1. Introduction

Reversible data hiding (RDH) has evolved into a compelling methodology, facilitating the embedding of confidential data within various forms of media. This spans sectors such as military, medical, national governance, and copyright-protected content [1]. Traditional RDH research, conducted in the realm of plaintext, primarily revolves around three data embedding techniques: histogram shifting [2], difference expansion [3], and lossless compression [4]. The overarching objective of these methodologies is to augment the embedding rate while enhancing the visual quality of the carrier images.

In summary, Reversible Data Hiding (RDH) technology is a robust tool for reversibly embedding confidential data without damaging the original carrier. Its applications are expansive, and it proves particularly beneficial in sensitive sectors where data security is imperative. However, for content-sensitive scenarios, it is necessary to employ encryption techniques to develop an Encrypted Domain Reversible Data Hiding (RDH-EI) method, suitable for information-sensitive situations. These encryption techniques secure image content by transforming the original image into an unintelligible version using an encryption key.

RDH in encrypted images (RDH-EI) is especially advantageous in sensitive fields where data security is paramount. Despite its limitation in multiple data hider scenarios, the inherent reversibility of RDH technology makes it an optimal choice for situations demanding zero tolerance for image loss. An encrypted domain RDH-EI method, suitable for content-sensitive scenarios, can be developed using encryption techniques.

The traditional RDH-EI model restricts the number of data providers and data hiders to a single entity, limiting its applicability in multiple data hider scenarios. However, the crucial feature of reversibility permits perfect reconstruction of the original carrier during covert data extraction. This attribute renders RDH technology an ideal choice for scenarios necessitating zero tolerance for image loss, such as satellite imagery in the military, government images in judicial determinations, and medical imaging in healthcare.

RDH-EI is a subset of Reversible Data Hiding in Encrypted Domain (RDH-ED) [5], effectively resolves the issue of embedding and extracting confidential data from encrypted images. In this technique, the encrypted image data serves as the carrier. The data can be embedded into the encrypted image without causing any pixel loss in the carrier image during extraction.

As shown in Figure 1, according to the differences in secret data embedding models, we divide RDH-EI into three categories.

• (a). Vacating Room After Encryption (VRAE). In the framework of VRAE, Puech et al. [6] first proposed the method of vacating room after AES encryption, in which additional data can only be extracted according to the local standard deviation of the image before decryption of the token image; subsequently, Zhang et al. [5] vacated space by flipping the three lowest significant bits after encryption based on stream ciphers, and secret data can only be extracted using the fluctuation function defined by the local characteristics of the image after decryption of the token image; in order to achieve the separability of the algorithm, Zhang et al. [7] first proposed a separable scheme by losslessly compressing the ciphertext image to generate redundancy, but its embedding capacity is low.

• (b). Vacating Room Before Encryption (VRBE). The VRBE mode is used to generate redundancy by using image correlation or other pre-processing operations before image encryption, and its implementation methods are mainly based on lossless compression [8], pixel prediction [9,10,11], and frequency domain transformation [12].

• (c). Vacating Room In Encryption (VRIE). (1) Homomorphic encryption-based VRIE. Zhang et al. [13] proposed the RDH-EI scheme based on VRIE by quantizing the encrypted domain after LWE encryption and using the redundancy generated by ciphertext expansion to embed secret data; Huang et al. [14] used prediction error to free up redundant space during stream cipher encryption to enhance the embedding capacity. In recent years, Chen et al. [15] proposed an algorithm based on Paillier public key encryption, which uses the homomorphic property to embed information in the ciphertext domain, and the decrypted plaintext still maintains the relevant properties of the embedded information, but there is partial pixel overflow after embedding the information; Wu et al. [16] improved the method of the literature [15] by solving the overflow problem, and the security of the homomorphic encryption algorithm relies on long keys, which increases the computational overhead and brings about severe data scaling. (2) Secret Sharing-based VRIE. Secret sharing techniques are widely applied in edge computing [17], data sharing [18], and outsourcing computing [19]. Thien and Lin [20] first proposed the concept of secret image sharing in 2002, which is based on the idea of secret sharing (SS) proposed by Shamir [21] in 1979. This technique can effectively solve the data extension problem of the RDH-EI algorithm based on homomorphic encryption, and Wu et al. [22] first proposed the RDH-ED algorithm based on secret sharing encryption, which splits the carrier image into multiple shadow images of the same size as the carrier image with secret sharing encryption, and then embeds the secret data into the shadow images by means of difference expansion and prediction error histogram translation. The problems of high encryption overhead and serious data expansion are effectively solved. As an important multi-party secure cryptosystem, this method uses a threshold function to address important data shares multiplied by different shares stored at different users. Chen et al. [23] further reduced the time complexity by embedding secret data into a pair of pixels using the additive homomorphism property of multiple secret sharing and combining the difference expansion. Ke et al. [24] proposed a separable RDH-ED based on the Chinese residue theorem separable RDH-ED, which achieves separability by combining two embedding methods. In 2022, Xiong et al. [25] proposed an RDH-EI scheme, which uses Asmuth-Bloom’s secret sharing scheme based on the CRT to divide the pixels into several secret share subgraphs, but the embedding efficiency (0.5 bpp) of this method still has room for optimization.

