Lossless Reversible Data Hiding in Encrypted Image for Multiple Data Hiders Based on Pixel Value Order and Secret Sharing

Abstract

Reversible data hiding in encrypted images (RDH-EI) is instrumental in image privacy protection and data embedding. However, conventional RDH-EI models, involving image providers, data hiders, and receivers, limit the number of data hiders to one, which restricts its applicability in scenarios requiring multiple data embedders. Therefore, the need for an RDH-EI accommodating multiple data hiders, especially for copyright protection, has become crucial. Addressing this, we introduce the application of Pixel Value Order (PVO) technology to encrypted reversible data hiding, combined with the secret image sharing (SIS) scheme. This creates a novel scheme, PVO, Chaotic System, Secret Sharing-based Reversible Data Hiding in Encrypted Image (PCSRDH-EI), which satisfies the $(k,n)$ threshold property. An image is partitioned into N shadow images, and reconstruction is feasible when at least k shadow images are available. This method enables separate data extraction and image decryption. Our scheme combines stream encryption, based on chaotic systems, with secret sharing, underpinned by the Chinese remainder theorem (CRT), ensuring secure secret sharing. Empirical tests show that PCSRDH-EI can reach a maximum embedding rate of 5.706 bpp, outperforming the state-of-the-art and demonstrating superior encryption effects.

1. Introduction

Reversible data hiding (RDH) has evolved into a compelling methodology, facilitating the embedding of confidential data within various forms of media. This spans sectors such as military, medical, national governance, and copyright-protected content [1]. Traditional RDH research, conducted in the realm of plaintext, primarily revolves around three data embedding techniques: histogram shifting [2], difference expansion [3], and lossless compression [4]. The overarching objective of these methodologies is to augment the embedding rate while enhancing the visual quality of the carrier images.

In summary, Reversible Data Hiding (RDH) technology is a robust tool for reversibly embedding confidential data without damaging the original carrier. Its applications are expansive, and it proves particularly beneficial in sensitive sectors where data security is imperative. However, for content-sensitive scenarios, it is necessary to employ encryption techniques to develop an Encrypted Domain Reversible Data Hiding (RDH-EI) method, suitable for information-sensitive situations. These encryption techniques secure image content by transforming the original image into an unintelligible version using an encryption key.

RDH in encrypted images (RDH-EI) is especially advantageous in sensitive fields where data security is paramount. Despite its limitation in multiple data hider scenarios, the inherent reversibility of RDH technology makes it an optimal choice for situations demanding zero tolerance for image loss. An encrypted domain RDH-EI method, suitable for content-sensitive scenarios, can be developed using encryption techniques.

The traditional RDH-EI model restricts the number of data providers and data hiders to a single entity, limiting its applicability in multiple data hider scenarios. However, the crucial feature of reversibility permits perfect reconstruction of the original carrier during covert data extraction. This attribute renders RDH technology an ideal choice for scenarios necessitating zero tolerance for image loss, such as satellite imagery in the military, government images in judicial determinations, and medical imaging in healthcare.

RDH-EI is a subset of Reversible Data Hiding in Encrypted Domain (RDH-ED) [5], effectively resolves the issue of embedding and extracting confidential data from encrypted images. In this technique, the encrypted image data serves as the carrier. The data can be embedded into the encrypted image without causing any pixel loss in the carrier image during extraction.

As shown in Figure 1, according to the differences in secret data embedding models, we divide RDH-EI into three categories.

(a)

Vacating Room After Encryption (VRAE). In the framework of VRAE, Puech et al. [6] first proposed the method of vacating room after AES encryption, in which additional data can only be extracted according to the local standard deviation of the image before decryption of the token image; subsequently, Zhang et al. [5] vacated space by flipping the three lowest significant bits after encryption based on stream ciphers, and secret data can only be extracted using the fluctuation function defined by the local characteristics of the image after decryption of the token image; in order to achieve the separability of the algorithm, Zhang et al. [7] first proposed a separable scheme by losslessly compressing the ciphertext image to generate redundancy, but its embedding capacity is low.

(b)

Vacating Room Before Encryption (VRBE). The VRBE mode is used to generate redundancy by using image correlation or other pre-processing operations before image encryption, and its implementation methods are mainly based on lossless compression [8], pixel prediction [9,10,11], and frequency domain transformation [12].

(c)

Vacating Room In Encryption (VRIE). (1) Homomorphic encryption-based VRIE. Zhang et al. [13] proposed the RDH-EI scheme based on VRIE by quantizing the encrypted domain after LWE encryption and using the redundancy generated by ciphertext expansion to embed secret data; Huang et al. [14] used prediction error to free up redundant space during stream cipher encryption to enhance the embedding capacity. In recent years, Chen et al. [15] proposed an algorithm based on Paillier public key encryption, which uses the homomorphic property to embed information in the ciphertext domain, and the decrypted plaintext still maintains the relevant properties of the embedded information, but there is partial pixel overflow after embedding the information; Wu et al. [16] improved the method of the literature [15] by solving the overflow problem, and the security of the homomorphic encryption algorithm relies on long keys, which increases the computational overhead and brings about severe data scaling. (2) Secret Sharing-based VRIE. Secret sharing techniques are widely applied in edge computing [17], data sharing [18], and outsourcing computing [19]. Thien and Lin [20] first proposed the concept of secret image sharing in 2002, which is based on the idea of secret sharing (SS) proposed by Shamir [21] in 1979. This technique can effectively solve the data extension problem of the RDH-EI algorithm based on homomorphic encryption, and Wu et al. [22] first proposed the RDH-ED algorithm based on secret sharing encryption, which splits the carrier image into multiple shadow images of the same size as the carrier image with secret sharing encryption, and then embeds the secret data into the shadow images by means of difference expansion and prediction error histogram translation. The problems of high encryption overhead and serious data expansion are effectively solved. As an important multi-party secure cryptosystem, this method uses a threshold function to address important data shares multiplied by different shares stored at different users. Chen et al. [23] further reduced the time complexity by embedding secret data into a pair of pixels using the additive homomorphism property of multiple secret sharing and combining the difference expansion. Ke et al. [24] proposed a separable RDH-ED based on the Chinese residue theorem separable RDH-ED, which achieves separability by combining two embedding methods. In 2022, Xiong et al. [25] proposed an RDH-EI scheme, which uses Asmuth-Bloom’s secret sharing scheme based on the CRT to divide the pixels into several secret share subgraphs, but the embedding efficiency (0.5 bpp) of this method still has room for optimization.

To solve the problems of low embedding efficiency, low embedding capacity, complex auxiliary information for embedding, and the limited number of embedding parties in RDH-EI, we propose a lossless RDH-EI method for multiple data hiders based on PVO and secret sharing. Compared with the existing RDH-EI based on secret sharing, we put forward a new method for the first time, which combines an Arnold cat map and a logistic equation [26] with a CRT-based secret sharing scheme and adds PVO technology, which improves the embedding rate and encryption efficiency while improving security. In addition, unlike other RDH-EI that requires auxiliary information and guiding images, the proposed method in this paper does not need to send guiding images. However, the data hider can automatically convert the shadow image into the guide image by using the data embedding key, which can significantly improve the embedding efficiency.

Main contributions of this paper. This paper describes the main contributions of a lossless RDH-EI (Reversible Data Hiding in Encrypted Images) method for multiple data hiders, based on PVO (Pixel Value Order) and secret sharing. The following are the key contributions of the proposed method:

Novel PCSRDH-EI Method: This paper introduces an innovative lossless RDH-EI method, which allows for multiple data hiders to embed data in encrypted images without any loss. This method is based on the PVO chaotic system and secret sharing, achieving a maximum embedding rate and surpassing existing methods, as well as significantly improving encryption efficiency and effect.

Enhanced Security with Combined Techniques: Combining stream encryption and secret sharing technology, this paper ensures a secure environment for data hiders to embed their data without fear of leaks. Additionally, the proposed scheme guarantees lossless data embedding and extraction, preserving the original image digital assets and enabling full recovery.

No Extra Guide Parameters Required: The proposed scheme does not require any extra guide parameters. By embedding/extracting the key, the data hider can transform the shadow image into an guide image that does not expose the original content information, thereby improving the usability of the scheme.

Organization of this paper. We divide our paper into five sections. Section 1 describes the research area and the existing schemes’ shortcomings and details the paper’s main contributions. Section 2 presents the specific details of the proposed scheme. In Section 3, we give a precise analysis and demonstration of our scheme. Section 4 presents the scheme’s effectiveness and a detailed comparison with the state-of-the-art encryption techniques. In Section 5, we give a summary and outlook of our work.

2. PCSRDH-EI Method

In this section, we provide a detailed description of our proposed method. As depicted in Figure 2, our model involves three key participants: an image owner, a minimum of three data hiders, and at least one receiver. The primary stages of our method encompass image encryption, shadow image creation, data embedding, data extraction, and carrier image recovery.

