# Efficient reversible data hiding in encrypted image with public key cryptosystem

- Shijun Xiang
^{1}Email authorView ORCID ID profile and - Xinrong Luo
^{1}

**2017**:59

https://doi.org/10.1186/s13634-017-0496-6

© The Author(s) 2017

**Received: **13 February 2017

**Accepted: **10 August 2017

**Published: **22 August 2017

## Abstract

This paper proposes a new reversible data hiding scheme for encrypted images by using homomorphic and probabilistic properties of Paillier cryptosystem. The proposed method can embed additional data directly into encrypted image without any preprocessing operations on original image. By selecting two pixels as a group for encryption, data hider can retrieve the absolute differences of groups of two pixels by employing a modular multiplicative inverse method. Additional data can be embedded into encrypted image by shifting histogram of the absolute differences by using the homomorphic property in encrypted domain. On the receiver side, legal user can extract the marked histogram in encrypted domain in the same way as data hiding procedure. Then, the hidden data can be extracted from the marked histogram and the encrypted version of original image can be restored by using inverse histogram shifting operations. Besides, the marked absolute differences can be computed after decryption for extraction of additional data and restoration of original image. Compared with previous state-of-the-art works, the proposed scheme can effectively avoid preprocessing operations before encryption and can efficiently embed and extract data in encrypted domain. The experiments on the standard image files also certify the effectiveness of the proposed scheme.

## Keywords

## 1 Introduction

Reversible data hiding (RDH) is an efficient technology for cover authentication or content integrity verification [1–3] in which the hidden data can be extracted completely and the original carrier can be recovered losslessly after data extraction. With this property, reversible data hiding is widely applied in such areas as medical imagery, military imagery, and law forensics. Reversible data hiding algorithms are generally classified into three categories by using lossless compression [4, 5], difference expansion [6, 7], and histogram shifting [8, 9]. RDH technique is further developed by making good use of new prediction error algorithms and embedding strategies [10–12], which have higher payload and better image quality.

For the sake of information security and privacy protection, data are usually encrypted before upload and transmission. Encryption, which is one of the most powerful method for content protection, can convert original data into unintelligible ciphertexts. It is especially useful in scenarios that content owner is unwilling to expose their sensitive data or private information to untrusted channel and database. On the administrator side, additional data such as content-related keywords, information features, or authentication data are desired to be embedded directly into the encrypted data for the convenience of management and security protection. What is more, content owner still expects that the original cover can be restored perfectly since any distortion is tolerated in many applications. To this end, reversible data hiding in encrypted images (RDHEI) emerges. RDHEI is a technology which implements data hiding procedure in encrypted domain and can recover the original plaintext without error after decryption and data extraction. Owning to this merit, RDHEI has been a research hotspot in information security community recently. In [13], Zhang encrypted image with a standard stream cipher and further divided the encrypted image into blocks, each of which contains two groups. One bit can be embedded by flipping three LSBs of each pixel in the corresponding group. Zhang’s method was improved by using a different estimation equation so as to better exploit the spatial correlation [14] and different flipping rates [15]. In order to extract the hidden data directly in encrypted domain, Zhang proposed a separable RDHEI which compresses the LSBs of encrypted image with a source coding method to accommodate additional data [16]. Besides, RDHEI for JPEG image has been presented in [17]. To improve the embedding performance, spare room for data hiding was created by implementing self-embedding or compression before encryption [18, 19]. In [20], Qian et al. vacated room after encryption with a distributed source encoding operation, which can avoid to pre-process original image before encryption and has a high capacity. The RDHEI methods mentioned above focus on symmetric cryptosystem. The data encrypted with stream cipher symmetric cryptosystem is hardly for the cloud computing.

Different from symmetric cryptosystem, public key cryptosystem with probabilistic and homomorphic properties, which allows us to conduct operations directly on ciphertexts to generate the expected result, is more powerful in secure signal processing. For example, mass data of an enterprise can be uploaded to the cloud after encryption for statistical analysis services from the third party, e.g., the enterprise can get corresponding annual turnover (sum of plain data) and growth (difference of plain data) from the cloud without any information leakage by utilizing Paillier cryptosystem [21]. Secure signal processing with public key cryptosystem can bring us great benefits.

In the literature, there are a few works on signal processing in encrypted domain with public key cryptosystem [22–26], and two of them have applied Paillier public key cryptosystem for reversible data hiding [25, 26]. In [25], Chen et al. first raised a novel RDHEI method with public key cryptography by dividing a pixel into two parts: LSB and the rest. Image owner encrypted these two parts with Paillier mechanism and transmitted them to data hider. In this way, the transmitted data in size will be twice of the directly encrypted image. One bit can be embedded in encrypted domain by modifying magnitude relationships between the encrypted LSB values of two adjacent pixels with homomorphic multiplication. Since the magnitude relationships can not be kept for the corresponding ciphertexts, the hidden data cannot be extracted before decryption. Aiming at retrieving the hidden data in encrypted domain, Zhang et al. proposed a new reversible data hiding algorithm with public key cryptosystem [26] by using a pre-procession operation to shrink histogram of original image to vacate room for data hiding. After encryption, data hider first embedded additional data into the reserved room so that additional data can be extracted in the plaintext domain. In order to extract data in the encrypted domain in [26], the authors ingeniously applied probabilistic property of Paillier cryptosystem with multi-layer wet paper code (WPC) [27] strategy so that the additional data can be hidden into and extracted from the bit-planes of ciphertexts.

