al.'s method [21] outperforms previous methods significantly in terms of the embedding rate and the image quality. The experimental results of comparison with the state-of-the-art method in [21] is also given in Fig. 14. Here, the embedding rate of 0.1 bpp is taken as an example. As can be seen, except Airplane, the experimental results are mostly close to the most state-ofthe-art method. In addition, compared with our previous work [22], security has been enhanced as illustrated in Figs. 3 and 4, since both SP and interpolation-error of NSP are encrypted.

4. Conclusion and future work In this paper, an algorithm to reversibly embed secret data in encrypted images is presented, which consists of image encryption, data embedding and data extraction

20

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

distortion model and design the code construction to efficiently approach the bound for reversible data hiding in encrypted domain is an interesting direction for future work. Moreover, future work also aims at designing more efficient reversible data hiding scheme in encrypted videos [33].

Acknowledgment

Fig. 13. Embedding rate comparison with [20].

This work is supported by the National Natural Science Foundation of China (61301247 and 61170137), Zhejiang Provincial Natural Science Foundation of China (LY13F020013 and LZ15F020002), Public Welfare Technology Application Research Project of Zhejiang Province (2015C33237), Open Fund of Zhejiang Provincial Top Key Discipline (xkxl1405).

References

Fig. 14. PSNR comparion for the directly decrypted images.

three phases. A stream cipher is utilized to encrypt sample pixels and a specific encryption mode is designed to encrypt interpolation-error of non-sample pixels, which results in high-level of security. The data-hider can embed the secret data into the encrypted image by using histogram shifting and difference expansion, even though he does not know the original image content. Since the embedding process is done on encrypted data, our scheme preserves the confidentiality of content. Two capacitydependent parameters are introduced to flexibly adjust the embedding capacity according to the specific application at hand. Data extraction is separable from image decryption, i.e., the additional data can be extracted either in encrypted domain or decrypted domain. Furthermore, this algorithm can achieve real reversibility, and high quality of marked decrypted images. One of the possible applications of this method is image annotation in cloud computing where high image quality and reversibility are greatly desired. Although RDH and cryptography have been studied extensively and many techniques are available, RDH in encrypted domain is a highly interdisciplinary area of research. Technical research in this field has only just begun, and there is still an open space for research in this interdisciplinary research area. In future, considerable more effort is needed to determine the optimal modification on the histogram for achieving the maximum embedding rate. In [30–32], code construction approaching the theoretical rate-distortion bound of reversible data hiding has been studied. How to establish the rate-

[1] L. Zhou, V. Varadharajan, M. Hitchens, Achieving secure role-based access control on encrypted data in cloud storage, IEEE Trans. Inf. Forensics Secur. 8 (12) (2013) 1947–1960. [2] A.V. Subramanyam, S. Emmanuel, M.S. Kankanhalli, Robust watermarking of compressed and encrypted JPEG2000 images, IEEE Trans. Multimed. 14 (3) (2012) 703–716. [3] P.J. Zheng, J.W. Huang, Walsh–Hadamard transform in the homomorphic encrypted domain and its application in image watermarking, in: Proceedings of the 14th Information Hiding Conference, Berkeley, California, 2012, pp. 1–15. [4] M. Karim, K. Wong, Universal data embedding in encrypted domain, Signal Process. 94 (2014) 174–182. [5] R.M. Rad, K.S. Wong, J.M. Guo, A unified data embedding and scrambling method, IEEE Trans. Image Process. 23 (4) (2014) 1463–1475. [6] D.W. Xu, R.D. Wang, Y.Q. Shi, Data hiding in encrypted H.264/AVC video streams by codeword substitution, IEEE Trans. Inf. Forensics Secur. 9 (4) (2014) 596–606. [7] J. Fridrich, M. Goljan, R. Du, Lossless data embedding – new paradigm in digital watermarking, EURASIP J. Appl. Signal Process. 2002 (2) (2002) 185–196. [8] M.U. Celik, G. Sharma, A.M. Tekalp, E. Saber, Lossless generalized – LSB data embedding, IEEE Trans. Image Process. 14 (2) (2005) 253–266. [9] Z.C. Ni, Y.Q. Shi, N. Ansari, W. Su, Reversible data hiding, IEEE Trans. Circuits Syst. Video Technol. 16 (3) (2006) 354–362. [10] X.L. Li, B. Li, B. Yang, T.Y. Zeng, General framework to histogramshifting-based reversible data hiding, IEEE Trans. Image Process. 22 (6) (2013) 2181–2191. [11] J. Tian, Reversible data embedding using a difference expansion, IEEE Trans. Circuits Syst. Video Technol. 13 (8) (2003) 890–896. [12] I.C. Dragoi, D. Coltuc, Local-prediction-based difference expansion reversible watermarking, IEEE Trans. Image Process. 23 (4) (2014) 1779–1790. [13] A. Khan, A. Siddiqa, S. Mubib, S.A. Malik, A recent survey of reversible watermarking techniques, Inf. Sci. 279 (2014) 251–272. [14] X.P. Zhang, Reversible data hiding in encrypted image, IEEE Signal Process. Lett. 18 (4) (2011) 255–258. [15] W. Hong, T.S. Chen, H.Y. Wu, An improved reversible data hiding in encrypted images using side match, IEEE Signal Process. Lett. 19 (4) (2012) 199–202. [16] Z.X. Qian, X.P. Zhang, S.Z. Wang, Reversible data hiding in encrypted JPEG bitstream, IEEE Trans. Multimed. 16 (5) (2014) 1486–1491. [17] X.P. Zhang, Separable reversible data hiding in encrypted image, IEEE Trans. Inf. Forensics Secur. 7 (2) (2012) 826–832. [18] X.P. Zhang, Z.X. Qian, G.R. Feng, Y.L. Ren, Efficient reversible data hiding in encrypted images, J. Vis. Commun. Image Represent. 25 (2) (2014) 322–328. [19] K.D. Ma, W.M. Zhang, X.F. Zhao, et al., Reversible data hiding in encrypted images by reserving room before encryption, IEEE Trans. Inf. Forensics Secur. 8 (3) (2013) 553–562.