During the Image Encryption phase, the image owner divides the image into blocks and implements coarse-grained disruption encryption between these blocks. They further apply fine-grained encryption algorithms and the PVO algorithm within the blocks to enhance the security of the encrypted image.

In the Shadow Image Generation phase, the image owner partitions the encrypted image into numerous shadow images and distributes them to a predetermined number of data hiders. This measure ensures that no individual data hider can access the entire image, thereby augmenting the security of the scheme.

During the Data Embedding stage, each data hider employs the embedding secret key to produce the embedding guide map and embeds the confidential data within their respective shadow images. This procedure ensures the dispersion of the embedded data across multiple shadow images, which further bolsters the scheme’s security.

In the Embedded Data Extraction and Image Recovery phase, the receiver employs the secret extraction key to retrieve the embedded data from the shadow images. Upon amassing a minimum of ’k’ secret shares, the receiver can flawlessly recover the carrier image by integrating these shares with the encryption key.

2.1. Image Encryption

The image owner splits a carrier image of size $H\times W$ into non-overlapping sub-blocks of size $2\times 2$ and the number $\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$, where $\mathrm{H}$ is the height of the image and $\mathrm{W}$ is the width of the image. $i_{h,w}$ is the pixel value at location $(h,w)$, where $I_{h,w}\in [0,255],1\le h\le \mathrm{H},1\le \mathrm{w}\le \mathrm{W}$. Each block has a number in order, numbered in the range 1,2,...,$\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$. This section divides encryption into two main steps: coarse-grained and fine-grained. The encryption unit of coarse-grained encryption is a 2 × 2 non-overlapping sub-block, the encryption algorithm is Arnold’s cat map, and the target of fine-grained encryption is the four pixels inside the non-overlapping sub-block, which is implemented as Algorithm 1.

Algorithm 1 Image encryption.

Input: The original image $\mathrm{I}(H\times W)$, coarse-grained encryption key $K_c\leftarrow (p,q)$, fine-grained encryption key $K_f\leftarrow \left(\eta ,x_0,\forall \right)$.

Output: The encrypted image $I^{\prime }$

1. Initialize $h\leftarrow 0,w\leftarrow 0,s\leftarrow 0,t\leftarrow 0$

2. Use $K_c$ to encrypt the original image $\mathrm{I}$ by Equation (2) and obtain $I^{*}$

3. Use $K_f$ to generate the fine-grained encryption stream $\sigma$ by Equation (3)

4. while $h\le H$ do

5.       While $w\le W$ do

6.             $I_{h,w}^{\prime }=I_{h,w}^{*}+\left({\sigma }_{s,t}mod256\right)+256$

7.             $w\leftarrow w+1$

8.             $s=\lfloor h/2\rfloor$, $t=\lfloor w/2\rfloor$

9.       end while

10. $h\leftarrow h+1$

11. $s=\lfloor h/2\rfloor$, $t=\lfloor w/2\rfloor$

12. end while

13. Return $I^{\prime }$

Secret key definition. The implementation of encryption or decryption methods, as described in the work by [27], requires both the sender and the recipient of the image to possess a secret key $SK$. This unique key consists of two parts: a coarse-grained encryption key denoted as $K_c\leftarrow (p,q)$ and a fine-grained encryption key denoted as $K_f\leftarrow \left(\eta ,x_0,\forall \right)$. This secret key is generated from 65 hexadecimal digits (260 bits), ranging from P1 to P52, and used to compute the initial conditions and control parameters of the chaotic mapping using the expression indicated below:

$$\begin{array}{cc}\hfill K_{c1}& ={\left(P_1,P_2,\dots ,P_{13}\right)}_{10}\hfill \\ \hfill K_{c2}& ={\left(P_{14},P_{15},\dots ,P_{26}\right)}_{10}\hfill \\ \hfill K_{f1}& =\frac{{\left(P_{27},P_{38},\dots ,P_{39}\right)}_{10}}{2^{52}+1}\times {10}^{-8}\hfill \\ \hfill K_{f2}& =\frac{{\left(P_{40},P_{41},\dots ,P_{52}\right)}_{10}}{2^{52}+1}\hfill \\ \hfill K_{f3}& ={\left(P_{53},P_{54},\dots ,P_{65}\right)}_{10}\hfill \end{array}$$

(1)

In which $K_{c1}$, $K_{c2}$, $K_{f3}$ belong to $(0,2^{52})$, and $K_{f1}$, $K_{f2}$ belong to $(0,1)$.

Coarse-grained encryption. Before the image owner splits the image into shadow images, the image needs to be scrambled to ensure its security. Since the fine-grained encryption only needs to satisfy the randomness to generate the scrambling table, and the test sets used in this paper are square matrix, i.e., $H=W$, this paper uses a two-dimensional Arnold’s cat map to generate the scrambling table. For the case of $H\ne W$, other similar random number sorting algorithms can be used to generate the scrambling table, which this paper will not discuss. The image owner uses the coarse-grained encryption key $K_c\leftarrow (p,q)$ as the secret seed key and performs

$$\left[\begin{array}{c}{x}_{n+1}\hfill \\ y_{n+1}\hfill \end{array}\right]\leftarrow \left[\begin{array}{cc}1\hfill & p\hfill \\ q\hfill & pq+1\hfill \end{array}\right]\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]modN$$

(2)

where $\left(x_n,y_n\right)$ is the position coordinates of the image block in the original image, $\left(x_{n+1},y_{n+1}\right)$ is the transformed position, $mod$ is the modulus operation, and N is the size of the image; the image must be square. Otherwise, it does not have the condition of the Arnold transform, for rectangular images can also be converted into a square way for topological reasoning. Each coordinate has a unique new coordinate corresponding to it after permutation, which means that each image block has a unique position to mark the position after permutation, and the image encryption procedure is formulated by

$1\le t\le \lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$, which is the t-th encrypted image block. I is the carrier image and $I^{*}$ is the coarse-grained encrypted image.

Fine-grained encryption. In the proposed scheme, there is no restriction on the specific scrambling method, and we take the enlarged 1D logical mapping as an example. 1D logical mapping only needs to save the seed key, the enlargement factor, and the length of the generated 1D stream, which significantly saves the storage space and the efficiency of crucial transmission. The image owner uses the fine-grained encryption key $K_f\leftarrow \left(\eta ,x_0,\forall \right)$ to generate a random stream by

$$x_{r+1}=\eta x_r\left(1-x_r\right)$$

(3)

Furthermore, the generated sequence $x=\left(x_1,x_2,\cdots x_{\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil }\right)$ is enlarged by a factor of ∀ and rounded down, to obtain the size $\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$, and perform the following encryption operation:

$$I_{h,w}^{\prime }=I_{h,w}^{*}+\left({\sigma }_{s,t}mod256\right)+256$$

(4)

where $I_{h,w}^{\prime }$ is the result of the image owner’s encryption using the key $K_f$, where i and j denote rows and columns, respectively, where $h=1,2,\dots ,\mathrm{H},w=1,2,\dots ,W$. $I_{h,w}$ and $I_{h,w}^{\prime }$ are the ciphertext and plaintext at $(h,w)$, respectively.

Moreover, $T_{f_{s,t}}$ is the key corresponding to the $(s,t)$ th image block in $T_f$, where $s=[h/2],t=$$\lceil w/2\rceil$, at the block level, the image owner uses fine-grained encryption by

$$I^{\prime }\left(I^{\prime \left(1\right)},I^{\prime \left(2\right)},\cdots ,I^{\prime (\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil )}\right)=En{c}_{\mathrm{fine}}\left(I^{*},K_f\right)$$

(5)

where $I^{*}$ is the block-level data after coarse-grained encryption, $I^{\prime }$ is the block-level data after coarse-grained encryption, and $1\le t\le \lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$ is the t-th encrypted image block.

2.2. Shadow Image Generation

Since the encryption algorithm in this paper employs a permutation algorithm between blocks, there is no scrambling algorithm for pixels between blocks. The RDH algorithm based on histogram shifting (HS) can meet the user’s needs. When the data hider receives the encrypted share, the secure multi-party embedding is performed under the guidance of the dealer. The data distributor can collect encrypted secret data and initiate the embedding phase in a practical application with multiple users and messages. By involving data distributors, communication between multiple data hiders can be avoided. Data hiding based on histogram embedding can be performed on encrypted domains, achieving the high visual quality of the tagged images. Watermark embedding is divided into three main steps. Algorithm 2 demonstrates the detailed algorithmic process in the form of pseudo-code.

Algorithm 2 Shadow image generation.

