Journal of Visual Communication and Image Representation 54 (2018) 133–144

Contents lists available at ScienceDirect

Journal of Visual Communication and

Image Representation
journal homepage: www.elsevier.com/locate/jvci

A multilevel reversible data hiding scheme in encrypted domain based on T

LWE☆
⁎
Yan Ke , Min-qing Zhang, Jia Liu, Ting-ting Su, Xiao-yuan Yang
Key Laboratory of Network and Information Security under Chinese People Armed Police Force (PAP), College of Cryptography Engineering in Engineering University of
PAP, Xi’an, China

A R T I C LE I N FO A B S T R A C T

Keywords: This paper proposes a multilevel reversible data hiding scheme in encrypted domain by utilizing the controllable
Information security redundancy of learning with error public key cryptography. Messages can be embedded into multilevel sub-
Reversible data hiding regions of ciphertext by quantifying the encrypted domain and recoding its redundancy. We recode redundancy
Multilevel embedding based on the characteristics of cipher’s distribution. Extraction and decryption processes are separated by di-
Public key cryptography
viding the encrypted domain into multilevel sub-regions and introducing different quantification standards.
Learning with Error
Original plaintext can be losslessly recovered from the marked ciphertext by using the decryption key; with a
specific level data-hiding key, only the message hiding in the corresponding level can be extracted, while
plaintext and other messages remain secret. We provide theoretical analysis and experimental results on the
feasibility, reversibility, and security of the proposed scheme. The capacity and encryption blow up factor are
discussed. The experimental results demonstrate the maximum embedding rate can exceed 0.3000 bpb of ci-
phertext.

1. Introduction
Reversible data hiding in encrypted domain (RDH-ED) is an in-
formation hiding technique that aims to not only accurately embed and
extract covert messages, but also restore the original cover losslessly.
RDH-ED is useful in applications in which distortion is unacceptable
and ciphertext must be managed or identified by embedding private
marks or error correction codes without knowing any information
about the plaintext. Most importantly, no permanent change is allowed
when the original plaintext and covert data are recovered in these ap-
plications, such as ciphertext management or retrieval in the cloud
environment, imagery annotation for medical or military use. With
increasing demand for information security and the development of
signal processing techniques in the encrypted domain, RDH-ED has
been an issue of great contention in the information security and en-
crypted signal processing field [1].
The difficulty of RDH-ED lies in embedding additional data into
ciphertext without causing distortion of the decrypted result. We ana-
lyze two aspects of this problem. The first is that once data is encrypted,
the plaintext features (e.g., image pixels’ relativity) that traditional data
hiding technologies use are lost. The second is that modern crypto-
graphy algorithms require diffusibility, i.e., even one bit change of
plaintext would diffuse through the entire encrypted domain. However,
data hiding requires the ciphertext to be modified; thus, the more the
ciphertext is changed, the greater the distortion of the decrypted re-
sults. The utilization of the redundancy in the cover media is the fun-
damental component of data hiding technique. Thereofore, the existing
methods of RDH-ED can mainly be classified into two frameworks:
“vacating room before encryption (VRBE)” [2] and “vacating room
after encryption (VRAE)” [3]. The room, namely the redundancy, is
vacated for embedding in these two frameworks.
The VRBE framework creates embedding redundancy in the plain-
text domain, so there is always an extra preprocessing step before en-
cryption. The VRBE schemes are mainly based on three strategies:
lossless compression [4], difference expansion (DE) [5], and histogram
shifting (HS) [6]. Most RDH methods [7–10] are derived from these
three strategies. HS based methods have attracted much attention and
can be divided into three categories: histogram shifting (HS) [6], dif-
ference histogram shifting (DHS) [8] and prediction-error histogram
shifting (PEHS) [9]. DHS and PEHS based methods have drawn much
more attention because of their large embedding capacities and high
reversibilities. In [11], a new framework of RDH-ED was proposed, in
which a specific stream encryption algorithm was used to preserve
some of the correlation between the neighboring pixels. Different DHS

☆
This paper has been recommended for acceptance by Dinu Coltuc.
⁎
Corresponding author.
E-mail address: 15114873390@163.com (Y. Ke).

https://doi.org/10.1016/j.jvcir.2018.05.002
Received 28 October 2017; Received in revised form 19 April 2018; Accepted 4 May 2018
Available online 09 May 2018
1047-3203/ © 2018 Elsevier Inc. All rights reserved.
Y. Ke et al.
and PEHS based RDH schemes can be performed directly in the en-
crypted domain. However, the VRBE framework might be impractical
because it requires a preprocessing step to be performed before the
content encryption.
The first VRAE method was proposed by Zhang for encrypted
images [12], and then [13–14] enhanced its capacity. Qian, et al.
proposed a similar method to embed data in an encrypted JPEG bit
stream [15]. Liao, et al. [16] proposed embedding data in encrypted
images based on the absolute mean difference between multiple
neighboring pixels. Other VRAE schemes include compression sensing
in the encrypted domain [17] and homomorphic public key encryption
[18–24]. To adapt to practical applications, separable schemes have
been proposed [17,25–27], in which the extraction and data decryption
processes can be separated. In separable schemes, covert messages can
be extracted from marked ciphertext perfectly, but most schemes distort
the directly decrypted cover, so a reconstruction process is always
needed to recover the original cover media by establishing a distortion
function based on the neighboring pixels’ relativity or others. Thus, the
reversibility depends on the effect of the distortion function in the re-
construction process.
This paper proposes a RDH scheme in encrypted domain that be-
longs to neither VRBE nor VRAE. We attempt to discover and utilize the
redundancy that is produced in the encryption process of public key
cryptography instead of vacating redundancy. Currently researches of
public key cryptography based RDH-ED are mainly based on Paillier
homomorphic public key cryptosystem [20–24]. Probabilistic and
homomorphic properties of Paillier cryptography allow us to conduct
operations directly on ciphertext to embed data into the plaintext,
which provides more flexible applications in RDH-ED field. The first
Paillier cryptography based RDH-ED was proposed by Chen et al. [23].
To enhance the capacity and broaden the application scenarios, Wu
et al. proposed two RDH algorithms for the encrypted images in [21]. A
high-capacity algorithm based on Paillier cryptosystem is presented for
the scenario of data extraction after image decryption. The other one
can operate data extraction in the encryption domain. In [20], Zhang
et al. proposed to embed the same data twice in the reserved room of
the encrypted image and in the Pailler encrypted domain to realize the
separability of decryption and data extraction. By using mirroring ci-
phertext group (MCG) strategy [22], Xiang et al. proposed a novel se-
parable RDH-ED method without any pixel oversaturation in plaintext
domain. However, the encryption blowup and computational cost are
high in homomorphic cryptography based RDH-ED, and a reconstruc-
tion process is also needed to restore distortion in the directly decrypted
plaintext from the marked ciphertext, e.g., [20,22–24]. To further en-
hance the efficiency, we propose to embed data into the ciphertext by
recoding the redundancy in the encryption process of public key
cryptography rather than using homomorphic technique. Based on this
idea, a multilevel RDH-ED is designed by recoding the encryption re-
dundancy of the learning with Error (LWE) public key cryptography.
We choose the LWE algorithm mainly because of its three advantages
for RDH-ED [28]: 1. sufficient controllable redundancy for embedding;
2. strong security for privacy protection and information security, LWE
cryptosystem is so far one of the most promising post-quantum cryp-
tosystem; and 3. brief structure and simple computation, which are
significant in practical applications. The methodology and proposed
scheme will be elaborated in detailed in following sections. By recoding
the redundancy of the LWE encryption process to embed additional
data, the proposed scheme has the following properties: 1. complete
reversibility, in which the original plaintext can be losslessly recovered
directly from the marked ciphertext and there is no reconstruction
process; 2. separability of multilevel data extraction and decryption;
and 3. accurate data decryption and extraction. More importantly, since
the proposed method directly recodes ciphertext for data hiding, we
concentrate on the security of the data-hiding process, which is a sig-
nificant part of the theoretical analysis and experimental results in
Section 5.
134
Journal of Visual Communication and Image Representation 54 (2018) 133–144
The multilevel data-hiding process expands the applications of
RDH-ED, because it allows to embed multilevel covert messages into a
marked ciphertext with multilevel data-hiding keys. With a specific
level data-hiding key, only covert message of the corresponding level
can be completely extracted, while the plaintext and other covert
messages remain secret. It could provide the ciphertext owner with
more flexible application scenarios, for example, the ciphertext owner
needs to embed additional remarks into a cover or marked ciphertext at
different times, and additional remarks should not degrade the de-
crypted result or other previously embedded remarks; Watermarks or
error correction codes are embedded into ciphertext in multiple levels
to enhance the robustness or to correct errors in data storage or
transmission.
The rest of this paper is organized as follows. The following section
introduces Regev’s LWE algorithm and analyzes its controllable re-
dundancy in encryption. Section 3 introduces the methodology of the
multilevel RDH-ED. Section 4 describes the detailed process. In Section
5, the three judging standards of RDH schemes, including the correct-
ness, security and efficiency, are discussed theoretically and verified
with experimental results. Finally, Section 6 summarizes the paper and
discusses future investigations.
2. Regev’s LWE algorithm
The Learning with Errors (LWE) problem was first introduced by
Oded Regev in 2005′s STOC [29], and has become an amazingly ver-
satile basis for cryptographic constructions due to its reliable security,
simple algebraic structure and nearly linear operations [30].
2.1. Regev’s LWE cryptosystem
Regev’s LWE cryptosystem is parameterized by the integers n (the
security parameter), d (the number of dimension of the public key
space), q (the modulus), l (the length of plaintext in one encryption
operation). If q is a prime, all of the operations in the cryptosystem are
performed modulo q in , q ∈ (n2,2n2)≥ 2 , a real ε > 0 , and
d ≥(1 + ε )(1 + n)1ogq . We denote the noise probability distribution on
 as χ , χ = ψαq , where the discrete Gaussian distribution ψαq =
{「qx」mod q | x ∼N (0, α2)}, and 「qx」 denotes rounding qx to the
nearest integer).
Secret Key: Choose a matrix S ∈ ×  uniformly, where each ele-
ment of S is chosen independently and uniformly.
Public Key: Choose a matrix A ∈ ×  uniformly, where each ele-
ment of A is chosen independently and uniformly. Generate a noise
matrix E ∈  ×
whose elements follow the distribution χ in-

