Reversible data hiding in encrypted images based on ...

Multimed Tools Appl DOI 10.1007/s11042-016-4049-z

Reversible data hiding in encrypted images based on multi-level encryption and block histogram modification Zhaoxia Yin 1,2 & Andrew Abel 3 & Jin Tang 2 & Xinpeng Zhang 1 & Bin Luo 2

Received: 3 May 2016 / Revised: 2 October 2016 / Accepted: 5 October 2016 # Springer Science+Business Media New York 2016

Abstract In recent years there has been significant interest in reversible data hiding, and also in particular, reversible data hiding in encrypted images (RDH-EI). This means that additional data can be embedded into a previously encrypted image with no knowledge of the original image content. According to the held keys, legal receivers can get the embedded data or an image very similar to the original one, or, both the embedded data and an image exactly as the original one. In this paper, we propose and evaluate a RDH-EI framework. Firstly, we propose a multi-level encryption (MLE) scheme using both Josephus traversal based multi-granular encryption and a stream cipher. To reduce the quantity of side information required to embed into images together with additional data, we also present a block histogram modification (BHM) approach with self-hidden peak pixels to perform reversible data embedding and a location map marking scheme to perform histogram contraction and recovery. The experimental results demonstrate that, in comparison with other similar methods, the proposed framework achieves improvements in terms of the embedding payload, the decrypted image quality and the accuracy of image restoration.

* Xinpeng Zhang [email protected] Zhaoxia Yin [email protected] Andrew Abel [email protected]

1

School of Communication and Information Engineering, Shanghai University, Shanghai 200072, People’s Republic of China

2

Key Laboratory of Intelligent Computing & Signal Processing, Ministry of Education, Anhui University, Hefei 230601, People’s Republic of China

3

Computing Science and Mathematics, University of Stirling, Stirling, UK

Multimed Tools Appl

Keywords Signal processing in encrypted domain (SPED) . Reversible data hiding in encrypted images (RDH-EI) . Privacy protection

1 Introduction Data hiding, i.e. embedding additional data into multimedia, is of great research interest, particularly with regard to embedding data in such a manner that the cover medium itself is unaffected by the embedding process, and can carry information that is not perceptible to the naked eye. In combination with cryptography [33], image processing [9], and machine leaning [2], data hiding is promising for wide application in a range of aspects, including military, industry and medical research [10, 15, 20–26, 28, 29]. Data hiding in digital images is the most common application, and can be divided into non-reversible methods [5, 38], which are always desirable to minimize the distortion and evade the steganalysis [31, 32]; and reversible categories [4, 8, 13, 27], with the aim of reversible data hiding being to recover the original image error-free, which is of key interest in this paper. To date, there are two critical RDH technologies, i.e. difference expansion (DE) [8, 27] and histogram shifting (HS) [4, 13]. All of these methods explore redundant space in plaintext domain of natural images to embed data reversibly and achieve good embedding efficacy. However, this means that the data hider must have access to and see the original cover image during the embedding process. In popularity of cloud computing and cloud storage, multimedia owners often transmit data to a remote server for storage and further processing. Considering the needs of content security and privacy protection, the multimedia data should be encrypted before uploading. Thus, signal processing in the encrypted domain (SPED) arises at a very appropriate moment [3]. As a typical SPED topic, RDH-EI means embedding additional information into the cipher domain of an image without revealing the plaintext image content, and having the reversibility feature of extracting the embedded data and recovering the original image error-free.at the receiver side. The embedded data could be image labels, notations or authentication information and thus RDH-EI can play an important role in mass cypher-image data management and retrieval. Consequently, a number of RDH-EI methods have been proposed [1, 6, 7, 11, 12, 14, 16, 17, 19, 30, 35–37, 39]. The general framework of RDH-EI is sketched in Fig. 1. With or without some preprocessing, the Content-owner encrypts the original image by using an encryption key to conceal the principal content and an encrypted version is generated. Then, with the encrypted image, Data-hider embeds some additional data into the cipher domain directly. At the Receiver side, according to different held keys, legal receivers can extract the embedded data, i.e. the additional data error-free, or, decrypt the marked encrypted image to get an approximate image which is very similar to the original, or, perform recovery and generate a recovered image that is identical to the original one.

Fig. 1 General framework of RDH-EI

Multimed Tools Appl

In Zhang’s method proposed in 2011 [36], the original image is encrypted by stream cipher and the data hider can conceal one bit additional data by flipping the three LSB (least significant bits) of pixels within each blocks. On the receiver side, the marked encrypted image is decrypted at first. Then the three LSBs of each pixels is flipped to form a new block and the image-texture of each block can be estimated by a function. As we know, the spatial correlation in a natural image is stronger. Hence the original block is presumed to be much smoother than the adjusted one. If the block is properly classified by the function, the embedded bit can be extracted and the original block can be recovered. Obviously, the embedding payload of this method equals to the number of the blocks. Given a cover image with fixed size, the smaller the block size, the more bits can be carried. But at the same time, if an inappropriate block size is chosen, errors may occur during data extraction and image recovery. In other words, undersize block would reduce the precision of block classification and sacrifice reversibility. In order to solve this problem well, Hong et al. try unbalanced bit flipping to improve the embedding efficiency [7] and adopt side-match algorithm [6] to improve accuracy of block classification so that larger embedding payload and lower error rates are achieved. Some methods improve the embedding payload by vacating room before image encryption [1, 12, 19, 39]. However, it is impractical for the content owner to make space for data embedding because data embedding is supposed to be accomplished by the data hider in RDH-EI and it is ideal and reasonable for the content owner doing nothing but image encryption. Yin et al. proposed another method in 2014 [35] in which satisfactory embedding payload and good image quality are both achieved. Firstly, the original image is divided into multi-granularity and encrypted by granularity permutation. Then the additional data is embedded into each block in a sorted order with respect to block smoothness. However, leakage of the image histogram is inevitable since the original image is encrypted with pixel permutation and block permutation. In 2015, Liao and Sun [11] presented a more precise function to estimate the image-texture of each image block. Because the improved function can increase the accuracy of block classification, the error rate of data extraction and image recovery can be further reduced. Furthermore, a new adaptive judging function is proposed by Qin and Zhang’s [17]. Based on the distribution characteristic of different images, local contents is utilized to estimate the image-texture of each block in the data extraction and image recovery procedures, which decreases the errors of extracted bits and recovered blocks to some extent again. In addition, instead of flipping the LSBs of half pixels in the encrypted image, the LSBs of fewer pixels are flipped during data embedding in Qin and Zhang’s method, which leads to significant improvement of the visual quality of the approximate image. But in both of the two methods, as the payload increases, the error rate also increases. In summary, reversible data hiding in encrypted image is an emerging technology. In terms of evaluation criteria, higher embedding payload, better image quality and error-free data extraction and image restoration are desired. To meet these challenges, this paper presents a new RDH-EI method based on multi-level encryption and block histogram modification(BHM). Firstly, in traditional histogram modification approaches [4, 13], there is significant side information, including a location map for saturated pixels and the values of peak zero pairs, that have to be embedded together with the actual stream of message data. The quantity of side information limits the space for pure embedding payload. In addition, certain images have a limited payload, such as in images where the pixels have a very uniform distribution when viewed on a histogram, and so there are a lack of peak and zero pairs available for data to be embedded. To solve this problem, the BHM method divides images

