1
Number theory based{k, n} Visual
Cryptography Scheme For Color Images
Mohsen Heidarinejad, Karl Martin and Konstantinos N. Plataniotis
The Edward S. Rogers Sr. Department of ECE,
University of Toronto
E-mail: {mohsen,kmartin,kostas}@comm.utoronto.ca
Abstract
An efficient and secure visual secret sharing scheme suitable for transmission of color images is
introduced and discussed in this paper. The scheme employs number theory concepts and the pixel level
representation of the color image to derive reciprocal encryption and decryption procedures. Using the
input color image, the scheme generatesn shares which are then distributed to participants. Any subset
of k or more participants can perfectly reconstruct the original image using their shares. The perfect
reconstruction and the no pixel expansion properties make the proposed secret sharing scheme ideal
for transmitting color images over un-trusted, bandwidth limited communication channels. Experimental
results and comparative evaluations included in this work confirm the efficiency and effectiveness of
the solution.
I. INTRODUCTION
With rapid growth in the area of communication systems and network, large amounts of
visual data are transmitted over networks. Encryption is used to protect these types of data
from unauthorized access. The confidentiality of transmitted visual data can be obtained through
data hiding techniques and visual cryptography. Data hiding, a form of steganography, embeds
data into digital media for the purpose of identification, annotation, and copyright [1]. These
techniques try to modify the original image and transmit it in an imperceptible way [2]. On
the other hand, visual cryptography is based on the idea of secret sharing whereby, a secret is
shared between a set of participants. In visual cryptography or visual secret sharing schemes,
September 7, 2007 DRAFT
2
the secret is an image and encryption is done by using digital processing algorithm. In early
visual cryptography schemes, decryption was performed using the human eye and no complex
cryptographic techniques were needed. A dealer distributes the generated image shares to par-
ticipants and, based on the sharing policy, the shares must not reveal any information about
the original input image. In other words, none of these participants can independently decode
the secret image based on their share only. According to the sharing policy, only some defined
coalition of participants can recover the input image by polling their shares. Visual cryptography
has applications in information hiding, visual identification, authentication and image protection
[3],[4]. This paper introduces a{k, n} visual secret sharing scheme for transmission of color
images over bandwidth limited and un-secure communication channels. However the proposed
framework can also be applied on gray-scale images. The visual cryptography scheme proposed
here operates directly on the pixels of the color images in the RGB representation. In visual
cryptography schemes, two factors are used to determine the performance and effectiveness,
namely:1) the quality of the reconstructed image and2) pixel expansion (m). The quality of the
recovered image is related to the perfect reconstruction property. With regards to the quality of
the reconstructed image, the various visual cryptography schemes in the literature vary in their
reconstructed output image quality. However, some applications require perfect reconstruction,
such as in law enforcement where an image may be used for evidentiary purposes. On the
other hand, pixel expansion refers to the number of subpixels(m) in the share image required
to represent a single pixel in the original input image, and as a result affects the size of the
generated shares. Obviously in the context of bandwidth-constraint communications, the size of
the shares must be controlled. The larger the pixel expansion factor(m), the more bandwidth
is required for transmitting the generated shares through communication channels. It should
be noted that color images occupy much more space and consume more bandwidth compared
to gray scale and binary images. As a result it is important to develop color image visual
cryptography scheme with no pixel expansion (m = 1) and perfect reconstruction. Most of the
previous research works in the area of visual cryptography attempted to develop schemes that
either optimize pixel expansion or focus on perfect reconstruction but they did not attempt to
optimize both of these factors simultaneously. In [5], the size of the generated shares is half
of the size of the input image but the clarity of the recovered image is proportional to the
number of shares that were used in decryption procedure, i.e., the original input image can be
September 7, 2007 DRAFT
3
completely recovered only if all of the generated shares were used during decryption. Minimizing
the pixel expansion factor(m) for a given reconstructed image clarity level is considered in [6]
but for any level of image clarity it can not achievem = 1. The method in [7] considers any
pixel color value to belong to a set withc elements and thus develops a scheme with a pixel
expansion factor ofc. However, that decreases the resolution of the input image by factorc. In
[8], optimizing the expansion factor for the case of{n, n} (using all of the generated shares) is
considered. Generation of meaningful shares based on threshold arrays is developed in [9] but
it can not perfectly recover the original input image. The SFCOD (space filling curve ordered
dither) method in [10] is utilized to transform a gray-level image into an image with fewer gray
scale values. The size of the generated shares is the same as the original input image but the
solution can not perfectly reconstruct the original input secret. The solution in [11] attempts
to balance pixel expansion and perfect reconstruction for a{2, n} scheme with the quality of
the recovered image depending on the expansion factor of the scheme. The higher the value
of the pixel expansion factor, the better the achieved quality at decryption. A scheme without
pixel expansion for both gray level and chromatic images was introduced in [12]. This scheme
encodes a number of successive pixels each time using only two basis matrices. However, it can
not perfectly recover the input image. In [13], boolean operations are used to drive a probabilistic
{2, n} scheme for binary images and a deterministic{n, n} scheme for gray scale images. Both
of these schemes do not expand the size of the generated shares in comparison to original input
image i.e.m = 1, but it can not perfectly reconstruct the original input image. Their gray scale
scheme exactly reconstructs the original input image, however all of the generated shares are
needed in the decryption procedure. In [14], a visual secret sharing scheme which preserves
the aspect ratio of the recovered image is considered but its shares have an expansion factor
greater than one and it can not perfectly reconstruct the original input image. In [15], the authors
develop a visual cryptography algorithm that has minimum pixel expansion compared to [8] and
[16]. The bit level based visual secret sharing scheme for color images is considered in [17]. It
operates directly on the bit planes of the original secret image. This solution recovers the original
input image perfectly because of the reciprocality of its encryption and decryption functions,
but it has a pixel expansion factor ofm = 4. In order to control pixel expansion, in [18],
[19] and [20] dithering and half-toning methods are used but such steps decrease the quality
of the reconstructed image. In [21], the tradeoff between the contrast and pixel expansion of
September 7, 2007 DRAFT
4
the proposed scheme is discussed. Since none of the previously developed schemes can achieve
the pixel expansion ofm = 1 while ensuring perfect reconstruction, we develop a visual secret
sharing scheme satisfying these characteristics. In the employed RGB representation of color
images the range of each color channel pixel is a natural number between0 and 255, but any
data represented in a finite field may be used. Accordingly, number theory algorithms (mainly
the Bezout lemma [22]) are utilized to develop the proposed visual secret sharing scheme. Some
generated numbers using specified prime factors are used for share generation.