Input: The encrypted image $I^{\prime }$, share generation key $K_g=(\vartheta ,Mb)$, number of shadow images n

Output: The shadow images $\tau$, position correspondence table $\varpi$

1. Initialize $h\leftarrow 0,w\leftarrow 0$

2. while $h\le H/2$ do

3.       While $w\le W/2$ do

4.             ${\delta }_1\leftarrow x[h,w]$, ${\delta }_2\leftarrow x[h+1,w]$, ${\delta }_3\leftarrow x[h,w+1]$, ${\delta }_4\leftarrow x[h+1,w+1]$

5.             Record the original position $[{\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4]$ in $\varpi [h,w]$

6.             Sort $x[h,w]$ by Equation (6) to get $\{{\delta }_1^{\prime },{\delta }_2^{\prime },{\delta }_3^{\prime },{\delta }_4^{\prime }\}$ and $x^{\prime }[h,w]$

7.             Computes $d_{max}={\delta }_4^{\prime }-{\delta }_3^{\prime }$, $d_{min}={\delta }_1^{\prime }-{\delta }_2^{\prime }$

8.             $w\leftarrow w+1$, $t=\lceil w/2\rceil$

9.      end while

10. $h\leftarrow h+1$, $s=\lceil h/2\rceil$

11. end while

12, while $h\le H$ do

13.       While $w\le W$ do

14.             While $i\le n$ do

15.                   ${\tau }_i(h,w)=\vartheta \left(x(h,w)\right)modM{b}^{\left(i\right)}$

16.                   $i\leftarrow i+1$

17.             end while

18.             $w\leftarrow w+1$

19.      end while

20.      $h\leftarrow h+1$

21. end while

22. Return $\tau$

2.2.1. Pixel Value Order

Intra-block ascending mapping. For a block of $2\times 2$ pixels $\delta =({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4)$, the image owner computes the new block of pixels utilizing an ascending ordering algorithm:

$$\left({\delta }_1^{\prime },{\delta }_2^{\prime },{\delta }_3^{\prime },{\delta }_4^{\prime }\right)\leftarrow PVO\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$$

(6)

where the set $\left({\delta }_1^{\prime },{\delta }_2^{\prime },{\delta }_3^{\prime },{\delta }_4^{\prime }\right)$ to the set $\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$ is a full projection and satisfies

$${\delta }_1^{\prime }\le {\delta }_2^{\prime }\le {\delta }_3^{\prime }\le {\delta }_4^{\prime }$$

(7)

Therefore, the two largest values ${\delta }_4^{\prime }$ and ${\delta }_3^{\prime }$ can predict the value of the other with the value of one, and ${\delta }_1$ and ${\delta }_2^{\prime }$ can also predict the value of the other with the value of one, and their prediction differences are

$$\left\{\begin{array}{c}{d}_{max}={\delta }_4^{\prime }-{\delta }_3^{\prime }\hfill \\ d_{min}={\delta }_1^{\prime }-{\delta }_2^{\prime }\hfill \end{array}\right.$$

(8)

$d_{\max }$ and $d_{min}$ are the maximum and minimum prediction errors in the image chunks, respectively. For the result of $I^{\prime }$ after the fine-grained encryption of the image, and after repeating the same PosCon-operation, we can obtain $d_{\max }$ and $d_{min}$ for all chunks of the whole image, and calculate the histograms of the maximum prediction error and minimum prediction error accordingly.

In addition, the image owner uses 00,01,10,11 to denote the original pixel positions (1,2,3,4) matched by the scrambled pixels, respectively, and saves the original position correspondence table $\varpi$ corresponding to the scrambled image pixels.

2.2.2. Key Generation

Shadow recovery key generation. For the secret sharing scheme with a $\left(k,n\right)$ threshold, we choose a set of modules $Mb=\left\{{Mb}^{\left(1\right)},{Mb}^{\left(2\right)},\cdots ,{Mb}^{\left(n\right)}\right\}$, where the elements in Mb satisfy $\left\{128<{Mb}^{\left(1\right)}<{Mb}^{\left(2\right)}<\cdots <{Mb}^{\left(n\right)}\le 251<Mp\right\}$, satisfying the following conditions:

$$gcd\left(M{b}^{\left(i\right)},M{b}^{\left(j\right)}\right)=1,i\ne j$$

(9)

$$gcd\left(M{b}^{\left(j\right)},Mp\right)=1,i=1,2,\dots ,n$$

(10)

$$Mp=\prod _{i=1}^{k}M{b}^{\left(i\right)}$$

(11)

In addition, we set the secret key $\vartheta$ to satisfy the following relation:

$$\vartheta \in {\mathbb{Z}}_{\left({\prod }_{i=1}^{k}M{b}^{\left(i\right)}\right)\left(2^8-1\right)}$$

(12)

$$gcd\left(M{b}^{\left(i\right)},\vartheta \right)=1,i=1,2,\dots ,n$$

(13)

Then, the shadow image is generated by $K_g\leftarrow (\vartheta ,Mb)$.

Embedding key generation. The randomly chosen integer $\vartheta$ is the secret key, and using the equivalence property of congruence since $\vartheta$ is the amplification parameter, the following two calculations have equivalence conditions under $modb$:

$$x\vartheta modb\iff x(\vartheta modb)modb$$

(14)

Therefore, firstly, $\vartheta$ is converted into the residue form of $a_i=\vartheta mod{Mb}_i$, and the secret parameter $\vartheta$ can be guaranteed not to be revealed without exposing a certain number of ${Mb}_i$. The generated key is $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta ,\chi ),\Delta$ is the threshold parameter which determines the embedding payload, pixels exceeding the threshold $\Delta$ are panned, and those within the threshold $\Delta$ are embedded. The size of $\Delta$ will affect the visual quality of the labeled image. For example, when increasing, the embedding payload will increase, but the visual quality will decrease.

2.2.3. Shadow Image Generation

Unlike the scheme proposed by Xiong et al. [25] which only adds large random numbers (only addition), the secret sharing scheme used in this paper uses the method of adding perturbations first and then scaling up (a combination of addition and multiplication) to improve security. For a single pixel value, $x(h,w),h=1,2,\dots ,H,w=1,2,\dots ,W$, an image of size $H\times W$, and the encryption key $K_g=(\vartheta ,Mb)$, let us calculate

$$\begin{array}{c}\vartheta \left(x(h,w)\right)={\tau }_1(h,w)modM{b}^{\left(1\right)}\\ \vartheta \left(x(h,w)\right)={\tau }_2(h,w)modM{b}^{\left(2\right)}\\ \dots \\ \vartheta \left(x(h,w)\right)={\tau }_n(h,w)modM{b}^{\left(n\right)}\end{array}$$

(15)

where ${\tau }_1\left(h,w\right){\tau }_2\left(h,w\right),\dots ,{\tau }_n(h,w)$ represent the secret shares split by the pixel values at position (h,w) in the image, and the n secret shadow images after splitting $({\tau }^{\left(1\right)},{\tau }^{\left(2\right)},\cdots ,{\tau }^{\left(n\right)})$ are sent to the corresponding data embedders ${DH}^{\left(i\right)}$ for $i=1,2,\dots ,n$.

2.3. Data Embedding

Since the same noise is added to each image sub-block during fine-grained encryption, the differences between pixels do not change, which means that additional information can be embedded in the DH embedding data using homomorphic embedding. A module homomorphic embedding approach is adopted in this paper, in which any shadow image after image segmentation is used as a carrier. The additive homomorphic property of secret sharing is taken advantage of so that the data hider can embed all extra data into the shadow image independently. This algorithm can extract the extra data rapidly from the newly generated shadow image. It is convenient for multiple users to tag, manage, and retrieve secret texts independently too improve the embedding efficiency, i.e., to embed as much data as possible with fewer modifications. Importantly, each data hider owns an independent shadow image and can produce the embedding instruction and data embedding images independently. Consequently, the embedding capacity scales linearly with the number of data hiders, such that the overall capacity is obtained by multiplying the capacity of a single image by the number of hiders involved. Algorithm 3 demonstrates the detailed algorithmic process in the form of pseudo-code.

Algorithm 3 Distributed data embedding.

Input: The secret share of the i-th embedding party ${\tau }_i$, data embedding key $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta ,\chi )$, data to be embedded $c_i\leftarrow \{c_{i_0},c_{i_1}\}$.

