Reversible data hiding in encrypted AMBTC images

Abstract

Signal processing in the encrypted domain has attracted a lot of attention due to the requirement for content security and privacy protection. Reversible data hiding in encrypted images (RDH-EI) is also a hot topic. However, the majority of the published techniques are designed for uncompressed images rather than JPEG-, VQ- and BTC-compressed images. In this paper, for the first time, a RDH-EI method for AMBTC images is proposed. In the proposed method, the higher mean and lower mean of a triple in an AMBTC-compressed image are encrypted by using stream cipher at first. Then, additional data can be embedded into the redundant space by using prediction error histogram modification technique. Experimental results and analysis demonstrate that, with the marked cipher-image, legal receivers are able to extract embedded data exactly by using a data hiding key, decrypt it to recover an image very similar to the original one by using an image encryption key, or extract additional data and recover the original image error free with both keys. The proposed method is applicable to real-time transmission due to the simple implementation of the algorithm and low computational complexity.

1 Introduction

As one of the most significant information security research topic, data hiding is a technique that embeds additional data into a host signal while leaving little distortion, which can be classified into non-reversible [6, 28] and reversible data hiding (RDH) [18, 19]. According to different applications, it is often called watermarking [24] for copyright protection [10, 22, 33] or steganography [21] for convert communication. Steganography aims to embed additional data into digital media secretly by slightly modifying the cover data, while steganalysis [23, 25] attempts to reveal the presence of the embedded data. For reversible data hiding, the original cover signal can be recovered error-free and it is often achieved based on difference expansion (DE) [20] or histogram shifting (HS) [11]. For plaintext images, all these methods have good embedding efficiency. However, the original cover images have to be accessible to or seen by the data hider during the embedding process.

The needs of content security and privacy protection contribute to the emergence of signal processing in the encrypted domain (SPED) [2,3,4,5]. Reversible data hiding in encrypted images (RDH-EI), as one of the most commonly researched SPED topics, enables additional data to be embedded into a cipher-image without revealing the original image, and also allows the original image to be recovered error-free at the receiver side [13, 29].

The first RDH-EI method was proposed in [13]. In this method, the original image is encrypted with Advanced Encryption Standard (AES), and one bit can be embedded into a block consisting of n pixels. Therefore, the embedding rate of this method achieves 1/n bpp. On the receiver side, after decryption of the marked cipher-image, the analysis of the local standard deviation is indispensable for data extraction and image recovery. This is a good idea. However, the quality of the decrypted image is rather poor and far from human vision requirements if the receiver decrypts the marked encrypted image directly.

In 2011, an entirely new idea and method was proposed [29], in which the image owner can encrypt the original image by using a stream cipher and one bit additional data is embedded into cipher-image by flipping the three least significant bits (LSB) of pixels in each non-overlapping block. On the receiver side, the marked cipher-image is decrypted to obtain an image which is approximate to the original image. To form a new block, three LSBs of pixels in each block are flipped by the receiver and a function is used to estimate each block’s image-texture. The modified block is assumed to be rougher than the original block due to the spatial correlation of natural images. Therefore, the receiver can extract embedded bits and recover the original image jointly.

This well-known method has been the focus of great attention [7, 17, 32]. Hong et al. improved the performance by utilizing a side-match method to enhance the embedding rate while leaving lower error rates during the image recovery phase [7]. Furthermore, during data embedding in Qin and Zhang’s method [17], rather than flip the LSBs of half of the pixels, they flip the LSBs of fewer pixels, leading to significant visual improvement of the approximate image. To estimate the image-texture of each block, they utilize a new adaptive judging function, which is based on the distribution characteristic of local image contents, for the procedures of data extraction and image recovery. Consequently, to some extent, the errors of extracted bits and the recovered image decrease. It is obvious that the embedding rate of these methods largely depends on the size of each block. In other words, errors potentially appear during data extraction and image recovery with inappropriate block sizes. Recently, a RDH-EI method, which is based on a public key cryptosystem and homomorphic encryption, has been proposed [32]. In this method, cipher images are encrypted by public key cryptosystems with probabilistic and homomorphic properties. It is a lossless, reversible, and combined data hiding method for cipher images. In this lossless method, new values substitute for the cipher pixels so that additional bits can be embedded into several cipher pixels’ LSB-planes by using multi-layer wet paper coding. Afterwards, the embedded data are able to be extracted from the encrypted image directly, and the decryption of original image will not be affected by the data embedding operation. In this reversible method, a pretreatment, which is used to shrink the histogram of image before image encryption phase, is adopted. Therefore, no pixel oversaturation of plaintext images would happen when the encrypted images are modified to embed data. From the directly decrypted image, embedded data can still be extracted and the original content recovered when slight distortion is induced. Since the lossless and reversible methods are compatible, these two methods can be performed simultaneously in data embedding of encrypted image. Therefore, on the receiver side, a part of the embedded data can be extracted before decryption, another part of the embedded data can be extracted, and the original image can be recovered after decryption.