The rest of this paper is organized as follows. The required number theory fundamentals and
the full proposed scheme described are presented in section II. Design characteristics of the
encryption and decryption functions are analyzed in detail. Experimental results using a variety
of input images and application scenarios are shown in section III. Comparisons to other schemes
are also provided in this section. Finally, our discussion is concluded in section IV.
II. PROPOSED METHOD
A visual cryptography scheme based on number theory concepts is presented in this section.
The system level diagram of the proposed{k, n} visual secret sharing scheme is depicted in
Fig. 1. The solution consists of two main parts : encryption (Fig. 1b) and decryption (Fig. 1c).
In encryption, a set ofn numbersχ = {xi ∈ N|i = 1, ..., n andxi 6= 1} with properties to
be discussed in sectionB are applied to the original input image (S) to generaten noise like
images (SHi where1 ≤ i ≤ n) as the shares which are given to participants. In decryption, any
coalition of participants withk or more members poll their shares to recover the secret input
image(SR). As discussed in following parts the main characteristics of our algorithm are perfect
reconstruction of the original input image, i.e.S = SR, and no pixel expansion(m = 1), i.e.
the generated shares, the reconstructed and the original input image have the same dimension.
A. Preprocessing
The original input image that we want to share isS with dimension(K1×K2). We use RGB
as a standard representation but any8-bit integer, unsigned trichromatic representation would
suffice. Thus, a given color imageS is usually represented in RGB space asS : Z2 → Z3. In
other words it is viewed as a(K1×K2) matrix with each of its pixels considered to be a three-
dimensional vector. A color pixel in the RGB space is defined by the value of its red, green and
September 7, 2007 DRAFT
5
blue spectral components. Each spectral band is represented by eight bits taking values between
0 and28 − 1. Thus, each color pixel is represented using24 bits according to the formula:
S(i,j) = [s(i,j)1, s(i,j)2, s(i,j)3] (1)
where(i, j) (for i = 1, 2, ..., K1 and j = 1, 2, ..., K2) and c = 1, 2 or 3 are the spatial position
and color channels respectively withc = 1 denoting theR component,c = 2 denoting theG
component andc = 3 indicating theB component. In the rest of this paper we will show a
given color imageS as follows :
S , [S1, S2, S3] (2)
whereSc is a (K1 ×K2) matrix such that all of its elements are the value ofcth channel ofS
pixels.
Permutation is firstly performed on the original input image to ensure that the generated shares
do not reveal image details fromS. It decreases the correlation between pixels inS and increases
the randomness of the generated shares [23]. A square permutation matrix contains only one1 in
each row and column and the rest of its elements are ‘zeros’. For example a(3×3) permutation
matrix is as follows :
0 1 0
0 0 1
1 0 0
The permutation on each image channel ofSc is performed using the same two matricesP1 and
P2 with dimensions(K1 ×K1) and (K2 ×K2) respectively such that
Spc = (P1 × Sc)× P2 (3)
whereSpc is the permutated version ofSc. As it can be seen,P1 andP2 are applied to permute
rows and columns ofSc respectively. It should be noted that if the input image is square(K1 =
K2) the size ofP1 andP2 will be the same and as a result one permutation matrix is sufficient.
We define the complete permuted image as
Sp = [Sp1, Sp2, Sp3] (4)
Permutation matrices must be sent in addition to the generated shares. If communication resources
need to be conserved, the permutation matrices can be compressed greatly due to their sparse
September 7, 2007 DRAFT
6
nature (i.e., using lossless compression) without affecting the overall performance. Suppose that
a permutation matrix of dimension(K1×K1) should be compressed. The compression procedure
is performed using the following code. Each row of this matrix contains only one1 element,
hence to transmit this matrix knowing this position which ish (1 ≤ h ≤ K1) is enough. After
compression ofP1, the representation is an integer vectors as follows,
P1−com = [P1,1, P1,2, . . . , P1,K1 ],
whereP1,j denotes the position of the ‘one’ in thejth row of P1. P2 can be coded similarly to
produceP2−com. As a result, for transmission of this permutation matrix, at mostK1dlog2 K1ebits are required. Since without compressionK2
1 bits are needed to send this matrix, the com-
pression ratio is K1
dlog2 K1e . This amount of information is negligible in comparison to the RGB
representation of the original input image. For example for transmission of a given512 × 512
screen size color image, the number of bits required for share transmission is512×512×24, and
the number of bits required for transmission of the compressed version of permutation matrix
is at most512× log2 512 which is approximately less than0.001 of color image information.
B. Encryption
Having Sp as the permuted version of the original input image, encryption is then performed
on it. To develop our{k, n} visual secret sharing scheme, some fundamental concepts of number
theory are needed. Since the proposed visual cryptography solution applies on the pixel values
of the RGB representation ofS, after introducing the required number theory concepts, a secret
sharing method for sharingp ∈ Fq (finite field with q elements) is defined and is subsequently
extended for a visual cryptography scheme. It should be noted at this point that the RGB color
image visual secret sharing scheme discussed here is applicable to any input secret (assuming
that takes values on the field of integer numbers). Detail analysis of the cryptographic properties
are beyond the scope of this submission and it will be the subject of a forthcoming submission.
1) Fundamental concepts:The following theorems are used in developing the proposed secret
sharing scheme.
Theorem 1 (prime factorization):Every integern > 1 can be represented uniquely as a prod-
uct of prime factors, some of which may be equal to another one [24].
Proof : The proof of this theorem can be found in [24].
September 7, 2007 DRAFT
7
Theorem 2 (Bezout lemma):Let us assume thatg is the greatest common divisor ofx1, x2, . . . , xn ∈Z (hereafterg = gcd(x1, x2, . . . , xn)). Then∃ s1, s2, . . . , sn ∈ Z such that
s1x1 + · · ·+ snxn = g
Proof : The proof of the theorem is given in [22].