Multimed Tools Appl

into smaller regions, and so the pixels are of less uniform distribution, meaning that more data can be embedded. In addition to this, BHM also employs self-hidden peak pixel values, meaning that only the seed to determine the location of peak pixels in each block needs to be sent, rather than the peak values of each block, again, reducing the side information substantially and allowing larger pure payload. To achieve RDH-EI based on BHM, the cover image is encrypted using multi-level image encryption (MLE) approach, which is a combination of a multi-granular Josephus traversal permutation and most significant bits (MSB) encryption using a standard stream cipher, as discussed in [6, 7, 14, 16, 36, 37]. Additional data can then be embedded into the least significant bits (LSB) using BHM. Depending on the key held by the legal receiver (either a decryption key, data hiding key, or both), either a very similar image to the original can be extracted (with the difference not expected to be visible to the naked eye), embedded data can be extracted without any knowledge of the original image, or both the embedded data and the original image can be fully recovered, error free. The results show that the proposed method is superior to other state-of-the-art research in terms of embedding payload, image quality and reversibility.

2 Proposed approach This section presents the proposed method in detail. First, we discuss our MLE approach in section 2.1. Then, the BHM is presented in section 2.2, where histogram contraction and location map marking is described and also data embedding and extraction using BHM based on self-hidden peak pixels. Finally, section 2.3 presents the RDH-EI method combining the techniques introduced in sections 2.1 and 2.2.

2.1 Multi-level encryption (MLE) By using a permutation encryption based on Josephus traversal [34], an image I can be encrypted to create Ie. As a further additional level of security, a stream cipher is also adopted to encrypt the m MSB of Ie to produce a fully encrypted image E.

2.1.1 Permutation based on Josephus traversing The Josephus problem is based on a historic plan to commit suicide in order, based on a ‘randomly’ generated sequence, with the aim being to be the last person chosen in the sequence, and therefore survive. In this research, the primary interest is to use this problem to define a sequence, known as a Josephus permutation sequence, containing the list of people in the order they are chosen to kill themselves, by recording this list, a Josephus traversing is therefore obtained. We use this traversing to generate the encrypted imageIe. To demonstrate this in the context of this research, firstly, the original image I of dimensions N −1 , with each block Bi being composed of Wa × Wb is divided into N non-overlapping blocks fBi gi¼0 u × v pixels. Multi-granularity encryption is utilized, firstly by using Josephus traversing to obtain N −1 , and then further randomly permuting the pixels in each block. the permuted blocks fBi gi¼0 The Josephus traversal is obtained with the aid of three parameters, as using the example above, we can see that three parameters are needed. These are the number of blocks in the sequence (N, from above), the starting position to begin counting from, represented in this case

Multimed Tools Appl

by js, and jc, the counting period. Using these parameters, a scrambled sequence of blocks, B can be identified with a Josephus permutation: ̅ B ¼ J ðN ; js ; jc Þ

ð1Þ

Where J is the Josephus permutation calculated by visualizing all blocks B in a ‘circle’, and then counting round them, starting from js, and continuing until the jc -th block is reached. This becomes the first image block of the traversal sequence, and is removed from the total list of blocks. The next block is then identified. To provide an example of this, assuming we have 9 blocks (N = 8), and we set js = 2 and jc = 3, then the total initial sequence of blocks B can be represented as: B ¼ ½B0 ; B1 ; B2 ; B3 ; B4 ; B5 ; B6 ; B7 ; B8

ð2Þ

Applying our example chosen parameters to Equation (1), i.e. J(9, 2, 3), produces a scrambled sequence: ̅ B ¼ ½B3 ; B6 ; B0 ; B4 ; B8 ; B5 ; B2 ; B7 ; B1

ð3Þ

In addition to this coarse block scrambling, we can also generate a full multi-granular encryption by generating an additional Josephus traversal for the pixel within each block, using the same approach. Thus, the encrypted image Ie is generated. This approach has strengths in that we can easily create very different sequences, and also that there is a lot of change in the order. However, the approach has the weakness of potentially being possible to identify js by comparing a number of generated sequences, and also that jc can potentially be identified if a number of initial values of the sequence B are known. However for the work presented in this paper, considering the multi-granular aspect, and the additional encryption and data hiding utilized, it was felt that this approach was both efficient and effective.

2.1.2 Stream cipher Let (i, j) represent a pixel location, and therefore pi , j an individual grey value, where pi , j ∈ {0, 1, 2, ... , 254, 255}. Based on this, pi , j can then be decomposed into 8 bit planes, which are given by: j k ð4Þ pti; j ¼ pi; j =2ðt−1Þ Q2 where ⌊.⌋ representing the floor function and % representing the modulo operator from mathematics. Pseudo-random bits rti; j are then generated using a standard stream cipher with an encryption key seed sr. The random bits are used to further encrypt each pixel using: t

̅ p i; j ¼ pti; j ⊕rti; j ;

m≤t ≤8

ð5Þ

In Equation (5), ⊕ represents the Exclusive OR (EOR) processing operation. It should be noted here that, we do not encrypt all eight bits of the grayscale image pixels, but only the m MSB.

