1. Introduction

Data hiding (DH) and digital watermarking (DW) are two of the important contents of cyberspace security research, which have been greatly developed in recent years. Various new technologies and new methods for them emerge one after another. For example, Abdallah et al. [1,2] proposed some new algorithms for video watermarking. Yu et al. [3] summarized the current robust video watermarking algorithms for copyright protection. However, most steganography algorithms cause permanent distortion of the original carrier after embedding the data, which is not allowed in some areas where data authentication is required, such as privacy protection in the cloud environment, military combat map transmission, etc. [4]. Reversible data hiding (RDH) [5] takes data hiding and distortion-free recovery of the original carrier into account. Currently, RDH algorithms mainly include: lossless compression (LC) [6,7], difference expansion (DE) [8,9] and histogram shifting (HS) [10,11]. With the promotion of cloud services, for the purpose of privacy protection, users usually encrypt the uploaded data, so that the original data become incomprehensible ciphertext data. Reversible data hiding in encrypted image (RDH-EI) comes into being and has become the latest research hotspot. The RDH-EI requires that the carrier used for embedding be encrypted, and the carrier still be decrypted without error after extracting embedded data. RDH-EI is an important combination of signal processing technology and data hiding technology in encrypted domain. It has dual functions of privacy protection and secret information transmission for information security in data processing. There are two main applications in medical health. The first is the integrity protection of medical images. Medical images are mostly digital images that are easily copied, edited, or maliciously altered while being easy to store. A more mature technique for protecting image integrity information is digital signatures. The main principle is to generate non-repudiation hash values that are appended to original image and transmitted to the receiver. However, in reality, confidential communications often run the risk of being attacked by malicious attacks and analysis. The way to directly attach the hash value to the image is easily vandalized and replaced, thus increasing the difficulty of image authentication. On some special occasions, image reversible information hiding can be used as an important complementary technology to digital signatures, embedding image integrity information such as hash values into medical images. The receiver can not only recover the medical image reversibly, but also correctly extract the legal authentication information to protect the integrity of the medical image. The second is encrypted image management in telemedicine. Image-oriented telemedicine is widely used in the future information society. For the purposes of confidentiality and privacy protection, medical images sometimes need to be encrypted beforehand and sent to third parties such as the cloud for management. The sensitive information such as the medical record is embedded in encrypted image by means of RDH-EI, so that encrypted image management in telemedicine can be realized.

Zhang [12] firstly proposed RDH-EI, which encrypts images with stream ciphers, and then divides encrypted images into blocks that do not overlap each other. Each block has two groups. By flipping each pixel’s three least significant bits (LSBs) in the corresponding group, 1-bit information can be embedded. The receiver extracts extra data through the wave function. However, when the block is small, the error rate becomes high. Hong et al. improved Zhang’s method by using a wave function capable of edge matching in [13] and using unbalanced bit flipping in [14]. In [15], Zhang proposed a separable RDH-EI algorithm, which can extract additional data in both the encrypted domain and the plaintext domain. The above RDH-EI algorithms need to vacate room after encryption (VRAE) for data hiding, resulting in lower embedding capacity of the algorithm and higher error rate in the data extraction process. Ma et al. [16] proposed a RDH-EI algorithm by vacating room before encryption (VRBE). Zhang et al. [17] improved reversibility, embedding capacity, and image quality by exploiting prediction errors in data embedding.

The RDH-EI algorithms mentioned above are to encrypt images with symmetric cryptography because symmetric cryptography has lower computational complexity and faster encryption and decryption speed. However, because of using symmetric cryptography, each pair of senders and receivers must have different keys, which are required in the context of current multi-party cloud computing services. The amount of keys is huge, which makes it difficult to manage keys. For example, in a communication network with n users, each user must usen−1keys to communicate with the remainingn−1users, and the total number of keys in the system will be up to_^C2n=n(n−1)/2. Such a large amount of keys will have insecurities in the various aspects of saving, transferring, using and destroying. In addition, both parties using symmetric cryptography must use the same key for encryption and decryption, thus the key must be transmitted over the secure channel before communication. If the key is stolen during the delivery process, or either party leaks the key, the encrypted data will be insecure. Because symmetric cryptography has the above shortcomings of designing the RDH-EI algorithms, we naturally use public key cryptography into the RDH-EI algorithms. The key amount of the public key cryptography is greatly reduced, and the key does not need to be transferred in advance. More importantly, with public key cryptography, we can perform homomorphic addition and homomorphic multiplication in the encrypted domain, which makes the embedding process of additional data more secure.

