TSINGHUA SCIENCE AND TECHNOLOGY

ISSN 1007-0214 13/28 pp1139−1156

DOI: 1 0 . 2 6 5 9 9 / T S T . 2 0 2 3 . 9 0 1 0 1 1 6
Volume 30, Number 3, June 2025

High Capacity Reversible Data Hiding Algorithm in Encrypted Images

Based on Image Adaptive MSB Prediction and Secret Sharing

Kaili Qi, Minqing Zhang*, Fuqiang Di, and Chao Jiang

Abstract: Until now, some reversible data hiding in encrypted images (RDH-EI) schemes based on secret
sharing (SIS-RDHEI) still have the problems of not realizing diffusivity and high embedding capacity. Therefore,
this paper innovatively proposes a high capacity RDH-EI scheme that combines adaptive most significant bit
(MSB) prediction with secret sharing technology. Firstly, adaptive MSB prediction is performed on the original
image and cryptographic feedback secret sharing strategy encrypts the spliced pixels to spare embedding
space. In the data hiding phase, each encrypted image is sent to a data hider to embed the secret information
independently. When r copies of the image carrying the secret text are collected, the original image can be
recovered lossless and the secret information can be extracted. Performance evaluation shows that the
proposed method in this paper has the diffusivity, reversibility, and separability. The last but the most important,
it has higher embedding capacity. For 512 × 512 grayscale images, the average embedding rate reaches
4.7358 bits per pixel (bpp). Compared to the average embedding rate that can be achieved by the Wang et al.’s
SIS-RDHEI scheme, the proposed scheme with (2, 2), (2, 3), (2, 4), (3, 4), and (3, 5)-threshold can increase by
0.7358 bpp, 2.0658 bpp, 2.7358 bpp, 0.7358 bpp, and 1.5358 bpp, respectively.

Key words: adaptive most significant bit (MSB) prediction; password feedback secret sharing; high embedding
capacity; reversible data hiding in encrypted images

1 Introduction proposed another SIS-RDHEI scheme. In this scheme,

Recently, some reversible data hiding in encrypted
images schemes based on secret sharing (SIS-RDHEI)
schemes have been proposed[1−7]. In Ref. [1], Wu et al.
first adopted the secret sharing technology in reversible
data hiding in encrypted images (RDH-EI) scheme, in
which secret data were first secretly shared and then
moved into the encrypted image by using differential
expansion or differential histogram. Later, Chen et al.[2]
Kaili Qi, Minqing Zhang, Fuqiang Di, and Chao Jiang are with
Key Laboratory of Network & Information Security under PAP,
Engineering University of PAP, Xi’an 710086, China. E-mail:
the data hider used differential expansion and addition
homomorphism methods to embed secret data, but this
algorithm only had one data hider, and the embedding
rate was not high. In order to achieve greater
embedding capacity, Chen et al.[3] proposed a new
method with multiple data hiders, each of which could
embed secret data by replacing one pixel in every n
pixels in the data hiding stage. The embedding rate
decreases with the increase of the number of data
hiders. However, when n > 7, the embedding rate of the
scheme is limited. In order to further improve the
performance of the algorithm, Hua et al.[5] proposed a

[email protected]; [email protected]; 18710752607@
new SIS-RDHEI scheme based on advanced
163.com; [email protected].
encryption standard (AES) cryptographic feedback
* To whom correspondence should be addressed.
Manuscript received: 2023-06-25 ; revised: 2023-10-03; strategy, which had multiple data hiders. This new SIS-
accepted: 2023-10-06 RDHEI scheme[5] used most significant bit (MSB)

© The author(s) 2025. The articles published in this open access journal are distributed under the terms of the
Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
 1140 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156
prediction technology to obtain a larger embedding rate
and a smaller encrypted image, but the embedding
capacity is still not high enough. In the scheme[6] with
greater improvement in embedding capacity, Wang et
al.[6] used the redundant space of the encryption
process to embed information, and selected prime q =
216 + 1 to construct a finite field, accordingly GF(q) =
{0, 1, ..., 65 536}. Before secret segmentation, a pair of
pixels (x, y) is selected to merge and expand to 16 bits.
At the same time, the bits of the secret information
embedded as polynomial coefficients are also
expanded to 16 bits, increasing the space of the
embedded secret information. The embedding
performance of this scheme is not restricted by the
carrier image, and on the basis of ensuring reversible
extraction of embedded information, its embedding
capacity is significantly improved compared with the
SIS-RDHEI methods in Refs. [1, 3, 7]. However,
compared with scheme of Ref. [5], scheme of Ref. [6]
does not add password feedback technology and cannot
realize the diffusivity feature. What is more, this
scheme does not take advantage of the correlation
between pixels of the carrier image, so the embedding
capacity still needs to be further improved. As a whole,
it is still a challenge for SIS-RDHEI schemes to
simultaneously realize high embedding rate, diffusivity
and high security.
In order to further improve the embedding capacity
and application performance of SIS-RDHEI schemes,
this paper proposes a high capacity SIS-RDHEI
scheme based on adaptive MSB prediction. The
proposed method is inspired by the scheme design of
Refs. [5, 6], and innovatively combines the adaptive
MSB prediction method proposed In Ref. [8] with the
secret sharing technology proposed In Ref. [5]. In
addition, for the idea of expanding the number of bits
of polynomial coefficients proposed In Ref. [6], the
maximum number of pixels that can be achieved as
polynomial coefficients are expanded to 16 bits
according to the characteristics of adaptive MSB
prediction method in the proposed scheme, which
increases the space of embedded information. From the
performance of the implementation in this paper, the
proposed algorithm makes full use of the redundancy
of the carrier image, further improves the embedding
capacity and realizes the diffusivity. In addition, it has
reversibility and separability at the same time. Last but
not least, this paper has the high security and realizes
the disaster recovery backup of carrier image, which
has very high application value.
2 Introduction to Basic Knowledge
2.1 Analysis of adaptive MSB prediction method
The adaptive MSB prediction[8] is a method that
predicts the MSB bits shared by the remaining pixels
and the target pixels by using the upper left corner
pixel after receiving the encrypted image, so that the
remaining unshared bits can be retained adaptively by
the remaining pixels and free up the embedding space.
In the scheme of Ref. [8], the 2 × 2 block method is
adopted to carry out block-level encryption and
scrambling in the encryption process, so as to resist
attackers’ analysis of encrypted images. Figure 1
shows the structure of each block. Each pixel block
consists of four pixels P, C1, C2, and C3. The pixel P
marked in red is used to predict the other three pixels,
which are the target pixels. For each pixel block, all
four pixels are first decomposed into binary 8-bits, and
then three variables D1, D2, and D3 are obtained by the
following formula:
Di = dif (P, Ci ) , i = 1, 2, 3 (1)
Return the least significant bit (LSB) value that a and
b do not share. For example, dif (127, 98) = 5 , for the
reason that 127 = (01111111)2 and 98 = (01100010)2 .
According to the variables D1, D2, and D3, the
minimum digit value of MSB shared by P with C1, C2,
and C3 can be calculated, the variable md can be
calculated as follows:
md = 8 − max(D1 , D2 , D3 ) (2)
Since the value range of md belongs to the
interval[1, 3], in order to uniformly use three bits to
represent md, MD is used to replace md, where the
(8−md)-LSBs value of MD is (md − 1), so that all the
decimal expressions of MD are within the interval [0,
7]. In this scheme, the values of C1, C2, and C3 are
taken as prediction errors e1, e2, and e3, respectively,
and in this way, all 32 bits are reconstructed. As shown
in Fig. 1, there are six components marked by different
P C1
C3 C2 P MD e1 e2 e3 nc
Fig. 1 Demonstration of pixel structure and reconstruction
of pixel bits.
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive …
colors. Pixel P occupies the first 8 bits, variable MD
occupies the next 3 bits, prediction error e1, e2, and e3
occupies 3 × (8 − md) bits, and nc represents the
remaining (3md − 3) bits that can be embedded into the
secret data. In this method, a large number of pixel
blocks can be embedded into the secret data, which not
only achieves a high embedding capacity, but also
realizes the complete reversible recovery and the
separability of data extraction and image recovery.
However, in this method, when the value md is 0 or 1,
this method cannot embed any secret.
2.2 Password feedback secret sharing
There are many schemes’ coefficients come from
secrets[9−11] in SIS-RDHEI. In the scheme of Ref. [10],
all r coefficients come from secrets, then each portion
has a 1/r size of the original secret, and all n portions
have the same size of the original secret. However, this
scheme cannot realize the diffusivity and does not use
random numbers in the sharing process, so the security
level is limited. In order to reduce data diffusion and
realize the diffusivity characteristics of the scheme,
Ref. [5] proposes a new cipher-feedback secret sharing
(CFSS) scheme based on the password feedback mode
of AES. In this scheme, the last coefficient of the
polynomial is taken from a random share of the
previous share’s result. That is, p is randomly selected
from 1, 2, …, n of each share. The p of first coefficient
is a random integer. Using this cryptographic feedback
strategy, any change in the embedded encrypted image
can completely change the share obtained, thus the
scheme achieves diffusivity. The concrete construction
of (r, n)-threshold CFSS scheme is to divide the secret
S into several non-repeating parts, and each part has r −
1 elements. The key generates n distinct integers {x1,
x2, …, xn}. For the j-th segment, the polynomial of
degree r − 1 is constructed as
 