2.2 Block histogram modification (BHM) Classical histogram modification based RDH techniques function by identifying peak and zero pairs in an image histogram, and then using peak pixels to embed data by

Multimed Tools Appl

shifting the histogram of all the values toward the zero point [13]. Since the maximal embedding capacity equals the number of peak pixels, more peak and zero pairs are required to enhance the payload [4]. There are three limitations. The first is, for most natural images, only a small number of non-overlapping peak and zero pairs can be found. The second is that the values of chosen peak and zero pairs must then be embedded into the image as side information. Last and most important, to deal with overflow and underflow during the histogram shifting process, the location map of saturated pixels (0 or 2l − 1 for a l bits grayscale image) should be embedded into the cover image too, reducing pure payload. To overcome these problems, a reversible data hiding based on BHM is presented in this section.

2.2.1 Location map marking First, we discuss histogram contraction and location map marking which are both commonly used to ensure that there are no saturated pixels present thus preventing overflow and underflow during the modification process [35]. The original image should be preprocessed by modifying saturated pixels and the corresponding side information can be noted in a location map H as following. All pixels p in each block B are visited sequentially, i.e. all n o uv−1 N −1 −1 ¼ qi; j are visited, assuming N blocks, with each block of dimension fBi gNi¼0 j¼0

i¼0

u × v pixels. If pi , j ∈ {0, 2l − 1}, this means a saturated pixel has been detected, and accordingly the location map vector H has a value of ‘1’ appended to it. If a pixel is close to saturation, i.e., pi , j ∈ {1, 2l − 1 − 1}, ‘0’ is appended to H. The pixel pi , j is then modified using 0 Equation (6) to produce the modified pixel pi; j 8 l < 2 −1−1; 0 pi; j ¼ 1 ; : pi; j ;

pi; j ¼ 2l −1 pi; j ¼ 0 otherwise

ð6Þ

As a result, the location map H marks only values that are either saturated or within one bit of saturation. This means that the dimensionality of H can be significantly lower than using a full binary map [19,21. In other words, less side information has to be embedded and more space could be reserved to carry additional data. An example of our block based histogram contraction and location map marking approach is shown in Fig. 2. For simplicity, this example considers an image of 12 × 12 pixels, with each pixel using four bits of data, i.e. l = 4. Figure 2 shows firstly an original image (a), which we have divided into 3 × 3 blocks. To prevent overflow or underflow during BHM, we must perform histogram contraction. The result of applying histogram contraction to Fig. 2a can be seen in Fig. 2b. The shaded regions indicate where a value of 0 or 2l − 1 (where l = 4) was identified and changed. As a result, a location map needs to be created to indicate where values where changed. The traditional approach was to create a binary map to embed into the image as side information, and this can be seen in Fig. 2c. It can be seen that, for a 12 × 12 image, a location map of 12 × 12 bits must also be created. Figure 2d shows the result of applying our new location map marking approach to Fig. 2a. It can be seen that as discussed above, if a pixel has its value changed, then

Multimed Tools Appl

Fig. 2 Example of proposed location map marking approach for 4-bits pixels. (a) shows the pixel values of a 4bits image divided into 3 × 3 blocks, with a number of saturated pixels. (b) shows the effect of histogram contraction, with shaded regions indicating where histogram contraction has occurred. (c) shows the traditional location map, with 1 bit for every pixel. (d) shows result of applying our new location map marking approach, showing a much smaller location map than (c)

the location map is marked with a ‘0’ if a pixel is within one bit of saturation, the location map is marked with a ‘1’, otherwise, the location map is not marked. This then results in a much smaller location map.

2.2.2 Data embedding of BHM based on self-hidden peak points In the case of an 8 bit greyscale image, the identification of each peak pixel value can result in 8 additional bits being embedded in addition to the message, resulting in a reduction in potential payload available for data hiding. In this section, we propose BHM based on self-hidden peak points. Step 1. For each image block Bi, two basic pixels bi , L, bi , R are randomly selected and the n ouv−3 . remaining u × v − 2 pixels are denoted by pi; j j¼0

Step 2. Two peaks in each block are determined, with gi , L and gi , R identified as equations (7) and (8): gi;L ¼ min bi;L ; bi;R

ð7Þ

gi;R ¼ max bi;L ; bi;R

ð8Þ

Multimed Tools Appl

Step 1. Concatenates H and the additional data A to form a string of message bits X, and then n o uv−3 N −1 scans the non-basic pixels pi; j (i.e. excluding the two pixels used to j¼0

i¼0

determine peak values) to conceal each bit x extracted from X according to Equations (9) and (10).

e ̅ p i; j ¼

(

̅ p i; j −x;

̅ p i; j ¼ g i;L

̅ p i; j þ x; ̅ q i; j ¼ g i;R

8 > g i;L < ̅ p i; j < g i;R p i; j ; > > : ̅ p i; j þ 1; ̅ p i; j > g i;R

ð9Þ

ð10Þ

If a scanned pixel pi; j is equal to the value of gi , L or gi , R, a bit x extracted from X is pi; j according to Equation (9). Otherwise, pixels that don’t embedded by modifying qi; j to e match gi , L or gi , R are either maintained or shifted by one unit using Equation (10). A schematic of BHM is shown in Fig. 3. From Fig. 3 we can see that for a scanned pixel pi; j equaling to the value of gi , L or gi , R, if a bit of value 0 is to be embedded, the value of e qi; j remains unchanged from qi; j . However, if a value of 1 is to be embedded, then depending if the value of pi; j matches that of gi , L or gi , R, the value is shifted by ±1. A worked example of this will be shown later. If pi; j is between the peak values, i.e., g i;L < pi; j < g i;R , then it remains unchanged. However, if pi; j is below gi , L, then it is shifted by −1, and by +1 if above gi , L. Again, a simplified worked example of this will be demonstrated. The resulting embedded blocks, then n oN −1 ei . This embedded image can then be decrypted by make up the final embedded image B i¼0

a legal receiver holding the generated data hiding key Kd, which consists of the parameters u, v and may also contain the seed Sd used to randomly select basic pixels. By this we mean that rather than embedding the peak values gi , L , gi , R, we choose two pixels of each block randomly to use as the basis pixels and indicate peak values, and then can pass the seed Sd used to generate these locations as part of a data hiding key. The peak values are therefore hidden within the image data, and are known to be self-hidden.