Up to now, the existing RDH-ED methods can be classified into two categories: vacating room before encryption [1, 31] and vacating room after encryption [8, 12, 15, 26, 27, 30]. However, all of the methods introduced above are focus on uncompressed images. To the best of our knowledge, there are few RDH-EI methods designed for compressed images such as JPEG (Joint Photographic Experts Group), BTC (Block Truncation Coding) and VQ (vector quantization). For JPEG images, Qian et al. proposed several methods recently [14, 16], in which additional data are embedded into the encrypted JPEG bit-stream, and the original bit-stream can be recovered by means of analyzing blocking artifacts induced by data hiding. In this paper, a RDH-EI method designed for AMBTC compressed images is proposed. AMBTC was proposed by Lema and Mitchell [9]. Compared with VQ and JPEG, AMBTC is more specifically suited to real-time application and less powerful processing application due to its lower computational complexity. It has been the subject of development in the real-time image transmission field. WSN (Wireless Sensor Networks), as low-power processor, needs not change the battery for at least 5 years or merely uses the solar energy. But WSN only has low bandwidth, low-end processors, and small amount of storage. That means AMBTC is required. The technique of AMBTC is described in detail in Section 2.

The proposed AMBTC RDH-EI method consists of three phases: image encryption, data embedding, and data extraction and image recovery. In the data embedding phase, the higher mean and lower mean of a triple in AMBTC-compressed image are encrypted by a stream cipher with the same random bits. Therefore, the block correlation of a natural image is preserved and the redundant space can be exploited by using the histogram of the prediction error in the data embedding phase. Experimental results and analysis demonstrate that, with the marked cipher-image, legal receivers are able to extract the embedded data exactly by using a data hiding key, decrypt it to get an image very similar to the original one by using an image encryption key, or extract additional data and recover the original image error free with both keys. In addition, the proposed method is applicable to real-time transmission due to the simple algorithm and low computational complexity.

2 AMBTC compression technique

To compress a gray-scale image I sized H × W, I is subdivided into non-overlapping m × n blocks. In total, N = ⌊H/m⌋ × ⌊W/n⌋ blocks can be obtained. We denote p _i , j as the j-th pixel of block P _i . Therefore, the i-th block is represented as P _i  = {p _i , 1, p _i , 2,  ⋯ , p _{i , m × n} }. The mean of P _i can be calculated as

$$ {\overline{P}}_i=\frac{1}{m\times n}\sum_{j=1}^{m\times n}{p}_{i,j} $$

(1)

The bit plane b _i  = {b _i , 1, b _i , 2,  ⋯ , b _{i , m × n} } is generated to record the comparative result between p _i , j and \( {\overline{P}}_i \)

$$ {b}_{i,j}=\left\{\begin{array}{l}0,{p}_{i,j}<{\overline{P}}_i\\ {}1,{p}_{i,j}\ge {\overline{P}}_i\end{array}\right. $$

(2)

For the i-th block, the lower mean l _i is the average of pixels whose values are smaller than \( {\overline{P}}_i \). Similarly, the higher mean h _i is the average of pixels whose values are not smaller than \( {\overline{P}}_i \). Therefore, the i-th block in I can be compressed into triple (l _i , h _i , b _i  = {b _i , 1, b _i , 2,  ⋯ , b _{i , m × n} }), and the AMBTC-compressed image \( \tilde{I} \) can be represented as \( {\left\{{l}_i,{h}_i,{b}_i\right\}}_{i=1}^N \).