2) Proposed secret sharing scheme:Let us assume that numberρ ∈ Fq is to be shared between
n participants using a{k, n} secret sharing scheme such that any subset of these participants with
k or more elements can recoverρ by polling their shares, while any coalition of participants with
k − 1 or less members are prohibited to gain any information aboutρ. We define the complete
participant index setP n as well as the arbitrary subsetP nt ⊂ P n with cardinality t, where
1 ≤ t ≤ n. We denote an individual elementinj ∈ P nt using the ordered index, where1 ≤ j ≤ t.
Similarly, we haveχ = {x1, . . . , xn}, χt = {xi|∀i ∈ P nt } and gcd(χt) , gcd(xi1 , . . . , xit). We
define the two different scenarios1 ≤ t ≤ k − 1 which results in anunqualifiedparticipant set
P nt , whereask ≤ t ≤ n results in aqualified participants set. According to the concepts from
the preceding section, ifχ is generated such that
gcd(χt) =
1 t ≥ k
other t < k(5)
then theith share ofρ can be computed as follows
shi = xi · ρ modq (6)
and we define the complete set of all generated shares asSh = {sh1, . . . , shn}. Similarly we
defineSht = {shi|∀i ∈ P nt } as the subset of shares to be polled by cooperating participants.
It should be noted that knowingshi without havingxi does not give any information aboutρ.
In other words, ifH(ρ) is the uncertainty aboutρ, thenH(ρ|shi) = H(ρ). If we havet ≥ k
so thatP nt constitutes a qualified subset of participants, then based on (5),gcd(χt) = 1 and
according to the Bezout lemma,∃ s = {si|∀i ∈ P nt , si ∈ Z} such that
∑i∈P n
tsishi = 1. Given
the subset of sharesSht = {shi|∀i ∈ P nt } and having knowledge ofs, we can combine the
September 7, 2007 DRAFT
8
shares to completely recover the original input(ρ) as follows:
ρ = [∑i∈P n
t
sishi] modq
= [∑i∈P n
t
sixiρ] modq
= [∑i∈P n
t
sixi]ρ modq
= 1 · ρ modq
= ρ
It should be noted that ift < k, P nt constitutes an unqualified participant set and as a result@ s
such that∑
i∈P nt
sixi = 1 and accordinglyρ 6= p. It means that every coalition of the participants
with k or more member can perfectly recover the secret while any subset of participants with
k − 1 or less members can not gain any information about the secret.
One of the important system requirements is that the permutation matrices should not be
accessible by each of participants independently, because it would allow each participant to
independently detect structural patterns from the original image within their respective shares.
As a solution, after coding the permutation matrices, the integer codes are shared using the
described secret sharing scheme. SinceP1−com andP2−com are sufficient to recover the permu-
tation matrices, sharing them leads to the fact that none of participant can independently gain
information about the permutation matrices. Let
sh′i,1 = xi · P1−com modKj
be ith share ofP1−com. The shares ofP2−com are generated in the same fashion. We define
Sh′= {(sh′i,1, sh′i,2)|1 ≤ i ≤ n} as the complete set of all generated shares of the coded version
of permutation matrices. LetSh′t ⊂ Sh
′be an arbitrary subset ofSh with cardinality t. For
t ≥ k, based on (5),∃s = {si|∀i ∈ P nt } such that
∑i∈P n
tsixi = 1. As a result
P1−com =∑i∈P n
t
sish′i,1 modK1
=∑i∈P n
t
sixiP1−com modK1
= P1−com(∑i∈P n
t
sixi) modK1
= P1−com
September 7, 2007 DRAFT
9
On the other hand, according to (5), fort ≤ k − 1 as an unqualified subset of participants@
s = {si|∀i ∈ P nt } such that
∑i∈P n
tsixi = 1. Hence, just qualified subsets of participants can
perfectly recover the permutation matrices.P2−com can be computed similarly.
3) Number generation algorithm:Having previously demonstrated the fact thatχ with the
properties discussed can be used to develop secret sharing schemes, we turn our attention to a
methodology which allows us to generatexi ∈ χ , 1 ≤ i ≤ n. The algorithm minimizes the
number of prime factors which are needed to generate each element ofχ in order to reduce
the computational complexity of our sharing algorithm. For a{k, n} secret sharing scheme,
the number of necessary prime factors depends onk and n. Our solution assigns a matrix
representation to then numbers (xi) that we expect to generate. For notational purposes, we
defineC(u, v) ,
u
v
= u!
v!(u−v)!wherev ≤ u andu, v ∈ N. Let us assume that everyxi has
C(n, k− 1) factors. We will prove that this is the minimum number of prime factors which are
needed to generate the elements ofχ with our desired property (5) for a{k, n} secret sharing
solution. Let{p1, . . . , pC(n,k−1)} be theC(n, k − 1) random candidate prime factors needed for
generation of eachxi. We defineAn×C(n,k−1) = [a(k,n)(ij) ], 1 ≤ i ≤ n and1 ≤ j ≤ C(n, k − 1) as
the prime factors look-up table denoting which primepj is a factor inxi, where
a(k,n)(ij) =
1 if pj is a factor inxi
0 otherwise(7)
In other words, theith row of An×C(k−1,n) is a representation of the prime factors ofxi giving
us
xi =
C(n,k−1)∏j=1
pa(k,n)(ij)
j (8)
Having A as a look up table matrix, the property in (5) reduces to finding matrixA with the
following properties:
1) Considering each column separately, any subset of its elements withk or more elements
should contain at least one ‘zero’ element. This means that each column must contain a
maximum ofk − 1 ‘ones’.
2) For any arbitrary set oft < k rows, there exists a column1 ≤ j ≤ C(n, k − 1) within
these rows containing elements all equal to ‘one’.
September 7, 2007 DRAFT
10
In other words, satisfying the two following conditions leads to generating numbers with desired
property in (5).