Fig. 3 The schematic of BHM

Multimed Tools Appl

Furthermore, we provide a very simple worked example of our complete process, including histogram contraction, location map marking, side information creation, self-hidden pixel peak identification, and data embedding. For purposes of clarity, this example consists of a single 4 × 4 block, with each pixel containing 3 bits of data. This is shown in Fig. 4, starting from the initial image in Fig. 4a. Here, there are two saturation pixels (i.e. 0 and 7) that need to be shifted, and two values within 1 bit of saturation (i.e. 1 and 6). These are marked with the shaded pixels in Fig. 4b. It can be seen that the values of ‘0’ and ‘7’have been shifted by one value to prevent any overflow. A location map is generated by this process, and this can be seen in Fig. 4c. Here, we see that the 4 shaded bits identified in Fig. 4b are marked with our location map marking technique, with shifted values denoted by a’0’and values within 1 bit denoted with a’1′. Please note that all other bits are not marked. Then a shifted image and a compact location map are generated. The next stage is to select two basic pixels to serve as peak values. As discussed, these can be fixed locations, or generated by a seed (passed to the receiver with the data hiding key). These pixels do not have data embedded in them and remain unchanged. The shaded pixels in Fig. 4d show our chosen pixels. Figure 4e shows the combined message X to be embedded, which is created from the concatenation of the additional data A and the location map H. To embed this message, we then have to perform BHM to shift values above and below the peak values. The result of this is shown in Fig. 4f, with the shaded regions showing changes from Fig. 4d, with blue shading showing where pixels are shifted down by one value, and yellow shading where pixels are shifted up by one value. Pixels shaded in pink show where the value either matches a peak, or is between the peak values, and so remain unchanged. Finally, data can then be embedded. 8 bits of data can be embedded into any

Fig. 4 A single block 3 bit example of a 4 × 4 image block, showing (a) original image, with saturated and near saturated pixels shaded (b) image after histogram contraction, (c) location map (H), (d) chosen basic pixels (shaded in green), (e) data to be embedded (A), and the combined 8 bits to be embedded, (f) BHM performed on values in the shaded regions, showing basic pixels (green), pixels shifted down by 1 (blue), shifted up by 1 (yellow), and unchanged pixels (pink) (g) data embedded into image, with green denoting where ‘1’ is embedded, and blue where ‘0’ is embedded

Multimed Tools Appl

peak values (excluding the basic pixels) in the image, remaining unchanged if a ‘0′ is embedded, and shifted by 1 if a ‘1′ is embedded. To embed the message stream specified in Fig. 4e, the shaded regions in Fig. 4g show where data has been embedded, with green shading showing where a ‘1′ has been embedded, and blue where a ‘0′ has been embedded, producing the final embedded image.

2.2.3 Data extraction & image recovery of BHM Given an image with data embedded as described in the previous section, this section describes the process of data extraction and image recovery. By this it is meant that the side information H and embedded message A can be extracted error free from the image using the information provided by the data hiding key kd = {u, v, sd}. n ouv−3 ei . Since we already know the location of the Considering the pixels e pi; j in block B j¼0

self-hidden peak pixel values according to the seed sd used to randomly select basic pixels and these pixels are left untouched, only the non-basic pixels are considered. Message bits x can be extracted from each block using Equation (11) and the non-basic pixels can be recovered according to Equation (12) . 8 e e < 0; ̅ p i; j ¼ g i;R p i; j ¼ gi;L or ̅ x¼ e e : 1; ̅ p i; j ¼ g i;L −1 or ̅ p i; j ¼ gi;R þ 1

ð11Þ

8 e e > > g i;L < ̅ p i; j < g i;R ̅ p ; > < i; j e e ̅ p i; j ¼ ̅ p i; j < gi;L p i; j þ 1; ̅ > > > e :e p i; j > g i;R ̅ p i; j − 1 ; ̅

ð12Þ

Essentially, this means that if the value of non-basic pixel is equal to either peak, then it is assumed that data is embedded, and therefore a ‘0’ is extracted. If the value is equal to either gi , L − 1 or gi , R + 1, then a ‘1’ is extracted. The first { |H| } extracted bits consist of the location map H, and the remaining |A| bits are therefore the additional data. This then returns Bi ={ bi , L, bi;R ; pi; j guv−3 j¼0 , with all data removed and histogram modification undone. Finally, the original image can be recovered by using the location map H to undo the histogram contraction process. Considering all pixels in block Bi together to be n 0 ouv−1 (as discussed in section 2.2.1) if a pixel is close to saturation (i.e. pi; j j¼0 l 0 pi; j ∈ 1; 2 −1−1 ), it should be modified using Equation (13) according to h, the first nonprocessed bit extracted from location map H. 8 0 0 > p þ 1; pi; j ¼ 2l −1−1 and ðh ¼ 0Þ > < i;0 j 0 pi; j ¼ 1 and ðh ¼ 0Þ pi; j ¼ pi; j − 1 ; > > : p0 ; otherwise i; j

ð13Þ

Multimed Tools Appl

Equation (13) identifies the final unmodified pixel values in block B, with data extracted and histogram contraction reversed. The original image can therefore be recovered error free.