To solve the problems of low embedding efficiency, low embedding capacity, complex auxiliary information for embedding, and the limited number of embedding parties in RDH-EI, we propose a lossless RDH-EI method for multiple data hiders based on PVO and secret sharing. Compared with the existing RDH-EI based on secret sharing, we put forward a new method for the first time, which combines an Arnold cat map and a logistic equation [26] with a CRT-based secret sharing scheme and adds PVO technology, which improves the embedding rate and encryption efficiency while improving security. In addition, unlike other RDH-EI that requires auxiliary information and guiding images, the proposed method in this paper does not need to send guiding images. However, the data hider can automatically convert the shadow image into the guide image by using the data embedding key, which can significantly improve the embedding efficiency.

Main contributions of this paper. This paper describes the main contributions of a lossless RDH-EI (Reversible Data Hiding in Encrypted Images) method for multiple data hiders, based on PVO (Pixel Value Order) and secret sharing. The following are the key contributions of the proposed method:

Novel PCSRDH-EI Method: This paper introduces an innovative lossless RDH-EI method, which allows for multiple data hiders to embed data in encrypted images without any loss. This method is based on the PVO chaotic system and secret sharing, achieving a maximum embedding rate and surpassing existing methods, as well as significantly improving encryption efficiency and effect.

Enhanced Security with Combined Techniques: Combining stream encryption and secret sharing technology, this paper ensures a secure environment for data hiders to embed their data without fear of leaks. Additionally, the proposed scheme guarantees lossless data embedding and extraction, preserving the original image digital assets and enabling full recovery.

No Extra Guide Parameters Required: The proposed scheme does not require any extra guide parameters. By embedding/extracting the key, the data hider can transform the shadow image into an guide image that does not expose the original content information, thereby improving the usability of the scheme.

Organization of this paper. We divide our paper into five sections. Section 1 describes the research area and the existing schemes’ shortcomings and details the paper’s main contributions. Section 2 presents the specific details of the proposed scheme. In Section 3, we give a precise analysis and demonstration of our scheme. Section 4 presents the scheme’s effectiveness and a detailed comparison with the state-of-the-art encryption techniques. In Section 5, we give a summary and outlook of our work.

2. PCSRDH-EI Method

In this section, we provide a detailed description of our proposed method. As depicted in Figure 2, our model involves three key participants: an image owner, a minimum of three data hiders, and at least one receiver. The primary stages of our method encompass image encryption, shadow image creation, data embedding, data extraction, and carrier image recovery.

During the Image Encryption phase, the image owner divides the image into blocks and implements coarse-grained disruption encryption between these blocks. They further apply fine-grained encryption algorithms and the PVO algorithm within the blocks to enhance the security of the encrypted image.

In the Shadow Image Generation phase, the image owner partitions the encrypted image into numerous shadow images and distributes them to a predetermined number of data hiders. This measure ensures that no individual data hider can access the entire image, thereby augmenting the security of the scheme.

During the Data Embedding stage, each data hider employs the embedding secret key to produce the embedding guide map and embeds the confidential data within their respective shadow images. This procedure ensures the dispersion of the embedded data across multiple shadow images, which further bolsters the scheme’s security.

In the Embedded Data Extraction and Image Recovery phase, the receiver employs the secret extraction key to retrieve the embedded data from the shadow images. Upon amassing a minimum of ’k’ secret shares, the receiver can flawlessly recover the carrier image by integrating these shares with the encryption key.

2.1. Image Encryption

The image owner splits a carrier image of size $H\times W$ into non-overlapping sub-blocks of size $2\times 2$ and the number $\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$, where $\mathrm{H}$ is the height of the image and $\mathrm{W}$ is the width of the image. $i_{h,w}$ is the pixel value at location $(h,w)$, where $I_{h,w}\in [0,255],1\le h\le \mathrm{H},1\le \mathrm{w}\le \mathrm{W}$. Each block has a number in order, numbered in the range 1,2,...,$\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$. This section divides encryption into two main steps: coarse-grained and fine-grained. The encryption unit of coarse-grained encryption is a 2 × 2 non-overlapping sub-block, the encryption algorithm is Arnold’s cat map, and the target of fine-grained encryption is the four pixels inside the non-overlapping sub-block, which is implemented as Algorithm 1.

Secret key definition. The implementation of encryption or decryption methods, as described in the work by [27], requires both the sender and the recipient of the image to possess a secret key $SK$. This unique key consists of two parts: a coarse-grained encryption key denoted as $K_c\leftarrow (p,q)$ and a fine-grained encryption key denoted as $K_f\leftarrow \left(\eta ,x_0,\forall \right)$. This secret key is generated from 65 hexadecimal digits (260 bits), ranging from P1 to P52, and used to compute the initial conditions and control parameters of the chaotic mapping using the expression indicated below:

(1)$\begin{array}{cc}\hfill K_{c1}& ={\left(P_1,P_2,\dots ,P_{13}\right)}_{10}\hfill \\ \hfill K_{c2}& ={\left(P_{14},P_{15},\dots ,P_{26}\right)}_{10}\hfill \\ \hfill K_{f1}& =\frac{{\left(P_{27},P_{38},\dots ,P_{39}\right)}_{10}}{2^{52}+1}\times {10}^{-8}\hfill \\ \hfill K_{f2}& =\frac{{\left(P_{40},P_{41},\dots ,P_{52}\right)}_{10}}{2^{52}+1}\hfill \\ \hfill K_{f3}& ={\left(P_{53},P_{54},\dots ,P_{65}\right)}_{10}\hfill \end{array}$

In which $K_{c1}$, $K_{c2}$, $K_{f3}$ belong to $(0,2^{52})$, and $K_{f1}$, $K_{f2}$ belong to $(0,1)$.

