Reversible Data Hiding Scheme in Homomorphic Encrypted Image Based on EC-EG

Abstract

To combine homomorphic public key encryption with reversible data hiding, a reversible data hiding scheme in homomorphic encrypted image based on EC-EG is proposed. Firstly, the cover image is segmented. The square grid pixel group randomly selected by the image owner has one reference pixel and eight target pixels. The n least significant bits (LSBs) of the reference pixel and all bits of target pixel are self-embedded into other parts of the image by a method of predictive error expansion (PEE). To avoid overflowing when embedding data, the n LSBs of the reference pixel are reset to zero before encryption. Then, the pixel values of the image are encrypted after being encoded onto the points of the elliptic curve. The encrypted reference pixel replaces the encrypted target pixels surrounding it, thereby constructing the mirroring central ciphertext (MCC). In a set of MCC, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts, while the reference pixel remains unchanged. The receiver can directly extract additional data by homomorphic subtraction in ciphertexts between the target pixels and the corresponding reference pixel; extract the additional data by subtraction in plaintexts with the directly decrypted image; and restore the cover image without loss. The experimental results show that the proposed scheme has higher security than the similar algorithms, and the average embedding rate of the scheme is 0.25 bpp under the premise of ensuring the quality of the directly decrypted image.

1. Introduction

Data hiding (DH) and digital watermarking (DW) are two of the important contents of cyberspace security research, which have been greatly developed in recent years. Various new technologies and new methods for them emerge one after another. For example, Abdallah et al. [1,2] proposed some new algorithms for video watermarking. Yu et al. [3] summarized the current robust video watermarking algorithms for copyright protection. However, most steganography algorithms cause permanent distortion of the original carrier after embedding the data, which is not allowed in some areas where data authentication is required, such as privacy protection in the cloud environment, military combat map transmission, etc. [4]. Reversible data hiding (RDH) [5] takes data hiding and distortion-free recovery of the original carrier into account. Currently, RDH algorithms mainly include: lossless compression (LC) [6,7], difference expansion (DE) [8,9] and histogram shifting (HS) [10,11]. With the promotion of cloud services, for the purpose of privacy protection, users usually encrypt the uploaded data, so that the original data become incomprehensible ciphertext data. Reversible data hiding in encrypted image (RDH-EI) comes into being and has become the latest research hotspot. The RDH-EI requires that the carrier used for embedding be encrypted, and the carrier still be decrypted without error after extracting embedded data. RDH-EI is an important combination of signal processing technology and data hiding technology in encrypted domain. It has dual functions of privacy protection and secret information transmission for information security in data processing. There are two main applications in medical health. The first is the integrity protection of medical images. Medical images are mostly digital images that are easily copied, edited, or maliciously altered while being easy to store. A more mature technique for protecting image integrity information is digital signatures. The main principle is to generate non-repudiation hash values that are appended to original image and transmitted to the receiver. However, in reality, confidential communications often run the risk of being attacked by malicious attacks and analysis. The way to directly attach the hash value to the image is easily vandalized and replaced, thus increasing the difficulty of image authentication. On some special occasions, image reversible information hiding can be used as an important complementary technology to digital signatures, embedding image integrity information such as hash values into medical images. The receiver can not only recover the medical image reversibly, but also correctly extract the legal authentication information to protect the integrity of the medical image. The second is encrypted image management in telemedicine. Image-oriented telemedicine is widely used in the future information society. For the purposes of confidentiality and privacy protection, medical images sometimes need to be encrypted beforehand and sent to third parties such as the cloud for management. The sensitive information such as the medical record is embedded in encrypted image by means of RDH-EI, so that encrypted image management in telemedicine can be realized.

Zhang [12] firstly proposed RDH-EI, which encrypts images with stream ciphers, and then divides encrypted images into blocks that do not overlap each other. Each block has two groups. By flipping each pixel’s three least significant bits (LSBs) in the corresponding group, 1-bit information can be embedded. The receiver extracts extra data through the wave function. However, when the block is small, the error rate becomes high. Hong et al. improved Zhang’s method by using a wave function capable of edge matching in [13] and using unbalanced bit flipping in [14]. In [15], Zhang proposed a separable RDH-EI algorithm, which can extract additional data in both the encrypted domain and the plaintext domain. The above RDH-EI algorithms need to vacate room after encryption (VRAE) for data hiding, resulting in lower embedding capacity of the algorithm and higher error rate in the data extraction process. Ma et al. [16] proposed a RDH-EI algorithm by vacating room before encryption (VRBE). Zhang et al. [17] improved reversibility, embedding capacity, and image quality by exploiting prediction errors in data embedding.

The RDH-EI algorithms mentioned above are to encrypt images with symmetric cryptography because symmetric cryptography has lower computational complexity and faster encryption and decryption speed. However, because of using symmetric cryptography, each pair of senders and receivers must have different keys, which are required in the context of current multi-party cloud computing services. The amount of keys is huge, which makes it difficult to manage keys. For example, in a communication network with n users, each user must use $n-1$ keys to communicate with the remaining $n-1$ users, and the total number of keys in the system will be up to ${C^2}_n=n(n-1)/2$. Such a large amount of keys will have insecurities in the various aspects of saving, transferring, using and destroying. In addition, both parties using symmetric cryptography must use the same key for encryption and decryption, thus the key must be transmitted over the secure channel before communication. If the key is stolen during the delivery process, or either party leaks the key, the encrypted data will be insecure. Because symmetric cryptography has the above shortcomings of designing the RDH-EI algorithms, we naturally use public key cryptography into the RDH-EI algorithms. The key amount of the public key cryptography is greatly reduced, and the key does not need to be transferred in advance. More importantly, with public key cryptography, we can perform homomorphic addition and homomorphic multiplication in the encrypted domain, which makes the embedding process of additional data more secure.

