Homomorphic Encryption-Based Robust Reversible Watermarking for 3D Model

.


Introduction
Due to the development of outsourced storage in the cloud, reversible watermarking in an encrypted domain has been developed for security in the cloud [1][2][3][4]. However, the cloud cannot introduce distortion of original content during watermark embedding. Therefore, the reversible watermarking method is required [5,6]. In addition, the watermark carrier is vulnerable during transmission, and the embedded watermark is expected to resist common attacks [7,8]. Therefore, robust reversible watermarking in an encrypted domain has greatly attracted researchers for potential applications.
In general, watermarking can be divided into robust and fragile watermarking methods in terms of their robustness. Robust watermarking [9] is used to protect security and resist attacks, while fragile watermarking [10,11] is used to provide integrity authentication. For the occasions with high data security requirements, such as judicial authentication, medical images, etc., more researchers focus on fragile watermarking in the encrypted domain.
Reversible watermarking in the encrypted domain can be divided into reserving room before encryption (RRBE) and vacating room after encryption (VRAE). The RRBE method reserves embedding room before encrypting the original image [12][13][14][15]. For example, the vacated bits, which are reserved by self-embedding before encryption, can be substituted by the watermark in the encrypted domain [4]. With the development of reversible watermarking [16,17], the original image can be restored absolutely after extracting the watermark. The second type directly implements watermark embedding by modified the encrypted image [18,19] after encryption. For instance, Xiang divided the original image into patches to be encrypted, and then the histogram of statistical values was calculated in the encrypted domain for shifting to embed watermark [20].
However, these methods are only applied to images, and cannot be used in 3D models directly due to different structures between images and 3D models. Ke et al. proposed a robust watermarking method on the basis of self-similarity [21]. In that method, a 3D model is divided into patches, and watermark bits were embedded by changing the local vector length of a point in each patch. Feng et al. divided a 3D model into patches, then embedded a watermark into each patch by modulating angle quantization [22]. However, those methods are not reversible. Jiang et al. proposed a 3D model watermarking method on the basis of stream cipher encryption [1]. The watermark was embedded by flipping the least significant bits (LSBs) of the vertex coordinates. Since the original 3D models have high spatial correlation, the watermark can be extracted successfully. Shah proposed a watermarking method based on the homomorphic Paillier cryptosystem, which used VRAE framework to vacate space before encryption [2]. However, those methods are fragile to attacks and cannot protect their copyrights.
To our best of knowledge, although the aforementioned watermarking methods on encrypted 3D models have been developed, the research on robustness for encrypted 3D models is rarely reported. In this paper, in order to protect the security of a 3D model in the cloud, we proposed a homomorphic encryption-based robust reversible watermarking method. In this method, the original model is first divided into patches to facilitate patch encryption using the Paillier cryptosystem. Then, the watermark is embedded by constructing the symmetrical direction histogram and shifting histogram in the encrypted domain, and the robust interval is reserved during the histogram shifting. Last, the receiver extracts the watermark in the encrypted model or the decrypted model by constructing a direction histogram of patches, and restores the original model through the method of histogram shifting which is the opposite to the embedding process. The contributions of the paper are organized as follows.
(1) The proposed method can directly construct direction histogram in the encrypted model so that the watermark can be extracted and the original encrypted model can be restored in the encrypted domain.
(2) The proposed method is robust to several common attacks by reserving the robust interval during the histogram shifting for watermark embedding.
(3) The proposed method not only has higher security and capacity, but also has less distortion compared with the original model.
The rest of this paper is organized as follows. In the second part, the Paillier cryptosystem is briefly introduced. In the third part, the related robust reversible watermarking method flow is proposed. The experimental results are shown in Section 4. The conclusions of the thesis are discussed in Section 5.

Paillier Cryptosystem
The Paillier cryptosystem [23], which was proposed by Paillier Pascal in 1999, has homomorphism and probability. Homomorphism means that one arithmetic operation of two ciphertexts are equal to another arithmetic operation of two corresponding plaintext. Moreover, homomorphism includes addition and multiplication homomorphism. Probability means that different ciphertexts, which are obtained by encrypting the same plaintext with different parameters, can be decrypted to the same plaintext. The following describes the processes of key generation, encryption, and decryption, two properties, and the application of modular multiplication inverse (MMI) [24] in the Paillier cryptosystem. where , and gcd( ) ⋅ means the greatest common divisor of two inputs.
where [ ] E ⋅ denotes the encryption function. Due to the nature of the Paillier cryptosystem, for the same plaintext m , different ciphertexts c can be obtained by choosing different r . After decryption, different ciphertexts can be restored to the same plaintext m , which ensures the security of the ciphertext.