2.3 RDH-EI based on BHM & MLE Based on the BHM and MLE approaches presented before, we introduce the proposed RDH-EI method. Based on our MLE approach, the content owner can firstly encrypt an image. A data hider can then embed data into the encrypted image using BHM. Finally, depending on the keys held by the data receiver, the content can be processed differently. The framework of our proposed method can be seen in Fig. 5. It can be seen in Fig. 5 that there are three main aspects of this approach, which can be divided into three main roles. Firstly, the content owner has the role of encrypting the original image using MLE, and generating the encrypted image. The content key kc can be used both in image encryption and image decryption. The data hider then embeds additional data into the encrypted image by making use of BHM and a data hiding key kd. Thus the marked-encrypted image is generated. Finally, one or both of the keys kc and kd can be sent to a legal receiver along with the markedencrypted image. Depending on the keys held by the receiver, either the additional embedded data A alone, an approximate version of the image I′, or both A and the recovered image I can be gotten.

Fig. 5 Overall framework of the proposed RDH-EI method

Multimed Tools Appl

2.3.1 Image encryption by content owner The role of the content owner is to encrypt the original image using the MLE approach defined in section 2.1. The original grayscale image I is divided into N non-overlapping blocks fBi gNi¼1 , and these are then scrambled using a permutation encryption based on Josephus traversing (as discussed in section 2.1.1). This is then followed by a finer stage of encryption, where each pixel within each block is also scrambled using the same approach. In addition to this, a stream cipher is used to encrypt the m most significant bits (MSB) of each pixel as described in more detail in section 2.1.2. This produces the fully encrypted image I ¼ fBi gNi¼1 . The content key κc = {u, v, js, jc, sr, m}, where, u and v are the dimensions of each block, js and jc are for the coarse and fine Josephus traversal or the seeds needed to generate them, and also sr is the seed value for the stream cipher.

2.3.2 Image embedding by data hider As can be seen in Fig. 5, the data hider receives image I, and can then embed additional data A into it. Firstly, the data hider extracts l LSB bits of each encrypted pixel to create a cover signal denoted as I l , where l = 8 − m (m MSB bits have been encrypted by stream cipher introduced in section 2.1.2). Then 0 histogram contraction (introduced in section 2.2.1) is employed on I l to generate the shifted image I l 0 and the location map vector H. In I l , there are no saturated pixels which are equal to 0 or 2l − 1. 0 Additional data A is then embedded into each block of I l using the proposed BHM. As discussed previously, this is a new approach developed by the authors, with two basic pixels in each block chosen to indicate peak values. Only the information needed to choose these basic pixels (either a random seed integer, or the location values) needs to be sent together with block size u , v and l via a data hiding key κd. As covered fully in section 2.2.2, the location map H and the additional data A is 0 0 concatenated to form a stream of message bits X, and this is embedded into I to create Ie . l

l

0 0 A marked encrypted image Ie can be generated by combining Ie l with the m MSB ofI.

2.3.3 Data extraction and image reconstruction by legal receiver 0 Finally, as shown in Fig. 5, there are a number of options for processing the image Ie by a legal receiver. If the receiver has the data hiding key kd , then the embedded data A can be extracted, but neither the original image I nor the approximate version I′ could be recovered. If the receiver has 0 only the content key k , then Ie can be decrypted without extracting the embedded data, to return

c

l

the approximate version I′. The content key can be used to reverse the Josephus permutation based multi-granular encryption, and the random seed used to generate the stream cipher bits can be used to reverse the MSB encryption. This process does not reveal any of the embedded data. Finally, if the receiver possesses both keys, then the original image I can be fully restored (hence the use of the term ‘reversible’ data hiding), and the embedded data can also be extracted.

3 Experiments and results To evaluate the performance of the proposed algorithms, different types of experiments are conducted in this section. We firstly show the performance of multi-level

Multimed Tools Appl

encryption based on stream cipher and Josephus traversing. Furthermore, the performance of the proposed RDH-EI is analyzed and compared with some classical methods such as 2011, Zhang[24] and et, al., 2012, Hong [6] and some state-of-theart methods such as and, Shu, 2015, Liao [11] and and, Qin, 2015, Zhang [17] using several commonly used test images and UCID datasets [18].

3.1 Performance of multi-level encryption Histogram distribution of cipher images plays an important role in the evaluation of image encryption. Figure 6 shows the histograms corresponding to the associated gray level pixel values before and after image encryption. The histograms of the original images are shown in the top row, the previous encryption approach [6, 11, 17, 36] in the middle row (Since the same image encryption scheme being adopted in these methods, the results are the same), and our new MLE approach in the bottom row. It can be seen that our encryption method has a very similar uniform appearance as the other approaches with regard to histogram distribution. In addition to histogram analysis, entropy analysis is another normally used metric to measure an image encryption algorithm and is also adopted here. The information entropy of nine standard grey images and the corresponding entropy of encrypted version with different parameter values are listed in Table 1, as well as the theoretical maximum entropy for eight bits signal, i.e., the upper bound. As well known, larger entropy often means better encryption. From Table 1 we can see that the entropy of cipher image increases and is approaching the maximum entropy with the rise of parameter m, where m means that the m MSB bit-planes are encrypted by stream cipher descripted in Section 2.1.2 after multi-level permutation addressed in Section 2.1.1

Fig. 6 The gray-level frequency histograms. The first row shows the frequency distributions of original images, and the second row shows the associated histograms of the cipher-image in Ref. [6, 11, 17, 36], which all use the same encryption method. The last row shows the corresponding results of our proposed MLE encryption method

Multimed Tools Appl Table 1 Entropy analysis of the proposed image encryption Images

Lena

Pepper

Sailboat

Tiffany

Man

Jet

Boat

Baboon

Splash

Original entropy

7.45

7.59

7.48

6.60

7.53

6.70

7.19

7.36

7.25

Cipher entropy (m = 2)

8.00

7.98

7.94

7.85

7.94

7.75

7.90

7.97

7.88

Cipher entropy (m = 3)

8.00

7.99

7.99

7.98

7.97

7.98

7.98

8.00

7.95

Cipher entropy (m = 4) Maximum entropy

8.00 8.00

8.00 8.00

8.00 8.00

8.00 8.00

7.99 8.00

8.00 8.00

7.98 8.00

8.00 8.00

7.99 8.00

3.2 Performance of the proposed RDH-EI method We demonstrate the performance of our RDH-EI approach in Fig. 7 with a number of standard images. The first and second rows show the original and the encrypted images (using MLE). The encrypted images with embedded data (using BHM) are shown in the third row. Finally, we can obtain the decrypted marked-images which are shown in the last row of Fig. 7. It can be seen that these look very similar to the original images if we decrypt the encrypted image directly with the content encryption key. If receivers have only the data hiding key κd they can