Differing from RDH-EI, Chen et al. [18] firstly proposed encrypted image-based reversible data hiding with public key cryptography (EIRDH-P). In EIRDH-P, the characteristics of public key cryptography overcome the shortcoming that symmetric encryption requires the safe channel to pass the key in advance. The algorithm embeds the 1-bit information into a pair of adjacent encrypted pixels. According to the homomorphic characteristics of the Paillier cryptosystem, the receiver obtains the secret information by comparing all the decrypted pixel pairs. The disadvantage of the Chen’s method is that there is an inherent overflow problem. Subsequently, Shiu et al. [19] and Wu et al. [20] improved Chen’s method by solving the overflow problem. The above inseparable algorithms limit the application scenario and scope of the algorithms, and the separable algorithms have more application scenarios. The receiver’s privilege determines different operations it can perform, for example the receiver can only extract additional data, the receiver can only decrypt the image, and the receiver can both decrypt the image and extract additional data.

In 2016, Zhang et al. [21] first proposed a separable EIRDH-P algorithm, which combines wet paper code (WPC) [22] with Paillier homomorphic encryption. Zhang’s method vacates room by histogram shrinking and uses WPC to embed additional data. Xiang et al. [23] proposed a RDH-EI algorithm based on mirroring ciphertext groups (MCGs) by using the homomorphic and probabilistic characteristics of the Paillier cryptosystem. In summary, using the homomorphic characteristics of public key cryptography for RDH-EI is the latest research hotspot, which we call reversible data hiding in homomorphic encrypted image (RDH-HEI). This paper proposes a RDH-HEI scheme based on EC-EG. Firstly, the cover image is segmented. The square grid pixel group randomly selected by the image owner has one reference pixel and eight target pixels. The n LSBs of the reference pixel and all bits of the target pixels are self-embedded into other parts of the image by a method of predictive error expansion (PEE). To avoid overflowing when embedding data, the n LSBs of the reference pixel are reset to zero before encryption. Then, the pixel values of the image are encrypted after encoded onto the points of the elliptic curve. The encrypted reference pixel replaces the encrypted target pixels surrounding it, thereby constructing the mirror central ciphertext (MCC). In a set of MCC, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts, while the reference pixel remains unchanged. The receiver can achieve separation of additional data extraction from cover-image recovery, additional data extraction without any errors, and reversibility completely.

The rest of this paper is organized as follows. Section 2 briefly describes homomorphic EC-EG cryptosystem, its properties and reviews predictive error expansion for reversible data hiding in the plain domain. Implementation of the proposed RDH-HEI scheme is elaborated in Section 3. Simulation experiment and theoretical analysis are presented in Section 4. Finally, the conclusion is drawn in Section 5. It is important to note that a preliminary version [24] of this paper is in proceedings of the “11th Intelligent Networking and Collaborative Systems (INCoS-2019)”.

2. Related Knowledge

2.1. Elliptic Curve

The image trajectory of elliptic curve is not an ellipse, but a cubic curve on a plane. However, it is a problem that people find when studying the arc length of an ellipse.

Definition 1.

Elliptic curve is a plane curve determined by the cubic Weierstrass equation:

$$y^2+axy+by=x^3+c{x}^2+dx+e$$

(1)

The points on the curve satisfy the equation. If the coefficient is $a,b,c,d,e\in F_P$, the number of points on the curve is finite, and all the points on the curve plus an artificial infinity point constitute the set $E\left(F_p\right)$ and the number of points in $E\left(F_p\right)$ is recorded as $\#E\left(F_P\right)(p+1-2\sqrt{p}\le \#E\left(F_P\right)\le p+1+2\sqrt{p})$.

When constructing a cryptosystem, the following elliptic curve is mainly used:

$$y^2=x^3+ax+b(x,y,a,b\in F_P)$$

(2)

Figure 1 shows the distribution of points on the elliptic curve when $a=4,b=20,p=33331$.

Theorem 1.

The set $E\left(F_p\right)$ of points on the elliptic curve forms an Abel group for the addition defined below:

1. 

$\mathrm{O}+\mathrm{O}=\mathrm{O}$

2. 

$\forall (x,y)\in E\left(F_P\right),(x,y)+\mathrm{O}=(x,y)$

3. 

$\forall (x,y)\in E\left(F_P\right),(x,y)+(x,-y)=\mathrm{O}$

4. 

(addition rule)If $(x_1,y_1)+(x_2,y_2)=(x_3,y_3)$ is satisfied when $x_1\ne x_2$, then

$$\left\{\begin{array}{c}{x}_3={\lambda }^2-x_1-x_2\hfill \\ y_3=\lambda (x_1-x_3)-y_1\hfill \end{array}\right.,\lambda =\frac{y_2-y_1}{x_2-x_1}$$

(3)

5. 