 ∑
r−2 
f j (x) = a0 + ak xk + f j−1 (x p )xr−1  mod F
k=1
where (a0, a1, …, ar−2) are r−1 elements in the j-th part
of S. fj−1(xp) is a randomly selected previous shared
result, where xp (p∈{1, 2, ..., n}) is the input selected
from the previous share, p is random in each share.
When j =1, f0(xp) can be any random integer satisfying
f0(xp) < f, when x∈{x1, x2, ..., xn}, n shares become
{fj(x1), fj(x2), ..., fj(xn)}. Then, one party Pi has identity i
and the j-th element fj(xi) of the share. (r, n)-threshold
CFSS scheme can realize diffusivity. When a bit is
1141
changed in the secret S, all elements can be randomly
changed through the password feedback structure and
random integer f0(xp)[5]. Since fj−1(xp) is randomly
selected from n previous sharing results, and p can be
different in each sharing, it can further enhance the
security of scheme. In terms of the algorithm process,
In Ref. [5], the content owner first splices the low pixel
bits of two adjacent pixels according to the predictor as
the coefficient of the polynomial for encryption, then
divided the encrypted pixels into pixels and filled the
high pixel bits into the highest 8 bits of the polynomial
coefficient. Next, the data hider replaces MSBs of the
padding to embed the secret information. Finally, the
receiver extracts the secret message or restores the
original image according to the corresponding key.
According to the analysis of the algorithm process and
the experimental results of Ref. [5], the scheme still has
the problem of low embedding capacity. On one hand,
the side information of the scheme to recover the
original image and extract the secret information is
large, on the other hand, the maximum number of bits
when the concatenated pixels are used as polynomial
coefficients is 8 bits, and the maximum number of
pixels formed after encryption by secret sharing
technology is also 8 bits. Therefore, after the encrypted
pixels are divided, the two pixels after segmentation
are filled again to the maximum number of pixels 8
bits, the space of embedded information is limited and
the embedding rate is not high enough.
3 Algorithm Design
This paper proposes a high capacity SIS-RDHEI
scheme based on adaptive MSB prediction. The
detailed process of the scheme is shown in Fig. 2. For
image content owners, the original image I is firstly
used for adaptive MSB prediction based on the
correlation between adjacent pixels of natural images,
then the (8−d)-LSBs not shared by pixels are retained
(3) and used as the coefficient of polynomial secret sharing
after pixel reconstruction. The remaining d-MSBs
shared by pixels, the number of shared bit d’s stream
D, the location MAP, and other additional data are used
as side information to restore the original image. Next,
(8−d)-LSBs parts of the original image and edge
information are encrypted and divided into n parts
according to the encryption key Ke through the secret
sharing technology. The encrypted pixels will
adaptively retain the corresponding pixel bits according
to the different shared bits d, so that in the next MSB
 1142 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156

Content owner Encryption key Ke

E1 MSBs padding

…
Original Adaptive MSB Image, side information
Ei EE1, …, EEi, …, EEn
image I prediction encryption, and sharing

…
En

Receiver Data hider

Decryption key Kd
Data hide 1
Message
Reconstructed Image r shares
Data hiding
image reconstruction

Kh(1)
Side information

…
Data hide n

Extracted Message
Data extraction Share Em
message Data hiding

Data hiding key Kh(n) Kh(n)

Fig. 2 High capacity RDH-EI framework based on adaptive MSB prediction and secret sharing.

filling stage, the pixels with different bits can be the marked encrypted image according to the
adaptively filled into 16 bits. For the data hider, after decryption key.
receiving n copies of the encrypted image, the secret
3.1 (r, n)-threshold secret sharing and encryption
data can be embedded into the encrypted image by
replacing the (8+d)-MSBs bits of each 16-bit pixel. For The image owner first divides the original image into
the receiver, the embedded secret data can be extracted several non-overlapping blocks of 2 × 2 size, and
from the marked encrypted image according to the data carries out adaptive MSB prediction on the four pixels
hiding key, and the original image can be within the block. The maximum number of shared
nondestructively reconstructed from at least r copies of MSB bits is d. As shown in Fig. 3, d is “10”, which is
(r=3, n=4, l=2)
Content owner
d-MSBs
010 10 map
Side information 1010 1111
1000 1011 883 13 51 29837 38067
I: 175 139 136 138 116 141 148 181
1000 1000
f j−1(q j−1+p)=91 MSBs
1000 1010 1593 Separation 24 57 padding 63640 45241 248 152 176 185
Separation
10 1111 10 1111 10 1111 10 1111 f j (q j +k)=(3019+522(q j +k)+91(q j +k) 2)mod 4093
2485 38 53 37030 46261 144 166 180 181
q j =68
47 11 8 10 k=0, 1, 2, 3
3559 55 39 12471 31911 97 183 124 167
LSBs
concatenation
3019 522

Data hider Secret data Secret data Secret data Secret data

5261 62643
Share 1 116 141 148 181 0111 0100 1000 1101 1001 0100 1011 0011 0001 0100 1000 1101 1111 0100 1011 0011 20 141 244 179
Data 39064 53433
Share 2 248 152 176 185 1111 1000 1001 1000 1011 0000 1011 1001 1001 1000 1001 1000 1101 0000 1011 1001 Separation 152 152 208 185
embedding

Share 3 144 166 180 181 1001 0000 1010 0110 1011 0100 1011 0101 1111 0000 1010 0110 1101 0100 1011 0101 61606 54453 240 166 212 181

Share 4 97 183 124 167 0011 0000 1011 0111 0111 1100 1010 0111 0101 0000 1011 0111 0001 1100 1010 0111
20663 15527 80 183 30 167

Receiver

20 141 244 179 5261 62643 13 51 883

(8−l)LSBs
extraction Concatenation q j =68
152 152 208 185 39064 53433 24 57 1593 (3019, 522, 91)
Lagrange Separation

38 53 interpolation Side
240 166 212 181 61606 54453 2485
information
47 11 8 10 175 139 136 138 010 10 map

(8−l)LSBs I md d-MSBs

Fig. 3 Numeral algorithm example of the proposed scheme with a (3, 4)-threshold.
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive … 1143