Output: The i-th embedded shadow image ${\mathbb{S}}_i$

1. Initialize $h\leftarrow 0,w\leftarrow 0$

2, while $h\le H/2$ do

3.       While $w\le W/2$ do

4.             ${\delta }_1\leftarrow {\tau }_i^{\prime }[2h,2w]$, ${\delta }_2\leftarrow {\tau }_i^{\prime }[2h+1,2w]$

5.             ${\delta }_3\leftarrow {\tau }_i^{\prime }[2h,2w+1]$, ${\delta }_4\leftarrow {\tau }_i^{\prime }[2h+1,2w+1]$

6.             ${\dot{\delta }}_j={\delta }_j{a}^{\left(i\right)}modM{b}^{\left(i\right)},\mathrm{j}=1,2,3,4$

7.             Compute $d_{max}[h,w]$, $d_{min}[h,w]$ by Equations (17) and (18)

8.             Embed $c_{i_1}[h,w]$ into ${\delta }_4^{\prime }$ by Equation (19) and $c_{i_0}[h,w]$ into ${\delta }_1^{\prime }$ by Equation (20)

9.             ${\mathbb{S}}_i[2h,2w]\leftarrow {\delta }_1^{\prime }$, ${\mathbb{S}}_i[2h+1,2w]\leftarrow {\delta }_2$

10.             ${\mathbb{S}}_i[2h,2w+1]\leftarrow {\delta }_3$, ${\mathbb{S}}_i[2h+1,2w+1]\leftarrow {\delta }_4^{\prime }$

11.             $w\leftarrow w+1$

12.      end while

13. $h\leftarrow h+1$

14. end while

15. Return ${\mathbb{S}}_i$

Upon receiving the image to be embedded ${\tau }^{\left(i\right)}$, ${DH}^{\left(i\right)}$ divides it into non-overlapping $2\times 2$ sub-blocks. We denote the block at position $(h,w)$ as $\{{\delta }_1[h,w],{\delta }_2[h,w],{\delta }_3[h,w],{\delta }_4[h,w]\}$ (for ease of writing, we abbreviate it as $\{{\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\}$) and embed $c_i[h,w]\leftarrow \{c_{i_0},c_{i_1}\}$). Specifically, $c_{i_0}[h,w]$ is embedded into ${\delta }_1$ while $c_{i_1}[h,w]$ is embedded into ${\delta }_4$. To obtain a difference histogram that encodes the image difference information, we employ the secret extraction key $K_a$ as follows:

$${\dot{\delta }}_j={\delta }_j{a}^{\left(i\right)}modM{b}^{\left(i\right)},\mathrm{j}=1,2,3,4$$

(16)

Prediction error recovery. For a single $2\times 2$ pixel block, the four elements within the block perform sum and mode operations using the same cryptographic secret key. This means that the difference between any two pixels within the block should satisfy the ascending ordering, and thus the true prediction error is recovered in the following manner:

$$d_{max}[h,w]=\left\{\begin{array}{c}{\dot{\delta }}_4-{\dot{\delta }}_3,if:{\dot{\delta }}_4-{\dot{\delta }}_3\ge 0\\ {\dot{\delta }}_4-{\dot{\delta }}_3+M{b}^{\left(i\right)},if:{\dot{\delta }}_4-{\dot{\delta }}_3<0\end{array}\right.$$

(17)

$$d_{min}[h,w]=\left\{\begin{array}{c}{\dot{\delta }}_1-{\dot{\delta }}_2,if:{\dot{\delta }}_1-{\dot{\delta }}_2\le 0\\ {\dot{\delta }}_1-{\dot{\delta }}_2-M{b}^{\left(i\right)},if:{\dot{\delta }}_1-{\dot{\delta }}_2>0\end{array}\right.$$

(18)

The difference histograms are mainly concentrated around the value of 0, and the prediction error statistics of ciphertext images are the same as those of plaintext images, so the prediction error statistics of ciphertext images retain the statistical characteristics of plaintext. The prediction error histogram of a raw image is generally Laplacian, so we can use the histogram shifting technique to hide the data in the ciphertext image.

Histogram embedding. We perform the translation embedding in two prediction error histograms of the ciphertext image. It is worth noting that, in addition to the 0 value, several histograms of its nearby values are also high, so we utilize multiple histogram embeddings to increase the embedding capacity. In addition, due to the unique nature of module homomorphic secret sharing in this paper, the selected module bases are less than 252. Therefore, the data overflow before secret sharing will not affect the embedding flags and results after secret sharing in the all-position embeddable histogram translation embedding method.The image owner can use an additional auxiliary information table to cooperate with data embedding and extraction. Therefore, the histogram panning embedding method based on secret sharing can effectively solve the problem of possible overflow and underflow during the data panning process.

We set the storage threshold at $\Delta$, pixels exceeding the threshold $\Delta$ are shifted, those within the threshold $\Delta$ are embedded, and according to the prediction error $d_{\max }$, the data $c_1$ are embedded by shifting the maximum value ${\delta }_4$, the maximum value of possible embedding is $\chi$, and the data embedding algorithm $\mathrm{embed}\left(\tau \right)$ is executed, so the data embedding is performed by

$${\delta }_4^{\prime }\leftarrow \left\{\begin{array}{cc}{\delta }_4+c_1[h,w]\Delta \hfill & \mathrm{if}0\le d_{\max }[h,w]\le \Delta \hfill \\ {\delta }_4+\chi \Delta \hfill & \mathrm{else}\hfill \end{array}\right.$$

(19)

According to the equation prediction error $d_{\min }$, embedding the data $c_0$ by shifting the minimum ${\delta }_1$, the data embedding is performed by

$${\delta }_1^{\prime }\leftarrow \left\{\begin{array}{cc}{\delta }_1-c_0[h,w]\Delta \hfill & \mathrm{if}-\Delta \le d_{min}^{\left(i\right)}\le 0\hfill \\ {\delta }_1-\chi \Delta \hfill & \mathrm{else}\hfill \end{array}\right.$$

(20)

The embedding algorithm is executed on all image blocks of the image to obtain the labeled image ${\mathbb{S}}^{\left(i\right)}=\mathrm{embed}\left({\tau }^{\left(i\right)}\right)$, and send it to the corresponding ${\mathrm{receiver}}^{\left(i\right)},i=1,2,\cdots n$.

2.4. Data Extraction

When the secret data are embedded into the encrypted shadow share, the receiver can collect the tagged encrypted shadow images from different data hiders. Upon receiving the extraction secret key $K_a^{\left(i\right)}$ that corresponds to the ${Share}^{\left(i\right)}$ of the i-th shadow image, the i-th receiver can recover the embedded data individually. At position $(h,w)$ of ${\mathbb{S}}^{\left(i\right)}$, the block is denoted as $\{{\delta }_1[h,w],{\delta }_2[h,w],{\delta }_3[h,w],{\delta }_4[h,w]\}$ (for ease of writing, we abbreviate it as $\{{\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\}$). We extract $w[h,w]\leftarrow \{c_0^{\prime }[h,w],c_1^{\prime }[h,w]\}$, wherein $c_0^{\prime }[h,w]$ is extracted into ${\delta }_1$, and $c_1^{\prime }[h,w]$ is extracted into ${\delta }_4$. Moreover, we can obtain $d_{max}[h,w]$ and $d_{min}[h,w]$ using the same method as in Equations (16)–(18).

Iterating through all the storage blocks of the block, we obtain the computational prediction error $d_{max}[h,w]$ and $d_{min}[h,w]$. From the nature of the $2\times 2$ pixel-based block, it is known that there are two positions within the block where the data can be embedded, and the possible embedded data are ${\tilde{w}}_0$ by Equation (21) and ${\tilde{w}}_1$ by Equation (22).

$${\tilde{w}}_0[h,w]=\left\{\begin{array}{cc}⌊d_{max}^{\left(i\right)}(h,w)/\Delta ⌋\hfill & \mathrm{if}\Delta <d_{max}^{\left(i\right)}(h,w)\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta \ne 0\hfill \\ \left(d_{max}^{\left(i\right)}(h,w)/\Delta \right)-1\hfill & \mathrm{if}\Delta <d_{max}^{\left(i\right)}(h,w)\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta =0\hfill \\ 0\hfill & \mathrm{if}0<d_{max}^{\left(i\right)}(h,w)\le \Delta \hfill \\ NULL\hfill & \mathrm{if}\chi \Delta <d_{max}^{\left(i\right)}(h,w)\hfill \end{array}\right.$$

(21)

$${\tilde{w}}_1[h,w]=\left\{\begin{array}{cc}⌊|d_{min}^{\left(i\right)}(h,w)/\Delta |⌋\hfill & \mathrm{if}\Delta <\left|d_{min}^{\left(i\right)}(h,w)\right|\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta \ne 0\hfill \\ \left|d_{min}^{\left(i\right)}(h,w)/\Delta \right|-1\hfill & \mathrm{if}\Delta <\left|d_{min}^{\left(i\right)}(h,w)\right|\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta =0\hfill \\ 0\hfill & \mathrm{if}0<\left|d_{min}^{\left(i\right)}(h,w)\right|\le \Delta \hfill \\ NULL\hfill & \mathrm{if}\chi \Delta <\left|d_{min}^{\left(i\right)}(h,w)\right|\hfill \end{array}\right.$$

(22)

Iterate over all blocks and recover all embedded data. Algorithm 4 demonstrates the detailed algorithmic process in the form of pseudo-code.

Algorithm 4 Data extraction.

