636 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY, VOL. 26, NO. 4, APRIL 2016

Reversible Data Hiding in Encrypted Images With Distributed Source Encoding

Zhenxing Qian, Member, IEEE, and Xinpeng Zhang, Member, IEEE

Abstract— This paper proposes a novel scheme of reversible data hiding in encrypted images using distributed source coding. After the original image is encrypted by the content owner using a stream cipher, the data-hider compresses a series of selected bits taken from the encrypted image to make room for the secret data. The selected bit series is Slepian–Wolf encoded using low-density parity check codes. On the receiver side, the secret bits can be extracted if the image receiver has the embedding key only. In case the receiver has the encryption key only, he/she can recover the original image approximately with high quality using an image estimation algorithm. If the receiver has both the embedding and encryption keys, he/she can extract the secret data and perfectly recover the original image using the distributed source decoding. The proposed method outperforms the previously published ones.

Index Terms— Image encryption, image recovery, reversible data hiding (RDH).

I. INTRODUCTION

INFORMATION processing in the encrypted domain has attracted considerable research interest [1]. In many applications, such as cloud computing and delegated calculation, the content owner needs to transmit data to a remote server for further processing. In some cases, the content owner may not trust the service supplier and needs to encrypt the data before uploading. Thus, the service provider must be able to do the processing in the encrypted domain. Some works have been done for data processing in an encrypted domain, for example, compressing encrypted images [2]–[4], adding a watermark into the encrypted image [5], [6], and reversibly hiding data into the encrypted image [7]–[13].

Unlike robust watermarking, reversible data hiding (RDH) emphasizes perfect image reconstruction and data extraction, but not robustness against malicious attacks [14]. Many RDH methods for plaintext images have been proposed [15]–[19], for example, a common framework of redundancy compression [14], difference expansion [15], and histogram shifting (HS) [16] approaches. However, these are not applicable to encrypted images since the redundancy in the original image cannot be used directly after image encryption.

Manuscript received February 2, 2014; revised May 19, 2014 and December 10, 2014; accepted March 24, 2015. Date of publication April 1, 2015; date of current version April 1, 2016. The work was supported in part by the National Natural Science Foundation of China under Grant 61472235 and Grant 61103181, in part by the Shanghai Rising-Star Program under Grant 14QA1401900, in part by the Program for Professor of Special Appointment Eastern Scholar through the Shanghai Institutions of Higher Learning, in part by the Shanghai Pujiang Program under Grant 13PJ1403200, and in part by the Shanghai Key Laboratory of Intelligent Information Processing under Grant IIPL-2014-006. This paper was recommended by Associate Editor T. Kalker.

The authors are with the School of Communication and Information Engineering, Shanghai University, Shanghai 200444, China (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TCSVT.2015.2418611

As a new trend, RDH in encrypted images allows the service provider to embed additional messages, e.g., image metadata, labels, notations, or authentication information, into the encrypted images without accessing the original contents. The original image is required to be perfectly recovered and the hidden message completely extracted on the receiving side. RDH in encrypted images is desirable. For example, in medical applications, a patient does not allow his/her medical images to be revealed to any outsiders, while the database administrator may need to embed medical records or the patient's information into the encrypted images. On the other hand, the original medical image for diagnosis must be recovered without error after decryption and retrieval of the hidden message. The emerging methods [7]–[13] on RDH in encrypted images are reviewed in Section II.

This paper aims to enhance embedding payload in encrypted images. We propose a separable RDH method for encrypted images using Slepian–Wolf source encoding [21]. The idea is inspired by the distributed source coding (DSC) [3], [22], [23], in which we encode the selected bits taken from the stream-ciphered image using low-density parity check (LDPC) codes [24] into syndrome bits to make room to accommodate the secret data. With two different keys, the proposed method is separable. The hidden data can be completely extracted using the embedding key and the original image can be approximately reconstructed with high quality using the encryption key. With both keys available, the hidden data can be completely extracted and the original image perfectly recovered with the aid of some estimated side information. The proposed method achieves a high embedding payload and good image reconstruction quality, and avoids the operations of room reserving by the sender.

The rest of this paper is organized as follows. Previous works of RDH in encrypted images are surveyed in Section II. The proposed system is described in Section III. Section IV presents the procedures of image encryption and data embedding. Data extraction and image recovery are elaborated in Section V. Section VI presents the experimental results and Section VII discusses the proposed method. Section VIII concludes this paper.

II. PREVIOUS WORKS

In this section, the state-of-the-art RDH techniques for embedding secret messages in encrypted images are reviewed.

1051-8215 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


TABLE I

TERMS USED IN THIS PAPER

RDH methods for encrypted images are usually designed for applications in which the data-hider and the image owner are not the same party. The data-hider cannot access the image content, and the secret message is held by the data-hider. Thus, encryption is done by the sender, hiding by the data-hider, and data extraction and/or image reconstruction by the receiver. For ease of discussion, explanations of some frequently used terms are listed in Table I.

The existing RDH methods for encrypted images can be classified into two categories: 1) vacating room after encryption (VRAE) and 2) vacating room before encryption (VRBE) [11].

In VRAE, the original image is encrypted directly by the sender, and the data-hider embeds the additional bits by modifying some bits of the encrypted data. The idea was first proposed in [7], in which the owner encrypts the original image by Advanced Encryption Standard, and the data-hider embeds 1 bit in each block containing n pixels, meaning that the embedding rate is 1/n bpp. On the receiver side, data extraction and image recovery are realized by analyzing the local standard deviation during decryption of the marked encrypted image. This method requires that image decryption and data extraction be done jointly. In other words, extraction and decryption are inseparable.

With a different idea, Zhang [8] proposed a practical RDH method for encrypted images in which the data-hider divides the encrypted image into blocks and embeds 1 bit into each block by flipping three least significant bits (LSBs) of half the pixels in the block. On the receiver side, the marked encrypted image is decrypted to an approximate image. The receiver flips the three LSBs of pixels to form a new block. Due to spatial correlation in natural images, the original block is presumed to be much smoother than the interfered block. Thus, the embedded bits can be extracted and the original image recovered jointly. The embedding rate of this method depends on the block size. If an inappropriate block size is chosen, errors may occur during data extraction and image recovery. This method was improved in [9] by exploiting spatial correlation between neighboring blocks and using a side-match algorithm to achieve a better embedding payload with much lower error rates in image recovery. Both methods [8] and [9] are feasible based on the spatial correlation in natural images. Data extraction and image recovery, however, are inseparable.

To overcome the drawback of inseparability in [7]–[9], a separable RDH scheme was proposed for encrypted images in [10]. The data-hider pseudorandomly permutes and divides the encrypted image into groups with a size of L. The P LSB planes of each group are compressed with a matrix G sized (P · L − S) × P · L to generate corresponding vectors. Thus, S bits are available for data embedding. On the receiver side, a total of (8 − P) most significant bits (MSBs) of pixels are obtained by decryption. The receiver then estimates the P LSBs by the MSBs of neighboring pixels. By comparing the estimated bits with the vectors in the coset corresponding to the extracted vectors, the receiver can recover the original bits of the P LSBs. Because the additional bits are embedded in LSBs of the encrypted images, which can be extracted directly before image recovery, data extraction and image recovery are therefore separable. In addition, this method achieves a better embedding rate than [8] and [9]. Another separable method was proposed in [12], in which the data-hider embeds additional bits by an HS and n-nary data hiding scheme, greatly improving the embedding payload as compared with [8]–[10]. However, as the original image is encrypted with pixel permutation and affine transformation, leakage of image histogram is inevitable under exhaustive attack.

In VRBE, the original images are processed by the owner before encryption to create spare space for data embedding, and the secret data are embedded into specified positions by the data-hider. For example, the method in [11] creates embedding room in the plaintext image by embedding LSBs of certain pixels into other pixels using a traditional RDH method. The preprocessed image is then encrypted by the owner to generate an encrypted image. Thus, positions of these vacated LSBs in the encrypted image can be used by the data-hider, and a large payload, up to 0.5 bpp, can be achieved. With a similar idea, another method based on an estimation technique was proposed in [13], in which a large portion of pixels are used to estimate the rest before encryption, and the final version of the encrypted image is formulated by concatenating the encrypted estimating errors and a large group of encrypted pixels. Additional bits can be embedded into the encrypted image by modifying the estimated errors. With this method, the peak signal-to-noise ratio (PSNR) of the approximate image reconstructed by the receiver is higher than with the previous methods.

Both [11] and [13] are separable RDH methods with good embedding rates and reconstruction capability, but require an additional RDH operation by the sender before image encryption. That means the issue of RDH in encrypted images is actually transformed into a traditional RDH in the plaintext images.

Fig. 1. Sketch of the proposed system.

In summary, methods in both VRAE and VRBE categories are effective for RDH in encrypted images. However, there are some limitations. In VRAE RDH methods for encrypted images, an estimation technique is necessary for the receiver, because no prior information of the original content is available except that he/she knows that the cover is a natural image. In traditional methods, LSB planes of the encrypted image are modified to accommodate the additional message, and the image recovery is based on estimating the original LSB planes with an assessment criterion, such as the fluctuation function in [8]–[10]. Because these estimations are not accurate enough, the recovery is only suitable for the case when a small number of additional bits were embedded.

Although VRBE can achieve a higher payload, it requires that the sender perform an extra RDH before image encryption. This may be impractical in case the sender has no idea of the forthcoming data hiding by the data-hider, or he/she has no computational capability for the traditional RDH. On the other hand, in case the sender can reserve room for embedding by reversibly hiding redundant bits into the original plain image, all embedding tasks can also be done on the sender side and then the data-hider becomes redundant.

In view of these problems, we propose a method to achieve high embedding payload by combining the MSB estimation with DSC. As estimating the MSB is much more accurate than estimating LSB planes, the original data of the MSB plane can be recovered by DSC decoding with an acceptable decoding error probability. In other words, large embedding capacity can be achieved by this kind of combination.

III. SYSTEM DESCRIPTION

The proposed system is sketched in Fig. 1, which consists of three phases: 1) image encryption; 2) data embedding; and 3) data extraction/image recovery. In phase I, the sender encrypts the original image into an encrypted image using a stream cipher and an encryption key. In phase II, the data-hider selects and compresses some MSB of the secret image using LDPC codes to generate a spare space, and embeds additional bits into the encrypted image using an embedding key. In phase III, the receiver extracts the secret bits using the embedding key. If he/she has the encryption key, the original image can be approximately reconstructed via image decryption and estimation. When both the encryption and embedding keys are available, the receiver can extract the compressed bits, and implement the distributed source decoding using the estimated image as side information to perfectly recover the original image.

IV. IMAGE ENCRYPTION AND DATA EMBEDDING

A. Image Encryption

Without loss of generality, we assume the original image $O$ is a grayscale image with all pixel values falling into [0, 255], and the image size is $M \times N$, where both $M$ and $N$ are powers of 2. First, the image owner turns the original image into plain bits by decomposing each pixel into 8 bits using

$$b_{i,j,u} = \lfloor O_{i,j} / 2^{u} \rfloor \bmod 2, \quad u = 0, 1, 2, \ldots, 7 \tag{1}$$

where $O_{i,j}$ are the pixels of the original image, $1 \le i \le M$ and $1 \le j \le N$.

The owner then chooses an encryption key $K_{ENC}$ to generate pseudorandom bits using a stream cipher function (e.g., RC4 or SEAL), and encrypts the bitstream of the original image by

$$e_{i,j,u} = b_{i,j,u} \oplus k_{i,j,u}, \quad u = 0, 1, 2, \ldots, 7 \tag{2}$$

where $k_{i,j,u}$ are the key stream bits, $e_{i,j,u}$ are the generated cipher text, and $\oplus$ denotes the exclusive OR.

Accordingly, the encrypted image $E$ can be constructed by

$$E_{i,j} = \sum_{u=0}^{7} e_{i,j,u} \cdot 2^{u} \tag{3}$$

where $E_{i,j}$ are the pixel values of the encrypted image, $1 \le i \le M$ and $1 \le j \le N$. Note that the stream cipher in (2) only scrambles pixel values but does not shuffle pixel locations.

Fig. 2. Example of image decomposing.

B. Data Embedding

After image encryption, the content owner sends the encrypted image to the data-hider. To embed additional data into the image, the data-hider first decomposes the encrypted image $E$ into four subimages $E^{(1)}$, $E^{(2)}$, $E^{(3)}$, and $E^{(4)}$, each sized $M/2 \times N/2$

$$\begin{cases} E^{(1)}(i,j) = E(2i-1,\, 2j-1) \\ E^{(2)}(i,j) = E(2i-1,\, 2j) \\ E^{(3)}(i,j) = E(2i,\, 2j-1) \\ E^{(4)}(i,j) = E(2i,\, 2j) \end{cases} \qquad \begin{aligned} i &= 1, 2, \ldots, M/2 \\ j &= 1, 2, \ldots, N/2 \end{aligned} \tag{4}$$

where $E^{(k)}(i,j)$ ($k = 1, \ldots, 4$) are the pixels of the subimages. Fig. 2 shows an example, in which a 4 × 4 image is downsampled to four 2 × 2 subimages.

Bits of the three MSB planes of the subimages $E^{(2)}$, $E^{(3)}$, and $E^{(4)}$ are collected, resulting in a total of $3MN/4$ bits. Using a selection key $K_{SL}$, the data-hider pseudorandomly selects $L$ bits ($1 \le L \le 3MN/4$) from them and shuffles the selected bits. The shuffling is controlled by a shuffle key $K_{SF}$.

Call $\alpha = L/(3MN/4)$ the selection ratio, and divide the shuffled bits into $K = \lfloor L/n \rfloor$ groups, each containing $n$ bits. Denote the bits in each group as $C(k, l)$ where $k = 1, 2, \ldots, K$ and $l = 1, 2, \ldots, n$. Next, the data-hider uses the Slepian–Wolf codes to compress the selected bits $C$. Define an LDPC matrix $H$ sized $r \times n$ ($0 < r < n$), whose construction will be discussed in the following section. Transform each segment into corresponding syndrome bits by calculating

$$[S(k,1),\, S(k,2),\, \ldots,\, S(k,r)] = [C(k,1),\, C(k,2),\, \ldots,\, C(k,n)] \cdot H^{T}, \quad k = 1, 2, \ldots, K \tag{5}$$

where the arithmetic is modulo-2, $k$ is the group index, and $S$ is the resulting syndrome.

Fig. 3. DSC and distributed source decoding.

According to (5), groups $[C(k,1), C(k,2), \ldots, C(k,n)]$ are compressed into $[S(k,1), S(k,2), \ldots, S(k,r)]$. Thus, $n - r$ bits are vacated for data hiding. Assuming there are $K(n - r)$ additional bits to be embedded, the data-hider encrypts these data using a stream cipher algorithm such as RC4 or SEAL with another key $K_{SC}$. Divide the encrypted additional bits into $K$ segments and append each segment to $[S(k,1), S(k,2), \ldots, S(k,r)]$ to create a composition $[C'(k,1), C'(k,2), \ldots, C'(k,n)]$. $[C(k,1), C(k,2), \ldots, C(k,n)]$ are then replaced with $[C'(k,1), C'(k,2), \ldots, C'(k,n)]$ and put into the original MSB positions after inverse shuffling using the shuffle key $K_{SF}$. This way, a marked encrypted image is generated.

The keys $K_{SL}$, $K_{SF}$, and $K_{SC}$ constitute the embedding key $K_{EMB} = (K_{SL}, K_{SF}, K_{SC})$. Through a trusted channel, the embedding key $K_{EMB}$ and parameters $PR = (L, n, r)$ are transmitted to the receiver.

C. Virtual Channel and Embedding Rate

As the proposed method is based on DSC, we only use the LDPC matrix $H$ to generate the syndrome bits that compress $n$ bits into $r$ bits. Here, the ratio $\beta$ should be determined by correlation statistics between the source and the side information. DSC is shown in Fig. 3, in which $X$ is the source to be encoded, $Y$ is the side information for decoding, and a virtual channel between $X$ and $Y$ is assumed [25].

According to the Slepian–Wolf theorem of DSC [22], $X$ can be compressed with the rate

$$R \ge H(X|Y) \tag{6}$$

where $H(x) = -x \cdot \log(x) - (1 - x) \cdot \log(1 - x)$ is the entropy function.

Suppose we hide data into the spare room generated by compressing the source $X$ with an ideal Slepian–Wolf encoding. Thus, the embedding capacity is

$$C_{SW} \le H(X) - R = H(X) - H(X|Y). \tag{7}$$

For statistically independent identically distributed (i.i.d.) binary source $X$ and $Y$, the embedding capacity is

$$C_{EB} \le 1 - H(q) \tag{8}$$

where $q$ is the crossover probability of the virtual channel.

In the proposed method, $L$ bits are selected from $MN$ pixels as the embedding cover. Although the selected bits may be highly correlated, the correlation is weakened after pseudorandom shuffling and segmentation. These bits can be assumed i.i.d., and the virtual channel can be treated as a binary symmetric channel with error probability $q$. Thus, the upper bound of embedding rate in bits per pixel is

$$R_C = \frac{L}{MN} \cdot C_{EB} = \frac{3}{4}\alpha[1 - H(q)]. \tag{9}$$

With the LDPC algorithm for Slepian–Wolf compression, the actual embedding rate is less than the bound $R_C$. During data hiding, a total of $(n - r) \cdot K$ bits are reserved in all groups to accommodate the secret data. Thus, the actual embedding rate between the amount of secret bits and the total number of pixels in bits per pixel is

$$R_E = \frac{(n - r) \cdot K}{MN} \approx \frac{(1 - \beta)L}{MN} = \frac{3}{4}\alpha(1 - \beta) \tag{10}$$

where $\beta = r/n$.

From the value of $q$, the ratio $\beta$ can be determined, and the LDPC matrix $H$ can be constructed in several different forms. The data-hider arbitrarily chooses a parity-check matrix $H$ corresponding to a regular or irregular LDPC code by setting the numbers of variable nodes and the check nodes. Algorithms have been proposed for the matrix construction, for example, matrices used in Gallager codes, MacKay codes, and finite geometry codes. Details of the LDPC matrix $H$ can be found in [23]. Since the data-hider has no knowledge of the virtual channel and there is no feedback channel between the data-hider and the receiver, a precise $q$ cannot be determined for every image. Therefore, an empirical value of $q$ suitable for most natural images can be specified, which will be discussed in Section VI.

V. DATA EXTRACTION AND IMAGE RECOVERY

On the receiver end, with the marked encrypted image, the hidden data can be extracted using the embedding key, and the original image can be approximately reconstructed using the encryption key, or losslessly recovered using both of the keys. Three cases are analyzed in Sections V-A–V-C, respectively, in which the receiver has the embedding key only, the encryption key only, and both. We denote the received encrypted image containing secret data as $V$.

A. Data Extraction

In the first case, the receiver extracts the embedded secret data using the embedding key $K_{EMB}$ and the parameters $PR = (L, n, r)$, where $K_{EMB} = (K_{SL}, K_{SF}, K_{SC})$. Divide $V$ into four subimages $V^{(1)}$, $V^{(2)}$, $V^{(3)}$, and $V^{(4)}$ using the same algorithm of (4). Collect all bits in the MSB planes of $V^{(2)}$, $V^{(3)}$, and $V^{(4)}$, and select $L$ bits according to the selection key $K_{SL}$. Shuffle the selected bits using the shuffle key $K_{SF}$ and divide the shuffled bits into $K$ groups, each containing $n$ bits. Denote the bits in each group as $D(k, l)$, where $k = 1, 2, \ldots, K$ and $l = 1, 2, \ldots, n$. For each group, extract the last $(n - r)$ bits $[D(k, r+1), D(k, r+2), \ldots, D(k, n)]$. Thus, the secret data can be reproduced by concatenating all the extracted bits from all $K$ groups, and decrypted to the plaintext message using the key $K_{SC}$.
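The embedding of Section IV-B and the key-only extraction of Section V-A, as an added Python sketch that is not the authors' code. Assumptions: Python's `random` module stands in for the stream cipher and for the keyed selection and shuffle, the matrix `H` is a small random binary matrix rather than a designed LDPC code, and the 8 × 8 image, the integer keys and all function names are constructed for illustration.

```python
import random

# Python's random module stands in for the stream cipher and the keyed
# selection/shuffle. It is NOT cryptographically secure (sketch assumption).

def encrypt_image(img, k_enc):
    """Eq. (1)-(3): XOR the 8 bits of every pixel with key-stream bits."""
    rng = random.Random(k_enc)
    return [[p ^ rng.getrandbits(8) for p in row] for row in img]

def selected_positions(M, N, L, k_sl, k_sf):
    """Pixels of E(2), E(3), E(4) per eq. (4) (0-based here); K_SL picks L of
    them, K_SF shuffles the picked ones."""
    pool = []
    for di, dj in ((0, 1), (1, 0), (1, 1)):
        pool += [(i, j) for i in range(di, M, 2) for j in range(dj, N, 2)]
    chosen = random.Random(k_sl).sample(pool, L)
    random.Random(k_sf).shuffle(chosen)
    return chosen

def syndrome(H, c):
    """Eq. (5): S = C . H^T modulo 2, with H given as r rows of n bits."""
    return [sum(h & b for h, b in zip(row, c)) % 2 for row in H]

def keystream(key, count):
    rng = random.Random(key)
    return [rng.getrandbits(1) for _ in range(count)]

def embed(E, secret, H, L, keys):
    """Replace each n-bit MSB group by r syndrome bits + (n - r) secret bits."""
    k_sl, k_sf, k_sc = keys
    r, n = len(H), len(H[0])
    K = L // n
    if len(secret) != K * (n - r):
        raise ValueError("payload must be exactly K*(n-r) bits")
    pos = selected_positions(len(E), len(E[0]), L, k_sl, k_sf)
    enc = [s ^ k for s, k in zip(secret, keystream(k_sc, len(secret)))]
    V = [row[:] for row in E]
    for k in range(K):
        grp = pos[k * n:(k + 1) * n]
        c = [E[i][j] >> 7 for i, j in grp]
        new = syndrome(H, c) + enc[k * (n - r):(k + 1) * (n - r)]
        # Writing by position undoes the shuffle: each bit lands in one MSB.
        for (i, j), bit in zip(grp, new):
            V[i][j] = (E[i][j] & 0x7F) | (bit << 7)
    return V

def extract(V, L, n, r, keys):
    """Section V-A: only K_EMB and (L, n, r) are needed, not K_ENC or H."""
    k_sl, k_sf, k_sc = keys
    pos = selected_positions(len(V), len(V[0]), L, k_sl, k_sf)
    bits = []
    for k in range(L // n):
        grp = pos[k * n:(k + 1) * n]
        bits += [V[i][j] >> 7 for i, j in grp][r:]
    return [b ^ k for b, k in zip(bits, keystream(k_sc, len(bits)))]

def demo():
    M = N = 8                                   # constructed 8x8 test image
    img = [[(16 * i + 8 * j) % 256 for j in range(N)] for i in range(M)]
    rng = random.Random(7)
    r, n, L = 8, 12, 48                         # toy sizes: K = 4, payload 16 bits
    H = [[rng.getrandbits(1) for _ in range(n)] for _ in range(r)]
    keys = (11, 22, 33)                         # (K_SL, K_SF, K_SC), constructed
    secret = [rng.getrandbits(1) for _ in range((L // n) * (n - r))]
    E = encrypt_image(img, 99)                  # 99 plays the role of K_ENC
    V = embed(E, secret, H, L, keys)
    return img, E, V, H, secret, extract(V, L, n, r, keys)

if __name__ == "__main__":
    img, E, V, H, secret, out = demo()
    print("payload recovered:", out == secret, "rate:", len(secret) / 64, "bpp")
```

Only the MSBs of the selected pixels differ between `E` and `V`, which is why the seven lower bit planes remain available to the estimation step of Section V-B.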

B. Image Decryption and Estimation

In the second case, since the receiver has the encryption key but not the embedding key, he can reconstruct an approximate image based on image estimation.

Denote pixels in $V$ as $V'_{i,j}$ ($1 \le i \le M$, $1 \le j \le N$). Decompose $V'_{i,j}$ into 8 bits $v'_{i,j,0}, v'_{i,j,1}, \ldots, v'_{i,j,7}$ using (1), and decrypt the bits with the stream cipher

$$b'_{i,j,u} = v'_{i,j,u} \oplus k_{i,j,u}, \quad u = 0, 1, 2, \ldots, 7 \tag{11}$$

where $k_{i,j,u}$ are the key stream bits generated by the encryption key. Values of the decrypted image can be constructed from the deciphered bits using (3). We denote the decrypted image as $A$.

Without the embedding key, the selected pixels that contain secret bits cannot be identified. To approximately recover the content, the receiver downsamples the decrypted image $A$ into four subimages $A^{(1)}$, $A^{(2)}$, $A^{(3)}$, and $A^{(4)}$ according to (4). Pixel values in subimage $A^{(1)}$ are the same as the pixel values in the original image, while part of the MSBs of the pixels in $A^{(2)}$, $A^{(3)}$, and $A^{(4)}$ may differ from those in the original image. As a result, an estimation algorithm is defined to do the approximate reconstruction.

The receiver generates a reference image $B$ sized $M \times N$ from the subimage $A^{(1)}$ using bilinear interpolation. Then, he/she downsamples $B$ into four subimages $B^{(1)}$, $B^{(2)}$, $B^{(3)}$, and $B^{(4)}$. With $A^{(k)}$ and $B^{(k)}$, the estimated subimages $A'^{(k)}$ ($k = 2, 3, 4$) can be generated using

$$A'^{(k)}(i,j) = \begin{cases} 128 + \operatorname{mod}(A^{(k)}(i,j), 128), & \text{if } \left|128 + \operatorname{mod}(A^{(k)}(i,j), 128) - B^{(k)}(i,j)\right| < \left|\operatorname{mod}(A^{(k)}(i,j), 128) - B^{(k)}(i,j)\right| \\ \operatorname{mod}(A^{(k)}(i,j), 128), & \text{otherwise} \end{cases} \quad (k = 2, 3, 4;\ i = 1, 2, \ldots, M/2;\ j = 1, 2, \ldots, N/2) \tag{12}$$

Because the last seven LSBs in the subimages $A^{(k)}$ ($k = 2, 3, 4$) are unchanged during data hiding, the interpolated values in $B^{(k)}$ are used to optimize the MSB planes in $A^{(k)}$. For each subimage $A^{(k)}$ ($k = 2, 3, 4$), on the $(i, j)$th position ($1 \le i \le M/2$ and $1 \le j \le N/2$), if the calculated value $\operatorname{mod}(A^{(k)}(i,j), 128) + 128$ is closer to the interpolated value $B^{(k)}(i,j)$ than $\operatorname{mod}(A^{(k)}(i,j), 128)$, the MSB of the $(i, j)$th pixel is estimated to be 1; otherwise 0.

At this point, the receiver can compose subimages $A'^{(1)}$, $A'^{(2)}$, $A'^{(3)}$, and $A'^{(4)}$ to generate an estimated image $A'$

$$\begin{cases} A'(2i-1,\, 2j-1) = A^{(1)}(i,j) \\ A'(2i-1,\, 2j) = A'^{(2)}(i,j) \\ A'(2i,\, 2j-1) = A'^{(3)}(i,j) \\ A'(2i,\, 2j) = A'^{(4)}(i,j) \end{cases} \qquad \begin{aligned} i &= 1, 2, \ldots, M/2 \\ j &= 1, 2, \ldots, N/2. \end{aligned} \tag{13}$$

Here, $A'(r, s)$ ($r = 1, 2, \ldots, M$ and $s = 1, 2, \ldots, N$) are the pixels of the composed image. The estimated image $A'$ is the approximate image reconstructed by the receiver.

The proposed estimation algorithm can also be used to find the empirical error probability $q$ of the virtual channel. With a database containing numerous natural images, we perform the estimation algorithm to generate estimated images. Calculate the differences of the MSBs of the last three subimages between the original and estimated images. The largest error probability is chosen as $q$ for generating the LDPC matrix $H$.
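The MSB estimation of (12) and the measurement of the empirical error probability q, as an added Python sketch that is not the authors' code. Assumptions: the interpolation replicates the last A(1) row and column at the image border (the paper does not specify border handling), and the 16 × 16 gradient image with one outlier pixel, the function names and the seed are constructed for illustration.

```python
import random

def reference_image(A):
    """Reference B: bilinear interpolation of the A(1) samples, which sit at
    even row/column (0-based). Border replication is a sketch assumption."""
    M, N = len(A), len(A[0])
    B = [[0.0] * N for _ in range(M)]
    for i in range(M):
        i0 = i - i % 2
        i1 = min(i0 + 2, M - 2) if i % 2 else i0
        for j in range(N):
            j0 = j - j % 2
            j1 = min(j0 + 2, N - 2) if j % 2 else j0
            B[i][j] = (A[i0][j0] + A[i0][j1] + A[i1][j0] + A[i1][j1]) / 4
    return B

def estimate_msbs(A):
    """Eq. (12): for every pixel outside A(1), keep the 7 LSBs and choose the
    MSB that brings the pixel closer to the interpolated reference."""
    B = reference_image(A)
    est = [row[:] for row in A]
    for i in range(len(A)):
        for j in range(len(A[0])):
            if i % 2 == 0 and j % 2 == 0:
                continue                      # A(1) pixel: never modified
            low = A[i][j] % 128
            high = low + 128
            est[i][j] = high if abs(high - B[i][j]) < abs(low - B[i][j]) else low
    return est

def empirical_q(original, estimated):
    """Fraction of wrongly estimated MSBs over the last three subimages."""
    errors = total = 0
    for i, row in enumerate(original):
        for j, p in enumerate(row):
            if i % 2 or j % 2:
                total += 1
                errors += (p >> 7) != (estimated[i][j] >> 7)
    return errors, total, errors / total

def demo():
    M = N = 16
    # Constructed smooth image crossing the 128 boundary, plus one outlier
    # pixel that the interpolation cannot predict.
    O = [[100 + 3 * i + 2 * j for j in range(N)] for i in range(M)]
    O[5][5] = 250
    # Decrypted marked image A: MSBs outside A(1) carry unknown embedded bits.
    rng = random.Random(1)
    A = [[p ^ (rng.getrandbits(1) << 7) if (i % 2 or j % 2) else p
          for j, p in enumerate(row)] for i, row in enumerate(O)]
    return O, A, estimate_msbs(A)

if __name__ == "__main__":
    O, A, est = demo()
    print("errors, bits, q =", empirical_q(O, est))
```

Because (12) uses only mod 128 of each pixel, the estimate is identical whatever bits were embedded, so the measured q depends on image content alone; sharp local detail such as the outlier is what produces MSB errors.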

C. Lossless Recovery

In the third case, if the receiver has both the encryption and embedding keys, he/she can extract the secret data correctly and recover the original image perfectly. Using the embedding key, the receiver collects the $L$ selected bits in the MSBs of the subimages, and separates the $(n - r) \cdot K$ secret bits from the $r \cdot K$ compressed bits. Denote the extracted $r \cdot K$ compressed bits as $S_e$ and divide $S_e$ into $K$ groups. Groups $[S_e(k,1), S_e(k,2), \ldots, S_e(k,r)]$ ($k = 1, 2, \ldots, K$) are used as side information for the distributed source decoder.

With the encryption key, the receiver constructs an approximate image $A'$ using the estimation algorithm proposed in Section V-B. Encrypt $A'$ by the stream cipher defined in (2), and downsample the encrypted image into four subimages. Extract the $L$ selected bits in the MSBs of the subimages and permute these bits using the shuffle key. We denote the shuffled bits as $U$. Divide $U$ into $K$ groups $[U(k,1), U(k,2), \ldots, U(k,n)]$ ($k = 1, 2, \ldots, K$), each containing $n$ bits.

Next, the log-likelihood ratios (LLRs) [23] are calculated using the predefined q:

$$
\mathrm{LLR}(k,i) = \log\frac{\Pr[R(k,i) = 0 \mid U(k,i)]}{\Pr[R(k,i) = 1 \mid U(k,i)]} = [1 - 2U(k,i)]\,\log\frac{1-q}{q}, \qquad i = 1, 2, \ldots, n. \tag{14}
$$

With the calculated LLR, the LDPC matrix H and the side information [Se(k, 1), Se(k, 2), . . . , Se(k, r)], the original bits can be recovered with an iterative belief propagation algorithm (BPA). Details of the iterative BPA decoding algorithm can be found in [3]. A diagram of decoding is shown in Fig. 4, where [R(k, 1), R(k, 2), . . . , R(k, n)] stands for the recovered source bits and k = 1, 2, . . . , K.

After replacing the MSB planes [U(k, 1), U(k, 2), . . . , U(k, n)] with [R(k, 1), R(k, 2), . . . , R(k, n)] to generate L refreshed bits that are subsequently reshuffled using the shuffle key, the corresponding MSB planes in the approximately recovered image A′ are updated, and the original image is thus recovered perfectly.
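The per-group exchange described above (syndrome formation by the data-hider, then LLR computation as in (14) and syndrome-constrained belief propagation by the receiver) can be traced on a single small group. The following is an added example, not the authors' code: the 4 × 6 matrix H is a constructed toy matrix rather than the LDPC matrix of [26], the function names are hypothetical, and the shuffling and stream encryption of the payload are omitted.

```python
import math

# Constructed toy parity-check matrix (an assumption for illustration, NOT the
# LDPC matrix of [26]): r = 4 checks, n = 6 bits, column weight 2, no 4-cycles.
H = [
    [1, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0],
    [0, 1, 0, 1, 0, 1],
    [0, 0, 1, 0, 1, 1],
]

def syndrome(H, bits):
    """Slepian-Wolf encoder: S = H * X over GF(2) (n bits -> r bits)."""
    return [sum(h & b for h, b in zip(row, bits)) % 2 for row in H]

def llr_from_side_info(U, q):
    """Eq. (14): LLR(i) = [1 - 2U(i)] * log((1 - q) / q)."""
    base = math.log((1 - q) / q)
    return [(1 - 2 * u) * base for u in U]

def sw_decode(H, S, U, q, max_iter=20):
    """Sum-product BP that searches for R with H*R = S, starting from U."""
    r, n = len(H), len(H[0])
    prior = llr_from_side_info(U, q)
    edges = [(c, v) for c in range(r) for v in range(n) if H[c][v]]
    v2c = {(c, v): prior[v] for c, v in edges}
    c2v = {}
    R = list(U)
    for _ in range(max_iter):
        for c, v in edges:  # check-node update; a syndrome bit of 1 flips the sign
            prod = 1.0
            for c2, v2 in edges:
                if c2 == c and v2 != v:
                    prod *= math.tanh(v2c[(c2, v2)] / 2)
            prod = max(min(prod, 1 - 1e-12), -1 + 1e-12)
            c2v[(c, v)] = (1 - 2 * S[c]) * 2 * math.atanh(prod)
        total = list(prior)  # variable-node update
        for c, v in edges:
            total[v] += c2v[(c, v)]
        R = [0 if t >= 0 else 1 for t in total]
        if syndrome(H, R) == S:
            return R, True
        for c, v in edges:
            v2c[(c, v)] = total[v] - c2v[(c, v)]
    return R, False

def embed_group(H, X, payload):
    """Data-hider: n selected bits -> r syndrome bits + (n - r) payload bits."""
    S = syndrome(H, X)
    if len(payload) != len(X) - len(S):
        raise ValueError("payload must be exactly n - r bits")
    return S + list(payload)

def extract_and_recover(H, marked, U, q):
    """Receiver with both keys: split the group, then decode X from S and U."""
    r = len(H)
    S, payload = marked[:r], marked[r:]
    R, ok = sw_decode(H, S, U, q)
    return payload, R, ok

if __name__ == "__main__":
    X = [1, 0, 1, 1, 0, 0]          # constructed source bits (original MSBs)
    marked = embed_group(H, X, [1, 0])
    U = [1, 0, 1, 0, 0, 0]          # constructed estimate with one wrong bit
    print(extract_and_recover(H, marked, U, 0.1))
```

The toy matrix corrects any single estimation error in the group; the payload bits are read directly from the marked group and never depend on the decoder succeeding.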

VI. EXPERIMENTAL RESULTS AND ANALYSIS

The proposed method is verified in experiments using standard gray images, all sized 512 × 512. In the Slepian–Wolf encoding and decoding, we use the same LDPC matrix H as used in [26] with q = 0.1, n = 6336, and r = 3840. Error probability of the virtual channel q is obtained by applying image estimation using a database containing 5000 natural images of various types. We find q = 0.1 is large enough for all these images, which guarantees error-free LDPC decoding. PSNR is used to evaluate the recovered image quality.

Fig. 4. Distributed source decoding using BPA.

A. Data Hiding/Extraction and Image Recovery

Fig. 5 shows a group of experimental results with Lena. After encrypting the original image Fig. 5(a) into Fig. 5(b) using the stream cipher, 196 608 bits of Fig. 5(b) are selected, with L = 3MN/4 and α = 1, and divided into 31 groups. Each group is encoded with LDPC to generate the corresponding syndrome, and 77 376 additional bits are embedded into the encrypted image. Fig. 5(c) shows the resulting encrypted image containing secret bits. The embedding rate is 0.2952 bpp.

On the receiver side, 77 376 secret bits can be completely extracted without error when the embedding key is known. With the encryption key only, an approximate image shown in Fig. 5(d) is obtained using the estimation algorithm in (12), with PSNR = 37.9 dB. Fig. 5(e) shows the differences between Fig. 5(a) and (d), with dark dots indicating the locations where the pixels in Fig. 5(d) differ from the corresponding ones in Fig. 5(a), and the white area meaning no difference. With both the encryption and embedding keys, the original image is perfectly recovered as shown in Fig. 5(f), which is identical to Fig. 5(a).

B. Comparison With VRAE Methods

Because no operation is required before image encryption on the sender side, the proposed method is a kind of VRAE. We compare the embedding payload and the approximate image quality of the method with some existing VRAE methods, including [7]–[10] and [12].

With the proposed method, a large embedding payload can be achieved. Table II shows the maximal embedding payloads of the VRAE methods. For all tested images sized 512 × 512, at most 77 376 bits can be embedded using the proposed scheme, and the embedding rate is 0.2952 bpp. With [7]–[10] and [12], the maximal embedding rates are merely 0.0625, 0.0039, 0.0039, 0.033, and 0.1776, respectively, indicating that the payload of the proposed method is much higher than that of the other five methods. For fair comparison, all six methods are realized under the condition that the original image be perfectly recovered and the embedded bits extracted without error on the receiver side, and we have used the parameters defined in all methods that achieve the highest embedding payload. The high payload of the proposed method is attributed to the combination of DSC and estimation. In [10], three LSBs are compressed using a linear transform to accommodate the secret message. In this case, compression is not sufficient, resulting in a low payload.

Fig. 5. RDH in Lena. (a) Original image. (b) Encrypted image. (c) Encrypted image containing secret data. (d) Recovered image. (e) Difference between (a) and (d). White: no difference. Black: difference. (f) Perfectly recovered image.

With the encryption key only, an approximate image can be reconstructed with high quality. Fig. 6 shows the curves of PSNR of the approximate images at different embedding rates. Because the pixels containing embedded bits cannot be identified without the embedding key, the receiver assumes that all 3MN/4 bits of the MSB planes in the last three subimages are modified. With the proposed method, the quality of the approximate image remains unchanged for all embedding rates. It is observed that the proposed approach outperforms the state-of-the-art RDH algorithms in most cases. In the five traditional VRAE methods, the receiver directly decrypts the received image to reconstruct an approximate image in case the receiver has the encryption key only. In this case, the recovered quality falls steeply with the increase in the embedding rate. This paper uses an estimation mechanism to guarantee a high-quality reconstructed image. Compared with the other methods, which are not compatible with a quality-improvement mechanism, the PSNR values are better.

TABLE II. EMBEDDING PAYLOAD COMPARISON BASED ON THE AMOUNT OF SECRET DATA (BITS) AND EMBEDDING RATE (bpp)

Fig. 6. Comparisons of four different approaches using the images. (a) Lena. (b) Baboon. (c) Lake. (d) Man.

C. Comparison With VRBE Methods

Comparisons of the quality of the approximate images with the VRBE methods in [11] and [13] are shown in Fig. 7. The approximate image quality of the proposed method is better at relatively high embedding rates than [11]. Because [11] vacates the embedding room before image encryption, the embedding rate can reach 0.5 bpp, which is higher than the proposed method. While the approximate image quality of [13] is better in most cases, the maximal embedding rate is much less than the proposed method. It should be noted that the comparisons are based on the finally generated approximate images, because an estimation algorithm is required to be used in the proposed method, while no estimation algorithm can be used in the other methods.

D. Maximal Embedding Rate Versus Value of q

In the proposed method, we use fixed error probability q for the virtual channel between the source and the side information. The empirically generated constant q = 0.1 can ensure perfect image recovery in general. However, in some cases, different q values may also be used. For example, the data-hider may have prior knowledge that the encrypted images are of the same type, e.g., X-ray images; or a feedback channel between the data-hider and the receiver for adaptive embedding may be available. In this case, a higher embedding rate can be achieved using a smaller q. In the test, we arbitrarily choose 500 different images from the UCID database [27], and turn all images into grayscale. With the proposed estimation algorithm, values of error probability q are shown in Fig. 8. The embedding rates corresponding to different q are shown in Fig. 9, in which RE is the actual embedding rate and RC is the bound of the embedding rate. The curves show that the embedding rate increases when q gets smaller. Table III presents the maximal embedding payload for some images in error-free decoding. Because we use a precise q value in this case, payloads higher than 0.2952 bpp (with q = 0.1) are achieved.

Fig. 7. Comparison of approximately recovered image quality in (a) [11] and (b) [13].

Fig. 8. Error probability q of 500 images.

If the data-hider chose an inappropriate q smaller than the estimated error probability, there would be no influence on the data extraction. In this case, the content of the original image cannot be perfectly recovered since DSC decoding would fail. However, an approximate image can still be generated with good quality, if the receiver has both the embedding and encryption keys. After identifying which bits on the MSB planes of the three subimages were selected by the data-hider using the embedding key, the receiver decrypts the image with the encryption key, and approximately recovers these bits using the proposed estimation algorithm in (12). Fig. 10 shows that the quality of the recovered images remains good, although it declines when the embedding rate increases.

Fig. 9. Actual embedding rate RE and the bound RC corresponding to different q.

TABLE III. MAXIMAL EMBEDDING PAYLOAD FOR DIFFERENT IMAGES


Fig. 10. Quality of approximately recovered images when Slepian–Wolf decoding fails.

VII. DISCUSSION

The proposed method belongs to the VRAE category. The purpose of this paper is to improve the embedding payload in comparison with the other VRAE methods. To this end, the MSB plane is used as the cover to accommodate additional bits. As the error probability q of estimating the MSB plane is much less than that of estimating the other planes, a much larger embedding payload can be achieved using DSC. During image reconstruction, although some noise would occur when directly decrypting the marked encrypted image, a provided estimation mechanism can be used to eliminate the noise. The proposed method is different from the method of [10]. In [10], some encrypted LSB planes are compressed using a linear transform to vacate embedding room, and the original image can be reconstructed by estimating the LSB planes. However, the efficiency of compression and LSB plane estimation is insufficient, resulting in a low embedding payload. To increase the payload, we have used the MSB plane and the LDPC-based DSC.

As to the embedding payload, VRBE substantially outperforms the previous VRAE method because VRBE has the advantage of handling the plaintext image by the sender. When comparing with VRBE methods, the embedding payload of the proposed method is not as large as that of [11], which in fact transforms the problem of RDH in encrypted image into the traditional RDH in the plaintext image. The flaw of [11] is that the sender is partly involved in the embedding computation, supposing he/she has the prior knowledge that a data embedding is to be done by the server. This might not be practical in case the sender has no idea about the possible data hiding, or has no computation capability other than image encryption. On the other hand, if the sender can do RDH himself, all tasks can be done on the sender side and the data-hider becomes redundant. Instead, embedding of the proposed method is entirely realized in the encrypted domain, and a high payload is achieved with the association of DSC decoding computation on the receiver side.

Two aspects of data security need to be considered: 1) security of the image content and 2) security of the additional message. The content owner does not allow the service provider to access the image content, and the data-hider does not allow adversaries to crack the embedded message. For the content owner, the original image is encrypted with a stream cipher algorithm using an encryption key KENC. For the data-hider, the additional bits are also encrypted with the stream cipher using another key KSC. Many stream cipher algorithms can be used, such as RC4 or SEAL. It is infeasible for the adversary to execute an exhaustive search if appropriate keys are used, e.g., the seed keys no less than 128 bits in RC4, or no less than 160 bits in SEAL. Thus, security of the image content and the additional message can be guaranteed.

The extraction security can also be guaranteed. On the data-hider side, L MSB bits are selected from 3MN/4 pixels using a selection key KSL, and shuffled by a shuffle key KSF. After compressing the shuffled L bits using DSC and appending the encrypted additional bits to the end of the compressed bits, a further reshuffle is done with the key KSF to generate the marked L bits that are put into the original MSB positions. For an adversary without both the embedding and encryption keys, the success rate of correctly extracting the hidden bits is as low as $1/(C^{L}_{3NM/4} \cdot L!)$. Supposing the adversary has the encryption key, after directly decrypting the marked encrypted image, the amount of pixels containing noises is about L/2. With the only L/2 MSB, the success rate of correctly extracting the additional bits is as low as $1/(C^{L/2}_{3NM/4-L/2} \cdot L!)$. Therefore, exhaustive searching is virtually impossible for the adversaries to extract the additional message provided M, N, and L are not too small.

Data extraction and image recovery are separable in the proposed method. Solutions to three different cases on the receiver side are provided with: 1) the encryption key only; 2) the embedding key only; and 3) both the encryption and embedding keys. There is yet another special situation in which the receiver obtains the encryption key first and unexpectedly receives the embedding key much later. In the previous VRAE methods, when the receiver acquires the embedding key later, he/she still cannot extract the hidden message from the decrypted image directly, unless the marked encrypted version has been saved (this is likely the case) and is used, or extra reencryption is carried out using the encryption key to regenerate a marked encrypted copy. In the proposed method, the receiver can save the MSB of the marked encrypted image before estimating the original image. After the embedding key is acquired later, he/she can extract the additional bits from the saved bits.

VIII. CONCLUSION

This paper proposes a scheme of RDH in encrypted images using DSC. After encrypting the original image with a stream cipher, some bits of MSB planes are selected and compressed to make room for the additional secret data. On the receiver side, all hidden data can be extracted with the embedding key only, and the original image approximately recovered with high quality using the encryption key only. When both the embedding and encryption keys are available to the receiver, the hidden data can be extracted completely and the original image recovered perfectly.

With the idea of DSC, the proposed method substantially increases the payload as compared with the existing VRAE methods. An LDPC matrix is used to generate corresponding syndromes. Associated with the estimated image generated from the proposed estimation algorithm, the receiver can decode these syndromes back to the original bits using iterative BPA decoding.

Because embedding operations are performed on the encrypted data, the data-hider cannot access the contents of the original image, which ensures security of the contents in data hiding. As the embedding and recovery are protected by the encryption and embedding keys, an adversary is unable to break into the system without these keys.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers and the editors for the thorough reviews and comments, and Prof. S. Wang for the constructive discussions.

REFERENCES

[1] Z. Erkin et al., “Protection and retrieval of encrypted multimedia content: When cryptography meets signal processing,” EURASIP J. Inf. Secur., vol. 2007, p. 078943, Dec. 2007.

[2] M. Johnson, P. Ishwar, V. Prabhakaran, D. Schonberg, and K. Ramchandran, “On compressing encrypted data,” IEEE Trans. Signal Process., vol. 52, no. 10, pp. 2992–3006, Oct. 2004.

[3] W. Liu, W. Zeng, L. Dong, and Q. Yao, “Efficient compression of encrypted grayscale images,” IEEE Trans. Image Process., vol. 19, no. 4, pp. 1097–1102, Apr. 2010.

[4] X. Zhang, G. Feng, Y. Ren, and Z. Qian, “Scalable coding of encrypted images,” IEEE Trans. Image Process., vol. 21, no. 6, pp. 3108–3114, Jun. 2012.

[5] M. Deng, T. Bianchi, A. Piva, and B. Preneel, “An efficient buyer-seller watermarking protocol based on composite signal representation,” in Proc. 11th ACM Workshop Multimedia Secur., 2009, pp. 9–18.

[6] S. Lian, Z. Liu, Z. Ren, and H. Wang, “Commutative encryption and watermarking in video compression,” IEEE Trans. Circuits Syst. Video Technol., vol. 17, no. 6, pp. 774–778, Jun. 2007.

[7] W. Puech, M. Chaumont, and O. Strauss, “A reversible data hiding method for encrypted images,” Proc. SPIE, Secur., Forensics, Steganogr., Watermarking Multimedia Contents X, vol. 6819, p. 68191E, Feb. 2008.

[8] X. Zhang, “Reversible data hiding in encrypted image,” IEEE Signal Process. Lett., vol. 18, no. 4, pp. 255–258, Apr. 2011.

[9] W. Hong, T.-S. Chen, and H.-Y. Wu, “An improved reversible data hiding in encrypted images using side match,” IEEE Signal Process. Lett., vol. 19, no. 4, pp. 199–202, Apr. 2012.

[10] X. Zhang, “Separable reversible data hiding in encrypted image,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 2, pp. 826–832, Apr. 2012.

[11] K. Ma, W. Zhang, X. Zhao, N. Yu, and F. Li, “Reversible data hiding in encrypted images by reserving room before encryption,” IEEE Trans. Inf. Forensics Security, vol. 8, no. 3, pp. 553–562, Mar. 2013.

[12] Z. Qian, X. Han, and X. Zhang, “Separable reversible data hiding in encrypted images by n-nary histogram modification,” in Proc. 3rd Int. Conf. Multimedia Technol. (ICMT), Guangzhou, China, 2013, pp. 869–876.

[13] W. Zhang, K. Ma, and N. Yu, “Reversibility improved data hiding in encrypted images,” Signal Process., vol. 94, pp. 118–127, Jan. 2014.

[14] T. Kalker and F. M. J. Willems, “Capacity bounds and constructions for reversible data-hiding,” in Proc. 14th Int. Conf. Digit. Signal Process. (DSP), 2002, pp. 71–76.

[15] J. Fridrich, M. Goljan, and R. Du, “Lossless data embedding for all image formats,” Proc. SPIE, Secur. Watermarking Multimedia Contents, vol. 4675, pp. 572–583, Apr. 2002.

[16] J. Tian, “Reversible data embedding using a difference expansion,” IEEE Trans. Circuits Syst. Video Technol., vol. 13, no. 8, pp. 890–896, Aug. 2003.

[17] Z. Ni, Y.-Q. Shi, N. Ansari, and W. Su, “Reversible data hiding,” IEEE Trans. Circuits Syst. Video Technol., vol. 16, no. 3, pp. 354–362, Mar. 2006.

[18] D. M. Thodi and J. J. Rodriguez, “Expansion embedding techniques for reversible watermarking,” IEEE Trans. Image Process., vol. 16, no. 3, pp. 721–730, Mar. 2007.

[19] L. Luo, Z. Chen, M. Chen, X. Zeng, and Z. Xiong, “Reversible image watermarking using interpolation technique,” IEEE Trans. Inf. Forensics Security, vol. 5, no. 1, pp. 187–193, Mar. 2010.

[20] X. Li, B. Yang, and T. Zeng, “Efficient reversible watermarking based on adaptive prediction-error expansion and pixel selection,” IEEE Trans. Image Process., vol. 20, no. 12, pp. 3524–3533, Dec. 2011.

[21] D. Slepian and J. K. Wolf, “Noiseless coding of correlated information sources,” IEEE Trans. Inf. Theory, vol. IT-19, no. 4, pp. 471–480, Jul. 1973.

[22] T. M. Cover and J. A. Thomas, Elements of Information Theory. New York, NY, USA: Wiley, 1991.

[23] S. S. Pradhan and K. Ramchandran, “Distributed source coding using syndromes (DISCUS): Design and construction,” IEEE Trans. Inf. Theory, vol. 49, no. 3, pp. 626–643, Mar. 2003.

[24] W. E. Ryan, “An introduction to LDPC codes,” in CRC Handbook for Coding and Signal Processing for Recording Systems, B. Vasic, Ed. Boca Raton, FL, USA: CRC Press, 2004.

[25] A. D. Liveris, Z. Xiong, and C. N. Georghiades, “Compression of binary sources with side information at the decoder using LDPC codes,” IEEE Commun. Lett., vol. 6, no. 10, pp. 440–442, Oct. 2002.

[26] D. Varodayan, A. Aaron, and B. Girod, “Rate-adaptive codes for distributed source coding,” Signal Process., vol. 86, no. 11, pp. 3123–3130, 2006.

[27] G. Schaefer and M. Stich, “UCID: An uncompressed color image database,” Proc. SPIE, Storage Retr. Methods Appl. Multimedia, vol. 5307, pp. 472–480, Dec. 2003.

Zhenxing Qian (M’12) received the B.S. and Ph.D. degrees from University of Science and Technology of China, Hefei, China, in 2003 and 2007, respectively.

He is an Associate Professor with the School of Communication and Information Engineering, Shanghai University, Shanghai, China. His research interests include data hiding, image processing, and digital forensics.

Xinpeng Zhang (M’11) received the B.S. degree in computational mathematics from Jilin University, Changchun, China, in 1995, and the M.E. and Ph.D. degrees in communication and information system from Shanghai University, Shanghai, China, in 2001 and 2004, respectively.

He has been with the School of Communication and Information Engineering, Shanghai University, since 2004, where he is currently a Professor. His research interests include information hiding, image processing, and digital forensics.