(multiple point rule) $\forall (x_1,y_1)\in E\left(F_P\right),y_1\ne 0$, If $2(x_1,y_1)=(x_2,y_2)$ is satisfied, then

$$\left\{\begin{array}{c}{x}_2={\lambda }^2-2x_1\hfill \\ y_2=\lambda (x_1-x_2)-y_1\hfill \end{array}\right.,\lambda =\frac{3x_1^2+a}{2y_1}$$

(4)

2.2. Elliptic Curve Public Key Cryptography

Elliptic curve discrete logarithm problem (ECDLP) means that x is determined by a given P and Q, that is to say, if $P\in E\left(F_P\right)$ is the set, then $\exists x\in N^{\ast }$ makes $Q=xP$ true. The elliptic curve discrete logarithm problem is more difficult to deal with than the discrete logarithm problem on the finite field, and the security is also higher.

Definition 2.

Suppose that E is an elliptic curve and G is a point on E. If $\exists n\in N^{\ast }$ exists, $nG=\mathrm{O}$ is established, then n is said to be the order of point G, where O is the infinity point.

Implementation of elliptic curve ElGamal (EC- EG):

Key generation: Select the base field $F_p$, the elliptic curve $E_p$, and encode the plaintext information m to the point $M\left(m\right)$ on the curve. Select the generator G (base point) of $E_p$ as the public parameter. The user selects the private key $sk\in F_P(sk<n)$ and the public key is $pk=skG$.

In cryptography, describe an elliptic curve on an $F_p$, commonly used to six parameters: $T=(p,a,b,G,n,h)$ (p, a and b are used to determine an elliptic curve, h is the integer part of the number $\#E\left(F_P\right)$ of all points on the elliptic curve divided by n). The choice of these parameters directly affects the security of encryption. The parameter values generally require the following conditions to be met:

• p is of course larger and safer, but the larger is p, the slower is the calculation speed. p is about 200 bits to meet general safety requirements:
• $p\ne n\times h$;
• $p^t\ne 1(modn),1\le t<20$;
• $4a^3+27b^2\ne 0(modp)$;
• n is a prime number; and
• $h\le 4$.

Encryption: Bob selects a random integer $r(r<n)$ and calculates the ciphertext as

$$C\left(m\right)=(C_1,C_2)=(rG,M\left(m\right)+rpk)$$

(5)

Decryption: Alice calculates $M\left(m\right)=C_2-sk{C}_1$ to complete the decryption.

Homomorphic addition: After encoding the plaintext $(m_1,m_2)$ to the two points $(M\left(m_1\right),M\left(m_2\right))$ on $E_p$, the ciphertext is calculated according to Equation (6) using random integer $(r_1,r_2)$.

$$\begin{array}{cc}\hfill C\left(m_1\right)& =(C_{11},C_{21})=(r_{1}G,M\left(m_1\right)+r_{1}pk)\hfill \\ \hfill C\left(m_2\right)& =(C_{12},C_{22})=(r_{2}G,M\left(m_2\right)+r_{2}pk)\hfill \end{array}$$

(6)

According to $pk=skG$ in Key generation, the homomorphic addition can be expressed as

$$\begin{array}{cc}\hfill C\left(m_1\right)+C\left(m_2\right)=& C_{21}+C_{22}-sk{C}_{11}-sk{C}_{12}\hfill \\ \hfill =& M\left(m_1\right)+r_{1}pk+M\left(m_2\right)+r_{2}pk-r_{1}skG-r_{2}skG\hfill \\ \hfill =& M\left(m_1\right)+M\left(m_2\right)\hfill \end{array}$$

(7)

That is, the sum of the two ciphertexts is equal to the sum of the plaintexts after decryption.

2.3. Rhombus Pattern Based PEE

The rhombus prediction error extension [25] is to divide the image pixels into overlapping pixel groups. Pixels of a group are further divided into “×” and “•” sets. Pixels of “×” set are used for data embedding and pixels of “•” set are used for prediction. Figure 2 illustrates that a pixel $p_{i,j}$ in the “×” set is predicted by its four neighboring pixels $(p_{i,j-1},p_{i,j+1},p_{i-1,j},p_{i+1,j})$ in the “•” set. The embedding, extraction and recovery procedures are given as follows.

2.3.1. The Embedding Procedure

The predicted value $p_{i,j}^{\prime }$ is the average of four adjacent pixel values of $p_{i,i}$ and is calculated by Equation (8).

$$p_{i,j}^{\prime }=⌊\frac{p_{i,j-1}+p_{i,j+1}+p_{i-1,j}+p_{i+1,j}}{4}⌋$$

(8)

The prediction error $e_{i,j}$ is the difference between the original pixel $p_{i,j}$ and the predicted value $p_{i,j}^{\prime }$ and is calculated by Equation (9).

$$e_{i,j}=p_{i,j}-p_{i,j}^{\prime }$$

(9)

The difference expansion method [26] is employed to expand the prediction error $e_{i,j}$ for data embedding. Equation (10) is used for PEE.