Input: The i-th embedded shadow image ${\mathbb{S}}_i$, data extraction key $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta ,\chi )$.

Output: The extracted data $c^{\prime }$

1. Initialize $h\leftarrow 0,w\leftarrow 0$

2, while $h\le H/2$ do

3.       While $w\le W/2$ do

4.             ${\delta }_1\leftarrow {\mathbb{S}}_i^{\prime }[2h,2w]$, ${\delta }_2\leftarrow {\mathbb{S}}_i^{\prime }[2h+1,2w]$

5.             ${\delta }_3\leftarrow {\mathbb{S}}_i^{\prime }[2h,2w+1]$, ${\delta }_4\leftarrow {\mathbb{S}}_i^{\prime }[2h+1,2w+1]$

6.             ${\dot{\delta }}_j={\delta }_j{a}^{\left(i\right)}modM{b}^{\left(i\right)},\mathrm{j}=1,2,3,4$

7.             Compute $d_{max}[h,w]$, $d_{min}[h,w]$ by Equations (17) and (18)

8.             Extract $c_1^{\prime }[h,w]$ from ${\delta }_4^{\prime }$ by Equation (21)

9.             Extract $c_0^{\prime }[h,w]$ from ${\delta }_1^{\prime }$ by Equation (22)

10.             $w\leftarrow w+1$

11.      end while

12. $h\leftarrow h+1$

13. end while

14. Return $c^{\prime }$

2.5. Image Recovery

Algorithm 5 demonstrates the detailed algorithmic process of image recovery in the form of pseudo-code. After receiving the secret shares of $\mathit{k}$, the image owner first uses the inverse theorem based on the residual theorem of the Chinese Remainder to obtain the fine-grained encrypted digital image data. For the share of the hth row and wth column of the image ${\mathbb{S}}_1\left(h,w\right),{\mathbb{S}}_2\left(h,w\right),\dots ,{\mathbb{S}}_k\left(h,w\right)$, ${\mathbb{S}}_4^{\left(i\right)}(h,w)$ and ${\dot{\mathbb{S}}}_1^{\left(i\right)}(h,w)$ can be recovered by

$${\dot{\mathbb{S}}}_4^{\left(i\right)}(h,w)=\left\{\begin{array}{cc}{\mathbb{S}}_4^{\left(i\right)}(h,w)-⌊d_{max}^{\left(i\right)}(h,w)/\Delta ⌋\Delta modM{b}_i& \mathrm{if}{\tilde{w}}_0=⌊d_{max}^{\left(i\right)}(h,w)/\Delta ⌋\\ {\mathbb{S}}_4^{\left(i\right)}(h,w)-d_{max}^{\left(i\right)}(h,w)+\Delta modM{b}_i& \mathrm{if}{\tilde{w}}_0=\left(d_{max}^{\left(i\right)}(h,w)/\Delta \right)-1\\ {\mathbb{S}}_4^{\left(i\right)}(h,w)modM{b}_i& \mathrm{if}{\tilde{w}}_0=0\\ {\mathbb{S}}_4^{\left(i\right)}(h,w)-\Delta \chi modM{b}_i& \mathrm{if}{\tilde{w}}_0=NULL\end{array}\right.$$

(23)

$${\dot{\mathbb{S}}}_1^{\left(i\right)}(h,w)=\left\{\begin{array}{cc}{\mathbb{S}}_1^{\left(i\right)}(h,w)+⌊|d_{min}^{\left(i\right)}(h,w)/\Delta |⌋\Delta modM{b}_i& \mathrm{if}{\tilde{w}}_1=⌊|d_{min}^{\left(i\right)}(h,w)/\Delta |⌋\\ {\mathbb{S}}_1^{\left(i\right)}(h,w)-d_{min}^{\left(i\right)}(h,w)-\Delta & \mathrm{if}{\tilde{w}}_1=\left|d_{min}^{\left(i\right)}(h,w)/\Delta \right|-1\\ {\mathbb{S}}_1^{\left(i\right)}(h,w)modM{b}_i& \mathrm{if}{\tilde{w}}_1=0\\ {\mathbb{S}}_1^{\left(i\right)}(h,w)+\Delta \chi modM{b}_i& \mathrm{if}{\tilde{w}}_1=\mathrm{NULL}\end{array}\right.$$

(24)

The secret can be recovered by executing the following secret recovery algorithm:

$$\begin{array}{c}\tilde{I}(h,w)={\displaystyle \sum _{i=1}^k}{M}_i{\mathbb{S}}_{\mathrm{i}}(h,w)M_i^{-1}modMp\\ M_i=Mp/M{b}_i\\ M_i{M}_i^{-1}=1modMp\end{array}$$

(25)

Algorithm 5 Image recovery.

Input: The i-th embedded shadow image ${\mathbb{S}}_i$, data extraction key $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta ,\chi )$, decryption key $K_c$ and $K_f$, position correspondence table $\varpi$.

Output: Recovered image

1. Initialize $h\leftarrow 0,w\leftarrow 0$

2, while $h\le H/2$ do

3.       While $w\le W/2$ do

4.             ${\delta }_1\leftarrow {\mathbb{S}}_i^{\prime }[2h,2w]$, ${\delta }_2\leftarrow {\mathbb{S}}_i^{\prime }[2h+1,2w]$

5.             ${\delta }_3\leftarrow {\mathbb{S}}_i^{\prime }[2h,2w+1]$, ${\delta }_4\leftarrow {\mathbb{S}}_i^{\prime }[2h+1,2w+1]$

6.             ${\dot{\delta }}_j={\delta }_j{a}^{\left(i\right)}modM{b}^{\left(i\right)},\mathrm{j}=1,2,3,4$

7.             Compute $d_{max}[h,w]$, $d_{min}[h,w]$ by Equations (17) and (18)

8.             Recover ${\dot{\mathbb{S}}}_4^{\left(i\right)}[h,w]$ by Equation (23) and ${\dot{\mathbb{S}}}_1^{\left(i\right)}[h,w]$ by Equation (24)

9.             Recover $\dot{\mathbb{S}}[h,w]$ by Equation (25)

10.             $w\leftarrow w+1$

11.      end while

12. $h\leftarrow h+1$

13. end while

14. Recovery I by Equation (26)–(28)

15. Return I

After recovering the secret sub share, a fine-grained decryption algorithm is executed, and it is decrypted by

$$I^{*}(h,w)=\tilde{I}(h,w)-256-\left(T_{f_{s,t}}mod256\right)$$

(26)

where $\tilde{I}(h,w)$ is the decryption result obtained by the image owner using the secret recovery algorithm, $I_{i,j}$ and $I_{i,j}^{\prime }$ are the $(h,w)$ ciphertext and plaintext, respectively. $T_{f_{s,t}}$ is the key corresponding to the $(s,t)$ image block in $T_f$, where $s=\lceil h/2\rceil ,t=\lceil w/2\rceil$. After finishing the coarse-grained decryption, the IO executes the coarse-grained decryption algorithm using the key $K_c$ and finishes the decryption to obtain the lossless carrier image I:

$$\left[\begin{array}{c}{x}_{n+1}\hfill \\ y_{n+1}\hfill \end{array}\right]=\left[\begin{array}{cc}pq+1\hfill & \hfill -p\\ -q\hfill & \hfill 1\end{array}\right]\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]modN$$

(27)

$$I\left(I^{\left(1\right)},I^{\left(2\right)},\cdots ,I^{\left(\right[H/2\times W/2\left]\right)}\right)={Dec}_{\mathrm{coarse}}\left(I^{*},K_c\right)$$

(28)

The method proposed in this paper has significant social impact in fields such as military imagery, remote healthcare, and forensic investigation. These fields demand the assurance of data security and integrity, which the proposed method can improve and ensure. As a multi-party secure cryptographic system, it can enhance data disaster recovery through secret sharing properties and have a positive effect on data security.

3. Demonstration and Analysis

3.1. Method Demonstration

In the last section, we introduced the specific details of our proposed protocol. To better understand the proposed method, in this chapter, we show the whole method in distributions. That is, the image encryption example diagram, secret split example diagram, data embedding example diagram, and data extraction example diagram; additionally, the extraction of feature images is integrated into the overall framework.

We will give a concrete example of the protocol and give an analysis and security proof of the protocol. We will take four 2 × 2 image blocks as an example and set the parameters of (k, n) secret sharing as 4 and 5.

