A Novel Reversible Data Hiding Method for 3D Model in Homomorphic Encryption Domain

Reversible data hiding in the encrypted domain (RDH-ED) is a technique that protects the privacy of multimedia in the cloud service. In order to manage three-dimensional (3D) models, a novel RDH-ED based on prediction error expansion (PEE) is proposed. First, the homomorphic Paillier cryptosystem is utilized to encrypt the 3D model for transmission to the cloud. In the data hiding, a greedy algorithm is employed to classify vertices of 3D models into reference and embedded sets in order to increase the embedding capacity. The prediction value of the embedded vertex is computed by using the reference vertex, and then the module length of the prediction error is expanded to embed data. On the receiving side, the data extraction is symmetric to the data embedding, and the range of the module length is compared to extract the secret data. Meanwhile, the original 3D model can be recovered with the help of the reference vertex. The experimental results show that the proposed method can achieve greater embedding capacity compared with the existing RDH-ED methods.


Introduction
Since three-dimensional (3D) models can intuitively display stereoscopic information about the real world, they have potential uses in many applications, such as human, architectural, and organ models [1][2][3]. With the increasing popularity of cloud-based storage, users often store their 3D models with a third party so that they can conveniently access the data. To manage the uploaded 3D model, the cloud administrator may embed additional information for media notation, content verification, and so on [4,5]. Moreover, the cloud administrator is not required to change the 3D models permanently when embedding data [6]. Since reversible data hiding (RDH) can completely recover the original media after the secret data are extracted, the RDH method has received much attention from researchers.
The reversible data hiding (RDH) method can be classified into three types: lossless compression [7], difference expansion (DE) [8], and histogram shifting (HS) [9]. Using lossless compression-based RDH, Fridrich et al. compressed an original image to empty the space in order to embed data [7], but the corresponding embedding capacity was small due to the low compression. Using DE-based RDH, Tian expanded the difference between two adjacent pixels to embed data [8]. However, two adjacent pixels sometimes are not close when they are located at the edges, and this leads to high image distortion. Using the histogram shifting-based RDH, Ni et al. built a pixel histogram, and then used the peak to embed data [9]. The pixel histogram is often the mean distribution and the peak is not sharp, so that the embedding performance is not satisfactory. As an extension of DE, Thodi presented a prediction error expansion (PEE)-based RDH method [10], which is effective.
Subsequently, many improvements to the PEE-based RDH method were presented, such as prediction accuracy, pairwise PEE, sorting, and so on [11][12][13].
The abovementioned RDH methods were designed for images and cannot be directly used for 3D models since the structures of the 3D model and the image are different. Dittmann et al. firstly presented an RDH method for authenticating a 3D model, wherein the concept of a distortion-free 3D model is introduced [14]. Wu et al. embedded secret data by modulating the distances between the face and the 3D model center, so that authentication can be obtained via extracting the data [15]. Moreover, the modulation information is stored in the Stego 3D model; thus, reversibility can be achieved. Jhou et al. selected the last few digits of the vertex coordinate value to embed data, and the original model can be perfectly recovered if it is intact [16]. Sun et al. and Lu et al. embedded data in a predictive vector quantization (PVQ) compressed domain by modifying the prediction mechanism during the compression process [17,18]. Wu et al. designed an RDH method based on DE, which modified differences between the adjacent vertex coordinates to embed data in order to keep the mesh topology unchanged [19]. Wu et al. predicted the vertex position by calculating the centroid of its traversed neighbors and then used PEE to embed data [20]. However, although their method has a large embedding capacity, the 3D model distortion is obvious. Jiang et al. built a three-dimensional prediction error histogram by using recursive construction coding due to the similarities between adjacent vertices, and they then modified the histogram to embed data [21]. Zhang et al. presented an RDH for 3D models based on hybrid prediction, which exploited vertex-vertex correlations to obtain high prediction accuracy to improve the data embedding performance [22].
In reality, before the media is transmitted into the cloud service, it will be encrypted in order to prohibit the cloud administrator from accessing the content of the 3D model [23]. Therefore, the RDH in the encrypted domain (RDH-ED) is more popular in real applications [24,25].
In this paper, an RDH-ED based on PEE is presented for managing the 3D model in the cloud service. Firstly, the user encrypts the 3D model by using the homomorphic Paillier cryptosystem for transmission to the cloud service. Secondly, for embedding data, a greedy algorithm is used to divide the vertices of the 3D model into reference and embedded sets in order to increase the embedding capacity. The reference vertex is employed to compute the prediction error for the embedded vertex, and the module length of the prediction error is expanded to embed data. In parallel with the data embedding, the data extraction at the receiving end compares the range of the module length to extract the secret data; meanwhile, the original 3D model is recovered completely by using the reference vertex. The experimental results show that the proposed method is superior to the existing method in relation to the embedding capacity. The main contributions of the paper are listed as follows.

1. A greedy algorithm is employed to classify the vertex into the embedded set and the reference set to increase the embedding capacity.
2. The module length of the prediction error is expanded to embed data in the encryption domain.
3. The embedding capacity of the proposed method is superior to that of the existing RDH-ED methods.

The rest of this article is organized as follows. The Paillier cryptosystem is briefly introduced in Section 2. The proposed method is described in detail in Section 3. Section 4 presents the experimental results. Section 5 provides the conclusions.

Related Work
In this section, we introduce the encryption technique and review related RDH-ED methods. Commonly used encryption algorithms include stream bit encryption and Paillier encryption. Stream bit encryption uses a stream ciphertext to encrypt the image, which has low complexity and no pixel overflow [26]. Since homomorphic encryption can directly process data in the encryption domain and there is no need to decrypt the cipher-texts before operating them, the Paillier cryptosystem is more practical [27,28]. For example, Chen et al. encrypted an image through the Paillier cryptosystem and used the additive homomorphism of the Paillier encryption system to embed the secret data [29].
The RDH-ED method can be divided into two categories. The first category is reserving room before encryption (RRBE), in which the room for data embedding is created before encrypting the original image [30][31][32]. Zhang et al. embedded one bit into each encrypted image block by flipping three least significant bits (LSB), and the data were extracted through the texture evaluation [33]. On the basis of Zhang's study, Hong et al. increased the embedding capacity by using a public key modulation mechanism [34]. However, in these two methods, the image needs to be decrypted before data extraction. Zhang compressed the LSBs of the encrypted image to provide embedding room, and they separated data extraction and image recovery [35]. Xiang et al. designed an RDH-ED method using the properties of the Paillier cryptosystem [36], where data can be extracted from the decrypted domain and the encrypted domain, respectively. In summary, the RRBE method requires a great deal of work before encryption, and reliable interaction with the cloud administrator must be established.
Compared with RRBE, vacating room after encryption (VRAE) as the second category is more practical [37,38]. Xiang et al. selected two pixels as a group for encryption, and data were embedded by shifting the histogram of the absolute difference between pairs of pixels [39]. However, the embedding capacity was insufficient. Xiong et al. embedded two bits into groups of three pixels to increase the embedding capacity [40]. However, these RDH-ED methods are designed for images; to date, only a few RDH-ED methods have been studied for 3D models. Jiang et al. proposed an RDH-ED based on stream bit encryption, and they embedded data by flipping several LSBs of vertex coordinates [41]. With the help of spatial correlation of the 3D model, the receiver extracted data by using the smooth function. Li et al. divided the 3D model into non-overlapping patches, and the vertex in each patch was encrypted using the Paillier cryptosystem [42]. In this method, three directions of each patch are computed to build the corresponding histogram for embedding data. However, each patch only can hold one bit, and the embedding capacity cannot be increased further. Moreover, the cipher mapping table should be transmitted to the receiver for data decryption. In order to increase the embedding capacity, Li et al. encrypted the 3D model using the Paillier cryptosystem and used the dyeing algorithm to classify vertices into the embedded set and the reference set for data embedding [43]. To embed more than one bit into the embedded vertex, each bit is mapped to the direction of the vertex, which should be recorded in a mapping table. However, after the dyeing algorithm, the number of embedded vertices is low, which affects the embedding capacity. Furthermore, the mapping table as the additional information should be transmitted for data extraction.
Finally, to better distinguish the proposed method from some related methods, some differences are listed in Table 1. Similar to Jiang's [41] and Li's [43] methods, the vertex is classified, but the proposed method uses a greedy algorithm to improve the embedding capacity. Similarly to Li's [43] method, the proposed method uses PEE but expands the module length of the prediction error to embed data. Compared with Jiang's [41] and Li's [42] methods, the proposed method embeds more than one bit for one vertex. Moreover, the proposed method only transmits secret keys as the additional information for data extraction and uses the Paillier cryptosystem to encrypt the 3D model.

Background
The Paillier cryptosystem is an additive homomorphic encryption method [27] that is often used to process ciphertext in the encrypted domain. Its homomorphism shows that the ciphertext can be arithmetically operated after encryption and the operation result is consistent with the corresponding operation result in the plaintext field. The Paillier cryptosystem mainly includes key generation, encryption, and decryption, which are depicted here in detail.
Key generation first selects two large primes, $a_1$ and $a_2$, randomly. Then, $N = a_1 \times a_2$ and $\gamma = f_1(a_1, a_2)$, where $f_1(\cdot)$ returns the least common multiple. Afterwards, we select an integer $g \in Z^*_{N^2}$, where $Z_{N^2} = \{0, 1, 2, \ldots, N^2 - 1\}$ and $Z^*_{N^2}$ is the set of numbers in $Z_{N^2}$ that are coprime with $N^2$. Moreover, $g$ satisfies: where $f_2(\cdot)$ returns the greatest common divisor, $\mathrm{mod}(\cdot)$ returns the remainder after division, and $f_3(x) = (x - 1)/N$. Finally, we obtain the public key $(N, g)$ and the private key $\gamma$.
In the process of encryption, we select an integer $t \in Z^*_{N^2}$ randomly, and the plaintext $s \in Z_{N^2}$ is encrypted with the public key $(N, g)$ using Equation (2): where $En(\cdot)$ denotes the encryption function, and $c$ is the ciphertext. Owing to the nature of the Paillier cryptosystem, it ensures the security of the ciphertext. Specifically, different ciphertexts are computed with different $t$ for the same $s$, and, after decryption, different ciphertexts can be restored to the same $s$ with the secret key $\gamma$: where $De(\cdot)$ denotes the decryption function.
In the following, homomorphism and homomorphic extension of subtraction are described for the Paillier cryptosystem. For the homomorphism, let two plaintexts be $s_1$ and $s_2$, respectively, and $\forall t_1, t_2 \in Z^*_{N^2}$. The two ciphertexts are computed as: The original Paillier cryptosystem has addition homomorphism and multiplication homomorphism: The subtraction homomorphism can be obtained through modular multiplication inverse (MMI). In order to compute $s_1 - s_2$ in the Paillier cryptosystem, first, the negative number $-s_2$ is represented by $N - s_2$. Then, the Euclidean technique is used to compute the ciphertext of $N - s_2$. Suppose that $En(s_2)^{-1}$ is the ciphertext of $N - s_2$; thus, in the Paillier cryptosystem, $s_1 + (-s_2)$ is computed using $\mathrm{mod}(En(s_1, t_1) \times En(s_2, t_2)^{-1}, N^2)$.
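The key generation, probabilistic encryption and the addition and subtraction homomorphisms described above, as an added example that is not the paper's code. It uses the standard Paillier definitions $\gamma = \mathrm{lcm}(a_1 - 1, a_2 - 1)$ and $t \in Z^*_N$, assumes $g = N + 1$, and the primes and coordinates are small constructed values chosen only so the arithmetic is easy to follow.

```python
import math
import secrets


def f3(x, N):
    """f3(x) = (x - 1) / N from the page; the division is exact here."""
    return (x - 1) // N


def keygen(a1, a2):
    """Return the public key (N, g) and private key gamma from primes a1, a2."""
    N = a1 * a2
    gamma = (a1 - 1) * (a2 - 1) // math.gcd(a1 - 1, a2 - 1)  # lcm(a1-1, a2-1)
    g = N + 1  # assumed choice of g; it must pass the gcd check below
    if math.gcd(f3(pow(g, gamma, N * N), N), N) != 1:
        raise ValueError("g is not a valid Paillier generator")
    return (N, g), gamma


def encrypt(pub, s, t=None):
    """c = g^s * t^N mod N^2. A fresh random t gives a fresh ciphertext."""
    N, g = pub
    while t is None or math.gcd(t, N) != 1:
        t = secrets.randbelow(N - 1) + 1
    return pow(g, s % N, N * N) * pow(t, N, N * N) % (N * N)


def decrypt(pub, gamma, c):
    """s = f3(c^gamma mod N^2) * f3(g^gamma mod N^2)^-1 mod N."""
    N, g = pub
    mu = pow(f3(pow(g, gamma, N * N), N), -1, N)
    return f3(pow(c, gamma, N * N), N) * mu % N


def add(pub, c1, c2):
    """En(s1) * En(s2) mod N^2 decrypts to s1 + s2 mod N."""
    return c1 * c2 % (pub[0] ** 2)


def scalar_mul(pub, c, k):
    """En(s)^k mod N^2 decrypts to k * s mod N."""
    return pow(c, k, pub[0] ** 2)


def sub(pub, c1, c2):
    """En(s1) * En(s2)^-1 mod N^2 decrypts to s1 - s2 mod N.

    The modular inverse of En(s2) is a ciphertext of N - s2.
    """
    N2 = pub[0] ** 2
    return c1 * pow(c2, -1, N2) % N2


def to_signed(N, s):
    """Map a residue back to a signed value: N - k represents -k."""
    return s - N if s > N // 2 else s


if __name__ == "__main__":
    pub, gamma = keygen(1009, 1013)          # constructed toy primes
    c1, c2 = encrypt(pub, 5012), encrypt(pub, 4991)
    print(decrypt(pub, gamma, add(pub, c1, c2)))
    print(to_signed(pub[0], decrypt(pub, gamma, sub(pub, c2, c1))))
```
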

The Proposed Method
Using the Paillier cryptosystem, the 3D model is encrypted and then uploaded to the cloud service. In the cloud service, the corresponding administrator embeds data into the encrypted domain, as illustrated in Figure 1. First, the vertices are preprocessed for the Paillier cryptosystem, and then the greedy algorithm is used to classify the vertices into reference vertices and embedded vertices in order to increase the embedding capacity. Then, the prediction error is computed for each embedded vertex, and data are embedded using PEE. On the receiver side, the data can be extracted and the original 3D model can be restored by comparing the module length range of the prediction error, which is symmetric to the data embedding. In the following, the preprocessing, encryption, data embedding, and data extraction are depicted in detail.

Preprocessing and Encryption
Generally, uncompressed vertices of the 3D model are 32-bit floating point numbers. However, the Paillier cryptosystem requires positive integers for the input; thus, the vertex coordinates are required to be converted from the decimal to the positive integer.
The 3D model mainly consists of vertex data and face data. The vertex data include coordinates of each vertex, and the face data supply the topological information that reflects the connection between vertices. Let $\{v_i\}_{i=0}^{N_v}$ represent the sequence of vertices after scanning a 3D model, where $N_v$ is the number of vertices and $v_i = \{v_{i,x}, v_{i,y}, v_{i,z}\}$, as shown in Table 2. Note that each coordinate of the vertex satisfies $v_{i,j} < 1$, $j \in \{x, y, z\}$, and has 6 significant digits.
Since the 3D model can be accurately represented by the first four significant digits of the vertex coordinates, the vertex coordinates are converted into an integer with four significant digits by using the following formula: Then, all coordinates of the vertices are changed to the positive integer: After preprocessing, $v_{i,j}$ is encrypted as where $t_{i,j}$ is a small random integer for $v_{i,j}$, and it is less than $N$.

Processes of Data Hiding
After encryption, data are embedded to manage the encrypted 3D model. Firstly, the vertex is classified into the embedded vertex set and reference vertex set using the greedy algorithm. Then, the prediction error of the embedded vertex is calculated by using the reference vertex. Finally, the module length of the prediction error is expanded to embed the secret data in the encrypted domain.
When the 3D model is encrypted and uploaded to the cloud, the cloud administrator still can embed the secret data without knowing the original content. Some vertices are chosen to embed data and their adjacent vertices are unmodified as references for prediction. In the following, vertex classification, prediction error computation, data embedding, and the parameter d are described in detail.

Vertex Classification
First, the 1-ring neighborhood and 2-ring neighborhood of a vertex are defined. For two vertices $v_i$ and $v_p$, where $i, p \in \{1, 2, \ldots, N_v\}$, if they are connected by an edge, $v_i$ is an adjacent neighbor of $v_p$. All adjacent neighbors of $v_i$ constitute its 1-ring neighborhood, and the neighbors of all vertices in the 1-ring neighborhood constitute its 2-ring neighborhood. Vertices are classified into the embedded set and the reference set, which are used for embedding data and predicting data, respectively. Specifically, one vertex in the embedded set is utilized to embed data, and its 1-ring neighborhood is left unchanged for prediction. Let the embedded set and the reference set be $S_e$ and $S_r$, respectively. In order to increase the embedding capacity, the size of $S_e$ must be maximized.
Vertices of $S_e$ are not connected to each other. If the graph is bipartite, a polynomial algorithm can identify the largest set of nonadjacent vertices. However, the 3D model contains loops of three vertices, so its patch structure cannot be represented by a bipartite graph. Thus, obtaining the maximum $S_e$ in the 3D model is an NP-hard problem, and the greedy algorithm is employed to obtain embedded vertices.
When a vertex is added to $S_e$, the 1-ring neighborhood of this vertex is added to $S_r$. According to the local optimal solution of the greedy algorithm, $S_r$ and $S_e$ should be kept small and large, respectively, by selecting the vertex with the smallest 1-ring neighborhood to be added to $S_e$. The specific steps of vertex classification are listed as follows.
Step a-1. Compute the vertex number of the 1-ring neighborhood for all vertices in the 3D model; we define it as the degree of each vertex.
Step a-2. Suppose that $k$ is the minimum of all degrees and choose vertices with the degree of $k$ to form a set, denoted as $V_k$. For example, $V_3$ consists of vertices with the degree of 3.
Step a-3. One vertex of $V_k$ is added to $S_e$, and the 1-ring neighborhood of this vertex is added to $S_r$.
Step a-4. Remove this vertex and its 1-ring neighborhood from the 3D model, and the degrees of vertices in the 2-ring neighborhood are updated.
Step a-5. If all vertices of the 3D model are assigned to $S_e$ or $S_r$, the vertex classification is finished. Otherwise, return to Step a-2 until all vertices are assigned.
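Steps a-1 to a-5 as an added example, not the authors' MATLAB implementation. The seven-vertex fan mesh, the 0-based indices and the lowest-index tie-break are assumptions made for the example; the `by_degree=False` mode is a constructed contrast that scans in index order and is not the method of [41] or [43].

```python
def build_adjacency(num_vertices, faces):
    """Step a-1: 1-ring neighbourhoods from triangular faces (0-based indices)."""
    adj = {v: set() for v in range(num_vertices)}
    for a, b, c in faces:
        for u, w in ((a, b), (b, c), (c, a)):
            adj[u].add(w)
            adj[w].add(u)
    return adj


def classify_vertices(adj, by_degree=True):
    """Greedy split into the embedded set Se and the reference set Sr.

    `remaining` is the residual mesh: vertices not yet assigned, each with
    the neighbours that are also still unassigned, so len(remaining[v]) is
    the current degree. The min() scan makes this O(V^2), fine for a demo.
    """
    remaining = {v: set(n) for v, n in adj.items()}
    embedded, reference = [], set()
    while remaining:                                   # step a-5 loop
        if by_degree:
            # Steps a-2/a-3: a vertex of minimum current degree.
            v = min(remaining, key=lambda u: (len(remaining[u]), u))
        else:
            v = min(remaining)                         # index order only
        ring1 = remaining.pop(v)
        embedded.append(v)
        reference |= ring1
        # Step a-4: remove the 1-ring and update degrees in the 2-ring.
        for r in ring1:
            for x in remaining.pop(r):
                if x in remaining:
                    remaining[x].discard(r)
    return embedded, sorted(reference)


def is_independent(embedded, adj):
    """True if no two embedded vertices share an edge in the original mesh."""
    chosen = set(embedded)
    return all(not (adj[v] & chosen) for v in embedded)


# Constructed mesh: centre vertex 0 surrounded by a ring of vertices 1..6.
FAN_FACES = [(0, 1, 2), (0, 2, 3), (0, 3, 4), (0, 4, 5), (0, 5, 6), (0, 6, 1)]

if __name__ == "__main__":
    adj = build_adjacency(7, FAN_FACES)
    print(classify_vertices(adj))                   # degree-ordered greedy
    print(classify_vertices(adj, by_degree=False))  # index-order scan
```

On this mesh the degree-ordered pass embeds in three vertices, while starting from the high-degree centre vertex leaves only one embeddable vertex.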
In order to describe the processes clearly, an example is illustrated in Figure 2. First, we scan $v_1, v_2, \ldots, v_{10}$ and $v_{11}$ and compute their degrees. We obtain $V_2$ = {$v_4$

Prediction Error Computation
The 1-ring neighborhood is used to predict the current vertex in $S_e$, and the prediction value of $v_i$ is computed as where $v_l$ is a 1-ring neighborhood vertex of $v_i$ from $S_r$, and $N_i$ is the number of vertices in the 1-ring neighborhood. In the spatial domain, the prediction value is close to $v_i$, and the prediction error is computed as: $\Delta v_i$ includes three directional values, and its module length is often small. Suppose that $D$ is the maximum module length for all prediction errors, and $|\Delta v_i|$ satisfies:

Data Embedding
Before data embedding, the secret data are divided evenly into several groups; suppose that $w_0, w_1, \ldots, w_{n-1}$ are the bits in each group, where $n$ is the number of bits. The weight of each bit is computed as: $v_i$ is modified to embed data: where $d$ is the secret key for data embedding, $\vec{b} = (1, 1, 1)$, and the corresponding module length of $\Delta v_i$ is changed. In the encryption domain, data are embedded as: where $r_{s_w}$ is the random integer, and $c_{s_w}$ is the encrypted ciphertext of $s_w \cdot d$.
After embedding data, the prediction error is modified as: When the directions of $\Delta v_i$ and $\vec{b}$ are the same, the module length of the modified prediction error is the maximum. If the directions of $\Delta v_i$ and $\vec{b}$ are opposite, it is the minimum, which is From Equation (17), it can be concluded that the module length of the modified prediction error is in the range of $s_w \times \sqrt{3}d - |\Delta v_i|$ to $s_w \times \sqrt{3}d + |\Delta v_i|$.

Parameter d
In order to increase the correctness of data extraction, the ranges of module lengths should not overlap after embedding the secret data. After embedding $s_w + 1$, its minimum module length should be greater than the maximum module length after embedding $s_w$; that is, From Equation (18), we can obtain $d \geq 2 \times |\Delta v_i|/\sqrt{3}$. If $d = 2 \times D/\sqrt{3}$, the ranges of module lengths do not overlap for different $s_w$, and $|\Delta v_i| \in [0, \sqrt{3}d/2]$. After data embedding, the range of $|\Delta v_i|$ is defined as: Figure 3 shows the value of $|\Delta v_i|$ after '0' or '1' is embedded, and, obviously, the module length of embedding '1' is greater than that of embedding '0'.

Data Extraction and Model Recovery
On the receiving side, when the Stego and encrypted 3D model is received, it can be decrypted via the private key $\gamma$. The decrypted vertex is computed as: Since the coordinates of a few vertices are modified, the decrypted 3D model is similar to the original 3D model. After decryption, the data extraction and 3D model recovery are processed:
Step b-1. All vertices are classified into the embedded set and the reference set according to the greedy algorithm.
Step b-2. The prediction error $\Delta v_i$ of $v''_i$ is computed.
Step b-3. Equation (21) is used to obtain the range of $s_w$: From Equation (21), only one integer is in the range, and $s_w$ can be extracted correctly. $s_w$ is converted to the binary bits as:
Step b-4. Via $d$ and $s_w$, the original 3D model is recovered as:
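The embedding rule, the bound on $d$, and Steps b-2 to b-4, worked on decrypted integer coordinates as an added example that is not the paper's code. Assumptions: $s_w$ is the binary value of the bit group with $w_0$ least significant, extraction rounds the stego module length divided by $\sqrt{3}d$ to the nearest integer (which follows from the stated range when $|\Delta v_i| < \sqrt{3}d/2$), and the vertex and its 1-ring are constructed values.

```python
import math

SQRT3 = math.sqrt(3)  # length of the embedding direction b = (1, 1, 1)


def bits_to_sw(bits):
    """Assumed weighting: s_w = sum(w_k * 2^k), with w_0 least significant."""
    return sum(w << k for k, w in enumerate(bits))


def sw_to_bits(sw, n):
    """Inverse of bits_to_sw for an n-bit group."""
    return [(sw >> k) & 1 for k in range(n)]


def module_length(v, ring1):
    """Length of the prediction error: v minus the mean of its 1-ring."""
    pred = [sum(p[j] for p in ring1) / len(ring1) for j in range(3)]
    return math.sqrt(sum((v[j] - pred[j]) ** 2 for j in range(3)))


def min_d(D):
    """Smallest integer d with d >= 2*D/sqrt(3), the page's bound on d."""
    return math.ceil(2 * D / SQRT3)


def embed(v, bits, d):
    """Shift v by s_w*d along b = (1, 1, 1).

    In the encrypted domain the cloud multiplies each coordinate ciphertext
    by En(s_w*d); after decryption the result is this plaintext sum.
    """
    shift = bits_to_sw(bits) * d
    return tuple(c + shift for c in v)


def extract_and_recover(v_stego, ring1, d, n):
    """Steps b-2..b-4: return (bits, recovered vertex)."""
    ratio = module_length(v_stego, ring1) / (SQRT3 * d)
    sw = min(math.floor(ratio + 0.5), 2 ** n - 1)  # nearest integer, n bits
    return sw_to_bits(sw, n), tuple(c - sw * d for c in v_stego)


def bit_errors(v, ring1, d, n):
    """Wrong bits when every possible n-bit group is embedded in v."""
    errors = 0
    for sw in range(2 ** n):
        bits = sw_to_bits(sw, n)
        got, _ = extract_and_recover(embed(v, bits, d), ring1, d, n)
        errors += sum(a != b for a, b in zip(bits, got))
    return errors


# Constructed sample: the 1-ring mean is (5000, 5000, 5000), so the
# prediction error of VERTEX is (12, -9, 7) with length sqrt(274) ~ 16.55.
RING1 = [(5000, 5000, 5000), (5060, 4940, 5030), (4940, 5060, 4970)]
VERTEX = (5012, 4991, 5007)
BITS = [1, 0, 1]  # s_w = 5

if __name__ == "__main__":
    for d in (min_d(17), 5):   # d from the bound with D = 17, then a small d
        stego = embed(VERTEX, BITS, d)
        print(d, stego, extract_and_recover(stego, RING1, d, 3),
              bit_errors(VERTEX, RING1, d, 3))
```

With $d$ below the bound the module-length ranges overlap, so both the extracted bits and the recovered vertex are wrong, which is the BER behaviour the page reports for low $d$.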

Experimental Results and Discussion
The experiments were implemented in MATLAB R2016b under Windows 7 Pro. To demonstrate the effectiveness of the proposed method, one hundred 3D models were used for testing, and six 3D models are illustrated in Figure 4.
The SNR was used to evaluate the quality of the Stego 3D model. where $N_v$ is the number of vertices, $v_{i,x}$, $v_{i,y}$, and $v_{i,z}$ are the vertex coordinates of the original 3D model, $g_{i,x}$, $g_{i,y}$, and $g_{i,z}$ are the vertex coordinates of the Stego 3D model, and $\bar{v}_x$, $\bar{v}_y$, and $\bar{v}_z$ are the means of $v_{i,x}$, $v_{i,y}$, and $v_{i,z}$, respectively. Suppose that $SNR_D$ is the SNR of the decrypted 3D model, and $SNR_R$ is the SNR of the recovered 3D model. BER is used to evaluate the correctness of the data extraction. For the parameter $D$, we compute the maximum module lengths for the 3D models, and it is concluded that $D < 250$ [43].

Discussion of Parameters d and n
In order to show the feasibility of the proposed data hiding method, 1024 bits were embedded in the 3D models, and the data could be extracted completely. Taking 'Solider' as an example, the 'solider' encrypted using the Paillier cryptosystem cannot be recognized, as illustrated in Figure 5b. Without data extraction, the 3D model can be decrypted as illustrated in Figure 5d, and the decrypted 3D model is similar to the original 3D model. The 3D model can be recovered completely and data can be extracted without any error, as illustrated in Figure 5e,f, respectively.
The parameters d and n are related to the 3D model's quality and the correctness of the data extraction. When d is low, BER is increased and the 3D model distortion is small, as illustrated in Figure 6a. If d is high, BER is decreased and the distortion of the 3D model is increased.
If n is large, sw is large, and the embedding capacity and the corresponding model distortion are increased, as illustrated in Figure 6. For instance, when n = 1 and d = 110, the corresponding BER = 2.89%, SNRD = 15.34 dB, and SNRR = 33.89 dB. From the experiments, we can conclude that when d = 150 and n = 3, the model distortion is small and BER is small as well. Figure 7 shows the visual quality of the 3D models for different values of d when n = 3, and Figure 8 shows the visual quality of the decrypted 3D models for different values of n when d = 150. It was also found that the decrypted 3D model was similar to the original 3D model.

Vertex Classification Comparison
In order to show the effectiveness of the proposed method for classifying the vertex into the embedded set and the reference set using the greedy algorithm, Jiang's [41] and Li's methods were used for comparison, as shown in Table 3. In Jiang's [41] method, the number of vertices in Se is large, but some vertices are connected, which will lead to high BER of data extraction. The proposed method classifies the vertices more efficiently by using the greedy algorithm compared with Jiang's [41] method since the number of connected vertices is 0. The number of vertices in Se is greater than in Li's [43] method, which indicates that the proposed method can embed more bits.

Performance Comparison
In order to show the effectiveness of the proposed method, Li's [43] method was first used for comparison. We embedded one bit in each vertex, and, as shown in Table 4, the proposed method performed better than Li's [43] in relation to the embedding capacity and the 3D model quality. This is mainly because the greedy algorithm for vertex classification is superior to the dyeing algorithm. This also shows that the proposed method successfully achieves low embedding capacity. In Table 5, Jiang's [41] and Li's [42] methods are used for comparison. Compared with Jiang's [41] method, the embedding capacity of the proposed method is nearly three times higher, at 0.972 bpp, as shown in Table 5. The corresponding BER is also lower than that of Jiang's method and the quality is also higher. Compared with Li's [42] method, although the image quality is slightly lower, the embedding capacity is still much higher. Moreover, when d is adjusted to 289, the image quality of the proposed method can be increased significantly. Thus, in summary, the proposed method is superior to the other two methods, with proven effectiveness.

Conclusions
In this paper, a reversible data hiding in encrypted domain (RDH-ED) based on prediction error expansion (PEE) has been presented. Before being sent to the cloud for storage, the 3D model is encrypted using the homomorphic Paillier cryptosystem so that the content cannot be accessed by the cloud administrator. In the cloud service, data are embedded into the encrypted domain for management of the 3D model. Specifically, the vertices of the 3D models are divided into embedded and reference sets using the greedy algorithm, and the maximum vertex number is obtained for the embedded set in order to increase the embedding capacity. The reference vertex is used to compute the prediction value of the embedded vertex, and the corresponding prediction error is calculated and expanded to embed data. On the receiving side, the secret data are extracted by comparing the module length of the prediction error, and the original 3D model can be reconstructed. The experimental results show that the proposed method is superior to the existing RDH-ED methods. However, when the embedding capacity is high, the visual quality is reduced significantly; we will attempt to resolve this in future studies.