$$e_{i,j}^{\prime }=2\times e_{i,j}+b$$

(10)

where $e_{i,j}^{\prime }$ is the modified prediction error after data embedding and b is one bit of the message to be embedded. Thus, each group can embed one bit of information. The modified pixel value $P_{i,j}$ after data embedding is calculated by Equation (11).

$$P_{i,j}=e_{i,j}^{\prime }+p_{i,j}^{\prime }$$

(11)

2.3.2. Overflow or Underflow Processing

The PEE data embedding may cause overflow or underflow. $L\_map$ can be used to avoid embedding into pixels that cause overflow or underflow. Substituting $p_{i,j}^{\prime }$ from Equation (9) and $e_{i,j}^{\prime }$ from Equation (10) into Equation (11), we get

$$P_{i,j}=e_{i,j}+p_{i,j}+b$$

(12)

According to Equation (12), it is clear that pixels that do not cause overflow or underflow satisfy the condition in Equation (13).

$$0\le e_{i,j}+p_{i,j}\le 254$$

(13)

The $L\_map$ to record the positions of invalid groups can be created by pre-processing the original image. Each group of the original image is checked for Equation (13) and records the row and column binary data of invalid groups. The $L\_map$ is compressed and then self-embedded into to the image.

2.3.3. Extraction and Recovery Procedures

The extraction procedure is the inverse of the embedding procedure. Since the “•” pixels do not change, the receiver has the same predicted pixel value $p_{i,j}^{\prime }$ of “×” pixels as the image owner. Given the modified pixel value $P_{i,j}$ and the modified prediction error $e_{i,j}^{\prime }$, Equation (14) is used to calculate which additional data have been embedded.

$$e_{i,j}^{\prime }=P_{i,j}-p_{i,j}^{\prime }$$

(14)

Then, the embedded information is calculated by Equation (15).

$$b=e_{i,j}^{\prime }mod2$$

(15)

Equation (16) is used for calculating the original prediction error $e_{i,j}$.

$$e_{i,j}=⌊\frac{e_{i,j}^{\prime }}{2}⌋$$

(16)

Finally, the original pixel value $p_{i,j}$ is recovered as

$$p_{i,j}=p_{i,j}^{\prime }+e_{i,j}$$

(17)

3. Proposed Scheme

3.1. Overall Framework of the Proposed Scheme

The overall framework of RDH-HEI based on EC-EG is shown in Figure 3. Firstly, the image is divided into non-overlapping $A,B,C$, and then the space is reserved by the PEE algorithm. The image owner encodes the pixel values of image onto the points of the elliptic curve. Finally, the MCC is constructed after encrypting image with the public key $pk$. The data hider divides the encrypted image into non-overlapping $A_E,B_E,C_E$ in the same way as the image owner, scrambles the additional data with the hidden key $k_2$ and then encrypts it with $pk$. Finally, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts. The addition operation embeds the encrypted additional data into the lower n bits of the target pixel. When the receiver owns the private key $sk$ and the hidden key $k_2$ of the data hider, the homomorphic subtraction in ciphertexts is used to extract the encrypted information, which is then decrypted by $sk$ and the additional data are restored by $k_2$. When the receiver only has the private key $sk$ of the image owner, a directly decrypted image containing additional data can be obtained. When has the private key $sk$, the self-embedded key $k_1$, and the hidden key $k_2$, the receiver can extract additional data after decryption and restore the cover image losslessly.

3.2. Room Reserving

3.2.1. Image Partition

Before the cover image is segmented, the pixel values of the image must be encoded to the points of the elliptic curve. Then, it can be encrypted using EC-EG. The grayscale image has a pixel value between 0 and 255. It is necessary to map the pixel values one by one to the points on the elliptic curve. The image owner divides the cover image into three non-overlapping blocks $A,B,C$, as shown in Figure 4.

3.2.2. Self-Reversible Embedding

Self-reversible embedding is to embed all bits of the target pixels in A, n LSBs of the reference pixels in A and the LSB in B into C through the PEE algorithm. $A_{r\_map}$ is the set of locations of reference pixels in A, and the image owner sends n and $A_{r\_map}$ as shared parameters to the data hider and receiver. More importantly, $L\_map$ is scrambled by the self-embedding key $k_1$, and is embedded into B by replacing the LSB for data extraction and image recovery to achieve complete reversibility.

3.2.3. Vacating Room

After self-reversible embedding, all bits of the target pixels $P_t$ and n LSBs of the reference pixels $p_r$ are saved in C. The image owner sets n LSBs of the reference pixels $P_r$ to zero, and then the additional data are embedded into n LSBs of the target pixels $P_t$ that have been set to zero by homomorphic addition in ciphertexts. This operation can also avoid overflow when embedding data into the encrypted domain. Figure 5 describes the proposed scheme more intuitively.

3.3. Image Encryption

After vacating room, the image owner randomly selects an integer $r_{i,j}$, $i=1,2,\cdots ,M$, $j=1,2,\cdots ,N$ for each pixel $p_{i,j}$, and encrypts the image with the public key $pk$ to obtain the ciphertexts.

$$M(C_{P_{i,j}^{\prime }})=(C_{1_{i,j}},C_{2_{i,j}})=(r_{i,j}G,M(P_{i,j}^{\prime })+r_{i,j}pk)$$

(18)

3.4. Construction of Mirroring Central Ciphertext

As shown in Figure 5, the image owner constructs the MCC by replacing the ciphertexts of the target pixels with the ciphertext of the reference pixel, which is $C_t^{\prime }=C_r$. In a square grid, all target pixels become mirror of the reference pixel. All target pixels have the same ciphertext and the n LSBs that have been set to zero as the reference pixels.