1) ∀k ≤ t ≤ n and∀1 ≤ j ≤ C(n, k − 1), ∃i ∈ P nt such thata(k,n)
(ij) = 0 (property1)
2) ∀t < k and∀i ∈ P nt , ∃1 ≤ j ≤ C(n, k − 1) such thata(k,n)
(ij) = 1 (property2)
The first condition implies that∀t ≥ k there is no column for whichpj is a common factor of
χt; that isgcd(χt) = 1. The second condition means that∀t < k, there is apj that is a common
factor of χt; that is gcd(χt) ≥ pj. It can be seen from these properties thatA must contain
C(n, k − 1) columns because it is equal to the number of ways to construct binary vector of
n elements such that any subset of its elements withk − 1 or less elements are all ‘one’ and
any subset of its elements withk or more elements contains at least a ‘zero’. Later we prove it
using Pascal triangle concept. Based on this definition, it can be seen that
Ai×C(i,1) = Ii (9)
whereIi is the identity matrix withi rows and1 ≤ i ≤ n. Also, we define
Ai×C(i,i) = Ai×1 =[
1 1 . . . 1]T
(i×1)(10)
It should be noted thatAi×1 in (10) is not used for a legitimate secret sharing scheme. It is
simply a construct in the algorithm to be described. Knowing these matrices, the following
theorem explains how to constructAn×C(n,k−1) recursively.
Theorem 3 (Number generation algorithm):The matrix representation for the numbers that
are used in a{k, n} secret sharing scheme can be constructed as follows :
An×C(n,k−1) =
An−1×C(n−1,k−1) An−1×C(n−1,k−2)
01×C(n−1,k−1) 11×C(n−1,k−2)
(11)
where01×C(n−1,k−1) and11×C(n−1,k−2) are row vectors composed ofC(n− 1, k− 1) ‘zeros’ and
C(n− 1, k − 2) ‘ones’ respectively.
Proof : The proof is given in the appendix.
Here, we compute the exact number ofA columns. Letcol(n, k) denotes the number of
columns ofAn×C(n,k−1). According to the property of matrixA
col(n, k) = col(n− 1, k) + col(n− 1, k − 1) (12)
September 7, 2007 DRAFT
11
andcol(i, 2) = i andcol(i, i+1) = 1 where1 ≤ k ≤ n and1 ≤ i ≤ n. Based on Pascal triangle
definition [25], col(n, k) is kth element ofnth row of Pascal triangle. Thus, based on Pascal
triangle definition , the number ofAn×C(n,k−1) is equal to
col(n, k) = C(n, k − 1) (13)
Example: Suppose that we want to generateA4×C(4,2) i.e. the matrix representation for the
numbers which are used in a{3, 4} secret sharing scheme.
A4×C(4,2) =
A3×C(3,2) A3×C(3,1)
0 1
=
A3×C(3,2) A3×C(3,1)
0 0 0 1 1 1
We know thatA3×C(3,1) = I3. Hence
A4×C(4,2) =
A3×C(3,2)
1 0 0
0 1 0
0 0 1
0 0 0 1 1 1
=
A2×C(2,2) A2×C(2,1)
0 1
1 0 0
0 1 0
0 0 1
0 0 0 1 1 1
Based on our definition,A2×C(2,2) =
1
1
andA2×C(2,1) = I2. ThenA3×C(3,2) =
1 1 0
1 0 1
0 1 1
and finally
A4×C(4,2) =
1 1 0 1 0 0
1 0 1 0 1 0
0 1 1 0 0 1
0 0 0 1 1 1
SinceA4×C(4,2) has six (C(4, 2)) columns, then six candidate prime factors are needed in the
construction ofxi. For example, letp1 = 2, p2 = 3, p3 = 5, p4 = 7, p5 = 11, p6 = 13 be the
given candidate prime factors. Based on the rows ofA4×C(2,4) and (8), the required numbers are
generated as follows :
x1 = (2)1 × (3)1 × (5)0 × (7)1 × (11)0 × (13)0 = 42
x2 = (2)1 × (3)0 × (5)1 × (7)0 × (11)1 × (13)0 = 110
x3 = (2)0 × (3)1 × (5)1 × (7)0 × (11)0 × (13)1 = 195
x4 = (2)0 × (3)0 × (5)0 × (7)1 × (11)1 × (13)1 = 1001
September 7, 2007 DRAFT
12
If we randomly choose any subset of these numbers with2 elements, they have at least one
common factor. For examplex2 andx3 have5 as a common factor, and as a result,gcd(x2, x3) 6=1. Based on the properties of matrixA4×C(4,2), if a subset of these numbers with3 or 4 elements
is randomly selected, their elements are relatively prime to each other.
It should be noted that the number generation algorithm is deterministic and only has to be
performed once for a given(k, n). Consequently, sincexi must remain secret from one secret
sharing instance to another, the set of candidate prime factorspj should be varied from one
instance to the next.
4) Security ofxi: The valuesxi must remain secret to unqualified participants in order to
maintain the security of the shares. Given thatq is public and theith participant is givenshi,
knowledge ofxi would reveal information about the secretρ; from (6) the attacker could solve
for ρ, producing one or more possible solutions for the secret. To enhance the confidentiality of
xi, they must be generated with a wide range of possible values so that they are secure against
on exhaustive search attack. Here we compute the number of possible values thatxi can take as
a function ofPmax (the upper bound of candidate prime factor) as well ask andn. After that,
we use the bit level based secret sharing scheme in [17] to share eachxi independently.
Suppose that all candidate prime factors should be less than or equal toPmax. There is no
exact function to compute the number of prime factors less than or equal toPmax, but Gauss
and Legendre proved that it is asymptotically equal to
#prime =Pmax
ln Pmax
(14)
for large values ofPmax. For a{k, n} secret sharing scheme, as discussed before,C(n, k − 1)
candidate prime factors are needed. There areC(#prime, C(n, k−1)) ways to chooseC(n, k−1)
candidate prime factors out of#prime elements. Also, the order of any selectedC(n, k − 1)
candidate prime factors can be changed by(C(n, k−1))! ways. Each of the resulted pattern can
be utilized for generation of each ofxi. As a result the approximate number of possible values
of xi (#x) can be computed approximately as follows.
#x = C(#prime, C(n, k − 1)) · (C(n, k − 1))! · n =(b#primec)!
(b#primec − C(n, k − 1))!· n (15)
Fig. 2 depictslog2 #x vs. #prime as a measure of security of thexi for different values of
{k, n}. Hence#prime should be set large enough to achieve a certain desired level of security.