Coarse-grained encryption. Before the image owner splits the image into shadow images, the image needs to be scrambled to ensure its security. Since the fine-grained encryption only needs to satisfy the randomness to generate the scrambling table, and the test sets used in this paper are square matrix, i.e., $H=W$, this paper uses a two-dimensional Arnold’s cat map to generate the scrambling table. For the case of $H\ne W$, other similar random number sorting algorithms can be used to generate the scrambling table, which this paper will not discuss. The image owner uses the coarse-grained encryption key $K_c\leftarrow (p,q)$ as the secret seed key and performs

(2)$\left[\begin{array}{c}{x}_{n+1}\hfill \\ y_{n+1}\hfill \end{array}\right]\leftarrow \left[\begin{array}{cc}1\hfill & p\hfill \\ q\hfill & pq+1\hfill \end{array}\right]\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]modN$

$1\le t\le \lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$, which is the t-th encrypted image block. I is the carrier image and $I^{*}$ is the coarse-grained encrypted image.

Fine-grained encryption. In the proposed scheme, there is no restriction on the specific scrambling method, and we take the enlarged 1D logical mapping as an example. 1D logical mapping only needs to save the seed key, the enlargement factor, and the length of the generated 1D stream, which significantly saves the storage space and the efficiency of crucial transmission. The image owner uses the fine-grained encryption key $K_f\leftarrow \left(\eta ,x_0,\forall \right)$ to generate a random stream by

(3)$x_{r+1}=\eta x_r\left(1-x_r\right)$

Furthermore, the generated sequence $x=\left(x_1,x_2,\cdots x_{\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil }\right)$ is enlarged by a factor of ∀ and rounded down, to obtain the size $\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil$, and perform the following encryption operation:

(4)$I_{h,w}^{\prime }=I_{h,w}^{*}+\left({\sigma }_{s,t}mod256\right)+256$

Moreover, $T_{f_{s,t}}$ is the key corresponding to the $(s,t)$ th image block in $T_f$, where $s=[h/2],t=$$\lceil w/2\rceil$, at the block level, the image owner uses fine-grained encryption by

(5)$I^{\prime }\left(I^{\prime \left(1\right)},I^{\prime \left(2\right)},\cdots ,I^{\prime (\lceil \mathrm{H}/2\times \mathrm{W}/2\rceil )}\right)=En{c}_{\mathrm{fine}}\left(I^{*},K_f\right)$

2.2. Shadow Image Generation

Since the encryption algorithm in this paper employs a permutation algorithm between blocks, there is no scrambling algorithm for pixels between blocks. The RDH algorithm based on histogram shifting (HS) can meet the user’s needs. When the data hider receives the encrypted share, the secure multi-party embedding is performed under the guidance of the dealer. The data distributor can collect encrypted secret data and initiate the embedding phase in a practical application with multiple users and messages. By involving data distributors, communication between multiple data hiders can be avoided. Data hiding based on histogram embedding can be performed on encrypted domains, achieving the high visual quality of the tagged images. Watermark embedding is divided into three main steps. Algorithm 2 demonstrates the detailed algorithmic process in the form of pseudo-code.

2.2.1. Pixel Value Order

Intra-block ascending mapping. For a block of $2\times 2$ pixels $\delta =({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4)$, the image owner computes the new block of pixels utilizing an ascending ordering algorithm:

(6)$\left({\delta }_1^{\prime },{\delta }_2^{\prime },{\delta }_3^{\prime },{\delta }_4^{\prime }\right)\leftarrow PVO\left({\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\right)$

(7)${\delta }_1^{\prime }\le {\delta }_2^{\prime }\le {\delta }_3^{\prime }\le {\delta }_4^{\prime }$

Therefore, the two largest values ${\delta }_4^{\prime }$ and ${\delta }_3^{\prime }$ can predict the value of the other with the value of one, and ${\delta }_1$ and ${\delta }_2^{\prime }$ can also predict the value of the other with the value of one, and their prediction differences are

(8)$\left\{\begin{array}{c}{d}_{max}={\delta }_4^{\prime }-{\delta }_3^{\prime }\hfill \\ d_{min}={\delta }_1^{\prime }-{\delta }_2^{\prime }\hfill \end{array}\right.$

$d_{\max }$ and $d_{min}$ are the maximum and minimum prediction errors in the image chunks, respectively. For the result of $I^{\prime }$ after the fine-grained encryption of the image, and after repeating the same PosCon-operation, we can obtain $d_{\max }$ and $d_{min}$ for all chunks of the whole image, and calculate the histograms of the maximum prediction error and minimum prediction error accordingly.

In addition, the image owner uses 00,01,10,11 to denote the original pixel positions (1,2,3,4) matched by the scrambled pixels, respectively, and saves the original position correspondence table $\varpi$ corresponding to the scrambled image pixels.