To decode AMBTC-compressed image \( \tilde{I} \), each triple in \( {\left\{{l}_i,{h}_i,{b}_i\right\}}_{i=1}^N \) is visited. Suppose (l _i , h _i , b _i  = {b _i , 1, b _i , 2,  ⋯ , b _{i , m × n} }) is decoded as \( {\tilde{P}}_i=\left\{{\tilde{p}}_{i,1},{\tilde{p}}_{i,2},\cdots, {\tilde{p}}_{i,m\times n}\right\} \). If b _i , j  = 0, then \( {\tilde{p}}_{i,j}={l}_i \). Otherwise, if b _i , j  = 1, then \( {\tilde{p}}_{i,j}={h}_i \). After all block are processed in the same way, the AMBTC-compressed image can be obtained.

3 Proposed method

The detail of the proposed method is presented in this section. The proposed method is divided into three phases: image encryption, data embedding, and data extraction and image recovery. The diagram of the proposed method is shown in Fig. 1. The image owner encrypts an AMBTC-compressed image with an image encryption key. Then, using a data-hiding key, the data owner can embed additional data into the encrypted AMBTC image in the absence of the original image content. On the receiver side, with the marked cipher AMBTC image which contains additional data, a legal receiver is able to extract the embedded data by using the data-hiding key, or decrypt it directly by using the image encryption key, or extract data and recover the original AMBTC image error-free by using both keys.

Fig. 1

Diagram of the proposed method

3.1 Image encryption

Stream cipher is a typical encryption method and is commonly used in image encryption [8, 30]. Supposing the AMBTC image \( \tilde{I} \) consists of N triples. For the i-th block, the triple is (l _i , h _i , b _i  = {b _i , 1, b _i , 2,  ⋯ , b _{i , m × n} }). It is obvious that l _i and h _i fall into [0, 255]. Denote the bits of l _i as l _i , 0, l _i , 1, ⋯, l _i , 7. Thus

$$ {l}_{i,j}=\left\lfloor \frac{l_i}{2^j}\right\rfloor \operatorname{mod}2,j=0,1,\cdots 7 $$

(3)

Similarly

$$ {h}_{i,j}=\left\lfloor \frac{h_i}{2^j}\right\rfloor \operatorname{mod}2,j=0,1,\cdots 7 $$

(4)

Then encrypt l _i , j and h _i , j by using exclusive or operation. For h _i

$$ {H}_{i,j}={h}_{i,j}\oplus {r}_{i,j},j=0,1,\cdots, 7 $$

(5)

Similarly

$$ {L}_{i,j}={l}_{i,j}\oplus {r}_{i,j},j=0,1,\cdots, 7 $$

(6)

Where r _i , j is pseudo-random binary number determined by image encryption key. Note that the random binary numbers used to encrypt l _i , j and h _i , j are the same. The correlation between l _i , j and h _i , j still exists for the existence of tradeoff between encryption and data embedding. A fully encrypted image has theoretically reached maximum information entropy, so embedding data in it is impractical. The gray values of the encrypted higher mean and lower mean are

$$ {H}_i=\sum_{j=0}^7{H}_{i,j}\cdot {2}^j $$

(7)

And

$$ {L}_i=\sum_{j=0}^7{L}_{i,j}\cdot {2}^j $$

(8)

Then to encrypt b _i  = {b _i , 1, b _i , 2,  ⋯ , b _{i , m × n} }, pseudo-random binary number s _i , k , which is also generated by the image encryption key, is adopted. Here

$$ {B}_{i,k}={b}_{i,k}\oplus {s}_{i,k},k=0,1,\cdots, m\times n $$

(9)

The encrypted b _i is B _i  = {B _i , 1, B _i , 2,  ⋯ , B _{i , m × n} }. Accordingly, the i-th encrypted triple is represented as (H _i , L _i , B _i  = {B _i , 1, B _i , 2,  ⋯ , B _{i , m × n} }). Both H _i , L _i together with B _i are encrypted with random binary numbers, therefore, for an attacker without an encryption key, it’s impractical to reveal the content of the plain image. The AMBTC image \( \tilde{I} \), consisting of N triples, is encrypted triple by triple, hence, time complexity of image encryption process is O(N).