represented as three bits “010”. Then, the qualified
pixels (8−d)-LSBs are retained, as shown in Fig. 3. The
(8−d)-LSBs “101111”, “001011”, “001000”, and
“001010” of the four pixels are retained, and every two
adjacent pixels are spliced to form a pixel of 2(8−d)
bits. Finally, shared MSB bits d-MSBs and the d are
processed as side information. The value of d ranges
from [0, 7], because d is represented by three bits. So
when d = 8, additional location MAP should be used as
additional information to embed in the image,
facilitating the image recovery and information
extraction by the receiver.
After the adaptive MSB prediction, every two
adjacent pixels form a 2(8−d) pixel. The reconstructed
pixels are taken as the coefficients (a0, a1, …, ar−2) of
Eq. (3). By adjusting and transforming the modulus F,
we can ensure that the results of polynomial operations
meet specific bit requirements, thereby maintaining
consistency with the coefficient bits and effectively
saving storage space. After polynomial operation, each
reconstructed pixel is 2(8−d) bits and then is divided
into two (8−d) bits pixels. In order to further improve
the embedding capacity, two pixels with different bits
of n copies are unified into 16-bit pixels through MSBs
filling respectively. Finally, n copies of the encrypted
image are forming.
3.1.1 Parameter setting
Inspired by the idea of expanding the bits’ number of
polynomial coefficient to 16 to improve the embedding
rate proposed In Ref. [6], this paper uniformly fills
pixels into 16 bits in the subsequent MSB filling stage,
thus further increasing the embedding space of the
proposed scheme. In this paper, when the image owner
carried out adaptive MSB prediction processing on the
original image, the value range of (8−d) bits retained
by each pixel after pixel prediction is correspondingly
[0, 8], since the range of MSB bits shared by pixels is
[0, 8]. That is, when the adjacent two pixels of retained
(8−d)-LSBs are splicing, the reconstructed pixel
number is 2(8−d), and the range is changed to [0, 16].
In order to adaptively retain the bits of pixels in the
adaptive MSB prediction stage, the corresponding
parameters of module F were set in the polynomial
secret sharing stage. When d = 8, no pixel in (8−d)-
LSBs is retained. In order to enable each pixel and
secret information to be shared and encrypted by
polynomials, the retained pixels’ bit is taken as 8 in this
special case, where the setting of module F is the same
as d = 0’s situation. In addition, considering that the
number of shared MSB bits d is 3, which can only
represent the cases in the range of [0, 7], the special
cases of d = 8 will be recorded with the location MAP.
For the setting of polynomial modulus F, considering
that when d = 6, 7, the (8−d)-LSBs retained after pixels
splicing are 4 and 2, respectively, there are 16 and
4 possible values of decimal pixel values, respectively.
Theoretically, the corresponding modulus can be
13 and 3, respectively. However, the range of abnormal
data overflow after polynomial secret sharing is [10,
13] and [2, 3], respectively. Therefore, it can be
analyzed that the value range of the abnormal data at
this time occupies a large component of the total pixel
value range, which will increase the amount of edge
information and affect the embedding performance of
the scheme. Therefore, when d = 6, 7, the parameter
setting and corresponding processing are uniformly
classified into the situation when d = 5. In the retention
(8−d)-LSBs stage, MSBs of retained bits are filled with
0 to 3 bits of the situation d = 5. Except for the above
three special cases, the selection of modulus F is all set
with the standard of minimum overflow pixels amount
and retaining the same number of reconstructed pixels
after polynomial processing.
The value of F corresponding to different shared
MSBs d are shown in Table 1. In Table 1, the value
range of overflow abnormal pixels under different F
values and the length W of corresponding bits used to
mark these special positions T are also explained.
3.1.2 Edge information embedded
In order to be able to recover the original image
reversibly, side information (SI) needs to be embedded
in the encrypted image, as shown in Table 2. In the
stage of image recovery and data extraction, the
receiver needs the total location map of MAP, the bits
Table 1 Concatenation strategies in the (8−d)-LSBs image
for different shared MSB maximum bits d.
Reserved Reference pixels’ Rearrangement
d F
LSBs bits D range E type lengths W
0 65 537 8 [65 536, 65 537] 1
1 16 381 7 [16 380, 16 383] 2
2 4093 6 [4092, 4095] 2
3 1021 5 [1020, 1023] 2
4 251 4 [250, 255] 3
5 61 3 [60, 64] 3
6 61 3 [60, 64] 3
7 61 3 [60, 64] 3
8 65 537 8 [65 536, 65 537] 1
 1144
Table 2 Components of the final side information SI.
Symbol Information Bit length (bit)
R Rearrangement type – secret information is embedded at (8+d)-MSBs of 16-
⌈ ⌉
LMAP Length of MAP log2 (MN)
⌈ ⌉
LT Length of T log2 (3MN/2)
MAP Compressed location map – key Kh to extract the encrypted secret data and decrypt
⌈ ⌉
B d-MSBs of the predictable pixels log2 (dMN)
T Reference information – key Kd', so as to obtain the secret data.
D Minimum value of shared MSB – Receivers with the decryption key Kd can reconstruct
stream B of the entire image’s d-MSBs, the total bits
stream d of the shared MSBs of each 2 × 2 block, the
types of rearrangement pixels, the bits stream T of
information recording the location and identification of
abnormal pixels, and the length information of various
parameters, LMAP, LT, and so on. The final side
message SI should be embedded in n encrypted images
before being sent to the data hider. In order to equally
divide the final side information into n encrypted
images, the proposed method still uses a polynomial to
encrypt the side information SI into n copies, and
embed the final encrypted side information into the
most significant bits of the first 8 pixels of each
encrypted image. Therefore, the proposed method can
recover the final complete side information only if
there are enough r encrypted images. When side
information is encrypted by polynomial secret sharing
method, pixel stitching and polynomial secret sharing
encryption are carried out based on the situation of d =
0. Therefore, after the side information SI being
encrypted by polynomial secret sharing, the side
1
information is SI.
2
3.2 Data hiding
For the data hider with the i-th encrypted image Ei, it
can directly embed the secret data into the encrypted
image without knowing the encryption key or the
content of the original image. Secret data are first
encrypted by an existing encryption algorithm (such as
data encryption standard (DES) or AES) using the data
encryption key Ke′ . Then, data hiders use data hiding
key Kh to embed encrypted secret data by replacing
(8+d)-MSBs bits of a pixel.
3.3 Data extraction and image recovery
Since data embedding and image encryption are
independent of each other, data extraction and image
reconstruction can be separated. Receivers obtain the
side information SI of the encrypted image and extract
Tsinghua Science and Technology, June 2025, 30(3): 1139−1156
ds’ bitstream D in the first 8 pixels. According to the
proposed secret information embedding strategy, the
bit pixels, so the first (8+d)-MSBs bits of all 16-bit
pixels are extracted. Then, receivers use data hiding
the encrypted secret data by using the data decryption
the original image from r marked encrypted images. In
the first step, receivers extract the encrypted side
information from these marked encrypted images. The
same pseudo-random integer sequence Q is generated
using the decryption key, and then the reverse
polynomial cryptographic feedback strategy is
performed to recover the final side information SI.
Finally, the compressed location MAP, the information
flow B of d-MSBs shared by all pixel blocks, and the
additional information T of abnormal pixels can be
recovered. In the second step, according to Table 1, the
(8−d)-LSBs of the encrypted image are combined, and
the reverse polynomial cipher feedback strategy is
executed to restore the modified image II', which is
composed of all modified pixels’ (8−md)-LSBs. In the
third step, the additional information T is used to
restore the original image II consist of all pixels’
(8−md)-LSBs. If the pixel value in II is (F−1), the
corresponding W bits in Table 1 is extracted from T
and the corresponding pixel value is modified. After all
pixels are processed, reverse arrangement is carried out
to obtain all original spliced pixels. Then, pixel
separation is carried out according to Table 1, bitstream
D to reconstruct (8−d)-LSBs of original image I.
Finally, the d-MSBs of the original image I are
recovered by MAP, ds’ bitstream D and d-MSBs
bitstream B. In this process, the uncompressed location
is obtained from the MAP, and the pixels are scanned
from left to right and from top to bottom. Next, the
pixels are extracted for the case when d = 8, and then
the pixels are restored according to the case when d =
0. The corresponding d-MSBs and (8−d)-LSBs are
combined to reconstruct the original pixels. After
rebuilding all pixels, the original image I can be
obtained.
Traditional RDH-EI schemes focus on a single data
hider. If one copy of the encrypted image is lost or
damaged, the original image cannot be recovered. The
proposed scheme can solve this problem because it
encrypts the original image into n copies and can fully
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive …
recover the original image from any r (r ⩽ n) shares. So
even if some share encryption image is lost or
damaged, as long as owns r shares without damage, the
original image can still be fully recovered, therefore the
image security is determined by r shares, which can
resist the collusive attack of r − 1 party.
3.4 Algorithm example
In order to better demonstrate the main process of the
proposed scheme, Fig. 3 shows a concrete example
with (3, 4)-threshold, which represents that the image
is encrypted into four encrypted images, and any three
of which can be used to reconstruct the original image.
Figure 3 shows the whole process of image sharing,
data hiding, and image reconstruction. When r = 3, two
pixels need to be constructed as the coefficients of the
polynomial, so four pixels of the original image are
needed in one shared operation. In the j-th section, it is
assumed that the four selected pixels are 175, 139, 136,
and 138, respectively. After eight-bit binary analysis of
pixels, the MSB shared by the four pixels is “10”,
namely, d = 2. Therefore, the remaining 6 bits of each
four pixels are retained, and the (8−d)-LSBs parts of
two adjacent pixels are spliced to obtain two 12-bit
reconstructed pixels, respectively.
Then, the two 12-bit reconstructed pixels are
converted into decimal form and used as two
coefficients of the polynomial. In addition, the j-th
element of the pseudo-random integer sequence Q is
qj = 68.
For the content owner, the side information is
generated first. After adaptive MSB prediction, the four
pixels (175, 139, 136, 138) have a shared MSBs of 2,
and d is “010”. The (8−d)-LSBs of the pixels are
reserved for constructing new pixels and laying the
foundation for the secret sharing in the next step. d-
MSBs, which is “10”, is recorded as additional
information to restore the image. Since only 3 bits are
used to represent the shared MSBs d, that is, d can only
record the shared bits from [0, 7]. Therefore, for special
cases d = 8 , it is necessary to use the MAP to record
the location information separately. Then, according to
Table 1, the (8−d)-LSBs value of four pixels is (41, 11,
8, 10), and the two adjacent elements are splice to get
two reconstructed pixels x0 = 3019 and x1 = 522 .
According to Table 1, because x0 , x1 < [4092, 4095] , the
two reconstructed pixels are not abnormal pixels and
do not need special additional marks. ( Using )x0, x1, qj,
plus the previous sharing results f j−1 q j−1 + p = 91 , we
1145
can get the secret sharing polynomial:
f j (q j + k) =(x0 + x1 (q j + k)+
f j−1 (q j−1 + p)(q j + k2 ) mod F (4)
where k ∈ {0, 1, 2, 3} . According to Table 1, we can get
coefficient
( ) F( = 4093
) and four
( outputs
) can be obtained
( )
fj qj , fj qj +1 , fj qj +2 , and fj qj +3 ,
respectively, which are then respectively divided into
two (8−d) bits’ pixels in each encrypted image, namely
(13, 51), (24, 57), (38, 53), and (55, 39), respectively.
These pixels are then uniformly performed MSBs
padding to the maximum number of bits before
segmentation, which is 16 bits, that is, the pixel (8+d)-
MSBs bits are filled with random bits. Then, the
content owner can get four encrypted images consisting
of two 16-bit pixels and side information SI =
R || LMAP || LT || MAP || B || P || D in Table 2.
Each data hider can embed secret data by replacing
(8+d)-MSBs per pixel. As shown in Fig. 3, after
embedding secret data in each of the four images’
(8+d)-MSBs, four images become (5261, 62 643),
(39 064, 53 433), (61, 606, 54 453), and (20, 663,
15 527) , respectively. After pixel segmentation, four
encrypted images of the same size as the original image
are obtained.
For the receiver, it is assumed that three marked
encrypted images are collected, and the pixels are (20,
141, 244, 179), (152, 152, 208, 185), and (240, 166,
212, 181), respectively. After the pixels are spliced,
three encrypted images consisting of 16-bit pixels are
obtained (5261, 62, 643), (39, 064, 53 433), and (61,
606, 54 453), respectively. Firstly, extracting side
information from the first 8 pixels and using data
hiding key Kh to extract secret information, then the
(8−d)-LSBs of the three slices are getting, which are
(13, 51), (24, 57), and (38, 53), respectively. Next, they
are splicing into 2(8 − d) bits’ pixels, namely (883,
1593, 2485). The same integer q j = 68 is used to
perform the reverse polynomial cipher feedback
strategy, and the (8−d)-LSBs of four pixels is restored
to (47, 11, 8, 10). Finally, the d-MSBs of four pixels
can be supplemented according to the location map,
shared MSBs d = “010” and d-MSBs = “10” in the side
information. Finally, the original four pixels are
restored (175, 139, 136, 138).
4 Experimental Result and Analysis
In order to evaluate the performance of the proposed
method and the improvement effect of the proposed
 1146 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156

