Professional Documents
Culture Documents
A R T I C LE I N FO A B S T R A C T
Keywords: This paper proposes a multilevel reversible data hiding scheme in encrypted domain by utilizing the controllable
Information security redundancy of learning with error public key cryptography. Messages can be embedded into multilevel sub-
Reversible data hiding regions of ciphertext by quantifying the encrypted domain and recoding its redundancy. We recode redundancy
Multilevel embedding based on the characteristics of cipher’s distribution. Extraction and decryption processes are separated by di-
Public key cryptography
viding the encrypted domain into multilevel sub-regions and introducing different quantification standards.
Learning with Error
Original plaintext can be losslessly recovered from the marked ciphertext by using the decryption key; with a
specific level data-hiding key, only the message hiding in the corresponding level can be extracted, while
plaintext and other messages remain secret. We provide theoretical analysis and experimental results on the
feasibility, reversibility, and security of the proposed scheme. The capacity and encryption blow up factor are
discussed. The experimental results demonstrate the maximum embedding rate can exceed 0.3000 bpb of ci-
phertext.
1. Introduction plaintext would diffuse through the entire encrypted domain. However,
data hiding requires the ciphertext to be modified; thus, the more the
Reversible data hiding in encrypted domain (RDH-ED) is an in- ciphertext is changed, the greater the distortion of the decrypted re-
formation hiding technique that aims to not only accurately embed and sults. The utilization of the redundancy in the cover media is the fun-
extract covert messages, but also restore the original cover losslessly. damental component of data hiding technique. Thereofore, the existing
RDH-ED is useful in applications in which distortion is unacceptable methods of RDH-ED can mainly be classified into two frameworks:
and ciphertext must be managed or identified by embedding private “vacating room before encryption (VRBE)” [2] and “vacating room
marks or error correction codes without knowing any information after encryption (VRAE)” [3]. The room, namely the redundancy, is
about the plaintext. Most importantly, no permanent change is allowed vacated for embedding in these two frameworks.
when the original plaintext and covert data are recovered in these ap- The VRBE framework creates embedding redundancy in the plain-
plications, such as ciphertext management or retrieval in the cloud text domain, so there is always an extra preprocessing step before en-
environment, imagery annotation for medical or military use. With cryption. The VRBE schemes are mainly based on three strategies:
increasing demand for information security and the development of lossless compression [4], difference expansion (DE) [5], and histogram
signal processing techniques in the encrypted domain, RDH-ED has shifting (HS) [6]. Most RDH methods [7–10] are derived from these
been an issue of great contention in the information security and en- three strategies. HS based methods have attracted much attention and
crypted signal processing field [1]. can be divided into three categories: histogram shifting (HS) [6], dif-
The difficulty of RDH-ED lies in embedding additional data into ference histogram shifting (DHS) [8] and prediction-error histogram
ciphertext without causing distortion of the decrypted result. We ana- shifting (PEHS) [9]. DHS and PEHS based methods have drawn much
lyze two aspects of this problem. The first is that once data is encrypted, more attention because of their large embedding capacities and high
the plaintext features (e.g., image pixels’ relativity) that traditional data reversibilities. In [11], a new framework of RDH-ED was proposed, in
hiding technologies use are lost. The second is that modern crypto- which a specific stream encryption algorithm was used to preserve
graphy algorithms require diffusibility, i.e., even one bit change of some of the correlation between the neighboring pixels. Different DHS
☆
This paper has been recommended for acceptance by Dinu Coltuc.
⁎
Corresponding author.
E-mail address: 15114873390@163.com (Y. Ke).
https://doi.org/10.1016/j.jvcir.2018.05.002
Received 28 October 2017; Received in revised form 19 April 2018; Accepted 4 May 2018
Available online 09 May 2018
1047-3203/ © 2018 Elsevier Inc. All rights reserved.
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
and PEHS based RDH schemes can be performed directly in the en- The multilevel data-hiding process expands the applications of
crypted domain. However, the VRBE framework might be impractical RDH-ED, because it allows to embed multilevel covert messages into a
because it requires a preprocessing step to be performed before the marked ciphertext with multilevel data-hiding keys. With a specific
content encryption. level data-hiding key, only covert message of the corresponding level
The first VRAE method was proposed by Zhang for encrypted can be completely extracted, while the plaintext and other covert
images [12], and then [13–14] enhanced its capacity. Qian, et al. messages remain secret. It could provide the ciphertext owner with
proposed a similar method to embed data in an encrypted JPEG bit more flexible application scenarios, for example, the ciphertext owner
stream [15]. Liao, et al. [16] proposed embedding data in encrypted needs to embed additional remarks into a cover or marked ciphertext at
images based on the absolute mean difference between multiple different times, and additional remarks should not degrade the de-
neighboring pixels. Other VRAE schemes include compression sensing crypted result or other previously embedded remarks; Watermarks or
in the encrypted domain [17] and homomorphic public key encryption error correction codes are embedded into ciphertext in multiple levels
[18–24]. To adapt to practical applications, separable schemes have to enhance the robustness or to correct errors in data storage or
been proposed [17,25–27], in which the extraction and data decryption transmission.
processes can be separated. In separable schemes, covert messages can The rest of this paper is organized as follows. The following section
be extracted from marked ciphertext perfectly, but most schemes distort introduces Regev’s LWE algorithm and analyzes its controllable re-
the directly decrypted cover, so a reconstruction process is always dundancy in encryption. Section 3 introduces the methodology of the
needed to recover the original cover media by establishing a distortion multilevel RDH-ED. Section 4 describes the detailed process. In Section
function based on the neighboring pixels’ relativity or others. Thus, the 5, the three judging standards of RDH schemes, including the correct-
reversibility depends on the effect of the distortion function in the re- ness, security and efficiency, are discussed theoretically and verified
construction process. with experimental results. Finally, Section 6 summarizes the paper and
This paper proposes a RDH scheme in encrypted domain that be- discusses future investigations.
longs to neither VRBE nor VRAE. We attempt to discover and utilize the
redundancy that is produced in the encryption process of public key 2. Regev’s LWE algorithm
cryptography instead of vacating redundancy. Currently researches of
public key cryptography based RDH-ED are mainly based on Paillier The Learning with Errors (LWE) problem was first introduced by
homomorphic public key cryptosystem [20–24]. Probabilistic and Oded Regev in 2005′s STOC [29], and has become an amazingly ver-
homomorphic properties of Paillier cryptography allow us to conduct satile basis for cryptographic constructions due to its reliable security,
operations directly on ciphertext to embed data into the plaintext, simple algebraic structure and nearly linear operations [30].
which provides more flexible applications in RDH-ED field. The first
Paillier cryptography based RDH-ED was proposed by Chen et al. [23].