3.2 Data embedding

When the AMBTC image is encrypted, the data hider has to embed additional data into the cipher image. For the triple (H _i , L _i , B _i ), we utilize B _i and modify L _i to create the embedding space which can embed a considerable number of bits. We define the prediction error as

$$ {PE}_i={H}_i-{L}_i,{PE}_i\in \left[-255,255\right] $$

(10)

By calculating all triples, a histogram of PE can be obtained. The values of H _i and L _i are close in most cases because of the correlation to the original image. Most of PE are close to 0, hence the peak points of the histogram are exploited to embed data. Two peak points in the histogram of PE can be utilized. As shown in Figs. 2 and 3, bin −2 and bin 3 are expanded to embed data, bins larger than 3 or smaller than −2 are shifted, and bins between −2 and 3 remain unchanged. Supposing two peak points are P ₁ and P ₂ respectively, and corresponding zero points are Z ₁ and Z ₂. Here Z ₁ < P ₁ < P ₂ < Z ₂. If H _i is equal to L _i , we replace the bit plane with binary additional data to be embedded directly, and set flag _i  = 1 at the same time, otherwise, set flag _i  = 0. Then modify L _i according to the following equation:

$$ {L_i}^{\prime }=\left\{\begin{array}{l}{L}_i+1,{Z}_1<{PE}_i<{P}_1\\ {}{L}_i+d,{PE}_i={P}_1 and{flag}_i\ne 1\\ {}{L}_i-d,{PE}_i={P}_2 and{flag}_i\ne 1\\ {}{L}_i-1,{P}_2<{PE}_i<{Z}_2\end{array}\right. $$

(11)

Fig. 2

The histogram of PE

Fig. 3

The shifted histogram of PE

Here d ∈ {0, 1} represents one binary additional data. flag _i is merely used for recording whether the bit plane in the i-th triple is replaced by additional data in the embedding phase.

Note that L _i may be modified in the embedding phase. Overflow and underflow problems are likely to happen. To solve this problem, a location map is adopted here. If L _i is 255 or 0, the corresponding location map point will be set as 1 and L _i will be modified to be 254 or 1. If L _i is 254 or 1, the corresponding location map point will be set as 0 and L _i remains unchanged. The embedding technique should be carried out after overflow and underflow processing so that location map can be embedded into host image and needs not to be stored by extra devices.

Returning to the process of data embedding, after location map is obtained and L _i which is equal to 255 or 0, is revised as 254 or 1, 4 cases must be considered in data embedding of the i-th triple:

1. Case 1:

   if PE _i  = 1, L _i  = 254 and corresponding location map is 1, then the bit plane should be replaced by binary additional data to be embedded and flag _i  = 1;

2. Case 2:

   if PE _i  =  − 1, L _i  = 1 and corresponding location map is 1, then the bit plane should be replaced by binary additional data to be embedded and flag _i  = 1;

3. Case 3:

   if PE _i  = 0, L _i  ≠ 1andL _i  ≠ 254 or corresponding location map is 0, then the bit plane should be replaced by binary additional data to be embedded and flag _i  = 1;

4. Case 4:

   otherwise, flag _i  = 0;

Then modify L _i according to eq. (11) to embed additional data.

However, this process raises the issue of how to embed auxiliary information so that it needs not to be sent to receiver via separate channel. Auxiliary information consists of two pairs of peak point and zero point (36 bits), the length of the location map (⌈log₂ N⌉ bits), and the location map. The auxiliary information can be compressed and encrypted with AES etc. then it replaces the bit plane of the first several triples. Those triples will be skipped in the data embedding phase. The original bit plane of those triples will be encrypted with AES etc. and embedded into the remaining triples together with the additional data. This then solves all of the problems in the data embedding phase. Obviously, AMBTC image \( \tilde{I} \), consisting of N triples, is processed triple by triple in additional data embedding and collecting of auxiliary information, so, the time complexity of the data embedding process is O(N).

