
Chapter 2 Reversible JPEG Data Hiding with High Hiding

2.5 Summary

This chapter proposes a reversible JPEG hiding method with high hiding capacity and high hiding ratio. The secret data are embedded in a JPEG code. In decoding, after lossless extraction of the secret data, the original JPEG code is reconstructed.

From Tables 2.1-2.2 and Figures 2.4-2.5, the proposed method outperforms the related JPEG hiding methods [12,15,17,18] in terms of hiding capacity, hiding ratio, and stego-image quality. Reversibility allows the reconstructed JPEG code to be used many times without any degradation.

Figure 2.3. Images decompressed from JPEG codes. (a) The 41.75-dB image Lena decompressed from the JPEG-Q85 code without any hidden secret. (b) The 39.12-dB stego-image Lena decompressed from our JPEG stego code. (c) The 41.75-dB decrypted-decompressed image Lena derived from our JPEG stego code. (d)-(f) Same as (a)-(c) except that the image Lena is replaced by Jet, and the PSNRs of (d) to (f) are 41.15 dB, 38.75 dB, and 41.15 dB, respectively.

Figure 2.4. Comparisons between Chang et al.’s method [18] and ours when the two parameters are Nbit=2 and NQC=16. The comparisons are (a) hiding capacity, (b) hiding ratio, (c) stego-image quality, and (d) average length of the JPEG stego codes.

Figure 2.5. Same as Figure 2.4 except that the two parameters are Nbit=1 and NQC=10.

Figure 2.6. Results of Chi-square analysis: (a) the image Lena without any hidden secret; (b) the stego-image Lena generated using the LSB substitution method; (c) the stego-image Lena decompressed from our JPEG stego code after a secret of size 253,952 bits is hidden; (d)-(f) the results of Chi-square analysis of the pixels in (a), (b), and (c), respectively.

Figure 2.7. Results of StegDetect analysis: (a) the cover image Lena decompressed from the JPEG-Q85 code without any hidden secret; (b)-(d) the stego-images decompressed from the JPEG stego codes of JPHide [10], JSteg [12], OutGuess [11], respectively; (e)-(l) the stego-images decompressed from our eight JPEG stego codes, respectively; (m) the results of StegDetect analysis of the twelve JPEG codes, the decompressed images of which are in (a)-(l).

Table 2.1. Comparisons of hiding capacity, hiding ratio, and stego-image quality among the related JPEG hiding methods [12,15,17] and ours when the grayscale image Lena is compressed using JPEG with QF=85.

Scheme (Nbit, NQC) Capacity

Table 2.2. Same as Table 2.1 except that the image Lena is replaced by Jet.

Scheme (Nbit, NQC) Capacity

Table 2.3. Our hiding capacity, hiding ratio, and stego-image quality when the grayscale image Lena is compressed using JPEG with QF=75.

(Nbit, NQC)   Hiding capacity (bits)   Hiding ratio (%)   Stego-image quality (dB)
(1, 16)       65,536                   18.91%             38.56
(2, 16)       131,072                  28.56%             38.87
(3, 16)       163,840                  32.38%             38.94
(4, 16)       167,936                  32.81%             38.96
(1, 24)       98,304                   24.15%             37.09
(2, 24)       196,608                  35.76%             37.78
(3, 24)       262,144                  41.07%             37.91
(4, 24)       278,528                  41.96%             37.96
(1, 32)       131,072                  27.60%             34.48
(2, 32)       262,144                  40.59%             35.59
(3, 32)       360,448                  46.74%             35.95
(4, 32)       405,504                  47.40%             35.81

Chapter 3

Multi-Threshold Progressive Image Sharing with Compact Shadows

This chapter proposes a multi-threshold progressive reconstruction method. An important image is encoded three times using JPEG: first with a low-quality factor, then with a medium-quality factor, and last with a high-quality factor. Huffman coding is employed to encode the difference between the important image and the high-quality JPEG decompressed image. The three JPEG codes and the Huffman code are shared, respectively, according to four pre-specified thresholds. The n generated equally important shadows can be stored or transmitted using n channels in parallel.

Cooperation among these shadows can progressively reconstruct the important image.

The reconstructed image is loss-free when the number of collected shadows reaches the largest threshold. Each shadow is very compact and so can be hidden successfully in the JPEG codes of cover images to reduce the probability of being attacked when transmitted in an unfriendly environment. The proposed scheme is easier than the progressive image sharing schemes [27-30] to apply to scalable Moving Picture Experts Group (MPEG) video transmission [49,50], and the shadows herein can resist differential attack [51-53]. Comparisons with other image sharing methods are also made. The rest of this chapter is organized as follows. Section 3.1 reviews related works. Section 3.2 presents the proposed scheme. Section 3.3 reports the experimental results and makes comparisons with other methods. Section 3.4 discusses security.

Last, Section 3.5 summarizes this chapter.

3.1 Related Works

3.1.1 Secret Image Sharing Method of Thien and Lin

Thien and Lin [21] propose a (k, n) threshold method for splitting a grayscale secret image into n shadows. First, all of the gray values between 251 and 255 in the secret image must be truncated to 250 because the arithmetic operations in Eq. (3.1) are modulo 251. They then use a key to permute the pixels of the secret image, and the permuted image is partitioned into several sectors of k pixels each. For each not-yet processed sector, define a polynomial

$$f(z) = r_0 + r_1 z + r_2 z^2 + \cdots + r_{k-1} z^{k-1} \pmod{251}, \qquad (3.1)$$

where $r_0$ to $r_{k-1}$ are the k pixel values. The n values f(1), f(2), …, and f(n) are calculated and then attached to the n shadows.

After all sectors have been processed, the n shadows are generated. Since every k pixels in the secret image contribute a single pixel to each of the n generated shadows, each shadow size is 1/k of the secret image size. In collecting at least k shadows, Thien and Lin take the first not-yet-used pixel from each of the k shadows and use these k pixel values f(z1), f(z2), …, and f(zk) to evaluate the k coefficients in Eq. (3.1) for the first sector by reconstructing the (k–1)-degree polynomial f(z) as

2 3

By processing all pixels of the k shadows in order, they obtain the permuted image, which is then de-permuted to reveal the secret image.

An example is presented in the following. To divide k=2 pixel values 100 and 200 into n=3 shadows, Eq. (3.1) is used to compute the three shadows: f(1) = (100+200×1) mod 251 = 49; f(2) = (100+200×2) mod 251 = 249; and f(3) = (100+200×3) mod 251 = 198. Later, if two shadows f(1)=49 and f(3)=198 are received, Eq. (3.2) is used to reconstruct the polynomial as f(z) ≡ f(1)×(z–3)/(1–3) + f(3)×(z–1)/(3–1) ≡ 49×(z+248)/249 + 198×(z+250)/2 ≡ 49×(z+248)×125 + 198×(z+250)×126 ≡ 100 + 200z (mod 251). The original pixel values, 100 and 200, are therefore obtained.

3.1.2 Galois Field

A Galois field (GF) is a finite field of $p^t$ elements with addition (+) and multiplication (×) operations that satisfy commutative, associative, and distributive laws where p is a prime number and t is a positive integer. The arithmetic over GF(p) is generally the same as modulo p, and therefore Thien and Lin [21] use a Galois field with $p^t = p^1 = p = 251$ elements. The proposed method employs a Galois field with $2^t$ elements, and arithmetic over GF($2^t$) is based on the representation of each element in GF($2^t$). An element in GF($2^t$) is generally represented using a polynomial-basis representation, as a binary polynomial of degree less than t. The t-tuple of coefficients of the binary polynomial corresponds to the binary representation of an integer between 0 and $2^t - 1$. where ⊕ is the exclusive-or (XOR) operator. For the subtraction, because each element in GF($2^t$) is its own additive inverse, the subtraction of B from A is defined as

1

The multiplication and division involve a primitive polynomial P(X) where P(X) is a t-degree irreducible polynomial (i.e., it has no nontrivial factors). To multiply A by B, the remainder $C(X) = c_{t-1}X^{t-1} + \cdots + c_1 X + c_0$ is computed in a long division, defined by

$$C(X) = A(X)\,B(X) \bmod P(X), \qquad (3.5)$$

where the operations of the binary coefficients in the polynomial multiplication and in the mod P(X) operations are all modulo two such that all the resulting coefficients are still in {0, 1} and therefore binary. After the binary polynomial $C(X) = c_{t-1}X^{t-1} + \cdots + c_1 X + c_0$ has been determined using Eq. (3.5), the multiplication of the two t-bit binary elements A and B in GF($2^t$) is defined as

The quality factor QF∈{0,1,…,100} in JPEG is used to control image quality. To reconstruct an important image with various quality levels based on the number of received JPEG stego codes, a low-quality factor QFL∈{0,1,…,5}, a medium-quality factor QFM∈{10,11,…,25}, and a high-quality factor QFH∈{55,56,…,85} are used to generate, respectively, a low-quality JPEG code s1, a medium-quality JPEG code s2, and a high-quality JPEG code s3. The quality levels of the JPEG images q1, q2, and q3 decompressed from the codes s1, s2, and s3, respectively, are around 18-28 dB, 30-34 dB, and 36-40 dB. To reconstruct the important image without error, a difference image q4 is created by subtracting from the important image the high-quality JPEG image q3 decompressed from the high-quality JPEG code s3. The difference image q4 is compressed using Huffman coding to generate the Huffman code s4. Last, based on the five user-defined integer parameters 2≤k1<k2<k3<k4≤n, the generated codes s1, s2, s3, and s4 are shared according to Eq. (3.7).

As shown in Figure 3.1, the proposed [(k1, k2, k3, k4), n] threshold scheme comprises four phases: (1) codes generation, (2) sharing, (3) shares combining, and (4) data hiding. The [(k1, k2, k3, k4), n] threshold sharing algorithm is summarized here:

The [(k1, k2, k3, k4), n] threshold sharing algorithm

Input: An important image; five positive integer parameters k1, k2, k3, k4, and n, where 2≤k1<k2<k3<k4≤n; n cover images.

Output: The n JPEG stego codes.

Step 1a: Compress the important image using JPEG three times (with quality factors of QFL, QFM, and QFH, respectively), yielding a low-quality JPEG code s1, a medium-quality JPEG code s2, and a high-quality JPEG code s3.

Step 1b: Compute the difference image q4 by subtracting from the important image its high-quality JPEG image q3 decompressed from the JPEG code s3. Compress the difference image q4 using Huffman coding to create the Huffman code s4.

Step 2: For each code si (i=1,2,3,4), use Eq. (3.7) to split the code si into n shares.

Step 3: For each x=1,2,…,n, the x’th shadow is formed by binding together the x’th share of s1, the x’th share of s2, the x’th share of s3, and the x’th share of s4.

Step 4: Use the JPEG data hiding method in Chapter 2 to hide the n shadows in the n JPEG codes of the n cover images, respectively. (This generates n desired JPEG stego codes, and several JPEG stego codes together allow the important image to be viewed at certain quality levels.)

Note: In step 2 above, the code si is divided into sectors of ki bytes each. Each byte is treated as a number between 0 and 255. Our share-generating polynomial is

1

b i numbers of each sector, and the computations in Eq. (3.7) are over GF(256). Then, g(1) to g(n) are sequentially assigned to n shares. Since each sector of ki bytes contributes only a single byte [a value in the range 0 to 255 and determined by Eq. (3.7)] to each share of the code si, each share size is ki times

denotes the length of the code si. In step 4, to avoid attracting the attention of attackers, the n shadows are hidden in n JPEG codes.

3.2.2 Decoding

When any k1 of the n JPEG stego codes are received, the k1 shadows can be extracted from the k1 JPEG stego codes by inverse hiding. For each x=1,2,…,k1, the x’th shadow is partitioned to yield the x’th share of each code si (1 ≤ i ≤ 4). The k1 shares of the code s1 are used to reconstruct the low-quality JPEG code s1 using the Lagrange interpolation method. The reconstructed JPEG code s1 is then decompressed to yield the low-quality JPEG image q1, which is an approximate version of the original important image.

When k2 (or k3) JPEG stego codes are available, the reconstruction process is similar to that described earlier, and the reconstructed image q2 (or q3) will be of medium (or high) quality. Last, if at least k4 JPEG stego codes are received, the k4 shadows can also be extracted from the k4 JPEG stego codes by inverse hiding. Then, for each x=1,2,…,k4, the x’th shadow is divided to generate the x’th share of each code si (1 ≤ i ≤ 4). The k4 shares of the code s4 are used in inverse sharing to reconstruct the Huffman code s4 by Lagrange interpolation, and the reconstructed code s4 is then decompressed to generate the difference image q4. Adding the difference image q4 to the image q3 yields the error-free important image.

3.2.3 Example of Sharing and Inverse-Sharing Processes based on GF(256)

An example of the sharing and inverse-sharing processes based on GF(256) and $P(X)=X^8+X^4+X^3+X+1$ is presented. To partition ki=2 numbers 100 and 200 of 8 bits each into n=3 shares, Eq. (3.7) is used to compute the three shares: g(1) ≡ 100+200×1 ≡ 100+200 ≡ 172 [over GF(256)]; g(2) ≡ 100+200×2 ≡ 100+139 ≡ 239 [over GF(256)]; and g(3) ≡ 100+200×3 ≡ 100+67 ≡ 39 [over GF(256)]. When the two shares g(1)=172 and g(3)=39 are obtained, the two numbers 100 and 200 are revealed by Lagrange interpolation, as g(z) ≡ g(1)×(z–3)/(1–3) + g(3)×(z–1)/(3–1) ≡ 172×(z+3)/(1+3) + 39×(z+1)/(3+1) ≡ 172×(z+3)×141 + 39×(z+1)×141 ≡ 100+200z [over GF(256)].

3.3 Experiments and Comparisons

3.3.1 Experimental Results

The inequalities (k1=3)<(k2=4)<(k3=5)<(k4=6) and the irreducible polynomial $P(X)=X^8+X^4+X^3+X+1$ are used to generate n=6 shadows of the important image. The JPEG source code used in the experiments is taken from the fourth public release of the Independent JPEG Group's free JPEG software [43]. The quality of an image is measured by the PSNR.

In the first experiment, the 512×512 grayscale important image Lena, displayed in Figure 3.2, is encoded using JPEG with three quality factors QFL=5, QFM=25, and QFH=85. The four codes s1, s2, s3, and s4 have lengths 5,750, 13,787, 45,972, and 115,458 bytes, respectively. The six cover images Peppers, Jet, Boat, Lake, Baboon, and Zelda, shown in Figure 3.3, are all encoded using JPEG with QF=75 to hide the six shadows, and therefore generate the six JPEG stego codes. Figure 3.4 displays the n=6 images decompressed from our six JPEG stego codes without any extraction of the hidden shadows, and the PSNRs of the six decompressed images are 37.42, 37.41, 36.40, 34.39, 32.73, and 38.67 dB, respectively. When different numbers of JPEG stego codes are received, the reconstructed versions q1, q2, q3, and q4 of Lena are as plotted in Figure 3.5, and the respective PSNRs are 27.32, 33.67, 39.35, and ∞ dB.

In the second experiment, the important image is the 512×512 grayscale image Tiffany. The six shadows are generated and then remain hidden in the six JPEG codes generated in the first experiment. The PSNRs of the decompressed images from the six JPEG stego codes are 37.75, 37.70, 36.65, 34.61, 32.97, and 38.96 dB, respectively. (These values are a little better than the 37.42, 37.41, 36.40, 34.39, 32.73, and 38.67 dB values obtained in the first experiment.) For Tiffany, the PSNRs of the versions reconstructed using any three, four, and five JPEG stego codes are 28.37, 34.12, and 39.79 dB, respectively (these values are a little better than those, 27.32, 33.67, and 39.35 dB, for Lena). When six JPEG stego codes are collected, the reconstructed Tiffany is identical to the original Tiffany.

Last, Table 3.1 shows the bit rates [bits per pixel (bpp)] of the JPEG-Q75 codes created using JPEG with QF=75 before and after hiding our shadows. The bit rate will increase significantly after hiding a large-size secret. However, the bit rate of our JPEG stego code still falls in the reasonable range of JPEG, i.e., the bit rate of our JPEG stego code is smaller than that of the JPEG-Q95 code generated using JPEG with QF=95, as shown in Table 3.1. This alleviates the problem of code length. [The reason for using QF=95 as the upper bound to examine the bit rate of our JPEG stego codes is that, as stated in Kim et al.’s work [54], the general quality factors (QFs) used in digital cameras are between 90 and 95.]

3.3.2 Comparisons

Table 3.2 compares other sharing schemes [21,25-30] with ours in terms of shadow-size expansion, progressive ability, and lossless reconstruction ability. Each shadow in two of the related works [25,27] is four times larger than the original important image, indicating that size expansions occur. In contrast, each shadow in all of the associated works [21,26,28-30] and ours is smaller than the original important image. Although Thien and Lin [21], Tso [26], and Hung et al. [30] all shared the image without size expansion, Thien and Lin [21] and Tso [26] could not reconstruct the image progressively, whereas Hung et al. [30] could not reconstruct the image in an error-free manner. Only Chen and Lin [28], Wang and Shyu [29], and ourselves have achieved reconstruction with all three desired characteristics.

Among these three methods, as presented in Table 3.3, each shadow size herein (12.89% of 512×512 bytes) is smaller than those in Chen and Lin’s method [28] (22.22%) and Wang and Shyu’s [29] (50%). Therefore, the transmission time in the proposed method is less, and the survival rate in an unfriendly environment, in which the network connection time is unstable among the n channels used to store the n shadows, is increased. Equivalently, in the proposed method, the storage space in a distributed storage system is most reduced. The smaller size of the shadows also facilitates the hiding of shadows in stego media.

The construction of Table 3.3, which compares the shadow sizes among non-expanded schemes, is explained in the following. For fairness of comparison, the shadow sizes in Table 3.3 are all measured before hiding: all are shadow sizes, and none is a stego media size. This action eliminates the size-altering effects of particular post-processing (hiding) approaches. Assume that the important image is the 512×512 grayscale image Lena, and the (largest) threshold value is set to six for all schemes, except that Hung et al.’s scheme [30] uses five as the largest threshold value because their scheme did not provide a version with a threshold value being six. For each x=1,2,…,n, the four x’th shares are combined to form the x’th shadow, and therefore each shadow in the proposed method has size $\sum_{i=1}^{4} s_i/k_i$ = (5,750/3) + (13,787/4) + (45,972/5) + (115,458/6) = 33,802 bytes (which is 12.89% of the size of the 512×512 grayscale image Lena).

According to Table 3.3, the shadow sizes in the proposed method and Hung et al.’s [30] are more economical than those in the related works [21,26,28,29]. However, Hung et al.’s method [30] is not lossless when all shadows are collected. In fact, if the original important image can be satisfactorily reconstructed with some loss, then our step 1b can be omitted, such that no Huffman code s4 is generated. Then, each of our shadows can be reduced to $\sum_{i=1}^{3} s_i/k_i$ = (5,750/3) + (13,787/4) + (45,972/5) = 14,559 bytes (which is 5.55% of the size of the 512×512 grayscale image Lena). Restated, the size of each shadow in this lossy version is about half of that in Hung et al.’s scheme.

Moreover, in this lossy version, the total shadow size is 14,559×6=87,354 bytes, which is still smaller than 30,723×5=153,615 bytes obtained by Hung et al. [30].

When the five shadows are collected, the 39.35-dB Lena [identical to that in Figure 3.5(c)] is reconstructed, better than the 37.04-dB Lena revealed by Hung et al. [30].

Last, the size of each shadow in the proposed [(k1, k2, k3, k4), n] threshold scheme

= i. Therefore, it is suggested that the readers set the largest threshold k4 to n to save storage space. However, if the readers want to have more freedom, they may use their own choice of a threshold k4 being less than n, at the price of wasting space for the shadows. When k4 is less than n, a simulation is done in the following. Assume that n, the number of cover images, is at least six. In general, the smallest threshold k1 cannot be one because the purpose of sharing is that no participant alone can be trusted. Therefore, {1<k1=2<k2=3<k3=4<k4=5<n=6} is used to generate n=6 shadows, the size of which is then compared to those in the image sharing schemes [21,26,28-30] when the (largest) threshold value is set to five for all these schemes.

The comparison results are shown in Table 3.4. It is observed that each shadow in the proposed method is still smaller than those in the related works [21,26,28,29], and each shadow in our lossy approach is also smaller than that in Hung et al.’s lossy approach [30].

3.4 Security Discussion

The code si (1 ≤ i ≤ 4) cannot easily be revealed if fewer than ki shadows are intercepted. To determine the coefficients $b_0$ to $b_{k_i-1}$ in Eq. (3.7), ki equations are required. If only ki−1 equations are available [and without loss of generality, suppose that g(1), g(2), …, and g(ki−1) are intercepted], then the following ki−1 equations can be reconstructed:

The preceding ki−1 equations are solved for the ki unknown coefficients. The set of possible solutions has 256 members, so the probability of guessing the right solution is 1/256. Since si/ki sectors exist for the code si, the probability of obtaining the right code si is $(1/256)^{s_i/k_i}$. For example, for a low-quality JPEG code s1 of size 5,000 bytes, the number of sectors is 2,500 if k1 is 2. The probability of obtaining the correct JPEG code s1 is $(1/256)^{2500} = 10^{-6020}$.
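The sharing and inverse-sharing example of Section 3.2.3 and the counting argument above can both be checked in code. The following Python is an added example, not code from the thesis: it assumes the share polynomial g(x) = b0 + b1·x + … evaluated over GF(256) with P(X)=X^8+X^4+X^3+X+1 as in Section 3.2.3, and the function names and the zero-padding of the last sector are this example's own choices.

```python
# Added example (not the thesis author's code); names are this example's own.
P = 0x11B  # P(X) = X^8 + X^4 + X^3 + X + 1, as given on the page

def gf_mul(a, b):
    """Product in GF(256): carry-less multiply, reduced mod P(X) as it goes."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= P
        b >>= 1
    return r

def gf_inv(a):
    """Inverse as a^254, since a^255 = 1 for every nonzero element."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def share_sector(sector, n):
    """Evaluate g(x) = b0 + b1*x + ... at x = 1..n (Horner's rule)."""
    shares = []
    for x in range(1, n + 1):
        y = 0
        for b in reversed(sector):
            y = gf_mul(y, x) ^ b
        shares.append(y)
    return shares

def recover_sector(points):
    """Lagrange interpolation: k points (x, g(x)) -> [b0, ..., b_{k-1}]."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for xj, _ in points[:i] + points[i + 1:]:
            nxt = [0] * (len(basis) + 1)   # basis * (z + xj); minus is XOR too
            for d, c in enumerate(basis):
                nxt[d] ^= gf_mul(c, xj)
                nxt[d + 1] ^= c
            basis, denom = nxt, gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        for d, c in enumerate(basis):
            coeffs[d] ^= gf_mul(scale, c)
    return coeffs

def split_code(code, k, n):
    """n shares of a byte string, one share byte per k-byte sector."""
    padded = code + bytes(-len(code) % k)  # zero padding: example's assumption
    shares = [bytearray() for _ in range(n)]
    for off in range(0, len(padded), k):
        for share, y in zip(shares, share_sector(padded[off:off + k], n)):
            share.append(y)
    return [bytes(s) for s in shares]

def join_shares(by_index, length):
    """Rebuild the code from k shares passed as {x: share_bytes}."""
    xs, out = sorted(by_index), bytearray()
    for pos in range(len(by_index[xs[0]])):
        out += bytes(recover_sector([(x, by_index[x][pos]) for x in xs]))
    return bytes(out[:length])

def consistent_sectors(points):
    """With k-1 points, every guess of b0 = g(0) gives a sector that fits."""
    return [recover_sector(points + [(0, b0)]) for b0 in range(256)]
```

`share_sector([100, 200], 3)` returns `[172, 239, 39]` and `recover_sector([(1, 172), (3, 39)])` returns `[100, 200]`, matching Section 3.2.3. `consistent_sectors([(1, 172)])` returns 256 distinct sectors that all produce the intercepted byte 172, which is the 1/256 per-sector guess used in the text.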

If the security of the shadows is to be increased, a seed may be used in a random number generator to generate a random sequence for each shadow, and then XOR operations can be applied between the random sequence and the shadow. Each row of the XOR-encrypted shadows of the code si can then be circularly shifted by a certain number of bytes. Similar operations are applied to each column. This process will transform the shadows to their safer versions. Notably, each seed used to generate a random sequence is based on the creation time and shadow index. Each seed can then be kept by all n participants or held by the company leader if the leader insists on attending the decoding meeting.

As stated in three works [51-53], attackers may slightly change the plaintext and then observe the change in the ciphertext. This is the so-called differential attack, which the related progressive image sharing methods [27-29] cannot handle. The attackers may try to find a relationship between the plaintext and its ciphertext. Therefore, to ensure high security, the change in the ciphertext should cover a very large area if change occurs over a small area in the plaintext.

To check this phenomenon, the number of pixels change rate (NPCR) is used to measure the number of pixels that are changed in the ciphertext when only one pixel is changed in the plaintext. To define NPCR, let X and Y be two ciphertexts of size W×H, where the plaintexts of X and Y differ by only one pixel. Let X(i, j) and Y(i, j) be the pixel values at the position (i, j) in X and Y, respectively. Define