To enhance the capacity and broaden the application scenarios, Wu 2.1. Regev’s LWE cryptosystem
et al. proposed two RDH algorithms for the encrypted images in [21]. A
high-capacity algorithm based on Paillier cryptosystem is presented for Regev’s LWE cryptosystem is parameterized by the integers n (the
the scenario of data extraction after image decryption. The other one security parameter), d (the number of dimension of the public key
can operate data extraction in the encryption domain. In [20], Zhang space), q (the modulus), l (the length of plaintext in one encryption
et al. proposed to embed the same data twice in the reserved room of operation). If q is a prime, all of the operations in the cryptosystem are
the encrypted image and in the Pailler encrypted domain to realize the performed modulo q in , q ∈ (n2,2n2)≥ 2 , a real ε > 0 , and
d ≥(1 + ε )(1 + n)1ogq . We denote the noise probability distribution on
separability of decryption and data extraction. By using mirroring ci-
as χ , χ = ψαq , where the discrete Gaussian distribution ψαq =
phertext group (MCG) strategy [22], Xiang et al. proposed a novel se-
{「qx」mod q | x ∼N (0, α2)}, and 「qx」 denotes rounding qx to the
parable RDH-ED method without any pixel oversaturation in plaintext
nearest integer).
domain. However, the encryption blowup and computational cost are
Secret Key: Choose a matrix S ∈ × uniformly, where each ele-
high in homomorphic cryptography based RDH-ED, and a reconstruc-
ment of S is chosen independently and uniformly.
tion process is also needed to restore distortion in the directly decrypted
Public Key: Choose a matrix A ∈ × uniformly, where each ele-
plaintext from the marked ciphertext, e.g., [20,22–24]. To further en- ment of A is chosen independently and uniformly. Generate a noise
hance the efficiency, we propose to embed data into the ciphertext by matrix E ∈ ×
whose elements follow the distribution χ in-
recoding the redundancy in the encryption process of public key
dependently and output the pair (A,P = AT S + E ) ∈ nq × d × dq × l as the
cryptography rather than using homomorphic technique. Based on this public key.
idea, a multilevel RDH-ED is designed by recoding the encryption re- Encryption: The plaintext is m = (m1,m2,…m1) ∈ {0,1}l . Generate
dundancy of the learning with Error (LWE) public key cryptography. a ∈ {0,1}d uniformly and output the pair
We choose the LWE algorithm mainly because of its three advantages (u = Aa,c = PT a + m⌊q/2⌋) ∈ nq × lq as ciphertext.
for RDH-ED [28]: 1. sufficient controllable redundancy for embedding; Decryption: For the ciphertext (u, c), a quantization vector
2. strong security for privacy protection and information security, LWE h = c−S T u is calculated. Denote the decryption of (u, c) as
cryptosystem is so far one of the most promising post-quantum cryp- m′ = (m1′,m2′,…,ml′) , where mi′=0(i = 1,2,…,l) if the i-th element of h is
tosystem; and 3. brief structure and simple computation, which are closer to 0 than to ⌊q/2⌋; otherwise, mi′=1.
significant in practical applications. The methodology and proposed The correctness of the decryption is defined as follows:
scheme will be elaborated in detailed in following sections. By recoding h = c−S Tu = P Ta + m⌊q/2⌋−S TAa = E Ta + m⌊q/2⌋. Fig. 1 shows
the redundancy of the LWE encryption process to embed additional the distribution of integers in q , which has been divided into 4 regions
data, the proposed scheme has the following properties: 1. complete (I, II, III, and IV). We denote the i-th element of h as hi , so
reversibility, in which the original plaintext can be losslessly recovered h = (h1,h2,…,hl )T , and hi can be regarded as a point on the circle in Fig. 1
directly from the marked ciphertext and there is no reconstruction (the point A represents hi = ⌊q/4⌋). Because of the additive noise/
process; 2. separability of multilevel data extraction and decryption; errorE Ta , the exact locations of hi on the circle are uncertain. However,
and 3. accurate data decryption and extraction. More importantly, since by choosing a reasonable value of the standard deviation α , E Ta will
the proposed method directly recodes ciphertext for data hiding, we have a magnitude less than⌊q/4⌋, so m′ = (m1′,m2′,…,ml′) can be recovered
concentrate on the security of the data-hiding process, which is a sig- by rounding each hi back to either hi = 0 or hi = ⌊q/2⌋, whichever is
nificant part of the theoretical analysis and experimental results in closer modulo q. If hi is located in region I or IV, the decrypted bit
Section 5. mi′ = 0 ; if hi is located in region II or III, the decrypted bit mi′ = 1.
134
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
0(q) decrypted bit, which is the same as the correctness in Section 2, and the
1st level sub-region number (e.g., 0, 1) indicates the 1st level embedded
data. For example, in Fig. 2, point B, which represents hi is located in
sub-region II.1; therefore, the decrypted bit is 1 because the region
number is II, and the embedded data is 1 because the 1st level sub-
region number is 1.