September 7, 2007 DRAFT
13
For example, according to Fig. 2, for a{3, 4} sharing scheme, setting#prime to 459 achieves
the equivalent of approximately56 bits of security. Once the desired#prime is set,Pmax can
be determined from a look up table, or approximately from (14), which is3253 in this case.
The solution that is utilized to prohibit participants from knowingxi independently is to use
the {k, n} bit level based secret sharing proposed in [17]. There aren secrets(x1, . . . , xn) and
we share each of them independently using this solution. Since the scheme in [17] can perfectly
recover the input secret, there is not any loss during this procedure. We defineshare = [xi,j]
(1 ≤ i, j ≤ n) as the matrix representation of the generated shares of the elements ofχ. The ith
row is equal to
fe(xi) = (xi,1, . . . , xi,n) (16)
where fe(·) is the encryption function which is used in [17]. The random nature of thexi,j
leads to the fact that none of the generated shares can independently revealxi. Suppose that
a qualified subset of participantsP nt wheret ≥ k want to recoverχt, according to the perfect
reconstruction property of the algorithm in [17]
fd(xi,in1, . . . , xi,int
) = xi
wherefd(·) is the decryption function. This secret sharing scheme is secure and simple. It should
be noted that we do not apply it on the original input image data because the pixel expansion
factor is m = 4. In this case of sharingxi, if xmax is the largest valuexi can take, then each
sharexi,j requires4 · dlog2 xmaxe bits to represent it. To compute the upper bound onxi we need
to know how many candidate prime factors are involved in generation ofxi. In other words,
according to the definition of matrixA, we should compute the number of ‘ones’ in each row
of A. The following Theorem describes this.
Theorem 4:The number of ‘ones’ in each row ofAn×C(n,k−1) is equal toC(n− 1, k − 2).
Proof of this theorem can be find in the appendix.
We note thatxmax is produced when the candidate prime factors are chosen as the highest
possible values for a givenPmax. If the prime factorspj are arranged in increasing order,
according to Theorem4, we get
xmax = xn =
C(n,k−1)∏
i=C(n−1,k−2)+1
pi (17)
September 7, 2007 DRAFT
14
The amount of overhead required for sharingxi (n · 4 · dlog2 xmaxe) is negligible because in
real time applicationsn is limited. For example, for a{3, 4} sharing scheme, and choosing
approximately56 bits of security for the choice ofxi, we get from Fig. 2#prime ' 459. Using
(14), we findPmax ' 3253 results inxmax = 3229 · 3251 · 3253 = 65231. Therefore, the total
number of bits required for shared transmission ofχ to theith participant isn ·4 · dlog2 xmaxe =
560, which is negligible compared to a typical image share size.
5) Visual share generation:The previous parts1) to 4) describes a generic secret sharing
scheme. For the visual secret sharing, let us assume that upon completing the permutation step
(i.e. computingSp = [Sp1, Sp2, Sp3]) the dealer generatesn numbersx1, . . . , xn according to our
proposed number generation algorithm. Theith generated share is defined as follows :
SHi = (xi × Sp) mod256 (18)
where1 ≤ i ≤ n for a {k, n} visual secret sharing scheme. From the definition it is obvious that
the dealer computes the remainder of the multiplication operation of each pixel in the permuted
input image and valuexi according to equation (18). By construction, the size of the generated
image share in (18) is(K1×K2) with 8 bits per pixel per channel, thus matching the dimension
of the original input image. Therefore, it can be claimed that the proposed scheme has resulted
in no pixel expansion.
C. Decryption
Based on [17], any qualified subset of participants(P nt ) can perfectly recoverχt. Havingχt,
according to (5), fort ≥ k, gcd(χt) = 1 and based on Bezout lemma∃s = {si|i ∈ P nt } such
that∑
i∈P nt
sixi = 1. This qualified subset of participants computes
SP nt
=∑i∈Pt
siSHi mod256 (19)
which is equal toSp because
SP nt
=∑i∈P n
t
siSHi mod256
=∑i∈P n
t
sixiSp mod, 256
=∑i∈P n
t
(sixi)Sp mod256
= Sp (20)
September 7, 2007 DRAFT
15
Also, P nt , for t ≥ k, can perfectly recover the coded permutation matricesP1−com andP2−com.
Having the coded permutation matrices, the permutation matrices can be easily recovered. The
existence of inverse of permutation matrices is proved in the appendix. The reconstructed version
of S is
SR = (R−1 × SP nt)× C−1 (21)
Since the permutation process is invertible, the reconstructed image is the same as the original
input image. In other words,SR = S. It should be noted that since fort < k @s = {si|i ∈ P nt }
such that∑
i∈P nt
sixi = 1, as a result the members ofP nt as an unqualified subset of participants
can not gain any information about the original input image. According to the above discussion,
the visual cryptography scheme proposed here can perfectly recover the original input image.
Also, as stated in section II-B.5, it does not expand the generated shares in comparison to the
input image.
The visual secret sharing scheme proposed here is perfect in that zero information about the
secret is revealed for an unqualified group ofk − 1 or fewer participants [26]. LetH(ρ) refers
to the uncertainty inρ. We tell that a secret sharing scheme is perfect if and only if
H(ρ|Sht) =
0 t ≥ k
H(ρ) t ≤ k − 1(22)
Based on (5),gcd(χt) 6= 1 for t ≥ k and since as a result@ s such that∑
i∈P nt
sixi = 1, P nt
can not reconstruct the image. In comparison to our proposed visual secret sharing solution,
the scalable scheme presented in [5] is not perfect because any subset of participant can get
information about the secret image proportional to the cardinality of the subset.
In visual cryptography, contrast factor is often considered a measure of evaluating the perfect
reconstruction property. Let us defineεP ni
as the contrast factor of the reconstructed image using
P ni where0 ≤ εP n
i≤ 1 and1 ≤ i ≤ n. Specifically
εP ni
= 1−∑K1
i=1
∑K2
j=1 |(SR(i,j)− S(i,j))|
256 · (K1 ×K2)(23)
where(K1 ×K2) is the dimension ofS. The greater the value ofεi, the better the quality of
the reconstructed image using shares ofP ni . In [27], authors define types I and II optimal visual
cryptography schemes based on the contrast of the reconstructed image. Letν(n,m) be the class
September 7, 2007 DRAFT
16
of all visual cryptography schemes withn participants and pixel expansionm. Given k, n and
m, we define :
1) A visual cryptography scheme is type I optimal inν(n,m) if it belongs toν(n,m) and
has maximumε = 1C(n,k)
∑P n
k ⊂P n εP nk
over ν(n,m).