Differing from RDH-EI, Chen et al. [18] firstly proposed encrypted image-based reversible data hiding with public key cryptography (EIRDH-P). In EIRDH-P, the characteristics of public key cryptography overcome the shortcoming that symmetric encryption requires the safe channel to pass the key in advance. The algorithm embeds the 1-bit information into a pair of adjacent encrypted pixels. According to the homomorphic characteristics of the Paillier cryptosystem, the receiver obtains the secret information by comparing all the decrypted pixel pairs. The disadvantage of the Chen’s method is that there is an inherent overflow problem. Subsequently, Shiu et al. [19] and Wu et al. [20] improved Chen’s method by solving the overflow problem. The above inseparable algorithms limit the application scenario and scope of the algorithms, and the separable algorithms have more application scenarios. The receiver’s privilege determines different operations it can perform, for example the receiver can only extract additional data, the receiver can only decrypt the image, and the receiver can both decrypt the image and extract additional data.

In 2016, Zhang et al. [21] first proposed a separable EIRDH-P algorithm, which combines wet paper code (WPC) [22] with Paillier homomorphic encryption. Zhang’s method vacates room by histogram shrinking and uses WPC to embed additional data. Xiang et al. [23] proposed a RDH-EI algorithm based on mirroring ciphertext groups (MCGs) by using the homomorphic and probabilistic characteristics of the Paillier cryptosystem. In summary, using the homomorphic characteristics of public key cryptography for RDH-EI is the latest research hotspot, which we call reversible data hiding in homomorphic encrypted image (RDH-HEI). This paper proposes a RDH-HEI scheme based on EC-EG. Firstly, the cover image is segmented. The square grid pixel group randomly selected by the image owner has one reference pixel and eight target pixels. The n LSBs of the reference pixel and all bits of the target pixels are self-embedded into other parts of the image by a method of predictive error expansion (PEE). To avoid overflowing when embedding data, the n LSBs of the reference pixel are reset to zero before encryption. Then, the pixel values of the image are encrypted after encoded onto the points of the elliptic curve. The encrypted reference pixel replaces the encrypted target pixels surrounding it, thereby constructing the mirror central ciphertext (MCC). In a set of MCC, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts, while the reference pixel remains unchanged. The receiver can achieve separation of additional data extraction from cover-image recovery, additional data extraction without any errors, and reversibility completely.

The rest of this paper is organized as follows. Section 2 briefly describes homomorphic EC-EG cryptosystem, its properties and reviews predictive error expansion for reversible data hiding in the plain domain. Implementation of the proposed RDH-HEI scheme is elaborated in Section 3. Simulation experiment and theoretical analysis are presented in Section 4. Finally, the conclusion is drawn in Section 5. It is important to note that a preliminary version [24] of this paper is in proceedings of the “11th Intelligent Networking and Collaborative Systems (INCoS-2019)”.

2. Related Knowledge 2.1. Elliptic Curve The image trajectory of elliptic curve is not an ellipse, but a cubic curve on a plane. However, it is a problem that people find when studying the arc length of an ellipse.

Definition 1.

Elliptic curve is a plane curve determined by the cubic Weierstrass equation:

^y2+axy+by=^x3+c^x2+dx+e

The points on the curve satisfy the equation. If the coefficient isa,b,c,d,e∈_FP, the number of points on the curve is finite, and all the points on the curve plus an artificial infinity point constitute the setE(_Fp)and the number of points inE(_Fp)is recorded as#E(_FP)(p+1−2p≤#E(_FP)≤p+1+2p).

When constructing a cryptosystem, the following elliptic curve is mainly used:

^y2=^x3+ax+b(x,y,a,b∈_FP)

Figure 1 shows the distribution of points on the elliptic curve whena=4,b=20,p=33331.

Theorem 1.

The setE(_Fp)of points on the elliptic curve forms an Abel group for the addition defined below:

1.