2.2.2. Key Generation

Shadow recovery key generation. For the secret sharing scheme with a $\left(k,n\right)$ threshold, we choose a set of modules $Mb=\left\{{Mb}^{\left(1\right)},{Mb}^{\left(2\right)},\cdots ,{Mb}^{\left(n\right)}\right\}$, where the elements in Mb satisfy $\left\{128<{Mb}^{\left(1\right)}<{Mb}^{\left(2\right)}<\cdots <{Mb}^{\left(n\right)}\le 251<Mp\right\}$, satisfying the following conditions:

(9)$gcd\left(M{b}^{\left(i\right)},M{b}^{\left(j\right)}\right)=1,i\ne j$

(10)$gcd\left(M{b}^{\left(j\right)},Mp\right)=1,i=1,2,\dots ,n$

(11)$Mp=\prod _{i=1}^{k}M{b}^{\left(i\right)}$

In addition, we set the secret key $\vartheta$ to satisfy the following relation:

(12)$\vartheta \in {\mathbb{Z}}_{\left({\prod }_{i=1}^{k}M{b}^{\left(i\right)}\right)\left(2^8-1\right)}$

(13)$gcd\left(M{b}^{\left(i\right)},\vartheta \right)=1,i=1,2,\dots ,n$

Then, the shadow image is generated by $K_g\leftarrow (\vartheta ,Mb)$.

Embedding key generation. The randomly chosen integer $\vartheta$ is the secret key, and using the equivalence property of congruence since $\vartheta$ is the amplification parameter, the following two calculations have equivalence conditions under $modb$:

(14)$x\vartheta modb\iff x(\vartheta modb)modb$

Therefore, firstly, $\vartheta$ is converted into the residue form of $a_i=\vartheta mod{Mb}_i$, and the secret parameter $\vartheta$ can be guaranteed not to be revealed without exposing a certain number of ${Mb}_i$. The generated key is $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta ,\chi ),\Delta$ is the threshold parameter which determines the embedding payload, pixels exceeding the threshold $\Delta$ are panned, and those within the threshold $\Delta$ are embedded. The size of $\Delta$ will affect the visual quality of the labeled image. For example, when increasing, the embedding payload will increase, but the visual quality will decrease.

2.2.3. Shadow Image Generation

Unlike the scheme proposed by Xiong et al. [25] which only adds large random numbers (only addition), the secret sharing scheme used in this paper uses the method of adding perturbations first and then scaling up (a combination of addition and multiplication) to improve security. For a single pixel value, $x(h,w),h=1,2,\dots ,H,w=1,2,\dots ,W$, an image of size $H\times W$, and the encryption key $K_g=(\vartheta ,Mb)$, let us calculate

(15)$\begin{array}{c}\vartheta \left(x(h,w)\right)={\tau }_1(h,w)modM{b}^{\left(1\right)}\\ \vartheta \left(x(h,w)\right)={\tau }_2(h,w)modM{b}^{\left(2\right)}\\ \dots \\ \vartheta \left(x(h,w)\right)={\tau }_n(h,w)modM{b}^{\left(n\right)}\end{array}$

2.3. Data Embedding

Since the same noise is added to each image sub-block during fine-grained encryption, the differences between pixels do not change, which means that additional information can be embedded in the DH embedding data using homomorphic embedding. A module homomorphic embedding approach is adopted in this paper, in which any shadow image after image segmentation is used as a carrier. The additive homomorphic property of secret sharing is taken advantage of so that the data hider can embed all extra data into the shadow image independently. This algorithm can extract the extra data rapidly from the newly generated shadow image. It is convenient for multiple users to tag, manage, and retrieve secret texts independently too improve the embedding efficiency, i.e., to embed as much data as possible with fewer modifications. Importantly, each data hider owns an independent shadow image and can produce the embedding instruction and data embedding images independently. Consequently, the embedding capacity scales linearly with the number of data hiders, such that the overall capacity is obtained by multiplying the capacity of a single image by the number of hiders involved. Algorithm 3 demonstrates the detailed algorithmic process in the form of pseudo-code.

Upon receiving the image to be embedded ${\tau }^{\left(i\right)}$, ${DH}^{\left(i\right)}$ divides it into non-overlapping $2\times 2$ sub-blocks. We denote the block at position $(h,w)$ as $\{{\delta }_1[h,w],{\delta }_2[h,w],{\delta }_3[h,w],{\delta }_4[h,w]\}$ (for ease of writing, we abbreviate it as $\{{\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\}$) and embed $c_i[h,w]\leftarrow \{c_{i_0},c_{i_1}\}$). Specifically, $c_{i_0}[h,w]$ is embedded into ${\delta }_1$ while $c_{i_1}[h,w]$ is embedded into ${\delta }_4$. To obtain a difference histogram that encodes the image difference information, we employ the secret extraction key $K_a$ as follows:

(16)${\dot{\delta }}_j={\delta }_j{a}^{\left(i\right)}modM{b}^{\left(i\right)},\mathrm{j}=1,2,3,4$

Prediction error recovery. For a single $2\times 2$ pixel block, the four elements within the block perform sum and mode operations using the same cryptographic secret key. This means that the difference between any two pixels within the block should satisfy the ascending ordering, and thus the true prediction error is recovered in the following manner:

