A novel reversible data hiding in encrypted images based on polynomial arithmetic

08/09/2021 ∙ by Lin Chen, et al. ∙ 0

Reversible data hiding in encrypted images is an eff ective technique for data hiding and preserving image privacy. In this paper, we propose a novel schema based on polynomial arithmetic, which achieves a high embedding capacity with the perfect recovery of the original image. An effi cient two-layer symmetric en- cryption method is applied to protect the privacy of the original image. One polynomial is generated by the encryption key and a group of the encrypted pixel, and the secret data is mapped into another polynomial. Through the arithmetic of these two polynomials, the purpose of this work is achieved. Fur- thermore, pixel value mapping is designed to reduce the size of auxiliary data, which can further improve embedding capacity. Experimental results demon- strate that our solution has a stable and good performance on various images. Compared with some state-of-the-art methods, the proposed method can get better decrypted image quality with a large embedding capacity.



There are no comments yet.


page 13

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Reversible data hiding (RDH) is a technology that enables the exact recovery of the original image upon extraction of the embedded information. Due to the feature of lossless or invertible data hiding, it has gradually become a very active research area in the field of data hiding. The feature is desirable when highly sensitive data is embedding into an image, e.g., in military, medical, and legal imaging applications. The first RDH technique 1999Method was proposed by Barton in 2000 to address this concern. To date, various methods have been presented to achieve data hiding in images, in which difference expansion 1227616 and histogram shift ni2006reversible have far-reaching influence. Difference expansion is proposed by Tian in 1227616 , the secret message is embedded by expanding the difference between adjacent pixels. In the histogram shifting method ni2006reversible , the histogram of the original image is first generated, then it embeds messages by slightly modifying the pixel grayscale values of zero and the minimum point of the histogram. Subsequently, some schemes TSAI2013919 ; Local6746082 ; anew5648443 ; Efficient7122319 are introduced to improve the payload and reconstructed image quality based on them. Furthermore, to get better performance, methods such as lossless compression 1608150Lossless9 and prediction error Wu_2014_22 ; 1421361Prediction10 have been presented later.

As a great growth of cloud services and people’s increasing attention for privacy protection, reversible data hiding in encrypted image (RDHEI) has drawn much interest from the research community. It can not only extract the secret message and recover the original image without error but also preserves the privacy of the original image. This concept was first proposed by Zhang 5713234Zhang11 in 2011, there are three roles in the scenario, the image provider uses the encryption key to encrypt the image to protect the privacy of original images; a data hider embeds data by using the data hiding key without knowing the original image content; when having both above keys, the receiver is able to obtain the secret message and origin image correctly. It is helpful in some situations involving data privacy. For example, in a cloud computing scenario, the user uploads an encrypted image, and an inferior assistant hopes to embed some message without access to the origin content.

Shi et al. 7479451Reversible12 classify the existing RDHEI methods into two categories: vacating room before encryption (VRBE) and vacating room after encryption (VRAE). In VRBE methods 6470679Ma13 ; Zhang_2014_14 ; 7098386Cao15 , an extra preprocessing is performed before encryption to vacate space for data embedding. Ma et al. 6470679Ma13 apply a traditional RDH method of histogram shifting to reserve room before encryption. The LSB of certain pixels is embedded into other pixels, which produces a pre-processed image. By substituting the LSB values of these vacated pixels in the encrypted image, the secret message can be embedded. The method can provide a larger payload (0.5 bpp) than previous methods with PSNR = 40 dB. In Zhang_2014_14

, based on the prediction technique, some pixels are estimated through the rest pixels before encryption. Instead of embedding data in encrypted images directly, the secret message can be embedded by modifying the prediction errors. Cao et al.

7098386Cao15 use a sparse coding technique to vacate a large space by exploiting the correlation between neighbor pixels. The leading residual errors produced by sparse coding are encoded and then embedded into the original image. More secret data can be embedded into the vacated room in the encrypted image. In 2020DoubleLi

, a new schema is proposed by designing double linear regression prediction model, which further improves the prediction accuracy and provides a large embedding capacity. The secret message is embeded by referring to difference between current pixel and its predicted value. And they construct a prediction error map to record error positions for lossless recovering the original image.

