Abstract
Reversible Data Hiding (RDH) schemes have recently gained much interest in protecting the secret information and sensitive cover images. For cloud security applications, the third party’s data embedding can be done (e.g., cloud service). In such a scenario, to protect the cover image from unauthorized access, it is essential to encrypt before embedding it. It can be overcome by combining the RDH scheme with encryption. However, the key challenge in integrating RDH with encryption is that the correlation between adjacent pixels begins to disappear after encryption, so reversibility cannot be accomplished. RDH with elliptic curve cryptography is proposed to overcome this challenge. In this paper (ECC-RDH) by adopting additive homomorphism property; the proposed method, the stego image decryption gives the sum of the original image and confidential data. The significant advantages of this method are, the cover image is transferred with high security, the embedding capacity is 0.5 bpp with a smaller location map size of 0.05 bpp. The recovered image and secrets are the same as in the original, and thus 100% reversibility is proved.
Keywords
Introduction
The emergence of communication networks leads to security and privacy issues. Hence the concepts of cryptography and steganography emerge. The cryptography-based system may not leak the messages but at least reveals the message’s presence. But comparing with this, method steganography covers the secret in a digital cover. Therefore, the existence of the secret is hidden by the cover object. The adaptive embedding algorithm is adopted to ensure the correctness, and embedding capacity is improved with good statistical analysis [1]. A channel-dependent payload separation approach based on amplifying channel alteration is proposed for a colour image [2]. Many unique images, such as medical image, military image, and law forensics, are so precious that they cannot be harmed while the secret is embedded. Hence reversible data hiding is used by many researchers in the field of information security.
Reversible data hiding (RDH) invisibly hides the data into a cover in a reversible manner, and the cover and secret data both can be restored completely [3–10]. Hence the RDH algorithms can be found in many applications, which need reversibility when real constancy is required, e.g., for healthcare and army image processing. The various traditional RDH techniques have been suggested in the literature for more than one decade. The RDH method using additive spread spectrum techniques is introduced in [3]. In [4, 5], the compression techniques are used for data embedding by slightly modifying the pixels grayscale value [6, 7]. In [8], pixel difference histogram is used for data embedding instead of pixel value histogram. In [9], the images are divided into several non-overlapping blocks, and then in each block, the highest and the lowest pixel value are predicted to embed the data [6, 7]. After data embedding, the reversibility is assured by maintaining the pixel value in each block. In [10], the reversible data hiding is applied in the 3D mesh. All these above mentioned RDH algorithms are implemented only on plain image, not in an encrypted image. But some applications require cloud services for data embedding; in these circumstances; the cover image is not secured.
To protect both cover and confidential data, the research on embedding data in encrypted domain received attention nowadays because it is instrumental in cloud computing and numerous for safeguarding confidential data. Zhang [11] suggested a new RDH technique in an encrypted domain, in which the encrypted image is split into multiple non-overlapped blocks. The additional information is then embedded by flipping three LSB bits of the arbitrarily chosen pixels in a block. By utilizing the special correlation between the pixels, the original image and confidential data are restored at the receiver side.
Hong et al. [12] improved Zhang’s [11] technique by taking advantage of the spatial relationship of adjacent blocks boundary and the block smoothness. In [13] Further, these methods [11, 12] are improved by reducing the bit error rate. And this method is implemented by using block complexity and side-match technique. The block complexity is calculated by finding the absolute mean difference of pixels with their neighbouring pixels. In [14], the RDH method in an encrypted image is implemented using a compression technique. In these methods [11–14], the secret data extraction and image recovery are made simultaneously and in the same place. It cannot be separable, but some applications needed image recovery and secret data extraction as a separate process.
Several separable RDH techniques have been projected to support the applications based on separable circumstances. Zhang introduces the separable RDH method in [15]. In this method, the room is created for information hiding in an encrypted image by compressing its LSB bits. Later, the original image and secret data are restored independently using an image’s spatial correlation and embedding key. Similarly, the room is allocated in an image for data embedding before image encryption in the methods [16, 17]. In [18], a new technique for separable RDH is introduced by using prediction error. It contains four phases: encryption, information hiding, secret extraction, and cover the recovery phase; all these phases have been implemented separately.