(17)$d_{max}[h,w]=\left\{\begin{array}{c}{\dot{\delta }}_4-{\dot{\delta }}_3,if:{\dot{\delta }}_4-{\dot{\delta }}_3\ge 0\\ {\dot{\delta }}_4-{\dot{\delta }}_3+M{b}^{\left(i\right)},if:{\dot{\delta }}_4-{\dot{\delta }}_3<0\end{array}\right.$

(18)$d_{min}[h,w]=\left\{\begin{array}{c}{\dot{\delta }}_1-{\dot{\delta }}_2,if:{\dot{\delta }}_1-{\dot{\delta }}_2\le 0\\ {\dot{\delta }}_1-{\dot{\delta }}_2-M{b}^{\left(i\right)},if:{\dot{\delta }}_1-{\dot{\delta }}_2>0\end{array}\right.$

The difference histograms are mainly concentrated around the value of 0, and the prediction error statistics of ciphertext images are the same as those of plaintext images, so the prediction error statistics of ciphertext images retain the statistical characteristics of plaintext. The prediction error histogram of a raw image is generally Laplacian, so we can use the histogram shifting technique to hide the data in the ciphertext image.

Histogram embedding. We perform the translation embedding in two prediction error histograms of the ciphertext image. It is worth noting that, in addition to the 0 value, several histograms of its nearby values are also high, so we utilize multiple histogram embeddings to increase the embedding capacity. In addition, due to the unique nature of module homomorphic secret sharing in this paper, the selected module bases are less than 252. Therefore, the data overflow before secret sharing will not affect the embedding flags and results after secret sharing in the all-position embeddable histogram translation embedding method.The image owner can use an additional auxiliary information table to cooperate with data embedding and extraction. Therefore, the histogram panning embedding method based on secret sharing can effectively solve the problem of possible overflow and underflow during the data panning process.

We set the storage threshold at $\Delta$, pixels exceeding the threshold $\Delta$ are shifted, those within the threshold $\Delta$ are embedded, and according to the prediction error $d_{\max }$, the data $c_1$ are embedded by shifting the maximum value ${\delta }_4$, the maximum value of possible embedding is $\chi$, and the data embedding algorithm $\mathrm{embed}\left(\tau \right)$ is executed, so the data embedding is performed by

(19)${\delta }_4^{\prime }\leftarrow \left\{\begin{array}{cc}{\delta }_4+c_1[h,w]\Delta \hfill & \mathrm{if}0\le d_{\max }[h,w]\le \Delta \hfill \\ {\delta }_4+\chi \Delta \hfill & \mathrm{else}\hfill \end{array}\right.$

According to the equation prediction error $d_{\min }$, embedding the data $c_0$ by shifting the minimum ${\delta }_1$, the data embedding is performed by

(20)${\delta }_1^{\prime }\leftarrow \left\{\begin{array}{cc}{\delta }_1-c_0[h,w]\Delta \hfill & \mathrm{if}-\Delta \le d_{min}^{\left(i\right)}\le 0\hfill \\ {\delta }_1-\chi \Delta \hfill & \mathrm{else}\hfill \end{array}\right.$

The embedding algorithm is executed on all image blocks of the image to obtain the labeled image ${\mathbb{S}}^{\left(i\right)}=\mathrm{embed}\left({\tau }^{\left(i\right)}\right)$, and send it to the corresponding ${\mathrm{receiver}}^{\left(i\right)},i=1,2,\cdots n$.

2.4. Data Extraction

When the secret data are embedded into the encrypted shadow share, the receiver can collect the tagged encrypted shadow images from different data hiders. Upon receiving the extraction secret key $K_a^{\left(i\right)}$ that corresponds to the ${Share}^{\left(i\right)}$ of the i-th shadow image, the i-th receiver can recover the embedded data individually. At position $(h,w)$ of ${\mathbb{S}}^{\left(i\right)}$, the block is denoted as $\{{\delta }_1[h,w],{\delta }_2[h,w],{\delta }_3[h,w],{\delta }_4[h,w]\}$ (for ease of writing, we abbreviate it as $\{{\delta }_1,{\delta }_2,{\delta }_3,{\delta }_4\}$). We extract $w[h,w]\leftarrow \{c_0^{\prime }[h,w],c_1^{\prime }[h,w]\}$, wherein $c_0^{\prime }[h,w]$ is extracted into ${\delta }_1$, and $c_1^{\prime }[h,w]$ is extracted into ${\delta }_4$. Moreover, we can obtain $d_{max}[h,w]$ and $d_{min}[h,w]$ using the same method as in Equations (16)–(18).

Iterating through all the storage blocks of the block, we obtain the computational prediction error $d_{max}[h,w]$ and $d_{min}[h,w]$. From the nature of the $2\times 2$ pixel-based block, it is known that there are two positions within the block where the data can be embedded, and the possible embedded data are ${\tilde{w}}_0$ by Equation (21) and ${\tilde{w}}_1$ by Equation (22).