dependently and output the pair (A,P = AT S + E ) ∈ nq × d × dq × l as the
public key.
Encryption: The plaintext is m = (m1,m2,…m1) ∈ {0,1}l . Generate
a ∈ {0,1}d uniformly and output the pair
(u = Aa,c = PT a + m⌊q/2⌋) ∈ nq × lq as ciphertext.
Decryption: For the ciphertext (u, c), a quantization vector
h = c−S T u is calculated. Denote the decryption of (u, c) as
m′ = (m1′,m2′,…,ml′) , where mi′=0(i = 1,2,…,l) if the i-th element of h is
closer to 0 than to ⌊q/2⌋; otherwise, mi′=1.
The correctness of the decryption is defined as follows:
h = c−S Tu = P Ta + m⌊q/2⌋−S TAa = E Ta + m⌊q/2⌋. Fig. 1 shows
the distribution of integers in q , which has been divided into 4 regions
(I, II, III, and IV). We denote the i-th element of h as hi , so
h = (h1,h2,…,hl )T , and hi can be regarded as a point on the circle in Fig. 1
(the point A represents hi = ⌊q/4⌋). Because of the additive noise/
errorE Ta , the exact locations of hi on the circle are uncertain. However,
by choosing a reasonable value of the standard deviation α , E Ta will
have a magnitude less than⌊q/4⌋, so m′ = (m1′,m2′,…,ml′) can be recovered
by rounding each hi back to either hi = 0 or hi = ⌊q/2⌋, whichever is
closer modulo q. If hi is located in region I or IV, the decrypted bit
mi′ = 0 ; if hi is located in region II or III, the decrypted bit mi′ = 1.
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

0(q) decrypted bit, which is the same as the correctness in Section 2, and the
1st level sub-region number (e.g., 0, 1) indicates the 1st level embedded
data. For example, in Fig. 2, point B, which represents hi is located in
sub-region II.1; therefore, the decrypted bit is 1 because the region
number is II, and the embedded data is 1 because the 1st level sub-
region number is 1.
Next, when we have the ciphertext of LWE algorithm, we can embed
1bit additional data in the encrypted domain by adding or subtracting
3q/4 q/4(A: hi = q/4) the 1st level quantization step to or from the ciphertext to change the
location of hi to a proper 1st level sub-region within the same region;
thus, resulting that the changed hi would carry plaintext and covert
data with dual meanings. So far, we have the 1st level marked ci-
phertext. It should be noted that hi should be located in the same region
before and after embedding to guarantee that no error is introduced
into decrypted results.

q/2
Fig. 1. Distribution of integers in q . 3.2. Multilevel data hiding

For the 2nd level data hiding, based on the 1st level data hiding,
2.2. Controllable redundancy analysis
each 1st level sub-region is divided into two 2nd level sub-regions de-
noted as I.0.0, I.0.1; I.1.0, I.1.1; II.0.0, II.0.1; II.1.0, II.1.1; III.0.0,
Without additive noise, finding the secret key S with the public key
III.0.1; III.1.0, III.1.1; IV.0.0, IV.0.1; and IV.1.0, IV.1.1 (Fig. 3).
(A, P) would be easy: after approximately d equations, we can recover S
Therefore, the 2nd level quantization step is ⌊q/16⌋. The meanings of the
in polynomial time using the Gaussian elimination algorithm.
2nd level sub-region’s region number and the 1st level sub-region
Introducing additive noise, Gaussian elimination algorithm takes linear
number are the same as in Section 3.1. In addition, the 2nd level sub-
combinations of the d equations, which amplifies the noise to un-
region number (e.g., 0, 1) indicates the 2nd level embedded data.
manageable levels and leaves essentially no information about S in the
We can embed another 1bit additional data in the encrypted domain
elimination results. The best known cryptanalysis algorithms for LWE
by adding or subtracting the 2nd level quantization step to or from the
run in exponential time (even quantum algorithms do not appear to
1st level marked ciphertext to change the location of hi to a proper 2nd
help). Thus, the encryption blowup of LWE is not controllable as for
level sub-region within the same 1st level sub-region. For example, if
attackers. However, the secret-key keeper can obtain the quantization
point B in Fig. 2 needs to carry 1 bit of additional data “1” in the 2nd
vector h. The range of hi to recover mi′ takes up half of the integer
level data hiding, its 1st level marked ciphertext must subtract ⌊q/16⌋ to
domain q ; i.e., hi within ⌊q/2⌋ possible values only corresponds to 1 bit
make hi be located at point C (Fig. 3). We will then obtain the 2nd level
of plaintext, and the values of hi could be in control once we had the
marked ciphertext.
secret key S. Our scheme takes advantage of the redundancy of hi to
Similarly, we can achieve multilevel data hiding in the encrypted
embed covert data.
domain, and 1 bit of additional data can be embedded after the i-th
(i = 1, 2, 3, …) level data hiding. It should be noted that hi before and
3. Methodology
after the i-th (i = 2, 3, …) level data hiding should be located in the
same (i-1)-th level sub-region to guarantee that no error is introduced
3.1. The 1st level data hiding
into the (i-1)-th level data extraction results.

First, as shown in Fig. 2, the integer domain q is divided into 4

equal regions (I, II, III, and IV) as in Fig. 1, and each region is divided
into 2 equal sub-regions, which are denoted as I.0, I.1; II.0, II.1; III.0,
III.1; and IV.0, IV.1. Thus, the 1st level quantization step is ⌊q/8⌋.
0(q)
Second, we define the meaning of the number of sub-region when hi
is located in it: its region number (e.g., I, II, III and IV) indicates the .0.0 .0.0
.0.1 .0.1
0(q)
.1.0 .1.0
.0 .0
.1.1 .1.1
.1 .1
3q/4 q/4
.1.1 .1.1
3q/4 q/4 C
.1.0 .1.0
.1 .1

B: the decrypted bit

.0.1 .0.1 B
.0 .0 is 1, the embedded .0.0 .0.0
data is 1
q/2 q/2
Fig. 2. Partitioning of q for the 1st level data hiding. Fig. 3. Partitioning of q for the 2nd level data hiding.