O+O=O

2.

∀(x,y)∈E(_FP),(x,y)+O=(x,y)

3.

∀(x,y)∈E(_FP),(x,y)+(x,−y)=O

4.

(addition rule)If(_x1,_y1)+(_x2,_y2)=(_x3,_y3)is satisfied when_x1≠_x2, then

_x3=^λ2−_x1−_x2y3=λ(_x1−_x3)−_y1,λ=_y2−_y1x2−_x1

5.

(multiple point rule)∀(_x1,_y1)∈E(_FP),_y1≠0, If2(_x1,_y1)=(_x2,_y2)is satisfied, then

_x2=^λ2−2_x1y2=λ(_x1−_x2)−_y1,λ=3_x12+a2_y1

2.2. Elliptic Curve Public Key Cryptography

Elliptic curve discrete logarithm problem (ECDLP) means that x is determined by a given P and Q, that is to say, ifP∈E(_FP)is the set, then∃x∈^N∗makesQ=xPtrue. The elliptic curve discrete logarithm problem is more difficult to deal with than the discrete logarithm problem on the finite field, and the security is also higher.

Definition 2.

Suppose that E is an elliptic curve and G is a point on E. If∃n∈^N∗exists,nG=Ois established, then n is said to be the order of point G, where O is the infinity point.

Implementation of elliptic curve ElGamal (EC- EG):

Key generation: Select the base field_Fp, the elliptic curve_Ep, and encode the plaintext information m to the pointM(m)on the curve. Select the generator G (base point) of_Epas the public parameter. The user selects the private keysk∈_FP(sk<n)and the public key ispk=skG.

In cryptography, describe an elliptic curve on an_Fp, commonly used to six parameters:T=(p,a,b,G,n,h)(p, a and b are used to determine an elliptic curve, h is the integer part of the number#E(_FP)of all points on the elliptic curve divided by n). The choice of these parameters directly affects the security of encryption. The parameter values generally require the following conditions to be met:

• p is of course larger and safer, but the larger is p, the slower is the calculation speed. p is about 200 bits to meet general safety requirements:

• p≠n×h;

• ^pt≠1(modn),1≤t<20;

• 4^a3+27^b2≠0(modp);

• n is a prime number; and

• h≤4.

Encryption: Bob selects a random integerr(r<n)and calculates the ciphertext as

C(m)=(_C1,_C2)=(rG,M(m)+rpk)

Decryption: Alice calculatesM(m)=_C2−sk_C1to complete the decryption.

Homomorphic addition: After encoding the plaintext(_m1,_m2)to the two points(M(_m1),M(_m2))on_Ep , the ciphertext is calculated according to Equation (6) using random integer(_r1,_r2).

C(_m1)=(_C11,_C21)=(_r1G,M(_m1)+_r1pk)C(_m2)=(_C12,_C22)=(_r2G,M(_m2)+_r2pk)

According topk=skGin Key generation, the homomorphic addition can be expressed as

C(_m1)+C(_m2)=_C21+_C22−sk_C11−sk_C12=M(_m1)+_r1pk+M(_m2)+_r2pk−_r1skG−_r2skG=M(_m1)+M(_m2)

That is, the sum of the two ciphertexts is equal to the sum of the plaintexts after decryption. 2.3. Rhombus Pattern Based PEE

The rhombus prediction error extension [25] is to divide the image pixels into overlapping pixel groups. Pixels of a group are further divided into “×” and “•” sets. Pixels of “×” set are used for data embedding and pixels of “•” set are used for prediction. Figure 2 illustrates that a pixel_pi,jin the “×” set is predicted by its four neighboring pixels(_pi,j−1,_pi,j+1,_pi−1,j,_pi+1,j)in the “•” set. The embedding, extraction and recovery procedures are given as follows.

2.3.1. The Embedding Procedure

The predicted value_pi,j′is the average of four adjacent pixel values of_pi,i and is calculated by Equation (8).

_pi,j′=_pi,j−1+_pi,j+1+_pi−1,j+_pi+1,j4

The prediction error_ei,jis the difference between the original pixel_pi,jand the predicted value_pi,j′ and is calculated by Equation (9).