(21)${\tilde{w}}_0[h,w]=\left\{\begin{array}{cc}⌊d_{max}^{\left(i\right)}(h,w)/\Delta ⌋\hfill & \mathrm{if}\Delta <d_{max}^{\left(i\right)}(h,w)\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta \ne 0\hfill \\ \left(d_{max}^{\left(i\right)}(h,w)/\Delta \right)-1\hfill & \mathrm{if}\Delta <d_{max}^{\left(i\right)}(h,w)\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta =0\hfill \\ 0\hfill & \mathrm{if}0<d_{max}^{\left(i\right)}(h,w)\le \Delta \hfill \\ NULL\hfill & \mathrm{if}\chi \Delta <d_{max}^{\left(i\right)}(h,w)\hfill \end{array}\right.$

(22)${\tilde{w}}_1[h,w]=\left\{\begin{array}{cc}⌊|d_{min}^{\left(i\right)}(h,w)/\Delta |⌋\hfill & \mathrm{if}\Delta <\left|d_{min}^{\left(i\right)}(h,w)\right|\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta \ne 0\hfill \\ \left|d_{min}^{\left(i\right)}(h,w)/\Delta \right|-1\hfill & \mathrm{if}\Delta <\left|d_{min}^{\left(i\right)}(h,w)\right|\le \chi \Delta \mathrm{and}{d}_{min}^{\left(i\right)}(h,w)/\Delta =0\hfill \\ 0\hfill & \mathrm{if}0<\left|d_{min}^{\left(i\right)}(h,w)\right|\le \Delta \hfill \\ NULL\hfill & \mathrm{if}\chi \Delta <\left|d_{min}^{\left(i\right)}(h,w)\right|\hfill \end{array}\right.$

Iterate over all blocks and recover all embedded data. Algorithm 4 demonstrates the detailed algorithmic process in the form of pseudo-code.

2.5. Image Recovery

Algorithm 5 demonstrates the detailed algorithmic process of image recovery in the form of pseudo-code. After receiving the secret shares of $\mathit{k}$, the image owner first uses the inverse theorem based on the residual theorem of the Chinese Remainder to obtain the fine-grained encrypted digital image data. For the share of the hth row and wth column of the image ${\mathbb{S}}_1\left(h,w\right),{\mathbb{S}}_2\left(h,w\right),\dots ,{\mathbb{S}}_k\left(h,w\right)$, ${\mathbb{S}}_4^{\left(i\right)}(h,w)$ and ${\dot{\mathbb{S}}}_1^{\left(i\right)}(h,w)$ can be recovered by

(23)${\dot{\mathbb{S}}}_4^{\left(i\right)}(h,w)=\left\{\begin{array}{cc}{\mathbb{S}}_4^{\left(i\right)}(h,w)-⌊d_{max}^{\left(i\right)}(h,w)/\Delta ⌋\Delta modM{b}_i& \mathrm{if}{\tilde{w}}_0=⌊d_{max}^{\left(i\right)}(h,w)/\Delta ⌋\\ {\mathbb{S}}_4^{\left(i\right)}(h,w)-d_{max}^{\left(i\right)}(h,w)+\Delta modM{b}_i& \mathrm{if}{\tilde{w}}_0=\left(d_{max}^{\left(i\right)}(h,w)/\Delta \right)-1\\ {\mathbb{S}}_4^{\left(i\right)}(h,w)modM{b}_i& \mathrm{if}{\tilde{w}}_0=0\\ {\mathbb{S}}_4^{\left(i\right)}(h,w)-\Delta \chi modM{b}_i& \mathrm{if}{\tilde{w}}_0=NULL\end{array}\right.$

(24) ${\dot{\mathbb{S}}}_1^{\left(i\right)}(h,w)=\left\{\begin{array}{cc}{\mathbb{S}}_1^{\left(i\right)}(h,w)+⌊|d_{min}^{\left(i\right)}(h,w)/\Delta |⌋\Delta modM{b}_i& \mathrm{if}{\tilde{w}}_1=⌊|d_{min}^{\left(i\right)}(h,w)/\Delta |⌋\\ {\mathbb{S}}_1^{\left(i\right)}(h,w)-d_{min}^{\left(i\right)}(h,w)-\Delta & \mathrm{if}{\tilde{w}}_1=\left|d_{min}^{\left(i\right)}(h,w)/\Delta \right|-1\\ {\mathbb{S}}_1^{\left(i\right)}(h,w)modM{b}_i& \mathrm{if}{\tilde{w}}_1=0\\ {\mathbb{S}}_1^{\left(i\right)}(h,w)+\Delta \chi modM{b}_i& \mathrm{if}{\tilde{w}}_1=\mathrm{NULL}\end{array}\right.$

The secret can be recovered by executing the following secret recovery algorithm:

(25)$\begin{array}{c}\tilde{I}(h,w)={\displaystyle \sum _{i=1}^k}{M}_i{\mathbb{S}}_{\mathrm{i}}(h,w)M_i^{-1}modMp\\ M_i=Mp/M{b}_i\\ M_i{M}_i^{-1}=1modMp\end{array}$

After recovering the secret sub share, a fine-grained decryption algorithm is executed, and it is decrypted by

(26)$I^{*}(h,w)=\tilde{I}(h,w)-256-\left(T_{f_{s,t}}mod256\right)$

(27)$\left[\begin{array}{c}{x}_{n+1}\hfill \\ y_{n+1}\hfill \end{array}\right]=\left[\begin{array}{cc}pq+1\hfill & \hfill -p\\ -q\hfill & \hfill 1\end{array}\right]\left[\begin{array}{c}{x}_n\hfill \\ y_n\hfill \end{array}\right]modN$

(28)$I\left(I^{\left(1\right)},I^{\left(2\right)},\cdots ,I^{\left(\right[H/2\times W/2\left]\right)}\right)={Dec}_{\mathrm{coarse}}\left(I^{*},K_c\right)$

The method proposed in this paper has significant social impact in fields such as military imagery, remote healthcare, and forensic investigation. These fields demand the assurance of data security and integrity, which the proposed method can improve and ensure. As a multi-party secure cryptographic system, it can enhance data disaster recovery through secret sharing properties and have a positive effect on data security.