method compared with the more advanced literatures in schemes of Refs. [5, 6], which is similar to this paper,
recent years, experiments such as embedding rate the theoretical embedding rate of each encrypted image
comparison and histogram analysis were carried out. In Ref. [5] is d"-g" for m × n original image, where d"
The experimental environment was an AMD Ryzen 7 is the optimal level of different images based on MSB
5800H with Radeon Graphics 3.20 GHz CPU, 16 GB median prediction method. After a lot of experiments,
RAM, MATLAB R2021a computer. In order to more 4, 5, and 6 are selected in the setting of d", and g" is the
accurately analyze the effectiveness of the proposed size of side information required by each encrypted
scheme in improving the performance of embedding image on average. In scheme of Ref. [6], for (3, 4)-
capacity and security, the size of 512 × 512 ’s 8 standard threshold m × n original image, the theoretical
test grayscale images with different texture features embedding rate of each encrypted image is 4−g', where
and BOWS2 database[12] were used as test images in g' is the theoretical size of side information required by
the experiment. Eight standard test images were each encrypted image on average. For 512 × 512 size
obtained from USC-SIPI image database[13]. of most images, the order of magnitudes for D is
2D
4.1 Embedding performance mostly in 105, and the theoretical value for is
mn
2D
Data hiders focus on embedding performance that how mostly above 0.76, that is, 3.625 + is above 4.385.
mn
much secret data can be embedded in the encrypted Therefore, from the perspective of theoretical analysis,
image received. Effective embedding capacity the proposed method has better effectiveness in terms
represents the maximum amount of secret data that a of embedding rate compared with Refs. [5, 6].
data hider can embed into each encrypted image. It is From a logical analysis, Ref. [6] expands the number
usually evaluated by embedding rate (ER). The of pixel bits substituted with polynomial coefficients to
calculation equation of ER is 16 bits, which is inspired by this paper. Based on the
Effective embedding capacity characteristics of adaptive MSB prediction method, the
ER = (5)
Pixel number of each encrypted image maximum number of pixel bits substituted with
where effective ER represents the total ER minus edge polynomial coefficients is 16 bits, thus improving the
information SI. embedding capacity. Moreover, compared with Ref.
High embedding rate is an effective index to measure [6], the prediction method adopted in this paper also
the performance of the scheme. It can allow more makes full use of the redundancy between adjacent
secret data to be embedded into the encrypted image, pixels of the image to free up more embedding space.
so as to facilitate the management of the ciphertext data Compared with Ref. [6], Ref. [5] uses MSB median
such as annotation, retrieval, clustering, or prediction to spare space and conducts MSBs padding
authentication. In the proposed scheme, according to to embed secret information. In the proposed method,
theoretical analysis as shown in Table 3, the the maximum bits number of pixels encrypted by secret
embeddable capacity of the encrypted image with size sharing technology reaches 16 bits, and the (8+d)
1 MSBs of each 16-bit pixel can be embedded with
m × n is 3.625mn + 2D − H , where D is the sum of
2 secret messages. Thus, the embedding rate is improved
sharing MSBs d bitstream in the encrypted image, and
to a greater extent, where d is the pixel bits freed up by
H is the number of side information SI needed to
each pixel in the adaptive MSB prediction method.
restore for the m × n original image. Therefore, the
Based on the analysis of experimental results,
embedding rate of the proposed method is
2D H Table 4 lists the embeddable capacity, the size of side
3.625 + − . Compared with the SIS-RDHEI information SI, effective embedding capacity, and the
mn 2mn
Table 3 Embedding rate’s theoretical analysis of three SIS-RDHEI schemes with (3, 4)-threshold of m × n images.
Size of each Number of EC of encrypted image EC of each ER of each
Scheme
encrypted image block with each image block encrypted image encrypted image
1 1 ′′ ′′ 1
Reference [5] mn 2 d −h mnd′′ − H ′′ d′′ − g′′
2 2 2
Reference [6] mn 4 8 − h′ 4mn − H ′′ 4 − g′′
1 2D H
Proposed mn 4 16 + 2d − h 3.625mn + 2D − H 3.625 + −
2 mn 2mn
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive … 1147

Table 4 Embedding performance analysis of the proposed database[12] are shown in Table 6. It can be seen that
scheme with (3, 4)-scheme. the ER of the best case and the EC of the lowest case
Test image EC (bit) SI (bit) Effective EC (bit) ER (bpp) are 5.1735 bpp and 3.8776 bpp, respectively, and the
Lena 1 461 396 206 953 1 254 443 4.7853 EC of the best case and the lowest case are 1 356 201 bits
Baboon 1 266 014 153 607 1 112 407 4.2435 and 1 016 489 bits, respectively. The average ER and
Airplane 1 493 732 222 174 1 271 559 4.8506 EC of the proposed method were 4.7358 bpp and
Man 1 430 526 201 088 1 229 438 4.6899
1 241 461 bits, respectively.
F16 1 482 066 218 068 1 263 999 4.8218
In order to analyze the effectiveness of the proposed
Peppers 1 443 854 200 366 1 243 488 4.7435
method in embedding rate more comprehensively and
Goldhill 1 403 038 190 518 1 212 521 4.6254
systematically, the proposed method was compared
Boat 1 406 678 190 297 1 216 381 4.6401
with the more advanced and typical SIS-RDHEI
schemes in recent years, and experiments were
embedding rate of 8 test images in the (3, 4)-threshold conducted on embedding rate of 8 standard test images
proposed scheme. Due to the different smoothness of with different (r, n)-thresholds. As shown in Fig. 5,
different images, the size of embedding space freed up except for the case of (3, 3)-threshold, the embedding
by the adaptive MSB prediction method will also be rate of the proposed method decreases compared to
different, resulting in different embedding rate. For Ref. [6]. In all other cases, the embedding rate of the
example, the smooth-textured Airplane and F16 have proposed method for the 8 standard test images is
high embedding rates of 4.8506 bits per pixel (bpp) and higher than other schemes to a large extent.
4.8218 bpp. However, the embedding rate of Baboon In summary, the effectiveness of the proposed
with complex image textures is relatively low, still and method in embedding rate is fully proved through
all, the embedding rate of Baboon can still reach theoretical analysis, logical analysis, and experimental
4.2435 bpp, indicating that the proposed method has results analysis.
good embedding performance.
In order to better prove the effectiveness of the 4.2 Reversibility
proposed method in embedding capacity from According to the existence and uniqueness theorem of
experimental results, the proposed method was Lagrange interpolation polynomial, the polynomial can
compared with two SIS-RDHEI schemes of Refs. [5, 6] be reconstructed by any subset composed of r
in embedding rate of 8 standard test images, where the participants, which can realize the completely
three schemes have great similarities in conception and reversible restoration of the image. The complete
design. As shown in Table 5, for the eight standard test reversibility of the algorithm can also be proved by
images, the method proposed has significantly calculating the peak signal-to-noise ratio (PSNR) value
improved the embedding capacity compared with Refs. of the restored image and the original image as +∞.
[5, 6]. Figure 6 shows Lena’s PSNR in this algorithm
In order to test the general performance of the compared to other algorithms that decrypt and recover
proposed scheme ER, 10 000 grayscale images of images directly under the same ER[14−17]. It can be seen
512 × 512 size were randomly selected from BOWS-2 that the PSNR between the image decrypted directly by
database[12], and the experimental results are shown in the proposed method and the original image is “+∞”,
Fig. 4. As shown in Fig. 4, the embedding rate of which proves the reversibility.
almost images is above 4 bpp, and most of the According to the analysis of simulation experiment,
embedding rate fluctuates around 4.7 bpp. The analysis Figs. 7l−7o show four Lena images reconstructed from
results of the specific experimental data of BOWS-2 three of four marked encrypted images using the
Table 5 Embedding rates of three (3, 4)-thresholds SIS-RDHEI schemes.
ER (bpp)
Scheme
Lena Baboon Airplane Man F16 Peppers Goldhill Boat
Reference [5] 2.91 1.25 3.24 2.19 3.64 2.57 2.48 2.78
Reference [6] 4.00 4.00 4.00 4.00 4.00 4.00 4.00 4.00
Proposed 4.79 4.24 4.85 4.69 4.82 4.74 4.63 4.64
 1148 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156