2) A visual cryptography scheme is type II optimal inν(n,m) if it belongs toν(n,m) and
has maximumεmin = minP nk ⊂P n εP n
kover ν(n,m).
We note that in [27], only{2, n} schemes are considered. We have simply applied the
definitions of type I and II optimality to{k, n} visual cryptography by considering the case
of qualified participant subsetsP nk . Hence the notationP n
k ⊂ P n describes all unique subsets of
P n with k elements. Since the proposed here visual cryptography scheme can perfectly recover
the original input image for every coalition of participants withk or more elements,∀t ≥ k
εP nt
= 1. It means that over all visual cryptography schemes which do not expand the generated
shares, our proposed scheme is optimal and can perfectly recover the original input image. It
means that our proposed scheme is both type I and II optimal. Fork = 2, it outperforms the
scheme in [27] because their achieved bounds areε ∼= εmin∼= 1
4< 1.
III. E XPERIMENTAL RESULTS
Experimental results to confirm the characteristics of the number theory based visual secret
sharing scheme are provided in this section. Comparison are made with the solutions in [28]
and [5] by applying them on the same color input image. Two main parameters to evaluate the
provided results are perfect reconstruction and pixel expansion. Based on the simulation results,
the proposed visual cryptography scheme here can be applied on different types of color images
for various applications. Finally, the effect of the permutation matrices is examined.
Fig. 3 shows the result of implementing the{2, 2} proposed visual secret sharing scheme on
a flower image depicted in Fig. 3(a). As it can be seen, the original input image (Fig. 3(a)), the
generated shares (Fig. 3(b) and Fig. 3(c)) and the recovered image (Fig. 3(d)) have the same
size, i.e. the expansion factor of our proposed scheme is one(m = 1). Visual inspection of
the generated shares shows that no information from the original image can be seen in any of
shares. Visual and numeric inspection of the reconstructed image show that perfect reconstruction
is obtained. As a result the proposed solution is applicable to transmit color images over un-
trusted, bandwidth constrained communication channels. The result of this experiment is similar
September 7, 2007 DRAFT
17
to [29] but the proposed solution in [29] can be applied in a{2, 2} scheme only.
In Fig. 4 we use the same image (Fig. 3(a)) to show the performance of{2, 3} schemes. Same
as Fig. 3, the generated shares (Figs. 4(b), 4(c), 4(d)) are not expanded in comparison to the
original input image and do not reveal any information about the secret input image. Figs. 4(e),
4(f), 4(g), and 4(h) show the reconstructed image by combining shares1 and2, 1 and3, 2 and
3 and all the generated shares, respectively. The reconstructed image is the same as the original
input image in all four cases. It confirms that any subset of participant with2 or 3 elements can
perfectly recover the input image.
For comparison, the{2, 2} scheme that was proposed in [28] is implemented in Fig. 5. It can
be seen that unlike our solution, the size of the generated shares and the recovered image is four
times of the original input image. Also, it can not perfectly recover the original input image.
Thus, it is not a cost effective scheme for transmission of color images over bandwidth limited
communication channel.
As another example, the solution in [5] in multi secret mode is implemented as shown in
Fig. 6 for n = 4. The size of the generated shares is half of the original input image. If all of the
generated shares are used, the scheme can perfectly recover the input image, while using two
or three shares reveals just part of the image that depends on the number of the shares are used.
As previously stated, this scheme is not perfect in that while perfect reconstruction is obtained
when polling alln shares, image information is revealed with share combinations numbering
less thann.
We apply the proposed scheme on different natural color images to confirm that the proposed
scheme can be used for different types of original input images, such as a face image (Fig. 7),
a natural outdoor image (Fig. 8), a surveillance frame image (Fig. 9), and a scanned document
(Fig. 10). Visual inspection of the results confirms that the original secret image, the generated
shares and the reconstructed image have the same size. Also, the recovered image is the same
as the original input image.
Fig. 11 shows the difference between sharing the image with permutation and without. In both
of them, the size of the generated shares is the same as the original input secret and they perfectly
recover the input image. However, when the permutation is not applied to the proposed visual
secret sharing scheme, the generated shares (Figs. 11(f) and 11(g)) reveal information about the
secret image and as a result the scheme is not secure. This demonstrates the requirement of the
September 7, 2007 DRAFT
18
permutation matrices, and that they must be kept secret from individual participants.
IV. CONCLUSION
A new {k, n} visual secret sharing scheme based on number theory was considered in this
paper. It operates directly on the pixels of the original secret image. In comparison to prior works
in this area, this proposed visual cryptography scheme does not expand the generated shares in
comparison to the input image and can perfectly recover the input image without any loss.
To increase the security of the generated shares, permutation is performed before encryption.
Experimental results in this paper confirm that the new solution can be applied for transmission
of color images through bandwidth limited, untrusted communication channels.
APPENDIX
Proof: [Theorem3] We should prove that for{k, n} secret sharing, the generated matrix
An×C(n,k−1)satisfies the following two properties.