3. Demonstration and Analysis

3.1. Method Demonstration

In the last section, we introduced the specific details of our proposed protocol. To better understand the proposed method, in this chapter, we show the whole method in distributions. That is, the image encryption example diagram, secret split example diagram, data embedding example diagram, and data extraction example diagram; additionally, the extraction of feature images is integrated into the overall framework.

We will give a concrete example of the protocol and give an analysis and security proof of the protocol. We will take four 2 × 2 image blocks as an example and set the parameters of (k, n) secret sharing as 4 and 5.

Image encryption. As shown in Figure 3, let an image with 16 original pixels be I. The image is divided into four 2 × 2 dot blocks ($I^{\left(1\right)},I^{\left(2\right)},I^{\left(3\right)},I^{\left(4\right)}$), and pixels of the same color are grouped together in the image encryption example diagram:

(29)$\left\{\begin{array}{c}{I}^{\left(1\right)}=\left(I_1^{\left(1\right)},I_2^{\left(1\right)},I_3^{\left(1\right)},I_4^{\left(1\right)}\right)=(159,152,151,158)\hfill \\ I^{\left(2\right)}=\left(I_1^{\left(2\right)},I_2^{\left(2\right)},I_3^{\left(3\right)},I_4^{\left(4\right)}\right)=(152,152,154,153)\hfill \\ I^{\left(3\right)}=\left(I_1^{\left(3\right)},I_2^{\left(3\right)},I_3^{\left(3\right)},I_4^{\left(3\right)}\right)=(151,158,153,160)\hfill \\ I^{\left(4\right)}=\left(I_1^{\left(4\right)},I_2^{\left(4\right)},I_3^{\left(4\right)},I_4^{\left(4\right)}\right)=(156,156,155,156)\hfill \end{array}\right.$

The image owner uses the coarse-grained Arnold image permutation algorithm $En{c}_{coarse}(I,K_c)$ to obtain $I^{*}$:

(30)$\left\{\begin{array}{c}{I}^{*\left(1\right)}=\left(I_1^{*}\left(1\right),I_2^{*\left(1\right)},I_3^{*\left(1\right)},I_4^{*}\left(1\right)=(155,156,156,156)\right.\hfill \\ I^{*\left(2\right)}=\left(I_1^{*\left(2\right)},I_2^{*\left(2\right)},I_3^{*\left(3\right)},I_4^{*}\right)=(151,153,158,160)\hfill \\ I^{*\left(3\right)}=\left(I_1^{*\left(3\right)},I_2^{*\left(3\right)},I_3^{*\left(3\right)},I_4^{*\left(3\right)}\right)=(152,152,153,154)\hfill \\ I^{*\left(4\right)}=\left(I_1^{*\left(4\right)},I_2^{*\left(4\right)},I_3^{*\left(4\right)},I_4^{*}\left(4\right)=(151,152,158,159)\right.\hfill \end{array}\right.$

The image owner uses the fine-grained image scrambling algorithm $En{c}_{fine}(I^{*},K_f)$, where the encryption key $K_f=427,311,455,340$, and obtains $I^{\prime }$:

(31)$\left\{\begin{array}{c}{I}^{\prime \left(1\right)}=\left(I_1^{\prime \left(1\right)},I_2^{\prime \left(1\right)},I_3^{\prime \left(1\right)},I_4^{\prime \left(1\right)}\right)=(582,583,583,583)\hfill \\ I^{\prime \left(2\right)}=\left(I_1^{\prime \left(2\right)},I_2^{\prime \left(2\right)},I_3^{\prime \left(2\right)},I_4^{\prime \left(2\right)}\right)=(462,464,459,471)\hfill \\ I^{\prime \left(3\right)}=\left(I_1^{\prime \left(3\right)},I_2^{\prime \left(3\right)},I_3^{\prime \left(3\right)},I_4^{\prime \left(3\right)}\right)=(597,597,598,599)\hfill \\ I^{\prime \left(4\right)}=\left(I_1^{\prime \left(4\right)},I_2^{\prime \left(4\right)},I_3^{\prime \left(4\right)},I_4^{\prime \left(4\right)}\right)=(491,492,498,499)\hfill \end{array}\right.$

Shadow image generation: As shown in Figure 4, the image owner randomly picks the module $Mb$ and the random mapping parameter $\mathrm{A}=996,601$, as well as the secret key $K_a\leftarrow (\mathrm{Mb},\mathrm{a},\Delta \chi )$ for the module $Mb$ inverse of the random parameter $\mathrm{A}$:

(32)$Mb=\left(M{b}_1,M{b}_2,M{b}_3,M{b}_4,M{b}_5\right)=(131,137,139,149,153)$

(33)$a=A^{-1}modMb=\left(a^{\left(1\right)},a^{\left(2\right)},a^{\left(3\right)},a^{\left(4\right)},a^{\left(5\right)}\right)=(39,87,115,72,97)$