135
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

0(q) System
parameters Key generation Key distribution
setting
.0 .0
(a)
.1 .1
Encryption key 1st level data-hiding key
.2 .2
LWE Original 1st level Covert
Plaintext
.3 .3 encryption ciphertext data hiding message 1
3q/4 q/4
.3 .3 1st level
marked
ciphertext
.2 .2

.1 t-th level 2nd level

.1 marked marked
2nd level Covert
data hiding message 2
.0 .0 ciphertext ciphertext

2nd level data-hiding key

q/2 (b)
Fig. 4. Partitioning of q for the 2-bit version of the 1-level data hiding.
Decryption key
3.3. A multi-bit version of multilevel data hiding
Decryption Plaintext
2
Because LWE algorithms have a key size of order n (where n is also
a size parameter of the lattice space) and an encryption blowup factor, 1st level data-hiding key
the extensive encryption redundancy can be quantified into multiple
bands within any a sub-region in the i-th (i = 1, 2, 3, …) level data Covert
1st level data extration
message 1
hiding. Therefore, we can perform a multi-bit version of multilevel data t-th level
hiding: marked 2nd level data-hiding key
In the 1st level data hiding, each region is divided averagely into b1 ciphertext
Covert
(b1=4 in Fig. 4) 1st level sub-regions, so the 1st level quantization step 2nd level data extration
message 2
is ⌊q/4b1 ⌋. The 1st level sub-region number (e.g., 0, 1, 2, …, b1-1) in-
.. .. ...
dicates the 1st level embedded data, which means that we can embed . .
log 2b1 bit of additional data in the encrypted domain by adding or t-th level data-hiding key
subtracting a multiple of the 1st level quantization step to or from the
Covert
ciphertext to change the location of hi to a proper 1st level sub-region t-th level data extration
message t
within the same region. Fig. 4 shows the partitioning of q for the 2-bit
(c)
version of the 1-level data hiding, and Fig. 5 shows the partitioning of
Fig. 6. Block diagrams of the proposed scheme: (a) Initialization; (b) Data en-
cryption and multilevel hiding; (c) Separable data decryption/ restoration and
0(q) multilevel data extraction.
.0.0
.0.1
.0.2
.0.0
.0.1

.0.3
.0.2
.0.3

.1. 0

q for the 2-bit version of the 2-level data hiding.

.1.01

.1.
.1. 1
.1.

.1. 2

We denote the number of the i-th level sub-region as bi (i = 1, 2, 3,

.1. .3

3
2

.2
.1

0
.2. .0 .2. 1 …), which determines that log 2bi bits of additional data can be em-
.2. 1 .2. 2 bedded in the i-th level data hiding. The smallest quantization step of all
.2.32 .2.
.3.0 .2.3 of the t-level data-hiding processes is ⌊q/4b1 b2…bt ⌋. In the remainder of
.3.1 .3.0 the paper, we set b1 = b2 = … = bi = … = bt = b, and b is a power of 2
.3.1 to simplify the conversion process in practical applications.
.3.2 .3.2
.3.3 .3.3 The methodology of our scheme to perform data hiding in encrypted
3q/4 .3.3 .3.3 q/4
domain using the controllable redundancy of LWE algorithm is mainly
.3.2 .3.2
.3.1 .3.1 based on the methods described above. The detailed processes of the
.3.0 .3.0 multilevel reversible data hiding scheme in encrypted domain are de-
.2.3 .2.3
2
.2. .1 .2. scribed in the next section.
.2 .0 .2 2
.2 .2. .1
0
.1. .3
.1
2

.1 .2
1

4. Proposed scheme
.3
.1
.1.0
.1.

.0.3

.1.
.0.2
.0.1

.1.0
.0.0

1
.0.3
.0.2
.0.1
.0.0

This section describes the 3 processes of the proposed scheme step

by step, including initialization, data encryption and multilevel hiding,
q/2 and data decryption/ restoration and multilevel data extraction. Block
Fig.5. Partitioning of q for the 2-bit version of the 2-level data hiding. diagrams of these steps are shown in Fig. 6.

136
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

4.1. Initialization encrypted and embedded following a random distribution. Thus, the
exclusive-or sequence m of the plaintext p and Rp is calculated as:
Step 1: Setting the system parameters m = p ⊕ Rp (3)
Choose a security parameter n that is a power of 2, which de-
termines the other parameters. The modulus is a prime q ∈ (n2,2n2) ⩾ 2 . where m = (m1,m2,…,ml ),mi ∈ {0,1} is for LWE encryption.
The dimension of the vectors in the public key space is 2) Generate a vector a ∈ {0,1}d randomly and output the original
d ⩾ (1 + ε )(1 + n)log 2q , ε > 0 . The noise distribution is χ = Ψαq , and ciphertext using LWE algorithm (u = Aa,c = P Ta + m⌊q/2⌋)
the standard deviation is α = o (1/ n logn) . The reasonable ranges of ∈ nq × lq .
these parameters are analyzed in detail in Section 5. Denote the total Step 2: Multilevel data hiding
′
number of levels of the multilevel data hiding as t and the number of Denote the i-th level covert message as ci ∈ {0,1}l of length l′. The i-th
the i-th level sub-region as b (i = 1, 2, 3,…, t), which is a power of 2 and level data-hiding keys are (S, RLi), i ∈ {1,2,…,t } .
is the band of the multi-band data to be embedded. Denote the length of 1) The exclusive-or sequence oi of the secret message ci and RLi are
the plaintext in one encryption operation as l and the length of the calculated as:
additional data in the i-th level data-hiding operation as l′; thus,
oi = ci ⊕ RLi (4)
l′ = l·log 2b .
l′
Step 2: Key generation where oi∈ {0,1} . Then, encode oi into a b-band vector
Choose the matrixes S ∈ nq × l and A∈nq × d uniformly, where each wi = (wi,1,wi,2,…,wi,l ) , wi,j∈ {0,1,…,b−1} , j∊{1,2…,l} for embedding.
element of S and A is chosen independently and uniformly. Generate a 2) The 1st level data hiding: The original ciphertext is (u, c), and the
noise matrix E ∈ dq × l , whose elements follow the distribution χ in- data to be embedded is w1. Calculate the quantization vector
dependently, and then output the pair (A,P = AT S + E ) ∈ nq × d × dq × l . h1 = c−S Tu , h1 = (h1,1,h1,2,…,h1,l )T . A vector that would affect the cover
′
Generate t + 1 pseudo-random sequences: Rp ∈ {0,1}l , RL1 ∈ {0,1}l , ciphertext’s change positively or negatively is denoted as
l′ l′ β = (β1,β2,…,βl )T (βj ∈ { +1,−1} ). The change quantity factor vector is
RL2 ∈ {0,1} ,…, RLt ∈ {0,1} . All the pseudo-random sequences are used
to randomly scramble the plaintext and all the covert messages before denoted as g1 = (g1,1,g1,2,…,g1,l )T .
LWE encrypting to realize separability of the decryption and the data Calculate the vectors β and g1:
extraction and to maintain the security of LWE encryption.
⎧+ 1,h1,j ∈ [0,⌊q/4⌋) ∪ [⌊q/2⌋,⌊3q/4⌋)
Step 3: Key distribution βj = − 1,h ∈ [⌊q/4⌋,⌊q/2⌋) ∪ [⌊3q/4⌋,q)
⎨ 1,j
In this paper, the keys are distributed as shown in Table 1 according ⎩ (5)
to their functions in the proposed system.
g1,j = w1,j−LC (h1,j,1,1) (6)
Definition 1. The function LC (hi, i, t), hi ∈ q , i, t∈ ∗, i⩽ t,
LC∈ {0,1,…,b−1} , which returns the number of the i-th level sub-region where g1,j ∈ {−b + 1,−b + 2,…,−1,0,1,…,b−1},j ∈ {1,2,…,l} .
in a t-level data hiding that an input quantization element hi locates in: Output the pair (u,c1′) as the 1st level marked ciphertext, where
c1′ = (c1,1 ′ ,…,c1,′ l )T :
′ ,c1,2
⎢ L (hi,t )modbi ⎥
LC (hi,i,t ) = ⎢
bi − 1 ⎥,hi ∈ q,i ∈ {1,2,…,t } (1)
c1,′ j = cj + βj ·g1,j ·⌊q/4b⌋,(j = 1,2,…,l) (7)
⎣ ⎦
where 3) The i-th level data hiding (i = 2, 3,…, t): The (i-1)-th level marked
ciphertext is (u,ci′− 1) , and the data to be embedded is wi. Calculate the
⎧
t
⎢ 4b hi ⎥,hi ∈ [0,q/4) quantization vector hi = ci′−S Tu,hi = (hi,1,hi,2,…,hi,l )T . Denote the
⎪ ⎣ q ⎦ change quantity factor vector as gi = (gi,1,gi,2,…,gi,l )T .Calculate the vector
⎪ t ⎢ 4bt hi ⎥ gi :
⎪ 2b −⎣ q ⎦−1,hi ∈ [q/4,q/2)
L (hi,t ) = gi,j = wi,j−LC (hi,j,i,i) (8)
⎨ ⎢ 4bt hi ⎥−2bt ,hi ∈ [q/2,3q/4)
⎪⎣ q ⎦
⎪ t 4bt hi where gi,j ∈ {−b + 1,−b + 2,…,−1,0,1,…,b−1},j ∈ {1,2,…,l} .
⎪ 4b −⎢ q ⎥−1,hi ∈ [3q/4,q) Output the pair (u,ci′) as the i-th level marked ciphertext, where
⎪ ⎣ ⎦ (2)
⎩ ci′ = (ci′,1,ci′,2,…,ci′,l )T :
q
ci′,j = ci′− 1,j + βj ·gi, j ·⎢ i ⎥,(j = 1,2,…,l)
⎢
⎣ 4b ⎥
⎦ (9)