- 1.
Preprocessing operations on original image for data hiding can be effectively avoided before encryption. This is beneficial to protect image content privacy in preprocessing procedure. More importantly, the proposed scheme is more scalable due to the avoidance of preprocessing operations.

- 2.
The data can be directly inserted into and extracted from encrypted images with private key. This is useful for cloud computing services while protecting image privacy in the cloud. In the literature, it is a dilemma to extract the hidden data in encrypted domain with public key cryptosystem. In this paper, we have presented a solution.

- 3.
Compared with the previous work [26], the hidden data in the proposed one has stronger security performance in encrypted domain because the data are embedded into plaintexts by using the homomorphic property instead of embedded into the information into bit-planes of ciphertexts [26].

This paper is very useful since the data hiding scheme can be used for both privacy protection and cloud computing due to homomorphic and probabilistic properties of Paillier cryptosystem.

The remainder of this paper is organized as follows. A brief introduction of Paillier cryptosystem is given in Section 2. Then, the details of the proposed reversible data hiding scheme is elaborated in Section 3. Experiment results and performance comparison are given in Section 4. Finally, we draw a conclusion in Section 5.

## 2 Paillier cryptosystem and modular multiplicative inverse method

### 2.1 Paillier cryptosystem

Paillier cryptosystem [21], which has homomorphic and probabilistic properties, has been widely used in secure computation fields. In Paillier cryptosystem, a plaintext is encrypted with the same public key and different ciphertexts can be obtained since the parameter is selected randomly. The same plaintext, of course, can be retrieved after decrypting corresponding ciphertexts with private key. Hence, Paillier cryptosystem can achieve semantic security. Besides, homomorphic multiplication is permitted in Paillier cryptosystem, meaning that decrypted product of two ciphertexts is equal to the sum of two corresponding plaintexts. It provides an efficient approach to process the original data in encrypted domain. The following is the details of Paillier cryptography.

**Key generation:**Select two large primes

*p*and

*q*randomly. Compute

*N*=

*pq*and

*λ*=

*lcm*(

*p*−1,

*q*−1), where

*lcm*(·) is a function for calculating the least common multiple of two inputs. And then, randomly select \(g\in \mathbb {Z}_{N^{2}}^{*}\), which meanwhile satisfies

where *gcd*(·) is to derive the greatest common divisor of two inputs, \(\mathbb {Z}_{N^{2}}^{*}\) is denoted as the subset of \(\mathbb {Z}_{N^{2}}\) in which elements are all relatively prime with *N*
^{2} and \(\mathbb {Z}_{N^{2}} = \left \{0,1,2,\ldots,N^{2} -1\right \}\). Finally, we get the public key (*N,g*) and corresponding private key *λ* respectively.

**Encryption**For each original data \(m\in \mathbb {Z}_{N}\), select an integer \(r\in \mathbb {Z}_{N}^{*} \) randomly. Denote encryption function as

*E*[·]. The corresponding ciphertext

*c*can be obtained by

According to the property of Paillier cryptosystem, the ciphertext *c* is still in \(\mathbb {Z}_{N^{2}}^{*}\).

**Decryption**Denote the decryption function as

*D*[ ·]. With corresponding private key

*λ*, the original plaintext

*m*can be derived by

Furthermore, the two important properties of Paillier cryptosystem (which have been applied in the proposed method) are introduced as follows:

**Lemma one:** The function *E*[*m,r*] is bijective when *g* obeys Eq. (1). For two plaintexts \(m_{1},m_{2}\in \mathbb {Z}_{N}\), compute corresponding ciphertexts *c*
_{1},*c*
_{2} with *r*
_{1},*r*
_{2} according to Eq. (1). The Eq. *c*
_{1}=*c*
_{2} holds if and only if *m*
_{1}=*m*
_{2} and *r*
_{1}=*r*
_{2}.

**Homomorphic multiplication:**For \(\forall r_{1},r_{2}\in \mathbb {Z}_{N}^{*}\), two plaintexts \(m_{1}, m_{2}\in \mathbb {Z}_{N}\) and corresponding ciphertexts \(E\left [m_{1},r_{1}\right ], E\left [m_{2},r_{2}\right ] \in \mathbb {Z}_{N^{2}}^{*}\) satisfy:

### 2.2 Modular multiplicative inverse method

*MMI*) method first. For two coprime integers

*y*and

*z*, there exists an integer

*Θ*satisfying

*Θ*is called as the modular multiplicative inverse of

*y*. With a given

*y*, the corresponding

*Θ*can be computed efficiently via an Extended Euclidean algorithm [28]. According to the properties of MMI, the

*division*operation can be implemented after modular operation. Assume another integer

*x*and denote

*v*as the product of

*x*and

*y*to the modulo

*z*.

