Joint Reversible Data Hiding and Image Encryption - Semantic Scholar

Joint Reversible Data Hiding and Image Encryption Bian Yang a,b, Christoph Busch a, Xiamu Niu b Norwegian Information Security Laboratory, Gjøvik University College, Teknologivegen 22, Gjøvik N-2815, Norway b Department of Computer Science and Technology, Harbin Institute of Technology, 92 St. West Dazhi, Harbin, 150001, China a

ABSTRACT Image encryption process is jointed with reversible data hiding in this paper, where the data to be hided are modulated by different secret keys selected for encryption. To extract the hided data from the cipher-text, the different tentative decrypted results are tested against typical random distribution in both spatial and frequency domain and the goodnessof-fit degrees are compared to extract one hided bit. The encryption based data hiding process is inherently reversible. Experiments demonstrate the proposed scheme's effectiveness on natural and textural images, both in gray-level and binary forms. Keywords: reversible data hiding, image encryption, image authentication, randomness test

1. INTRODUCTION Regarding the security aspects of images, encryption [1-8] and reversible data hiding [9-16] have been intensively studied in the recent decade to realize security applications such as confidentiality and authentication within the same image data without need of appending separate metadata. A common implementation is to reversibly hide the authentication data into the image data first, and then encrypt the resultant image data. Reversible data hiding is usually performed before encryption because it is difficult to do reversible data hiding using existing algorithms [9-16] on encrypted data which lacks redundancy. Besides, reversible data hiding is better than other irreversible schemes in this scenario because it guarantees the reversibility of both the image data and the hided data, which is suitable for applications requiring integrity of the original image data. One problem is, to ensure reversibility of the hided data and the image, pixel clipping (value overflow /underflow outside the dynamic range) caused by data hiding should be rigidly avoided. However, for those low-correlated images, binary images, or near-binary images which have a large percent of boundary pixels (e.g., close to 0 and 255 for an 8-bit-depth image such as text images, fingerprint images), even highcapacity reversible watermarking [10-16] are incapable to provide enough capacity to record the pixel clipping information. This matters especially for binary images, which have zero tolerance to value expansion used in [10-16]. However, if we consider those applications requiring both the data hiding and encryption steps, different from pure reversible data hiding applications, the concern over image quality degradation caused by data hiding can be alleviated or even neglected because the latter encryption step will completely scramble the image anyway. This difference, however, cannot be fully exploited if the reversible data hiding algorithm is independent of the image encryption algorithm. Although joint encryption and data hiding schemes [17-19] have been proposed, they were mainly designed to explore security and performance trades-offs or emphasize the commutativity of the encryption and data hiding, but provide no idea to cope with the tough pixel clipping problem mentioned above. Regarding those applications requiring both encryption and data hiding for images, we propose a scheme to joint the two operations in the following sections on natural and textural images, both in gray-level and binary forms. This scheme especially works on those images difficult to reversibly hide data into but needing encryption anyway.

2. PROPOSED SCHEME 2.1 Reversibly hiding data during encryption Regarding a P=M×N pixel sized natural or textural image I as a vector x=(x1,x2,...,xP) in a P-dimensional hyperspace measured by Euclidean distance as shown in Fig.1, a spherical vicinity S centering x can be defined as a set of vectors sharing the same perceptible content with x, with a fuzzy perceptual boundary to other random-like vectors surrounding

S. In the proposed scheme, difference in statistics between perceptible content and random-like content is assumed to discriminate the plain-text from the cipher-text during decryption. En-/decryption can be modeled as a bijection between x and an arbitrary vector xe1 outside S controlled by a secret key K1 for encryption (x→xe1) and decryption (xe1→x). For cases requiring both image encryption and data hiding, diversified secret keys can be used to modulate different bits to be hided. The simplest way is to encrypt x with two different secret keys K1 and K2, generating two possible cipher vectors xe1 and xe2. One bit b = “0” or “1” can be hided by selecting K1 or K2. Due to the reversibility of the encryption process, this data hiding method is inherently reversible.

Figure 1. Data hiding modulated by encryption process.