5.5 restored by using the decryption key to decrypt the four

Embedding rate (bpp)

reconstructed images from three of the four marked

5.0
images. When the receiver only holds the data hiding
4.5 key, as shown in Figs. 7f and 7k, the embedded secret
4.0
information is completely recovered. When the
receiver possesses both the decryption key and the data
3.5 hiding key, as shown in Figs. 7k–7o, the receiver fully
0
0
0
0
0
0
00

0
0

10 0
0
0
0
0
0
0

0
0
0
00
10
20
30
40
50
60
70
80
90
recovers the original image and the embedded secret
Serial number of the image data. That is, the proposed method has the separability
Fig. 4 ER of 10 000 test images in BOSSbase database. of extracting secret data and restoring original image.
4.4 Security
Table 6 Embedding performance of 10 000 test images in
BOSSbase database. 4.4.1 Simulation experiment analysis
Case EC (bit) ER (bpp) In RDH-EI schemes, data are embedded in the image,
Highest 1 356 201 5.1735 different strategies will produce different visual effects
Lowest 1 016 489 3.8776 on the flat image, so it is necessary to evaluate the
Average 1 241 461 4.7358 visual imperceptibility of the image containing secret
data. Figure 7 shows the (3, 4)-threshold image
decryption key, and Fig. 7k shows the extracted secret sharing’s simulation results of image Lena. Figure 7a
information. Figure 7 shows that Figs. 7l−7o are shows the Lena original image, and Figs. 7b–7e shows
identical to the original image in Fig. 7a, and Fig. 7k is four encrypted images. Figures 7g–7j are four marked
the same as Fig. 7f. Therefore, the proposed scheme is encrypted images obtained by embedding secret
completely reversible. information Fig. 7f in Figs. 7b–7e. As can be seen from
Fig. 7, all encrypted images and marked encrypted
4.3 Separability
images are noise-like and do not contain any original
In order to verify the separability of the proposed information from statistical features.
method, the experiment selected “Lena” image as the 4.4.2 Uncertainty
original image to image recovery and data extraction. The proposed scheme is a random and nondeterministic
When the receiver holds only the decryption key, as encryption system. When the image is encrypted twice
shown in Figs. 7l–7o, the original image is completely using the same encryption key, the resulting encrypted
Ref. [1] Ref. [2] Ref. [3] Ref. [1] Ref. [2] Ref. [3] Ref. [1] Ref. [2] Ref. [3]
Ref. [4] Ref. [5] Ref. [6] Ref. [4] Ref. [5] Ref. [6] Ref. [4] Ref. [5] Ref. [6]
Embedding rate (bpp)
Embedding rate (bpp)

Embedding rate (bpp)

6 Proposed 6 Proposed 6 Proposed

5 5 5
4 4 4
3 3 3
2 2 2
1 1 1
0 0 0
Ba na
A on
ne

an

Pe 6
G ers
ill
at
Ba na
A oon
ne

an

Pe 6
G ers
ill
at

Ba na
A oon
ne

an

Pe 6
G ers
ill
at

F1
F1

F1

Bo
Bo

Bo

dh
dh

dh

Le

la
M
bo
Le

la
M

Le

la
M

pp
pp

pp
b

irp
irp

irp

ol
ol

ol

(a) r=2, n=2 (b) r=2, n=3 (c) r=2, n=4

Ref. [1] Ref. [2] Ref. [3] Ref. [1] Ref. [2] Ref. [3] Ref. [1] Ref. [2] Ref. [3]
Ref. [4] Ref. [5] Ref. [6] Ref. [4] Ref. [5] Ref. [6] Ref. [4] Ref. [5] Ref. [6]
Embedding rate (bpp)
Embedding rate (bpp)

Embedding rate (bpp)

6 Proposed 6 Proposed 6 Proposed

5 5 5
4 4 4
3 3 3
2 2 2
1 1 1
0 0 0
Ba na
A oon
ne

an

Pe 6
G ers
ill
at
Ba na
A oon
ne

an

Pe 6
G ers
ill
at

Ba na
A oon
ne

an

Pe 6
G ers
ill
at

F1
F1

F1

Bo
Bo

Bo

dh
dh

dh

Le

la
M
Le

la
M

Le

la
M

pp
pp

pp

b
b

irp
irp

irp

ol
ol

ol

(d) r=3, n=3 (e) r=3, n=4 (f) r=3, n=5

Fig. 5 Embedding rates of different SIS-RDHEI schemes at different (r, n)-thresholds.

 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive … 1149

+∞
Ref. [14]
55 Ref. [15]
Ref. [16]
50
PSNR (dB)

Ref. [17]
45 Proposed
(a) (b) (c)
40

35

30
0.05 0.10 0.15 0.20 0.25 0.30 0.35 0.40 0.45 0.50 0.55 0.60
ER (bpp)

Fig. 6 Comparison of Lena rate distortion curve. (d) (e) (f)

Fig. 8 Encrypted results of Lena by (3, 4)-threshold

proposed scheme using the same encryption key in two
executions. (a) The first encrypted image in the first
execution. (b) The first encrypted image in the second
(a) (b) (c) (d) (e) execution. (c) Difference of Figs. 8a and 8b. (d) The second
encrypted image in the first execution. (e) The second
encrypted image in the second execution. (f) Difference of
Figs. 8d and 8e.

(f) (g) (h) (i)
(k) (l) (m) (n)
Fig. 7 Simulation results of the proposed scheme with (3,
4)-threshold. (a) Original image Lena of size 512 × 512.
(b)−(e) Four encrypted images. (f) Secret image. (g)−(j) Four
marked encrypted images. (k) Extracted secret image. (l)
Reconstructed image with PSNR = +∞ dB from Figs. 7g−7i.
(m) Reconstructed image with PSNR = +∞ dB from Figs.
7h−j. (n) Reconstructed image with PSNR = +∞ dB from
Figs. 7g, 7h, and 7j. (o) Reconstructed image with
PSNR = +∞ dB from Figs. 7h−7j.
image is completely different. This is because some
random values from Eq. (5) are used, and these random
values are different in each encryption. It can be seen
from Figs. 8c and 8f that the two encrypted images
generated by two executions are completely different,
thus it can be seen that the encryption system of the
proposed algorithm is random and non-deterministic.
Since the non-deterministic random encryption system
has the ability to resist various potential attacks[18], the
algorithm proposed in this paper has high security.
4.4.3 Histogram analysis
It is assumed that the attacker has captured an
encrypted image and a marked encrypted image
corresponding to the three original images,
respectively. In order to obtain the information of the
(j) corresponding captured images, histogram statistical
analysis is conducted on the captured images
respectively. It is obvious from the results in Fig. 9 that
all the histograms in the encrypted image and marked
encrypted image are both uniform, and completely
(o)
different from the original image, so the proposed
scheme can resist statistical analysis’ attack.
4.4.4 Correlation analysis
In RDH-EI algorithms, it is imperative that the
embedding process does not pose any risk of
compromising the confidentiality of the image or
additional data. In the proposed scheme, a secret
sharing scheme with self-feedback ensures the
confidentiality of the image content, and the data
hiding key and encryption key are independent, so they
will not reveal any information about each other. The
adjacent correlation coefficients of original pixels in
horizontal, vertical, and diagonal directions are shown
in Figs. 10a, 10d, and 10g. The adjacent relationships
of encrypted pixels are shown in Figs. 10b, 10e, and
10h, and the scatter diagrams of marked encrypted
images are shown in Figs. 10c, 10f, and 10i.
Experimental data show that the scatter plots of
encrypted images and those marked encrypted images
are evenly distributed, that is, encrypted images’ pixels
and those marked encrypted images follow random and
uniform distribution, and adjacent pixels’ correlation is
reduced, which can resist ciphertext-only attack.
4.4.5 Key sensitivity analysis
Unified averaged changed intensity (UACI) measures
 1150 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156