*x*can be derived from the product

*v*by multiplying

*y*’s corresponding modular multiplicative inverse

*Θ*,

## 3 Reversible data hiding scheme with public key cryptosystem

*K*

_{ g }to form groups of two pixels for encryption with Paillier cryptosystem by using public key

*K*

_{ p }with two selected parameters (

*r*

_{1}and

*r*

_{2}) for a group. Two pixels in a group are encrypted with

*r*

_{1}(randomly selected as descripted in Section 2) first. Then, one of the two pixels is further encrypted with

*r*

_{2}(controlled by a secret key

*K*

_{ s }). With

*K*

_{ g }and

*K*

_{ s }, data hider can calculate absolute differences of groups of two pixels by exploiting modular multiplicative inverse method and looking for a mapping table in encrypted domain. Then, additional data, after encryption, are embedded into the encrypted image by shifting histogram of the calculated absolute differences with a data hiding key

*K*

_{ d }. With

*K*

_{ g },

*K*

_{ s }, and

*K*

_{ d }, receiver can extract the additional data from the histogram of absolute differences (which are computed in the same manner as data hiding procedure). With the private key

*K*

_{ c }only, receiver can obtain an image similar to the original image after decryption. With both

*K*

_{ d }and

*K*

_{ c }, receiver can retrieve the hidden data from the histogram of absolute differences of pixel groups after decryption and recover the original image by implementing an inverse operation of histogram shifting. The remainder of this section elaborates the details of the proposed scheme.

### 3.1 Image encryption

According to the probabilistic property of Paillier cryptosystem, the parameter \(r\in \mathbb {Z}_{N}^{*}\) is selected randomly for each plaintext to achieve semantic security. Since magnitude relationships among plaintexts can not be kept to the corresponding ciphertexts, it is still a dilemma to embed additional data directly into an encrypted image with such a cryptosystem. In this work, with the probabilistic property, we design a strategy to encrypt two pixels in a group by using a random parameter so as to reserve the difference of two plaintexts for data hiding in encrypted domain.

*I*by using a key

*K*

_{ g }. Denote the two pixels in

*k*

^{ th }group as

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*), respectively. Data hider first randomly selects an integer \(r_{1}{(k)}\in \mathbb {Z}_{N}^{*}\) and encrypts

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*) with the public key (

*N,g*) and Paillier cryptosystem.

*c*

_{1}(

*k*) and

*c*

_{2}(

*k*) are the corresponding ciphertexts of

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*), respectively. To void the effect of using the same parameter for encrypting a group of two pixels, image owner selects another integer \(r_{2}{(k)}\in \mathbb {Z}_{N}^{*}\) with a secret key

*K*

_{ s }and implement a homomorphic multiplication operation on

*c*

_{2}(

*k*),

*D*[

*c*

_{2}(

*k*)

^{′}] be the decrypted version of

*c*

_{2}(

*k*)

^{′}. According to Eqs. (5) and (6),

*D*[

*c*

_{2}(

*k*)

^{′}] satisfies

Therefore, *c*
_{2}(*k*)^{′} is still an encrypted version of *P*
_{2}(*k*). Data hider obtains *c*
_{1}(*k*) and *c*
_{2}(*k*)^{′} as the cyphertexts of the *k*
^{
th
} group. Denote the encrypted image as *E* [ *I*].

### 3.2 Data hiding

*E*[

*I*] and the group selection key

*K*

_{ g }and the secret key

*K*

_{ s }, data hider can retrieve ciphertext of the absolute difference of two plaintexts with a modular multiplicative inverse method, and then extract the absolute difference from the corresponding ciphertexts by looking for a mapping table (see Fig. 2) without private key

*K*

_{ c }. Additional data can be embedded into

*E*[

*I*] by shifting histogram of the absolute differences with a data hiding key

*K*

_{ d }. Firstly, data hider divides

*E*[

*I*] into groups in the same manner as image encryption procedure, and then retrieves the ciphertext group {

*c*

_{1}(

*k*),

*c*

_{2}(

*k*)

^{′}}.

#### 3.2.1 Data embedding

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*) in the

*k*

^{ th }group can be calculated in encrypted domain. As described in Section 2, ciphertext

*c*=

*E*[

*m,r*] can be obtained for each \(m\in \mathbb {Z}_{N}\) according to Eq. (3) and \(c\in \mathbb {Z}_{N^{2}}^{*}\). It means that

*E*[0,

*r*

_{2}(

*k*)],

*c*

_{1}(

*k*) and

*c*

_{2}(

*k*) are coprime to

*N*

^{2}. Denote the modular multiplicative inverse of

*E*[0,

*r*

_{2}(

*k*)] as

*Θ*

_{ Er }. Data hider first calculates

*Θ*

_{ Er }(

*k*) with the Extended Euclidean algorithm and

*Θ*

_{ Er }(

*k*) satisfies

*c*

_{2}(

*k*)

^{′}is the product of

*c*

_{2}(

*k*) and

*E*[0,

*r*

_{2}(

*k*)] according to Eq. (11), data hider derives

*c*

_{2}(

*k*) by multiplying

*c*

_{2}(

*k*)

^{′}with

*Θ*

_{ Er }(

*k*),

*c*

_{1}(

*k*) and

*c*

_{2}(

*k*), denoted as

*Θ*

_{1}(

*k*) and

*Θ*

_{2}(

*k*) respectively.