3.5. Data Hiding

The data hider first scrambles the extra information with the hidden key $k_2$. Then, it groups the scrambled additional data w, and each group has n bits, which is recorded as $w_0,w_1,\cdots ,w_{n-1}$. From this, the decimal value of each dataset can be calculated as:

$$S_w={\displaystyle \sum _{i=0}^{n-1}}{w}_i\times 2^i,(S_w=0,1,\cdots ,2^n-1)$$

(19)

To enhance confidentiality, the data hider can choose a random integer $r_{S_w}(r_{S_w}<n)$ for each $S_w$ and encrypt it with EC-EG to get the ciphertext $C_{S_w}$.

$$M\left(c_{S_w}\right)=(r_{S_w}G,M\left(S_w\right)+r_{S_w}pk)$$

(20)

According to the method of room reserving, the encrypted image is divided into non-overlapping $A_E,B_E,C_E$. The data hider embeds additional data into the encrypted domain as following:

$$\begin{array}{cc}\hfill M\left(c_t^{″}\right)& =M\left(c_t^{\prime }\right)+M\left(c_{S_w}\right)\hfill \\ & =(r_{t}G,M\left(t^{\prime }\right)+r_{t}pk)+(r_{S_w}G,M\left(S_w\right)+r_{S_w}pk)\hfill \\ & =M\left(t^{\prime }\right)+r_{t}pk+M\left(S_w\right)+r_{S_w}pk-sk{r}_{t}G-sk{r}_{S_w}G\hfill \\ & =M\left(t^{\prime }\right)+M\left(S_w\right)\hfill \end{array}$$

(21)

Among them, $c_t^{″}$ is the encrypted target pixel with hidden data. Suppose that a group contains 3 bits of data, which are $n=3,\left(w_0{w}_1{w}_2\right)=\left(100\right)$. Then, we can calculate $S_w=1,c_{S_w}=E(1,r_{S_w})$. As shown in Figure 5e, the data hider performs homomorphic addition in ciphertexts to embed 3 bits of additional data into the corresponding $MCC[c_t^{\prime }=E(160,r_r),c_r=E(160,r_r)]$, and then obtains the corresponding $c_t^{″}=E(161,r_{S_w}+r_r)$.

3.6. Data Extraction

3.6.1. Extract the Embedded Data from Encrypted Image

As shown in Figure 5h,i, when having the shared parameter n, $A_{r\_map}$, the private key $sk$ and the hidden key $k_2$, the receiver extracts additional data from the received encrypted image with hidden data by using homomorphic subtraction in ciphertexts. The steps are as follows:

Step 1. The received image is divided into blocks in the same way as the process of room reserving. As shown in Figure 5e, the legal receiver extracts the square grid with hidden data.

Step 2. In the MCC, the encrypted target pixels with hidden data are $M\left(c_t^{″}\right)=M\left(c_r\right)+M\left(c_{S_w}\right)$. $M\left(C_{S_w}\right)$ is extracted by the homomorphic subtraction, which is $M\left(c_{S_w}\right)=M\left(c_t^{″}\right)-M\left(c_r\right)$.

Step 3. Use $M\left(S_w\right)=M\left(c_{S_w}\right)+r_{S_w}pk-sk{r}_{S_w}G$ to decrypt $M\left(C_{S_w}\right)$ to $M\left(S_w\right)$ and decode to get $S_w$.

Step 4. The receiver can use $w_i=⌊\frac{S_w}{2^i}⌋,i=0,1,\cdots ,n-1$ to get $w_0,w_1,\cdots ,w_{n-1}$, and then use the hidden key $k_2$ to perform scrambling recovery. Finally, we can extract additional data.

3.6.2. Extract the Embedded Data from Decrypted Image

As shown in Figure 5f,g, when the receiver only has the private key $sk$ of the image owner, a directly decrypted image with hidden data is obtained from $M\left(P_{i,j}^{″}\right)=M\left(C_{i,j}^{″}\right)+r_{i,j}pk-sk{r}_{i,j}G$, where $C_{i,j}^{″}$ is the ciphertexts with hidden data and $P_{i,j}^{″}$ is the corresponding plaintexts with hidden data. According to the method of room reserving, the directly decrypted image is divided into three parts of $A_D,B_D,C_D$, and $M\left(S_w\right)=M\left(P_t^{″}\right)-M\left(P_r^{″}\right)$ can be obtained by plaintext subtraction in the target pixel pair of the square grid, where $P_t^{″}$ and $P_r^{″}$ are the target pixels and reference pixels in the directly decrypted image, respectively. Finally, we can obtain additional data with the method in Steps 3 and 4 in Section 3.6.1.