2500 2500
3000
2500 2000 2000

2000 1500 1500

Number

Number

Number
1500
1000 1000
1000
500 500
500
0 0 0
0 50 100 150 200 250 0 50 100 150 200 250 0 50 100 150 200 250
Pixel value Pixel value Pixel value
(a) Original image of Lena (b) Encrypted image of Lena (c) Marked encrypted image of Lena
4000 2500 2500
3500
2000 2000
3000
2500 1500 1500
Number

Number

Number
2000
1500 1000 1000

1000 500
500
500
0 0 0

0 50 100 150 200 250 0 50 100 150 200 250 0 50 100 150 200 250
Pixel value Pixel value Pixel value
(d) Original image of Boat (e) Encrypted image of Boat (f) Marked encrypted image of Boat
3000 2500 2500

2500 2000 2000

2000
1500 1500
Number

Number

Number

1500
1000 1000
1000

500 500 500

0 0 0
0 50 100 150 200 250 0 50 100 150 200 250 0 50 100 150 200 250
Pixel value Pixel value Pixel value
(g) Original image of Peppers (h) Encrypted image of Peppers (i) Marked encrypted image of Peppers

Fig. 9 Histogram of different images.

the difference between two images of size M × N,
where the pixels I(i, j) and I'(i, j) (0 ⩽ i<m, 0 ⩽ j<n) are
encoded by using 256 grayscale values, and C(i, j) and
C'(i, j) are the encrypted pixels corresponding to I(i, j)
and I'(i, j), respectively. Its calculation equation is as
follows:
∑j=N
i=M,
|C(i, j) − C ′ (i, j)|
UACI =
i=1, j=1
M × N × 255
The ideal value of UACI depends on the tonal range
of the image, and the higher the value of UACI, the
higher the level of visual security. This metric can be
used to test the sensitivity of using keys during
encryption. During the test, the original image is
encrypted by using two keys that differ by only one bit,
and then the corresponding encrypted image is
compared. In this case, the optimal value of UACI is
33.33%[19]. However, this test has no statistical
decision criteria and the observation of theoretical
optimum values is purely experimental.
× 100% (6) Table 7 shows the experimental results of key
sensitivity analysis under the RDH-EI scheme based on
secret sharing (5, 6)-threshold. For the same share, two
encrypted images are generated using different keys
with a difference of 1 bit for each encryption. The
proposed method calculates the UACI for two
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive … 1151

250 300 300

200 250 250
150 200 200
150 150

z
z

100 100 100

50 50 50
0 0 0
600 600 600
600 400 600 600
400 400 400
400 y 200 400
y 200 200
200 x y 200 200 x
x 0 0 0 0
0 0
(a) Original image of Lena (b) Encrypted image of Lena (c) Marked encrypted image of Lena

300 300 300

250 250 250
200 200 200
150
z

150 150

z
z

100 100 100

50 50 50
0 0 0
600 600 600
400 600 400 600 400 600
400 400 400
y 200 200 y 200 200 x y 200 200
0 0 x 0 0 0 0 x
(d) Original image of Boat (e) Encrypted image of Boat (f) Marked encrypted image of Boat

250 300 300

200 250 250
150 200 200
150 150
z

z
z

100 100
100
50 50 50
0 0 0
600 600 600
400 600 400 600 400 600
400 400 400
y 200 200 y 200 200 y 200 200
x 0 0 x 0 0 x
0 0
(g) Original image of Peppers (h) Encrypted image of Peppers (i) Marked encrypted image of Peppers

Fig. 10 Scatter map of different images.

Table 7 UACI analysis of key sensitivity for different optimal value of 33.33%. It can be seen that for images
images in (5, 6)-threshold proposed method. with different textures, the change of 1 bit of the
UACI (%) encryption key will lead to a large difference in the
Image
Share 1 Share 2 Share 3 Share 4 Share 5 Share 6 encryption image, which fully proves that the proposed
Lena 33.53 33.53 33.50 33.53 33.51 33.50 method is relatively sensitive to its encryption key.
Baboon 33.50 33.49 33.51 33.47 33.49 33.51
4.4.6 Shannon entropy
Jetplane 33.42 33.42 33.40 33.43 33.44 33.44
Shannon entropy is a metric commonly used to
Man 33.43 33.45 33.43 33.42 33.43 33.43
evaluate the randomness of pixel distribution in a
F16 33.53 33.54 33.54 33.51 33.55 33.52
marked-encrypted image. Its calculation equation is as
Peppers 33.47 33.49 33.49 33.51 33.49 33.48
follows:
Goldhill 33.47 33.49 33.45 33.45 33.45 33.45
Boat 33.44 33.44 33.44 33.44 33.43 33.41 ∑
h
H (β) = − P (βi ) log2 P (βi ) (7)
i=1
encrypted images in two encryption processes. As
where h represents the total number of different
shown in Table 7, for eight standard test images, in the symbols in the source, βi represents the i-th symbol,
same secret sharing, when the encryption key changes and P(βi) represents the probability of the pixel value
by only 1 bit, the value of UACI is very close to the symbol βi. For an image with a gray scale of 256 and a
 1152 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156

depth of 8 bits, the closer the Shannon entropy of the two images with the size M×N. The calculation
encrypted image is to 8, the more uniform the equation is as follows:
distribution of image pixels, the higher the source ∑j=N
i=M,
D(i, j)
security, and the better the encryption performance of NPCR = ×100% (8)
M×N
the algorithm. Table 8 lists the Shannon entropy of i=1, j=1

images encrypted by different RDH-EI methods based When I(i, j) = I ′ (i, j) , D (i, j) = 0 , if I(i, j) ≡ I ′ (i, j) ,
on secret sharing. Chen et al.[2] can only generate one and D(i, j) ≡ 0 . NPCR is used to represent the
encrypted image for different threshold schemes. For difference between a marked encrypted (or simply
the scheme proposed by Hua et al.[5], the Shannon marked) image and the original image. Therefore, the
entropy of the encrypted image in the scheme is closer the value is to 100%, the more mismatch
calculated by using the optimal level l = 5 of the between the two images, and the higher the
prediction algorithm. It can be seen from Table 8 that corresponding level of visual security. UACI is the
the proposed method can generate an encrypted image average of the difference between the pixels in two
with greater Shannon entropy than the other five images. According to the theoretical analysis of Ref.
methods, and is very close to the theoretical maximum [20], the ideal NPCR value and ideal UACI value of 8-
8. The results show that the pixels of the encrypted bit gray scale image are 99.6094% and 33.4635%,
image generated by the proposed algorithm are evenly respectively.
distributed and have high pixel randomness, which can Because of the uncertainty and diffusion
defend against security attacks based on statistics. characteristics of the proposed scheme, the change of
4.4.7 Differential attack one bit in the original image will lead to the change of
Differential attack studies how plaintext differences all parts in the encrypted image. As can be seen from
affect ciphertext differences, and it is an effective Table 9, the proposed scheme can obtain NPCR and
cryptanalysis method. To resist differential attacks, UACI that are very close to the theoretical values, and
small changes in plaintext can lead to large differences the slight change in corresponding ciphertext will bring
in ciphertext. Number of changing pixel rate (NPCR) a strong change, which indicates that the proposed
and UACI[20] are two measures used to test the scheme has good security and strong resistance to
resistance of cryptosystems to differential attacks. differential attacks.
NPCR[21] represents the number of changing pixel 4.4.8 Missing share
rate (0 ⩽ i<m, 0 ⩽ j<n) between pixel I(i, j) and I'(i, j) in Secret sharing technology has the ability to resist the
Table 8 Shannon entropy of encrypted images RDH-EI method based on secret sharing in recent years.
(3, 3)-threshold scheme (5, 6)-threshold scheme
Scheme
Share 1 Share 2 Share 3 Share 1 Share 2 Share 3 Share 4 Share 5 Share 6
Reference [2] 7.9708 7.9708
Reference [1] 7.9707 7.9707 7.9709 7.9708 7.9708 7.9708 7.9708 7.9707 7.9707
Reference [3] 7.9708 7.9709 7.9709 7.9708 7.9708 7.9708 7.9709 7.9708 7.9708
Reference [4] 7.9707 7.9706 7.9707 7.9708 7.9707 7.9707 7.9707 7.9706 7.9707
Reference [5] 7.9929 7.9930 7.9961 7.9916 7.9921 7.9912 7.9908 7.9918 7.9917
Proposed 7.9990 7.9991 7.9990 7.9990 7.9991 7.9991 7.9991 7.9991 7.9991