The image owner sends the split secret data $I^{\prime }$ and the embedding secret key $K_a$ to the corresponding data hider using a trusted channel. ${\tilde{I}}^{(1\sim 5)}$ is the secret share map of the difference information obtained by $D{H}^{(1\sim 5)}$ with $K_a^{(1\sim 5)}$:

(34)$\left\{\begin{array}{c}{\tilde{I}}^{\left(1\right)}=\left(I_1^{\left(1\right)},I_1^{\prime \left(2\right)},I_1^{\prime \left(3\right)},I_1^{\prime \left(4\right)}\right)a^{\left(1\right)}modM{b}^{\left(1\right)}=(98,99,105,106)\\ {\tilde{I}}^{\left(2\right)}=\left(I^{\prime \left(1\right)},I_2^{\prime \left(2\right)},I_2^{\prime \left(3\right)},I_2^{\prime \left(4\right)}\right)a^{\left(2\right)}modM{b}^{\left(2\right)}=(80,81,87,88)\\ {\tilde{I}}^{\left(3\right)}=\left(I^{\prime \left(1\right)}{}_3^{\left(1\right)},I_3^{\prime \left(2\right)},I_3^{\prime \left(3\right)},I^{\prime }{}_3^{\left(4\right)}\right)a^{\left(3\right)}modM{b}^{\left(3\right)}=(74,75,81,82)\\ {\tilde{I}}^{\left(4\right)}=\left(I^{\prime }{}_4^{\left(1\right)},I_4^{\prime \left(2\right)},I_4^{\prime \left(3\right)},I_4^{\prime \left(4\right)}\right)a^{\left(4\right)}modM{b}^{\left(4\right)}=(44,45,51,52)\\ {\tilde{I}}^{\left(5\right)}=\left(I^{\prime \left(1\right)},I_1^{\prime \left(2\right)},I_1^{\prime \left(3\right)},I_1^{\prime \left(4\right)}\right)a^{\left(5\right)}modM{b}^{\left(5\right)}=(32,33,39,40)\end{array}\right.$

As shown in Figure 5, we can see that $\left|d_{max}^{(1\sim 5)}\right|=\left|d_{min}^{(1\sim 5)}\right|=1$; both are less than or equal to $\Delta$. Therefore, the data hider performs the data embedding operation for both the highest and lowest bits to obtain the shadow image share after embedding the data and sends the secret share to the corresponding SSCP:

(35)$\left\{\begin{array}{c}\mathrm{Share}{}^{\left(1\right)}=(110-0\times \Delta ,63,43,127+1\times \Delta )=(110,63,43,128)\\ \mathrm{Share}{}^{\left(2\right)}=(108-0\times \Delta ,34,1,64+1\times \Delta )=(108,34,1,65)\\ \mathrm{Share}{}^{\left(3\right)}=(78-0\times \Delta ,49,14,124+1\times \Delta )=(78,49,14,125)\\ \mathrm{Share}{}^{\left(4\right)}=(42-0\times \Delta ,141,69,9+1\times \Delta )=(42,141,69,10)\\ \mathrm{Share}{}^{\left(5\right)}=(65-0\times \Delta ,24,84,43+1\times \Delta )=(65,24,84,44)\end{array}\right.$

As shown in Figure 6, receiver ${}^{(1\sim 5)}$ recovers the secret share map that represents the image difference information and obtains $W=[0,1]$ after receiving the embedding data recovery request using $K_a^{(1\sim 5)}$. The shadow image recovery and image decryption are the reverse of the above steps and will not be repeated.

3.2. Method Analysis

4. Experiments and Numerical Results

The six test images, including “Lena”, “Baboon”, “Barbara”, “Goldhill”, and “Peppers”, are from the dataset used for the experiments. All test images are grayscale images with a size of 512 × 512. The experimental environment was as follows: host configuration CPU AMD 5800X, memory 32 GB, operating system Windows 11, programming language python 3.9, and MATLAB 2022b.

4.1. Performance of Image Encryption

According to the guideline [28], we conduct multiple experiments to ensure the security of image encryption by testing image randomness, similarity metrics, graphic correlation, and noise robustness.

Image randomness. The intruder shares two secret images at the same time. To the naked eye, the shadow image must look like noise. In addition, the shadow images can be evaluated in a histogram; the more uniform the histogram distribution, the more secure the proposed scheme is. As shown in Figure 7, the first line is the encryption effect of Lena, Baboon, Barbara, Goldhill, and Peppers, and the second line is the encryption result after coarse-grained encryption, which exhibits a strong regularity among pixels, but it is visually impossible to tell what the original image is. The third line is the encryption result after fine-grained encryption. From the line, we can see that after the fine-grained encryption, the statistical features of the gray pixels of the carrier image can be effectively concealed.

In addition, we propose two evaluation metrics for the similarity metric, which can be measured by the peak signal-to-noise ratio (PSNR) shown in Equation (44) and the structural similarity (SSIM) shown in Equations (45) and (46). PSNR evaluates the similarity of images and MSE denotes mean square error:

(44)$\left\{\begin{array}{c}PSNR=10\times {log}_{10}\left(\frac{{255}^2}{MSE}\right)dB\hfill \\ MSE=\frac{1}{W\times H}\sum _{i=1}^W\sum _{j=1}^H{\left[S^{\prime }(i,j)-S(i,j)\right]}^2\hfill \end{array}\right.$