4.2. Data encryption and multilevel data hiding

4.3. Separable data decryption and multilevel data extraction
Step 1: Data encryption
Denote the plaintext as p ∈ {0,1}l and the encryption key as (P, A, Data decryption:
Rp). For the t-th level marked ciphertext (u,ct′) with the decryption key
1) To realize the separability of the decryption and the data ex- (S, Rp), the quantization vector h′ = ct′−S Tu is calculated, where
traction and to maintain the security of the encryption, the data must be h′ = (h1′,h2′,…,hl′)T . Denote the decryption of (u,ct′) as a vector
m′ = (m1′,m2′,…,ml′)T :
Table 1
⎧ 0,h′j ∈ [0,⌊q/4⌋) ∪ [⌊3q/4⌋,q)
Key distribution. m′j = ,j = 1,2,…,l
⎨ 1,h′j ∈ [⌊q/4⌋,⌊3q/4⌋)
Use of the key Key’s constituent ⎩ (10)

Encryption key (P, A, Rp) and the recovered plaintext, which is denoted as p′:
Decryption key (S, Rp)
p′ = m′ ⊕ Rp (11)
1st level data-hiding key (S, RL1)
2nd level data-hiding key (S, RL2)
The i-th level data extraction:
… …
t-th level data-hiding key (S, RLt) For the t-th level marked ciphertext (u,ct′) , the i-th level covert
message can be extracted by using the i-th level data-hiding key (S, RLi).

137
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

Calculate the quantization vector h′ = ct′−S Tu , where and that it is located at point F (I.2.1) in Fig. 7, which indicates that the
h′ = (h1′,h2′,…,hl′)T . Denote the i-th level extracted data from (u,ct′) as a decrypted bit is 0, the 1st level extracted data is 2, and the 2nd level
temporary vector w Temp,w Temp = (w1′,w2′,…,wl′),w′∈
j {0,1,…,b− extracted data is 1.
1},j ∈ {1,2,…,l} : In addition, to recover original plaintext and covert messages, we
w′j = LC (h′j ,i,t ),j = 1,2,…,l need a decryption key or multilevel data-hiding key, respectively, to
(12)
perform an exclusive-or calculation; that would not generally cause any
′
′
Encode w Temp into a binary sequence o Temp of length l′, o Temp
′ ∈ {0,1}l , error, so we do not review the exclusive-or steps.
and the recovered covert message ci′ is : Hence, the same region ensures the consistency of the decryption of
the multilevel marked ciphertext, and the multilevel sub-region’s
ci′ = o Temp
′ ⊕ RLi (13) numbers carry the information about the multilevel covert messages.
In summary, the data-hiding process is based on the encryption Thus, the necessary condition for maintaining the proposed scheme
redundancy, so it applied to the bits of the plaintext regardless of the ’correctness is that the magnitude of each element of E Ta must be less
types of the host media. The processes of decryption and different level than ⌊q/4⌋.
data extraction are separable from each other. Denote the element of matrix E as ei,j and the j-th element of a as aj,
where ei,j follows the distribution χ independently
d
5. Theoretical analysis and experimental results (i = 1,2,…,l,j = 1,2,…,d ). The i-th element of E Ta is ∑ j = 1 ei,j aj , which
d
follows a distribution N (0, ∑ j = 1 aj ·α ) .
5.1. Correctness
According to Section 4.2, a ∈ {0,1}d is generated randomly,
d d
The correctness of the proposed scheme includes the lossless de- so∑ j = 1 aj ≈ 2 . The i-th element of E Ta should follow the Gaussian
cryption of plaintext and the accurate extraction of the covert message, distributionN (0, d/2 ·α ) .
which are the fundamental principles and criteria of RDH-ED. To obtain a truncated inequality probability of a Gaussian dis-
tribution, let z ∼ N (0,1) . Then:
5.1.1. Decryption-error probability
+∞ 1 1 1 2 1
We first review the process of the scheme to analyze the necessary P (|z| ⩾ x ) ⩽ 2 ∫x exp ⎛− z 2⎞ ⩽ exp ⎛− x 2⎞
conditions for maintaining accuracy. 2π ⎝ 2 ⎠ x π ⎝ 2 ⎠ (14)
In the encryption process, if mi = 0, hi will be located in region I or The decryption-error probability of the proposed scheme is:
IV, and if mi = 1, hi will be located in region II or III. In the multilevel
d
data-hiding process, the cover ciphertext will add or subtract a multiple ⎛ ⎞
of the i-th level quantization step to change the location of hi within its d ⎜
∑ ei,j ⎟
q j=1 q 4α d q2
upper level sub-region, so hi will be located in the same upper level sub- P (| ∑ ei,j aj | ⩾ ) = P ⎜| |⩾ ⎟⩽ · exp ⎛− 2 ⎞
⎜ ⎟

region before and after the i-th (i = 1, 2,…) level data-hiding process
(when i = 1, the “upper level sub-region” should be one of the four
regions I, II, III, IV).
For example, if the bit to be encrypted is m = 0, we set q = 937,
b = 4 and t = 2, and the two to-be-embedded bits are w1 = 2 and
w2 = 1. Then the LWE encrypted data c is 492. In the 1st level data
hiding, the quantization element h is 225, which is located at point D in
Fig. 7. According to Eqs. (1) and (2) and (5)(6), β = +1 and g1 = w1−
LC(225, 1, 1) = 2–3 = −1. We obtain the 1st level marked ciphertext
c1′ = 492 + (−1)·⌊937/16⌋ = 434 using Eq. (7). In the 2nd level data
hiding, the quantization element h is 167, which is located at point E in
Fig. 7. According to Eqs. (1) and (2) and (5)(6), β = +1 and g1 = w2–
LC(167, 2, 2) = 1–3 = −2. We obtain the 2nd level marked ciphertext
c1′ = 434 + (−2)·⌊937/64⌋ = 406 using Eq. (7). With the 2nd level
marked ciphertext, we can determine that quantization element h is 139
4 d d q π ⎝ dα ⎠
j=1 ⎜ α 2 4α
2 ⎟
⎜ ⎟
⎝ ⎠
(15)
According to Eq. (15), a decryption error will occur if the total noise
exceeds ⌊q/4⌋. The smaller α becomes, the lower the probability of de-
cryption error. On the other hand, if α is too small, the security of LWE
algorithm might be seriously compromised because the distribution of
the additive noise will be approximately 0 with a small deviation. Thus,
schemes based on LWE problem generally require αq > 2 n [29].
Above all, the value of α directly determines both the security of our
scheme and the probability of decryption failure. However, the condi-
tion α = o (1/ n logn) given in [29] cannot accurately provide a rea-
sonable range of α ; therefore, we obtain reasonable ranges of α for
different n using experiments in the following section.

0(937) 5.1.2. Parameters setting and experiments on α

Before we obtain reasonable values of α, all of the other parameters
58 in the experiments must be confirmed. The security parameter n is the
basis of our scheme, so it is necessary to discuss and confirm it first.
LWE can be considered as Bounded Distance Decoding (BDD) problem
117 F(139) on a lattice, so we can estimate the security level of the LWE parameters
.0 with lattice basis reduction theory as introduced in [31]. Solving the
0
.2. LWE problem with given parameters is equivalent to solving Shortest
.1 1
.2. E(167) Vector Problem (SVP) in a lattice with a dimension nlog 2 (q)/log 2 (δ ) .