3.3 Data extraction and image recovery

When the receiver only has the data-hiding key, he can decrypt the auxiliary information, including two pairs of peak points and zero points (P ₁ and Z ₁, P ₂ and Z ₂), the length of the location map, and the location map itself. According to the decrypted auxiliary information, the data can then be extracted. The detail of the extraction phase is:

1. Step 1:

   for the i-th triple, calculate PE _i according to eq. (10), set flag _i  = 0;

2. Step 2:

   recover L _i and extract additional data from thei-th triple, 6 cases are considered:

3. Case 1:

   if Z ₁ ≤ PE _i  < P ₁ − 1, then set L _i  = L _i ^′ − 1;

4. Case 2:

   if PE _i  = P ₁ − 1, then set d = 1, and L _i  = L _i ^′ − 1;

5. Case 3:

   if PE _i  = P ₁, then set d = 0, L _i  = L _i ^′, and flag _i  = 1;

6. Case 4:

   if PE _i  = P ₂, then set d = 0, L _i  = L _i ^′, and flag _i  = 1;

7. Case 5:

   if PE _i  = P ₂ + 1, then set d = 1, and L _i  = L _i ^′ + 1;

8. Case 6:

   if P ₂ + 1 < PE _i  ≤ Z ₂, then set L _i  = L _i ^′ + 1;

Where d is the extracted data, and flag _i is merely used for recording whether PE _i  = P ₁ or PE _i  = P ₂;

1. Step 3:

   To extract additional data in bit plane, 3 cases are considered:

2. Case 1:

   if PE _i  = 1, L _i  = 254, and corresponding location map is 1, then the bits in the bit plane are additional data and one bit of data d extracted in step 2 should be abandoned if flag _i  = 1;

3. Case 2:

   if PE _i  =  − 1, L _i  = 1, and corresponding location map is 1, then the bits in bit plane are additional data and one bit of data d extracted in step 2 should be abandoned if flag _i  = 1;

4. Case 3:

   if PE _i  = 0, L _i  ≠ 1 and L _i  ≠ 254 or corresponding location map is 0, then the bits in bit plane are additional data and one bit of data d extracted in step 2 should be abandoned if flag _i  = 1;

5. Case 4:

   recover encrypted AMBTC image according to the location map. If L _i  = 1 or L _i  = 254, and corresponding location map is 1, then set L _i  = 0 or L _i  = 255, respectively.

By this stage, additional data have been extracted from the triples in the encrypted AMBTC-compressed image and decrypted with the data-hiding key. Note that the first several triples into which auxiliary information has been embedded should be skipped in data extraction phase.

When the receiver only has the image encryption key, he can generate pseudo-random binary numbers r _i , j and s _i , k , get the bits of L _i and H _i according to eq. (3) and (4), then decrypt L _i , H _i , and B _i according to eq. (5), (6), and (9). Median filtering is adopted here to ensure the quality of decrypted image. After filtering, the directly decrypted image is similar to the original AMBTC-compressed image because only the LSB of L _i are modified in the embedding phase.

When the receiver has both the data-hiding and the image encryption keys, additional data can be extracted and the encrypted image can be recovered, after that, the AMBTC image can be decrypted exactly.

As for the efficiency of this stage, no matter which option is chosen, each triple in the AMBTC image is visited once, so its time complexity is also O(N).

4 Experimental results

All experimental results are performed with MATLAB. Nine standard gray-scale images sized 512 × 512 and UCID datasets containing 1338 images (http://vision.cs.aston.as.uk/datasets/UCID/ucid.html) are used here. Nine standard gray-scale images are: Lena, Sailboat, Peppers, Tiffany, Boat, Jet, Baboon, Splash and Man. We divide these images into 2 × 2,4 × 2,8 × 2,2 × 4,4 × 4,8 × 4,8 × 2,8 × 4,8 × 8 non-overlapping blocks to compress these images into AMBTC images.