2.2 Hided data extraction and decryption To extract one hided bit, firstly two tentative decryption (using both K1 and K2) processes are performed, secondly the correct secret key out of K1 and K2 for decryption is identified, and lastly one bit “0” or “1” corresponding to the identified secret key is obtained as the extracted bit. Because the plain-text image vector x is normally not available as a reference during decryption, some mechanism should be designed to distinguish the correct one out of the two tentative decrypted results. Assuming that an image's content in plain-text has difference in statistics from its cipher-text (or a wrongly decrypted result from the cipher-text), we consider a statistic-based mechanism to discriminate the correct decrypted result from the wrong one. Another assumption is that the encryption should map x to a vector outside all possible perceptible content zones (S is just one of them) in the hyperspace. This can be guaranteed by standard data encryption algorithms such as DES and AES, and also most image encryption algorithms (except those perceptual encryption algorithms [7-8]). Intuitively, statistics such as entropy or pixel histogram can be used as such a mechanism for discrimination, assuming these statistics exhibit high values (entropy) or flatness (histogram) on random-like ciphertext rather than correlated image data. However, such statistics are only necessary but not sufficient conditions to cipherlike randomness, which implies the possibility that some plain-text content exhibits even higher entropy or more flat pixel histogram than its cipher-text, especially in the case that small sample size causes large variability for statistic parameter estimation. To obtain a discrimination mechanism with improved sufficiency, we must investigate the typical statistics of a cipher-text. A key factor to a cipher's security is the output cipher-text's uncertainty, which can be measured by the entropy of the cipher-text [20]. For an image, the pixels' first-order entropy can be calculated to measure the image' average uncertainty, which reaches maximum when the alphabets in the cipher-text conforms to a uniform distribution among the pixel value dynamic range [Lmin,Lmax]. So intuitively the goodness-of-fit of the cipher-text to a uniform distribution can be a criterion to discriminate it from a plain-text assuming the plain-text exhibits some non-uniformity in pixel value distribution in most cases. However, this assumption is easy to negate by some special image examples (supposing an 8-bit grayscale image with scale 0 to 255 gradually increasing from left to right) or the histogram equalization processing. Higher-order entropy can help to detect plain-text pixels' local correlation but it is complicate to compute different orders of entropy. Instead, we refer to the discrete cosine transform (DCT) domain, which is popular for image de-correlation, to find

typical statistics for the random-like cipher-text. Considering the 2-dimensional type-II DCT for an N×N sized image block, in which each coefficient C(u,v) (u,v=1,2,...,N) can be represented by summation of weighted pixels I(x,y) (x,y=1,2,...,N) as N −1 N −1

C (u , v) = α (u )α (v)

∑∑ I ( x, y) cos⎛⎜⎝ x =0 y =0

( 2 x + 1)uπ ⎞ ⎛ (2 y + 1)vπ ⎞ ⎟ cos⎜ ⎟ 2N 2N ⎠ ⎝ ⎠

(1)

where ⎧ 1 ⎪ ⎪ N α (u ) = ⎨ ⎪ 2 ⎪ N ⎩

for u = 0

(2) for u > 0

and ⎧ 1 ⎪ ⎪ N α (v ) = ⎨ ⎪ 2 ⎪ N ⎩

for v = 0

(3) for v > 0

Assuming the use of a chaotic-map based image cipher which does not change the image's size and bit -depth, the pixels I(x,y) in the encrypted image block should be sufficiently randomized and thus independently and uniformly distributed. Then the encrypted pixels' mean values and variances across all the image blocks will have constants µp=0.5(Lmax-Lmin) and σp2=(Lmax-Lmin)2/12, and the coefficients C(u,v) can be approximately fitted to a Gaussian distribution by the central limit theorem [21]. The expectation value of this Gaussian distribution is µc = 0 for the unitary nature of DCT and standard deviation value σc is equal to the pixels' standard deviation σp=((Lmax-Lmin)2/12)0.5 which can be obtained by Parsevel's theroem: N −1 N −1

∑∑

C 2 (u , v) =

u =0 v=0

⇔ C (0,0) +

∑

∑∑ I

2

( x, y )

(4)

x =0 y =0

N 2 −1

2

N −1 N −1

C 2 AC ( s ) =

s =1

N −1 N −1

∑∑ I

2

( x, y )

x =0 y =0

2

N −1 N −1 N 2 −1 N −1 N −1 ⎞ ⎛ ⎟ ⎜ I ( x, y ) ⎟ + C 2 AC ( s ) = I 2 ( x, y ) ⇔ ⎜ α (0)α (0) ⎟ ⎜ x =0 y =0 s =1 x =0 y =0 ⎠ ⎝

∑∑

⇔

1 N2

∑

N 2 −1

∑ (C

AC ( s ) − µc

s =1

)