For VRAE methods, the image provider directly encrypts the origin image, then the secret bits are embedded into the encrypted image. The first VRAE method 5713234Zhang11 is proposed by Zhang, the original image is encrypted by a stream cipher, then the data hider divides the encrypted image into blocks and embeds secret bits by modifying a small proportion of encrypted data. The receiver can extract secret messages and recover the origin image perfectly by using the spatial correlation in natural images. Zhang 6081934Zhang16 proposes a novel separable method, the exclusive-or operation is applied to encrypt the origin image, a sparse space to accommodate the secret data is created by compressing the least significant bits of the encrypted image. Qian and Zhang 7076645Qian17 propose a novel method using distributed source coding, after the image provider encrypt the image by using a stream cipher, some selected bits taken from the encrypted image are compressed to make space for secret messages.

Chen et al. 8705382Chen18 are inspired by the factor of key setting, they divide RDHEI into three categories: share independent secret keys (SIK), shared one key (SOK), and share no secret keys (SNK). Then, they proposed a novel SOK scheme by using multi-secret sharing, which overcomes the shortcoming of spending much space cost in Wu et al. Wu_2018_19 . To achieve message embedding, a new technique to operate addition homomorphism in multi-secret sharing (called OAMSS) is presented. It can also get a high payload (close to 0.5 bpp). However, extra public identities needed to be sent to the data hider and receiver, which may lead to reduce the efficiency of their method.

In existing RDHEI methods, most of them only provide a high embedding capacity while fail to recover the original image perfectly. In 6470679Ma13 , the method has a high payload (0.5 bpp), but the original image cannot be reconstructed free of error (PSNR=40 dB). For most traditional reversible data hiding methods, the correlation between the neighboring pixels is applied to hide secret messages. However, it is difficult to embed messages into the encrypted image, since the correlation between a pixel and its adjacent neighbors is disappeared after encrypted. It is a challenge for RDHEI to achieve a high embedding capacity while the original image is recovered perfectly.

Facing the challenge, we propose a novel schema based on polynomial arithmetic. Our work is dedicated to finding a good solution not only in the recovery of the original image, but also in the embedding capacity. For the encryption of images, we design an efficient symmetric encryption method with support for correct data extraction and perfect image recovery in the RDHEI. The cipher of pixels in an image is generated via a univariate polynomial math expression , in which the coefficients of are associated with both pixels and the encryption key, and the degree of is the number of the pixels. The secret data is also mapped into another polynomial math expression . These expressions support polynomial addition, subtraction, and modulo operations to achieve data extraction and image recovery.

The rest of this paper is organized as follows. The scheme of the proposed method is elaborated in Section 2. Abundant experimental results with the comparison and analysis are presented in Section 3. Finally, the conclusion is drawn in Section 4.

2 Proposed Scheme

In the section, based on polynomial arithmetic, a novel solution is proposed to hide secret bits in pixels of origin image with low computational complexity and a high payload (the maximal payload could be 0.662 bpp for Lena). The overview of this process is shown in Fig. 1.

Figure 1: Overview of the proposed schema

There are three entities: an image provider, a data hider and a receiver. The two pixels of original image are chosen, and then are encrypted with the key by the provider as a polynomial . Similarly, the hider using its key can encode two secret bits as a polynomial with the same degree. Through the transaction of coefficients, the encryption pixels are sent to the hider. Upon receiving the encrypted pixels, the hider computes . Note that the encrypted pixels hiding secret bits are coefficients of . Based on coefficients of and the keys and , the receiver can extract the secret bits and recover pixels of the original image perfectly.

2.1 Image Encryption

Let F be a prime number. Assume that is an encryption key and is a data hiding key, where the former is shared between the provider and the receiver, the latter is shared between the hider and the receiver, .