Next, when we have the ciphertext of LWE algorithm, we can embed
1bit additional data in the encrypted domain by adding or subtracting
3q/4 q/4(A: hi = q/4) the 1st level quantization step to or from the ciphertext to change the
location of hi to a proper 1st level sub-region within the same region;
thus, resulting that the changed hi would carry plaintext and covert
data with dual meanings. So far, we have the 1st level marked ci-
phertext. It should be noted that hi should be located in the same region
before and after embedding to guarantee that no error is introduced
into decrypted results.
q/2
Fig. 1. Distribution of integers in q . 3.2. Multilevel data hiding
For the 2nd level data hiding, based on the 1st level data hiding,
2.2. Controllable redundancy analysis
each 1st level sub-region is divided into two 2nd level sub-regions de-
noted as I.0.0, I.0.1; I.1.0, I.1.1; II.0.0, II.0.1; II.1.0, II.1.1; III.0.0,
Without additive noise, finding the secret key S with the public key
III.0.1; III.1.0, III.1.1; IV.0.0, IV.0.1; and IV.1.0, IV.1.1 (Fig. 3).
(A, P) would be easy: after approximately d equations, we can recover S
Therefore, the 2nd level quantization step is ⌊q/16⌋. The meanings of the
in polynomial time using the Gaussian elimination algorithm.
2nd level sub-region’s region number and the 1st level sub-region
Introducing additive noise, Gaussian elimination algorithm takes linear
number are the same as in Section 3.1. In addition, the 2nd level sub-
combinations of the d equations, which amplifies the noise to un-
region number (e.g., 0, 1) indicates the 2nd level embedded data.
manageable levels and leaves essentially no information about S in the
We can embed another 1bit additional data in the encrypted domain
elimination results. The best known cryptanalysis algorithms for LWE
by adding or subtracting the 2nd level quantization step to or from the
run in exponential time (even quantum algorithms do not appear to
1st level marked ciphertext to change the location of hi to a proper 2nd
help). Thus, the encryption blowup of LWE is not controllable as for
level sub-region within the same 1st level sub-region. For example, if
attackers. However, the secret-key keeper can obtain the quantization
point B in Fig. 2 needs to carry 1 bit of additional data “1” in the 2nd
vector h. The range of hi to recover mi′ takes up half of the integer
level data hiding, its 1st level marked ciphertext must subtract ⌊q/16⌋ to
domain q ; i.e., hi within ⌊q/2⌋ possible values only corresponds to 1 bit
make hi be located at point C (Fig. 3). We will then obtain the 2nd level
of plaintext, and the values of hi could be in control once we had the
marked ciphertext.
secret key S. Our scheme takes advantage of the redundancy of hi to
Similarly, we can achieve multilevel data hiding in the encrypted
embed covert data.
domain, and 1 bit of additional data can be embedded after the i-th
(i = 1, 2, 3, …) level data hiding. It should be noted that hi before and
3. Methodology
after the i-th (i = 2, 3, …) level data hiding should be located in the
same (i-1)-th level sub-region to guarantee that no error is introduced
3.1. The 1st level data hiding
into the (i-1)-th level data extraction results.
135
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
0(q) System
parameters Key generation Key distribution
setting
.0 .0
(a)
.1 .1
Encryption key 1st level data-hiding key
.2 .2
LWE Original 1st level Covert
Plaintext
.3 .3 encryption ciphertext data hiding message 1
3q/4 q/4
.3 .3 1st level
marked
ciphertext
.2 .2
.0.3
.0.2
.0.3
.1. 0
.1.
.1. 1
.1.
.1. 2
3
2
.2
.1
0
.2. .0 .2. 1 …), which determines that log 2bi bits of additional data can be em-
.2. 1 .2. 2 bedded in the i-th level data hiding. The smallest quantization step of all
.2.32 .2.
.3.0 .2.3 of the t-level data-hiding processes is ⌊q/4b1 b2…bt ⌋. In the remainder of
.3.1 .3.0 the paper, we set b1 = b2 = … = bi = … = bt = b, and b is a power of 2
.3.1 to simplify the conversion process in practical applications.
.3.2 .3.2
.3.3 .3.3 The methodology of our scheme to perform data hiding in encrypted
3q/4 .3.3 .3.3 q/4
domain using the controllable redundancy of LWE algorithm is mainly
.3.2 .3.2
.3.1 .3.1 based on the methods described above. The detailed processes of the
.3.0 .3.0 multilevel reversible data hiding scheme in encrypted domain are de-
.2.3 .2.3
2
.2. .1 .2. scribed in the next section.
.2 .0 .2 2
.2 .2. .1
0
.1. .3
.1
2
.1 .2
1
4. Proposed scheme
.3
.1
.1.0
.1.
.0.3
.1.
.0.2
.0.1
.1.0
.0.0
1
.0.3
.0.2
.0.1
.0.0
136
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
4.1. Initialization encrypted and embedded following a random distribution. Thus, the
exclusive-or sequence m of the plaintext p and Rp is calculated as:
Step 1: Setting the system parameters m = p ⊕ Rp (3)
Choose a security parameter n that is a power of 2, which de-
termines the other parameters. The modulus is a prime q ∈ (n2,2n2) ⩾ 2 . where m = (m1,m2,…,ml ),mi ∈ {0,1} is for LWE encryption.
