Distortion-free secret image sharing mechanism using modulus operator


Pattern Recognition 42 (2009) 886 -- 895

Contents lists available at ScienceDirect

Pattern Recognition journal homepage: www.elsevier.com/locate/pr

Pei-Yu Lin (a,*), Jung-San Lee (b), Chin-Chen Chang (a,b)

(a) Department of Computer Science and Information Engineering, National Chung Cheng University, 160 San-Hsing, Min-Hsiung, Chiayi 621, Taiwan
(b) Department of Information Engineering and Computer Science, Feng Chia University, 100 Wenhwa Rd., Seatwen, Taichung 40724, Taiwan

Article history: Received 19 April 2008; received in revised form 22 August 2008; accepted 21 September 2008.

Keywords: Secret sharing; Distortion-free; Rabin's signature; Modulus operator; Cheater detection

Abstract

The (t, n)-threshold scheme has been extended to secret image sharing because of its practicality. In this article, we provide a novel version that employs the modulus operator to embed the secret share into a host image. Simulations show that the modulus operator is useful for decreasing shadow image distortion. Using Rabin's signature cryptosystem, participants can detect whether a cheater exists in the cooperation. In particular, the new mechanism permits involved members to restore a lossless secret image and to reconstruct a distortion-free host image. © 2008 Elsevier Ltd. All rights reserved.

1. Introduction

Using Shamir's (t, n)-threshold approach [1], the secret sharing mechanism can protect confidential images [2–5]. Thien and Lin [3] apply Shamir's (t, n)-threshold method to generate n distinct shadows from a secret image and issue these shadows to authorized participants. As a result, any t participants can cooperate to reveal the secret image. Here, each grayscale pixel of the secret image must be truncated to a value between 0 and 250 (due to the prime number 251). This distorts the fidelity of the revealed secret content.

To improve the fidelity and to achieve the steganography purpose of [3], Wu et al. [4] use variable size quantization (VSQ) to quantize the secret pixels to values between 0 and 16. This leads to better quality for the shadow images in [4] compared to those in [3]. Based on [4], Chang et al. [5] divide the secret image into 4×4 non-overlapping blocks and then quantize the blocks to make the secret easier to hide. By adopting a two-dimensional approach instead of a one-dimensional approach [4], their method can obtain better quality for the shadow image and the retrieved secret images.

Unfortunately, such image sharing schemes [2–5] are insecure against cheating attacks. A fraudulent participant may provide a fake shadow to fool others into cooperating [6,7]. Thus, a secure sharing scheme must allow authorized members to detect cheaters. Zhao et al. [8] introduce the concept of cheater identification into the secret image sharing mechanism. Their method allows authorized members to detect a cheater while reconstructing the secret image. If a dishonest participant provides a fake shadow image, others will become aware of his/her attempt. Nevertheless, the generated shadow image of [8] is meaningless. Delivering meaningless shadow images over an insecure channel may attract attention to the secret information. Lin and Tsai [9] propose a sharing scheme with authentication in which each shadow image is meaningful. The meaningfulness of the shadow is useful for decreasing the potential risk. However, Yang et al. [10] point out the weakness of [9] and present an improved scheme that permits authorized users to check the validity of the shadow image.

As proposed in [2–5,9], legal users cannot retrieve lossless secret content, since the grayscale values of the secret image are truncated to generate secret shadows. If the shared media are significant images, even slight distortion may be intolerable.

As explained above, a secret image sharing mechanism must comply with the following essentials:

(i) Involved participants must be able to detect cheaters.
(ii) At least t authorized members can cooperate to restore the secret image.
(iii) The retrieved secret image must be lossless.
(iv) The shadow image must be meaningful.
(v) The distortion of the shadow image must be slight.
(vi) The size of the embedded secret image must be large enough.

In this article, we propose a novel secret image sharing mechanism that can satisfy all of the above-mentioned essentials. According to the (t, n)-threshold mechanism, we construct n secret shadows. Employing the modulus operator [11–14] after we embed the secret shadow into the host image, we can obtain a meaningful shadow image with satisfactory quality. Moreover, we utilize Rabin's signature algorithm [15] to detect cheaters. The security of the algorithm is the same as that of the factorization problem [16,17]. Specifically, the proposed method allows participants to retrieve a lossless secret image and to recover a distortion-free host image.

The rest of this article is organized as follows. We introduce Shamir's method in Section 2. The new mechanism is described in Section 3, followed by security analysis and experimental results in Section 4. We make conclusions in Section 5.

* Corresponding author. Tel.: +8864 24517250x3790; fax: +886 27066495. E-mail address: [email protected] (P.-Y. Lin).
0031-3203/$ - see front matter © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.patcog.2008.09.014

2. Related works

In the (t, n)-threshold mechanism proposed by Shamir [1], a dealer first constructs n shadows $(S_1, S_2, \ldots, S_n)$ from the secret S. Without t or more shadows, no one can restore the secret S. To divide S into n shadows, the dealer selects a large prime number m and generates a (t−1)-degree polynomial as

$$F(x) = (s_0 + a_1 x + \cdots + a_{t-1} x^{t-1}) \bmod m, \tag{1}$$

where $s_0 = S$ and the coefficients $(a_1, a_2, \ldots, a_{t-1})$ are randomly determined from integers within [0, m−1]. The dealer then computes

$$y_1 = F(1),\quad y_2 = F(2),\quad \ldots,\quad y_n = F(n). \tag{2}$$

Next, the dealer issues secret shadows $y_i$ to involved participants. Given any t pairs of $\{(i, y_i)\}_{i=1}^{n}$, involved participants can construct F(x) using the Lagrange interpolation polynomial. Thus, they can recover all coefficients $s_0, a_1, \ldots, a_{t-1}$ of F(x) to learn the secret S.

Applying Shamir's threshold mechanism to share a secret image, the retrieved image content is distorted, because all secret pixels have been truncated to the value within 0–250 [2,3,8–10]. To overcome this problem, the proposed scheme transforms the secret data into the base-m representation. Moreover, the sharing schemes based on Shamir's mechanism allow the participants to share only one secret value in F(x) [1,2,9,10]. To increase the secret capacity, the new method allows participants to embed (t−3) secret values in F(x) simultaneously. This enhances the practicality of the method for sharing large amounts of data.

As shown in Eq. (2), the generated secret shadows are meaningless. Delivering meaningless shadows over an insecure channel may attract the attention of malicious intruders. To eliminate this potential hazard, we apply the modulus operator to embed shadows into a host image; thus, we can obtain a meaningful shadow. The modulus operator can reduce the distortion of the embedded shadow image.

Tompa and Woll [6] demonstrate that Shamir's scheme is insecure against dishonest participants. Detecting fraudulent participants is important for the application of secret sharing schemes. Therefore, we design a cheater prevention mechanism that allows all participants to determine if a cheater exists. The security of the cheater detection mechanism is based on Rabin's signature algorithm. Furthermore, our sharing scheme allows authorized participants to losslessly reconstruct the host image after retrieving the secret image. Thus, the new scheme can preserve the values of the host image in F(x) and of the secret image.
The details of the novel sharing scheme are introduced in the next section.

3. The proposed scheme

There exist two main roles in the secret image sharing mechanism: an image holder H and a set of n involved participants $I = \{ID_1, ID_2, \ldots, ID_n\}$. H is responsible for generating and issuing shadows and certificates to involved participants.

3.1. Secret image sharing procedure

This procedure includes sharing, embedding, and protecting phases. First, H constructs n pairs of secret shadows. Then, H embeds them into a cover image to generate n meaningful shadow images; this avoids attracting attention to the secret image. To achieve cheater detection, H utilizes Rabin's digital signature mechanism [15] to create a certificate for each shadow image. Details of these phases are described in the following sections.

Assume that the grayscale host image O possesses M×N pixels, $O = \{p_i \mid i = 1, 2, \ldots, (M \times N)\}$. To share an $M_S \times N_S$ secret grayscale image among t participants, H utilizes the (t, n)-threshold technique to construct n shadow images of size M×N, where $3 < t \le n$. To enhance security, the pixels of S can be shuffled using a chaotic function before being processed [18].

3.1.1. Preliminaries

Step 1: H selects a prime modulus m.

Step 2: H transforms all pixels of the secret image into base-m representation, denoted as $S = \{s_j \mid j = 1, 2, \ldots, (M_S \times N_S \times \lceil \log_m 255 \rceil)\}$. For instance, if m = 7 and the original pixel values of the secret image are 66 and 251, we obtain $S = (1, 2, 3, 5, 0, 6)_7$. That is, we need $\lceil \log_m 255 \rceil$ digits to represent each pixel value of the secret image.

3.1.2. Sharing phase

Assume that the selected camouflage pixel in O is $p_i$, and the (t−3) shared secret values in S are $s_j, s_{j+1}, \ldots, s_{j+(t-4)}$.

Step 1: H transforms $p_i$ into base-m representation, denoted as $(p_{i2}, p_{i1}, p_{i0})_m$.

Step 2: H generates a (t−1)-degree polynomial for $p_i$ as

$$F_i(x) = \left(\sum_{k=4}^{t} s_{j+(k-4)}\, x^{k-4}\right) + p_{i0}\, x^{t-3} + p_{i1}\, x^{t-2} + p_{i2}\, x^{t-1} \bmod m. \tag{3}$$

For example, if t = 6, m = 7, $S = (1, 2, 3)_7$, and $p_i = 237 = (4, 5, 6)_7$, we obtain $F_i(x) = 1 + 2x + 3x^2 + 6x^3 + 5x^4 + 4x^5 \bmod 7$.

Step 3: H calculates n pairs of $(x_k, F_i(x_k))$, where $x_k$ is the serial number of $ID_k$, k = 1, 2, ..., n.

Step 4: Repeat the above steps until all secret values are processed.

3.1.3. Embedding phase

To diminish the distortion of the shadow images, we utilize the modulus operator to embed the shadow $F_i(x_k)$ into pixel $p_i$.

Step 1: Evaluate value b as

$$b = p_i \bmod m. \tag{4}$$

Step 2: Find the value of $d_k$ for k = 1, 2, ..., n.

$$d_k = F_i(x_k) - b. \tag{5}$$

Step 3: Compute $d'_k$ as

$$d'_k = \begin{cases} d_k & \text{if } -\frac{m-1}{2} \le d_k \le \frac{m-1}{2}, \\ d_k + m & \text{if } (-m+1) \le d_k < -\frac{m-1}{2}, \\ d_k - m & \text{if } \frac{m-1}{2} < d_k < m. \end{cases} \tag{6}$$

Step 4: Derive shadow pixel values $p'_{i,k}$ according to

$$p'_{i,k} = p_i + d'_k, \tag{7}$$

where $p'_{i,k}$ denotes the corresponding pixel value in shadow image $O'_k$ for $ID_k$.

Step 5: Adjust $p'_{i,k}$ if overflow or underflow occurs.

$$p'_{i,k} = \begin{cases} p'_{i,k} + m & \text{if } p'_{i,k} < 0, \\ p'_{i,k} - m & \text{if } p'_{i,k} > 255. \end{cases} \tag{8}$$

Step 6: Repeat the above steps until all $F_i(x_k)$'s are embedded.


Fig. 1. Example of the secret image sharing procedure. (a) host image; (b) secret pixels; (c) results of pixel p1 = 237; (d) results of pixel p2 = 254; (e) results of pixel p3 = 168; (f) results of pixel p4 = 50; (g) results of pixel p5 = 165; (h) results of pixel p6 = 203; (i) shadow images.

Note that each shadow image $O'_k$ is meaningful and similar to the host image O, which achieves the camouflage purpose.

Example 1. Assume that (t, n) = (4, 6) and m = 7. Figs. 1(a) and (b) illustrate the pixel values of the host and secret images, respectively. The base-7 representation of the secret image is $(66, 251) = (1, 2, 3, 5, 0, 6)_7$. From $s_1 = 1$ and $p_1 = 237 = (4, 5, 6)_7$, we can construct the polynomial as $F_1(x) = 1 + 6x + 5x^2 + 4x^3 \bmod 7$. From the value of $x_k$ listed in the left column of Fig. 1(c), we can obtain the corresponding $F_1(x_k)$. Since 237 mod 7 = 6, we find that b = 6. From Eqs. (5) and (6), we can derive $d_k$ and $d'_k$. According to Eq. (7), we obtain $p'_{1,k}$ shadow values of 240, 240, 235, 235, 236, and 234, as shown in Fig. 1(c). In the case that $p'_{2,k}$ incurs overflow or underflow, we reset its value by Eq. (8) as illustrated in Fig. 1(d). Process results of the rest of the pixels are provided in Figs. 1(e)–(h). The outcome of the six shadow images from Fig. 1(a) is demonstrated in Fig. 1(i).
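The sharing and embedding phases above, together with the retrieving phase of Section 3.2.2, worked through in Python as an added example (not code from the paper). The function names are assumptions, the inputs are the pixel values of Example 1, and the check on the serial numbers is an added precondition of the interpolation rather than a step the paper states.

```python
def to_base(value, m, width):
    """Base-m digits of value, most significant first, padded to width digits."""
    digits = []
    for _ in range(width):
        digits.append(value % m)
        value //= m
    if value:
        raise ValueError("value needs more than %d base-%d digits" % (width, m))
    return digits[::-1]


def share_pixel(p, secret_digits, xs, m):
    """Shadow pixels p'_{i,k} for host pixel p and t-3 secret digits (Eqs. 3-8)."""
    # Added precondition: equal x_k mod m give duplicate shares, and x_k = 0
    # mod m would expose the first secret digit, since F_i(0) = s_j.
    if any(x % m == 0 for x in xs) or len({x % m for x in xs}) != len(xs):
        raise ValueError("serial numbers must be distinct and nonzero modulo m")
    p2, p1, p0 = to_base(p, m, 3)                   # raises if m**3 <= p
    coeffs = list(secret_digits) + [p0, p1, p2]     # ascending powers, Eq. (3)
    half = (m - 1) // 2
    shadows = []
    for x in xs:
        y = sum(c * pow(x, e, m) for e, c in enumerate(coeffs)) % m
        d = y - p % m                               # Eqs. (4)-(5)
        if d < -half:                               # Eq. (6)
            d += m
        elif d > half:
            d -= m
        q = p + d                                   # Eq. (7)
        if q < 0:                                   # Eq. (8): underflow
            q += m
        elif q > 255:                               # Eq. (8): overflow
            q -= m
        shadows.append(q)
    return shadows


def poly_mul_linear(poly, root, m):
    """Multiply poly (ascending coefficients) by (x - root) modulo m."""
    out = [0] * (len(poly) + 1)
    for e, c in enumerate(poly):
        out[e] = (out[e] - root * c) % m
        out[e + 1] = (out[e + 1] + c) % m
    return out


def recover_pixel(points, m):
    """Secret digits and host pixel from t pairs (x_l, p'_{i,l}) (Eqs. 11-13)."""
    t = len(points)
    if len({x % m for x, _ in points}) != t:
        raise ValueError("serial numbers must be distinct modulo m")
    coeffs = [0] * t
    for l, (xl, shadow) in enumerate(points):
        y = shadow % m                              # Eq. (11)
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != l:
                basis = poly_mul_linear(basis, xj, m)
                denom = denom * (xl - xj) % m
        scale = y * pow(denom, -1, m) % m           # Lagrange weight in GF(m)
        for e, c in enumerate(basis):
            coeffs[e] = (coeffs[e] + scale * c) % m
    p0, p1, p2 = coeffs[t - 3:]                     # Eq. (12) coefficients
    return coeffs[:t - 3], (p2 * m + p1) * m + p0   # Eq. (13)


if __name__ == "__main__":
    shadows = share_pixel(237, [1], range(1, 7), 7)
    print(shadows)                                  # six shadow pixels of p1
    print(recover_pixel(list(zip(range(1, 7), shadows))[:4], 7))
```

Because each shadow pixel keeps the residue $F_i(x_k)$ modulo m even after the Eq. (8) adjustment, the interpolation returns the host pixel exactly; the three-digit representation requires $m^3 > 255$, so m = 5 is rejected.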


3.1.4. Protecting phase

The dealer can generate a certificate $Cert_k$ for $O'_k$ that can be used to guard against dishonest participants.

Step 1: H selects two large primes P and Q as secret keys and then computes R = P×Q, where 4|(P+1) and 4|(Q+1).

Step 2: H generates four modifiers as

 $\in QR_P \cap QR_Q$,  $\in QR_P \cap NQR_Q$,  $\in NQR_P \cap QR_Q$,  $\in NQR_P \cap NQR_Q$,   (9)

where $QR_G$ denotes the set of integers that are quadratic residues modulo G and $NQR_G$ denotes the set of integers that are quadratic nonresidues modulo G. Next, H publishes R, −1 , −1 , −1 and −1 . Example 2 illustrates how to obtain parameters , , , , −1 , −1 , −1 and −1 .

Step 3: H computes $z_k = Z(O'_k \| ID_k)$, where k = 1, 2, ..., n and Z( ) is a one-way hash function with 128-bit output.

Step 4: H computes $z'_k$ as

$z'_k = z_k \times$ , $c_k = 1$, if $z_k \in QR_P \cap QR_Q$,
$z'_k = z_k \times$ , $c_k = 2$, if $z_k \in QR_P \cap NQR_Q$,
$z'_k = z_k \times$ , $c_k = 3$, if $z_k \in NQR_P \cap QR_Q$,
$z'_k = z_k \times$ , $c_k = 4$, if $z_k \in NQR_P \cap NQR_Q$.   (10)

Step 5: H uses secret keys P and Q to compute a certificate $Cert_k$ for $O'_k$. Here, $Cert_k = (((z'_k)^{1/2} \bmod R) \,\|\, c_k)$.

Example 2. Assume that P = 7 and Q = 11; we find that R = 77. First, we determine the sets of quadratic residues for P and Q. Since $\{1^2, 2^2, 3^2, 4^2, 5^2, 6^2\} \bmod 7 = \{1, 2, 4\}$, we obtain $QR_P = \{1, 2, 4\}$ and $NQR_P = \{3, 5, 6\}$. Since $\{1^2, 2^2, 3^2, 4^2, 5^2, 6^2, 7^2, 8^2, 9^2, 10^2\} \bmod 11 = \{1, 3, 4, 5, 9\}$, we obtain $QR_Q = \{1, 3, 4, 5, 9\}$ and $NQR_Q = \{2, 6, 7, 8, 10\}$. According to Eq. (9), we set  = 4,  = 2,  = 3, and  = 6. We utilize the Euclidean algorithm to obtain the inverse of these parameters under the modulus R = 77 as follows [17]:

−1 = 1 mod 77, −1 = 58,
−1 = 1 mod 77, −1 = 39,
−1 = 1 mod 77, −1 = 103,
−1 = 1 mod 77, −1 = 13.

3.2. Secret image retrieving procedure

This procedure includes two phases: verifying and retrieving. Given any t shadow images with corresponding certificates, involved participants can cooperate to extract the original secret image and to losslessly recover the original host image. Moreover, they can detect if a cheater exists.

3.2.1. Verifying phase

Let $O'_l$ be a shadow image, where l = 1, 2, ..., t. For each pair of $(O'_l \| ID_l, Cert_l)$, involved participants can perform the following procedure to determine the validity of the shadows.

Step 1: Extract $c_l$ from $Cert_l = (((z'_l)^{1/2} \bmod R) \,\|\, c_l)$.

Step 2: Determine  l from {−1 , −1 , −1 , −1 } according to $c_l$.

Step 3: Compute $z'_l = ((z'_l)^{1/2} \bmod R)^2$.

Step 4: Compute $\hat{z}_l = z'_l \times$  l mod R.

Step 5: Compute $\hat{z}'_l = Z(O'_l \| ID_l)$ and compare it with $\hat{z}_l$. If they are the same, then $ID_l$ is valid; otherwise, $ID_l$ is invalid.

3.2.2. Retrieving phase

Step 1: Evaluate $y_{i,l}$ by

$$y_{i,l} = p'_{i,l} \bmod m, \tag{11}$$

where $p'_{i,l}$ denotes the pixel value in shadow image $O'_l$, for l = 1, 2, ..., t.

Step 2: Employ the Lagrange interpolation to derive a (t−1)-degree polynomial $F_i(x)$ from t pairs of $(x_l, y_{i,l})$, where

$$F_i(x) = \left(\sum_{k=4}^{t} s_{j+(k-4)}\, x^{k-4}\right) + p_{i0}\, x^{t-3} + p_{i1}\, x^{t-2} + p_{i2}\, x^{t-1} \bmod m. \tag{12}$$

Step 3: Extract (t−3) secret values $s_j, s_{j+1}, \ldots, s_{j+(t-4)}$ using Eq. (12).

Step 4: Restore the original pixel $p_i$ from Eq. (12) and transform the coefficients $p_{i2}, p_{i1}, p_{i0}$ to decimal representation as

$$(p_{i2}, p_{i1}, p_{i0})_m = p_i. \tag{13}$$

Step 5: Repeat the above steps until all secret digits are extracted.

Step 6: Transform all $s_j$ values to decimal representation to restore the secret image.

Step 7: Collect all $p_i$ values to reconstruct the host image $O = \{p_i \mid i = 1, 2, 3, \ldots, (M \times N)\}$.

4. Security analysis and experimental results

In this section, we analyze the security and conduct simulations to demonstrate the practicability of the new scheme.

4.1. Security analysis

Assume that I ⊂ I is a minimal subset of authorized participants that can cooperate to reveal the secret S. The probability that participants of $\hat{I} \subset I$ can correctly reconstruct S is $m^{-\lceil \log_m 255 \rceil (M_S \times N_S)/(t-3)}$ according to Theorem 1, where $|\hat{I}| = t - 1$. This guarantees that the secret image cannot be restored by $\hat{I}$. In addition, a dishonest participant $ID_l \in I$ is unable to fool others with a fake shadow image according to Theorem 2. The security of Theorem 2 is based on two well-known cryptographic assumptions: the secure one-way hash function and solving the square roots of modulus R, which is as difficult as factorizing R = P×Q [16,17].

Theorem 1. The probability that involved participants of $\hat{I}$ will correctly recover S is $m^{-\lceil \log_m 255 \rceil (M_S \times N_S)/(t-3)}$.

See Appendix A for proof. For instance, if S is a 256×256 grayscale image, then the probability of obtaining S from fewer than four members is $7^{-\lceil \log_7 255 \rceil (256 \times 256)/(4-3)} = 7^{-3 \times 256 \times 256/1} = 7^{-196608}$ $2^{-520175}$. Thus, the proposed scheme satisfies the security requirement.

Theorem 2. Any involved member can determine if cheater $ID_l$ intends to provide a false shadow image to fool others.

See Appendix B for proof.

4.2. Simulation results

Test images with size 512×512 pixels used in the simulations are shown in Fig. 2, and the secret sharing image Jet (F16) is set to 256×256 pixels. The peak signal-to-noise ratio (PSNR) is used to measure the image qualities of the shadow images. The formula of PSNR is described as follows:

$$PSNR = 10 \log_{10}\left(\frac{255^2}{MSE}\right)\ \text{dB}. \tag{14}$$

The mean square error (MSE) of an image with M×N pixels is defined as

$$MSE = \frac{1}{M \times N} \sum_{i=1}^{M \times N} (p_i - \tilde{p}_i)^2, \tag{15}$$

where $p_i$ is the original pixel value and $\tilde{p}_i$ is the processed pixel value of the shadow image.

Fig. 2. Test images. (a) Baboon; (b) Cameraman; (c) Clown; (d) Couple; (e) Fruits; (f) House; (g) Jet (F16); (h) Lena; (i) Peppers; (j) Sailboat; (k) Splash; (l) Tiffany; (m) Painting1; (n) Painting2; (o) Painting3.

We set the system parameters as m = 7 and t = 4. Table 1 displays the quality of the shadow images. It is obvious that no matter what we use as the carrier, the PSNR value of the shadow image remains satisfactory. Fig. 3 demonstrates the visual perception of the test image Fruits. Figs. 3(a)–(d) show the results for the four shadow images. Since the distortion is slight, it is difficult to distinguish between the host image and the shadow image. We extract the secret image Jet (F16) as shown in Fig. 3(e) and reconstruct the original host image without distortion as shown in Fig. 3(f).

Table 1. The PSNR values (dB) of the shadow images for common images, t = 4

| Test image | Shadow 1 | Shadow 2 | Shadow 3 | Shadow 4 |
|---|---|---|---|---|
| Baboon | 43.44 | 43.36 | 43.36 | 43.35 |
| Cameraman | 43.23 | 43.33 | 43.35 | 43.32 |
| Clown | 43.53 | 43.40 | 43.38 | 43.35 |
| Couple | 43.40 | 43.30 | 43.32 | 43.32 |
| Fruits | 43.22 | 43.28 | 43.32 | 43.31 |
| House | 41.98 | 42.55 | 43.45 | 43.22 |
| Jet (F16) | 43.48 | 43.34 | 43.36 | 43.37 |
| Lena | 43.40 | 43.35 | 43.34 | 43.37 |
| Peppers | 43.28 | 43.36 | 43.35 | 43.36 |
| Sailboat | 43.34 | 43.34 | 43.33 | 43.38 |
| Splash | 43.47 | 43.38 | 43.35 | 43.35 |
| Tiffany | 43.30 | 43.36 | 43.36 | 43.36 |
| Painting 1 | 43.20 | 43.37 | 43.36 | 43.34 |
| Painting 2 | 43.28 | 43.38 | 43.38 | 43.35 |
| Painting 3 | 43.36 | 43.35 | 43.35 | 43.37 |

To emphasize the practicality of our method, we use calligraphy images as the carrier. Table 2 displays the experimental results. Because we know that the pixel values of the calligraphy image are distributed drastically, they approximate to either 0 or 255. This often results in underflow and overflow, making it difficult to reconstruct a lossless host image. In the new method, we utilize the modulus operator to prevent underflow and overflow in order to obtain a lossless host image. As shown in Fig. 4, the transparency of the shadow images is acceptable, and there is no distortion of the reconstructed host images. The distortion of shadow images is slight, even though we have altered the white regions in the calligraphy images.

Table 2. The PSNR values (dB) of the shadow images for calligraphy images

| Test image | Shadow 1 | Shadow 2 | Shadow 3 | Shadow 4 |
|---|---|---|---|---|
| Calligraphy 1 | 38.31 | 37.96 | 39.47 | 38.99 |
| Calligraphy 2 | 42.49 | 43.09 | 42.76 | 42.67 |
| Calligraphy 3 | 43.11 | 42.73 | 42.98 | 42.82 |
| Calligraphy 4 | 40.27 | 40.41 | 40.58 | 40.44 |

Fig. 3. Results of Fruits. (a) the shadow image 1: PSNR = 43.22 dB; (b) the shadow image 2: PSNR = 43.28 dB; (c) the shadow image 3: PSNR = 43.32 dB; (d) the shadow image 4: PSNR = 43.31 dB; (e) the extracted secret image; (f) the reconstructed image.

Fig. 4. Results of calligraphy images. (a) a shadow image from Calligraphy1; (b) the restored Calligraphy1; (c) a shadow image from Calligraphy2; (d) the restored Calligraphy2; (e) a shadow image from Calligraphy3; (f) the restored Calligraphy3; (g) a shadow image from Calligraphy4; (h) the restored Calligraphy4.

4.3. Discussion

Fig. 5(a) illustrates a normal distribution histogram for the image Fruits. The histograms of the dark image Couple and the bright image Tiffany are shown in Figs. 5(b) and (c), respectively. According to the simulation results, the new scheme can be applied to different luminous images. The histograms of the calligraphy images are shown in Figs. 5(d)–(f). Compared with normal shadow images, the image quality of the calligraphy shadow images is reduced (see Tables 1 and 2). This is due to the fact that the distortion $d'_k$ in Eq. (7) is within $[-(m-1)/2, (m-1)/2]$. Once underflow or overflow occurs in Eq. (8), the distortion $d'_k$ is adjusted as

$$d'_k = \begin{cases} d'_k + m & \text{if } p_i + d'_k < 0, \\ d'_k - m & \text{if } p_i + d'_k > 255. \end{cases}$$

Thus, $d'_k$ is within (−m, +m).

Fig. 5. The histogram of the test images. (a) the histogram of fruits; (b) the histogram of couple; (c) the histogram of Tiffany; (d) the histogram of Calligraphy1; (e) the histogram of Calligraphy3; (f) the histogram of Calligraphy4.

To preserve the lossless requirement, we need three digits to record a pixel $p_i$ of the host image in Eq. (3). Thus, the degree of the polynomial must be larger than three (i.e., $t \ge 4$). To share the secret image for t = 2 and t = 3, we assume that the selected pixel in O is $p_i$ and that the secret value in S is $s_j$.

Case 1: t = 2. We generate two shadow pixels $p'_{i,1}$ and $p'_{i,2}$ for two participants as

$$p'_{i,k} = \begin{cases} p_i + s_j & \text{for } k = 0, \\ p_i - s_j & \text{for } k = 1. \end{cases}$$

We retrieve the secret $s_j$ and losslessly restore the original pixel $p_i$ as

$$p_i = \frac{p'_{i,0} + p'_{i,1}}{2}, \qquad s_j = \frac{p'_{i,0} - p'_{i,1}}{2}.$$

Case 2: t = 3. To construct a polynomial with degree (t−1), we use two digits to record $p_i$. We divide $p_i$ into base-m representation, denoted as $(p_{i1}, p_{i0})_m$. It is clear that if we want to represent the grayscale value of 255 with two digits, the value of m must be larger than or equal to 17 ($255 = (15, 0)_{17}$). We follow the same procedure to generate the shadow images and to restore the secret and host images.

Table 3 compares the PSNR values of shadow images for the proposed method and for related works. The size of the secret image is 256×256 pixels. The new method allows participants to obtain a better quality shadow image than in other methods.

Table 3. The PSNR (dB) of shadow images; test images are 512×512

| Scheme | Baboon | Fruits | Lena | Splash | Tiffany |
|---|---|---|---|---|---|
| Ref. [9] | 39.31 | 39.30 | 39.31 | 39.36 | 39.28 |
| Ref. [10] | 40.12 | 40.10 | 40.11 | 40.15 | 40.14 |
| Ours | 43.38 | 43.28 | 43.37 | 43.39 | 43.39 |

Table 4 describes the maximum size of the secret image that we can embed into the 512×512 host image. The embedding capacity increases with t. Note that no matter how many secret pixels are embedded into the host image, the PSNR of the shadow image is still acceptable. Under the same condition, [9] and [10] are limited to a maximum of 256×256 pixels.

Table 4. The maximum capacity under different t's

| t | Capacity (secret pixels) | PSNR (dB) |
|---|---|---|
| 4 | 295×295 | 42.06 |
| 6 | 512×512 | 42.05 |
| 8 | 660×660 | 42.08 |
| 9 | 724×724 | 42.06 |
| 11 | 839×836 | 42.07 |
| 13 | 934×934 | 42.06 |
| 15 | 1024×1024 | 42.06 |

We also compare related works in terms of functionality. As presented in Table 5, the new method outperforms others in most cases.

Table 5. Functionality comparisons between related secret image sharing mechanisms and the novel scheme

| | Ref. [3] | Ref. [4] | Ref. [5] | Ref. [8] | Ref. [9] | Ref. [10] | Ours |
|---|---|---|---|---|---|---|---|
| Cheater detection | No | No | No | Yes | Yes | Yes | Yes |
| (t, n)-threshold | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Meaningful shadow image | No | Yes | Yes | No | Yes | Yes | Yes |
| Quality of shadow images (dB) | – | – | – | – | 39.31 | 40.12 | 43.36 |
| Lossless secret image | Yes | No | No | Yes | No | Yes | Yes |
| Lossless host image | No | No | No | No | No | No | Yes |
| Capacity | | | | | (M×N)/4 | (M×N)/4 | M×N×(t−3)/3 |

Employing Rabin's signature cryptosystem, the new method allows involved participants to determine if a cheater exists. This can effectively enhance the security of the secret image sharing mechanism and is guaranteed by Theorem 2. Furthermore, involved participants can cooperate to reveal a complete secret image. In Yang et al.'s method [10], the secret shadow image is meaningful; this reduces the risk of attracting intruder attention. Moreover, the new scheme is superior to [9] and [10] in terms of the average quality of shadow images. Only the new method allows authorized members to restore a lossless secret image and a distortion-free host image. This demonstrates practicality for artistic and medical images. Furthermore, for an M×N host image, we can embed a secret image with size M×N×(t−3)/3 pixels. According to the analysis in Table 5, the new method still outperforms others in this capacity.
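The certificate generation of Section 3.1.4 and the verifying phase of Section 3.2.1, which the discussion above credits for cheater detection, as an added Python example (not code from the paper). The function names, the truncated SHA-256 standing in for the unspecified 128-bit hash Z, and the two public Mersenne primes used as demo keys are assumptions; called with P = 7 and Q = 11, the modifier search returns the values 4, 2, 3 and 6 of Example 2.

```python
import hashlib

# Constructed demo keys (assumption, not from the paper): two Mersenne primes,
# both congruent to 3 mod 4, so 4 | (P + 1) and 4 | (Q + 1) as Step 1 requires.
# They are public numbers chosen to keep the demo short; real keys are secret.
P = 2**89 - 1
Q = 2**127 - 1
R = P * Q


def is_qr(a, prime):
    """Euler's criterion; a multiple of the prime counts as a residue (root 0)."""
    return pow(a, (prime - 1) // 2, prime) != prime - 1


def residue_class(z, p, q):
    """Case index c of Eq. (10): 1 (QR,QR), 2 (QR,NQR), 3 (NQR,QR), 4 (NQR,NQR)."""
    return 1 + 2 * (not is_qr(z, p)) + (not is_qr(z, q))


def find_modifiers(p, q):
    """Smallest integer >= 2 in each class of Eq. (9), keyed by case index."""
    found, a = {}, 2
    while len(found) < 4:
        if a % p and a % q:                 # modifiers must be invertible mod R
            found.setdefault(residue_class(a, p, q), a)
        a += 1
    return found


def digest(shadow, identity, r):
    """z = Z(O' || ID) reduced mod R; SHA-256 cut to 128 bits is an assumption."""
    raw = hashlib.sha256(shadow + identity).digest()[:16]
    return int.from_bytes(raw, "big") % r


def sqrt_mod(a, p, q):
    """A square root of a modulo p*q for primes p, q = 3 (mod 4), joined by CRT."""
    rp, rq = pow(a, (p + 1) // 4, p), pow(a, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def make_certificate(shadow, identity, p, q, modifiers):
    """Holder side (Steps 3-5): needs the secret factors p and q."""
    z = digest(shadow, identity, p * q)
    c = residue_class(z, p, q)
    # Multiplying by the modifier of the same class makes z' a square mod p and q.
    return sqrt_mod(z * modifiers[c] % (p * q), p, q), c


def verify_certificate(shadow, identity, cert, r, inverses):
    """Participant side (Section 3.2.1): needs only R and the published inverses."""
    root, c = cert
    if c not in inverses:
        return False
    return pow(root, 2, r) * inverses[c] % r == digest(shadow, identity, r)


MODIFIERS = find_modifiers(P, Q)
INVERSES = {c: pow(a, -1, R) for c, a in MODIFIERS.items()}

if __name__ == "__main__":
    shadow = bytes([240, 240, 235, 235, 236, 234])    # constructed shadow pixels
    cert = make_certificate(shadow, b"ID1", P, Q, MODIFIERS)
    print(verify_certificate(shadow, b"ID1", cert, R, INVERSES))
    altered = bytes([241]) + shadow[1:]               # one pixel changed
    print(verify_certificate(altered, b"ID1", cert, R, INVERSES))
```

Verification uses only the public values, while producing the square root in `make_certificate` requires the factors of R, which is the hardness assumption Theorem 2 relies on.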

5. Conclusions

This article proposes a novel secret image sharing mechanism. Theorem 1 ensures that a group with fewer than t shadow images is unable to recover the secret image, while Theorem 2 guarantees that involved participants are capable of detecting cheaters. For normal host images, experimental results show that the new method is applicable to calligraphy images, which often lead to underflow or overflow in image processing. The new method can share a larger secret image than other methods and allows participants to restore a lossless secret image and to reconstruct a distortion-free host image.

Appendix A. Proof of Theorem 1

Proof. From Eq. (1), we have the (t−1)-degree sharing polynomial in the form of $F_i(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1} \bmod m$, to protect (t−3) secret values. According to the solution space of the Lagrange interpolating polynomial, if we have fewer than t constraints for an equation $F_i(x)$ with degree (t−1) and $F_i(x)$ is guaranteed to have at least one solution, then we have infinite solutions in $Z_m$. That is, given (t−1) pairs of $(x_l, F_i(x_l))$ for l = 1, 2, ..., (t−1), involved participants of $\hat{I}$ can construct the following equation:

$$F_i(x) = \sum_{l=1}^{t-1} F_i(x_l) \prod_{j=1,\, j \ne l}^{t-1} \frac{x - x_j}{x_l - x_j} \bmod m = a_0 + a_1 x + \cdots + a_{t-2} x^{t-2} \bmod m.$$

Besides $(x_1, F_i(x_1)), (x_2, F_i(x_2)), \ldots$, and $(x_{t-1}, F_i(x_{t-1}))$, $(0, a'_0)$ is a solution of the equation. It is clear that $a'_0$ can be an arbitrary integer in $Z_m$. Thus, there are at least m solutions for $F_i(x)$ in integer space. Let the event of hitting the (t−3) secret digits be $E_j$ for $j = 1, 2, \ldots, (M_S \times N_S \times \lceil \log_m 255 \rceil/(t-3))$. Thus, we have $\Pr[E_j] = \Pr[a_0 = s_j, a_1 = s_{j+1}, \ldots, a_{t-4} = s_{j+(t-4)}] = 1/m$. Since the chaotic function has disarranged all pixels in S, no digit correlates with its neighbors. Thus, the probability of correctly hitting each (t−3) secret digit is an independent event. Hence, we have $\Pr[E_i \cap E_j] = \Pr[E_i] \cap \Pr[E_j]$, for $i, j = 1, 2, \ldots, (M_S \times N_S \times \lceil \log_m 255 \rceil/(t-3))$ and $i \ne j$. Since we need $\lceil \log_m 255 \rceil$ digits to present each pixel value of S, the probability Pr[S] of obtaining S from the cooperation of participants of $\hat{I}$ is

$$\begin{aligned} \Pr[S] &= \Pr[E_1 \cap E_2 \cap \cdots \cap E_{(M_S \times N_S \times \lceil \log_m 255 \rceil/(t-3))}] \\ &= \Pr[E_1] \cap \Pr[E_2] \cap \cdots \cap \Pr[E_{(M_S \times N_S \times \lceil \log_m 255 \rceil/(t-3))}] \\ &= \prod_{j=1}^{M_S \times N_S \times \lceil \log_m 255 \rceil/(t-3)} \Pr[E_j] \\ &= m^{-\lceil \log_m 255 \rceil (M_S \times N_S)/(t-3)}. \end{aligned}$$

Appendix B. Proof of Theorem 2

Proof. Given a pair of (Of DIl , Certl ), we perform the following to verify the shadow, where Of is a false shadow image. According to Certl , we can obtain cl which can be used to decide l from {−1 , −1 , −1 , −1 }. We then compute

zˆ l = Z(Of IDl ) and zˆ = l ((zl )1/2 mod R)2 mod R mod R = l zl −1 l

= zl

= Z(Ol IDl ). Since the output of Z( ) is extremely sensitive to the input, we can easily distinguish zˆ l from zˆ l to detect that Of is false. There are two possible ways for a cheater IDl to provide a false shadow image in order to fool others in the cooperation. Case 1: IDl generates an Of such that Z(Of IDl ) = Z(Ol IDl ). Then IDl provides (Of IDl , Certl ) in the cooperation; thus, involved participants are convinced of the certificate, but they cannot reconstruct the secret image S. However, it is computationally infeasible for IDl to figure out Of under the assumption of the secure one-way hash function. Case 2: IDl generates an Of and a corresponding certificate Certf as follows. Step 1: Compute zl = Z(Of IDl ). Step 2: Compute zl  such that zl = zl × 

and cl = 1,

zl = zl ×  zl = zl ×  zl = zl × 

and

cl = 2,

if zl ∈ QRP ∩ NQRQ,

and

cl = 3,

if zl ∈ NQRP ∩ QRQ,

and cl = 4,

if zl ∈ QRP ∩ QRQ,

if zl ∈ NQRP ∩ NQRQ.

Step 3: Construct Certf = ((zl )1/2 mod R)cl ). Given (Of IDl , Certl ), involved members can compute zˆ l = Z(Of IDl ). They can further extract cl to determine l from

P.-Y. Lin et al. / Pattern Recognition 42 (2009) 886 -- 895

{−1 , −1 , −1 , −1 } and compute zˆ l = l ((zl )1/2 mod R)2 mod R mod R = l zl −1 l

= zl

= Z(Of IDl). Obviously, zˆ l shall be equal to zˆ l. This implies that the involved participants must believe in the validity of (Of IDl, Certf), although this equation does not contribute to the recovery of the secret image. In this way, IDl has to compute square roots modulo R in Steps 2 and 3. Since finding square roots modulo R is known to be as difficult as factoring R = P×Q, it is computationally infeasible for IDl to succeed in this attempt under that assumption. □
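The hardness claim in the proof rests on the standard equivalence between extracting square roots modulo R and factoring R = P×Q. The following Python sketch is an added example, not code from the paper: it shows that the holder of P and Q computes all four roots easily, and that anyone able to produce two essentially different roots of the same square immediately obtains a factor of R. The toy primes, the choice P ≡ Q ≡ 3 (mod 4), and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy parameters (assumption): small primes with P ≡ Q ≡ 3 (mod 4).
# A real Rabin modulus uses primes of 1024 bits or more.
P, Q = 10007, 10039
R = P * Q

def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p ≡ 3 (mod 4)."""
    r = pow(a, (p + 1) // 4, p)
    if (r * r - a) % p:
        raise ValueError("a is not a quadratic residue mod p")
    return r

def sqrt_mod_R(a, p, q):
    """All four square roots of a mod p*q, computed from the factors via CRT."""
    rp, rq = sqrt_mod_prime(a % p, p), sqrt_mod_prime(a % q, q)
    n = p * q
    inv_q = pow(q, -1, p)  # q^-1 mod p
    inv_p = pow(p, -1, q)  # p^-1 mod q
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * inv_q + sq * p * inv_p) % n)
    return sorted(roots)

def factor_from_roots(x, y, n):
    """Given x^2 ≡ y^2 (mod n) with x ≢ ±y (mod n), return a nontrivial factor of n."""
    if (x * x - y * y) % n or x % n in (y % n, (-y) % n):
        raise ValueError("need two essentially different roots of the same square")
    return gcd(x - y, n)

def demo():
    """Signer side: four roots from (P, Q). Reduction: two roots give a factor of R."""
    x = 123456                      # constructed sample value, coprime to R
    a = x * x % R
    roots = sqrt_mod_R(a, P, Q)
    other = next(y for y in roots if y not in (x % R, (-x) % R))
    return roots, factor_from_roots(x, other, R)

if __name__ == "__main__":
    roots, factor = demo()
    print("roots:", roots)
    print("recovered factor of R:", factor)
```
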

About the Author—PEI-YU LIN received the MS degree in computer science and information engineering from National Chung Cheng University, Chiayi, Taiwan, in 2004. She is currently pursuing her Ph.D. degree in computer science and information engineering from National Chung Cheng University, Chiayi, Taiwan. Her current research interests include digital watermarking, image protection, data mining, and information security.

About the Author—JUNG-SAN LEE received the BS degree in computer science and information engineering from National Chung Cheng University, Chiayi, Taiwan in 2002. He received his Ph.D. degree in computer science and information engineering in 2008 from National Chung Cheng University, Chiayi, Taiwan. Since 2008, he has been working as an Assistant Professor in the Department of Information Engineering and Computer Science at Feng Chia University, Taichung, Taiwan. His current research interests include electronic commerce, information security, cryptography, and mobile communications.

About the Author—CHIN-CHEN CHANG received his BS degree in applied mathematics in 1977 and his MS degree in computer and decision sciences in 1979, both from National Tsing Hua University, Hsinchu, Taiwan. He received his Ph.D. in computer engineering in 1982 from National Chiao Tung University, Hsinchu, Taiwan. During the academic years of 1980–1983, he was on the faculty of the Department of Computer Engineering at the National Chiao Tung University. From 1983 to 1989, he was on the faculty of the Institute of Applied Mathematics, National Chung Hsing University, Taichung, Taiwan. From 1989 to 2004, he worked as a Professor in the Institute of Computer Science and Information Engineering at National Chung Cheng University, Chiayi, Taiwan. Since 2005, he has been working as a Professor in the Department of Information Engineering and Computer Science at Feng Chia University, Taichung, Taiwan. Dr. Chang is a Fellow of IEEE, a Fellow of IEE and a Member of the Chinese Language Computer Society, the Chinese Institute of Engineers of the Republic of China, and the Phi Tau Phi Society of the Republic of China. His research interests include computer cryptography, data engineering, and image compression.