_ei,j=_pi,j−_pi,j′

The difference expansion method [26] is employed to expand the prediction error_ei,j for data embedding. Equation (10) is used for PEE.

_ei,j′=2×_ei,j+b

where_ei,j′is the modified prediction error after data embedding and b is one bit of the message to be embedded. Thus, each group can embed one bit of information. The modified pixel value_Pi,j after data embedding is calculated by Equation (11).

_Pi,j=_ei,j′+_pi,j′

2.3.2. Overflow or Underflow Processing

The PEE data embedding may cause overflow or underflow.L_mapcan be used to avoid embedding into pixels that cause overflow or underflow. Substituting_pi,j′ from Equation (9) and_ei,j′ from Equation (10) into Equation (11), we get

_Pi,j=_ei,j+_pi,j+b

According to Equation (12), it is clear that pixels that do not cause overflow or underflow satisfy the condition in Equation (13).

0≤_ei,j+_pi,j≤254

TheL_map to record the positions of invalid groups can be created by pre-processing the original image. Each group of the original image is checked for Equation (13) and records the row and column binary data of invalid groups. TheL_mapis compressed and then self-embedded into to the image.

2.3.3. Extraction and Recovery Procedures

The extraction procedure is the inverse of the embedding procedure. Since the “•” pixels do not change, the receiver has the same predicted pixel value_pi,j′of “×” pixels as the image owner. Given the modified pixel value_Pi,jand the modified prediction error_ei,j′ , Equation (14) is used to calculate which additional data have been embedded.

_ei,j′=_Pi,j−_pi,j′

Then, the embedded information is calculated by Equation (15).

b=_ei,j′mod2

Equation (16) is used for calculating the original prediction error_ei,j.

_ei,j=_ei,j′2

Finally, the original pixel value_pi,jis recovered as

_pi,j=_pi,j′+_ei,j

3. Proposed Scheme 3.1. Overall Framework of the Proposed Scheme

The overall framework of RDH-HEI based on EC-EG is shown in Figure 3. Firstly, the image is divided into non-overlappingA,B,C, and then the space is reserved by the PEE algorithm. The image owner encodes the pixel values of image onto the points of the elliptic curve. Finally, the MCC is constructed after encrypting image with the public keypk. The data hider divides the encrypted image into non-overlapping_AE,_BE,_CEin the same way as the image owner, scrambles the additional data with the hidden key_k2and then encrypts it withpk. Finally, the data hider embeds the encrypted additional data into the n LSBs of the target pixels by homomorphic addition in ciphertexts. The addition operation embeds the encrypted additional data into the lower n bits of the target pixel. When the receiver owns the private keyskand the hidden key_k2of the data hider, the homomorphic subtraction in ciphertexts is used to extract the encrypted information, which is then decrypted byskand the additional data are restored by_k2. When the receiver only has the private keyskof the image owner, a directly decrypted image containing additional data can be obtained. When has the private keysk, the self-embedded key_k1, and the hidden key_k2, the receiver can extract additional data after decryption and restore the cover image losslessly.

3.2. Room Reserving

3.2.1. Image Partition

Before the cover image is segmented, the pixel values of the image must be encoded to the points of the elliptic curve. Then, it can be encrypted using EC-EG. The grayscale image has a pixel value between 0 and 255. It is necessary to map the pixel values one by one to the points on the elliptic curve. The image owner divides the cover image into three non-overlapping blocksA,B,C , as shown in Figure 4.

3.2.2. Self-Reversible Embedding

Self-reversible embedding is to embed all bits of the target pixels in A, n LSBs of the reference pixels in A and the LSB in B into C through the PEE algorithm._{Ar_map}is the set of locations of reference pixels in A, and the image owner sends n and_{Ar_map}as shared parameters to the data hider and receiver. More importantly,L_mapis scrambled by the self-embedding key_k1, and is embedded into B by replacing the LSB for data extraction and image recovery to achieve complete reversibility.

3.2.3. Vacating Room

After self-reversible embedding, all bits of the target pixels_Ptand n LSBs of the reference pixels_prare saved in C. The image owner sets n LSBs of the reference pixels_Prto zero, and then the additional data are embedded into n LSBs of the target pixels_Pt that have been set to zero by homomorphic addition in ciphertexts. This operation can also avoid overflow when embedding data into the encrypted domain. Figure 5 describes the proposed scheme more intuitively.