In [19] stream cipher is used for cover encryption, and data hider embeds the secret information into an encrypted cover without knowing the cover image. An innovative separable RDH algorithm is proposed in [20] using pixel value ordering and additive homomorphism. Without any pre-processing procedures [21], in fully homomorphic encryption data can be embedded. By comparing with other works, the pre-processing process is neglected before encryption operation, whereas, in the encryption domain, the data is embedded. Elliptic curve homomorphic encryption is used to separate the image decryption and secret extraction process [22].
Though the methods [11–13] can hide the secret information in a cipher image, these methods cannot give 100% recovery of the host image. Also, it cannot retrieve the confidential information with 100% accuracy. Though [15–24] methods are separable; their embedding capacity is minimal. Xin Liao [25] proposed a reversible data hiding by utilizing compressive sensing and DFT. By experimental cropping analysis, the embedded data can reconstruct its original figure entirely by compressive sensing. But the decrypted image quality is not good enough.
Compression and encryption are performed by block compressive sensing techniques, and additional data is embedded into LSB by data hiding key [26]. This technique’s drawback is the distortion of images, which is not acceptable for digital medical images. The block pixel difference histogram is used in [27] for data hiding; it has low embedding capacity. The two-level embedding is used in [28] for increasing the embedding capacity.
The proposed ECC-RDH gives 100% image recovery and lossless secret data extraction in a highly secured manner using elliptic curve cryptography. The main highlights of the proposed work can be described as follows: The encrypted images of the proposed (ECC-RDH) method’s histograms are equally distributed; the entropy values are significantly closer to the bits used to represent the image. The correlation coefficient is significantly less; hence, a statistical attack on the encrypted image is challenging. Higher embedding capacity of 0.5 bpp with a smaller location map size of 0.05 bpp can be made adaptive for real-time cloud related applications. The recovered image and secrets are the same as in the original, and thus 100% reversibility is proved.
This research paper is structured as follows. The Elliptic Curve (EC) over the Finite field and its homomorphism are briefly discussed in section 2. The ECC-RDH method is explained in section 3. The experimental outcomes are described in section 4. Section 5 compares the ECC-RDH approach with different RDH methods in an encrypted domain, and a summary of the findings is given as the conclusion in section 6.
Elliptic Curve (EC) over Finite field Fp and additive homomorphism
The elliptic curve ‘E’ over prime finite field Fp is defined by an Equation (1).
Here, ‘y, ‘x, ‘a’ and ‘b’ are within Fp. The coefficients ‘a’ and ‘b’ are the characteristic coefficients of the curve. These coefficients are used to generate the curve points, and they must satisfy the Equation (2).
The basic operations on elliptic curve points are point addition and point doubling. Consider the two distinct Points P = (Px, Py), Q = (Qx, Qy). Let R = P + Q where R = (Rx, Ry), and this R can be calculated by using Equations (3) to (5). Point doubling can be implemented by adding two same points(R = P + P) using Equation (6).
Adding any point to the infinity point, ‘O’ yields the same point (R = O + P = P) and adding any point with its inverse yields infinity (Q + (-Q) = O). The inverse of point ‘Q’ is (Qx, -Qy). The subtraction (R = P - Q) can be done by adding the inverse point of Q with P. Point multiplication can be done by repeated addition.
Additive homomorphism is proposed in [24] and proved while decrypting the sum of encrypted points, which will give the sum of plain points be done by adding an inverse point of Q with P. Point multiplication can be done by repeated addition. i.e.,
DE(EN(P) + EN(Q) + EN(R) + EN(S) + ...) = (P + Q + R + S ...) where P, Q, R, and S are plain points on the elliptic curve. For encryption and decryption, the public key is constructed as per Equations (7) and (8),
The cipher point CP can be decrypted by using the Equation (10).
Additive homomorphism for ECC is shown in (11) and (12).
This additive homomorphic property is used to embed secret data in the proposed method’s encrypted image by adding an encrypted image and encrypted secret data. When decrypted, the sum of the plain image and the secret data are obtained, then the image and the secret data are separated without any loss.
In this section, the proposed ECC-RDH is described for lossless data hiding in cipher image using additive homomorphism of elliptic curve cryptography (ECC). The overall view of the ECC-RDH scheme is given in Fig. 1. It contains three phases. In phase I, the cover image is encrypted using ECC. In phase II, the information hider hides the encrypted secret data into the cipher image.