.2.2
Considering the efficiencies of the best known lattice reduction algo-
rithms, the secure dimension of the lattice must reach 500 (δ = 1.01)
.2 .2.3 175 [32,33]. In [28], the security parameter is set n∈ [100,320]. The lattice
dimension with n = 220 is 220log 2 (q)/log 2 (1.01) < 500 , resulting in a
drawback in security. However, an increase in n will result in a high
.3 D(225)
encryption blowup. To balance security and the efficiency of practical
use, we set n∈ [240,420] for the experiments in this paper
234 ( 240 × log 2 (q (n))/log 2 (1.01) > 500). The other parameters for the
proposed scheme are set as follows: q is the minimum prime between
Fig. 7. Location Change of h in a 2-bit version of 2-level data hiding. (n2,2n2) , d = ⌊1.25(1 + n)log 2q⌋, l = 8n , t = 1, 2, 3, and b = 2,4,8. By

138
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

Fig. 8. Experiment of 2-bit version of 2-level data hiding on “Lena”. (a) Image “Lena”; (b) Bit-plane image of the original data; (c) Plaintext; (d)Randomly permuted
plaintext; (e) Covert message1; (f) Covert message2; (g)Original ciphertext by LWE; (h)The 1st marked ciphertext; (i) Extracted covert message 1 from the 1st marked
ciphertext; (j) Recovered plaintext from the 1st marked ciphertext; (k) The 2nd marked ciphertext; (l) Extracted covert message 1 from the 2nd marked ciphertext;
(m) Extracted covert message 2 from the 2nd marked ciphertext; (n) Recovered plaintext from the 2nd marked ciphertext; (o) Recovered image“Lena”; (p) Errors of
the recovered plaintext and the extracted covert messages in the 1st level data hiding; (q) Errors of the recovered plaintext and the extracted covert messages in the
2nd level data hiding.

testing large amount of sample data under different conditions with n=
240, 260, 280, …, 420, we obtained the upper limit of α, which is
denoted asα max , and represents the decryption error that will occur if α
in the experiments is greater than α max . The lower limit value, which is
denoted asα min , is set to 2 n / q to ensure that the necessary deviation is
generated by the additive noise.
The processes of the experiment to obtain a reasonable α are as
follows. We take a 2-bit version of 2-level data hiding implementation
on image Lena as an example to test the reasonability of
α = 6.1250 × 10−4 . To show the experimental processes visually and
intuitively, we set n = 240 , q = 57601, l = 8n , b = 4 , and t = 2 to en-
crypt a 240 × 240 binary image with a length of 7200 bytes, embed
14,400 bytes additional data at each level.
The 512 × 512 plaintext test image of Lena is shown in Fig. 8(a);
each pixel’s gray value within [0255] is represented by 8 bits. We then
divided the image into bit planes (Fig. 8(b)). First, we segment the bit-
plane image into several non-overlapping 240 × 240 blocks and then set
α = 2.8452 × 10−3 on the first block. The bit values of the original data’s
first block are shown in a 240 × 240 binary image in Fig. 8(c). Next, we
calculate an exclusive-or result of the plaintext and the binary pseudo-
random data (Fig. 8(d)) and generate two 4-band randomly-permuted
data as covert messages (Fig. 8(e)-(f)). Covert message 1 is for the 1st
level data hiding, and covert message 2 is for the 2nd level data hiding.
Then, we encrypt the exclusive-or results using the LWE algorithm to
obtain the original ciphertext as shown in Fig. 8(g).
The 1st level data hiding: we embed the covert message 1 into the
original ciphertext, and obtain the 1st level marked ciphertext as shown
in Fig. 8(h). With the 1st level marked ciphertext, the covert message 1
is extracted as shown in Fig. 8(i), and the original plaintext is recovered
as shown in Fig. 8(j).
The 2nd level data hiding: we embed the covert message 2 into the
1st level marked ciphertext, and obtain the 2nd level marked ciphertext
as shown in Fig. 8(k). With the 2nd level marked ciphertext, the covert
message 1 and the covert message 2 are extracted as shown in Fig. 8(l)-
(m), and the original plaintext is recovered as shown in Fig. 8(n). To
recover the entire image Lena, we repeat the above processes to the
other blocks of the bit-plane image. The recovered image is shown in
Fig. 8(l).
We make bit-by-bit comparisons between the plaintext and the de-
crypted data, and between the covert messages and the extracted data
after each level data hiding as shown in Fig. 8(p)-(q). The results in-
dicate that both the decryption and extraction are lossless, which also

139
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

Table 2 5.2.1. Probability distribution function

α max and α min from experiments. In this section, we focus on the changes of the ciphertext by the
n αmax αmin n αmax αmin data-hiding process step by step to determine the probability distribu-
tion function of the marked ciphertext.
240 6.4085× 10−4 5.3791× 10−4 340 5.6370× 10−4 3.6011× 10−4 Because the original LWE ciphertext generally has a uniform dis-
260 6.0607× 10−4 4.7705× 10−4 360 5.3065× 10−4 2.9279× 10−4 tribution (i.e., ci ∼ U (0,q) ), we denote the distribution function of ci as
280 6.5059× 10−4 4.2686× 10−4 380 5.1778× 10−4 2.6999× 10−4 Fc (x ) = x / q,x ∈ (0,q) . We then deduce the distribution function of the
300 6.3564× 10−4 4.4184× 10−4 400 4.9746× 10−4 2.5000× 10−4 1st level marked ciphertext, which is denoted as F c1′ (x ) . The distribution
320 5.8777× 10−4 3.4936× 10−4 420 4.8155× 10−4 2.3236× 10−4 function of the i-th level marked ciphertext can be obtained by iteration.
The distribution function of c1,′ j can be deduced according to Eq. (7):
c1,′ j = cj + βj ·g1,j ·⌊q/4b⌋ (j = 1, 2,…, l). In Section 5.1, the i-th element of
demonstrate that α = 6.1250 × 10−4 is a reasonable value for n = 240 . d
All of the processes above were repeated to obtain different rea- E Ta , ∑ j = 1 ei,j aj , i = 1,2,…,l, follows a Gaussian distribution with a
sonable values of α , and we recorded the upper limit α max in Table 2. d
mean of 0 and a standard deviation of σ = ∑ j = 1 aj ·α . We denote the
The reasonable ranges of α should be [λα min,γα max ](λ > 1,γ < 1) . d d
distribution function as Fσ (x ) . The deviation of ∑ j = 1 ei,j aj is
of ∑ j = 1 ei,j aj
within (0,⌊q/4⌋) ∪ (⌊3q/4⌋,q) to guarantee the correctness, so we can
5.1.3. Correctness experimental results of images obtain the probability based on the symmetry of the Gaussian dis-
The PSNR (Peak Signal-Noise Ratio) of a directly decrypted image tribution:
measures the distortion caused by data hiding. We compared our d d
⎡ q ⎤ ⎡ 3q ⎤ 1
method to five representative schemes [20–23] and [11]. The optimal P ⎢ ∑ ei,j aj ∈ ⎛0, ⎞ ⎥ = Fσ (0) = P ⎢ ∑ ei,j aj ∈ ⎛ ,q⎞ ⎥ = 1−Fσ (0) =
⎝ 4 ⎠ ⎝ 4 ⎠ 2
PSNRs presented in each scheme are shown in Table 3. It demonstrates ⎣ j=1 ⎦ ⎣ j=1 ⎦
that there is distortion being introduced into the directly decrypted (16)
images in [11,22,23] and the reversible scheme of [20]. The lossless d
If ∑ j = 1 ei,j aj ∈ (0,q/4) , h1,j ∈ [0,⌊q/4⌋) ∪ [⌊q/2⌋,⌊3q/4⌋) . If
scheme of [20] and [21] have the lossless recovery of plaintext directly
d
from decryption. PSNRs of directly decrypted images under different ∈ (3q/4,q) , h1,j ∈ [⌊q/4⌋,⌊q/2⌋) ∪ [⌊3q/4⌋,q) . Using Eqs. (5) and
∑ j = 1 ei,j aj
parameter-settings in our scheme are shown in Table 4. (16), we can deduce the probability of βj :
The PSNRs after each level data hiding are all “∞ ” in Table 4, which P (βj = 1) = P (βj = −1) = 1/2 (17)
indicates that the original images can be recovered with no error after
the i-th level embedding in the log 2b -bit version of the t-level data Denote the probability that the value of the function LC is y as
hiding (i ≤ t). The embedding capacity (EC) of our scheme is de- PLC (y ) ; namely, PLC (y ) = P(LC (x ,) = y ):
termined by the value of t·log 2b , namely, 1 bit of plaintext data can load
q q
t·log 2b bits of additional data in the encrypted domain. And all the PLC (y ) = 2·⎧Fσ ⎡ (y + 1)⎤−Fσ [ ·y]⎫,y ∈ {0,1,…,b−1}
covert messages of the t-level data hiding can be accurately extracted. ⎨
⎩ ⎣ 4b ⎦ 4b ⎬⎭ (18)
The test images are shown in Fig. 9. The probability of each to-be-embedded bit of w1 is
P (w1,j = 0) = P (w1,j = 1) = …=P (w1,j = b−1) = 1/ b (19)
5.2. Security According to Eq. (6): g1,j = w1,j−LC (h1,j,1,1) , j ∈ {1,2,…,l} . We denote
the probability of g1,j = x as Pg (x ), and Pg (x ) = P(g1,j = x). This provides
The security of the data-hiding process is a significant part of the the distribution rate of g1,j using discrete convolution (Table 5) in dif-
theoretical analysis because the proposed method must recode the ci- ferent cases.
phertext directly. The security includes two main aspects: one is The probabilities of different change quantities after embedding can
maintaining the security of the encryption algorithm, and the other is be calculated as:
the undetectability of the hidden data. A crucial criterion of the security
q
of current image encryption and public- key algorithms is to ensure that P (c1,′ j = cj + λ·⎢ ⎥ ) = P (βi = 1)·Pg (λ ) + P (βj = −1)·Pg (−λ )
the encrypted data follows a uniform distribution, so the marked ci- ⎢
⎣ 4b ⎥
⎦ (20)
phertext should follow the same distribution to maintain the hardness.
q
As for the undetectability, it requires the marked ciphertext to be in- P ⎛c1,′ j = cj−λ·⎢ ⎥ ⎞ = P (βi = −1)·Pg (λ ) + P (βj = +1)·Pg (−λ )
⎝ ⎢
⎣ 4 ⎥⎠
b⎦ (21)
distinguishable from the original ciphertext when analyzed by either
human visual system or analysis methods. Therefore, the changes of the where λ ∈ {0,1,…,b−1} .
statistical features of the ciphertext after embedding indicate the un- By substituting the probabilities in Table 5 into Eqs. (20) and (21), it
detectability. According to above analysis, we then discuss the prob- can be deduced that P (c1,′ j = cj + λ·⌊q/4b⌋) = P (c1,′ j=cj−λ·⌊q/4b⌋) , which
ability distribution and statistical features of the data after embedding is denoted asPλ . We can then obtain the distribution rate of λ, which is
to analyze the security of the proposed scheme [28]. shown in Table 6.