The dimension of the vectors in the public key space is 2) Generate a vector a ∈ {0,1}d randomly and output the original
d ⩾ (1 + ε )(1 + n)log 2q , ε > 0 . The noise distribution is χ = Ψαq , and ciphertext using LWE algorithm (u = Aa,c = P Ta + m⌊q/2⌋)
the standard deviation is α = o (1/ n logn) . The reasonable ranges of ∈ nq × lq .
these parameters are analyzed in detail in Section 5. Denote the total Step 2: Multilevel data hiding
′
number of levels of the multilevel data hiding as t and the number of Denote the i-th level covert message as ci ∈ {0,1}l of length l′. The i-th
the i-th level sub-region as b (i = 1, 2, 3,…, t), which is a power of 2 and level data-hiding keys are (S, RLi), i ∈ {1,2,…,t } .
is the band of the multi-band data to be embedded. Denote the length of 1) The exclusive-or sequence oi of the secret message ci and RLi are
the plaintext in one encryption operation as l and the length of the calculated as:
additional data in the i-th level data-hiding operation as l′; thus,
oi = ci ⊕ RLi (4)
l′ = l·log 2b .
l′
Step 2: Key generation where oi∈ {0,1} . Then, encode oi into a b-band vector
Choose the matrixes S ∈ nq × l and A∈nq × d uniformly, where each wi = (wi,1,wi,2,…,wi,l ) , wi,j∈ {0,1,…,b−1} , j∊{1,2…,l} for embedding.
element of S and A is chosen independently and uniformly. Generate a 2) The 1st level data hiding: The original ciphertext is (u, c), and the
noise matrix E ∈ dq × l , whose elements follow the distribution χ in- data to be embedded is w1. Calculate the quantization vector
dependently, and then output the pair (A,P = AT S + E ) ∈ nq × d × dq × l . h1 = c−S Tu , h1 = (h1,1,h1,2,…,h1,l )T . A vector that would affect the cover
′
Generate t + 1 pseudo-random sequences: Rp ∈ {0,1}l , RL1 ∈ {0,1}l , ciphertext’s change positively or negatively is denoted as
l′ l′ β = (β1,β2,…,βl )T (βj ∈ { +1,−1} ). The change quantity factor vector is
RL2 ∈ {0,1} ,…, RLt ∈ {0,1} . All the pseudo-random sequences are used
to randomly scramble the plaintext and all the covert messages before denoted as g1 = (g1,1,g1,2,…,g1,l )T .
LWE encrypting to realize separability of the decryption and the data Calculate the vectors β and g1:
extraction and to maintain the security of LWE encryption.
⎧+ 1,h1,j ∈ [0,⌊q/4⌋) ∪ [⌊q/2⌋,⌊3q/4⌋)
Step 3: Key distribution βj = − 1,h ∈ [⌊q/4⌋,⌊q/2⌋) ∪ [⌊3q/4⌋,q)
⎨ 1,j
In this paper, the keys are distributed as shown in Table 1 according ⎩ (5)
to their functions in the proposed system.
g1,j = w1,j−LC (h1,j,1,1) (6)
Definition 1. The function LC (hi, i, t), hi ∈ q , i, t∈ ∗, i⩽ t,
LC∈ {0,1,…,b−1} , which returns the number of the i-th level sub-region where g1,j ∈ {−b + 1,−b + 2,…,−1,0,1,…,b−1},j ∈ {1,2,…,l} .
in a t-level data hiding that an input quantization element hi locates in: Output the pair (u,c1′) as the 1st level marked ciphertext, where
c1′ = (c1,1 ′ ,…,c1,′ l )T :
′ ,c1,2
⎢ L (hi,t )modbi ⎥
LC (hi,i,t ) = ⎢
bi − 1 ⎥,hi ∈ q,i ∈ {1,2,…,t } (1)
c1,′ j = cj + βj ·g1,j ·⌊q/4b⌋,(j = 1,2,…,l) (7)
⎣ ⎦
where 3) The i-th level data hiding (i = 2, 3,…, t): The (i-1)-th level marked
ciphertext is (u,ci′− 1) , and the data to be embedded is wi. Calculate the
⎧
t
⎢ 4b hi ⎥,hi ∈ [0,q/4) quantization vector hi = ci′−S Tu,hi = (hi,1,hi,2,…,hi,l )T . Denote the
⎪ ⎣ q ⎦ change quantity factor vector as gi = (gi,1,gi,2,…,gi,l )T .Calculate the vector
⎪ t ⎢ 4bt hi ⎥ gi :
⎪ 2b −⎣ q ⎦−1,hi ∈ [q/4,q/2)
L (hi,t ) = gi,j = wi,j−LC (hi,j,i,i) (8)
⎨ ⎢ 4bt hi ⎥−2bt ,hi ∈ [q/2,3q/4)
⎪⎣ q ⎦
⎪ t 4bt hi where gi,j ∈ {−b + 1,−b + 2,…,−1,0,1,…,b−1},j ∈ {1,2,…,l} .
⎪ 4b −⎢ q ⎥−1,hi ∈ [3q/4,q) Output the pair (u,ci′) as the i-th level marked ciphertext, where
⎪ ⎣ ⎦ (2)
⎩ ci′ = (ci′,1,ci′,2,…,ci′,l )T :
q
ci′,j = ci′− 1,j + βj ·gi, j ·⎢ i ⎥,(j = 1,2,…,l)
⎢
⎣ 4b ⎥
⎦ (9)
Encryption key (P, A, Rp) and the recovered plaintext, which is denoted as p′:
Decryption key (S, Rp)
p′ = m′ ⊕ Rp (11)
1st level data-hiding key (S, RL1)
2nd level data-hiding key (S, RL2)
The i-th level data extraction:
… …
t-th level data-hiding key (S, RLt) For the t-th level marked ciphertext (u,ct′) , the i-th level covert
message can be extracted by using the i-th level data-hiding key (S, RLi).
137
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
Calculate the quantization vector h′ = ct′−S Tu , where and that it is located at point F (I.2.1) in Fig. 7, which indicates that the
h′ = (h1′,h2′,…,hl′)T . Denote the i-th level extracted data from (u,ct′) as a decrypted bit is 0, the 1st level extracted data is 2, and the 2nd level
temporary vector w Temp,w Temp = (w1′,w2′,…,wl′),w′∈
j {0,1,…,b− extracted data is 1.
1},j ∈ {1,2,…,l} : In addition, to recover original plaintext and covert messages, we
w′j = LC (h′j ,i,t ),j = 1,2,…,l need a decryption key or multilevel data-hiding key, respectively, to
(12)
perform an exclusive-or calculation; that would not generally cause any
′
′
Encode w Temp into a binary sequence o Temp of length l′, o Temp
′ ∈ {0,1}l , error, so we do not review the exclusive-or steps.
and the recovered covert message ci′ is : Hence, the same region ensures the consistency of the decryption of
the multilevel marked ciphertext, and the multilevel sub-region’s
ci′ = o Temp
′ ⊕ RLi (13) numbers carry the information about the multilevel covert messages.