2

∑∑

⎛ ⎜ 1 I ( x , y ) −⎜ 2 = 2 N x =0 y =0 ⎜N ⎝ 1

N −1 N −1

∑∑

2

⎞ ⎟ I ( x, y ) ⎟ ⎟ x =0 y =0 ⎠

N −1 N −1

2

∑∑

⇔ σ c2 = E ( I 2 ( x, y )) − ( E ( I ( x, y )) 2 ⇔ σ c2 = σ 2p

(5)

Now we generate the Pearson's chi-square test [22] statistic values Vp and Vc from the pixels and DCT coefficients of the encrypted image block to form a new statistic – combined fitting degree V:

V = V p + Vc =

X 2p

+

X c2

⎛ (O pi − E pi ) 2 (O − E ) 2 ⎞ ci ⎜ ⎟ + ci ⎜ ⎟ E pi Eci i =1 ⎝ ⎠ n

=

∑

(6)

where Epi and Eci are expected counts in the ith (i=1,2,...,M) bin divided from the uniform distributed pixel value dynamic range [Lmin, Lmax]; and Opi and Oci are observed counts in the ith (i=1,2,...,M) bin divided from the Gaussian distributed DCT coefficient value dynamic range with the expectation µc = 0 and the standard deviation σc = σp = ((LmaxLmin)2/12)0.5. This new statistic V can be generated from the two decrypted results via the secret keys K1 and K2, denoted as V1 and V2. We expect the larger one out of the two corresponds to the correct decrypted result, i.e., the true plain-text image block, assuming the wrongly decrypted data better conform to uniform distribution and Gaussian distribution in the spatial domain and DCT domain respectively in the same time, and thus generating smaller test statistic value. Note that this new statistic might still not be sufficient to discriminate a cipher-text from a plain-text, especially for the smallsized image block case which counts in some bins for the Pearson's chi-square test are too less (such as less than 5). To further guarantee the correct decryption and data extraction, error-correction coding (ECC) can be used on the data to be hided. 2.3 Realization of joint data hiding and encryption – image encryption and authentication We consider a practical image security enhancement scenario reversibly hiding authentication bits A = HASH(I) (e.g., MD5 sequence) while encrypting the image I block by block. After error-correction coding (ECC), the data to be hided D_em = ECC(A). For encryption and authentication bits hiding, I is equally divided into B_num blocks and then do the following steps: // Data Hiding Capacity Checking: Step 1: Let length(c) be the ECC code length. Check the capacity for watermark embedding:

Capa = ⎣B_ num / length (c) ⎦ ⋅ length (c)

(7)

if Capa >= length(D_em), go on to Step 2; otherwise go to Step 6; // Discrimination Error Checking for Decryption Results: Step 2: For each image block Bi (i=1,2,...,length(D_em)), do encryption and data hiding modulated by secret keys K1 and K2: if D_em(i) = 0, then Bei=ENC(Bi,K1), where ENC and Bei denote the encryption function and the encrypted result respectively; if D_em(i) = 1, then Bei=ENC(Bi,K2); and for each image block Bi (i=length(D_em)+1,...,B_num), use K1 for only encryption without data hiding: Bei=ENC(Bi,K1);

⎦ , set error number ERN(j) = 0, and for each encrypted image block Bei Step 3: For j=1,2,..., ⎣ (i=(j-1)×length(c)+1,...,(j-1)×length(c)+length(c)), do error checking for extraction of the hided data: length(D_em) / length (c)

if V(DEC(Bei,K1)) >= V(DEC(Bei,K2)), then D_ex(i) = 0, where DEC denotes the decryption function and V is defined in Eq.(6); if V(DEC(Bei,K1)) < V(DEC(Bei,K2)), then D_ex(i) = 1; where D_ex(i) denotes the extracted authentication bits. Now check: if D_ex(i) ≠ D_em(i), then ERN(j) ++; // ECC Capability Checking: Step 4: Let t be maximum number of error bits that the employed ECC can correct. For any j, if t >= max(ERN(j)), go on to Step 5; otherwise go to Step 6; Actual Encryption and Data Hiding: Step 5: repeat Step 2; and conclude the algorithm. Data Hiding Failure Notification: Step 6: Notification to system administrator of watermark embedding failure and conclude the algorithm. Steps for decryption and hided data extraction: // Extraction of the Hided Data and Decryption Testing: Step 1: For each encrypted image block Bei (i=1,2,...,Capa), if V(DEC(Bei,K1)) >= V(DEC(Bei,K2)), then D_ex(i)= 0 and Bdi=DEC(Bei,K1);