Table 3
PSNR (dB) for the five representative schemes.
[11] [23] [22] [20] [21]

Lossless scheme Reversible scheme Algorithm 1 Algorithm 2

Lena 51.48 42.85 53.07 ∞ 42.32 ∞ ∞

Baboon 51.26 42.85 42.90 ∞ 43.65 ∞ ∞
Crowd 51.77 42.85 52.45 ∞ 44.11 ∞ ∞
Tank 51.48 42.82 48.24 ∞ 42.57 ∞ ∞
Peppers 51.40 42.85 52.52 ∞ 43.25 ∞ ∞
Plane 51.65 42.84 52.52 ∞ 43.94 ∞ ∞

140
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

Table 4
PSNR (dB) in directly decrypted images using the proposed scheme.
Embedding level t Log2b n

240 260 280 300 320 340 360 380 400 420

The 1st level 1 1 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞

2 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
3 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
2 1 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
2 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
3 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
3 1 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
2 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞

The 2nd level 1 1 – – – – – – – – – –

2 – – – – – – – – – –
3 – – – – – – – – – –
2 1 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
2 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
3 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
3 1 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
2 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞

The 3rd level 1 1 – – – – – – – – – –

2 – – – – – – – – – –
3 – – – – – – – – – –
2 1 – – – – – – – – – –
2 – – – – – – – – – –
3 – – – – – – – – – –
3 1 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞
2 ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞

In summary, the distribution function of the 1st level marked ci- entropy is used here to prove the security of image encryptions which
phertext, denoted as F c1′ (x ) , can be calculated: usually maximize the entropy. We calculated the average information
entropies of the original ciphertext and the marked ciphertext, denoted
⎢ ⎥ as H and H’. Hideal is the theoretical ideal maximum entropy. The dif-
F c1′ (x ) = P (c1,′ j < x ) = Pλ (0)·Fc (x ) + Pλ (1)[Fc (x −⎢q/4b⎥)
⎣ ⎦ ferent colors in the histograms represent the different test groups.
⎢ ⎥ The experimental results demonstrate that the histograms did not
F (x −⌊q (b− 1)/4b⌋)+⎤
+ Fc (x + ⎢q/4b⎥)] + …+Pλ (b−1) ⎡
c
⎢ Fc (x + ⌊q (b−1)/4b⌋) ⎥ change significantly after embedding, and the recoding of the original
⎣ ⎦ ⎣ ⎦ ciphertext equivalent to coarse random scrambling, which contributes
1 x x + ⌊q/4b⌋ x −⌊q/4b⌋ ⎞ to the encryption, so the average information entropy of the marked
= · + Pλ (1) ⎜⎛ + ⎟ + …+ Pλ (b
b q ⎝ q q ⎠ ciphertext is not less than the original one. The conclusion remains the
same when we repeat the experiments in different embedding rates.
x + ⌊q (b−1)/4b⌋ x −⌊q (b−1)/4b⌋ ⎞
−1) ⎜⎛ + ⎟ (b) Mean
⎝ q q ⎠ If ci ∼ U (a,b) , the ideal mean of ci should be (b−a)/2 . To test the
x 2x x 2x 1 b−1 mean of the marked ciphertext, we apply the proposed scheme to
= + (Pλ (1) + Pλ (2) + …+Pλ (b−1)) = + · ·
bq q bq q b 2 sample data with different embedding capacities, which can be directly
x
= = Fc (x ) determined by the value of t·log 2b .
q (22) Fig. 11 shows the relationship between the means of the test data
The result shows that the 1st level marked ciphertext follows the (asterisks) and the ideal means in q (horizontal lines) for n = 240,
280, 320, 360 and 420, and t·log 2b = 0,1,2,…,6, where t·log 2b = 0 in-
uniform distribution in q like the original ciphertext. Similarly way,
we can prove that Fc′i (x ) = Fc′i − 1 (x ) = x / q=Fc (x ) , i = 2, …,t. dicates that t = 0 or b = 1, namely, no additional data is embedded.

5.2.2. Statistic features 5.3. Efficiency

(a) Histogram
We tested several groups of sample data to obtain histograms of the RDH-ED based on public-key cryptosystem (e.g., [20–24]) has an
ciphertext before and after embedding. Fig. 10 shows the results for encryption blowup factor which is caused by the encryption principle
n = 240, 320, and 420, b = 4, and t = 3. In addition, information rather than the embedding methods while stream encryption based

Fig. 9. The test images. (a) Lena; (b) Baboon; (c) Crowd; (d) Tank; (e) Peppers; (f) Plane.

141
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

Table 5
Distribution ratio of g1,j.
g1,j (w1,j,LC (h1,j ) ) Pg(g1,j)

-(b-1) (0,b-1)
{ q q
} {2
b· Fσ ⎡ ·b⎤−Fσ ⎡ (b−1)⎤ = · 1−Fσ ⎡ (b−1)⎤
⎣ 4b ⎦ ⎣ 4b ⎦ b ⎣ 4b ⎦
q
}
-(b-2) (0,b-2),(1,b-1)
·{F ⎡ (b−1)⎤ } + ·{F ⎡ } = ·{1−F ⎡⎣ }
2 q q 2 q q 2 q
σ b⎤−F ⎡ (b−1)⎤−Fσ ⎡ (b−2)⎤ (b−2)⎤
b ⎣ 4b ⎦ σ ⎣ 4b ⎦ B σ
⎣ 4b ⎦ ⎣ 4b ⎦ b σ 4b ⎦
… … …
-2 (0,2),(1,3),…, (b-3,b-1) 2 q q 2 q q
·{Fσ [ b]−Fσ [ (b−1)]} + ·{Fσ [ (b−1)]−Fσ [ (b−2)]}
2
+ ...+ ·{Fσ [
3q 2q
]−Fσ [ ]}
b 4b 4b b 4b 4b b 4b 4b
2 q 2q 2 2q
= ·{Fσ [ b]−Fσ [ ]} = ·{1−Fσ ( )}
b 4b 4b b 4b
-1 (0,1),(1,2),…, (b-2,b-1) 2·{Fσ [qb/4b]−Fσ [q/4b]}/ b = 2·{1−Fσ (1/4b)}/ b
0 (0,0),(1,1),…, (b-1,b-1) 2·{Fσ [qb/4b]−Fσ [0]}/ b = 2·{1−1/2}/b = 1/b
… … …
b-1 (b-1,0) b·{Fσ (1/4b)−Fσ (0)} = 2·{Fσ (q/4b)−1/2}/ b

Table 6
Distribution rate of λ .