• Decryption
The original plaintext m can be obtained by Moreover, two important characteristics are described as follows (which has been applied in the proposed method).

Lemma One
For two plaintexts The original Paillier cryptosystem only has addition homomorphism and multiplication homomorphism. The subtraction homomorphism can be achieved through modular multiplication inverse (MMI).

Modular Multiplication Inverse (MMI)
For two coprime integers y and z , the existence of an integer θ satisfies 1mod y z where θ is called the modular multiplicative inverse of y , and θ can be obtained according to the extended Euclidean method [25].

The Proposed Method
In order to protect the security of 3D model in the cloud, a homomorphic encryption-based robust reversible watermarking method is proposed. Figure 1 shows the flowchart of the proposed method. Firstly, the original model is divided into patches, and vertices in each patch are encrypted using the Paillier cryptosystem. In the cloud, three direction values of each patch are computed, and the direction histogram is constructed for shifting to embed the watermark. At last, the watermark can be extracted from direction histogram, and the original 3D model can be restored by histogram shifting.

Preprocessing
Because the input of the Paillier cryptosystem should be a positive integer, the vertex coordinates firstly are converted from decimal to positive integer.
3D models are consisted of vertex data and connectivity data. The vertex data includes the coordinates of each vertex in the spatial domain. The connectivity data reflects the connection relationship between vertices. A 3D model devil and its local region are illustrated in Figure 2  Normally, uncompressed vertices are 32-bit floating point numbers with a precision of 6 digits. The first four significant digits of vertex coordinates can accurately display the 3D model. Therefore, the vertex coordinates are converted into an integer with four significant digits by using Equation (7). 4 , Moreover, all vertex coordinates should be converted to positive integers for encryption by using Equation (8).
After preprocessing, the pre-processed 3D model is computed, and denoted as M′.

Patch Dividing and Patch Encryption
The section describes how to divide the model into several non-overlapping patches and perform encryption by using the Paillier cryptosystem.
where V N are the number of the vertices of the 3D model, and | | i k v v represents the number of vertices between i v and k v . As illustrated in Figure 2, the blue vertices are the 1-ring neighborhood of the red vertex, and the green vertices are the 2-ring neighborhood of the red vertex. When the 3D model is divided into patches, it is necessary to ensure patches do not overlap each other. Suppose that the unclassified and classified sets are Y S and N S , respectively.
and N S are initially empty. Suppose that the th l patch is denoted as ( ) l P . A 3D model is divided into patches by the following rules, and initially 1 l = .
Step 1: The first vertex i v is selected according to the order of vertex index, and i v and its 1ring neighborhood are used as the Step 2: Update the unclassified set and the classified set by using Equation (11).
is the union of two sets, and ( ) N v is put into the classified set for ensuring patches do not overlap each other.
Step 3: Determine whether the unclassified set Y S is empty. If Y S is empty, then the division of patches ends. If Y S is not empty, then continue to select the is empty. As illustrated in Figure 3, the local region of 3D model devil can be divided into five patches, and each color in Figure 3 represents a patch. where ( ) l C denotes the encrypted vertex coordinates, and [ ] E M′ represents the encrypted model.

Watermark Embedding
Firstly, three direction values of each patch in ciphertext are computed. Then, according to the possible values of the direction in ciphertext, the mapping table is constructed to map the direction values in ciphertext to the direction values in plaintext. The direction histogram is constructed by counting the direction values of all patches. Lastly, the watermark is embedded by histogram shifting.

Three Direction Values Calculation of Each Patch
In order to calculate three direction values of each patch, a vector ( ) M p is defined by using Equation (13).
which is calculated by Equation (14).
In the encrypted domain, without the private key λ , the encrypted vertex coordinates cannot by decrypted to obtain the vertex coordinate in plaintext, so the direction value ( ) ( )  (16) and (17), Since the direction value ( ) ( )  (18).
Then the direction value in ciphertext can be calculated by using Equation (20).
It can be derived to the following equation. ( ) mod ( ) mod According to Carmichael theory, the following equation holds.
Hence, the following equation holds.
According to Equations (22) and (24), Equation (20) can be simplified as   Table   Due to the spatial correlation of the 3D model, the vertex coordinates are relatively close in space. According to the experiments on multiple 3D model, the direction values are usually in a certain range, and the maximum direction value is usually related to the number of vertices in the patch. As illustrated in Figure

Constructing the Mapping
Hence, the mapping table can be constructed as illustrated in Figure 6, and the direction values in ciphertext can be mapped to the direction values in plaintext through the mapping table

Embedding Watermark by Histogram Shifting
In the proposed method, the watermark is embedded by shifting the direction histogram. In order to embed the watermark, the changed direction values should exceed the range of original histogram. Using ( ) where ( 1)

Watermark Extraction
Watermark extraction includes extracting the watermark in the encrypted model and extracting the watermark in the decrypted model.

