Reversible Data Hiding in Encrypted Images Based on Reversible Integer Transformation and Quadtree-Based Partition

This paper presents an improved secure reversible data hiding scheme in encrypted images based on integer transformation, which does not require a data hider key to protect the embedded secret data. We first segment the original image into blocks of various sizes using a quadtree-based image partition. For each block, we reserve the $m$ least significant bits (LSBs) of each pixel as embedding room using the reversible integer transformation. To improve the security of the image encryption, we pad the $m$ LSBs of each pixel using information from the corresponding $(8-m)$ most significant bits (MSBs) after the transformation, which protects the security of the encryption key. Then, we encrypt the transformed image with a standard stream cipher. After the image encryption, the data hider embeds the secret data in the $m$ LSBs of the encrypted images through an exclusive-or operation. On the receiving side, the receiver can extract the secret data after the image decryption and recover the original image without loss of quality. The security analysis shows that the proposed scheme remedies the security weakness of the scheme that directly uses adaptive integer transformation. The experimental results show that the proposed method achieves a higher embedding ratio compared with several relevant methods.


I. INTRODUCTION
Data hiding in digital images is an information security technique that hides secret data by modifying cover images. It is usually used for secure data transmission or active image authentication. The process of data embedding may distort the original image. However, for some sensitive images, such as medical images or artistic images, permanent distortion of the original image is not allowed. For example, a slight distortion of a medical image may cause diagnosis errors. Reversible data hiding (RDH) techniques are studied to implement lossless data hiding in digital images: they can recover the original image without loss after extracting the secret data [1]. Many RDH schemes have been proposed [2]-[6] that hide the secret data in the plaintext domain. In those schemes, the content of the cover image is visible to the data hider.
The associate editor coordinating the review of this manuscript and approving it for publication was Yue Zhang. VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Recently, with the development of mobile internet, cloud computing has become a popular solution for storing the images generated by smart mobile devices. To protect privacy, image encryption is usually used in a cloud storage system. That is, the content owners first encrypt the images and then upload the encrypted images to the cloud. For ease of management, the cloud servers generally need to embed some additional information, such as user data, authentication data or copyright data, into the images. In addition, for some sensitive images, the cloud servers are not allowed to introduce permanent distortion to the original images. For those purposes, reversible data hiding in encrypted images (RDHEI) is studied and has become a new interesting notion in the data hiding area. It allows embedding additional information directly in encrypted images and recovering the original image after the image decryption and the image recovery.
The existing methods to embed additional data in encrypted images fall into two categories: reserving room before encryption (RRBE) and vacating room after encryption (VRAE). In RRBE methods, the image owners usually pre-process the original images to reserve embedding room before encryption. Schemes [7]-[9] use a self-embedding method to reserve room. They vacate the embedding room in the LSBs of some pixels and embed the reversible information of these pixels into other pixels using standard reversible data hiding methods. This method has a lower embedding capacity because only some of the pixels are used to carry the secret data.
Schemes [10], [11] reserved the embedding room using a reversible integer transformation. They transformed two adjacent pixel values to be both even or both odd, and the two pixels carry one bit of secret data in the data embedding processing. Schemes [12]-[15] reserved the embedding room in the MSBs of the pixel values combined with prediction error methods. Malik et al. [15] used the prediction-error method to reserve the embedding room in the MSBs. They used the prediction-error values to replace the pixel values in the prediction block. When the error is small, the MSBs of the prediction-error values are zeros, and a location map is used to record these pixels. Then, they embed the secret data in the MSBs of these pixels in the encrypted image. Chen et al. [16] used a pre-coding method to reserve the embedding room before encryption and embedded the secret data with matrix embedding methods.
In VRAE methods, the data hider vacates the embedding room in the encrypted images. There are two main categories in this method. The first category is to keep some redundant space in the encrypted image, and then the room is vacated directly in the cipher image with different methods [17]-[23]. Scheme [17] transferred the redundant space for data embedding by exchanging the MSBs and LSBs of the pixel values before image encryption. Then, they used a coding method to vacate room in the LSBs of pixels in the cipher image blocks. Scheme [18] used a special encryption algorithm to keep the local characteristics in the encrypted image, then compressed the bits from the cipher image to make room for the data embedding using a different compressing method. Schemes [20], [21] used a parameter binary label to compress room for embedding data. Ge et al. [24] kept the histogram of each block in the encrypted image the same as the original image using block-based encryption. Then, they embedded the secret data in the encrypted image using the histogram shifting method. Di et al. [25] proposed a bitplane operation and adaptive embedding method to improve the embedding capacity of the existing schemes. The first method can obtain considerable embedding capacity, but the security of the cipher image is poor because the cipher image entropy is not maximized. The second method vacates the room based on the property of encryption algorithms. Huang and Wang [26] combined the MED prediction and a specific encryption algorithm to reserve the embedding room for data hiding in the encryption process. Schemes [27], [28] used the homomorphism of the encryption algorithms to embed the secret data by modifying the cipher pixel values without affecting the decryption. These methods can obtain a higher embedding capacity because they don't consider the quality of the stego-images. However, they expand the size of the encrypted image.
From the above, we know that most RDHEI schemes, whether based on RRBE or VRAE, have to pre-process the original image to vacate embedding room before encryption. The pre-processing may lead to a security weakness in the image encryption, especially when the room is reserved in the LSBs or MSBs of the cover pixels. Qiu et al. [29] proposed an RDHEI scheme using adaptive integer transformation, which has a high embedding capacity. They divided the original image into blocks. For each block, they transformed the pixel values using a reversible integer transformation with an adaptive parameter m. After the transformation, the m LSBs of each pixel value in the block are zero. Then they encrypted the transformed image with the stream cipher, and embedded the secret data in the m LSBs of each pixel in the cipher image block. We noticed that if the m LSBs of a pixel value are zero, then the m LSBs of the pixel values in the cipher image will disclose m bits of the encryption key. This means that the attacker can obtain some bits of the encryption key. This is a weakness in the security of the cipher images.
Chen et al. [11] classified the existing RDHEI schemes into two types by the number of secret keys that the receiver shares with the image owner and data hider: sharing independent secret key (SIK) and sharing no secret key (SNK). Then, they presented a new type of RDHEI, in which the receiver shares only one secret key (SOK).
This paper presents a new SOK-type RDHEI scheme that improves the security of the cipher image based on the reversible integer transformation proposed by [29], which is a SIK-type scheme. We first segment the original image using a quadtree-based partition algorithm. The pre-condition of the image segmentation is to satisfy the demand of the reversible integer transformation.
Then, to prevent disclosure of the encryption key information, we pad the m LSBs, which are zeros after the transformation, with information from the (8 − m) MSBs of each cover pixel. After the image encryption, we embed the secret data in the padded LSBs room. The receiver decrypts the marked encrypted image and extracts the secret data by removing the padding information based on the right MSBs of each decrypted pixel value. Finally, we can recover the original image using the inverse transformation.
The rest of the paper is organized as follows. Section II introduces the integer transformation and the quad-tree based image partition. Section III presents the proposed SOK-type RDHEI scheme. In Section IV, we show the experimental results and analysis. Our scheme is concluded in Section V.

II. RELATED WORKS
In this section, we first introduce the reversible integer transformation proposed in [29], and analyze the weakness of an RDHEI scheme directly using the integer transformation. We then introduce an image partition method based on the quad-tree.

A. REVERSIBLE INTEGER TRANSFORM AND ANALYSIS
Qiu et al. [29] proposed a reversible integer transformation that transforms an integer vector $p = (p_1, p_2, \cdots, p_n) \in \mathbb{Z}^n$ to another integer vector $p' = (p'_1, p'_2, \cdots, p'_n) \in \mathbb{Z}^n$ with parameter $m$. After transformation, the $m$ LSBs of all $p'_i$ in $p'$ are zeros. The integer transformation is defined as follows: where $f(r(\bar{p}), 2^m) = (2^m - 1) \times r(\bar{p})/2^m$, $r(\bar{p}) = \mathrm{round}(\bar{p})$, and $\bar{p} = (\sum_{i=1}^{n} p_i)/n$. The inverse transformation is: where $h(p'_i, 2^m) = p'_i/2^m$, $h(\bar{p}', 2^m) = \bar{p}'/2^m$, and $l(r(\bar{p}), 2^m)$ denotes the $m$ LSBs of $r(\bar{p})$ that are recorded in the processing of transformation (1). The mean square error between $p$ and $p'$ is defined as $MSE(p, p') = \sum_{i=1}^{n} (p_i - p'_i)^2/n$, and the mean square error of $p$ is defined as $s^2(p) = \sum_{i=1}^{n} (p_i - \bar{p})^2/n$. Then, we can verify that: This means that we can control the transformation error by adjusting parameter $m$ or the mean square error of the integer vector.
The integer transformation is used to reserve embedding room in the scheme [29]. Here, we analyze the weakness of this method. For example, consider the original pixel values (161, 162, 160, 163); they are transformed to (156, 160, 152, 164) according to (1). The binary representation of the transformed result is (10011100, 10100000, 10011000, 10100100), where the 2 LSBs of each pixel are 0. In the image encryption, assuming that the encryption key of the stream cipher is (10100010, 00011001, 01001000, 10001100), the encryption result is (00111110, 10111001, 11010000, 00101000). It is obvious that the 2 LSBs of the ciphertext disclose the 2 LSBs of the encryption key. Therefore, it is important to post-process the reserved embedding room before image encryption, which will be presented in the proposed scheme.

B. IMAGE PARTITION BASED ON QUADTREE
Image partition divides an image into non-overlapping blocks. The usual method is to divide an image into fixed-size blocks. With a quad-tree based partition, an image is divided into a series of non-overlapping blocks of various sizes, and a quad-tree corresponding to the partition process records the size and location of each block. It is widely used in image processing to compress the image partition information [30]-[32].
The image partition based on the quad-tree can be simply described as follows. For the given image I sized $2^n \times 2^n$, decide whether the whole image block satisfies the predefined condition C. If I satisfies condition C, then the partition processing of the current block is complete. If not, then I is divided into four sub-image blocks sized $2^{n-1} \times 2^{n-1}$. Construct a 1-bit node as the root node, and take the four sub-blocks as the four children nodes of the root node. For the four children blocks, decide whether they satisfy condition C in a left-to-right, top-to-bottom order. If a sub-block does not satisfy the condition, it is further split into four smaller image blocks. Similar processing is done to each smaller sub-image block individually. In each node, a value of 1 represents that the corresponding block satisfies condition C and a value of 0 represents that it does not. The partition is repeated until all sub-blocks satisfy the condition or the size of the sub-block is equal to the pre-defined size. Finally, we obtain a quad-tree in which each node denotes a sub-block of the image I. The position of a node in the tree determines the size and the position of a sub-block, and the value determines whether the sub-block satisfies the precondition. Fig. 1 shows an example of an image partition processing and its corresponding quadtree.

III. PROPOSED SCHEME
The designed scheme contains three stages. The first stage contains the embedding room reserve and image encryption. The second stage is data hiding. The third stage consists of the data extraction and image recovery. Fig. 2 shows the framework of the three stages, and the detailed processing is described in the following subsection.

A. RESERVE EMBEDDING ROOM
In our scheme, we use integer transform (1) to reserve the embedding room. Unlike scheme [29], which adaptively chooses the parameter m, we choose a fixed m for the integer transform and adjust the size of the blocks. We use the quadtree-based image partition to adjust the size of the blocks. When transforming the pixel vector $p = (p_1, p_2, \cdots, p_n)$ of an image block to $p' = (p'_1, p'_2, \cdots, p'_n)$, to prevent underflow/overflow in the transform, we must ensure that the transformed values belong to [0, 255]. So, according to (1), the pixel values must satisfy the following condition: Additionally, according to (3), to limit the distortion of the transform, the mean square error of the vector $p$ must satisfy: where T is a threshold value and $MSE(p, p') \le T$. Thus, for the given m, we must choose a suitable block size to make the pixel vector $p = (p_1, p_2, \cdots, p_n)$ satisfy the following condition C: So, we use condition C to drive the quadtree-based image partition of an original image. The process of reserving the embedding room is described as follows.
Step 1: Generate a 1-bit size label as the root node of the quadtree LT . Determine whether the pixel values vector in the whole image satisfy the condition C. If yes, set the value of the root node to 1, and terminate the partition process. If not, set the value to 0, and go to the next step.
Step 2: Divide the current image block into four sub-image blocks, determine whether the pixel value vectors of each sub-block satisfy condition C in a left-to-right, top-to-bottom order. Generate 4 label nodes to record the determined results. If a sub-block satisfies the condition C, then set the corresponding label value to 1. If no, then set it to 0. Take the four label nodes as the child nodes of the current label node.
Step 3: For each of the four child blocks, assuming that (j − 1) blocks have already been confirmed:
Case 1: If its label value is 1, the block is represented as pb (j) , and we take the pixel values to form an integer vector (j) . Reshape pb (j) to an image block pb (j) , and record the m LSBs of r(pb (j) ) in LSB 1 (j). Record the location and size of this block in the blocks table BT (j) for the next encryption process and end the partition in this block.
Case 2: If its label value is 0 and the size of the block is equal to the pre-defined minimum size, then keep the pixel values in this block unchanged and end the partition in this block. Record the location and size of this block in BT (j).
Case 3: If its label value is 0 and the size of the block is larger than the pre-defined minimum size, then go to Step 2 to continue dividing this block to four smaller sub-blocks.
After completing the image partition according to condition C, we get a label tree LT, like the example shown in Fig. 1. The leaf nodes of LT denote all the blocks of the image. The original image consisting of all the blocks is denoted as $I = \{pb^{(1)}, pb^{(2)}, \cdots, pb^{(N)}\}$, and the transformed image is denoted as $I' = \{pb'^{(1)}, pb'^{(2)}, \cdots, pb'^{(N)}\}$, where N is the number of blocks. For the pixel values $pb'^{(j)}_i$ in those blocks whose label values are 1, the m LSBs are all zeros, which is the embedding room reserved by integer transformation. Meanwhile, the block table BT records the location and size information of each block. The data hider and receiver can obtain the block table BT again by operating the image partition according to the label tree LT. So, we only need to embed the LT information in the encrypted image.
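The partition, and the claim that the block table BT can be rebuilt from the label tree LT alone, can be checked with a short sketch. This is an added example, not the authors' code: condition C did not survive extraction on this page, so a variance threshold `T` stands in for it, and the 8 × 8 image, `T` and `MIN_SIZE` are constructed values. Label bits are emitted in breadth-first order, the order in which the page serializes LT.

```python
from collections import deque

T = 4.0        # assumed threshold standing in for condition C
MIN_SIZE = 2   # assumed pre-defined minimum block size

# Constructed 8x8 image: three flat quadrants, one with a textured 2x2 corner.
IMAGE = [
    [100, 100, 100, 100, 120, 120, 120, 120],
    [100, 100, 100, 100, 120, 120, 120, 120],
    [100, 100, 100, 100, 120, 120, 120, 120],
    [100, 100, 100, 100, 120, 120, 120, 120],
    [50, 52, 200, 10, 90, 90, 90, 90],
    [51, 50, 30, 250, 90, 90, 90, 90],
    [50, 50, 60, 60, 90, 90, 90, 90],
    [50, 50, 60, 60, 90, 90, 90, 90],
]


def variance(pixels):
    """s^2(p) from Section II-A: mean squared deviation from the mean."""
    mean = sum(pixels) / len(pixels)
    return sum((p - mean) ** 2 for p in pixels) / len(pixels)


def satisfies_c(pixels):
    """Stand-in for condition C (assumption): the block is smooth enough."""
    return variance(pixels) <= T


def children(x, y, size):
    """Four sub-blocks in left-to-right, top-to-bottom order."""
    h = size // 2
    return [(x, y, h), (x + h, y, h), (x, y + h, h), (x + h, y + h, h)]


def partition(image, min_size=MIN_SIZE):
    """Owner side: return (label bits in breadth-first order, block table).

    Each block table entry is (x, y, size, label); label 1 marks an
    embeddable block, label 0 a minimum-size block that is left unchanged.
    The image is assumed square with a power-of-two side.
    """
    bits, table = [], []
    queue = deque([(0, 0, len(image))])
    while queue:
        x, y, size = queue.popleft()
        pixels = [image[r][c] for r in range(y, y + size)
                  for c in range(x, x + size)]
        label = 1 if satisfies_c(pixels) else 0
        bits.append(label)
        if label == 1 or size <= min_size:
            table.append((x, y, size, label))
        else:
            queue.extend(children(x, y, size))
    return bits, table


def rebuild_table(bits, image_size, min_size=MIN_SIZE):
    """Hider/receiver side: rebuild the block table from the label bits only.

    The bits are read out of a received image, so a sequence that is too
    short or too long for a valid tree is rejected instead of trusted.
    """
    stream = iter(bits)
    table = []
    queue = deque([(0, 0, image_size)])
    while queue:
        x, y, size = queue.popleft()
        label = next(stream, None)
        if label not in (0, 1):
            raise ValueError("label tree is truncated or malformed")
        if label == 1 or size <= min_size:
            table.append((x, y, size, label))
        else:
            queue.extend(children(x, y, size))
    if next(stream, None) is not None:
        raise ValueError("trailing bits after a complete label tree")
    return table


if __name__ == "__main__":
    lt_bits, bt = partition(IMAGE)
    print("LT bits:", lt_bits)
    print("BT rebuilt identically:", rebuild_table(lt_bits, len(IMAGE)) == bt)
    embeddable = sum(size * size for _, _, size, label in bt if label == 1)
    print("embeddable pixels:", embeddable, "of", len(IMAGE) ** 2)
```

The block table here is listed in breadth-first order; the page's own block index j may follow a different order.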

B. IMAGE ENCRYPTION
According to the block table BT, the image owner encrypts the transformed image $I'$ block by block. If we directly encrypt it with a stream cipher, then the m LSBs of the encrypted pixel values of blocks whose label values are 1 will disclose information about the encryption key. Therefore, to prevent disclosure of the encryption key information, we pad messages in the m LSBs of pixel values in those blocks before encryption. The encryption processing is presented as follows.
Step 1 (LSBs Padding): For each block pb (j) whose label value is 1, the m LSBs of pixel values in those blocks are zeros. The pixel value pb (j) i in each block pb (j) is represented as 8 bits binary pb then the padding result is pb After all the blocks have been processed, we obtain the new image I p = {pb (1) , pb (2) , · · · , pb (N ) }. Fig. 3 shows an example of LSBs padding: here, the padding messages are computed by b
Step 2 (Image Encryption): Here, we apply the standard key stream cipher to encrypt the image. We use the key shared with the receiver as the seed key of a pseudorandom number generator to generate the encryption key sequence Key = {key (1) , key (2) , · · · , key (N ) }, where key (j) is a key block with the same size as block pb (j) and 1 ≤ j ≤ N . The pixel value pb where b = 1, 2, · · · , 8, pb i(j) (b) represents the b-th bit of the i-th pixel value in the block pb (j) , and key (j) i (b) represents the b-th bit of the i-th key in the key block key (j) . When all the blocks have been encrypted, we obtain the encrypted image I c = {cb (1) , cb (2) , · · · , cb (N ) }.
Step 3 (Auxiliary Data Self-Embedding): In order to implement the data hiding and decryption, the encrypted image must carry the label tree LT. Convert the label tree LT to a binary sequence LT b in breadth-first order as part of the auxiliary information. Then, to recover the original image, the m LSBs of the mean values of each transformed block, which are recorded in LSB 1 , are required. So, we first losslessly compress the auxiliary data consisting of LT b and LSB 1 , then embed it in the fixed square area in the upper left of the encrypted image by m-LSB substitution. When the auxiliary data is embedded in blocks whose label is 1, no additional operation is needed because the m LSBs of the pixels in those blocks are all zeros. If the pixels carrying auxiliary data belong to blocks whose label is 0, we record their original m LSBs in LSB 0 ; LSB 0 is then taken as part of the secret data to be embedded in the encrypted image using the data embedding processing.

C. SECRET DATA EMBEDDING
The data hider embeds the secret data in the encrypted image I c by the XOR operation, which contains three steps. The detailed data embedding process is described as follows.
Step 1 (Image Partition): Extract the auxiliary data LT b from the mLSBs of pixels in the upper left square area of the encrypted image, and convert LT b into label tree LT . According to the label tree LT , segment the encrypted image I c again to obtain the block table BT . According to BT , divide I c into a series of blocks, and denoted as I c = {cb (1) , cb (2) , · · · , cb (N ) }. Then, divide it into two parts I c = I c0 ∪ I c1 , where I c1 denotes the blocks whose label values are 1, and I c0 denotes the blocks whose label values are 0.
Step 2 (Blocks Sorting): After the image partition, according to LT, obtain the distribution graph of blocks and label values. According to the distribution graph, sort all the embeddable blocks that do not carry the auxiliary data, starting from the larger blocks first, top to bottom, and left to right, and then obtain the sorted embeddable block set I c1 = {cb (1,1) , cb (1,2) , · · · , cb (1,N 1 ) }, where N 1 ≤ N . Fig. 4 shows a blocks sorting example in a 16 × 16 sized image, in which
Step 3 (Data Embedding): Convert the binary secret data into a 2 m -ary integer sequence and divide it into a set of blocks s = {s (1) , s (2) , · · · , s (L) } according to I c1 , where L ≤ N 1 . The i-th secret digit s (j) i in block s (j) will be embedded into the pixel cb (1,j) i in the block cb (1,j) as follows: where b = 1, 2, · · · , 8. Finally, we obtain the marked encrypted image I mc = I c0 ∪ I mc1 = {mcb (1) , mcb (2) , · · · , mcb (N ) }. Fig. 5.a shows an example of the image encryption, in which the block after the m LSBs padding is pb (1,j)

D. DATA EXTRACTION AND IMAGE RECOVERY
When receiving the marked encrypted image I mc , the receiver extracts the mLSBs of the pixels in the upper left fixed square area of the encrypted image to obtain the auxiliary data LT , LSB 1 . According to the tree LT , divide the encrypted image I mc to reconstruct the block table BT again. According to BT , divide I mc into I mc = {mcb (1) , mcb (2) , · · · , mcb (N ) }.
Step 1 (Decryption): Use the key shared with the content owner as the seed key of the shared pseudorandom number generator to generate the decryption key sequence Key = {key (1) , key (2) , · · · , key (N ) }, where key (j) is a key block with the same size as block mcb (j) and 1 ≤ j ≤ N . Decrypt the pixel mcb (j) i in the block mcb (j) of the marked encrypted image I mc with the decryption key key (j) i as follows: sb After all the pixels have been decrypted, obtain a stego-image I s = {sb (1) , sb (2) , · · · , sb (N ) }. According to LT, divide I s into two parts: the non-embeddable block set I s0 and the embeddable block set I s1 , that is, I s = I s0 ∪ I s1 . The non-embeddable blocks are not modified in the integer transformation and data embedding process, so I s0 is part of the original image, which is denoted by I 0 . Sort all the embeddable blocks in I s1 , and obtain the embeddable block set that is denoted by I s1 = {sb (1,1) , sb (1,2) , · · · , sb (1,N 1 ) }, where N 1 ≤ N .
Step 2 (Secret Data Extraction): For the pixel value sb (1,j) i in the stego-block sb (1,j) , according to (6), (7), and (8), we can verify that: The binary representations of sb Therefore, When all the embedded blocks have been processed, the secret data s = {s (1) , s (2) , · · · , s (L ) } is extracted. Then, LSB 0 is split from s to recover the mLSBs of the pixel values in a block that carry auxiliary data and whose labels are 0.
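The weakness from Section II-A and the padding, encryption, embedding and extraction steps of Sections III-B to III-D can be traced on a single block. This is an added example, not the authors' code: the transformed pixels and key bytes are those of the page's Section II-A example, the secret digits are constructed, and because the padding equation did not survive extraction, `pad_from_msbs` (an XOR-fold of the (8 − m) MSBs) is a hypothetical stand-in for it.

```python
M = 2                      # reserved LSBs per pixel, as in the page's example
MASK = (1 << M) - 1

# Transformed pixels and key bytes from the page's Section II-A example.
TRANSFORMED = [0b10011100, 0b10100000, 0b10011000, 0b10100100]
KEYSTREAM = [0b10100010, 0b00011001, 0b01001000, 0b10001100]
SECRET = [3, 0, 2, 1]      # constructed 2^m-ary secret digits


def xor_stream(pixels, keystream):
    """Stream cipher step: encryption and decryption are the same XOR."""
    return [p ^ k for p, k in zip(pixels, keystream)]


def low_bits(values):
    """The M least significant bits of each value."""
    return [v & MASK for v in values]


def pad_from_msbs(pixel):
    """Hypothetical padding rule: XOR-fold the (8 - M) MSBs into M bits.

    Only bits above the reserved LSBs are read, so the result is the same
    before and after the data hider modifies the LSBs.
    """
    msbs, pad = pixel >> M, 0
    while msbs:
        pad ^= msbs & MASK
        msbs >>= M
    return pad


def pad_block(transformed):
    """Owner: fill the zero LSBs with padding derived from the MSBs."""
    if any(p & MASK for p in transformed):
        raise ValueError("block was not transformed: reserved LSBs not zero")
    return [p | pad_from_msbs(p) for p in transformed]


def embed(cipher, digits):
    """Data hider: XOR one digit into the M LSBs of each pixel, no key used."""
    if any(not 0 <= d <= MASK for d in digits):
        raise ValueError("secret digit does not fit in M bits")
    return [c ^ d for c, d in zip(cipher, digits)]


def extract_and_restore(marked, keystream):
    """Receiver: decrypt, strip the padding to get the digits, zero the LSBs."""
    stego = xor_stream(marked, keystream)
    digits = [(s & MASK) ^ pad_from_msbs(s) for s in stego]
    restored = [s & ~MASK & 0xFF for s in stego]
    return digits, restored


def leaked_without_padding():
    """Ciphertext LSBs when the zero LSBs are encrypted directly."""
    return low_bits(xor_stream(TRANSFORMED, KEYSTREAM))


def run_padded_scheme():
    """Pad, encrypt, embed, then decrypt and extract on the sample block."""
    cipher = xor_stream(pad_block(TRANSFORMED), KEYSTREAM)
    marked = embed(cipher, SECRET)
    digits, restored = extract_and_restore(marked, KEYSTREAM)
    return low_bits(cipher), marked, digits, restored


if __name__ == "__main__":
    print("key LSBs:              ", low_bits(KEYSTREAM))
    print("cipher LSBs, unpadded: ", leaked_without_padding())
    cipher_lsbs, marked, digits, restored = run_padded_scheme()
    print("cipher LSBs, padded:   ", cipher_lsbs)
    print("extracted digits:      ", digits)
    print("transformed block back:", restored == TRANSFORMED)
```

With this stand-in two of the four pads are 0, so those ciphertext LSBs still equal the key bits; the protection argued in Section IV-A rests on an observer not knowing the MSBs and therefore not knowing which pads are zero.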

IV. EXPERIMENTAL RESULTS AND ANALYSIS
In this section, we will evaluate and analyze the performance of the proposed scheme. We first analyze the security of the mLSBs of the encrypted image. Then, we evaluate the performance of the proposed method on some standard test images and 10000 images from BOWS-2 database [33], and present the comparison results with some relevant works.

A. SECURITY ANALYSIS
The security analysis of the RDHEI scheme contains two aspects. The first is to analyze the security of the encrypted images, where we demonstrate that the process of pre-processing and data embedding don't affect the statistical security of encrypted images. The second is to analyze the security of the secret data, where we demonstrate that an attacker can't disclose the secret data without the decryption key.
In the proposed scheme, because a stream cipher is used to encrypt the image, the randomness of the encrypted pixels is guaranteed by the pseudo-randomness of the encryption key. Thus, we can conclude that the proposed scheme can resist statistical analysis attacks given a secure encryption key. In Section II-A, we pointed out the security weakness of directly using the reversible integer transformation (1) to reserve embedding room, which results from the m LSBs of the pixel values in the transformed image being zeros. If we directly encrypt the transformed image, then the m LSBs of the pixel values in the encrypted image disclose m bits of the encryption key.
In our scheme, we use the (8-m)MSBs of the transformed pixels that are not modified in the data embedding process to generate a padding message. Then, we use the padding message to pad the m bits LSBs of the transformed pixel values. Thus, the m LSBs of those pixel values in the encrypted image are the ciphertexts of the padding message. This method allows us to keep the randomness of the cipher image. The attackers can't disclose the (8-m)MSBs information without the encryption key, so they can't predict the m bits padding data. Therefore, we can ensure the security of the encryption key.
In the proposed scheme, the receiver only shares one secret key. In the data embedding process, the secret data are embedded in the m LSBs of the embeddable pixel values. This means that the secret data are encrypted with the padding message as the encryption key. Here, we must point out a reasonable assumption: an attacker will not capture and save the encrypted image if they can't detect the intention of data hiding. Therefore, when an attacker obtains the marked encrypted image and obtains the auxiliary data LT, they can know the image partition and the label values, but they can't extract the secret key without the image encryption key because they can't obtain the right padding message. A receiver who has the image encryption key can decrypt the right (8-m) MSBs of each pixel value and remove the padding message in the data extraction. In all, we use the LSBs padding method to improve the security of the image encryption, which also guarantees the security of the embedded message without a data hiding key.

B. ANALYSIS RESULTS FOR SOME EXPERIMENTS
In this section, we run a sequence of experiments to evaluate the proposed scheme using some test images. The test images contain six standard images and 10000 images from the BOWS-2 database. All the test images are sized 512 × 512. Fig. 7.c, Fig. 7.g, and Fig. 7.k are directly decrypted images. Fig. 7.d, Fig. 7.h, and Fig. 7.l are recovered images. As shown in Fig. 7, we can obtain the stego-image after image decryption. Compared with the original images, the PSNR values of the recovered images are near +∞, which means that our scheme is reversible.
In the proposed scheme, a pixel in the embeddable blocks of $I_{c1} = \{cb^{(1,1)}, cb^{(1,2)}, \cdots, cb^{(1,N_1)}\}$ carries $m$ bits of secret data. Assume that the total number of pixels in block $cb^{(1,j)}$ is $L^{(1,j)}_{cb}$. In each block, we must use $m$ bits to record the $m$ LSBs of the mean value of the block $pb^{(1,j)}$, used in the integer transformation processing and image recovery. In addition, we also record the label tree for the image partition, and the length of the label is denoted as $L_{LT}$. Therefore, the embedding capacity (EC) and embedding ratio (ER) of the proposed scheme are where $W \times H$ is the size of the original image.
Here, we analyze the embedding capacity of the proposed scheme from two aspects. The first is to evaluate the quality of the directly decrypted images with different payloads. We conduct the experiment on six test images, and Fig. 8 shows the experimental results. The image quality is maintained well with a low payload, then declines as the payload increases. In the high payload stage, the image quality is not very good but it is acceptable. The scheme also performs better for smooth images than for complex images. The second aspect is to evaluate the maximum embedding capacity. We first take the six test images to calculate the embedding capacity according to (11) and (12), and Table 1 shows the experimental results. When the parameter m = 1, which means reserving a 1-bit embedding room in a pixel, the maximum embedding ratio is over 0.9 bpp in all test images. The first four test images reach the maximum embedding capacity when m = 4. In addition, a larger m may lead to a decrease in the number of embeddable blocks, and thereby a lower embedding capacity. For example, in Lake and Wine, the embedding capacity declines when m increases from 3 to 4. Of course, the directly decrypted image quality will decline as the payload increases. From the experimental results shown in Fig. 7 and Fig. 8, we can conclude that the proposed scheme has a high embedding capacity with an acceptable directly decrypted image quality.
To further evaluate the embedding capacity of the proposed scheme, we run the scheme on 10000 images from the BOWS-2 database [33]. Table 2 shows the experimental results in terms of quartiles (1st quartile, median, and 3rd quartile) and mean value. When m = 1, the embedding ratio is higher than 0.9004 bpp for 75% of images, and higher than 0.9750 bpp for 25% of images. When m = 2, the embedding ratio is higher than 1.4731 bpp for 75% of images, and higher than 1.8161 bpp for 25% of images. When m = 3, the mean embedding ratio is 1.9314 bpp, and the embedding ratio is higher than 2.4014 bpp for 25% of images. When m = 4, we can get a higher embedding ratio in some smooth images, but a lower one in some images with complex texture, and the mean value is close to the mean value with m = 3.

C. COMPARISON EXPERIMENTS AND ANALYSIS
In Section IV-A we have shown that the proposed scheme improves the security of the cipher image compared to the scheme [29]. In addition, instead of adjusting the parameter m in fixed-size blocks to satisfy the predefined condition, our scheme adjusts the block sizes by a quad-tree based image partition with a fixed parameter m. We hope to use this method to reduce the auxiliary data and improve the embedding capacity. Table 3 shows the experimental results. We choose the 4 × 4 block size in [29], which performs better than other block models. The experimental results show that our method obtains a higher embedding capacity in the six test images when the parameter m = 1 and m = 2. To further verify the embedding capacity, we experiment on 10000 images from the BOWS-2 database to evaluate the mean embedding capacity. The mean embedding ratio in [29] is 0.8555 bpp when max(m) = 1, and 1.5592 bpp when max(m) = 2. The mean embedding ratio of the proposed scheme is 0.9248 bpp when m = 1, and 1.6107 bpp when m = 2.
Next, we compare our scheme with other relevant methods [7], [11], [15], [24]-[26] in embedding capacity. Chen et al. [11] also reserved the embedding room using a reversible integer transformation, and it is also a SOK-type scheme. In [11], two adjacent pixels carry one bit of secret data, so the max embedding capacity of this scheme is 0.5 bpp. Malik et al. [15] reserved the embedding room in the MSBs using the prediction-error method, and the max embedding capacity is about 0.74 bpp. The experimental results show that the proposed scheme has a higher embedding capacity than these two schemes. Di et al. [25] used the bitplane operation and adaptive embedding method to improve the embedding capacity of the existing schemes. Scheme [24] divided the encrypted image into blocks and embedded the secret data in each block using the histogram shifting method. Huang and Wang [26] combined the MED prediction and a specific encryption algorithm to reserve the embedding room for data embedding in the encryption processing and obtained a higher embedding capacity than the above schemes. The detailed comparison results are shown in Table 4. The proposed scheme has a higher embedding capacity than other schemes in most test images.

V. CONCLUSION
This paper proposed an SOK-type RDHEI scheme using a reversible integer transformation and quad-tree-based image partition, in which we do not need to use a data hiding key to protect the security of the embedded messages. We used the reversible integer transformation based on the various sized blocks to reserve the embedding room. To prevent the LSBs of the pixel values in the cipher image from disclosing the encryption key, we padded information in the m LSBs of the cover pixels after reserving the embedding room. The data hider can embed the secret data directly in the encrypted image through an XOR operation without a data hiding key. The receiver can extract the secret data and recover the original image with the encryption key. The security analysis shows that the proposed scheme improves the security of image encryption that reserves the embedding room in the LSBs of original images. In addition, the experimental results on the six test images and 10000 images from the BOWS-2 database show that the proposed scheme can obtain a high embedding capacity. Therefore, this RDHEI scheme can be used to provide data hiding and image privacy, in which the receiver only shares a key with the content owner. However, the visual quality of the directly decrypted image is also important in some application scenarios.
In this paper, we mainly focus on the improvement of the embedding capacity and security. Of course, there are requirements for the visual quality of the directly decrypted image in some application scenarios. In future work, we are interested in finding an effective way to improve the visual quality of the directly decrypted image, and in constructing SOK-type RDHEI schemes based on the homomorphism of encryption algorithms.