*Θ*

_{1}(

*k*) and

*Θ*

_{2}(

*k*) satisfy

*Θ*

_{1}(

*k*) and

*Θ*

_{2}(

*k*), data hider calculates

*c*

_{1}

*k*·

*Θ*

_{2}(

*k*),

*c*

_{2}

*k*·

*Θ*

_{1}(

*k*), and the results are denoted as \(c_{d_{1}}{(k)}\), \(c_{d_{2}}{(k)}\),

*N*is the product of two large primes

*p*and

*q*and

*λ*=

*lcm*(

*p*−1,

*q*−1). Hence, in the Paillier cryptosystem described in Section (2), \(g\in \mathbb {Z}_{N^{2}}^{*}\) and \(r_{1}\in \mathbb {Z}_{N}^{*}\) satisfy

*Θ*

_{1}(

*k*) and

*Θ*

_{2}(

*k*)

*Θ*

_{1}(

*k*),

*Θ*

_{2}(

*k*), Eq. (16) can be further simplified as (21) and (22) by considering the magnitude relation of

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*),if

*P*

_{1}(

*k*)≥

*P*

_{2}(

*k*)

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*). Denote probable value of the absolute difference as

*d*

_{ p }. Since data hider has the public key

*K*

_{ p }=(

*N,g*) and

*d*ranges from 0 to 255, a one-to-one mapping table between

*d*

_{ p }and \(c_{d}=g^{d_{p}}\phantom {\dot {i}\!}\) can be obtained by

*K*

_{ c }, data hider can look for this table to get a match of \(c_{d_{1}}{(k)}\) if

*P*

_{1}(

*k*)≥

*P*

_{2}(

*k*) or \(c_{d_{2}}{(k)}\) if

*P*

_{1}(

*k*)<

*P*

_{2}(

*k*). Denote the matched result as

*d*(

*k*), which is the corresponding absolute difference between the two plaintexts

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*). Besides, data hider can get the magnitude relationships between

*P*

_{1}(

*k*) and

*P*

_{2}(

*k*). If \(c_{d_{1}}{(k)}\) is matched with the mapping table, we have

*P*

_{1}(

*k*)≥

*P*

_{2}(

*k*); Otherwise, we have

*P*

_{2}(

*k*)>

*P*

_{1}(

*k*). Consequently, a histogram of the absolute differences between groups of two plaintexts is obtained as shown in Fig. 3 a.

*E*[

*I*] by shifting histogram of the absolute differences in several rounds. Assume

*n*

_{ e }rounds are implemented and

*EP*is the embedding bin in each round in referring to data hiding key

*K*

_{ d }. To achieve a better performance, we suggest to select the peak point of the histogram as

*EP*in each round. Data hiding procedure is accomplished as follows:If

*P*

_{1}(

*k*)≥

*P*

_{2}(

*k*),

*k*

^{ th }group and

*w*is one bit of the additional data. Denote decrypted versions of \(c_{1}^{w}{(k)}\) and \(c_{2}^{w}{(k)}\) as \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\) respectively. The effect of data hiding on plaintexts is to change

*P*

_{1}(

*k*),

*P*

_{2}(

*k*) to \(P_{1}^{w}{(k)}\), \(P_{2}^{w}{(k)}\):If

*P*

_{1}(

*k*)≥

*P*

_{2}(

*k*),

Here, we denote \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\) as the marked versions of *P*
_{1}(*k*) and *P*
_{2}(*k*). Obviously, we keep the relative magnitude of two pixels in each group unchanged after data hiding: \(P_{1}^{w}{(k)}\geq P_{2}^{w}{(k)}\) if *P*
_{1}(*k*)≥*P*
_{2}(*k*) or \(P_{1}^{w}{(k)}<P_{2}^{w}{(k)}\) if *P*
_{1}(*k*)<*P*
_{2}(*k*). Denote the absolute difference after data hiding as *d*
_{
w
}(*k*). According to Eqs. (28), (29), (30) and (31), when *d*(*k*)≥*EP*+1, let *d*
_{
w
}(*k*)=*d*(*k*)+1 create room for data hiding, as shown in Fig. 3
b. Let *d*
_{
w
}(*k*)=*d*(*k*)+*w* hide the additional data if *d*(*k*)=*EP*, as shown in Fig. 3
c. If the receiver has the EP in each round, he/she can extract the hidden data and recover the original pixels with the inverse operation of embedding procedure.

*E*[0,

*r*

_{2}(

*k*)] to encrypt the absolute difference properties according to

*K*

_{ s },

Denote the encrypted image with hidden data as *E*[*I*
_{
w
}].

By employing Paillier cryptosystem to encrypt a group of two pixels with two selected parameters, we have successfully reserved the absolute differences of plaintexts in encrypted domain. Data hider can retrieve the absolute differences and embed additional data directly into the encrypted image by shifting histogram of the absolute differences.

#### 3.2.2 Security of image content in encrypted domain

Security of image content in encrypted domain is an important aspect that users are most concerned about. Here, we discussed the security problem by considering whether an attacker is with the secret key *K*
_{
s
}:

**Case one:** If the user does not have *K*
_{
s
}, there is no extra information can be extracted from the encrypted image since *P*
_{1}(*k*) and *P*
_{2}(*k*) were encrypted with two random integers *r*
_{1}(*k*) and *r*
_{1}(*k*)·*r*
_{2}(*k*). In this case, the proposed image encryption strategy has the same security performance as the standard encryption method in Eq. (3).