3.3. Image Encryption

After vacating room, the image owner randomly selects an integer_ri,j,i=1,2,⋯,M,j=1,2,⋯,Nfor each pixel_pi,j, and encrypts the image with the public keypkto obtain the ciphertexts.

M(_CPi,j′ )=(_C1i,j ,_C2i,j )=(_ri,jG,M(_Pi,j′)+_ri,jpk)

3.4. Construction of Mirroring Central Ciphertext

As shown in Figure 5, the image owner constructs the MCC by replacing the ciphertexts of the target pixels with the ciphertext of the reference pixel, which is_Ct′=_Cr. In a square grid, all target pixels become mirror of the reference pixel. All target pixels have the same ciphertext and the n LSBs that have been set to zero as the reference pixels.

3.5. Data Hiding

The data hider first scrambles the extra information with the hidden key_k2. Then, it groups the scrambled additional data w, and each group has n bits, which is recorded as_w0,_w1,⋯,_wn−1. From this, the decimal value of each dataset can be calculated as:

_Sw=∑i=0n−1_wiײⁱ,(_Sw=0,1,⋯,²ⁿ−1)

To enhance confidentiality, the data hider can choose a random integer_rSw (_rSw <n)for each_Swand encrypt it with EC-EG to get the ciphertext_CSw .

M(_cSw )=(_rSw G,M(_Sw)+_rSw pk)

According to the method of room reserving, the encrypted image is divided into non-overlapping_AE,_BE,_CE. The data hider embeds additional data into the encrypted domain as following:

M(_ct″)=M(_ct′)+M(_cSw )=(_rtG,M(^t′)+_rtpk)+(_rSw G,M(_Sw)+_rSw pk)=M(^t′)+_rtpk+M(_Sw)+_rSw pk−sk_rtG−sk_rSw G=M(^t′)+M(_Sw)

Among them,_ct″is the encrypted target pixel with hidden data. Suppose that a group contains 3 bits of data, which aren=3,(_{w0 w1 w2})=(100). Then, we can calculate_Sw=1,_cSw =E(1,_rSw ) . As shown in Figure 5e, the data hider performs homomorphic addition in ciphertexts to embed 3 bits of additional data into the correspondingMCC[_ct′=E(160,_rr),_cr=E(160,_rr)], and then obtains the corresponding_ct″=E(161,_rSw +_rr).

3.6. Data Extraction

3.6.1. Extract the Embedded Data from Encrypted Image

As shown in Figure 5h,i, when having the shared parameter n,_{Ar_map}, the private keyskand the hidden key_k2, the receiver extracts additional data from the received encrypted image with hidden data by using homomorphic subtraction in ciphertexts. The steps are as follows:

Step 1. The received image is divided into blocks in the same way as the process of room reserving. As shown in Figure 5e, the legal receiver extracts the square grid with hidden data.

Step 2. In the MCC, the encrypted target pixels with hidden data areM(_ct″)=M(_cr)+M(_cSw ).M(_CSw )is extracted by the homomorphic subtraction, which isM(_cSw )=M(_ct″)−M(_cr).

Step 3. UseM(_Sw)=M(_cSw )+_rSw pk−sk_rSw Gto decryptM(_CSw )toM(_Sw)and decode to get_Sw.

Step 4. The receiver can use_wi=_Sw ²ⁱ,i=0,1,⋯,n−1to get_w0,_w1,⋯,_wn−1, and then use the hidden key_k2to perform scrambling recovery. Finally, we can extract additional data.

3.6.2. Extract the Embedded Data from Decrypted Image

As shown in Figure 5f,g, when the receiver only has the private keyskof the image owner, a directly decrypted image with hidden data is obtained fromM(_Pi,j″)=M(_Ci,j″)+_ri,jpk−sk_ri,jG, where_Ci,j″is the ciphertexts with hidden data and_Pi,j″is the corresponding plaintexts with hidden data. According to the method of room reserving, the directly decrypted image is divided into three parts of_AD,_BD,_CD, andM(_Sw)=M(_Pt″)−M(_Pr″)can be obtained by plaintext subtraction in the target pixel pair of the square grid, where_Pt″and_Pr″ are the target pixels and reference pixels in the directly decrypted image, respectively. Finally, we can obtain additional data with the method in Steps 3 and 4 in Section 3.6.1.