1) ∀k ≤ t ≤ n and∀1 ≤ j ≤ C(n, k − 1), ∃i ∈ P nt such thata(k,n)
(ij) = 0 (property1)
2) ∀t < k and∀i ∈ P nt , ∃1 ≤ j ≤ C(n, k − 1) such thata(k,n)
(ij) = 1 (property2)
It follows that for {k, n− 1}, we haveAn−1×C(n−1,k−1) with the properties
1) ∀ k ≤ t ≤ n − 1 and ∀1 ≤ j ≤ C(n − 1, k − 1), ∃i ∈ P n−1t such thata(k,n−1)
(ij) = 0
(property 1a)
2) ∀t < k and∀i ∈ P n−1t , ∃1 ≤ j ≤ C(n− 1, k − 1) such thata(k,n−1)
(ij) = 1 (property 2a)
Similarly, for {k − 1, n− 1} we haveAn−1×C(n−1,k−2)
1) ∀ k − 1 ≤ t ≤ n− 1 and∀1 ≤ j ≤ C(n− 1, k − 2), ∃i ∈ P n−1t such thata(k−1,n−1)
(ij) = 0
(property 1b)
2) ∀t < k− 1 and∀i ∈ P n−1t , ∃1 ≤ j ≤ C(n− 1, k− 2) such thata(k−1,n−1)
(ij) = 1 (property
2b)
ConsideringAn−1×C(n−1,k−1), if a′zero
′row is added, giving us the extended matrix
A′n−1×C(n−1,k−1) =
An−1×C(n−1,k−1)
01×C(n−1,k−1)
(24)
September 7, 2007 DRAFT
19
It can be seen that property1 for {k, n} is satisfied inA′n−1×C(n−1,k−1). ConsideringAn−1×C(n−1,k−2),
if a ’one’ row is added, giving us the extended matrix
A′′n−1×C(n−1,k−2) =
An−1×C(n−1,k−2)
11×C(n−1,k−2)
(25)
It can again be seen that property1 for {k, n} is satisfied inA′′n−1×C(n−1,k−2). It follows from
the above that for
An×C(n,k−1) =[
A′n−1×C(n−1,k−1) A
′′n−1×C(n−1,k−2)
](26)
property 1 for {k, n} is still satisfied. In order to prove thatAn×C(n,k−1) from (26) satisfies
property2 for {k, n}, we examine two possible cases of unqualified arbitrary participants subsets
P nt , t < k :
1) If n /∈ P nt (the last row is not included in the arbitrary subset), then property2 is satisfied
from A′n−1×C(n−1,k−1) as a result of property2a for {k, n− 1}.
2) If n ∈ P nt (the last row is included in the arbitrary subset) then property2 is satisfied
from A′′n−1×C(n−1,k−2) as a result of property2b for {k− 1, n− 1}. This can be seen from
the fact that adding a row of′ones
′does not break the condition set by property2.
Proof: [Theorem4] According to (11), the last row ofAn×C(n,k−1) hasC(n − 1, k − 2)
‘ones’. It can be seen that the second last row ofAn×C(n,k−1) also hasC(n − 1, k − 2) ‘ones’
becauseAn−1×C(n−1,k−1) andAn−1×C(n−1,k−2) haveC(n− 2, k − 2) andC(n− 2, k − 3) ‘ones’
in their last row, respectively, and based on the Pascal equality
C(n− 2, k − 2) + C(n− 2, k − 3) = C(n− 1, k − 2)
According to the recursive nature ofA, it can be concluded that each row has exactlyC(n −1, k − 2) ′ones′.
Lemma 1 (Existence of the inverse of the permutation matrix):Each permutation matrixP1
(or P2) with size (K1 ×K1) (or (K2 ×K2)) has an inverse.
Proof: We proof this lemma forP1. The details forP2 is the same. Suppose that
P1 = [P11|P12|...|P1K1 ]
whereP1i is ith column ofP1 (1 ≤ i ≤ K1). Now suppose thatPT1 ×P1 = Q, whereQ = [Qij]
and1 ≤ i, j ≤ K1 (Qij are the element ofQ). For 1 ≤ t ≤ K1, Qtt = P1t
⊙P1t = 1 where
⊙
September 7, 2007 DRAFT
20
is the inner product operation and for1 ≤ i, j ≤ K1 and i 6= j, Qij = P1i
⊙P1j = 0 because
P1i and P1j are two vectors that have only one1 in different position. As a resultQ is the
identity matrix. SincePT1 × P1 = I it means thatP1 has an inverse.
REFERENCES
[1] W. Bender, D. Gruhl, N. Morimoto, and A. Lu, “Techniques for data hiding,”IBM Systems Journal, vol. 35, no. 3/4,
pp. 313–336, 1996.
[2] F. Petitcolas, R. Anderson, and M. Kuhn, “Information hiding-a survey,”Proceedings of the IEEE, vol. 87, no. 7, pp. 1062–
1078, 1999.
[3] M. Naor and B. Pinkas, “Visual Authentication and Identification,”Lecture Notes in Computer Science, vol. 1294, p. 322,
1997.
[4] C. Chang and J. Chuang, “An image intellectual property protection scheme for gray-level images using visual secret
sharing strategy,”Pattern Recognition Letters, vol. 23, no. 8, pp. 931–941, 2002.
[5] R. Wang and S. Shyu, “Scalable secret image sharing,”Signal Processing: Image Communication, vol. 22, no. 4, pp. 363–
373, 2007.
[6] P. Eisen and D. Stinson, “Threshold Visual Cryptography Schemes with Specified Whiteness Levels of Reconstructed
Pixels,” Designs, Codes and Cryptography, vol. 25, no. 1, pp. 15–61, 2002.
[7] E. Verheul and H. van Tilborg, “Constructions and Properties of k out of n Visual Secret Sharing Schemes,”Designs,
Codes and Cryptography, vol. 11, no. 2, pp. 179–196, 1997.
[8] C. Blundo, A. Bonis, and A. Santis, “Improved Schemes for Visual Cryptography,”Designs, Codes and Cryptography,
vol. 24, no. 3, pp. 255–278, 2001.
[9] E. Myodo, S. Sakazawa, and Y. Takishima, “Visual Cryptography Based on Void-And-Cluster Halftoning Technique,”
Image Processing, 2006 IEEE International Conference on, pp. 97–100, 2006.
[10] Y. Hsu and L. Chang, “A new construction algorithm of visual crytography for gray level images,”Circuits and Systems,
2006. ISCAS 2006. Proceedings. 2006 IEEE International Symposium on, p. 4, 2006.
[11] L. Fang and B. Yu, “Research on pixel expansion of (2,n) visual threshold scheme,”Pervasive Computing and Applications,
2006 1st International Symposium on, pp. 856 – 860, Aug 2006.
[12] Y. Hou and S. Tu, “Visual cryptography techniques for color images without pixel expansion,”journal of information,
technology and society, vol. 4, no. 1, pp. 95–110, 2004.
[13] D. Wang, L. Zhang, N. Ma, and X. Li, “Two secret sharing schemes based on boolean operations,”Pattern Recognition,
vol. 40, pp. 2776–2785, Oct 2007.