Fig. 7 The demonstration of our RDH-EI method with 4 sample images. From top to bottom rows: original images, encrypted images, encrypted images with embedded data, and directly decrypted images

Multimed Tools Appl

Fig. 8 The pure embedding payload with l = 5 and l = 6 of the proposed RDH-EI method performed on UCID

extract the embedded data from the encrypted image completely error free. Receivers with both keys can extract embedded data error free, and completely recover the original image. To evaluate RDH-EI, there are four commonly used key criteria: pure embedding payload, quality of the approximate image (directly decrypted image),error rate of the extracted bits and the reversibility of the original image. The payload is often measured with the number of embedded bits or bpp (bits per pixel). The image quality is often evaluated by peak signal to noise ratio (PSNR). As discussed in this paper, RDH-EI is an emerging technology. However, small payload is one of the limitations which keep it away from practical applications. Take Lena as an example, the maximum payload of RDH-EI proposed by [37] is 8596 bits, about 0.0328 bpp. In order to determine the embedding payload performance of the proposed algorithm, 1338 natural images from UCID datasets have been used in our experiments and the result is shown in Fig. 8. The mean pure payload of the UCID images is 0.13 bpp, with a peak value of 0.51 bpp. In addition, it can be seen in Fig. 8 that the pure payload varies depending on different cover images, and actually, most of the natural images have good performance. Table 2 Comparison of maximum pure payload and the corresponding approximate image quality (Lena)

Lena

Maximum pure payload Corresponding PSNR with error-free (bits) of I′ (dB)

Zhang [36]

1024

37.94

Hong et al. [6]

1764

37.94

Liao and Shu [11]

1764

37.94

Qin and Zhang [17] 1764

38.59

Proposed

50.96

19,736

Multimed Tools Appl

Table 3 Comparison of maximum pure payload and the corresponding approximate image quality (Man)

Man

Maximum pure payload Corresponding PSNR with error-free (bits) of I′ (dB)

Zhang [36]

625

Hong et al. [6]

1024

37.94

Liao and Shu [11] 625 Qin and Zhang [17] 1024

37.94 38.43

Proposed

50.95

37.94

8483

In order to further prove our proposed method, we compare the maximum pure payload and the corresponding approximate image quality in detail, and take a smooth image (Lena) and a textured image (Man) as examples. The results are shown in Tables 2, and 3. It can be clearly seen in these tables that both a higher pure payload and better image quality are achieved. In terms of the maximum pure payload with error-free extraction of Lena, 2011, Zhang achieved 1024 bits; this was improved to 1764 bits by et, al., 2012, Hong, and, Shu, 2015, Liao and and, Qin, 2015, Zhang while the proposed method achieves 19,736 bits. In terms of the corresponding approximate image quality, because we choose BHM to achieve RDH rather than flipping LSBs, which is adopted by the other four methods, the proposed method can improve the PSNR of the approximate image from about 38 dB to 50.9 dB. In addition, to compare the number of incorrectly extracted bits and the reversibility of the original images, we implement all of the methods on 1338 images from UCID and calculate the average error rate of extracted bits and the corresponding reversibility of the original images. The results are shown in Tables 4, and 5 and illustrated in Fig. 9. From Table 4 and Table 5 we can see that, for most methods the reversibility of the original images increases and the error rate decreases with the increase of block size. While the error rate of the proposed method is always 0, the average error rate of Zhang [36] is 26.33 %, and Hong et al. [6] 13.01 %, and, Shu, 2015, Liao 13.7 % when the block size is set to 4, and 2011, Zhang 1.58 %, Hong et al. [6] 1.25 %, and, Shu, 2015, Liao 0.76 % with block size 24. Accordingly, from Table 5 and Fig. 9, it’s also obvious that the reversibility of the proposed method is independent from block size and remains 100 %.

3.3 Computational complexity and comparison In the proposed method, the computing complexity of the proposed data embedding method is insignificant because Eq. (9) and Eq. (10) only needs a simple algebraic calculation. In terms Table 4 Comparison of the average error rate of extracted bits on UCID under the same block size (%) Error rate Block size

Zhang [36]

Hong et al. [6]

Liao and Shu [11]

Proposed

4

26.33

13.01

13.7

0

8

10.11

5.59

5.74

0

12 16

5.17 3.17

3.13 1.96

2.84 1.62

0 0

20

2.17

1.87

1.39

0

24

1.58

1.25

0.76

0

Multimed Tools Appl Table 5 Comparison of the reversibility of the original images on UCID under the same block size (%) Reversibility Block size

Zhang [36]

Hong et al. [6]

Liao and Shu [11]

Proposed

4

73.67

86.99

86.3

100

8

89.89

94.41

94.26

100

12

94.83

96.87

97.16

100

16

96.83

98.04

98.38

100

20

97.83

98.13

98.61

100

24

98.42

98.75

99.24

100

of encryption/decryption time, apart from stream cipher adopted by other reported techniques, permutation could be more time-consuming. The computational time of the proposed method and and, Shu, 2015, Liao are tested on a serve with 2.6 GHz CPU, 8 GB memory and windows 10. The type of system is 64 bits and the version of MATLAB is 2014b. We randomly selected 500 nature images from UCID to test the average embedding time of the proposed method and and, Shu, 2015, Liao with full payload. It is obvious in Fig. 10 that, the total computational time of and, Shu, 2015, Liao tremendously exceeds that of the proposed method and the opposite happens in terms of encryption/decryption time. That’s because, apart from stream cipher adopted by and, Shu, 2015, Liao, we added block permutation and pixel permutation in each block in the proposed image encryption method. Numerically, the mean stream cipher time of and, Shu, 2015, Liao is 0.107 s and the proposed method needs 1.352 s to encrypt an image by combining stream cipher and permutation. However, the total computational time of the proposed framework is 7.71 s while and, Shu, 2015, Liao needs about 159.22 s.