Figure 2. Testing images (from top to bottom and left to right: F16, Bridge, Baboon, Barbara, Cameraman, Fingerprint, Text50, Text100, Text150, RNU, RNG, RT).

if V(DEC(Bei,K1)) < V(DEC(Bei,K2)), then D_ex(i)=1 and Bdi=DEC(Bei,K2); where Bdi denotes the decryption result. // ECC Decoding of the Extracted Data: Step 2: ECC decode the extracted data D_ex: A' = ECC -1(D_ex); // Decryption Update: Step 3: Find error position vector e = XOR(ECC(A'),D_ex), and for each dimension ei (i=1,2,...Capa): if ei=1 and D_ex(i) = 0, then Bdi=DEC(Bei,K2); if ei=1 and D_ex(i) = 1, then Bdi=DEC(Bei,K1); if ei=0, then keep Bdi unchanged; Step 4: For each encrypted block Bei (i=length(D_em)+1, ...,B_num), use K1 for only encryption without data extraction: Bdi=DEC(Bei,K1). Now we re-calculate the decrypted image's authentication bits Ad = HASH(I'), where I' is the decrypted image constituted by all decrypted image blocks {Bd1,Bd2, ..., BdB_num}. If Ad=A', the decrypted image can be regarded as authentic to the original image, and all extracted bits match the originally embedded ones, otherwise the encrypted image must have been tampered.

3. EXPERIMENTAL RESULTS We tested the proposed algorithm with 4 categories of 8-bit gray-level images: (1) natural images (F16, Bridge, Baboon, Barbara, Cameraman); (2) near-binary (Fingerprint, Text50, Text100, and Text150, where Text50, Text100 and Text150 are screen-print results of the first page of the PDF document of [31] with view-size scales 50%, 100% and 150%, respectively, from the left-top corner), (3) random images (randomly generated noise image (RNU) having uniform distribution over [0,255], and randomly generated noise image (RNG) having Gaussian distribution with mean 127 and standard deviation 30), and (4) a random textural image (RT, ½ down-sampling and 2 times interpolated and histogramequalized result of the RNU), shown in Fig.2. Besides, binary versions of all the above images are also tested. All the images were divided into 32×32 and 16×16 blocks and for each block the chaotic en-/decryption (Baker-Map combined with diffusion operations in [1]) was performed. Error-correction code BCH(255;139;15) was used. 255×4 = 1020 bits can be embedded and 139×4 = 556 bits are available for hiding data. Note that besides a 128-bit MD5 hash sequence as the authentication data A, over 400-bit space is available for other purposes, such as copyright information or archival information. The significance level set in the Pearson's chi-square test is 0.05. To increase the counts in each bin in the Pearson's chi-square test and thus the accuracy of the test, we use half-Gaussian distribution (µ'c = µc + σc(2/π)0.5 = 58.8, µ'c = σc(1-2/π)0.5 = 44.4) to replace the Gaussian distribution (µc = 0 and σc = ((Lmax-Lmin)2/12)0.5 ≈ 73.6, where Lmax = 255 and Lmin = 0) to fit the absolute values of the AC coefficients. We found in our experiments that most of the tested images can pass the discrimination regarding their plain-text and cipher-text by both the variance value and the combined fitting degree V, except three images presented in Table 1,

(a) Barbara – pixel histogram

(b) Barbara – DCT AC histogram

(c) Fingerprint – pixel histogram

(d) Fingerprint – DCT AC histogram

(e) RNU – pixel histogram

(f) RNU – DCT AC histogram

(g) bRNU – pixel histogram

(h) bRNU – DCT AC histogram

Figure 3. (a)(c)(e)(g) Pixel histogram comparison: before encryption (dotted-line) and after encryption (solid line); (b)(d)(f)(h) DCT AC coefficients histogram comparison: before encryption (dotted-line) and after encryption (solid line).