Image encryption. As shown in Figure 3, let an image with 16 original pixels be I. The image is divided into four 2 × 2 dot blocks ($I^{\left(1\right)},I^{\left(2\right)},I^{\left(3\right)},I^{\left(4\right)}$), and pixels of the same color are grouped together in the image encryption example diagram:

$$\left\{\begin{array}{c}{I}^{\left(1\right)}=\left(I_1^{\left(1\right)},I_2^{\left(1\right)},I_3^{\left(1\right)},I_4^{\left(1\right)}\right)=(159,152,151,158)\hfill \\ I^{\left(2\right)}=\left(I_1^{\left(2\right)},I_2^{\left(2\right)},I_3^{\left(3\right)},I_4^{\left(4\right)}\right)=(152,152,154,153)\hfill \\ I^{\left(3\right)}=\left(I_1^{\left(3\right)},I_2^{\left(3\right)},I_3^{\left(3\right)},I_4^{\left(3\right)}\right)=(151,158,153,160)\hfill \\ I^{\left(4\right)}=\left(I_1^{\left(4\right)},I_2^{\left(4\right)},I_3^{\left(4\right)},I_4^{\left(4\right)}\right)=(156,156,155,156)\hfill \end{array}\right.$$

(29)

The image owner uses the coarse-grained Arnold image permutation algorithm $En{c}_{coarse}(I,K_c)$ to obtain $I^{*}$:

$$\left\{\begin{array}{c}{I}^{*\left(1\right)}=\left(I_1^{*}\left(1\right),I_2^{*\left(1\right)},I_3^{*\left(1\right)},I_4^{*}\left(1\right)=(155,156,156,156)\right.\hfill \\ I^{*\left(2\right)}=\left(I_1^{*\left(2\right)},I_2^{*\left(2\right)},I_3^{*\left(3\right)},I_4^{*}\right)=(151,153,158,160)\hfill \\ I^{*\left(3\right)}=\left(I_1^{*\left(3\right)},I_2^{*\left(3\right)},I_3^{*\left(3\right)},I_4^{*\left(3\right)}\right)=(152,152,153,154)\hfill \\ I^{*\left(4\right)}=\left(I_1^{*\left(4\right)},I_2^{*\left(4\right)},I_3^{*\left(4\right)},I_4^{*}\left(4\right)=(151,152,158,159)\right.\hfill \end{array}\right.$$

(30)

The image owner uses the fine-grained image scrambling algorithm $En{c}_{fine}(I^{*},K_f)$, where the encryption key $K_f=427,311,455,340$, and obtains $I^{\prime }$:

$$\left\{\begin{array}{c}{I}^{\prime \left(1\right)}=\left(I_1^{\prime \left(1\right)},I_2^{\prime \left(1\right)},I_3^{\prime \left(1\right)},I_4^{\prime \left(1\right)}\right)=(582,583,583,583)\hfill \\ I^{\prime \left(2\right)}=\left(I_1^{\prime \left(2\right)},I_2^{\prime \left(2\right)},I_3^{\prime \left(2\right)},I_4^{\prime \left(2\right)}\right)=(462,464,459,471)\hfill \\ I^{\prime \left(3\right)}=\left(I_1^{\prime \left(3\right)},I_2^{\prime \left(3\right)},I_3^{\prime \left(3\right)},I_4^{\prime \left(3\right)}\right)=(597,597,598,599)\hfill \\ I^{\prime \left(4\right)}=\left(I_1^{\prime \left(4\right)},I_2^{\prime \left(4\right)},I_3^{\prime \left(4\right)},I_4^{\prime \left(4\right)}\right)=(491,492,498,499)\hfill \end{array}\right.$$

(31)

Shadow image generation: As shown in Figure 4, the image owner randomly picks the module $Mb$ and the random mapping parameter $\mathrm{A}=996,601$, as well as the secret key $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta \chi )$ for the module $Mb$ inverse of the random parameter $\mathrm{A}$:

$$Mb=\left(M{b}_1,M{b}_2,M{b}_3,M{b}_4,M{b}_5\right)=(131,137,139,149,153)$$

(32)

$$a=A^{-1}modMb=\left(a^{\left(1\right)},a^{\left(2\right)},a^{\left(3\right)},a^{\left(4\right)},a^{\left(5\right)}\right)=(39,87,115,72,97)$$

(33)

The image owner sends the split secret data $I^{\prime }$ and the embedding secret key $K_a$ to the corresponding data hider using a trusted channel. ${\tilde{I}}^{(1\sim 5)}$ is the secret share map of the difference information obtained by $D{H}^{(1\sim 5)}$ with $K_a^{(1\sim 5)}$:

$$\left\{\begin{array}{c}{\tilde{I}}^{\left(1\right)}=\left(I_1^{\left(1\right)},I_1^{\prime \left(2\right)},I_1^{\prime \left(3\right)},I_1^{\prime \left(4\right)}\right)a^{\left(1\right)}modM{b}^{\left(1\right)}=(98,99,105,106)\\ {\tilde{I}}^{\left(2\right)}=\left(I^{\prime \left(1\right)},I_2^{\prime \left(2\right)},I_2^{\prime \left(3\right)},I_2^{\prime \left(4\right)}\right)a^{\left(2\right)}modM{b}^{\left(2\right)}=(80,81,87,88)\\ {\tilde{I}}^{\left(3\right)}=\left(I^{\prime \left(1\right)}{}_3^{\left(1\right)},I_3^{\prime \left(2\right)},I_3^{\prime \left(3\right)},I^{\prime }{}_3^{\left(4\right)}\right)a^{\left(3\right)}modM{b}^{\left(3\right)}=(74,75,81,82)\\ {\tilde{I}}^{\left(4\right)}=\left(I^{\prime }{}_4^{\left(1\right)},I_4^{\prime \left(2\right)},I_4^{\prime \left(3\right)},I_4^{\prime \left(4\right)}\right)a^{\left(4\right)}modM{b}^{\left(4\right)}=(44,45,51,52)\\ {\tilde{I}}^{\left(5\right)}=\left(I^{\prime \left(1\right)},I_1^{\prime \left(2\right)},I_1^{\prime \left(3\right)},I_1^{\prime \left(4\right)}\right)a^{\left(5\right)}modM{b}^{\left(5\right)}=(32,33,39,40)\end{array}\right.$$

(34)

As shown in Figure 5, we can see that $\left|d_{max}^{(1\sim 5)}\right|=\left|d_{min}^{(1\sim 5)}\right|=1$; both are less than or equal to $\Delta$. Therefore, the data hider performs the data embedding operation for both the highest and lowest bits to obtain the shadow image share after embedding the data and sends the secret share to the corresponding SSCP:

$$\left\{\begin{array}{c}\mathrm{Share}{}^{\left(1\right)}=(110-0\times \Delta ,63,43,127+1\times \Delta )=(110,63,43,128)\\ \mathrm{Share}{}^{\left(2\right)}=(108-0\times \Delta ,34,1,64+1\times \Delta )=(108,34,1,65)\\ \mathrm{Share}{}^{\left(3\right)}=(78-0\times \Delta ,49,14,124+1\times \Delta )=(78,49,14,125)\\ \mathrm{Share}{}^{\left(4\right)}=(42-0\times \Delta ,141,69,9+1\times \Delta )=(42,141,69,10)\\ \mathrm{Share}{}^{\left(5\right)}=(65-0\times \Delta ,24,84,43+1\times \Delta )=(65,24,84,44)\end{array}\right.$$

(35)

As shown in Figure 6, receiver ${}^{(1\sim 5)}$ recovers the secret share map that represents the image difference information and obtains $W=[0,1]$ after receiving the embedding data recovery request using $K_a^{(1\sim 5)}$. The shadow image recovery and image decryption are the reverse of the above steps and will not be repeated.

3.2. Method Analysis

Definition 1.

The coarse-fine-grain encryption method combined with PVO performs the encryption and decryption of the image correctly.

Proof. 

For an image I, let us suppose the initial position of pixel points is $(x_n,y_n)$; according to the coarse-grained encryption and decryption method is Equations (2) and (27), there is

$$\left[\begin{array}{cc}pq+1\hfill & \hfill -p\\ -q\hfill & \hfill 1\end{array}\right]\left[\begin{array}{c}{x}_{n+1}\hfill \\ y_{n+1}\hfill \end{array}\right]modN=\left[\begin{array}{cc}pq+1\hfill & -p\hfill \\ -q\hfill & 1\hfill \end{array}\right]\left[\begin{array}{cc}1\hfill & p\hfill \\ q\hfill & pq+1\hfill \end{array}\right]\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]modN$$

(36)

and there is

$$\left[\begin{array}{cc}pq+1\hfill & \hfill -p\\ -q\hfill & \hfill 1\end{array}\right]\left[\begin{array}{cc}1\hfill & p\hfill \\ q\hfill & pq+1\hfill \end{array}\right]=\left[\begin{array}{cc}1\hfill & 0\hfill \\ 0\hfill & 1\hfill \end{array}\right]$$

(37)

It can be easily seen that

$$\left[\begin{array}{cc}1\hfill & 0\hfill \\ 0\hfill & 1\hfill \end{array}\right]\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]=\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]$$

(38)

Thus, the coarse-grained encryption is lossless and reversible.