In summary, the data-hiding process is based on the encryption Thus, the necessary condition for maintaining the proposed scheme
redundancy, so it applied to the bits of the plaintext regardless of the ’correctness is that the magnitude of each element of E Ta must be less
types of the host media. The processes of decryption and different level than ⌊q/4⌋.
data extraction are separable from each other. Denote the element of matrix E as ei,j and the j-th element of a as aj,
where ei,j follows the distribution χ independently
d
5. Theoretical analysis and experimental results (i = 1,2,…,l,j = 1,2,…,d ). The i-th element of E Ta is ∑ j = 1 ei,j aj , which
d
follows a distribution N (0, ∑ j = 1 aj ·α ) .
5.1. Correctness
According to Section 4.2, a ∈ {0,1}d is generated randomly,
d d
The correctness of the proposed scheme includes the lossless de- so∑ j = 1 aj ≈ 2 . The i-th element of E Ta should follow the Gaussian
cryption of plaintext and the accurate extraction of the covert message, distributionN (0, d/2 ·α ) .
which are the fundamental principles and criteria of RDH-ED. To obtain a truncated inequality probability of a Gaussian dis-
tribution, let z ∼ N (0,1) . Then:
5.1.1. Decryption-error probability
+∞ 1 1 1 2 1
We first review the process of the scheme to analyze the necessary P (|z| ⩾ x ) ⩽ 2 ∫x exp ⎛− z 2⎞ ⩽ exp ⎛− x 2⎞
conditions for maintaining accuracy. 2π ⎝ 2 ⎠ x π ⎝ 2 ⎠ (14)
In the encryption process, if mi = 0, hi will be located in region I or The decryption-error probability of the proposed scheme is:
IV, and if mi = 1, hi will be located in region II or III. In the multilevel
d
data-hiding process, the cover ciphertext will add or subtract a multiple ⎛ ⎞
of the i-th level quantization step to change the location of hi within its d ⎜
∑ ei,j ⎟
q j=1 q 4α d q2
upper level sub-region, so hi will be located in the same upper level sub- P (| ∑ ei,j aj | ⩾ ) = P ⎜| |⩾ ⎟⩽ · exp ⎛− 2 ⎞
⎜ ⎟
4 d d q π ⎝ dα ⎠
region before and after the i-th (i = 1, 2,…) level data-hiding process j=1 ⎜ α 2 4α
2 ⎟
⎜ ⎟
(when i = 1, the “upper level sub-region” should be one of the four ⎝ ⎠
regions I, II, III, IV). (15)
For example, if the bit to be encrypted is m = 0, we set q = 937,
b = 4 and t = 2, and the two to-be-embedded bits are w1 = 2 and According to Eq. (15), a decryption error will occur if the total noise
w2 = 1. Then the LWE encrypted data c is 492. In the 1st level data exceeds ⌊q/4⌋. The smaller α becomes, the lower the probability of de-
hiding, the quantization element h is 225, which is located at point D in cryption error. On the other hand, if α is too small, the security of LWE
Fig. 7. According to Eqs. (1) and (2) and (5)(6), β = +1 and g1 = w1− algorithm might be seriously compromised because the distribution of
LC(225, 1, 1) = 2–3 = −1. We obtain the 1st level marked ciphertext the additive noise will be approximately 0 with a small deviation. Thus,
c1′ = 492 + (−1)·⌊937/16⌋ = 434 using Eq. (7). In the 2nd level data schemes based on LWE problem generally require αq > 2 n [29].
hiding, the quantization element h is 167, which is located at point E in Above all, the value of α directly determines both the security of our
Fig. 7. According to Eqs. (1) and (2) and (5)(6), β = +1 and g1 = w2– scheme and the probability of decryption failure. However, the condi-
LC(167, 2, 2) = 1–3 = −2. We obtain the 2nd level marked ciphertext tion α = o (1/ n logn) given in [29] cannot accurately provide a rea-
c1′ = 434 + (−2)·⌊937/64⌋ = 406 using Eq. (7). With the 2nd level sonable range of α ; therefore, we obtain reasonable ranges of α for
marked ciphertext, we can determine that quantization element h is 139 different n using experiments in the following section.
.2.2
Considering the efficiencies of the best known lattice reduction algo-
rithms, the secure dimension of the lattice must reach 500 (δ = 1.01)
.2 .2.3 175 [32,33]. In [28], the security parameter is set n∈ [100,320]. The lattice
dimension with n = 220 is 220log 2 (q)/log 2 (1.01) < 500 , resulting in a
drawback in security. However, an increase in n will result in a high
.3 D(225)
encryption blowup. To balance security and the efficiency of practical
use, we set n∈ [240,420] for the experiments in this paper
234 ( 240 × log 2 (q (n))/log 2 (1.01) > 500). The other parameters for the
proposed scheme are set as follows: q is the minimum prime between
Fig. 7. Location Change of h in a 2-bit version of 2-level data hiding. (n2,2n2) , d = ⌊1.25(1 + n)log 2q⌋, l = 8n , t = 1, 2, 3, and b = 2,4,8. By
138
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
Fig. 8. Experiment of 2-bit version of 2-level data hiding on “Lena”. (a) Image “Lena”; (b) Bit-plane image of the original data; (c) Plaintext; (d)Randomly permuted
plaintext; (e) Covert message1; (f) Covert message2; (g)Original ciphertext by LWE; (h)The 1st marked ciphertext; (i) Extracted covert message 1 from the 1st marked
ciphertext; (j) Recovered plaintext from the 1st marked ciphertext; (k) The 2nd marked ciphertext; (l) Extracted covert message 1 from the 2nd marked ciphertext;
(m) Extracted covert message 2 from the 2nd marked ciphertext; (n) Recovered plaintext from the 2nd marked ciphertext; (o) Recovered image“Lena”; (p) Errors of
the recovered plaintext and the extracted covert messages in the 1st level data hiding; (q) Errors of the recovered plaintext and the extracted covert messages in the
2nd level data hiding.