Table 9 Comparison of NPCR and UACI in (5, 6)-threshold secret sharing RDH-EI scheme.
NPCR (%) UACI (%)
Scheme
Share 1 Share 2 Share 3 Share 4 Share 5 Share 6 Share 1 Share 2 Share 3 Share 4 Share 5 Share 6
Reference [2] 0.0022 0.0004
Reference [1] 99.6017 99.6002 99.6208 99.6155 99.6065 99.6170 32.8110 32.7243 32.8842 32.7243 32.7288 32.8197
Reference [3] 99.6033 99.6037 99.5995 99.6067 99.6056 99.5956 32.7525 32.8473 32.8096 32.8448 32.7970 32.9304
Reference [4] 99.5850 99.6323 99.6429 99.6017 99.5819 99.6033 32.7984 32.7492 32.8662 32.8237 32.9214 32.6916
Reference [5] 99.5873 99.6306 99.5839 99.5663 99.6274 99.5957 33.4778 33.3290 33.3626 33.5272 33.4318 33.3787
Proposed 99.6109 99.5991 99.60988 99.6297 99.6193 99.5987 33.4856 33.4956 33.4674 33.4691 33.4878 33.4714
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive …
collusion analysis of attackers. If the attacker collects
r − 1 encrypted images, the probability of solving r
variables for the r − 1 equations constructed from them
is 1/F. For M × N images, the probability that
collecting r − 1 encrypted images can fully recover the
original image is (M × N)/[F × (r − 1)]. Therefore, it is
difficult for an attacker to correctly recover the original
image by using r − 1 encrypted images[5].
4.5 Data extension
The data expansion of the overall scheme is the ratio of
the bits of all marked encrypted images to the bits of
the original image, while the data expansion of each
data hider is the ratio of the bits of each marked
encrypted image to the bits of the original image. In the
traditional RDH-EI scheme, the data of each data hider
are expanded to 1. Since the encryption result of
homomorphic encryption is larger than the original
data, and multiple images are generated under the
secret sharing scheme, the total size of the marked
encrypted image is often larger than the original image
in these RDH-EI schemes based on homomorphic
encryption and SIS-RDHEI schemes. In the (r, n)-
threshold scheme proposed in this paper, a secret image
is encrypted into n encrypted images, each of which is
2/(r−1) the size of the original image. Since the data
embedding operation does not result in data expansion,
the total size of the n marked encrypted images is
2n/(r−1) of the original image. Since each data hider
keeps a marked encrypted image, the expansion rate of
each data hider is 2/(r−1). Table 10 lists the data
extension comparison of different SIS-RDHEI
schemes. In Refs. [1, 3, 4], the data of the whole
scheme was extended to n, which was n/(r−1) in Hua
et al.[5] In the method of Chen et al.[2], because there is
only one encrypted image, the data expansion of the
whole scheme is always 1. In addition, the proposed
method has a data expansion rate of only 2/(r−1) for
Table 10 Data expansion comparison of SIS-RDHEI
schemes.
ER for the Expansion rate for
Scheme
whole scheme (bit) each data hider
Chen et al.[2] 1 1
Wu et al.[1] n 1
Chen et al.[3] n 1
Qin et al.[4] n 1
Hua et al.[5] n/(r−1) 1/(r−1)
Proposed 2n/(r−1) 2/(r−1)
1153
each data hider, which is much smaller than the
previous four methods when r > 2. However, compared
with Ref. [5], the data expansion rate is larger. In
general, compared with other SIS-RDHEI schemes, the
proposed scheme has a smaller data expansion rate to
some extent.
4.6 Time complexity
Time complexity is one of the most important
indicators for evaluating schemes’ security. In order to
further analyze the security of the proposed algorithm,
as shown in Table 11, the theoretical time complexity
of different SIS-RDHEI schemes is listed. The time
complexity of several most advanced secret sharing
technologies[1−5, 22−24] are compared. The results show
that the proposed algorithm and the secret sharing
techniques used in Refs. [1, 3−5] have the same
amount of addition and multiplication in one share.
When secret sharing technique is used, Ref. [2] has the
maximum time complexity for one share. However,
since this scheme can simultaneously process multiple
pixels in one sharing, the secret sharing technology
applicable in Ref. [2] has a relatively smaller time
complexity for the whole image than Refs. [23, 24].
This paper shares r−1 pixels in one sharing. For images
with image size M×N, the time complexity of the
overall scheme using secret sharing technology is
(r+1)MN/2, and the time complexity in this paper is as
small as that in Ref. [5].
5 Algorithm Advantage and Application
Scenario Analysis
In general, compared with the traditional RDH-ED
algorithm, the proposed algorithm has the following
advantages.
• High embedding capacity. The proposed method
can fully consider the correlation between adjacent
pixels in an image and share multiple pixels at a time
using a cryptographic feedback strategy, freeing up
more embedding space, which can obtain a high
embedding capacity for many natural images.
• Diffusivity. When a bit is changed in the secret
message S, all elements can be randomly changed
through the password feedback structure and random
integer f0(xp).
• High security. Since fj−1(xp) is randomly selected
from n previous shared results, and p can be different
in each share. In addition, this paper applies the AES
cryptographic feedback strategy to the polynomial-
 1154 Tsinghua Science and Technology, June 2025, 30(3): 1139−1156

Table 11 Theoretical time complexity of different secret sharing technique with (r, n)-threshold.
One sharing Sharing for image of size M × N
Scheme
Addition Multiplication Total Addition Multiplication Total
( )
2 + r + 1 (r − 1) MN
(r − 1)MN
2
r(r − 1)MN
r
Reference [22] r −1
2 r (r − 1)
2 (r + r + 1)(r − 1)
2
r
( )r
References [23, 24] r2 − 1 r2 (r − 1) (r2 + r + 1)(r − 1) (r2 − 1)MN r2 (r − 1)MN r2 + r + 1 (r − 1) MN
r(r − 1) (r + 2)(r − 1) r(r − 1)MN (r + 2)(r − 1)MN
References [1, 3, 4] r−1 (r − 1)MN
2 2 2 2
(2r − 1)MN r(2r − 1)MN (r + 1)(2r − 1)MN
Reference [2] 2r − 1 r(2r − 1) (r + 1)(2r − 1)
r 2 r
r(r − 1) (r + 2)(r − 1) rMN (r + 2)MN
Reference [5] r−1 MN
2 2 2 2
r(r − 1) (r + 2)(r − 1) rMN (r + 2)MN
Proposed r−1 MN
2 2 2 2