3.7. Image Restoration

When the receiver has the private key $sk$, a self-embedded key $k_1$ and the hidden key $k_2$, additional data can be extracted after decryption and the original image can be restored. The directly decrypted image is obtained by decrypting with the private key $sk$, and the directly decrypted image is divided into three parts of $A_D,B_D,C_D$ according to the method of room reserving. Since the additional data are hidden in $P_t$ of $A_D$, the hidden key $k_2$ can be used for scrambling recovery after the additional data are extracted. The receiver extracts self-embedded data from $B_D$ and $C_D$ to restore the original image.

$L\_map$ is extracted from the LSB of $B_D$, and the self-embedded key $k_1$ is used to scrambling recovery. Finally, according to the extraction step of the PEE, all the self-embedded data can be extracted from $C_D$ and the data extracted from $C_D$ is used to complete the recovery of the $A_D$. The original image of reversible recovery has thus been obtained.

4. Simulation Experiment and Theoretical Analysis

4.1. Analysis of Embedded Capacity and PSNR

The 8-bit gray-scale images of $512\times 512$ size were selected in the experiment conducted by Java8 and MATLAB R2015b. Peak signal-to-noise ratio (PSNR) was calculated by Equation (22), which is the most commonly used criterion for evaluating image quality after embedding data.

$$PSNR=10\times {log}_{10}\left[\frac{{255}^2}{MSE}\right]$$

(22)

MSE is the mean square error between the cover image and the embedded image.

$$MSE=\frac{1}{M\times N}{\displaystyle \sum _{i=0}^{M-1}}{\displaystyle \sum _{j=0}^{N-1}}{\left[p(i,j)-c(i,j)\right]}^2$$

(23)

where $M\times N$ denotes the size of the image, $p(i,j)$ denotes pixel value of the cover image and $c(i,j)$ denotes pixel value of the embedded image. Through the size of PSNR value, we can clearly know whether the image with hidden data will be observed by the naked eye.

Table 1. Embedding capacity and PSNR values under different n.

Embedding Capacity (bits)		PSNR (dB)
		n = 1	n = 2	n = 3	n = 4
Lena	4095	51.681	53.448	54.719	45.353
	8190	48.765	51.13	51.786	43.472
	12,285	46.993	49.022	49.618	41.04
	16,380	45.658	48.012	48.32	40.132
	24,570	43.034	45.684	45.885	37.97
	32,760	40.82	44.301	44.456	36.384
	36,855	39.983	43.634	43.92	35.609
	49,140	38.219	42.09	42.667	34.353
	65,520	35.829	40.03	41.146	32.611

shows the embedding capacity and PSNR values of the Lena image under different n. Under the same embedding capacity, the PSNR value increases correspondingly with the increase of n. However, when n = 4, the PSNR value of the image is instead decreased because the distortion introduced by constructing the MCC becomes large.

Table 2. Embedding capacity and PSNR values under $n=3$.

Embedding Capacity (bits)	PSNR (dB)
	Lena	F-16	Man	Hill
4095	54.719	44.913	47.637	54.526
8190	51.786	43.715	44.158	50.866
12,285	49.618	42.896	42.486	48.695
16,380	48.32	42.12	41.422	46.843
24,570	45.885	40.956	40.277	44.61
32,760	44.456	39.956	39.31	42.919
36,855	43.92	39.574	38.897	42.353
49,140	42.667	38.599	37.73	40.561
65,520	41.146	37.727	36.527	39.135

shows the PSNR values and embedding capacities of the four images with the optimal parameter $n=3$. Moreover, the maximum size of images’ $L\_map$ is shown in

Table 3. Maximum size of images’ $L\_map$.

Image	(bits)
Lena	33
F-16	670
Man	755
Hill	128

. Different stages of Lena, F-16, Man and Hill images using the proposed scheme are shown in Figure 6.

4.2. Performance Comparison

Currently, reversible data hiding in homomorphic encrypted image mostly utilizes the Paillier cryptosystem.

Table 4. Performance comparison of RDH-HEI.

Literature	Features
	Separable	Computational Complexity of Data Hiding	Protection Mechanism of the Hidden Data
Method in [21]	Yes	$O\left(k^3\right)$	WPC mechanism
			Homomorphic and probabilistic
Method in [23]	Yes	$O\left(k\right)$	Mechanism of Paillier
Method in [27]	Yes	$O\left(k\right)$	SHE(R-LWE-based)
			Homomorphic Mechanism
The proposed scheme	Yes	$O\left(k\right)$	of EC-EG

summarizes some of the literature on the reversible data hiding in encrypted image using homomorphic property. Li et al. [27], using VRAE; our scheme; and Xiang et al. [23], using VRBE, could keep the amount of data transmitted unchanged. All of the algorithms in Table 4 have separable properties. In our proposed scheme, after the space is reserved and encrypted, the MCC is constructed. The extra information is embedded into the bit plane of the corresponding plaintext by homomorphic addition. The receiver extracts extra information by homomorphic subtraction in ciphertexts. Zhang et al. [21] used WPC coding to perform two information embedding. The computational complexity is $O\left(k^3\right)$ and k is the embedded capacity. Our algorithm and the one in [27] use homomorphic addition in ciphertexts to embed information. Xiang et al. [23] used Homomorphic multiplication in ciphertexts to embed information. The computational complexity of them is $O\left(k\right)$.