λ Pλ

0 1
b
1 1 1
·
b 2 { q
+ Fσ ⎡ (b−1)⎤−Fσ ⎡ ⎤
⎣ 4b ⎦
q
⎣ 4b ⎦ }
2
·{ ( )}
1 1 q q
+ Fσ ⎡ (b−2)⎤−Fσ ·2
b 2 ⎣ 4b ⎦ 4b
… …
b-1 1 1
·
b 2 { q q
+ Fσ ⎡ ⎤−Fσ ⎡ (b−1)⎤
⎣ 4b ⎦ ⎣ 4b ⎦ }

schemes (e.g., [2,11,25]) have a high encryption speed with no data

expansion. However, RDH-ED based on public-key cryptosystem has a
smaller cost of key storage and management. It is better suited for
smaller sized files or occasions where the memory and computational
cost is not on the client side, such as in cloud. In this paper, we do not
intend to reduce the blowup of LWE but utilize it to increase the em-
bedding capacity. Thus, we will discuss the efficiency in these two as-
pects: encryption blowup and embedding capacity.
5.3.1. Encryption blowup factor
We denote the encryption blowup factor of our scheme as lEN, which
must meet the condition that q∈ (2lEN − 1,2lEN], q is the minimum prime in
(n2, 2n2), i.e., 1 bit plaintext will be encrypted into lEN bit ciphertext.
Take the experiment in Fig. 8 as an example, the test image Lena has a
Fig. 11. Means with different embedding capacities.
size of 256 kB (equal to 512 × 512 × 8 bits), after LWE encryption, the
corresponding uncompressed ciphertext has a size of 4 MB (equal to
512 × 512 × 8 × 16 bits), the encryption blowup factor is 16,
becauseq = 56701 ∈ (215,216].
Under the condition of non-quantum computing, to reach the same
security level of LWE based schemes using n = 240, RSA algorithm has
a blowup factor 384; Elliptic Curves Cryptography (ECC) has a blowup
factor 32; Paillier homomorphic encryption based RDH-ED (e.g.,

Fig. 10. Histograms for n = 240 with Hideal = 15.8138, n = 320 with Hideal = 16.6440, and n = 420 with Hideal = 17.4285. (a) Original ciphertext with n = 240,
H = 15.6784; (b) Marked ciphertext with n = 240, H’ = 15.7142; (c) Original ciphertext with n = 320, H = 16.5732; (d) Marked ciphertext with n = 320,
H’ = 16.6175; (e) Original ciphertext with n = 420, H = 17.3375; (f) Marked ciphertext with n = 420, H’=17.3965.

142
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144

Table 7
Embedding rates of plaintext (bpb).
[2] [11] [20] Algorithm 1 in[21] Algorithm 2 in [21] [22] [23] [24] Proposed

Lena 0.0625 0.0074 0.1210 126.8750 1.50 0.0175 0.0625 0.0625 1–6
Baboon 0.0625 0.0020 0.1210 126.8750 1.50 0.0078 0.0625 0.0623 1–6
Crowd 0.0625 0.0150 0.1210 126.8750 1.50 0.0175 0.0625 0.0625 1–6
Tank 0.0625 0.0075 0.1210 126.8750 1.50 0.0311 0.0625 0.0623 1–6
Peppers 0.0625 0.0056 0.1210 126.8750 1.50 0.0155 0.0625 0.0623 1–6
Plane 0.0625 0.0120 0.1210 126.8750 1.50 0.0233 0.0625 0.0623 1–6
Average 0.0625 0.0825 0.1210 126.8750 1.50 0.0201 0.0625 0.0623 1–6

Table 8 In consideration of the encryption blowup, we calculate the ER of

Embedding rates of ciphertext (bpb).
t·log 2b n t·log 2b
240 280 320 360
1 0.0625 0.0588 0.0588 0.0588
6 0.3750 0.3529 0.3529 0.3529
Blowup factor 16 17 17 17
[20–24]) have a blowup factor 128–256. Under the condition of
quantum computing, schemes based on RSA, ECC or Paillier homo-
morphic encryption can no longer keep security while LWE based
schemes remain secure. What’s more, LWE is based on linear operations
among matrices, resulting in a better encryption speed than RSA, ECC
or Paillier homomorphic encryption [30].
5.3.2. Embedding capacity
We denote the band of the covert message as b. In a (log2b)-bit
version of the t-level data-hiding process, 1 bit plaintext data can the-
oretically load a maximum of t·log 2b bits of additional data in the en-
crypted domain.
The value of t·log 2b cannot be set infinitely large, because the
quantization step of the sub-region ⌊q/4bt ⌋ will narrow when increasing
b or t, and the embedding recoding will have an increasing effect on the
ciphertext during the data-hiding process. It could reduce the hardness
of the LWE algorithm, because the randomly sequences are pseudo-
random, which are generated by pseudo-random generators that might
be less satisfactory than the output of LWE algorithm. Thus, to achieve a
balance between security and embedding efficiency, we can either
choose a high-randomicity generator or limit the value of t and b to a
security level. According to Section 5.1, α min is set to 2 n / q to ensure
that a security deviation can be generated by the additive noise.
Therefore, the magnitudes of ⌊q/4bt ⌋ in experiments are set bigger than
the security deviation.
We compared our embedding rates (ER) with seven schemes
([2,11,20–24]). The optimal ER (bit per bit, bpb) presented in the seven
schemes are shown in Table 7. According to the experimental results in
Section 5.1.3, t·log 2b are 1, 2, or 3 in the 1-level data hiding, 2, 4, or 6 in
the 2-level data hiding, 3 or 6 in the 3-level data hiding. Therefore, the
ERs of proposed scheme are 1–6 in Table 7.
ciphertext of our scheme:
ER =
lEN (23)
420
where lEN is the encryption blowup factor. The ERs of ciphertext re-
0.0556
0.3333
present the embedding bits per bit of ciphertext, which indicates the
18 redundancy utilizing ability of a method. As shown in Table 8, the
blowup factor of the proposed scheme is 16–18 and the ER of ciphertext
can exceed 0.3000 bpb.
The performance of the proposed scheme is compared with that of
Ref. [2,11,20–24] in Table 9. The results demonstrate that the em-
bedding domain of the proposed multilevel RDH-ED is the LWE en-
cryption domain, and the data extraction is separable from decryption.
The blowup factor of the proposed scheme is larger than stream en-
cryption based RDH-ED (e.g., [2] and [11]), smaller than the other
public-key encryption based RDH-ED (e.g., [20–24]). The ER of ci-
phertext is higher than most existing separable schemes.
6. Conclusion
This paper proposes a scheme of multilevel reversible data hiding in
encrypted domain. Multilevel messages can be embedded by recoding
the redundancy that exists in ciphertext. The theoretical analysis con-
centrated on correctness, security and efficiency of the proposed
scheme. The experimental results demonstrate that the proposed
scheme guarantees complete reversibility of plaintext’s recovery, and
that 1 bit original data load multi-bit additional data in the encrypted
domain without reducing the encryption security. The main contribu-
tions of this paper can be summarized as follows:
1. We propose to embed additional data in the encrypted domain by
utilizing the redundancy that exists in the encryption processes of
public key cryptography algorithms. The proposed scheme is ap-
plied to the bits of the plaintext regardless of the types of the host
media.
2. A multilevel RDH-ED is designed by quantifying the LWE-encrypted
domain and recoding the controllable redundancy of ciphertext,
which achieved completely reversible plaintext recovery and se-
parability of the data extraction and decryption processes.
3. The proposed data-hiding method is suitable for existing LWE

Table 9
Performance comparison.
Algorithm Embedding domain Extraction domain Blowup factor ER of ciphertext(bpb) Embedding level