Moreover, the fine-grained encryption uses a one-dimensional logical chaotic system to generate a fixed sequence with the same initial value $x_o$ and parameter $\mu$. Therefore, the random numbers added to the image pixel blocks can be recovered by generating the same sequence, so fine-grained encryption is lossless and reversible.

Furthermore, $\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)\leftarrow PVO\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$, where the set $\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$ and where the set $\left(delt{a}_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$ to the set $\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$ is a full projection. The position of the original pixel can be restored losslessly according to the position relationship table if the position relationship table is saved with 8 bits. The position of the original pixel can be restored losslessly according to the position relationship table. Therefore, the correctness of the encryption and decryption combined with the coarse–fine-grained encryption method of PVO is proved. □

Definition 2.

This secret-sharing method can correctly split the encrypted image into multiple shadow images and recover the shadow image into the carrier image. The message hider embeds the message, and the receiver retrieves the embedded secret without affecting the lossless recovery of the carrier image.

Proof. 

Let the encryption key of the secret sharing algorithm be $K_g=(\vartheta ,\mathrm{Mb})$, the original data are x, and the image owner performs the secret splitting algorithm with Equation (15), where $b_1,b_2,b_3,\cdots b_k$ are two mutually prime positive integers, and in the embedding phase of the data hider, there are

$$\left\{\begin{array}{c}\widetilde{r_1}=r_1+\Delta \mathrm{w}\left(modM{b}_1\right)\\ \widetilde{r_2}=r_2+\Delta \mathrm{w}\left(modM{b}_1\right)\\ ⋮\\ \\ \widetilde{r_{\mathrm{k}}}=r_{\mathrm{k}}+\Delta \mathrm{w}\left(modM{b}_{\mathrm{k}}\right)\end{array}\right.$$

(39)

There must be a unique solution for the embedded data, i.e.,

$$T=x\vartheta +\mathrm{w}\equiv B_1{B}_1^{-1}\left(r_1+\mathrm{w}\right)+\cdots +B_k{B}_k^{-1}\left(r_k+\mathrm{w}\right)(modB)$$

(40)

In case the image owner needs to recover the carrier image, there is

$$x=\frac{B_1{B}_1^{-1}\left(r_1+\Delta w\right)+\cdots +B_k{B}_k^{-1}\left(r_k+\Delta w\right)(modB)-\Delta w}{\vartheta }$$

Thus, the splitting and recovery of secret sharing are non-destructive and reversible. Thus, definition 2 is proved. □

Definition 3.

The proposed scheme in this paper exhibits a threshold property of (k, n), which implies that s colluding parties with less than k information embedders would still fail to reconstruct the images encrypted using PVO’s coarse–fine-grained encryption method.

Proof. 

We take the example of each data hider having a single shadow image, assuming there are n data hiders. Let $K_g=(\vartheta ,\mathrm{Mb})$ be the encryption key of the secret sharing algorithm, and let $I(h,w)\in [0,255]$ be the original pixel values. To ensure that the split shadow images still take the form of images, with a maximum single-channel pixel value of 255, the elements of $M_b$ must satisfy the following:

$$\begin{array}{c}\left\{128<M{b}^{\left(1\right)}<M{b}^{\left(2\right)}<\cdots <M{b}^{\left(n\right)}\le 251<Mp\right\}\\ gcd\left(M{b}^{\left(i\right)},M{b}^{\left(j\right)}\right)=1,i\ne j\\ gcd\left(M{b}^{\left(j\right)},Mp\right)=1,i=1,2,\dots ,n\\ gcd\left(M{b}^{\left(i\right)},\vartheta \right)=1,i=1,2,\dots ,n\end{array}$$

(41)

Assuming the image owner sets a (k,n) threshold during the key generation stage, $x\vartheta$ must satisfy the following relationship to achieve the threshold property:

$$\prod _{i=1}^{k-1}M{b}^{\left(i\right)}<x\vartheta <\prod _{i=1}^{k}M{b}^{\left(i\right)}$$

(42)

However, the size of the pixel values x changes after fine encryption. Therefore, different random $\vartheta$ must be set to achieve a dynamically compatible threshold scheme when setting different values of k:

$$\prod _{i=1}^{k-1}M{b}^{\left(i\right)}/x<\vartheta <\prod _{i=1}^{k}M{b}^{\left(i\right)}/x$$

(43)

This allows for $(k,n)$ threshold secret sharing. Thus, definition 3 is proved. □

4. Experiments and Numerical Results

The six test images, including “Lena”, “Baboon”, “Barbara”, “Goldhill”, and “Peppers”, are from the dataset used for the experiments. All test images are grayscale images with a size of 512 × 512. The experimental environment was as follows: host configuration CPU AMD 5800X, memory 32 GB, operating system Windows 11, programming language python 3.9, and MATLAB 2022b.

4.1. Performance of Image Encryption

According to the guideline [28], we conduct multiple experiments to ensure the security of image encryption by testing image randomness, similarity metrics, graphic correlation, and noise robustness.

Image randomness. The intruder shares two secret images at the same time. To the naked eye, the shadow image must look like noise. In addition, the shadow images can be evaluated in a histogram; the more uniform the histogram distribution, the more secure the proposed scheme is. As shown in Figure 7, the first line is the encryption effect of Lena, Baboon, Barbara, Goldhill, and Peppers, and the second line is the encryption result after coarse-grained encryption, which exhibits a strong regularity among pixels, but it is visually impossible to tell what the original image is. The third line is the encryption result after fine-grained encryption. From the line, we can see that after the fine-grained encryption, the statistical features of the gray pixels of the carrier image can be effectively concealed.

In addition, we propose two evaluation metrics for the similarity metric, which can be measured by the peak signal-to-noise ratio (PSNR) shown in Equation (44) and the structural similarity (SSIM) shown in Equations (45) and (46). PSNR evaluates the similarity of images and MSE denotes mean square error:

$$\left\{\begin{array}{c}PSNR=10\times {log}_{10}\left(\frac{{255}^2}{MSE}\right)dB\hfill \\ MSE=\frac{1}{W\times H}\sum _{i=1}^W\sum _{j=1}^H{\left[S^{\prime }(i,j)-S(i,j)\right]}^2\hfill \end{array}\right.$$

(44)

$$SSIM\left(S,S^{\prime }\right)=\frac{\left(2{\mu }_S{\mu }_{S^{\prime }}+c_1\right)\left(2{\sigma }_{S{S}^{\prime }}+c_2\right)}{\left({\mu }_S^2+{\mu }_{S^{\prime }}^2+c_1\right)\left({\sigma }_S^2+{\sigma }_{S^{\prime }}^2+c_2\right)}$$

(45)

$$\left\{\begin{array}{c}{c}_1={(0.01\times L)}^2,c_2={(0.03\times L)}^2,\\ \left\{x,y\mid S,S^{\prime }\mathrm{and}x\ne y\right\},\{L\mid 0\le L\le 255\},\\ {\mu }_x=\frac{1}{W\times H}\sum _{i=1}^W\sum _{j=1}^{H}x(i,j),{\sigma }_x=\sqrt{{\sigma }_x^2}\\ {\sigma }_x^2=\frac{1}{W\times H-1}\sum _{i=1}^W\sum _{j=1}^H{\left(x(i,j)-{\mu }_x\right)}^2,\\ {\sigma }_{xy}=\frac{1}{W\times H-1}\sum _{i=1}^W\sum _{j=1}^H\left(x(i,j)-{\mu }_x\right)\left(y(i,j)-{\mu }_y\right)\end{array}\right.$$

(46)

Furthermore, we use the one-dimensional grayscale entropy of an image to the amount of average information in an image. The one-dimensional entropy indicates the amount of information contained in the aggregated features of grayscale distribution in the image so that $p_i$ denotes the proportion of pixels with a grayscale value i in the image. The one-dimensional grayscale entropy of a grayscale image is defined as, for an image, the closer the information entropy is to 8, the more confusing the image is. As can be seen from

Table 1. PSNR, entropy, and SSIM for the encrypted image.

Test Images	Coarse-Grained Encrypted Image			Coarse-Grained Encrypted Image			Restored Image
	PSNR (dB)	Entropy	SSIM	PSNR (dB)	Entropy	SSIM	PSNR (dB)	Entropy	SSIM
Lena	12.272	7.234	0.030	8.913	7.999	0.011	∞	7.234	0
Baboon	12.614	7.358	0.032	9.526	7.999	0.011	∞	7.358	0
Barbara	11.666	7.466	0.029	9.104	7.999	0.012	∞	7.466	0
Goldhill	11.28	7.478	0.0327	9.040	7.999	0.011	∞	7.4777	0
Peppers	9.942	7.571	0.0182	8.430	7.999	0.012	∞	7.571	0

, the information entropy of the images after fine-grained encryption can reach 7.999 information entropy, indicating that the proposed encryption effect can meet the security requirements. As shown in Figure 8, the histogram also shows that the statistical properties of the original pixels are effectively masked after encryption, which has statistically solid properties before fine-grained encryption:

$$H=\sum _{i=0}^{255}{p}_{i}log{p}_i$$

(47)

Graphic Correlation. Pixel values in plain images are highly similar to their neighbors, whether located horizontally, vertically, or diagonally. This strong correlation poses a risk for statistical attacks, necessitating efficient cryptosystems to create non-correlated encrypted images. Graphic correlation is a visual inspection of an image’s pixel correlation, with the horizontal axis indicating pixel intensity and the vertical axis showing neighbor pixel values.