3.7. Image Restoration

When the receiver has the private keysk, a self-embedded key_k1and the hidden key_k2, additional data can be extracted after decryption and the original image can be restored. The directly decrypted image is obtained by decrypting with the private keysk, and the directly decrypted image is divided into three parts of_AD,_BD,_CDaccording to the method of room reserving. Since the additional data are hidden in_Ptof_AD, the hidden key_k2can be used for scrambling recovery after the additional data are extracted. The receiver extracts self-embedded data from_BDand_CDto restore the original image.

L_mapis extracted from the LSB of_BD, and the self-embedded key_k1is used to scrambling recovery. Finally, according to the extraction step of the PEE, all the self-embedded data can be extracted from_CDand the data extracted from_CDis used to complete the recovery of the_AD. The original image of reversible recovery has thus been obtained.

4. Simulation Experiment and Theoretical Analysis 4.1. Analysis of Embedded Capacity and PSNR

The 8-bit gray-scale images of512×512 size were selected in the experiment conducted by Java8 and MATLAB R2015b. Peak signal-to-noise ratio (PSNR) was calculated by Equation (22), which is the most commonly used criterion for evaluating image quality after embedding data.

PSNR=10×_log10²⁵⁵²MSE

MSE is the mean square error between the cover image and the embedded image.

MSE=1M×N∑i=0M−1∑j=0N−1^{p(i,j)−c(i,j)2}

whereM×Ndenotes the size of the image,p(i,j)denotes pixel value of the cover image andc(i,j) denotes pixel value of the embedded image. Through the size of PSNR value, we can clearly know whether the image with hidden data will be observed by the naked eye. Table 1 shows the embedding capacity and PSNR values of the Lena image under different n. Under the same embedding capacity, the PSNR value increases correspondingly with the increase of n. However, when n = 4, the PSNR value of the image is instead decreased because the distortion introduced by constructing the MCC becomes large. Table 2 shows the PSNR values and embedding capacities of the four images with the optimal parametern=3. Moreover, the maximum size of images’L_map is shown in Table 3. Different stages of Lena, F-16, Man and Hill images using the proposed scheme are shown in Figure 6.

4.2. Performance Comparison

Currently, reversible data hiding in homomorphic encrypted image mostly utilizes the Paillier cryptosystem. Table 4 summarizes some of the literature on the reversible data hiding in encrypted image using homomorphic property. Li et al. [27], using VRAE; our scheme; and Xiang et al. [23], using VRBE, could keep the amount of data transmitted unchanged. All of the algorithms in Table 4 have separable properties. In our proposed scheme, after the space is reserved and encrypted, the MCC is constructed. The extra information is embedded into the bit plane of the corresponding plaintext by homomorphic addition. The receiver extracts extra information by homomorphic subtraction in ciphertexts. Zhang et al. [21] used WPC coding to perform two information embedding. The computational complexity isO(^k3) and k is the embedded capacity. Our algorithm and the one in [27] use homomorphic addition in ciphertexts to embed information. Xiang et al. [23] used Homomorphic multiplication in ciphertexts to embed information. The computational complexity of them isO(k).

Zhang et al. [21] combined WPC coding and Paillier homomorphic encryption to embed additional information into the corresponding bit plane of the ciphertext. In the encrypted domain, the embedded information is protected by the WPC encoding mechanism, and the receiver cannot extract the embedded information without the key. However, when the receiver receives the ciphertext image, the same method can be used to forge the information, and the original embedded information may be overwritten or replaced. Xiang et al. [23] used the homomorphic and probabilistic properties of Paillier encryption to protect the embedded extra information. In [27], a high-capacity RDH-HEI algorithm is proposed by using the SHE homomorphism. The image owner divides the image pixels into groups of three, and then encrypts them with SHE, and the ciphertext expansion is small. The data hider sorts the absolute differences of each set of ciphertext pixels and generates an absolute difference histogram, embedding additional data by moving the ciphertext absolute difference histogram. The proposed scheme uses the homomorphic addition feature of EC-EG to protect the embedded extra information. When there is no shared parameter, the receiver cannot find the ciphertext embedded with the information, let alone extract, tamper or replace the additional information.