Without loss of generality, assume the original image is of size . In the first layer encryption, all pixels of the image are encrypted as


Where , , and are generated by the encryption key using a secure standard stream cipher, .

Given a data list of two elements, where pixels are selected from the above encrypted image. Then, a polynomial is constructed as follows


and the coefficient of function will be sent as the encrypted data. That is,


Side information

Since all pixels are encrypted by modular arithmetic with F, thus for a pixel having grayscale value great than or equal to F can’t be restored. In order to lossless recovery of the image, a location map(LM) is constructed. It indicates whether a pixel before encrypted.


The obtained location map (LM) will be losslessly compressed by arithmetic encoding or run-length coding. Denote the compressed LM as CLM. For blind extraction and image recovery, we send CLM as the side information. For all pixels, some of them are used to embed the side information, and the rest part to embed secret message. The strategy of sending side information is shown as

  1. Records the origin LSB value of the first L pixels in encrypted image, denote as , than combine CLM and together into one binary bitstream .

  2. Replace the LSB of the first L pixels in encrypted image to save the length of (denote as ).

  3. Ship L pixels, will be embedded into the rest pixels by using our data embedding procedure.

2.2 Data Embedding

In data embedding phase, is decomposed from the first L pixels, then the boundary between first part and rest part can be obtained. The secret message will be embedded into second part of encrypted image without knowing the encryption key . When having the encrypted image , the data hider first uses the to encrypt secret message by a standard symmetric encryption (AES, DES and so on), then embed the encrypted secret bits into . Specifically, a polynomial is generated as follows,


Then, the encrypted image embedded above secret bits is represented as


Note that . That is,


2.3 Data extraction and image recovery

Upon receiving the encrypted image embedded secret bits, the receiver extracts the secret bits and then recovers the original image. Specifically, the receiver works as follows,

  1. Getting three pixels from the encrypted image embedded secret bits, she/he constructs a polynomial

  2. Compute the value . Note that and .

  3. Let

  4. It calculates the inverse element of on F as . The function is constructed by using the “Extended Euclidean algorithm”.

  5. The secret bits are extracted as follows

  6. Based on the extracted secret bits, the polynomial g(x) is obtained as

  7. For , let . Then, can be reconstructed as

  8. By using and , the receiver can recover origin pre-process pixels, , as follows,

  9. From the extracted secret bits, and real secret message could be decomposed.

  10. Decrypting secret message by using .

  11. With the origin LSB , the first L pixels can be recovered by replacing their LSB value.

  12. Decompressing LM from CLM. For every pixel in recovered image, is firstly generated, original pixels could be restored as,

    If , let

    Then for each pixel in location map, let

    Finally, the original image can be recovered free of error.

Example 1

Fig. 2 shows the sketch of this example.

Figure 2: Example of the proposed schema

For an 8-bit image, we choose 251 as F in the proposed method. Given two pixels (35,132) and , the provider firstly generates key=30 by . The original pixels are encrypted as (65,162) by addition and modular operations. Then the provider produces a polynomial . The encrypted pixels can be obtained by modular operation, set the output (65,216,9).

In the embedding data phase, with the secret message , that are encrypted by , the hider also generates a polynomial , and gets the output (1,30,225) by the modular operation. Finally, due to the additive modular arithmetic, the encrypted pixels containing a secret message (66,216,9) are obtained by adding (65,216,9) and (1,0,0).

When receiving the encrypted pixels, the receiver firstly generates a polynomial . Let , and get . Then receiver uses to extract the hidden message and by “Extended Euclidean Algorithm”. With the extracted message, the receiver reconstructs the polynomial . From the coefficient, the origin pixels (35,132) could be recovered with key=30.

2.4 Key generation

Since the proposed schema based on modular operation, for perfectly extracting message and reconstructing image, should satisfy,


Due to the above constraint, only a small amount of secret keys is available. To improve the security of the secret key, we can divide the image into blocks. For each group apply a different key to encrypt pixels. The keys can be generated by


where ID is the position of block in the image, and is generated by using 256-bit SHA3 (denoted as SHA). We concatenate the

and ID together, then pad it to 256-bit as the input of SHA3. Finally, the most significant eight bits of SHA’s output represented as binary is selected as the random key.