As shown in Figure 9, we conducted thorough experiments to validate the correlation between pixels. We performed a block-by-block analysis of the graphic correlation of both the original image and the image encrypted with our fine-grained encryption system. The results revealed a significant similarity between the pixel values of the original image and its neighboring pixels, creating a severe vulnerability to statistical attacks. Additionally, the correlation pattern over the 45-degree line in the original image was observed to be strong. The closer the pattern was to this line, the higher the pixel correlation. Nevertheless, we observed that our fine-grained encryption system generated an encrypted image. A visual inspection of its graphic correlation revealed strong non-correlation in the horizontal, vertical, and 45-degree directions. This is due to most neighboring pixels possessing different intensity values.

Noise Robustness. The transmission channel may cause encrypted images to suffer from noise attacks or interference, making it difficult to recover the plain image. Therefore, evaluating noise robustness is necessary for chaos-based image cryptosystems. Our selected algorithms employ substitution–permutation networks, stream encryption, and one-per-one pixel encryption, providing certain advantages against noise. With these principles and bulk image data, the original plain image can still be reconstructed with high visual quality even during the encryption process. To further enhance the noise robustness of our method, we have adopted an error correction algorithm. In this algorithm, if the first pixel value of a 2 × 2 image block is greater than the second pixel value, the second pixel value is assigned to the first pixel. Similarly, if the third pixel value is greater than the fourth pixel value, the fourth pixel value is assigned to the third pixel. We test the visual effects of our proposed algorithm under different levels of noise ($1\%$, $10\%$, $30\%$, $50\%$) to demonstrate its ability to resist noise attacks, as shown in Figure 10. The test results indicate that our proposed algorithm with error correction capability has a stronger resistance against noise attacks than the recovery based on pure chaotic systems, as indicated by the MES results.

The randomness of shadow images. Assuming that an attacker can share two shadow images simultaneously, both must be indistinguishable noise classes. In addition, shadow images can be evaluated in histograms; the more uniform the distribution of the histograms, the safer the proposed scheme. As can be seen from Figure 11, the histogram distribution is approximately the same under different module bases, and no valid information can be distinguished from the shadow image.

Figure 12 shows the shadow image under different module bases and the data obtained by embedding the secret key. It can be seen that the shadow image is sufficiently able to show the correlation between pixels. For the convenience of the display, the pixel box in the upper right corner corresponds to the pixel value of the first 2 × 2 sub-block in the upper leftmost corner. It can be seen that each data hider recovers a different guide image, but all generate the same different histogram.

4.2. Comparison with the State of the Art

To better measure our proposed method, we introduce an embedding rate formula. In order to show the embedding strategy more clearly, the embedding rate used to evaluate the embedding capacity of the proposed scheme and other related schemes is calculated as follows:

$$ER\left(bpp\right)=\frac{\mathrm{Total}\mathrm{number}\mathrm{of}\mathrm{embedded}\mathrm{bits}\mathrm{of}\mathrm{the}\mathrm{image}}{H\times W}$$

(48)

It can be seen that the embedding capacity is related to the embedding step size and embedding size. The larger the step size, the larger the embedding capacity, and the more pronounced the influence on the visual effect.

The statistical histograms of the ciphertext prediction errors for five images are shown in Figure 13. Since the plaintext prediction error and ciphertext have the same statistical error, we can use the histogram transfer formula Equations (17) and (18) to hide the data in the ciphertext images. In addition, the prediction error histograms of the ciphertext images of “Lena”, “Goldhill”, and “Peppers” are mainly around the value of 0, while the prediction difference histograms of Baboon and Barbara are far from the value of 0 of the three images mentioned above. It can also be seen from the table that Baboon and Barbara are different from “Lena”, “Goldhill”, and “Peppers" in terms of having lower embedding rates.

Table 2. Embedding rate of proposed scheme.

Embedding Amount	Theoretical Embedding Rate				Actual Embedding Rate
	1 bit	2 bit	3 bit	4 bit	1 bit	2 bit	3 bit	4 bit
1 bit	0.5	1.5	1.5	1.5	0.346	1.038	1.305	1.419
2 bit	-	3	3	3	-	2.316	2.613	2.838
3 bit	-	-	6	6	-	-	5.226	5.679

shows the theoretical embedding rate/actual embedding rate. We conducted tests on the actual embedding rate by employing Lena plots and set the three-out-of-four threshold. It is known from the algorithm proposed in this paper that, for each block, the pixel corresponding to the maximum value and the pixel corresponding to the minimum value of the four-pixel blocks can perform embedding, i.e., half of the pixels can perform embedding after deciding whether the value in the pixel can be embedded in the data according to different thresholds. In addition, the size of the embedding amount should be less than the threshold value, and this paper uses the embedding amount of bits 1, 2, 3 corresponding to the threshold bits 1, 2, 3, 4, respectively. The table shows that the embedding rate is obtained at 1.038, 2.316, and 5.226, depending on how the embedding amount and threshold bits are selected. It can be seen that the proposed method in this paper is linear in the growth of the embedding amount. This growth is in line with the increase in the corresponding embedding amount and the number of threshold bits.

We compare the embedding rate of the proposed method with several state-of-the-art methods. As shown in

Table 3. Embedding rate among the proposed scheme and state-of-the-art schemes.

Image Name	[10]	[11]	[23]	[29]	[30]	Ours
Lena	0.973	1.575	0.5	3.5	5.3	5.676
Baboon	0.872	0.728	0.5	3.5	5.3	4.776
Barbara	0.96	1.265	0.5	3.5	5.3	5.367
Goldhill	0.963	1.542	0.5	3.5	5.3	5.583
Peppers	0.976	1.545	0.5	3.5	5.3	5.703
Average	0.959	1.331	0.5	3.5	5.3	5.421

, the embedding rate of the proposed method is significantly higher than those of the prior art methods. Furthermore, the embedding rate of the method varies with the different histograms of the image. The closer the value in the difference histogram is to zero, the higher the embedding rate is. Images with smooth textures can obtain higher embedding rates, while images with complex textures have lower embedding rates, such as the image Baboon.

This paper and other methods exploit the correlation of natural images, such as MSB prediction [10,11], and differential extension [23], all of which have embedding rates that vary with the redundancy of the images. In addition, the method proposed in this paper does not require data compression. However, it performs data embedding by recovering histograms that retain pixel difference information through the adaptive generation of bootstrap maps that automatically generate embedding secret keys, from which high embedding rates are obtained.

In the scheme comparison, as shown in

Table 4. Feature comparison among the proposed scheme and state-of-the-art schemes.

Scheme	Separable	Vacating Room	Encryption Strategy	Multi-Data Hider	Availability of Guidance Information
[10]	Yes	Before	Stream cipher	No	Yes
[11]	Yes	Before	Stream cipher	No	Yes
[23]	No	Before	Secret sharing	No	Yes
Ours	Yes	Before	Stream cipher+ Secret sharing	Yes	No

, all the compared algorithms use the Vacating room approach to achieve an embedding efficiency higher than 0.5 bpp. Among them, [10,11,23] use the Vacating room approach before encryption to increase the embedding capacity. In addition, the proposed method in this paper uses a combination of stream encryption and secret sharing based on chaos, which is more secure than other state-of-the-art algorithms, single stream encryption [10,11], and single secret sharing [23]. In addition, this paper innovatively proposed a way of generating guidance graphs by shadow images, which reduces the scheme’s complexity and the variety of information transfer.

5. Conclusions

This study addresses several key issues, including reversible information hiding in encrypted domains in various data-embedding scenarios, improved encryption effectiveness, and enhanced information-embedding capability. We propose a lossless RDH-EI method based on PVO and secret sharing for multiple data hiders, which addressed the problem of secure and efficient data embedding in encrypted images. The method ensures lossless embedding and extraction, and the original image’s digital assets can be fully recovered. The proposed PVO-based secret sharing scheme achieves a high embedding rate and is significantly better than existing encryption techniques in terms of efficiency and effect. The combined stream encryption with the secret sharing approach significantly improves the security of the method, ensuring that the data hiders can embed their data securely without any fear of data leakage. Moreover, the proposed scheme does not require any extra guide parameters, which enhances its usability.