Figure 7 shows the PSNR performance comparison between the proposed scheme and the ones in [21,23,27]. The method in [27], the data are first embedded into the pixel position close to the peak. The method is that three encrypted adjacent pixels are selected as a group, and each group calculates two absolute differences, which are sorted according to the sum of two absolute differences of each group. The image distortion is reduced, thus its performance is generally higher than the scheme in our paper. The method in [21] uses the histogram shrinking to reserve the embedding space. However, the distortion caused by this method increases with the increase of the embedding capacity. The method in [23] is the same as the one in [21]. As the embedding capacity increases, the number of histogram shifts increases when the data are self-embedded. In addition, the distortion introduced by constructing MCGs is also getting larger and larger, which leads to faster performance degradation of the algorithm. In general, the performance of our scheme is better than the one in [21,23] when the embedded capacity is high.

4.3. Analysis of Security

On the one hand, the additional data after encryption are embedded in the bit plane of the target pixel and are protected by the EC-EG homomorphic property. On the other hand, in the existing public key cryptosystem, the one with the highest encryption strength per bit is the difficulty of the ECC math problem, thus it is safe to encrypt images with EC-EG compared to using Paillier to encrypt images. At present, the method to attack the discrete logarithm problem on ECC is only the baby step giant step (BSGS), and its computational complexity isO(exp(log_Pmax))._Pmaxis the maximum prime factor of the order of the exchange group composed of ECC. At the same time, different elliptic curves can be obtained by changing the parameters. Therefore, ECC has a rich group structure and multiple selectivity, and can be flexibly applied.

To verify the theoretical security of EC-EG encryption, the method of statistical analysis can test the anti-attack performance of encryption algorithm in chaos and diffusion from different angles. For this reason, we specify it from three aspects: histogram analysis of encrypted image, correlation analysis of adjacent pixels and information entropy analysis [28].

4.3.1. Histogram Analysis of Encrypted Image

The histogram of the encrypted image should be uniformly distributed, which is obviously different from the histogram of the original image. In mathematical calculation, the variance of encrypted image is much smaller than that of original image. Ifhis_ti(i=0,1,⋯,255)represents the histogram of an image, the equation for calculating the variance is:

S=1256∑i=0255(his_ti−1256∑i=0255his_ti)

The histograms and variances of the images in Figure 6a,b,f,g,k,l,p,q are shown in Figure 8, in which the histogram of the encrypted image is evenly distributed.

4.3.2. Correlation Analysis of Adjacent Pixels

To test the correlation of two pixels that are vertically adjacent, horizontally adjacent, and diagonally adjacent, the following test was performed. In order not to lose generality, we used a random function to select any 1000 pairs of adjacent pixels in the image. The correlation coefficient of the original image should be close to 1, and the correlation coefficient of the encrypted image should be much smaller than 1, indicating that the correlation between the cover image and the encrypted image is completely separated. The correlation coefficient(_rxy∈[−1,1])(−1 indicates a negative correlation, and 1 indicates a positive correlation) of the adjacent pixels of the image is:

_rxy=cov(x,y)D(x)D(y)

In Equation (25),

E(x)=1N∑i=1N_xiD(x)=1N−1∑i=1N(_xi−E(x))cov(x,y)=1N−1∑i=1N(_xi−E(x))(_yi−E(y))

In the above equation, the gray values of two adjacent pixels of the image are represented by x and y, respectively. Table 5 shows adjacent pixel correlation coefficients of the images in Figure 6a,b. The adjacent pixel correlation of the encrypted image is much smaller than the original image. Besides, horizontal adjacent pixel correlation scatter plot of the images in Figure 6a,b,f,g,k,l,p,q are draw in Figure 9. The pixels of the encrypted image exhibit irregular characteristics.