based secret sharing scheme, which enhances the fault
tolerance and disaster resistance, so the security can be
further improved.
• Uncertainty. Since random integers are used in the
sharing process, the proposed method is an uncertain
system. This provides a strong ability to defend against
many potential attacks.
The performance advantages of the algorithm should
be measured according to the requirements of specific
application scenarios. In the RDH-EI application
scenario based on cloud-based environment, additional
information needs to be reversibly embedded in
encrypted images to achieve functions such as
authentication, management, and retrieval of encrypted
images. Therefore, high embedding capacity is very
important for practical applications. Moreover, with the
rapid development of cloud computing, the possibility
of cloud server failure or attack is also increasing, and
the demand for improving disaster recovery capability
and ensuring the security performance of user data is
increasing day by day. Therefore, the proposed scheme
adopts image secret sharing technology, which can not
only realize distributed storage of user’s encrypted
images, but also improve the disaster recovery
capability of cloud data. It can also embed the secret
information into the encrypted images to realize the
safe transmission of the images and the secret
information. According to the characteristics of secret
sharing, when one of the cloud servers fails or is
attacked, it will not affect the data recovery of other
cloud servers. Therefore, in a image transmission
system, for scenarios involving multi-unit participation,
only when trust is established among a sufficient
number of units can the user successfully recover the
original image and extract the secret information. The
capture of one side will not reveal secret information,
nor will it affect the completion of the overall mission.
In addition, due to the diffusivity of the proposed
scheme, when the image is tampered with or destroyed,
as long as one bit in the image is changed, all elements
can be randomly changed through the password
feedback structure and random integer f0(xp), which
enhances the tamper-proof characteristics of cloud
data. It can be seen that the proposed scheme has very
high practicability and application value in key
management, multi-party secure computing, data
security, bank network management, missile control
and launch, and other application scenarios.
In order to improve the quality application scenario
of the proposed scheme, the proposed method is
compared with some recent related schemes[24−26].
Scheme of Ref. [24] proposed a novel text
steganography based on long readable text generation,
which addressed the problem that semantic
incoherence and semantic errors when generating long
texts. Scheme of Ref. [25] employed the BicycleGAN
to transform the generated contours to the
corresponding stego-image, which had good quality
under common image attacks, and feature-domain
security. What is more, scheme of Ref. [26] proposed a
generative steganography that transforms secret
information to a generated image. Compare with the
above schemes, the proposed scheme is only to embed
additional information into the image. The media types
and forms of the secret information are relatively
simple, what is more, the characteristics of the secret
information or image are not fully utilized, and
advanced technologies such as deep learning are not
used, which is the proposed method’s direction of
improvement in the future.
 Kaili Qi et al.: High Capacity Reversible Data Hiding Algorithm in Encrypted Images Based on Image Adaptive …
6 Conclusion
Aiming at the problem that the traditional RDH-ED
algorithm is not strong in fault tolerance and disaster
resistance after embedding secret information, this
paper proposes a high capacity SIS-RDHEI based on
adaptive MSB prediction. In the proposed scheme, by
making adaptive MSB prediction, the redundancy
between image pixels is utilized to free up the space of
embedding data, and then the polynomial cipher
feedback strategy is adopted to encrypt image pixels. In
the data hiding stage, multiple data hiders carry out
embedding secret data in the encrypted image.
According to the characteristics of adaptive MSB
prediction method and secret sharing technology, the
maximum number of pixel bits after encryption is 16
bits, so the pixel bits after embedding information is
also unified to 16 bits, effectively improving the
embedding capacity of the scheme. Performance
evaluation shows that compared with other SIS-RDHEI
schemes, the proposed scheme has the following
properties: it enhances the fault tolerance and disaster
resistance of embedding new message and carrier
image. It has high security and achieves diffusivity. It
makes full use of the redundancy between pixels in the
image and has a high embedding rate. It is reversible
and separable at the same time. The next research
direction is to design higher capacity RDH-EI under
the condition of small data expansion rate, and
constantly enhance the practical performance of the
scheme.
Acknowledgment
This work was supported by the National Natural Science
Foundation of China (Nos. 62272478 and 61872384),
National Natural Science Foundation Youth Foundation
Project (Nos. 62102451 and 62102450), and Basic
Frontier Research Foundation Project of Armed Police
Engineering University (Nos. WJY202012 and
WJY202112).
References
[1] X. Wu, J. Weng, and W. Yan, Adopting secret sharing for
reversible data hiding in encrypted images, Signal
Process., vol. 143, pp. 269–281, 2018.
[2] Y. C. Chen, T. H. Hung, S. H. Hsieh, and C. W. Shiu, A
new reversible data hiding in encrypted image based on
multi-secret sharing and lightweight cryptographic
algorithms, IEEE Trans. Inf. Forensics Secur., vol. 14, no.
12, pp. 3332–3343, 2019.
1155
[3] B. Chen, W. Lu, J. Huang, J. Weng, and Y. Zhou, Secret
sharing based reversible data hiding in encrypted images
with multiple data-hiders, IEEE Trans. Dependable Secure
Comput., vol. 19, no. 2, pp. 978–991, 2022.
[4] C. Qin, C. Jiang, Q. Mo, H. Yao, and C. C. Chang,
Reversible data hiding in encrypted image via secret
sharing based on GF(p) and GF(2⁸), IEEE Trans. Circuits
Syst. Video Technol., vol. 32, no. 4, pp. 1928–1941, 2022.
[5] Z. Hua, Y. Wang, S. Yi, Y. Zhou, and X. Jia, Reversible
data hiding in encrypted images using cipher-feedback
secret sharing, IEEE Trans. Circuits Syst. Video Technol.,
vol. 32, no. 8, pp. 4968–4982, 2022.
[6] Z. X. Wang, M. Q. Zhang, and Y. J. Kong, Reversible data
hiding in encrypted images based on image secret sharing,
(in Chinese), Journal of Computer Applications, vol. 42,
no. 5, pp. 1480–1489, 2022.
[7] Y. Ke, M. Zhang, X. Zhang, J. Liu, T. Su, and X. Yang, A
reversible data hiding scheme in encrypted domain for
secret image sharing based on Chinese remainder theorem,
IEEE Trans. Circuits Syst. Video Technol., vol. 32, no. 4,
pp. 2469–2481, 2022.
[8] Y. Wang and W. He, High capacity reversible data hiding
in encrypted image based on adaptive MSB prediction,
IEEE Trans. Multimed., vol. 24, pp. 1288–1298, 2022.
[9] A. Shamir, How to share a secret, Commun. ACM, vol. 22,
no. 11, pp. 612–613, 1979.
[10] C. C. Thien and J. C. Lin, Secret image sharing, Comput.
Graph., vol. 26, no. 5, pp. 765–770, 2002.
[11] X. Jin, L. Su, and J. Huang, A reversible data hiding
algorithm based on secret sharing, J. Inf. Hiding Priv.
Prot., vol. 3, no. 2, pp. 69–82, 2021.
[12] A. Gupta, BOWS2, https://data.mendeley.com/datasets/
kb3ngxfmjw/1, 2023.
[13] University of Southern California, The USC-SIPI Image
Database, http://sipi.usc.edu/database/, 2018.
[14] J. Katz and Y. Lindell, Introduction to Modern
Cryptography. Boca Raton, FL, USA: CRC Press, 2020.
[15] N. Zhou, M. Q. Zhang, and M. M. Liu, Reversible data
hiding algorithm in homomorphic encrypted image based
on secret sharing, Science Technology and Engineering,
vol. 20, no. 19, pp. 7780–7786, 2020.
[16] H. Ge, Y. Chen, Z. Qian, and J. Wang, A high capacity
multi-level approach for reversible data hiding in
encrypted images, IEEE Trans. Circuits Syst. Video
Technol., vol. 29, no. 8, pp. 2285–2295, 2019.
[17] X. Zhang, Reversible data hiding in encrypted image,
IEEE Signal Process. Lett., vol. 18, no. 4, pp. 255–258,
2011.
[18] Y. C. Chen, C. W. Shiu, and G. Horng, Encrypted signal-
based reversible data hiding with public key cryptosystem,
J. Vis. Commun. Image Represent., vol. 25, no. 5, pp.
1164–1170, 2014.
[19] M. Preishuber, T. Hütter, S. Katzenbeisser, and A. Uhl,
Depreciating motivation and empirical security analysis of
chaos-based image and video encryption, IEEE Trans. Inf.
Forensics Secur., vol. 13, no. 9, pp. 2137–2150, 2018.
[20] Y. Wu, J. P. Noonan, and S. Agaian, NPCR and UACI
randomness tests for image encryption, Cyber J.,
Multidisciplinary J. Sci. Technol., J. Sel. Areas
 1156
Telecommun., vol. 1, no. 2, pp. 31–38, 2011.
[21] L. Harn and C. F. Hsu, (t, n) multi-secret sharing scheme
based on bivariate polynomial, Wirel. Pers. Commun. Int.
J., vol. 95, no. 2, pp. 1495–1504, 2017.
[22] Y. Liu, C. Yang, Y. Wang, L. Zhu, and W. Ji, Cheating
identifiable secret sharing scheme using symmetric
bivariate polynomial, Inf. Sci., vol. 453, pp. 21–29, 2018.
[23] K. Meng, F. Miao, W. Huang, and Y. Xiong, Threshold
changeable secret sharing with secure secret
reconstruction, Inf. Process. Lett., vol. 157, p. 105928,
2020.
[24] Z. Zhou, X. Dong, R. Meng, M. Wang, H. Yan, K. Yu,
Kaili Qi received the bachelor degree from
Engineering University of PAP, China, in
2021. She is currently pursuing the master
degree at Engineering University of PAP,
China. She published 1 paper on
Application Research of Computers and 1
paper on Frontiers of Information
Technology &Electronic Engineering. Her
current research focuses on reversible data hiding in encrypted
images and information security.
Minqing Zhang received the MS degree
in computer science and applicaton from
Northwestern Polytechnical University,
Xi’an, China, in 2001, and the PhD degree
in network and information security from
Northwestern Polytechnical University,
Xi’an, China, in 2016. She is currently a
professor at Engineering University of
PAP, Xi’an, China. She has published more than 130 academic
papers, including more than 50 indexed by SCI and EI, 7
monographs and textbooks, 15 national invention patents, and 8
software copyrights. Her research interests include cryptography
and data hiding.
Tsinghua Science and Technology, June 2025, 30(3): 1139−1156
and K. K. R. Choo, Generative steganography via auto-
generation of semantic object contours, IEEE Trans.
Inform. Forensics Secur., vol. 18, pp. 2751–2765, 2023.
[25] Z. Zhou, Y. Su, J. Li, K. Yu, Q. M. J. Wu, Z. Fu, and Y.
Shi, Secret-to-image reversible transformation for
generative steganography, IEEE Trans. Dependable
Secure Comput., vol. 20, no. 5, pp. 4118–4134, 2023.
[26] Y. Cao, Z. Zhou, C. Chakraborty, M. Wang, Q. M. J. Wu,
X. Sun, and K. Yu, Generative steganography based on
long readable text generation, IEEE Trans. Comput. Soc.
Syst., vol. 11, no. 4, pp. 4584–4594, 2024.
Fuqiang Di received the MS and PhD
degrees in information security from
Engineering University of PAP, China, in
2015 and 2019, respectively. He is
currently an assistant professor at
Engineering University of PAP, Xi’an,
China. His research interests include
multimedia security, image processing,
and information hiding.
Chao Jiang received the bachelor degree
from Engineering University of PAP,
China, in 2022. He is currently pursuing
the master degree at Engineering
University of PAP, China. He has
published 1 paper in Journal on
Communications. His current research
focuses on reversible data hiding in
encrypted images and information security.