testing large amount of sample data under different conditions with n= data as covert messages (Fig. 8(e)-(f)). Covert message 1 is for the 1st
240, 260, 280, …, 420, we obtained the upper limit of α, which is level data hiding, and covert message 2 is for the 2nd level data hiding.
denoted asα max , and represents the decryption error that will occur if α Then, we encrypt the exclusive-or results using the LWE algorithm to
in the experiments is greater than α max . The lower limit value, which is obtain the original ciphertext as shown in Fig. 8(g).
denoted asα min , is set to 2 n / q to ensure that the necessary deviation is The 1st level data hiding: we embed the covert message 1 into the
generated by the additive noise. original ciphertext, and obtain the 1st level marked ciphertext as shown
The processes of the experiment to obtain a reasonable α are as in Fig. 8(h). With the 1st level marked ciphertext, the covert message 1
follows. We take a 2-bit version of 2-level data hiding implementation is extracted as shown in Fig. 8(i), and the original plaintext is recovered
on image Lena as an example to test the reasonability of as shown in Fig. 8(j).
α = 6.1250 × 10−4 . To show the experimental processes visually and The 2nd level data hiding: we embed the covert message 2 into the
intuitively, we set n = 240 , q = 57601, l = 8n , b = 4 , and t = 2 to en- 1st level marked ciphertext, and obtain the 2nd level marked ciphertext
crypt a 240 × 240 binary image with a length of 7200 bytes, embed as shown in Fig. 8(k). With the 2nd level marked ciphertext, the covert
14,400 bytes additional data at each level. message 1 and the covert message 2 are extracted as shown in Fig. 8(l)-
The 512 × 512 plaintext test image of Lena is shown in Fig. 8(a); (m), and the original plaintext is recovered as shown in Fig. 8(n). To
each pixel’s gray value within [0255] is represented by 8 bits. We then recover the entire image Lena, we repeat the above processes to the
divided the image into bit planes (Fig. 8(b)). First, we segment the bit- other blocks of the bit-plane image. The recovered image is shown in
plane image into several non-overlapping 240 × 240 blocks and then set Fig. 8(l).
α = 2.8452 × 10−3 on the first block. The bit values of the original data’s We make bit-by-bit comparisons between the plaintext and the de-
first block are shown in a 240 × 240 binary image in Fig. 8(c). Next, we crypted data, and between the covert messages and the extracted data
calculate an exclusive-or result of the plaintext and the binary pseudo- after each level data hiding as shown in Fig. 8(p)-(q). The results in-
random data (Fig. 8(d)) and generate two 4-band randomly-permuted dicate that both the decryption and extraction are lossless, which also
139
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
Table 3
PSNR (dB) for the five representative schemes.
[11] [23] [22] [20] [21]
140
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
Table 4
PSNR (dB) in directly decrypted images using the proposed scheme.
Embedding level t Log2b n
240 260 280 300 320 340 360 380 400 420
In summary, the distribution function of the 1st level marked ci- entropy is used here to prove the security of image encryptions which
phertext, denoted as F c1′ (x ) , can be calculated: usually maximize the entropy. We calculated the average information
entropies of the original ciphertext and the marked ciphertext, denoted
⎢ ⎥ as H and H’. Hideal is the theoretical ideal maximum entropy. The dif-
F c1′ (x ) = P (c1,′ j < x ) = Pλ (0)·Fc (x ) + Pλ (1)[Fc (x −⎢q/4b⎥)
⎣ ⎦ ferent colors in the histograms represent the different test groups.
⎢ ⎥ The experimental results demonstrate that the histograms did not
F (x −⌊q (b− 1)/4b⌋)+⎤
+ Fc (x + ⎢q/4b⎥)] + …+Pλ (b−1) ⎡
c
⎢ Fc (x + ⌊q (b−1)/4b⌋) ⎥ change significantly after embedding, and the recoding of the original
⎣ ⎦ ⎣ ⎦ ciphertext equivalent to coarse random scrambling, which contributes
1 x x + ⌊q/4b⌋ x −⌊q/4b⌋ ⎞ to the encryption, so the average information entropy of the marked
= · + Pλ (1) ⎜⎛ + ⎟ + …+ Pλ (b
b q ⎝ q q ⎠ ciphertext is not less than the original one. The conclusion remains the
same when we repeat the experiments in different embedding rates.
x + ⌊q (b−1)/4b⌋ x −⌊q (b−1)/4b⌋ ⎞
−1) ⎜⎛ + ⎟ (b) Mean
⎝ q q ⎠ If ci ∼ U (a,b) , the ideal mean of ci should be (b−a)/2 . To test the
x 2x x 2x 1 b−1 mean of the marked ciphertext, we apply the proposed scheme to
= + (Pλ (1) + Pλ (2) + …+Pλ (b−1)) = + · ·
bq q bq q b 2 sample data with different embedding capacities, which can be directly
x
= = Fc (x ) determined by the value of t·log 2b .
q (22) Fig. 11 shows the relationship between the means of the test data
The result shows that the 1st level marked ciphertext follows the (asterisks) and the ideal means in q (horizontal lines) for n = 240,
280, 320, 360 and 420, and t·log 2b = 0,1,2,…,6, where t·log 2b = 0 in-
uniform distribution in q like the original ciphertext. Similarly way,
we can prove that Fc′i (x ) = Fc′i − 1 (x ) = x / q=Fc (x ) , i = 2, …,t. dicates that t = 0 or b = 1, namely, no additional data is embedded.
Fig. 9. The test images. (a) Lena; (b) Baboon; (c) Crowd; (d) Tank; (e) Peppers; (f) Plane.