D. Xu, R. Wang / Signal Processing 123 (2016) 9–21

[20] W.M. Zhang, K.D. Ma, N.H. Yu, Reversibility improved data hiding in encrypted images, Signal Process. 94 (2014) 118–127. [21] X.C. Cao, L. Du, X.X. Wei, D.M. Meng, X.J. Guo, High capacity reversible data hiding in encrypted images by patch-level sparse representation, IEEE Trans. Cybern., no. 99, pp. 1,1 http://dx.doi.org/10. 1109/TCYB.2015.2423678. [22] D.W. Xu, R.D. Wang, Reversible data hiding in encrypted images using interpolation and histogram shifting, in: International Workshop on Digital-forensics and Watermarking (IWDW 2014), 2014, Taipei, Taiwan, LNCS 9023, pp. 230–242. [23] L.X. Luo, Z.Y. Chen, M. Chen, Reversible image watermarking using interpolation technique, IEEE Trans. Inf. Forensics Secur. 5 (1) (2010) 187–193. [24] C. Yüzkollar, Ü. Kocabiçak, Region based interpolation error expansion algorithm for reversible image watermarking, Appl. Soft Comput. 33 (2015) 127–135. [25] L. Zhang, X. Wu, An edge-guided image interpolation algorithm via directional filtering and data fusion, IEEE Trans. Image Process. 15 (8) (2006) 2226–2238. [26] V. Sachnev, H.J. Kim, J. Nam, et al., Reversible watermarking algorithm using sorting and prediction, IEEE Trans. Circuits Syst. Video Technol. 19 (7) (2009) 989–999.

21

[27] D.W. Xu, R.D. Wang, Y.Q. Shi, An improved reversible data hidingbased approach for intra-frame error concealment in H.264/AVC, J. Vis. Commun. Image Represent. 25 (2) (2014) 410–422. [28] B. Ou, X.L. Li, Y. Zhao, et al., Pairwise prediction-error expansion for efficient reversible data hiding, IEEE Trans. Image Process. 22 (12) (2013) 5010–5021. [29] Miscelaneous gray level images. Available from: 〈〈http://decsai.ugr. es/cvg/dbimagenes/g512.php〉. [30] W.M. Zhang, B. Chen, N.H. Yu, Improving various reversible data hiding schemes via optimal codes for binary covers, IEEE Trans. Image Process. 21 (6) (2012) 2991–3003. [31] S.J. Lin, W.H. Chung, The scalar scheme for reversible information embedding in gray-scale signals: capacity evaluation and code constructions, IEEE Trans. Inf. Forensics Secur. 7 (4) (2012) 1155–1167. [32] W.M. Zhang, X.C. Hu, X.L. Li, N.H. Yu, Recursive histogram modification: establishing equivalency between reversible data hiding and lossless data compression, IEEE Trans. Image Process. 22 (7) (2013) 2775–2785. [33] D.W. Xu, R.D. Wang, Efficient reversible data hiding in encrypted H.264/AVC videos, J. Electron. Imaging 23 (5) (2014) 1–14.