[2] Stream cipher encrypttion Separable 1 0.0625 Single level

[11] Stream cipher encrypttion Separable 1 0.0825 Single level
[20] Paillier encryption Separable 128 0.0009 Single level
Algorithm 1 in [21] Paillier encryption Plaintext domain 256 0.4956 Single level
Algorithm 2 in [21] Paillier encryption Ciphertext domain 256 0.0059 Single level
[22] Paillier encryption Separable 128 0.0002 Single level
[23] Paillier encryption Separable 128 0.0005 Single level
[24] Paillier encryption Separable 128 0.0005 Single level
Proposed LWE encryption Separable 16–18 0.0625–0.3333 Multilevel

143
Y. Ke et al.
algorithms (e.g., [29,31,34]). However, only the secret key owner
can operate multilevel data hiding in our scheme because of his
access to the controllable redundancy. Future investigation will
focus on 1) extending the application to allow a trusted third party
to embed multilevel messages by modifying the key distribution
strategy and introducing LWE based proxy re-encryption tech-
nology, and 2) increasing the efficiency by optimizing encryption
blowup factor and the recoding method of the redundancy.
Conflict of interest
None.
Acknowledgements
This work was supported by National Key R&D Program of China
under Grant No. 2017YFB0802000, and the National Natural Science
Foundation of China under Grant No.61379152 and Grant
No.61403417. The authors also gratefully acknowledge the helpful
comments and suggestions of the reviewers.
References
[1] M. Barni, T. Kalker, S. Katzenbeisser, Inspiring new research in the field of signal
processing in the encrypted domain, IEEE Signal Process Mag 30 (2) (2013) 16.
[2] K. Ma, W. Zhang, X. Zhao, N. Yu, F. Li, Reversible data hiding in encrypted images
by reserving room before encryption, IEEE Trans. Inf. Forensics Security 8 (3)
(2013) 553–562.
[3] Y.-Q. Shi, X. Li, X. Zhang, H. Wu, Reversible data hiding: advances in the past two
decades, IEEE Access 4 (5) (2016) 3210–3237.
[4] J.M. Barton, Method and apparatus for embedding authentication information
within digital data, U.S. Patent 5 (1997) 646–997.
[5] J. Tian, Reversible data embedding using a difference expansion, IEEE Trans.
Circuits Syst. Video Technol. 13 (8) (2003) 890–896.
[6] Z. Ni, Y.-Q. Shi, N. Ansari, W. Su, Reversible data hiding, IEEE Trans. Circuits Syst.
Video Technol. 16 (3) (2006) 354–362.
[7] Y. Qiu, Z. Qian, L. Yu, Adaptive reversible data hiding by extending the generalized
integer transformation, IEEE Signal Process. Lett. 23 (1) (2016) 130–134.
[8] S.-K. Lee, Y.-H. Suh, and Y.-S. Ho, “Reversible image authentication based on wa-
termarking”, in Proc. IEEE Int. Conf. Multimedia Expo (ICME), Toronto, ON,
Canada, pp. 1321–1324, 2006.
[9] X. Li, B. Yang, T. Zeng, Efficient reversible watermarking based on adaptive pre-
diction-error expansion and pixel selection, IEEE Trans. Image Process. 20 (12)
(2011) 3524–3533.
[10] G. Xuan, X. Tong, J. Teng, X. Zhang, Y.Q. Shi, Optimal histogrampair and predic-
tion-error based image reversible data hiding, Proc. Int. Workshop Image-Forensics
Digit, Watermarking (IWDW), Shanghai, China, 2012, pp. 368–383.
[11] F.J. Huang, J.W. Huang, Y.Q. Shi, New framework for reversible data hiding in
encrypted domain, IEEE Trans. Inf. Forensics Secur. 11 (12) (2016) 2777–2789.
[12] X. Zhang, Reversible data hiding in encrypted image, IEEE Signal Process Lett. 18
144
Journal of Visual Communication and Image Representation 54 (2018) 133–144
(4) (Apr. 2011) 255–258.
[13] J. Zhou, W. Sun, L. Dong, X. Liu, O.C. Au, Y.Y. Tang, Secure reversible image data
hiding over encrypted domain via key modulation, IEEE Trans. Circuits Syst. Video
Technol. 26 (3) (2016) 441–452.
[14] X. Wu, W. Sun, High-capacity reversible data hiding in encrypted images by pre-
diction error, Signal Process. 104 (11) (2014) 387–400.
[15] Z. Qian, X. Zhang, S. Wang, Reversible data hiding in encrypted JPEG bitstream,
IEEE Trans. Multimedia 16 (5) (2014) 1486–1491.
[16] X. Liao, C. Shu, Reversible data hiding in encrypted images based on absolute mean
difference of multiple neighboring pixels, J. Vis. Commun. Image Represent. 28 (4)
(2015) 21–27.
[17] D. Xiao, S.-K. Chen, Separable data hiding in encrypted image based on compressive
sensing, Electron. Lett. 50 (8) (2014) 598–600.
[18] M. Kuribayashi, H. Tanaka, Fingerprinting protocol for images based on additive
homomorphic property, IEEE Trans. Image Process. 14 (12) (2005) 2129–2139.
[19] N. Memon, P.-W. Wong, A buyer-seller watermarking protocol, IEEE Trans. Image
Process. 10 (4) (2001) 643–649.
[20] X.-P. Zhang, J. Loong, Z. Wang, et al., Lossless and reversible data hiding in en-
crypted images with public key cryptography, IEEE Trans. Circuits Syst. Video
Technol. 26 (9) (2016) 1622–1631.
[21] H.-T. Wu, Y.-M. Cheung, J.-W. Huang, Reversible data hiding in paillier crypto-
system, J. Vis. Commun. Image R. 40 (2016) 765–771.
[22] S.-J. Xiang, X. Luo, Reversible data hiding in homomorphic encrypted domain by
mirroring ciphertext group, IEEE Trans. Circuits Syst, Video Technol, 2017 (in
press).
[23] Y.-C. Chen, C.-W. Shiu, G. Horng, Encrypted signal-based reversible data hiding
with public key cryptosystem, J. Visual Commu. Image Represent. 25 (5) (2014)
1164–1170.
[24] C.-W. Shiu, Y.-C. Chen, W. Hong, Encrypted image-based reversible data hiding
with public key cryptography from difference expansion, Signal Process. Image
Commun. 39 (2015) 226–233.
[25] X. Zhang, Separable reversible data hiding in encrypted image, IEEE Trans. Inf.
Forensics Secur. 7 (2) (2012) 826–832.
[26] Z. Yin, B. Luo, W. Hong, Separable and error-free reversible data hiding in en-
crypted image with high payload, The Sci. World J. 2014 (2014) Art. no. 604876.
[27] H.-Z. Wu, Y.-Q. Shi, H.-X. Wang, et al., Separable reversible data hiding for en-
crypted palette images with color partitioning and flipping verification, IEEE
Transactions on Circuits and Systems for Video Technology, to be published. Doi:
10.1109/TCSVT. 2016. 2556585.
[28] Y. Ke, M.-Q. Zhang, J. Liu, Separable multiple bits reversible data hiding in en-
crypted domain, in: Digital Forensics and Watermarking – 15th International
Workshop, IWDW 2016, Beijing, China, 470–484, 2016.
[29] O. Regev, On lattices, learning with errors, random linear codes and cryptography,
J. ACM 56 (6) (2009) 34.
[30] O. Regev. The learning with errors problem, in: Proc of Int Conf on Public Key
Cryptography (PKC2007), Berlin, Germany, 2007, pp. 315–329.
[31] D. Micciancio, O. Regev, Lattice-based Cryptography, in: D.J. Bernstein,
J. Buchmann (Eds.), Post-Quantum Cryptography, Springer, Berlin, Heidelberg,
Germany, 2008, pp. 147–191.
[32] Nicolas Gama, Phong Q. Nguyen, Predicting lattice reduction, in: Advances in
cryptology-Eurocrypt 2010: 27th Annual International Conference on the Theory
and Applications of Cryptographic Techniques. Istanbul, Turkey, pp. 31–51, Apr.
2008.
[33] M. Ruckert, M. Schneider. “Estimating the security of latticed-based cryptosys-
tems”, (2010) [Online] Available: http://eprint.icur.org/2010/137.pdf.
[34] V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors
over rings, Journal of the Acm 60 (6) (2013) Art. no. 43.