4 Conclusion This paper proposed and evaluated a new RDH-EI method. Firstly, the smaller location map and BHM using a self-hidden peak pixels technique contribute to reduce the quantity of side information and improve the pure payload. We then combine these techniques with the

Fig. 9 Line chart of the reversibility comparison on UCID with the same block size

Multimed Tools Appl Fig. 10 Computational Time of the proposed method and Liao and Shu [11]

proposed MLE scheme using Josephus traversal and stream cipher an integrated RDH-EI framework. The results demonstrate that the distortion of the decrypted images is smaller, lossless recovery was achieved in every evaluated case, and the payload is larger, which is better than other state-of-the-art research used for comparison. Like most of the RDH methods in cipher domain and plaintext domain introduced in Section 1, the proposed RDH-EI method is classified as a fragile data hiding method. That’s because the marked encrypted image cannot resist the geometric and signal processing attacks. In other words, the embedded data cannot be extracted exactly when the received image has been attacked. Consequently, as a kind of fragile data embedment, the proposed method is suitable for applications such as tamper detection or image owner authentication. Furthermore, during data embedding, additional data are embedded into all of the blocks on equal terms by using BHM. However, the payload of an image block often depends on the block-texture. In other words, RDH based on BHM performs better for smooth blocks. Hence, the performance can be further improved by considering blocktexture. This could be the next work.

Acknowledgment This research work is supported by National Science Foundation of China (61502009, 61525203, 61472235), China Postdoctoral Science Foundation (2016 M591650), BShu Guang^ project supported by Shanghai Municipal Education Commission and Shanghai Education Development Foundation, Natural Science Foundation of Anhui Province (CN) (1508085SQF216), Key Program for Excellent Young Talents in Colleges and Universities of Anhui Province (gxyqZD2016011), and the BSino-UK^ Higher Education Research Partnership for PhD studies^ joint-project (2013-2015) funded by the British Council China and the China Scholarship Council (CSC).

References 1. Cao X, Du L, Wei X, Meng D, Guo X (2015) High capacity reversible data hiding in encrypted images by patch-level sparse representation. IEEE Trans On Cybernetics. doi:10.1109/TCYB.2015.2423678 2. Chen B, Shu H, Coatrieux G, Chen SX, Coatrieux JL (2015) Color image analysis by quaternion-type moments. Journal of Mathematical Imaging and Vision 51(1):124–144 3. Erkin Z, Piva A, Katzenbeisser S, Lagendijk RL, Shokrollahi J, Neven G, Barni M (2007) Protection and retrieval of encrypted multimedia content: when cryptography meets signal processing. EURASIP J Inf Secur 2007:1–20 4. Gao X, An L, Yuan Y, Tao D, Li X (2011) Lossless data embedding using generalized statistical quantity histogram. IEEE Transactions on Circuits and Systems for Video Technology 21(8):1061–1070

Multimed Tools Appl 5. Hong W, Chen TS (2012) A novel data embedding method using adaptive pixel pair matching. IEEE Transactions on Information Forensics and Security 7(1):176–184 6. Hong W, Chen TS, Wu HY (2012) An improved reversible data hiding in encrypted images using side match. IEEE Signal Processing Letters 19(4):199–202 7. Hong W, Chen TS, Chen J et al (2013) Reversible data embedment for encrypted cartoon images using unbalanced bit flipping. In: Advances in swarm intelligence. Springer, Berlin, pp. 208–214 8. Hu Y, Lee HK, Li J (2009) DE-based reversible data hiding with improved overflow location map. IEEE Transactions on Circuits and Systems for Video Technology 19(2):250–260 9. Li J, Li X, Yang B, Sun X (2015a) Segmentation-based image copy-move forgery detection scheme. IEEE Transactions on Information Forensics and Security 10(3):507–518 10. Li X, Sun X, Liu Q (2015b) Image integrity authentication scheme based on fixed point theory [J]. IEEE Trans Image Process 24(2):632–645 11. Liao X, Shu C (2015) Reversible data hiding in encrypted images based on absolute mean difference of multiple neighboring pixels. J Vis Commun Image Represent 28:21–27 12. Ma K, Zhang W, Zhao X, Yu N, Li F (2013) Reversible data hiding in encrypted images by reserving room before encryption. IEEE Transactions on Information Forensics and Security 8(3):553–562 13. Ni Z, Shi YQ, Ansari N, Su W (2006) Reversible data hiding. IEEE Transactions on Circuits and Systems for Video Technology 16(3):354–362 14. Ou, B., Li, X., and Zhang, W. (2015) PVO-based reversible data hiding for encrypted images. Signal and Information Processing (ChinaSIP), 2015 I.E. China Summit and International Conference on IEEE. 831–835 15. Pandey R, Singh AK, Kumar B et al (2016) Iris based secure NROI multiple eye image watermarking for teleophthalmology[J]. Multimedia Tools and Applications:1–17. doi:10.1007/s11042-016-3536-6 16. Qian Z, Zhang X, Wang S (2014) Reversible data hiding in encrypted JPEG Bitstream. IEEE Trans on Multimedia 16(5):1486–1491 17. Qin C, Zhang X (2015) Effective reversible data hiding in encrypted image with privacy protection for image content. J Vis Commun Image Represent 31:154–164 18. Schaefer G, Stich M (2004) UCID-an uncompressed color image database. Proc. SPIE, Storage and Retrieval Methods and Applications for Multimedia:472–480 19. Shiu CW, Chen YC, Hong W (2015) Encrypted image-based reversible data hiding with public key cryptography from difference expansion. Signal Process Image Commun 39:226–233 20. Singh AK (2016a) Improved hybrid technique for robust and imperceptible multiple watermarking using medical images. Multimedia Tools and Applications: An International Journal, Springer. doi:10.1007/s11042- 016-3514-z 21. Singh AK (2016b) Improved hybrid algorithm for robust and imperceptible multiple watermarking using digital images [J]. Multimedia Tools and Applications:1–18. doi:10.1007/s11042-016-3514-z 22. Singh AK, Dave M, Mohan A (2014a) Wavelet based image watermarking: futuristic concepts in information security [J]. Proceedings of the National Academy of Sciences, India Section A: Physical Sciences 84(3):345–359 23. Singh AK, Dave M, Mohan A (2014b) Hybrid technique for robust and imperceptible image watermarking in DWT–DCT–SVD domain[J]. National Academy Science Letters 37(4):351–358 24. Singh AK, Dave M, Mohan A (2015a) Robust and secure multiple watermarking in wavelet domain [J]. Journal of Medical Imaging and Health Informatics 5(2):406–414 25. Singh AK, Kumar B, Dave M et al (2015b) Multiple watermarking on medical images using selective discrete wavelet transform coefficients [J]. Journal of Medical Imaging and Health Informatics 5(3):607–614 26. Singh AK, Kumar B, Dave M et al (2015c) Robust and imperceptible dual watermarking for telemedicine applications[J]. Wirel Pers Commun 80(4):1415–1433 27. Tian J (2003) Reversible data embedding using a difference expansion. IEEE Transactions on Circuits and Systems for Video Technology 13(8):890–896 28. Wang J, Lian S, Shi YQ (2015a) Hybrid multiplicative multi-watermarking in DWT domain [J]. Multidim Syst Sign Process 1-20. doi:10.1007/s11045-015-0363-2 29. Wang J, Lian S, Wang J (2015b) Hybrid additive multi-watermarking and decoding[J]. Multimedia Systems 21(4):345–361 30. Wu X, Sun W (2014) High-capacity reversible data hiding in encrypted images by prediction error. Signal Process 104:387–400 31. Xia Z, Wang X, Sun X, Wang B (2014) Steganalysis of least significant bit matching using multi-order differences. Security and Communication Networks 7(8):1283–1291 32. Xia Z, Wang X, Sun X, Liu Q, Xiong N (2016a) Steganalysis of LSB matching using differences between nonadjacent pixels. Multimedia Tools and Applications 75(4):1947–1962 33. Xia Z, Wang X, Sun X, Wang Q (2016b) A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data. IEEE Transactions on Parallel and Distributed Systems 27(2):340–352 34. Xiang D, Xiong Y (2005) Digital image scrambling based on josephus traversing. Computer Engineering and Applications 41(10):44–46