Zhang et al. [21] combined WPC coding and Paillier homomorphic encryption to embed additional information into the corresponding bit plane of the ciphertext. In the encrypted domain, the embedded information is protected by the WPC encoding mechanism, and the receiver cannot extract the embedded information without the key. However, when the receiver receives the ciphertext image, the same method can be used to forge the information, and the original embedded information may be overwritten or replaced. Xiang et al. [23] used the homomorphic and probabilistic properties of Paillier encryption to protect the embedded extra information. In [27], a high-capacity RDH-HEI algorithm is proposed by using the SHE homomorphism. The image owner divides the image pixels into groups of three, and then encrypts them with SHE, and the ciphertext expansion is small. The data hider sorts the absolute differences of each set of ciphertext pixels and generates an absolute difference histogram, embedding additional data by moving the ciphertext absolute difference histogram. The proposed scheme uses the homomorphic addition feature of EC-EG to protect the embedded extra information. When there is no shared parameter, the receiver cannot find the ciphertext embedded with the information, let alone extract, tamper or replace the additional information.

Figure 7 shows the PSNR performance comparison between the proposed scheme and the ones in [21,23,27]. The method in [27], the data are first embedded into the pixel position close to the peak. The method is that three encrypted adjacent pixels are selected as a group, and each group calculates two absolute differences, which are sorted according to the sum of two absolute differences of each group. The image distortion is reduced, thus its performance is generally higher than the scheme in our paper. The method in [21] uses the histogram shrinking to reserve the embedding space. However, the distortion caused by this method increases with the increase of the embedding capacity. The method in [23] is the same as the one in [21]. As the embedding capacity increases, the number of histogram shifts increases when the data are self-embedded. In addition, the distortion introduced by constructing MCGs is also getting larger and larger, which leads to faster performance degradation of the algorithm. In general, the performance of our scheme is better than the one in [21,23] when the embedded capacity is high.

4.3. Analysis of Security

On the one hand, the additional data after encryption are embedded in the bit plane of the target pixel and are protected by the EC-EG homomorphic property. On the other hand, in the existing public key cryptosystem, the one with the highest encryption strength per bit is the difficulty of the ECC math problem, thus it is safe to encrypt images with EC-EG compared to using Paillier to encrypt images. At present, the method to attack the discrete logarithm problem on ECC is only the baby step giant step (BSGS), and its computational complexity is $\mathrm{O}(exp(log\sqrt{P_{max}}))$. $P_{max}$ is the maximum prime factor of the order of the exchange group composed of ECC. At the same time, different elliptic curves can be obtained by changing the parameters. Therefore, ECC has a rich group structure and multiple selectivity, and can be flexibly applied.

To verify the theoretical security of EC-EG encryption, the method of statistical analysis can test the anti-attack performance of encryption algorithm in chaos and diffusion from different angles. For this reason, we specify it from three aspects: histogram analysis of encrypted image, correlation analysis of adjacent pixels and information entropy analysis [28].

4.3.1. Histogram Analysis of Encrypted Image

The histogram of the encrypted image should be uniformly distributed, which is obviously different from the histogram of the original image. In mathematical calculation, the variance of encrypted image is much smaller than that of original image. If $his{t}_i(i=0,1,\cdots ,255)$ represents the histogram of an image, the equation for calculating the variance is:

$$S=\frac{1}{256}{\displaystyle \sum _{i=0}^{255}}(his{t}_i-\frac{1}{256}{\displaystyle \sum _{i=0}^{255}}his{t}_i)$$

(24)

The histograms and variances of the images in Figure 6a,b,f,g,k,l,p,q are shown in Figure 8, in which the histogram of the encrypted image is evenly distributed.

4.3.2. Correlation Analysis of Adjacent Pixels

To test the correlation of two pixels that are vertically adjacent, horizontally adjacent, and diagonally adjacent, the following test was performed. In order not to lose generality, we used a random function to select any 1000 pairs of adjacent pixels in the image. The correlation coefficient of the original image should be close to 1, and the correlation coefficient of the encrypted image should be much smaller than 1, indicating that the correlation between the cover image and the encrypted image is completely separated. The correlation coefficient $(r_{xy}\in [-1,1])$ (−1 indicates a negative correlation, and 1 indicates a positive correlation) of the adjacent pixels of the image is:

$$r_{xy}=\frac{\mathrm{cov}(x,y)}{\sqrt{D\left(x\right)}\sqrt{D\left(y\right)}}$$

(25)

In Equation (25),

$$\begin{array}{cc}\hfill E\left(x\right)& =\frac{1}{N}{\displaystyle \sum _{i=1}^N}{x}_i\hfill \\ \hfill D\left(x\right)& =\frac{1}{N-1}{\displaystyle \sum _{i=1}^N}(x_i-E\left(x\right))\hfill \\ \hfill \mathrm{cov}(x,y)& =\frac{1}{N-1}{\displaystyle \sum _{i=1}^N}(x_i-E\left(x\right))(y_i-E\left(y\right))\hfill \end{array}$$

(26)

In the above equation, the gray values of two adjacent pixels of the image are represented by x and y, respectively.

Table 5. Adjacent pixel correlation coefficients of the images in Figure 6a,b.

