2019
Abstract—This paper proposes a novel framework of reversible data hiding in encrypted JPEG bitstream. We first provide a JPEG encryption algorithm to encipher a JPEG image to a smaller size and keep the format compliant to JPEG decoders. After an image owner uploads the encrypted JPEG bitstreams to cloud storage, the server embeds additional messages into the ciphertext to construct a marked encrypted JPEG bitstream. During data hiding, we propose a combined embedding algorithm including two stages, the Huffman code mapping and the ordered histogram shifting. The embedding procedure is reversible. When an authorized user requires a downloading operation, the server extracts additional messages from the marked encrypted JPEG bitstream and recovers the original encrypted bitstream losslessly. After downloading, the user obtains the original JPEG bitstream by a direct decryption. The proposed framework outperforms previous works on RDH-EI. First, since the tasks of data embedding/extraction and bitstream recovery are all accomplished by the server, the image owner and the authorized user are required to implement no extra operations except JPEG encryption or decryption. Second, the embedding payload is larger than state-of-the-art works.

Index Terms—Reversible data hiding, information hiding, image recovery, JPEG encryption

achieved in the proposed method. First, the tasks of data embedding, data extraction and bitstream recovery are all done by the server. There are no extra computation burdens for owner/user except encryption/decryption. Second, we achieve a larger embedding payload than state-of-the-art works on JPEG RDH-EI. In the rest of the paper, we first introduce the previous arts of RDH-EI in Section II. In Section III, we briefly depict the new framework. JPEG encryption and decryption algorithms for both the owner and the user are proposed in Section IV. Section V provides the embedding, extraction and recovery algorithms. Section VI provides the experimental results and analyses. The paper is concluded in Section VII.

II. PREVIOUS ARTS

A. RDH-EI for Uncompressed Images

RDH-EI was first realized in uncompressed natural images [3]. The content owner encrypts the original image using a stream cipher algorithm and then uploads the encrypted image onto the cloud. The cloud server embeds additional bits into the ciphertext by flipping three least significant bits (LSB) of half of the pixels in each block. On the recipient end, the authorized user decrypts the marked encrypted image and generates two candidates for each block by flipping LSBs again. Since the original block of a natural image is smoother than the interfered block, one hidden bit can be extracted and the original block can be recovered. This method was improved in [4] using a side match algorithm to investigate the spatial correlation between neighboring blocks. The flipping based approaches in [3] and [4] were improved in [5] to reduce errors by comparing more neighbor pixels. However, when the pixels in a block have identical values, data extraction and image recovery in [3-5] may fail. A swapping and shifting based RDH-EI method was proposed to overcome this drawback [6]. Machine learning was also used in RDH-EI to improve the embedding capacity [7].

Although the methods in [2-7] have good embedding and recovery capabilities, data extraction must be done after image decryption. This limitation makes the technique less useful in cloud storage. Separable algorithms were proposed to resolve the problem [8]. With a pseudo-randomly generated matrix, the server compresses some LSB-planes of the encrypted pixels to fewer bits to generate spare rooms for hiding additional messages. Therefore, the hidden bits can be extracted directly from the marked encrypted image. On the recipient side, the original contents are recovered by estimating LSBs using MSBs of neighboring pixels. This method was improved in [9] by selecting appropriate bitplanes from the encrypted image. Distributed source coding (DSC) is used to design RDH-EI in [10]. The server compresses some selected bits in the encrypted image to hide additional messages. A much higher capacity can be achieved using a Low-Density-Parity-Check (LDPC) based Slepian-Wolf encoder. This method was further improved in [11] using a progressive recovery algorithm, which achieves a better embedding rate. In [12], an RDH-EI with higher embedding capacity was proposed by maintaining some redundancies during image encryption.

Another type of RDH-EI is realized by preprocessing the original image. Some works require the image owner to vacate spare rooms in the plaintext image before image encryption. We name this additional operation of vacating spare rooms in plaintext as preprocessing. After that, the image owner encrypts the processed image and uploads it onto the server. Image encryption should not be accounted as preprocessing, since encryption is required in all RDH-EI methods. In [13], LSBs of some pixels are embedded into other pixels using traditional RDH for plaintext images. Therefore, these LSBs are vacated as spare rooms. The processed image is then encrypted and uploaded to the cloud. On the cloud, the server embeds additional bits into the encrypted image using the specified spare rooms, which provides a very high embedding rate. In [14], some pixels are used to estimate the rest before encryption. After encrypting the pixels and estimation errors, a final version of the encrypted image is formulated. The server realizes data hiding by modifying the estimation errors. In [15], patch-level sparse representation is used to explore the correlations of neighbor pixels. Another RDH-EI approach was realized by histogram shifting in the spatial permuted images [16]. In [17], image transformation was proposed to encrypt one image to another. Additional bits are embedded by RDH in plaintext images. The preprocessing based methods in [8-17] can achieve much better embedding rates, but require extra RDH operations before image encryption.

B. RDH-EI for JPEG Bitstreams

The aforementioned RDH-EI is for uncompressed images. However, those methods are not useful in many applications because most images transmitted over the Internet are compressed, e.g., the popular JPEG. As a consequence, some RDH-EI works were proposed for JPEG bitstreams [18-21].

The first RDH-EI for JPEG bitstreams was proposed in [18]. This scheme begins with a JPEG encryption algorithm, in which the appended bits of Huffman codes are encrypted by a stream cipher, and all Huffman codes are kept unchanged. After encryption, the JPEG file size is preserved and the format is compliant to JPEG decoders. On the cloud, the server selects the encrypted bitstreams of some blocks as candidates. Additional bits are encoded by LDPC-based error correction codes (ECC) and embedded into the useful candidate bitstream by flipping the LSBs of the encrypted appended bits of the AC coefficients in each candidate block. After the authorized user downloads and decrypts the marked encrypted bitstream, LSBs of the appended bits of useful candidates are flipped again to estimate the additional bits using a predefined blocking artifact function and an ECC decoder. Meanwhile, the original bitstream is losslessly recovered according to the extracted bits. This method is improved in [19], in which the embedding room was reserved before bitstream encryption. Although the embedding capacity is larger, the preprocessing requires the image owner to do an additional computation. Another solution of reversibly hiding data in encrypted JPEG bitstream was proposed in [20], in which image encryption and data embedding are combined together. By scrambling the JPEG structure, the image is encrypted and the additional bits are embedded. The method in [20] cannot be used in cloud storage since the server is unable to embed bits into the encrypted bitstream.
IEEE Transactions on Circuits and Systems for Video Technology, Feb. 2019

ECSi = {DCC<i>, ACC<i, 1>, ACC<i, 2>, …, EOB}
     = {[DCH<i>, DCA<i>], [ACH<i, 1>, ACA<i, 1>], [ACH<i, 2>, ACA<i, 2>], …, EOB}.

A. JPEG Encryption

Generally, JPEG encryption is required to be compliant to popular decoders [23]. Therefore, we propose an algorithm to encrypt the original JPEG bitstream to a new JPEG bitstream using an encryption key. The encryption is symmetric, and the secret key must be transmitted to the recipient over a reliable channel. The encryption algorithm includes four steps.

[Fig. 5. New JPEG Bitstream: SOI, modified JPEG header, new entropy encoded data (ECSs(1), ECSs(2), …, ECSs(n)), EOI]

In Step One, with an encryption key Kenc, the image owner pseudo-randomly selects n entropy-coded segments from the original JPEG bitstream J, where 1<n<N. Let these segments be ECSs(i), i=1, 2, …, n. Correspondingly, the remaining seg-

An example is shown in Fig. 6, in which (a) is the image decoded from the original JPEG bitstream, and (b) is the encrypted image decoded from the encrypted JPEG bitstream. The original size of (a) is 512×512. After encryption, the size of the encrypted image (b) is 256×256. The size of the encrypted image is specified by the owner.

[Fig. 6. Constructing an encrypted JPEG bitstream, (a) is the original image Lena, (b) the encrypted image.]

B. JPEG Decryption

On the recipient end, the authorized user decrypts the enciphered JPEG bitstream J* using a decryption key Kdec. Generally, the decryption key Kdec is identical to Kenc. The decryption procedure is reverse to encryption, also containing three steps.

In Step One, the user extracts N-n encrypted segments from the reserved application APPn in the JPEG header JH*. With
the decryption key Kdec, the user uses the stream cipher to decrypt these segments back to ECSr(j), where j=1, 2, …, N-n.

In Step Two, n segments ECSs(i)* (i=1, 2, …, n) are extracted from J*. The user reads [DCH<s(i)>*, DCA<s(i)>*] from all segments ECSs(i)*, and decodes them into the values of {ds(1)', ds(2)', …, ds(n)'}. The original DC coefficients {ds(1), ds(2), …, ds(n)} of the selected segments are reconstructed by

$$d_{s(i)} = \sum_{k=1}^{i} d_{s(k)}', \quad i = 1, 2, \dots, n \qquad (2)$$

The user re-encodes these DC coefficients into [DCH<s(i)>, DCA<s(i)>] by Huffman codes, and reconstructs the original ECSs(i).

In Step Three, the user rearranges all segments of ECSs(i) and ECSr(j) and reconstructs the original entropy encoded data. After modifying the JPEG header to specify the original image size H×W, the original JPEG stream J is finally decrypted.

V. DATA EMBEDDING AND EXTRACTION

After the user uploads an encrypted JPEG bitstream J* onto the cloud, the server embeds additional messages into the ciphertext to generate a marked encrypted JPEG bitstream. Because the embedding procedure is reversible, the original encrypted JPEG bitstream can be losslessly recovered. The embedding procedure is depicted in Fig. 7, including two stages. In Stage One, with a Huffman code mapping algorithm, we losslessly embed a part of additional messages into J* to generate an intermediate bitstream JM*. In Stage Two, the other messages are reversibly embedded into JM* using an ordered embedding algorithm, and a marked encrypted bitstream JE* is finally generated.

A. Stage One: Code Mapping Based Embedding

According to Table K.5 in JPEG Standard [25], there are 162 Huffman codes for AC coefficients of the luminance component. Each code represents one run/size pair. Hence, there are 162 run/size pairs, including the pairs ranging from 0/1 to 15/10, a pair 0/0 (EOB), and a zero-run-length (ZRL) pair 15/0. This information is recorded as the Huffman Table in the JPEG header. Generally, only a part of the AC Huffman codes are used during JPEG compression. According to this fact, the server can employ the unused codes to represent additional bits to be embedded.

The server first extracts the Huffman table from the header JH* of the encrypted JPEG bitstream J*, and constructs 162 AC Huffman codes. These codes are separated into two categories, the frozen codes F and the active codes A. The frozen category F contains 12 AC Huffman codes corresponding to the run/size pairs of {0/0, 0/1, …, 0/10, EOB, ZRL}, which are not used during data embedding. The other 150 codes constitute the active category A, corresponding to the run/size pairs of {1/1, …, 1/10, 2/1, …, 2/10, …, 15/1, …, 15/10}.

The server also extracts the AC Huffman codes {ACH<s(i), 1>, ACH<s(i), 2>, …} from ECSs(i)*, where i=1,2,…,n. From these codes, the server finds all codes that belong to the active category A. Assuming there are p kinds of such codes used in J*, we denote them as $U=\{u_1, u_2, \dots, u_p\}$, where $U \subset A$ and $0 \le p \le 150$. Correspondingly, there must be $150-p$ AC Huffman codes that are not used in J*. Let the category of these codes be $N=\{n_1, n_2, \dots, n_q\}$, where $N=A-U$ and $q=150-p$.

Next, the server further divides the codes in U into 13 groups $\{U_4, U_5, \dots, U_{16}\}$, such that the length of each code in $U_k$ is equal to k bits, where $U_k=\{u_1^{(k)}, u_2^{(k)}, \dots, u_{p_k}^{(k)}\}$, $k=4,5,\dots,16$, and $\sum_{k=4}^{16} p_k = p$. In the same way, the server also divides N into 13 groups $\{N_4, N_5, \dots, N_{16}\}$, where $N_k=\{n_1^{(k)}, n_2^{(k)}, \dots, n_{q_k}^{(k)}\}$ and $\sum_{k=4}^{16} q_k = q$.

With these groups, the server maps the codes in $U_k$ with the codes in $N_k$. If $p_k<q_k$, each code in $U_k$ is mapped with $\pi_k$ codes in $N_k$,

$$u_i^{(k)} \leftarrow \{n_{(i-1)\cdot\pi_k+1}^{(k)}, \dots, n_{i\cdot\pi_k}^{(k)}\} \qquad (3)$$

where $\pi_k = 2^{\lfloor \log_2(q_k/p_k+1) \rfloor} - 1$ and $i=1, 2, \dots, p_k$.

Otherwise, codes in $U_k$ and $N_k$ are mapped in a one-to-one manner,

$$u_j^{(k)} \leftarrow n_j^{(k)} \qquad (4)$$

where $j=1, 2, \dots, q_k$. The mapping in (4) is equivalent to a special case of $\pi_k=1$ in (3).

Accordingly, the server modifies the Huffman Table in the JPEG header JH* to record the mapping relationships. The run/size values of $\pi_k$ codes in $N_k$ are replaced with the run/size values of the mapped code in $U_k$. Therefore, one run/size value in the modified Huffman Table may have several Huffman codes. A new JPEG header JH*' is therefore constructed.

After the mapping relationships are identified in JH*', each code in the mapping is used to represent $\log_2(\pi_k+1)$ additional bits. Then, according to the additional bits M1 to be embedded, the server substitutes the used AC Huffman code with the mapped codes. Thus, a part of the AC Huffman codes in ECSs(i)* are modified to carry additional messages.

For example, in an encrypted JPEG bitstream J*, an AC Huffman code “111010” is used, and the code “111011” is not used. Assuming $\pi_k=1$ (k=6), a mapping relationship can be constructed by “111010”←“111011”. After modifying the Huffman Table in the JPEG header, the run/size value “3/1” has two Huffman codes “111010” and “111011”. We use “111010” and “111011” to represent one additional bit “0” and “1”, respectively. Therefore, when embedding a bit “1” into the bitstream, the server replaces “111010” with “111011”.

[Fig. 7 (block diagram): J* → Huffman Code Mapping → Bitstream Substitution → JM* → Entropy Decoding → Ordered Embedding → Bitstream Modification → JE*]
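
The Stage One code mapping described above can be followed on a toy table. The Python below is an added example, not the authors' code: it treats the entropy-coded data as a list of already-parsed AC Huffman codes, and apart from “111010”/“111011” from the text, the code words and the helper names (`pi_k`, `build_groups`, `embed`, `extract`) are constructed for illustration.

```python
from collections import defaultdict

# Constructed toy data (not Table K.5): active AC Huffman codes and a parsed stream.
ACTIVE = ["111010", "111011", "1111000", "1111001", "1111010", "1111011"]
STREAM = ["111010", "1111000", "1010", "111010", "1111000", "111010", "1010"]  # "1010" is frozen


def pi_k(p, q):
    """pi_k of (3): 2^floor(log2(q/p + 1)) - 1 if p < q, else 1 (case (4)); 0 if nothing maps."""
    if p == 0 or q == 0:
        return 0
    if p >= q:
        return 1
    return (1 << (((p + q) // p).bit_length() - 1)) - 1


def build_groups(active, stream):
    """Map each used active code u to [u, n, ...]; the list index is the embedded symbol."""
    used = set(stream) & set(active)
    by_len = defaultdict(lambda: ([], []))           # k -> (U_k, N_k)
    for code in sorted(active):
        by_len[len(code)][0 if code in used else 1].append(code)
    groups = {}
    for U, N in by_len.values():
        pi = pi_k(len(U), len(N))
        if pi:
            for i, u in enumerate(U[:len(N)]):       # only q_k codes map when p_k >= q_k
                groups[u] = [u] + N[i * pi:(i + 1) * pi]
    return groups


def capacity(stream, groups):
    """Bits carried by the stream: log2(pi_k + 1) per occurrence of a mapped code."""
    return sum(len(groups[c]).bit_length() - 1 for c in stream if c in groups)


def embed(stream, groups, bits):
    """Substitute mapped codes according to the message bits (zero-padded at the end)."""
    out, pos = [], 0
    for code in stream:
        group = groups.get(code)
        if group is None:                            # frozen or unmapped code: untouched
            out.append(code)
            continue
        nb = len(group).bit_length() - 1
        out.append(group[int(bits[pos:pos + nb].ljust(nb, "0"), 2)])
        pos += nb
    if pos < len(bits):
        raise ValueError("message exceeds Stage One capacity")
    return out


def extract(marked, groups):
    """Read the bits back and restore the original codes (lossless recovery)."""
    reverse = {c: (u, i) for u, g in groups.items() for i, c in enumerate(g)}
    bits, restored = [], []
    for code in marked:
        if code in reverse:
            u, i = reverse[code]
            nb = len(groups[u]).bit_length() - 1
            bits.append(format(i, "0{}b".format(nb)))
            restored.append(u)
        else:
            restored.append(code)
    return "".join(bits), restored


if __name__ == "__main__":
    groups = build_groups(ACTIVE, STREAM)
    marked = embed(STREAM, groups, "1100111")
    print(capacity(STREAM, groups), marked, extract(marked, groups))
```

Here `groups` stands in for the mapping that the server records in the modified Huffman Table of JH*', which is what lets the extractor rebuild the same correspondence.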

After sequentially modifying the AC Huffman codes to hide the additional bits, a marked encrypted bitstream JM* is finally constructed,

JM*={SOI, JH*', ECSs(1)*', …, ECSs(n)*', EOI}

where ECSs(i)*' (i=1,2,…,n) represents the marked entropy-coded segments constructed in Stage One.

The embedding capacity CM of this stage can be evaluated by

$$C_M = \sum_{k=4}^{16} \gamma_k \cdot \log_2(\pi_k + 1) \qquad (5)$$

where $\gamma_k$ represents the number of used codes in JM* satisfying the mapping relationships.

The marked bitstream JM* can still be decoded directly by the popular JPEG decoders. Meanwhile, the decoded image is identical to that decoded from J*, since the embedding procedure is lossless to the content. To make an explicit description, we summarize the embedding steps in Table II.

Table II. Embedding Steps of Stage One
Input: Encrypted JPEG Bitstream J*, Additional Message M1
Output: Marked Encrypted Bitstream JM*
1. Extract JPEG header JH* and all entropy-coded segments ECSs(i)* from J*.
2. Construct 162 AC Huffman codes, and divide them into two categories: the frozen codes and the active codes.
3. Extract all AC Huffman codes from ECSs(i)*, and find the active codes that are used in J*.
4. Map the used active codes with the unused using (3) and (4) to represent additional bits.
5. Record the mapping by modifying JH* to generate a new JPEG header JH*'.
6. Data embedding: according to M1, substitute the codes in all ECSs(i)* with the mapped codes to generate ECSs(i)*'.
7. Integrate JH*' with ECSs(i)*' to generate the marked JM*.

B. Stage Two: Ordered Embedding

In Stage Two, the server embeds more additional bits into the marked encrypted JPEG bitstream JM* generated in Stage One, using an algorithm of ordered embedding based on histogram shifting. Generally, there are two goals of histogram shifting based RDH in JPEG bitstream. The first goal is to embed as many payloads as possible, while the second is to reduce the bitstream length increment as far as possible.

In JPEG standard, the zigzag scanned AC coefficients in each block are turned into (R, V) pairs, where R stands for zero-run-length and V the value of a non-zero coefficient. According to the value V of each AC coefficient, the size of V is identified as S. According to the relationships between V and S, shown in Table III, all (R, V) pairs are turned into (R/S, V). Each R/S is represented by a Huffman code according to the pre-defined Huffman Table, i.e., Table K.5 of JPEG Standard. Correspondingly, the value V is encoded by variable-length-integer (VLI) codes. The table of VLI codes is also shown in Table III.

On the aspect of embedding payload, we arbitrarily choose 30 images from the BOSSbase image dataset [26], and compress these images by the toolbox of “Independent JPEG Group” (IJG) [27] using different quality factors (QF). After averaging the number of (R, V) pairs corresponding to different R in all bitstreams, more (R, V) pairs in an image when R gets smaller. The results in Fig. 8 show that the distributions are independent from the quality factors. Fig. 8 also shows that around 70% pairs have the run value R=0. As a result, for any quality factor based bitstream we use pairs with R=0 to carry more bits.

Table III. Categories of different V and the VLI codes

| V | S | VLI Codes |
|---|---|---|
| –1, 1 | 1 | 0, 1 |
| –3, –2, 2, 3 | 2 | 00, 01, 10, 11 |
| –7, …, –4, 4, …, 7 | 3 | 000, …, 111 |
| –15, …, –8, 8, …, 15 | 4 | 0000, …, 1111 |
| –31, …, –16, 16, …, 31 | 5 | 00000, …, 11111 |
| –63, …, –32, 32, …, 63 | 6 | 000000, …, 111111 |
| –127, …, –64, 64, …, 127 | 7 | 0000000, …, 1111111 |
| –255, …, –128, 128, …, 255 | 8 | 00000000, …, 11111111 |
| –511, …, –256, 256, …, 511 | 9 | 000000000, …, 111111111 |
| –1023, …, –512, 512, …, 1023 | 10 | 0000000000, …, 1111111111 |

[Fig. 8. Average amount of ZRV pairs corresponding to R using different quality factors]

When hiding additional data into a JPEG bitstream by histogram shifting, the length of the bitstream may increase, including the Huffman code increment and the VLI increment. According to Table I, if we modify the value of a non-zero AC coefficient to another while keeping S unchanged, the length of encoded bits does not change. Otherwise, if we modify a coefficient from one size to another, the length of the encoded bits will change. For example, when changing an AC coefficient from –4 to –5, the lengths of the Huffman code and encoded bits stay unchanged. However, when we change a coefficient from –7 to –8, the lengths of the Huffman code and the VLI code will increase.

The bitstream increment caused by data embedding is also related to Pi, i.e., the position of the last non-zero coefficient (using zigzag order) in each block, where i=1,…,n and 2≤Pi≤64. To evaluate the influence of Pi, we use histogram shifting to embed bits into the blocks with Pi≤T, where 2≤T≤64. Let the differential payload be the embedding payload minus the bitstream increment. Fig. 9 shows the relationships between the differential payload and T. The figure indicates that, when embedding bits into the blocks with small Pi, the differential payload is positive, meaning that the embedding payload is larger than the bitstream increment. This is the reason why we sort all blocks {B1, B2, …, Bn} to {Bo(1), Bo(2), …, Bo(n)} s.t. Po(1)≤Po(2)≤…≤Po(n) and embed L bits into wL blocks with small Pi.
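
$$C_E = \sum_{i=1}^{n} \rho_i \qquad (7)$$

Therefore, the maximal embedding capacity of the two stages is

$$C_{max} = C_M + C_E = \sum_{k=4}^{16} \gamma_k \cdot \log_2(\pi_k + 1) + \sum_{i=1}^{n} \rho_i \qquad (8)$$

$$b_k = \begin{cases} 0, & \text{if } |v_j'| = 1 \\ 1, & \text{if } |v_j'| = 2 \end{cases} \qquad (11)$$

where k=1,2,…,L.

Meanwhile, the original (R, V) pairs with R=0 in wL DCT blocks are recovered by

$$v_i = \begin{cases} v_i' + 1 & \text{if } v_i' < -2 \\ -1 & \text{if } -2 \le v_i' \le -1 \\ 1 & \text{if } 1 \le v_i' \le 2 \\ v_i' - 1 & \text{if } v_i' > 2 \end{cases} \qquad (12)$$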
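
Equations (11) and (12), together with the ordering of blocks by Pi and the size categories of Table III, can be exercised end to end. The Python below is an added example, not the authors' code: the forward shift does not appear on this page and is assumed here to be the inverse of (12), the extractor is assumed to know wL and L, only the VLI length change is counted (the Huffman code change needs Table K.5), and the block data are constructed.

```python
# Constructed blocks: (P_i, values V of the (R, V) pairs with R=0), in bitstream order.
BLOCKS = [(20, [5, -1, 1, 3, -2, 1]), (3, [1, -1]), (7, [-7, 1, 2, -1]), (3, [-1, 4])]


def size_category(v):
    """S of Table III: number of VLI bits needed for a non-zero value V."""
    return abs(v).bit_length()


def shift(v, bit=0):
    """Assumed forward map (inverse of (12)): |v|=1 carries one bit, larger values move out by 1."""
    sign = 1 if v > 0 else -1
    return v + sign * bit if abs(v) == 1 else v + sign


def recover(vm):
    """Equations (11) and (12): return (original value, hidden bit or None)."""
    sign = 1 if vm > 0 else -1
    if abs(vm) <= 2:
        return sign, abs(vm) - 1
    return vm - sign, None


def by_position(blocks):
    """Block indices sorted so that P_o(1) <= P_o(2) <= ... (stable, so both sides agree)."""
    return sorted(range(len(blocks)), key=lambda i: blocks[i][0])


def ordered_embed(blocks, bits):
    """Embed bits into the blocks with the smallest P_i; return (marked, w_L, VLI growth)."""
    marked = [(p, list(vals)) for p, vals in blocks]
    pos = w = vli_growth = 0
    for i in by_position(blocks):
        if pos >= len(bits):
            break
        w += 1
        vals = marked[i][1]
        for j, v in enumerate(vals):
            bit = 0
            if abs(v) == 1:                          # carrier; pad with 0 inside the last block
                bit = int(bits[pos]) if pos < len(bits) else 0
                pos += 1
            vals[j] = shift(v, bit)
            vli_growth += size_category(vals[j]) - size_category(v)
    if pos < len(bits):
        raise ValueError("message exceeds Stage Two capacity")
    return marked, w, vli_growth


def ordered_extract(marked, w, n_bits):
    """Re-sort by P_i (unchanged by shifting), read n_bits and restore the first w blocks."""
    restored = [(p, list(vals)) for p, vals in marked]
    bits = []
    for i in by_position(marked)[:w]:
        vals = restored[i][1]
        for j, vm in enumerate(vals):
            vals[j], bit = recover(vm)
            if bit is not None:
                bits.append(str(bit))
    return "".join(bits)[:n_bits], restored


if __name__ == "__main__":
    marked, w, growth = ordered_embed(BLOCKS, "10110")
    print(marked, w, growth, ordered_extract(marked, w, 5))
```

Because shifting never creates or removes a non-zero coefficient, Pi is the same before and after embedding, which is why the extractor can rebuild the block order from the marked data alone.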

the original image. Fig. 12(b) shows the results of attacking the encryption algorithm proposed in [18], which reveals the contour of the original images. These experiments indicate that the proposed method has better security than [18].

[Fig. 12. Attacking JPEG encrypted bitstream of Airplane and Baboon, (a) is the attack to our method, and (b) the attack to [18]]

The proposed encryption algorithm is also secure against the popular ciphertext-only attack. During JPEG bitstream encryption, we pseudo-randomly select n entropy-coded segments from the bitstream to construct a new JPEG bitstream, which can be decoded to a smaller sized ciphertext image. Since only a part of the Huffman codes are available, an adversary has no information of the original size. It is difficult for an adversary to find the original orders of all blocks from $C_N^n \cdot n!$ possibilities, as long as the block number N is large enough. Therefore the key space is large enough to ensure security.

B. Performance of Data Hiding

When embedding additional messages into the encrypted JPEG bitstream, the payload is related to the sizes of the encrypted JPEG images. The original JPEG bitstreams are encrypted to four kinds of smaller sized images, including 128×192, 192×256, 256×256, and 256×384. We define the differential payload as DP to evaluate the gap between embedding payload C and bitstream increment E, i.e. DP=C−E. Table V shows the embedding payloads corresponding to different sizes and DP values. The results indicate that the embedding payload increases when the size of an encrypted image gets larger. When a small payload C is embedded into the encrypted bitstream, the differential payload DP achieves the best DPmax. Large embedding payloads can also be achieved when DP approaches DP0=0 or minimum DPmin.

In Table VI, we provide another group of experimental results of bitstream sizes using DPmax. The original bitstreams are generated by compressing 512×512 images using a quality factor 80. After encrypting them to ciphertexts corresponding to 256×256 encrypted images, sizes of the encrypted bitstreams are close to the original bitstreams. After embedding the secret messages into the encrypted bitstreams, there is a slight size increment in each marked encrypted bitstream.

Fig. 13(a)~(d) show the relationships between the embedding payload C and the bitstream increment E. The increment values stand for the increased bits of the entire file, including all parts of the whole bitstream. We use the images Lena, Peppers, Lake and Airplane to implement the proposed JPEG RDH-EI. We encrypt each JPEG to the sizes of 128×192, 192×256, 256×256, and 256×384, respectively. The quality factor of these JPEG images is 80. The dashed line on each figure is used as a reference to show the case when C=E. Results show that the embedding payload is larger than the bitstream increment in most embedding payloads.

[Fig. 13. Embedding Payload vs. Bitstream Increment, (a) the original JPEG image Lena, (b) Peppers, (c) Lake, (d) Airplane]

We also compare the proposed method with JPEG RDH-EI methods in [18], [19], and [21]. We use the proposed method to encrypt a bitstream to a ciphertext bitstream corresponding to 256×256 sized images. Table VII shows that the proposed method can achieve a much larger payload than [18], [19], and [21].

Table VII. Comparison of Embedding Capacity (Bits)

| Images | [18] | [19] | [21] | Proposed |
|---|---|---|---|---|
| Lena | 750 | 798 | 1364 | 3667 |
| Baboon | 750 | 1555 | 768 | 7547 |
| Man | 750 | 1809 | 1368 | 4856 |
| Peppers | 750 | 960 | 1026 | 4253 |
| Lake | 750 | 1032 | 1023 | 4964 |

DPmax, DP0, and DPmin, which indicates that the embedding payloads increase when the quality factor gets larger.