Fig. 4(a) gives the original AMBTC image with compression ratio 0.625. After encryption, the original content of image is invisible as shown in Fig. 4(b). The marked cipher-image is shown in Fig. 4(c), which is the same as Fig. 4(b) when observed by the naked eye. If the receiver has both the data-hiding and image encryption keys, the additional data can be extracted and Fig. 4(c) can be recovered error free, to get Fig. 4(d). However, if the receiver only has the image-encryption key, they can generate Fig. 4(e) by decrypting Fig. 4(c) directly and filter noise by using median filtering, which is shown in Fig. 4(f). The PSNR of the directly decrypted image is 34.00 dB, and the distinction between the original AMBTC image and the directly decrypted image is also invisible to the naked eye.

Fig. 4

(a) original AMBTC image Lena with compression ratio 0.625, (b) encrypted image, (c) cipher-image containing 5963 bits additional data, (d) recovered image, (e) directly decrypted image, (f) filtered version of (e) with PSNR 34.00 dB

Fig. 5 gives the payload of different AMBTC images under different compression ratios. The horizontal axis shows the compression ratio, and the vertical axis shows additional data embedded in AMBTC images. It can be observed that more additional data are embedded into those images with a higher compression ratio, which means an AMBTC image with high compression ratio provides more redundant space.

Fig. 5

The payload of different AMBTC images under different compression ratios

The results of encryption of AMBTC image Lena under different compression ratios are shown in Fig. 6. The higher the compression ratio is, the better the encryption result is. A low compression ratio implies that the block size adopted in the compression procedure is large, so the encryption results of those AMBTC images with low compression ratios are not as good as high ones.

Fig. 6

The encrypted AMBTC image Lena under compression ratio (a) 0.625, (c) 0.25, (e) 0.156, and corresponding image histogram (b), (d), (f)

Table 1 lists payload, PSNR of directly decrypted images (dB) and PSNR of recovered image (dB) for different AMBTC images when the block size in compression procedure is 2 × 2 and 4 × 4 respectively. The PSNR of directly decrypted images are above 27 dB in most cases. The image quality is better when the block size in the compression procedure is 2 × 2 than 4 × 4. The PSNR of the recovered image is infinite because the proposed method can recover the marked cipher-image without error when the receiver has both the data-hiding key and the image encryption key.

Table 1 Payload (bits), PSNR of directly decrypted images (dB) and PSNR of recovered images (dB) with different block size for different AMBTC images

Fig. 7 gives the embedding rate of auxiliary information and additional data which is obtained by the amount of bits dividing the amount of image pixels when tested in 1338 UCID images. The horizontal axis is the number of images, and the vertical axis is corresponding average bits of auxiliary information and additional data embedded in each pixel. It is obvious that different images with the same block size 2 × 2 produce similar amount of auxiliary information because each image is encrypted with pseudo-random numbers. But the amount of additional data will vary with original images’ redundancy. It means that the proposed method can embed a considerable number of bits in images with satisfactory encryption results.

Fig. 7

The embedding rate of auxiliary information and additional data in 1338 UCID images with compression ratio 0.625

5 Conclusion

In this paper, a reversible data hiding for encrypted AMBTC-compressed images is presented, which is divided into three phases: image encryption, data embedding, and data extraction and image recovery. In the data embedding phase, we encrypt the higher mean and lower mean of a triple in an AMBTC-compressed image with the same random numbers, therefore, the correlation of higher mean and lower mean of nature image is preserved. The redundant space of the encrypted AMBTC-compressed image can then be exploited by using the histogram of prediction error in the absence of original image content in the data embedding phase. Experimental results and analysis demonstrate that, with the marked cipher-image, the receiver is able to exactly extract additional data by using the data hiding key, return a decrypted image very similar to the original image with the image encryption key, or extract additional data and recover the original image error free with both keys. In addition, the proposed method is very simple and its computational complexity is low so that it is applicable to real-time transmission.