4.3.3. Information Entropy Analysis

If there is L kinds of gray values_mi(i=0,1,⋯,L−1)in an image, and the probability of occurrence of each gray value isp(_mi)(i=0,1,⋯,L−1), according to the theorem of Shannon, the information amount of the image is

H(m)=−∑i=0L−1p(_mi)_log2p(_mi),∑i=0L−1p(_mi)=1

where H is the information entropy of an image. When the probability of occurrence of each gray value in the image is equal, the information entropy of the image is the largest, and the information entropy indicates how much information is contained in one image.

The information entropy of the image can measure the distribution of the gray value. The result shows that the larger is the information entropy, the more consistent is the gray distribution. For an ideal random image, the information entropy is equal to 8. In Table 6, the experimental results confirm the conclusion of theoretical analysis. Below, we briefly prove it.

Theorem 2.

For information entropy H, there isH(m)≤8.

Proof of Theorem 2.

The known power mean inequality is

_{a0p0 a1p1} ⋯_aL−1pL−1 ≤_{p0 a0}+_{p1 a1}+⋯+_{pL−1 aL−1}

In the inequality in Equation (28), the range of_piis0<_pi<1(i=0,1,⋯,L−1) , and satisfies Equation (29).

∑i=0L−1p(_mi)=1

If and only if_a0=_a1=⋯=_aL−1 is established, the equal sign in the inequality in Equation (28) is established. When_pi=1/L(i=0,1,⋯,L−1) , the following geometric-arithmetic mean inequality is obtained from Equation (28).

_{a0 a1}⋯_aL−1L≤_a0+_a1+⋯+_aL−1L

According to the logarithmic nature of Equation (27), we can calculate the following.

H(m)=∑i=0L−1_log2 ^{(1p(_mi))p(_mi)}=_log2^{(1p(_m0))p(_m0)} _log2 ^{(1p(_m1))p(_m1)}⋯_log2 ^{(1p(_mL−1))p(_mL−1)}

Then, we apply Equation (28) to Equation (31).

H(m)≤_log2p(_m0)×1p(_m0)+p(_m1)×1p(_m1)+⋯+p(_mL−1)×1p(_mL−1)=_log2L

When the gray levelL=256=²⁸, Theorem 2 is established. According to∑i=0L−1p(_mi)=1and_a0=_a1=⋯=_aL−1, the equal sign in Theorem 2 is established atp(_mi)=1/256(i=0,1,⋯,255). □

5. Conclusions The scheme in this paper uses the method of constructing MCC after EC-EG encryption to perform reversible data hiding in encrypted image. The scheme realizes the separation of additional data extraction and cover image restoration, and improves the embedding capacity under the premise of completely recovering the cover image. The experimental results show that the PSNR value of the scheme is improved in the image due to the self-embedded data by PEE algorithm. The main contributions of this paper can be summarized as follows:

• A novel method of reversible data hiding in homomorphic encrypted image based on EC-EG is proposed.
• By constructing MCC, the embedded capacity is improved.
• By performing histogram analysis of encrypted image, correlation analysis of adjacent pixels and information entropy analysis, we proved the statistical security of the encryption scheme in this paper.
• However, the method of vacating room before encryption increases the risk of plaintext leakage. Therefore, it should be improved in the future to be a reversible data hiding scheme in homomorphic encrypted image that does not require preprocessing of plaintext.

Author Contributions

Conceptualization, N.Z. and M.Z.; methodology, N.Z.; software, H.W.; validation, M.L.; formal analysis, Y.K.; investigation, N.Z. and M.L.; resources, M.Z.; data curation, N.Z. and H.W.; writing-original draft preparation, N.Z.; writing-review and editing, M.Z. and X.A.W.; visualization, H.W.; supervision, M.Z. and X.A.W.; project administration, M.Z. and X.A.W.; funding acquisition, M.Z. and X.A.W.

Funding

This research was funded by National Natural Science Foundation of China under grant number 61872384, 61772550, U1636114, and 61572521, National Cryptography Development Fund of China under grant number MMJJ20170112, Natural Science Basic Research Plan in Shaanxi Province of China under grant number 2018JM6028, and National Key Research and Development Program of China under grant number 2017YFB0802000.

Acknowledgments

The authors gratefully acknowledge the helpful comments and suggestions of the reviewers.

Conflicts of Interest

The authors declare no conflict of interest.