Image	Adjacent Pixel Correlation Coefficients
	Horizontal	Vertical	Diagonal
(a) Original image	0.962	0.975	0.947
	0.972	0.974	0.942
	0.959	0.972	0.94
	0.96	0.98	0.941
(b) Encrypted image	0.056	−0.041	−0.012
	−0.019	−0.034	−0.089
	−0.05	−0.006	0.02
	−0.009	−0.042	0.023

shows adjacent pixel correlation coefficients of the images in Figure 6a,b. The adjacent pixel correlation of the encrypted image is much smaller than the original image. Besides, horizontal adjacent pixel correlation scatter plot of the images in Figure 6a,b,f,g,k,l,p,q are draw in Figure 9. The pixels of the encrypted image exhibit irregular characteristics.

4.3.3. Information Entropy Analysis

If there is L kinds of gray values $m_i(i=0,1,\cdots ,L-1)$ in an image, and the probability of occurrence of each gray value is $p\left(m_i\right)(i=0,1,\cdots ,L-1)$, according to the theorem of Shannon, the information amount of the image is

$$H\left(m\right)=-{\displaystyle \sum _{i=0}^{L-1}}p\left(m_i\right){log}_{2}p\left(m_i\right),{\displaystyle \sum _{i=0}^{L-1}}p\left(m_i\right)=1$$

(27)

where H is the information entropy of an image. When the probability of occurrence of each gray value in the image is equal, the information entropy of the image is the largest, and the information entropy indicates how much information is contained in one image.

The information entropy of the image can measure the distribution of the gray value. The result shows that the larger is the information entropy, the more consistent is the gray distribution. For an ideal random image, the information entropy is equal to 8. In

Table 6. Information entropy of cover image and encrypted image.

Image	Information Entropy
	Cover Image	Encrypted Image
Lena	7.445 075	7.999 386
F-16	6.705 888	7.999 290
Man	7.192 588	7.999 236
Hill	7.094 869	7.999 246

, the experimental results confirm the conclusion of theoretical analysis. Below, we briefly prove it.

Theorem 2.

For information entropy H, there is $H\left(m\right)\le 8$.

Proof of Theorem 2. 

The known power mean inequality is

$$a_0^{p_0}{a}_1^{p_1}\cdots a_{L-1}^{p_{L-1}}\le p_0{a}_0+p_1{a}_1+\cdots +p_{L-1}{a}_{L-1}$$

(28)

In the inequality in Equation (28), the range of $p_i$ is $0<p_i<1(i=0,1,\cdots ,L-1)$, and satisfies Equation (29).

$${\displaystyle \sum _{i=0}^{L-1}}p\left(m_i\right)=1$$

(29)

If and only if $a_0=a_1=\cdots =a_{L-1}$ is established, the equal sign in the inequality in Equation (28) is established. When $p_i=1/L(i=0,1,\cdots ,L-1)$, the following geometric-arithmetic mean inequality is obtained from Equation (28).

$$\sqrt[L]{a_0{a}_1\cdots a_{L-1}}\le \frac{a_0+a_1+\cdots +a_{L-1}}{L}$$

(30)

According to the logarithmic nature of Equation (27), we can calculate the following.

$$\begin{array}{cc}\hfill H\left(m\right)& ={\displaystyle \sum _{i=0}^{L-1}}{log}_2{(\frac{1}{p(m_i)})}^{p\left(m_i\right)}\hfill \\ & ={log}_2\left[{(\frac{1}{p(m_0)})}^{p(m_0)}{log}_2{(\frac{1}{p(m_1)})}^{p(m_1)}\cdots {log}_2{(\frac{1}{p(m_{L-1})})}^{p(m_{L-1})}\right]\hfill \end{array}$$

(31)

Then, we apply Equation (28) to Equation (31).

$$H\left(m\right)\le {log}_2\left[p\left(m_0\right)\times \frac{1}{p\left(m_0\right)}+p\left(m_1\right)\times \frac{1}{p\left(m_1\right)}+\cdots +p\left(m_{L-1}\right)\times \frac{1}{p\left(m_{L-1}\right)}\right]={log}_{2}L$$

(32)

When the gray level $L=256=2^8$, Theorem 2 is established. According to ${\displaystyle \sum _{i=0}^{L-1}}p\left(m_i\right)=1$ and $a_0=a_1=\cdots =a_{L-1}$, the equal sign in Theorem 2 is established at $p\left(m_i\right)=1/256(i=0,1,\cdots ,255)$. □

5. Conclusions

The scheme in this paper uses the method of constructing MCC after EC-EG encryption to perform reversible data hiding in encrypted image. The scheme realizes the separation of additional data extraction and cover image restoration, and improves the embedding capacity under the premise of completely recovering the cover image. The experimental results show that the PSNR value of the scheme is improved in the image due to the self-embedded data by PEE algorithm. The main contributions of this paper can be summarized as follows:

• A novel method of reversible data hiding in homomorphic encrypted image based on EC-EG is proposed.
• By constructing MCC, the embedded capacity is improved.
• By performing histogram analysis of encrypted image, correlation analysis of adjacent pixels and information entropy analysis, we proved the statistical security of the encryption scheme in this paper.
• However, the method of vacating room before encryption increases the risk of plaintext leakage. Therefore, it should be improved in the future to be a reversible data hiding scheme in homomorphic encrypted image that does not require preprocessing of plaintext.