141
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
Table 5
Distribution ratio of g1,j.
g1,j (w1,j,LC (h1,j ) ) Pg(g1,j)
-(b-1) (0,b-1)
{ q q
} {2
b· Fσ ⎡ ·b⎤−Fσ ⎡ (b−1)⎤ = · 1−Fσ ⎡ (b−1)⎤
⎣ 4b ⎦ ⎣ 4b ⎦ b ⎣ 4b ⎦
q
}
-(b-2) (0,b-2),(1,b-1)
·{F ⎡ (b−1)⎤ } + ·{F ⎡ } = ·{1−F ⎡⎣ }
2 q q 2 q q 2 q
σ b⎤−F ⎡ (b−1)⎤−Fσ ⎡ (b−2)⎤ (b−2)⎤
b ⎣ 4b ⎦ σ ⎣ 4b ⎦ B σ
⎣ 4b ⎦ ⎣ 4b ⎦ b σ 4b ⎦
… … …
-2 (0,2),(1,3),…, (b-3,b-1) 2 q q 2 q q
·{Fσ [ b]−Fσ [ (b−1)]} + ·{Fσ [ (b−1)]−Fσ [ (b−2)]}
2
+ ...+ ·{Fσ [
3q 2q
]−Fσ [ ]}
b 4b 4b b 4b 4b b 4b 4b
2 q 2q 2 2q
= ·{Fσ [ b]−Fσ [ ]} = ·{1−Fσ ( )}
b 4b 4b b 4b
-1 (0,1),(1,2),…, (b-2,b-1) 2·{Fσ [qb/4b]−Fσ [q/4b]}/ b = 2·{1−Fσ (1/4b)}/ b
0 (0,0),(1,1),…, (b-1,b-1) 2·{Fσ [qb/4b]−Fσ [0]}/ b = 2·{1−1/2}/b = 1/b
… … …
b-1 (b-1,0) b·{Fσ (1/4b)−Fσ (0)} = 2·{Fσ (q/4b)−1/2}/ b
Table 6
Distribution rate of λ .
λ Pλ
0 1
b
1 1 1
·
b 2 { q
+ Fσ ⎡ (b−1)⎤−Fσ ⎡ ⎤
⎣ 4b ⎦
q
⎣ 4b ⎦ }
2
·{ ( )}
1 1 q q
+ Fσ ⎡ (b−2)⎤−Fσ ·2
b 2 ⎣ 4b ⎦ 4b
… …
b-1 1 1
·
b 2 { q q
+ Fσ ⎡ ⎤−Fσ ⎡ (b−1)⎤
⎣ 4b ⎦ ⎣ 4b ⎦ }
Fig. 10. Histograms for n = 240 with Hideal = 15.8138, n = 320 with Hideal = 16.6440, and n = 420 with Hideal = 17.4285. (a) Original ciphertext with n = 240,
H = 15.6784; (b) Marked ciphertext with n = 240, H’ = 15.7142; (c) Original ciphertext with n = 320, H = 16.5732; (d) Marked ciphertext with n = 320,
H’ = 16.6175; (e) Original ciphertext with n = 420, H = 17.3375; (f) Marked ciphertext with n = 420, H’=17.3965.
142
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
Table 7
Embedding rates of plaintext (bpb).
[2] [11] [20] Algorithm 1 in[21] Algorithm 2 in [21] [22] [23] [24] Proposed
Lena 0.0625 0.0074 0.1210 126.8750 1.50 0.0175 0.0625 0.0625 1–6
Baboon 0.0625 0.0020 0.1210 126.8750 1.50 0.0078 0.0625 0.0623 1–6
Crowd 0.0625 0.0150 0.1210 126.8750 1.50 0.0175 0.0625 0.0625 1–6
Tank 0.0625 0.0075 0.1210 126.8750 1.50 0.0311 0.0625 0.0623 1–6
Peppers 0.0625 0.0056 0.1210 126.8750 1.50 0.0155 0.0625 0.0623 1–6
Plane 0.0625 0.0120 0.1210 126.8750 1.50 0.0233 0.0625 0.0623 1–6
Average 0.0625 0.0825 0.1210 126.8750 1.50 0.0201 0.0625 0.0623 1–6
Table 9
Performance comparison.
Algorithm Embedding domain Extraction domain Blowup factor ER of ciphertext(bpb) Embedding level
143
Y. Ke et al. Journal of Visual Communication and Image Representation 54 (2018) 133–144
algorithms (e.g., [29,31,34]). However, only the secret key owner (4) (Apr. 2011) 255–258.
can operate multilevel data hiding in our scheme because of his [13] J. Zhou, W. Sun, L. Dong, X. Liu, O.C. Au, Y.Y. Tang, Secure reversible image data
hiding over encrypted domain via key modulation, IEEE Trans. Circuits Syst. Video
access to the controllable redundancy. Future investigation will Technol. 26 (3) (2016) 441–452.
focus on 1) extending the application to allow a trusted third party [14] X. Wu, W. Sun, High-capacity reversible data hiding in encrypted images by pre-
to embed multilevel messages by modifying the key distribution diction error, Signal Process. 104 (11) (2014) 387–400.
[15] Z. Qian, X. Zhang, S. Wang, Reversible data hiding in encrypted JPEG bitstream,
strategy and introducing LWE based proxy re-encryption tech- IEEE Trans. Multimedia 16 (5) (2014) 1486–1491.
nology, and 2) increasing the efficiency by optimizing encryption [16] X. Liao, C. Shu, Reversible data hiding in encrypted images based on absolute mean
blowup factor and the recoding method of the redundancy. difference of multiple neighboring pixels, J. Vis. Commun. Image Represent. 28 (4)
(2015) 21–27.
[17] D. Xiao, S.-K. Chen, Separable data hiding in encrypted image based on compressive
Conflict of interest sensing, Electron. Lett. 50 (8) (2014) 598–600.
[18] M. Kuribayashi, H. Tanaka, Fingerprinting protocol for images based on additive
homomorphic property, IEEE Trans. Image Process. 14 (12) (2005) 2129–2139.