which compares the performance, in terms of number of decryption discrimination errors, of the two statistics. All of the binary versions of the testing images, including the three one listed in Table 1, can pass the discrimination as well. For each test, data to be hided were randomly generated and totally 10 tests were done for each image to obtain the average error number. The statistic V demonstrates better performance than variance showing almost no error in the testing set, except that uniformly-distributed noise image RNU exactly acts like highly-randomized cipher-text. “ECC error” denotes the cases that too many decryption discrimination errors destroyed the error-correction mechanism. Fig.3 shows the histograms before and after chaotic encryption of 4 typical images (Barbara, Fingerprint, RNU, bRNU (the binary version of RNU)), both for pixels and DCT AC coefficients. We can see that, by simultaneously fitting the cipher-text's pixels and DCT AC coefficients to a uniform distribution and a Gaussian distribution with fixed parameters respectively, the plain-text image can be well discriminated from its cipher-text as along as the plain-text itself is not as random as encrypted data. This method effects as well on small-size image blocks but with decreased discrimination ability, which requires error-correction codes to improve the correctness of decryption. Regarding the image block size, a larger-sized block (the case with 16×16 = 256 blocks in the Table 1) contains more data samples and therefore higher estimation accuracy for distribution parameters can be achieved. As a result, better effectiveness of the combined fitting degree statistic can be achieved. We also tested standard AES cipher in the Counter block cipher mode for the testing images, and generate almost the same performance as the chaotic-map image cipher did in Table 1 and 2, with minor difference caused by different tobe-hided data sequences and different secret key stream segments used in both the chaotic-map cipher and the Counter mode based AES cipher. Specifically, for all the binary images, the chaotic-map cipher regards them as 8-bit images with only gray-scale 0 and 255, generating the cipher-text with 8 times of original data volume. AES cipher can actually regard 128 binary pixels (128 bits) as one cipher block during process without causing file size increase, but this will deduce the data hiding capacity for the 256×256 images to half the original amount in the 32×32 image block case. Table 2 compares data hiding capacities and number of pixel-clipping using the high-capacity reversible data hiding algorithm in [14] and the proposed scheme. For the near-binary and the random textural images - Fingerprint, Text50, Text75, Text100, Text150, and RT, the achieved capacities from the independent reversible data hiding algorithm are difficult to cover the overhead amount required to record pixel-clipping. For other similar value expansion based reversible data hiding schemes [10-12,15-16], it is difficult as well in principle to obtain positive value from the capacity minus overhead bits. Our proposed algorithm circumvents this problem by jointing the encryption and reversible data hiding in the same process and therefore no pixel-clipping problem exists anymore.

Table 1 Average number of discrimination error blocks per test from 10 encryption and data hiding tests: using entropy for discrimination versus using the proposed statistic V for discrimination

Entropy

Testing images

Statistic V in Eq.(6)

32×32 blocks

16×16 blocks

32×32 blocks

16×16 blocks

Cameraman (256×256)

2.1

0

0

0

RNG (µ = 127, σ = 30) (256×256)

9

0

0

0

RNU ([0,255]) (256×256)

ECC error

ECC error

ECC error

ECC error

Other testing images

0

0

0

0

Table 2 Data hiding capacity comparison: only reversible data hiding versus reversible data hiding while encryption

Algorithm in [14]

Proposed scheme

Tested images

Capa.(bits)

Pixel-clip

Capa.(bits)*

F16 (512×512)

59310

0

Bridge (512×512)

23911

367

Baboon (512×512)

14981

35

Barbara (512×512)

42201

0

Cameraman (256×256)

10188

100

Fingerprint (512×512)

149593

57968

For all images:

Text50 (512×512)

119716

72109

556

Text100 (512×512)

139843

0

Text150 (512×512)

165463

71443

RNU (256×256)

486

428

RNG (256×256)

1196

3

RT (256×256)

1986

819

Pixel-clip

None

* Actual capacity is roughly decided by the total block number and the error-correction codes

4. SECURITY ENHANCEMENT TO THE CHAOTIC-MAP IMAGE CIPHER Although standard encryption algorithms such as AES provide solid security implemented in proper block cipher mode, but they usually have distinct higher computational complexity than the chaotic-map based ciphers. In our experiments implemented under MATLAB environment, the AES costs 13-15 folds of processing time the Baker-Map-plus-diffusion cipher costs [1]. However, the major security concern with the proposed scheme is regarding the image block size. The block sizes of 8×8, 16×16 and 32×32 used in the experiments provide rather limited secret key spaces [1] which cannot cope with brute-force attacking. A security enhancement measure can be replacing the fixed grayscale permutation look-up table used in diffusion operation in [1] with a random permutation look-up table which is generated from a pseudo-random number generator (PRNG) and different from image block to image block.

5. CONCLUSIONS A joint reversible data hiding and encryption scheme is proposed using two secret keys to modulate data to be hided. To guarantee the accuracy of data extraction and decryption, a spatial and frequency domain combined statistic is proposed and exhibits ability to discriminate correctly decrypted image content from the wrong one, assuming the plain-text image content having different randomness properties from its cipher-text version. The proposed scheme exhibits better adaptability to binary/near-binary images and low-correlated images than existing independent encryption and data hiding schemes. 6.