Extracting Watermark in an Encrypted Domain and Restore the Original Encrypted Model
The watermarked model is firstly divided into patches, and the direction values in ciphertext is calculated and mapped to the direction values in plaintext using the MMI method and the mapping table. Then, the direction histogram is constructed, and the watermark is extracted from direction histogram. Finally, with the embedding key The original encrypted model can be restored by histogram shifting, which is reverse to the embedding process. In order to restore the original encrypted model, the modular multiplicative

Extracting Watermark in Decrypted Model
With the private key, the watermarked model can be decrypted. With the embedding key, the watermark can be extracted and the original 3D model can be restored. Firstly, the watermarked model is divided into patches and the direction values of each patch are calculated by using Equation (14). Then, the direction histogram is constructed and the watermark is extracted from direction histogram by using Equation (32). Finally, with the embedding key, the original model can be restored by using Equation (35).
The decrypted model with watermark may be vulnerable to some common attacks such as noise interference during transmission. Since the robust interval during histogram shifting is reserved, the proposed method is robust to common attacks, such as Gaussian noise, translation, scaling, etc. As illustrated in Figure 8, the 0-bit area and the 1-bit area are separated by the robust interval of size ( ) l T N . After the decrypted watermarked model is attacked slightly, it will cause a small range fluctuation of the direction values. However, if the direction values do not enter the error area, the receiver can still correctly extract the watermark. In order to improve the accuracy of watermark extraction after being disturbed, the watermark is extracted by using

Experimental Results and Discussion
The proposed method processed 3D model and implemented the watermark method in MATLAB R2016b under Window 7. We implemented the following experiment on 40 3D models and calculated the average of 40 3D models. Figure 9 shows six models used in the experiment. The quality of the decrypted watermarked model is evaluated by the signal-to-noise ratio ( SNR). The higher the value SNR , the better the imperceptibility after embedding watermark. SNR is computed as where , ,  In addition, the bit error rate (BER) is used to measure the error rate of the extracted watermark. The lower the value, the higher the accuracy of the extracted watermark. of the extracted watermark, we changed the value of β to perform on 40 tested models and calculated their average. The relationship between the value of β and the distortion SNR is illustrated in Figure 10a. As β increases, SNR gradually decreases. When β = 588, SNR of the decrypted model is slightly greater than 30 dB. Based on imperceptible considerations, in order to obtain better model quality, the value of β cannot exceed 588. The relationship between the value of β and BER is shown in Figure 10b. When 528 β ≥ , the watermark was correctly extracted without being attacked. Therefore, the value of b cannot be less than 528.

The Value of t
As shown in Figure 7, the 0-bit area and 1-bit area are separated by the robust interval of size ( 1) l t N ⋅ − . If the robust interval is large, the robustness is high. However, as t increases, the quality of the decrypted model is reduced. Therefore, t needs to be adjusted according to the actual application scenario. If higher robustness is required, a greater value of t can be assigned. If better quality of decrypted model is required, a smaller value of t is set. In order to choose a suitable value, experiments were conducted on 40 models to test the robustness with different values of t .
As illustrated in Figure 11, the BER of watermark extraction is low under Gaussian noise (0.01).
By increasing t , the BER could be reduced. When 50 t = , the watermark could be extracted correctly. Therefore, when higher robustness is required, the value of t can be assigned to be 50.