**Case two:**If someone (like the data hider) has the secret key

*K*

_{ s }, he or she can extract the absolute differences of groups of two plaintext pixels. In this case, the differences of groups of two adjacent pixels may expose the high-frequency information of original image, as shown in Fig. 4 b. To solve this problem, we apply the following two group selection strategies:

**Strategy 1:** Select two adjacent pixels as a group for encryption. This is followed by a permutation operation on groups of two encrypted pixels. With the permutation operation, the high-frequency information can be effectively covered, as shown in Fig. 4
c. Correspondingly, an inverse operation of permutation need to be implemented during the image restoration procedure.

**Strategy 2:** Randomly select two pixels as a group for encryption. The permutation operation in the *strategy 1* is not needed. By randomly select two pixels as a group, there is no any information leaked from the absolute differences, as shown in Fig. 4
d.

### 3.3 Data extraction and image restoration

In the proposed scheme, data extraction and image restoration can be completed together by inverse operations of histogram shifting. For a receiver, there are two ways to extract the hidden data and restore original ciphertext image or plaintext image.

#### 3.3.1 Extract hidden data and restore original ciphertext image in encrypted domain

*K*

_{ d }and secret key

*K*

_{ s }, receiver can retrieve the hidden data

*w*and recover the directly encrypted image

*E*[

*I*] from the received image

*E*[

*I*

_{ w }]. The extraction and restoration procedures are described as follows:

- 1.
For a legal receiver, the same group selection operation is first implemented on the received ciphertext image

*E*[*I*_{ w }]. Denote the*k*^{ th }ciphtext group by \(\left (c_{1}^{w}{(k)},c_{2}^{w}{(k)}'\right)\), which contains the hidden data*w*. - 2.With the secret key
*K*_{ s }, receiver can get the corresponding parameter*r*_{2}(*k*), and then compute*E*[0,*r*_{2}(*k*)] referring to Eq. (3). Furthermore,*Θ*_{ Er }(*k*), which is modular multiplicative inverse of*E*[0,*r*_{2}(*k*)], is calculated with Extended Euclidean algorithm. Referring to Eqs. (13) and (32), \(c_{2}^{w}{(k)}\) (which is the ciphertext of \(P_{2}^{w}{(k)}\)) is derived by$$ c_{2}^{w}{(k)}=c_{2}^{w}{(k)}'\cdot \Theta_{Er}{(k)}\text{ mod }N^{2} $$(33)Using the same method, receiver further computes \(\Theta _{1}^{w}{(k)}\) and \(\Theta _{2}^{w}{(k)}\), which are the corresponding modular multiplicative inverse of \(c_{1}^{w}{(k)}\) and \(c_{2}^{w}{(k)}\). Similar to extract the absolute difference in the data hiding procedure, receiver calculates \(c_{d_{1}}^{w}{(k)}\) and \(c_{d_{2}}^{w}{(k)}\) by referring to Eq. (16)$$ \left\{\begin{array}{ll} c_{d_{1}}^{w}{(k)}=c_{1}^{w}{(k)}\cdot\Theta_{2}^{w}{(k)}\text{ mod }N^{2}\\ c_{d_{2}}^{w}{(k)}=c_{2}^{w}{(k)}\cdot\Theta_{1}^{w}{(k)}\text{ mod }N^{2}, \end{array}\right. $$(34)and computes the mapping table beforehand by referring to Eq. (23). After searching \(c_{d_{1}}^{w}{(k)}\) and \(c_{d_{2}}^{w}{(k)}\) in the mapping table, we can retrieve

*d*^{ w }(*k*), which is the absolute difference of the*k*^{ th }marked group \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\)). This can be done to obtain the histogram of the absolute differences of all the groups. Besides, the magnitude relationships between \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\)) are obtained by: If \(c_{d_{1}}^{w}{(k)}\) is matched with the table, \(P_{1}^{w}{(k)}\geq P_{2}^{w}{(k)}\); Otherwise, \(P_{2}^{w}{(k)}> P_{1}^{w}{(k)}\). - 3).With the data hiding key
*K*_{ d }, receiver can obtain the rounds of embedding*n*_{ e }and the embedding point in each round*EP*. According to the corresponding*EP*and the magnitude relationships between \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\), additional data*w*can be extracted from the histogram,$$ w=\left\{\begin{array}{ll} 0, &if~d^{w}(k)=EP\\ 1, &if~d^{w}(k)= EP+1\\ \end{array}\right. $$(35)Accompanied with data extraction, the directly encrypted image*E*[*I*] can be recovered without any error. Receiver calculates the modular multiplicative inverse of*g*via Extended Euclidean algorithm, denoted as*Θ*_{ g }.*Θ*_{ g }satisfies$$ \Theta_{g}\cdot g=1\text{ mod }N^{2} $$(36)According to the property of MMI, ciphertexts