Multimed Tools Appl 35. Yin ZX, Luo B, Hong W (2014) Separable and error-free reversible data hiding in encrypted image with high payload. Sci World J. doi:10.1155/2014/604876 36. Zhang X (2011) Reversible data hiding in encrypted image. IEEE Signal Processing Letters 18(4):255–258 37. Zhang X (2012) Separable reversible data hiding in encrypted image. IEEE Transactions on Information Forensics and Security 7(2):826–832 38. Zhang X, Wang S (2006) Efficient steganographic embedding by exploiting modification direction. IEEE Commun Lett 10(11):781–783 39. Zhang W, Ma K, Yu N (2013) Reversibility improved data hiding in encrypted images. Signal Process 94:118–127

Zhaoxia Yin was born in China in 1983 and received her Ph.D. degree from Anhui University in 2014. She is an ACM member, associate chair of academic committee of CCF YOCSEF Hefei, and is currently working as a post-doctoral research fellow at the post-doctoral research station of Electronic Science and Technology in Shanghai University, and is also a lecturer in the Key Laboratory of Intelligent Computing & Signal Processing, Ministry of Education, Anhui University. Her primary research focus is on information hiding research, and she has published many SCI/EI indexed papers in journals, edited books and refereed conferences.

Andrew Abel received his B. Sc. and Ph.D. from Stirling University in Scotland, UK in 2007 and 2013 respectively, after conducting pioneering research into developing cognitive multimodal signal-image processing algorithms for enabling next-generation multi-modal hearing-aid and listening device technologies. His interdisciplinary research has led to research publications in leading journals and international Conferences. Since 2012, he has been employed as a postdoctoral RA and RF at Stirling University, working on the testing of novel MEMS/CMOS microphone technology, and more recently on the development of next generation hearing aid technology aimed at developing hearing aids that can Bsee^.

Multimed Tools Appl

Jin Tang was born in Anhui province of China in 1976. He received his BEng in Automation in 1999, and PhD in Computer Science in 2007 from Anhui University, Hefei, China. He has published some 100 papers in journals, edited books and refereed conferences. Some papers were published on the Pattern Recognition journal, CVPR, IJCAI, and AAAI conferences. He is at present a professor at Anhui University of China. His current research interests include image and graph matching, pattern recognition and computer vision.

Xinpeng Zhang received the B.S. degree in computational mathematics from Jilin University, China, in 1995, and the M.E. and Ph.D. degrees in communication and information system from Shanghai University, China, in 2001 and 2004, respectively. Since 2004, he has been with the faculty of the School of Communication and Information Engineering, Shanghai University, where he is currently a Professor. His research interests include information hiding, image processing and digital forensics. He has published over 200 papers in these areas.

Multimed Tools Appl

Bin Luo was born in Anhui province of China in 1963. He received his BEng. Degree in electronics and MEng. degree in computer science from Anhui university of China in 1984 and 1991, respectively. From 1996 to 1997, he worked as a British Council visiting scholar at the University of York under the Sino-British Friendship Scholarship Scheme (SBFSS). In 2002, he was awarded the Ph.D. degree in Computer Science from the University of York, the United Kingdom. He joined the University of York as a research associate from 2000 to 2004. He was a short term research fellow of British Telecom in 2006. He served as a visiting fellow of the University of New South Wales, Australia in 2008. He was a TCT Exchange Fellow at the Nanyang Technological University, Singapore. He has published some 200 papers in journals, edited books and refereed conferences. Some papers were published on the IEEE T-PAMI, Pattern Recognition journal, CVPR, IJCAI, and AAAI conferences. He is at present a professor at Anhui University of China. His current research interests include graph spectral analysis, image and graph matching, statistical pattern recognition.