ACKNOWLEDGEMENT

This work is partially supported by the National Science Foundation of China (Project Number 60832010, 60703011), the Research Fund for the Doctoral Program of China Ministry of Education (RFDP: 20070213047).

REFERENCES [1] Fridrich, J. "Symmetric ciphers based on two-dimensional chaotic maps," Int. J. of Bifurcation and Chaos, 8(6), 1259-1284 (1998). [2] Dang, P. and Chau, M. "Image encryption for secure Internet multimedia applications," IEEE Trans. on Consumer Electronics, 46(3), 395-403 (2000). [3] Chang, C.C., Hwang, M.S., and Chen, T.S. "A new encryption algorithm for image cryptosystems," The Journal of System and Software, 58(7), 83-91 (2001). [4] Ziedan, E., Fouad, M., and Salem, H. "Application of data encryption standard to Bitmap and JPEG images," The 20th National Radio Science Conference, Cairo, Egypt, 6-18 (2003). [5] Maniccam, S.S. and Bourbkis, N.G. "Image and video encryption using scan patterns," Pattern Recognition, 37(4), 725-737 (2003). [6] Zhang, L.H., Liao, X.F., and Wang, X.B. "An image encryption approach based on chaotic maps," Chaos, Solitons and Fractals, 24(3), 759-765 (2005). [7] Zhu, B.B., Swanson, M.D., and Li, S. "Encryption and authentication for scalable multimedia: Current state of the art and challenges," Proc. SPIE Int. Sympo. Inf. Technology & Commun., vol.5601, Philadelphia, PA, US, 157–170, (2004). [8] Li, S., Chen, G., Cheung, A., Bhargava, B., and Lo, K. "On the design of perceptual MPEG-Video encryption algorithms," IEEE Trans. Circuits Syst. Video Techn. 17(2), 214-223 (2007). [9] Fridrich, J., Goljan, M., and Du, R. "Invertible authentication," Proc. SPIE, Security and Watermarking of Multimedia Contents, San Jose, California, (2001). [10] Tian, J. "Reversible watermarking by difference expansion," Proc. of Workshop on Multimedia and Security (2002). [11] Leest, A., Veen M., and Bruekers F. "Reversible image watermarking," IEEE Proceedings of ICIP03, vol.2, 731-734 (2003). [12] Yang, B., Schmucker, M., Funk, W., Busch, C., and Sun, S. "Integer DCT-based reversible watermarking for images using companding technique," Proc. SPIE, Security and watermarking of Multimedia Content, Electronic Imaging, San Jose, USA (2004).

[13] Alattar, A.M. "Reversible watermark using the difference expansion of a generalized integer transform," IEEE Trans. on Image Processing, 13(8), 1147-1156 (2004). [14] Yang, B., Schmucker, M., Busch, C., Niu, X., and Sun, S. "Approaching optimal value expansion for reversible watermarking," Proc. of ACM Multimedia and Security (2005). [15] Lee, S., Yoo, C.D., Kalker, T. "Reversible image watermarking based on integer-to-integer wavelet transform," IEEE Trans. on Information Forensics and Security, 2(3), 321-330 (2007). [16] Kim, H.J., Sachnev, V., Shi, Y.Q., Nam, J., and Choo, H.G. "A novel difference expansion transform for reversible data embedding," IEEE Trans. on Information Forensics and Security, 3(3), 456-465 (2008). [17] Steinebach, M., Zmudzinski, S., Bölke, T. "Audio watermarking and partial encryption," Proc. of SPIE, vol.5681, Security, Steganography, and Watermarking of Multimedia Contents VII (2005). [18] Merhav, N. "On joint coding for watermarking and encryption," IEEE Trans. on Information Theory, 52(1), 190-205 (2006). [19] Cancellaro, M., Battisti, F., Carli, M., Boato, G., Natale, F.G.B.De., and Neri, A. "A joint digital watermarking and encryption method," Proc. of SPIE – Vol.6819, Security, Forensics, Steganography, and Watermarking of Multimedia Contents X (2008). [20] Mao, W. "Modern Cryptography: Theory and Practice," Prentice Hall (2004). [21] Lam, E. Y., and Goodman, J. W. "A mathematical analysis of the DCT coefficient distributions for images," IEEE Trans. on Image Processing, 9(10), (2000). [22] Plackett, R. L. "Karl Pearson and the Chi-Squared Test," International Statistical Review, 51(1), 59-72 (1983).