*c*_{1}(*k*) and*c*_{2}(*k*) before hiding data can be restored as follows:If \(P_{1}^{w}{(k)}\geq P_{2}^{w}{(k)}\),$$ c_{1}{(k)}=\left\{\begin{array}{ll} c_{1}^{w}{(k)}\cdot \Theta_{g}\text{ mod }N^{2} &if~d^{w}(k)\geq EP+1\\ c_{1}^{w}{(k)}, &else \end{array}\right. $$(37)$$ c_{2}{(k)}=c_{2}^{w}{(k)} $$(38)else$$ c_{1}{(k)}=c_{1}^{w}{(k)} $$(39)$$ c_{2}{(k)}=\left\{\begin{array}{ll} c_{2}^{w}{(k)}\cdot \Theta_{g}\text{ mod }N^{2}, &if~d^{w}(k)\geq EP+1\\ c_{2}^{w}{(k)}, &else \end{array}\right. $$(40)where \(c_{1}^{w}{(k)}\cdot \Theta _{g}\) in Eq. (37) is equal to \(g^{P_{1}^{w}{(k)}-1}\cdot r_{1}{(k)}^{N}\) and \(c_{2}^{w}{(k)}\cdot \Theta _{g}\) in Eq. (39) is equal to \(g^{P_{2}^{w}{(k)}-1}\cdot r_{1}{(k)}^{N}\).Therefore, inverse operations of histogram shifting can be implemented.

- 4).
After

*n*_{ e }rounds of data extraction and inverse operations of histogram shifting, the hidden data can be extracted perfectly and the original ciphertext image*E*[*I*] can be restored.

#### 3.3.2 Extract the hidden data and restore the original image after decryption

With the private key *K*
_{
c
} and data hiding key *K*
_{
d
}, receiver can extract the hidden data and recover the original image after decryption.

*E*[

*I*

_{ w }] can be decrypted by private key

*K*

_{ c }=

*λ*, formulated as

where \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\) are the corresponding plaintexts of \(c_{1}^{w}{(k)}\) and \(c_{2}^{w}{(k)}\). This can be done for all the groups to obtain a decrypted version of *E*[*I*
_{
w
}], denoted as *I*
_{
w
}. In the applications, there are two possible scenarios on the decrypted result *I*
_{
w
}.

**Scenario 1:**The receiver extracts the hidden data and recover the original image immediately. Firstly, the receiver divide

*I*

_{ w }into groups in the same manner as in the image encryption procedure and get \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\). Then,

*d*

^{ w }

*k*(the absolute difference between \(P_{1}^{w}{(k)}\) and \(P_{2}^{w}{(k)}\)) is calculated

*K*

_{ d }, the receiver can get

*n*

_{ e }(embedding rounds) and

*PZ*(embedding point in each round). Referring to

*PZ*, the hidden data

*w*can be retrieved by

After *n*
_{
e
} rounds of data extraction and image restoration, the hidden data can be retrieved perfectly and the original image can be restored without any error.

**Scenario 2:** Receiver wants to store or deliver a marked version of plaintext image. If needed, the hidden data can be extracted and the original image can be recovered. This case is possible in cloud computing application. For example, a company may upload the encrypted image to the cloud for watermarking service from the third party. After decryption, the company can deliver the watermarked image to legal users for business. The user can get the original image according to the data hiding key *K*
_{
d
} and the hidden data can be extracted for copyright authentication.

*P*

^{ w }(

*i,j*) by a plaintext in

*I*

_{ w }, where (

*i,j*) indicates the position. Receiver can scans

*I*

_{ w }in order to find overflowed pixels (if

*P*

^{ w }(

*i,j*)≥255). Then, the overflowed part of the

*P*

^{ w }(

*i,j*) can be calculated as

where *P*
^{
w
}(*i,j*) is the *l*
^{
th
} plaintext which is greater than or equal to 255, and *o*(*l*) is the overflowed part of *P*
^{
w
}(*i,j*).

*L*(

*L*=⌈

*log*

_{2}(

*n*

_{ e })⌉) bits to represent

*o*(

*l*) as

*o*

_{1}(

*l*),

*o*

_{2}(

*l*),…,

*o*

_{ L }(

*l*),

When there are *Q* overflowed pixels, we can get a \(L_{S_{a}}\) (\(L_{S_{a}}=L\times Q\)) bits of sequence, denoted by *S*
_{
a
}.

For the overflow problem, we can modify pixels greater than 255 as 255 and restore their position information. All the appendix information including *L*, *S*
_{
a
} and the positions of the overflowed pixels, can be reversibly embedded into *I*
_{
w
} to generate \(\phantom {\dot {i}\!}I_{w'}\). In this way, receiver could deliver \(\phantom {\dot {i}\!}I_{w'}\) to his clients for business. For copyright problem, the receiver can extract the inserted appendix information and reconstruct *I*
_{
w
}. With the data hiding key, the hidden data *w* can be extracted from *I*
_{
w
} and the original image *I* can be restored, as described in *Scenario 1* above.

## 4 Experimental results

In Section 3.2.2, we have presented two group selection strategies. The two group selection strategies is applied to form the proposed two reversible data hiding methods:

**Method 1:** We choose two adjacent pixels as a group for encryption. This is followed by a permutation operation on the encrypted image so as to avoid the difference of the adjacent pixels to leak image content.

**Method 2:** We randomly select two pixels as a group for encryption. The permutation operation in the *Method 1* is not needed.

*Lena*as example image. Last part is a comprehensive comparison of the proposed two methods against previous schemes with Paillier cryptosystem.

### 4.1 Embedding distortion

Embedding distortion in the proposed scheme is from histogram shifting operation in encrypted domain. As embedding capacity increases, the more groups are needed and more rounds of histogram shifting will be implemented for data embedding. As a result, the distortion increases.