Overall view of the proposed method.
In phase III, the receiver restores the cover image and retrieves the encrypted secret data using additive homomorphism of ECC. In this ECC-RDH method, the information hider can hide the secret data without knowing the host image. The 4 bit 4×4 image in Fig. 2 and the elliptic curve E17(1, 5) in Fig. 3 are chosen to illustrate the ECC-RDH method.

4×4 image.

The Elliptic curve y2 mod17 = (x3 + 1x + 5) mod17.
The image encryption process contains four steps. In the first step, the image is modified so that the image is suitable for data embedding. In the second step, random numbers (Rai)are generated for image encryption. These random numbers and modified image pixel values (Moi) are mapped with elliptic curve(EC) points as (Rax, Ray) and (Mox, Moy) respectively; this mapping is shown in Fig. 4. In step three, random EC points (Rax, Ray) and pixel EC points (Mox, Moy) are encrypted using ECC. Finally, the encrypted random EC points (CRax, CRay) and encrypted modified pixel EC points(CPix, CPiy) are added to get the encrypted image.

The mapping between EC points and pixel values.
The image with size M×N is divided into several non-overlapping blocks with size G×H. Then each block contains
Suppose all the differences (Pi _ diff
j
) in each block are less than half the image’s maximum intensity value. In that case, that block is used for secret embedding as shown in Equation (14) because if it is greater than ‘max intensity/2’, then the pixels may go out of range while embedding the secret bit, hence the threshold value of Pi _ diff
j
is ‘max intensity/2’. The blocks which are used for embedding is identified by the location map (LM).
The differences in the block used for embedding, are multiplied by 2, as shown in Equation (15). No changes are made in the blocks which are not used for embedding, as shown in Equation (16).
In the location map, the blocks used for secret embedding are identified by the bit zero. The bits followed by zero bit represent the position of the maximum pixel value of the secret embedding block. The blocks which are not used for embedding is identified by bit one.
Any elliptic curve, which can generate the number of points equal to the max intensity of image +1 is chosen for encryption. The random numbers are generated for the image size, and then these random numbers (Rai) and modified pixels (Moi) of the image are mapped with EC points (Rax, Ray) and(Mox, Moy), respectively.
The random number of EC points (Rax, Ray)and modified image EC points (Mox, Moy) are encrypted using ECC to get the encrypted random points (CRax, CRay) and encrypted modified pixel points (CPix, CPiy) as shown in Equation 17 and 18.
The encrypted random points and encrypted modified image points are added to get the original encrypted image points (CIx, CIy) using Equations (19) and (20). Finally, these encrypted image points are mapped with pixel values. Figure 5 shows the overall image encryption process.

Image Encryption.
In phase II, the information hider hides the encrypted secret data into the cipher image using the following two steps.
The encrypted secret bits (CS) are mapped with the EC points (CSx, CSy). These EC points are again encrypted by using ECC as in Equation (21).
To get the stego point, the encrypted secret point as (CCSx, CCSy) is added with encrypted image point as (CIx, CIy), and the point not used for embedding is ignored as in Equation (22), and Fig. 6 shows the overall secret embedding process.

Data Embedding.
The overall data retrieval and image restoration process are shown in Fig. 7. It contains three steps. These three steps are explained as follows.

Encrypted secret data retrieval and image restoration.
The pixel which contains confidential data is decrypted using Equation (23), and the pixel which does not have secret information is decrypted using Equation (24).
After decrypting the points (Sx, Sy), the random number points (Rax, Ray) are subtracted from the decrypted points, which give the modified points with encrypted secret data, as shown in the Equation (25).
In this step, after subtracting a random point (Rax, Ray)from the decrypted point, the point obtained is mapped with the pixel value(Pival). After that, the secret bits (CS) are extracted by using Equation (26).
After extracting the private bits, the host image (I) is recovered using Equation (27).
The proposed method experiments with several grayscale images for the different block sizes; the results are shown for six standard 512×512 grayscale images shown in Fig. 8. For the block size 32×32, the corresponding encryption images are given in Fig. 9. These encrypted images are in unreadable form, hence getting original information from those images is very difficult.

Test images.