2.5 Pixel value mapping

The finally embedded data consists of the real secret message and a side information , thus large side information would lead to the reduction of the payload. To improve the embedding rate, we present a technique called pixel value mapping to reduce the size of . For an 8-bit image, let . When constructing the location map, if there are too many pixel values greater than or equal to 251, a little secret message can be embedded in that the compressed CLM will still be large. Consequently, we could mapping these pixels to the five lowest frequent pixel values as follows,

  1. Let be a set of pixel values (251,252,253,254,255).

  2. Count the five pixels with the least frequency in the original image, denote as .

  3. Before encryption, for pixel values and , and Mapping each to and from .

  4. When generating the side information, converted to a 40-bit binary sequence is appended to the end of .

  5. In the image recovery phase, can be decomposed from the extracted side information. Then the recovery of original pixel values is accomplished by the reverse mapping.

3 Experimental results

In this section, based on the embedding capacity (payload) and reconstructed image quality, we evaluate the performance of the proposed method. The method is tested on the uncompressed 512×512 gray-scale images chosen from the USC-SIPI image databaseUSC-SIPI-20 . To validate the proposed scheme, experiments are done with a variety of standard test gray-scale images. Some are presented in Fig. 3 namely Lena, Boat, Baboon, and Airplane. The comparisons between the existing methods and ours are shown in Fig. 4 and 5

, according to the embedding rate (EC) and the peak-signal-to-noise ratio (PSNR) of images. Here, EC is adopted to evaluate the embedding capacity, and it calculated as


Again, the peak-signal-to-noise ratio (PSNR) is applied to evaluate the reconstructed image quality in comparison to the original image, which is computed as follows.


where is the total number of pixels, and denote the pixel values of origin and recovered images, respectively. Finally, we would compare our schema with some related works, and discuss their efficiency.

Figure 3: Test images with 512 × 512 pixels. Left: Original-image. Middle: Encrypted with secret message, Right: After Decryption.

The proposed method can perfectly recover the original images from the corresponding encrypted images as shown in Fig. 3. In our experiments, 200000-bits is embedded into four randomly selected images. The original image is shown at the left of the figure. After encryption and data embedding, an encrypted image with the secret message shown in the middle of the figure is generated with the 8 encrypted bits. The rest is the decrypted image. The comparison shows the pixel values of the recovered image is the same as that of the original image (PSNR), which indicates the images could be perfectly recovered. The corresponding experimental results are shown in Table 1.


Moreover, we make a performance testing by a random selection of 1000 grayscale images with size 512x512 on BOWS-2 database BOWS-2_21 . The test results for these images are shown in Table 2. For embedding capacity, the best case is 0.6625 bpp, and 0.5956 bpp in the worst case. It is clear that the worst EC remains high. And the average EC can reach 0.6609 bpp, which is really close to the best case. Certainly, each original image could be reconstructed free of error (satisfy PSNR and SSIM=1). From the above analysis, it indicates that the proposed method has stable and good performance.

Best case
Worst case
EC (bpp)

We now compare the performance of our approach with some state-of-the-art design 5713234Zhang11 ; 6470679Ma13 ; 7098386Cao15 ; 2020DoubleLi ; 6081934Zhang16 . Our experiments are based upon the two typical images of Lena and Baboon. Then, their embedding capacity and PSNR are estimated through (10) and (3). The results are summarized in Fig. 4 and Fig. 5, respectively. As expected, across all six designs and in terms of two criteria considered here, the proposed approach exhibits the best PSNR. When the embedding capacity increases, our approach has a stable performance on PSNR compare to others. Thus, when the receiver having the encryption key and without the data hiding key, our approach is the only schema that can perfectly recover both Lena and Baboon image (PSNR). As for EC, our method can reach 0.6625 bpp for both Lean and Baboon. It is clear that our method can obtain a higher payload than other related methods, except for Cao et al 7098386Cao15 and Li et al 2020DoubleLi . These show that our approach provides a good trade-off between the embedding capacity and PSNR.