*Lena*is 44.914 dB for 40,960 bits of additional information, and the distortion is imperceptible, as shown in Fig. 6 b. The basic reason is that a great number of the absolute differences of groups of two adjacent pixels range from 0 to 4 due to strong correlation among neighboring pixels. In the Method 2, since two randomly selected pixels in magnitude are often different, only a small number of the absolute differences are smaller than 4 in magnitude. For 4960 bits of additional data, the PSNR value with the Method 2 is 41.754 dB, as shown in Fig. 6 c.

### 4.2 Performance comparison

In the literature, there are two existing works to reversibly hide data into Homomorphic encrypted image [25, 26] by using Paillier cryptosystem (which is a public key cryptosystem with both homomorphic and probabilistic properties). With Paillier cryptosystem, one of the advantages is that the encrypted image can be processed by the third party in encrypted domain.

- 1.To reserve room before encryption for data hiding in encrypted domain is good idea proposed by Ma et al. in [18]. In [25, 26], preprocessing image before encryption is important step so that additional can be hidden into encrypted image. In the proposed scheme, the use of two selected pixels as a group is directly encrypted with a genuine encryption strategy to transmit the absolute differences of groups of the two plaintext pixels to encrypted domain for data hiding. In other words, without any preprocessing operations are needed in the proposed scheme. This is beneficial to reduce risk of image content exposed. Besides, the scheme without preprocessing has better scalability.Table 1
Comprehensive comparison between the proposed schemes and two previous methods

- 2.
The method [25] introduced an extra data expansion due to the fact that original pixel has been divided into two parts (LSB and the rest) for encryption. Such a way will make delivered ciphertext data double. The method [26] and the proposed scheme has no extra data expansion introduced.

- 3.
The proposed method embedded additional data by shifting histogram of the absolute differences of groups of two pixels in encrypted domain. Since the histogram can be derived in encrypted domain, data extraction is separable from the content decryption. The method in [25] is on the opposite side, where the data can not be extracted before encryption. In [26], additional data were inserted twice in a reversible way and a lossless way, so that the data can be extracted in both encrypted and plaintext domains.

- 4.
The security of hidden data in encrypted domain is one of the features that people are most concerned about. Method in [26] utilized WPC and probabilistic properties of Paillier cryptosystem to embed bits into bit-planes of the ciphertexts, where WPC mechanism was applied to protect the hidden data. Since the bit-planes of ciphertext are exposed in encrypted domain, there exists a risk that an illegal client may embed fake information into the bit-planes. Besides, when the same data are embedded into different images, the hidden data could be found in statistical way. In the proposed scheme, additional data are embedded into histogram of the absolute differences of groups of two selected pixels by using homomorphic properties in encrypted domain. Since the hidden data are capsuled with homomorphic and probabilistic properties of Paillier cryptosystem, an illegal receiver without the data hiding key can hardly crack those encrypted pixels, meaning that the hidden data in the proposed scheme is secure in encrypted domain.

## 5 Conclusions

In this paper, we proposed a new reversible data hiding scheme in encrypted domain with public key cryptosystem. In the proposed method, groups of two pixels are selected for encryption in a way that two pixels in the same group are encrypted with a random integer *r*
_{1} to obtain two ciphertexts first. Then, one of the two ciphertexts is further encrypted with another parameter *r*
_{2} (controlled by a key) so that their difference can be transmitted to encrypted domain. Owing to the encryption strategy, data hider can retrieve absolute differences of groups of two plaintext pixels by combining a modular multiplicative inverse method and a mapping table. And, additional data can be embedded into encrypted image by shifting histogram of the retrieved absolute differences by using the homomorphic property. With the proposed embedding strategy, there is no preprocessing on original image before encryption. On the receiver side, legal receiver can extract the modified histogram in encrypted domain with the same method as data hiding procedure. The hidden data can be further extracted from the marked histogram by performing inverse operations of histogram shifting. After decryption, the marked absolute differences can be computed in plaintext domain. Then, data extraction and image restoration can be accomplished perfectly. Experimental results have shown superiority of the proposed scheme by comparing with two previous schemes.

Also, we have discussed the security of original image and the hidden data in encrypted domain, and the conclusion is satisfied. Since the proposed scheme with Paillier public key cryptosystem is separable and without any preprocessing operations on original image, we suggest that the proposed scheme is useful for privacy protection and cloud computing.

## Declarations

### Funding

This work was partially supported by the NSFC project (No. 61772234 and 61272414), co-funded by the State Key Laboratory of Information Security (No. 2016-MS-07).

### Authors’ contributions

All the authors have participated in writing the manuscript. Both authors read and approved the final manuscript.

### Competing interests

The authors declare that they have no competing interests.

### Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Open Access** This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

## Authors’ Affiliations

## References

- CW Honsinger, P Jones, M Rabbani, JC Stoffel, Lossless recovery of an original image containing embedded data. (US Patent 6278791, 2001).Google Scholar
- B Macq, in Proc. the European Signal Processing Conf,. Lossless multiresolution transform for image authenticating watermarking (Tampere, 2000), pp. 533–536.Google Scholar
- Y Hu, H Lee, K Chen, J Li, Difference expasion based reversible data hiding using two embedding directions. IEEE Trans. Multimedia.
**10**(8), 1500–1512 (2010).View ArticleGoogle Scholar - J Fridrich, M Goljan, R Du, Lossless data embedding—new paradigm in digital watermarking. Eur.Assoc. Signal Process. J. Appl. Signal Process.
**2002**(2), 185–196 (2002).View ArticleMATHGoogle Scholar - M Celik, G Sharma, A Tekalp, E Saber, Lossless generalized-LSB data embedding. IEEE Trans. Image Process.
**14**(2), 253–266 (2005).View ArticleGoogle Scholar - J Tian, Reversible data embedding using a difference expansion. IEEE Trans. Circ. Syst. Video Technol.
**13**(8), 890–896 (2003).View ArticleGoogle Scholar - DM Thodi, JJ Rodriguez, Expansion embedding techniques for reversible watermarking. IEEE Trans. Image Process.
**16**(3), 721–730 (2007).MathSciNetView ArticleGoogle Scholar - Z Ni, YQ Shi, N Ansari, W Su, Reversible data hiding. IEEE Trans. Circ. Syst. Video Technol.
**16**(3), 354–362 (2006).View ArticleGoogle Scholar - SK Lee, YH Suh, YS Ho, in Proc. IEEE Int. Conf. Multimedia Expo. Reversible image authentication based on watermarking (Toronto, 2006), pp. 1321–1324.Google Scholar
- W Hong, TS Chen, CW Shiu, Reversible data hiding for high quality images using modification of prediction errors. J. Syst. Softw.
**82**(11), 1833–1842 (2009).View ArticleGoogle Scholar - L Luo, et al., Reversible image watermarking using interpolation technique. IEEE Trans. Inf. Forensic Secur.
**5**(1), 187–193 (2010).View ArticleGoogle Scholar - XL Li, B Yang, TY Zeng, Efficient reversible watermarking based on adaptive prediction-error expansion and pixel selection. IEEE Trans. Image Process.
**20**(12), 3524–3533 (2011).MathSciNetView ArticleGoogle Scholar - X Zhang, Reversible data hiding in encrypted image. IEEE Signal Process. Lett.
**18**(4), 255–258 (2011).View ArticleGoogle Scholar - W Hong, TS Chen, HY Wu, An improved reversible data hiding in encrypted images using side match. IEEE Signal Process. Lett.
**19**(4), 199–202 (2012).View ArticleGoogle Scholar - W Hong, TS Chen, J Chen, YH Kao, Reversible data embedment for encrypted cartoon images using unbalanced bit flipping. Advances on Swarm Intell. Lect. Notes Comput. Sci.
**7929:**, 208–14 (2013).View ArticleGoogle Scholar - X Zhang, Separable reversible data hiding in encrypted image. IEEE Trans. Inf. Forensic Secur.
**7**(2), 526–532 (2012).Google Scholar - Z Qian, X Zhang, S Wang, Reversible data hiding in encrypted JPEG bitstream. IEEE Trans. Multimedia.
**16**(5), 1486–1491 (2014).View ArticleGoogle Scholar - K Ma, W Zhang, et al., Reversible data hiding in encrypted images by reserving room before encryption. IEEE Trans. Inf. Forensic Secur.
**8**(3), 553–562 (2013).View ArticleGoogle Scholar - W Zhang, Ma K, N Yu, Reversibility improved data hiding in encrypted images by reserving images. Signal Process.
**94:**, 174–182 (2014).View ArticleGoogle Scholar - Z Qian, X Zhang, Reversible data hiding in encrypted image with distributed source encoding. IEEE Trans. Circ. Syst. for Video Technol.
**26**(4), 636–646 (2016).View ArticleGoogle Scholar - P Paillier, Public-key cryptosystems based on composite degree residuosity classes. Proceeding of the, Advances Cryptology. EUROCRYPT99, LNCS.
**1592:**, 223–238 (1999).MathSciNetMATHGoogle Scholar - T Bianchi, A Piva, M Barni, On the implementation of the discrete fourier transform in the encrypted domain. IEEE Trans. Inf. Forensic Secur.
**4**(1), 86–97 (2009).View ArticleGoogle Scholar - T Bianchi, A Piva, M Barni, Composite signal representation for fast and storage-efficient processing of encrypted signals. IEEE Trans. Inf. Forensic Secur.
**5**(1), 180–187 (2010).View ArticleGoogle Scholar - P Zheng, J Huang, Discrete wavelet transform and data expansion reduction in homomorphic encrypted domain. IEEE Trans. Image Process.
**22**(6), 2455–2468 (2013).MathSciNetView ArticleGoogle Scholar - YC Chen, CW Shiu, G Horng, Encrypted signal-based reversible data hiding with public key cryptosystem. J. Vis. Commun. Image Represent.
**25:**, 1164–1170 (2014).View ArticleGoogle Scholar - X Zhang, J Long, Z Wang, H Cheng, Lossless and reversible data hiding in encrypted images with public key cryptography. IEEE Trans. Circ. Syst. for Video Technol.
**26**(9), 1622–1631 (2016).View ArticleGoogle Scholar - J Fridrich, M Goljan, P Lisonek, D Soukal, Writing on wet paper. IEEE Trans. Signal Proc.
**53**(10), 3923–3935 (2005).MathSciNetView ArticleGoogle Scholar - D Knuth, The art of computer programming, 3rd edition Chapter 4, vol. 2 (Addison-Wesley, 1997).Google Scholar