None.
[19] N. Memon, P.-W. Wong, A buyer-seller watermarking protocol, IEEE Trans. Image
Process. 10 (4) (2001) 643–649.
Acknowledgements [20] X.-P. Zhang, J. Loong, Z. Wang, et al., Lossless and reversible data hiding in en-
crypted images with public key cryptography, IEEE Trans. Circuits Syst. Video
Technol. 26 (9) (2016) 1622–1631.
This work was supported by National Key R&D Program of China [21] H.-T. Wu, Y.-M. Cheung, J.-W. Huang, Reversible data hiding in paillier crypto-
under Grant No. 2017YFB0802000, and the National Natural Science system, J. Vis. Commun. Image R. 40 (2016) 765–771.
Foundation of China under Grant No.61379152 and Grant [22] S.-J. Xiang, X. Luo, Reversible data hiding in homomorphic encrypted domain by
mirroring ciphertext group, IEEE Trans. Circuits Syst, Video Technol, 2017 (in
No.61403417. The authors also gratefully acknowledge the helpful press).
comments and suggestions of the reviewers. [23] Y.-C. Chen, C.-W. Shiu, G. Horng, Encrypted signal-based reversible data hiding
with public key cryptosystem, J. Visual Commu. Image Represent. 25 (5) (2014)
1164–1170.
References [24] C.-W. Shiu, Y.-C. Chen, W. Hong, Encrypted image-based reversible data hiding
with public key cryptography from difference expansion, Signal Process. Image
[1] M. Barni, T. Kalker, S. Katzenbeisser, Inspiring new research in the field of signal Commun. 39 (2015) 226–233.
processing in the encrypted domain, IEEE Signal Process Mag 30 (2) (2013) 16. [25] X. Zhang, Separable reversible data hiding in encrypted image, IEEE Trans. Inf.
[2] K. Ma, W. Zhang, X. Zhao, N. Yu, F. Li, Reversible data hiding in encrypted images Forensics Secur. 7 (2) (2012) 826–832.
by reserving room before encryption, IEEE Trans. Inf. Forensics Security 8 (3) [26] Z. Yin, B. Luo, W. Hong, Separable and error-free reversible data hiding in en-
(2013) 553–562. crypted image with high payload, The Sci. World J. 2014 (2014) Art. no. 604876.
[3] Y.-Q. Shi, X. Li, X. Zhang, H. Wu, Reversible data hiding: advances in the past two [27] H.-Z. Wu, Y.-Q. Shi, H.-X. Wang, et al., Separable reversible data hiding for en-
decades, IEEE Access 4 (5) (2016) 3210–3237. crypted palette images with color partitioning and flipping verification, IEEE
[4] J.M. Barton, Method and apparatus for embedding authentication information Transactions on Circuits and Systems for Video Technology, to be published. Doi:
within digital data, U.S. Patent 5 (1997) 646–997. 10.1109/TCSVT. 2016. 2556585.
[5] J. Tian, Reversible data embedding using a difference expansion, IEEE Trans. [28] Y. Ke, M.-Q. Zhang, J. Liu, Separable multiple bits reversible data hiding in en-
Circuits Syst. Video Technol. 13 (8) (2003) 890–896. crypted domain, in: Digital Forensics and Watermarking – 15th International
[6] Z. Ni, Y.-Q. Shi, N. Ansari, W. Su, Reversible data hiding, IEEE Trans. Circuits Syst. Workshop, IWDW 2016, Beijing, China, 470–484, 2016.
Video Technol. 16 (3) (2006) 354–362. [29] O. Regev, On lattices, learning with errors, random linear codes and cryptography,
[7] Y. Qiu, Z. Qian, L. Yu, Adaptive reversible data hiding by extending the generalized J. ACM 56 (6) (2009) 34.
integer transformation, IEEE Signal Process. Lett. 23 (1) (2016) 130–134. [30] O. Regev. The learning with errors problem, in: Proc of Int Conf on Public Key
[8] S.-K. Lee, Y.-H. Suh, and Y.-S. Ho, “Reversible image authentication based on wa- Cryptography (PKC2007), Berlin, Germany, 2007, pp. 315–329.
termarking”, in Proc. IEEE Int. Conf. Multimedia Expo (ICME), Toronto, ON, [31] D. Micciancio, O. Regev, Lattice-based Cryptography, in: D.J. Bernstein,
Canada, pp. 1321–1324, 2006. J. Buchmann (Eds.), Post-Quantum Cryptography, Springer, Berlin, Heidelberg,
[9] X. Li, B. Yang, T. Zeng, Efficient reversible watermarking based on adaptive pre- Germany, 2008, pp. 147–191.
diction-error expansion and pixel selection, IEEE Trans. Image Process. 20 (12) [32] Nicolas Gama, Phong Q. Nguyen, Predicting lattice reduction, in: Advances in
(2011) 3524–3533. cryptology-Eurocrypt 2010: 27th Annual International Conference on the Theory
[10] G. Xuan, X. Tong, J. Teng, X. Zhang, Y.Q. Shi, Optimal histogrampair and predic- and Applications of Cryptographic Techniques. Istanbul, Turkey, pp. 31–51, Apr.
tion-error based image reversible data hiding, Proc. Int. Workshop Image-Forensics 2008.
Digit, Watermarking (IWDW), Shanghai, China, 2012, pp. 368–383. [33] M. Ruckert, M. Schneider. “Estimating the security of latticed-based cryptosys-
[11] F.J. Huang, J.W. Huang, Y.Q. Shi, New framework for reversible data hiding in tems”, (2010) [Online] Available: http://eprint.icur.org/2010/137.pdf.
encrypted domain, IEEE Trans. Inf. Forensics Secur. 11 (12) (2016) 2777–2789. [34] V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors
[12] X. Zhang, Reversible data hiding in encrypted image, IEEE Signal Process Lett. 18 over rings, Journal of the Acm 60 (6) (2013) Art. no. 43.
144