Figure 4: Performance comparison on Lena
Figure 5: Performance comparison on Baboon

Besides, to measure the efficiency of the proposed schema, we make a comparison with other schemas on data expansion. The result is given in Table 3. Data expansion indicates the encrypted image is bigger than the original image. We denote the number of origin pixels as . There are some methods 6081934Zhang16 ; 6151038Hong23 using stream cipher encryption to encrypt images, which adopt exclusive-or operation to encrypt images. It obviously does not cause data expansion. For those methods 8013725Xiang24 ; Shiu_2015_25 using Paillier homomorphic encryption, a 512-bits or 1024-bits secret key is usually required to encrypt 8-bits pixels. After encrypted by the Paillier encryption, the origin 8-bits pixel is at least expanded to 1024-bits, thus the encrypted pixel is further expanded. The rest schemas 8705382Chen18 ; Wu_2018_19 apply secret sharing to encrypt images, method Wu_2018_19 would expand the original image into two or more times. In method 8705382Chen18 , they improve secret sharing into multi-secret sharing to prevent data expansion. As for our approach based on polynomial arithmetic, two pixels would be encrypted into three pixels, so the encrypted image expands 1.5 times.

Encryption method
Encryption space
Stream cipher
Paillier encryption
Secret sharing
Secret sharing
Polynomial arithmetic

4 Conclusion

In this work, a novel method of reversible data hiding in encrypted images based on polynomial arithmetic is presented, which achieves a good balance between embedding capacity and reconstructed image quality. Since the correlation of adjacent pixels is disappear after encryption, thus various methods have been proposed is trying to preserve the feature. However, we propose a new method to avoid utilizing the correlation of adjacent pixels in nature images. Through arithmetic of the two polynomials, a high capacity can be obtained while the reconstructed image is the same as the original image. And pixel value mapping is introduced to reduce the size of the location map, which further improves embedding capacity.