Feasibility of the Watermarking
In order to show the feasibility of the proposed watermarking method, the 3D model devil with 30,000 vertices was tested, and other models had similar results. The watermark was a 1024-bit pseudo-random sequence. Firstly, the original model was divided into patches and the encrypted model was obtained by encrypting the 3D model with the public key as illustrated in Figure 12. Secondly, with the embedding key, the watermark was embedded to obtain the watermarked model as illustrated in Figure 12c. Then, the directly decrypted model (as shown in Figure 12d) is obtained by decrypting the encrypted model; SNR of the decrypted model was 30.93. Lastly, the watermark was extracted and the model was restored (as shown in Figure 12e), and the SNR of the restored model approaches infinity, which shows that the restored model was exactly the same as the original model. Figure 12f shows that all watermark bits were correctly extracted. The experimental results showed that the proposed method achieved reversibility of embedding and extraction, and the restoration of the original model. Figure 13 shows five decrypted 3D models had less distortion compared to the original 3D model, and Figure 13f shows the SNR of the decrypted models were close to 30, which denotes the proposed method can obtain good quality.

Robustness Analysis
In order to compare the robustness under attacks, several attacks were performed on the decrypted 3D model. Table 1 shows the bit error rate of watermark extraction under different attacks. The robustness against the translation attacks was tested. As shown in Table 1, the method perfectly resisted translation attacks. When the model was subjected to a translation attack, the vertex coordinates of the patch increased by a certain value at the same time. According to Equation (14), when the vertex coordinates in a patch are changed by the same size, it can be known that its direction values will not change. Therefore, the watermark can be extracted correctly.

Robustness Against Scaling Attacks
The robustness against scaling attacks was tested by different levels (0.8, 1.2, 1.5) on the decrypted 3D model. As shown in Table 1, the proposed method was robust to scaling attacks. When the model was attacked, the vertex coordinates of the patch were multiplied by a certain coefficient at the same time. According to Equation (14), its direction values also increased or decreased accordingly. As illustrated in Figure 7, the direction values of most patches were concentrated in the central area. Therefore, when the scaling size was increased, most of the vertices were still in the original area, and only a small number of vertices were offset. On this condition, the robustness was high. When the scaling size was decreased, the 1-bit area was easily shifted to the 0-bit area, which affected the accuracy of extracting the watermark. Therefore, the robustness was much higher when the 3D model was amplified compared with other levels of attacks.

Robustness to Gaussian Noise Attacks
The robustness against Gaussian noise attacks was tested by performing different degrees (0.005, 0.01, 0.02) on the decrypted 3D model. As shown in Table 1, the robustness against Gaussian noise attacks was high. When the model was attacked by Gaussian noise, the vertex coordinates were slightly disturbed. According to Equation (14), its direction values were also slightly modified. As illustrated in Figure 7, the direction values of most patches were concentrated in the central area, and only a few vertices were in the non-central area. Therefore, when the model was slightly disturbed, the direction values of the central area were slightly disturbed, and only a few direction values of non-central area were shifted.
However, the proposed method cannot resist the attacks of cropping and simplification, it is because those attacks will influence the order of the vertices. Moreover, the proposed method cannot resist salt and pepper noise, mainly because the attack obviously changes the relative position between vertices.

Compared with the Existing Watermark Method in an Encrypted Domain.
To our knowledge, few effective robust reversible watermarking methods for 3D model in the encryption domain has been reported in the literature. In order to show the effectiveness of the proposed method, Jiang [1] is extended to the encrypted 3D model. From Table 2, the proposed method has a slightly higher embedding capacity compared with the Jiang [1], and it is mainly because a patch has three coordinate axes and three bits can be embedded. To sum up, the proposed method has good security and robustness, and the decrypted 3D model has low distortion.

Conclusions
In this paper, a robust reversible three-dimensional (3D) model watermarking method based on homomorphic encryption is presented for protecting the copyright of 3D models. The 3D model is divided into non-overlapping patches, and the vertex in each patch is encrypted by using the Paillier cryptosystem. On the cloud side, three direction values of each patch are computed, and the symmetrical direction histogram is constructed for shifting to embed watermark. In order to obtain robustness, the robust interval is designed in the process of histogram shifting. The watermark can be extracted from the direction histogram, and the original encrypted model can be restored by histogram shifting. Experimental results show that the decrypted 3D models have less distortion compared with the existing methods, which denotes the proposed method can embed more secret data without increasing the 3D models distortion. Moreover, the proposed method can resist a series of attacks compared to the existing watermarking methods on encrypted 3D model. Thus, the proposed method is efficient to protect copyright of 3D models in the cloud when the cloud administrator does not know the content of the 3D models, but the existing methods have no ability.
In the future, we will investigate the following two possible research directions. (1) Reduce the distortion of the directly decrypted 3D model. (2) Further improve the robustness against more kinds of attacks, such as cropping and salt and pepper noise.