Encrypted Test images.
For the block size 32×32, the PSNR, correlation, and entropy value of the proposed methods are given in Table 1. The PSNR value is calculated using Equations (28) and (29) and the values are less than 10 dB, the correlation coefficients are also lower, and the entropy values are closer to 8 as shown in Table 1, it reveals that the content of the original image is tough to retrieve. Figure 10 shows the cover images’ histogram, whereas Figs. 11 and 12 show the cipher images’ histogram and recovered images, respectively. The cipher image histograms are uniformly distributed; hence identifying the original image is very difficult from the cipher image. Thus, the results show that the proposed method can resist statistical attacks. The histograms of the recovered images are similar to cover images. These results prove the lossless recovery of the original image.

Histograms of the test images (a) Lena; (b) Airplane; (c) Barbara; (d) Baboon; (e) Pepper; (f) Boat.

Histograms of the encrypted images (a) Lena; (b) Airplane; (c) Barbara; (d) Baboon; (e) Pepper; (f) Boat.

Histograms of the recovered images (a) Lena; (b) Airplane; (c) Barbara; (d) Baboon; (e) Pepper; (f) Boat.
Encrypted images PSNR, correlation coefficients, and entropy for 32×32 block size
Figure 13 shows the various images’ embedding capacity with different block sizes, and Fig. 14 shows the location map size. If the block size is small, then the correlation between the maximum pixel value and the remaining pixel values is high; hence many blocks are used for embedding. It increases the embedding capacity and also increases the location map size. If the block size is large, then the correlation between the maximum pixel value and the remaining pixel values becomes low; this decreases the embedding capacity and reduces the location map size. Hence the block size must be moderate. For example, Lena’s maximum embedding capacity with a smaller block size 4×4 is 242835 bits, and the location map size is 81140 bits. For the larger block size 128×64, the embedding capacity is 24573 bits, and its location map size is 71 bits. For the moderate block size 32×32, the embedding capacity is 152427 bits, and its corresponding location map size is 1746 bits. Depending on the block size, the embedding capacity and location map size vary, as shown in Figs. 13 and 14. These results prove that the proposed method yields adequate embedding capacity with the location map’s smaller size.

Capacity for various block size.

Location map range for various block size.
Table 2 shows the feature comparison between the proposed method and several existing RDH methods [11–13, 18] to the error rate in data extraction and image recovery. All these five methods have recovered the images with errors, and the methods [11–13] are extracting the secret data with errors. Still, the ECC-RDH process restores the images and retrieve the confidential data without any error. Hence, the proposed ECC-RDH method can be recommended for real-time applications like military, secret communication, image authentication, e-government, medical data transmission, law enforcement, etc. Even though the proposed method is non-separable, the receiver can extract only the encrypted secret data. But the confidential data cannot be decrypted without a decryption key; hence, data can be transferred in a highly secure manner.
Feature comparison with existing methods
Feature comparison with existing methods
Embedding capacity and Average Embedding Rate comparison with the existing method
Figures 13 and 14. Show the proposed method yields a better result for 32×32. Therefore, Table 3 compares the proposed method and other RDH methods concerning the embedding capacity for block size 32×32. Compared to all these methods [12, 20], the proposed method provides excellent embedding capacity. This high embedding capacity is needed in many real-time applications like military and medical, etc.; hence, our proposed method can play a vital role in these applications. In Fig. 15, the PSNR value of the directly decrypted Lena image is compared to the existing methods for various embedding capacity. In the noise-free channel, the PSNR value of the proposed method is infinite.

The PSNR value of the directly decrypted Lena image.
A novel ECC-RDH method has been proposed for lossless data hiding in the cipher image using elliptic curve cryptography. In this method, the information hiding system can hide the encrypted information in the cipher image without knowing the original image. Three phases, namely image encryption, data hiding, and image recovery & data extraction, have been implemented. Experimental analysis shows that the proposed methodology has achieved 8.9288 dB as average PSNR, approximately zero correlation coefficient, and entropy value closer to 8. These results prove that the encrypted image’s statistical attack is very difficult; hence, the proposed method can give high security for the cover image.
On the other hand, the cover image’s PSNR value after secret extraction is infinity, which shows the ECC-RDH method can restore the cover image in a lossless manner. Further, this method can extract confidential data with zero MSE. It can accomplish a higher embedding capacity 0.5 bpp bits with a smaller location map size of 0.005 bpp, which can be made adaptive for real-time cloud related applications.