  • (1) J. M. Barton, Method and apparatus for embedding authentication information within digital data, U.S. Patent US5646997A.
  • (2) J. Tian, Reversible data embedding using a difference expansion, IEEE Transactions on Circuits and Systems for Video Technology 13 (8) (2003) 890–896. doi:10.1109/TCSVT.2003.815962.
  • (3) Zhicheng Ni, Yun-Qing Shi, N. Ansari, Wei Su, Reversible data hiding, IEEE Transactions on Circuits and Systems for Video Technology 16 (3) (2006) 354–362. doi:10.1109/TCSVT.2006.869964.
  • (4) Y.-Y. Tsai, D.-S. Tsai, C.-L. Liu, Reversible data hiding scheme based on neighboring pixel differences, Digital Signal Processing 23 (3) (2013) 919 – 927. doi:https://doi.org/10.1016/j.dsp.2012.12.014.
  • (5) I. Dragoi, D. Coltuc, Local-prediction-based difference expansion reversible watermarking, IEEE Transactions on Image Processing 23 (4) (2014) 1779–1790. doi:10.1109/TIP.2014.2307482.
  • (6) S. Jung, L. T. Ha, S. Ko, A new histogram modification based reversible data hiding algorithm considering the human visual system, IEEE Signal Processing Letters 18 (2) (2011) 95–98. doi:10.1109/LSP.2010.2095498.
  • (7) X. Li, W. Zhang, X. Gui, B. Yang, Efficient reversible data hiding based on multiple histograms modification, IEEE Transactions on Information Forensics and Security 10 (9) (2015) 2016–2027. doi:10.1109/TIFS.2015.2444354.
  • (8) M. U. Celik, G. Sharma, A. M. Tekalp, Lossless watermarking for image authentication: a new framework and an implementation, IEEE Transactions on Image Processing 15 (4) (2006) 1042–1049. doi:10.1109/TIP.2005.863053.
  • (9) X. Wu, W. Sun, High-capacity reversible data hiding in encrypted images by prediction error, Signal Processing 104 (2014) 387–400. doi:10.1016/j.sigpro.2014.04.032.
  • (10) S. Yi, Y. Zhou, Z. Hua, Reversible data hiding in encrypted images using adaptive block-level prediction-error expansion, Signal Processing: Image Communication 64 (2018) 78–88. doi:10.1016/j.image.2018.03.001.
  • (11) X. Zhang, Reversible data hiding in encrypted image, IEEE Signal Processing Letters 18 (4) (2011) 255–258. doi:10.1109/LSP.2011.2114651.
  • (12) Y. Shi, X. Li, X. Zhang, H. Wu, B. Ma, Reversible data hiding: Advances in the past two decades, IEEE Access 4 (2016) 3210–3237. doi:10.1109/ACCESS.2016.2573308.
  • (13) K. Ma, W. Zhang, X. Zhao, N. Yu, F. Li, Reversible data hiding in encrypted images by reserving room before encryption, IEEE Transactions on Information Forensics and Security 8 (3) (2013) 553–562. doi:10.1109/TIFS.2013.2248725.
  • (14) W. Zhang, K. Ma, N. Yu, Reversibility improved data hiding in encrypted images, Signal Processing 94 (2014) 118–127. doi:10.1016/j.sigpro.2013.06.023.
  • (15) X. Cao, L. Du, X. Wei, D. Meng, X. Guo, High capacity reversible data hiding in encrypted images by patch-level sparse representation, IEEE Transactions on Cybernetics 46 (5) (2016) 1132–1143. doi:10.1109/TCYB.2015.2423678.
  • (16) F. Li, H. Zhu, J. Yu, C. Qin, Double linear regression prediction based reversible data hiding in encrypted images, Multimedia Tools and Applications (2020) 1–19doi:10.1007/s11042-020-09805-6.
  • (17) X. Zhang, Separable reversible data hiding in encrypted image, IEEE Transactions on Information Forensics and Security 7 (2) (2012) 826–832. doi:10.1109/TIFS.2011.2176120.
  • (18) Z. Qian, X. Zhang, Reversible data hiding in encrypted images with distributed source encoding, IEEE Transactions on Circuits and Systems for Video Technology 26 (4) (2016) 636–646. doi:10.1109/TCSVT.2015.2418611.
  • (19) Y. Chen, T. Hung, S. Hsieh, C. Shiu, A new reversible data hiding in encrypted image based on multi-secret sharing and lightweight cryptographic algorithms, IEEE Transactions on Information Forensics and Security 14 (12) (2019) 3332–3343. doi:10.1109/TIFS.2019.2914557.
  • (20) X. Wu, J. Weng, W. Yan, Adopting secret sharing for reversible data hiding in encrypted images, Signal Processing 143 (2018) 269–281. doi:10.1016/j.sigpro.2017.09.017.
  • (21) USC-SIPI image database, http://sipi.usc.edu/database.
  • (22) P. Bas, T. Furon, Image database of BOWS-2, Available: http://bows2.ec-lille.fr. Accessed: Jun. 20, 2017.
  • (23) W. Hong, T. Chen, H. Wu, An improved reversible data hiding in encrypted images using side match, IEEE Signal Processing Letters 19 (4) (2012) 199–202. doi:10.1109/LSP.2012.2187334.
  • (24) S. Xiang, X. Luo, Reversible data hiding in homomorphic encrypted domain by mirroring ciphertext group, IEEE Transactions on Circuits and Systems for Video Technology 28 (11) (2018) 3099–3110. doi:10.1109/TCSVT.2017.2742023.
  • (25) C.-W. Shiu, Y.-C. Chen, W. Hong, Encrypted image-based reversible data hiding with public key cryptography from difference expansion, Signal Processing: Image Communication 39 (2015) 226–233. doi:10.1016/j.image.2015.09.014.