[14] C. Yang and T. Chen, “Reduce shadow size in aspect ratio invariant visual secret sharing schemes using a square block-wise
operation,”Pattern Recognition, vol. 39, no. 7, pp. 1300–1314, 2006.
[15] S. Shyu, “Efficient visual secret sharing scheme for color images,”Pattern Recognition, vol. 39, no. 5, pp. 866–880, 2006.
[16] C. Yang and C. Laih, “New Colored Visual Secret Sharing Schemes,”Designs, Codes and Cryptography, vol. 20, no. 3,
pp. 325–336, 2000.
[17] R. Lukac and K. Plataniotis, “Bit-level based secret sharing for image encryption,”Pattern recognition, vol. 38, no. 5,
pp. 767–772, 2005.
September 7, 2007 DRAFT
21
[18] Y. Hou, C. Lin, and C. Chang, “Visual cryptography for color images without pixel expansion,”Journal of Technology,
vol. 16, no. 4, pp. 595–603, 2001.
[19] Y. Hou and S. Tu, “A Visual Cryptographic Technique for Chromatic Images Using Multi-pixel Encoding Method,”Journal
of Research and Practice in Information Technology, vol. 37, no. 2, p. 179, 2005.
[20] R. Ito, H. Kuwakado, and H. Tanaka, “Image Size Invariant Visual Cryptography,”IEICE TRANSACTIONS on Fundamen-
tals of Electronics, Communications and Computer Sciences, vol. 82, no. 10, pp. 2172–2177, 1999.
[21] C. Yang and T. Chen, “Size-Adjustable Visual Secret Sharing Schemes,”IEICE Transactions on Fundamentals of
Electronics, Communications and Computer Sciences, vol. 88, no. 9, p. 2471, 2005.
[22] J. Tignol,Galois’Theory of Algebraic Equations. World Scientific, 2001.
[23] C. Thien and J. Lin, “Secret image sharing,”Computers & Graphics, vol. 26, no. 5, pp. 765–770, 2002.
[24] C. Gauss, “Disquisitiones Arithmeticae, 1801. English translation by Arthur A. Clarke,” 1986.
[25] A. Edwards,Pascal’s Arithmetical Triangle. Oxford University Press, 1987.
[26] E. Karnin, J. Greene, and M. Hellman, “On secret sharing systems,”Information Theory, IEEE Transactions on, vol. 29,
no. 1, pp. 35–41, 1983.
[27] M. Bose and R. Mukerjee, “Optimal (2, n) visual cryptographic schemes,”Designs, Codes and Cryptography, vol. 40,
no. 3, pp. 255–267, 2006.
[28] Y. Hou, “Visual cryptography for color images,”Pattern Recognition, vol. 36, no. 7, pp. 1619–1629, 2003.
[29] M. Heidarinejad and K. Plataniotis, “A karnaugh map based{2, 2} visual cryptography scheme for color images,”Submitted
for publication, Pattern Recognition Journal, June 2007.
September 7, 2007 DRAFT
22
S Permutation
Compression
Sp
P1,P2P1-com
P2-comSharing Sh’
(a)
Sp Encryption
SH1
SH2
.
.
.
.
.
SHn
k,n Number generation
x1,…,xn
Bit level basedsecret sharing
Sh’
SHARE
Channel
(b)
SH1
SH2
.
.
.
SHn
} Using k or more shares
SHAREtDecryption of bit level based secret sharing
Decryption SR
Sh’t Decryption of
secret sharing Recovering of permutation
matrices
P1-com
P2-com
P1,P2
tχ
(c)
Fig. 1. The sequence of operations in the proposed scheme: (a) preprocessing (b) encryption (c) decryption
0 50 100 150 200 250 300 350 400 450 5000
10
20
30
40
50
60
#prime
log2(#
x)
(k,n)=(2,2)(k,n)=(2,3)(k,n)=(2,4)(k,n)=(3,4)
Fig. 2. Thelog2 of the number of possible values of#x as a function of#prime (14)
September 7, 2007 DRAFT
23
(a) (b) (c) (d)
Fig. 3. The proposed method (tested for a color image){2, 2}: (a) Original image (b) Share 1 (c) Share 2 (d) Reconstructed
image
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 4. The proposed method (tested for a color image){2, 3}: (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e)-(h)
Reconstructed image using Shares 1 and 2, Shares 1 and 3, Shares 2 and 3, Shares 1,2 and 3
September 7, 2007 DRAFT
24
(a) (b) (c) (d)
Fig. 5. The proposed scheme in [28]{2, 2} (tested for a color image): (a) Original image (b) Share 1 (c) Share 2 (d)
Reconstructed image
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 6. The proposed scheme in [5] forn = 4 (tested for a color image): (a) Original image (b) Share 1 (c) Share 2 (d) Share
3 (e) Share 4 (f)-(h) Reconstructed image using Shares 1 and 2, Shares 1,2 and 3 , Shares 1,2,3 and 4
September 7, 2007 DRAFT
25
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 7. The proposed method (tested for a face image){2, 3}: (a) Original image (b) Share 1 (c) Share 2 (d) Share 3 (e)-(h)
Reconstructed image using Shares 1 and 2, Shares 1 and 3, Shares 2 and 3, Shares 1,2 and 3
September 7, 2007 DRAFT
26
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 8. The proposed method (tested for an outdoor image){2, 3}: (a) Original image (b) Share 1 (c) Share 2 (d) Share 3
(e)-(h) Reconstructed image using Shares 1 and 2, Shares 1 and 3, Shares 2 and 3, Shares 1,2 and 3
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 9. The proposed method (tested for a surveillance frame image){2, 3}: (a) Original image (b) Share 1 (c) Share 2 (d)
Share 3 (e)-(h) Reconstructed image using Shares 1 and 2, Shares 1 and 3, Shares 2 and 3, Shares 1,2 and 3
September 7, 2007 DRAFT
27
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 10. The proposed method (tested for a scanned document){2, 3}: (a) Original image (b) Share 1 (c) Share 2 (d) Share 3
(e)-(h) Reconstructed image using Shares 1 and 2, Shares 1 and 3, Shares 2 and 3, Shares 1,2 and 3
September 7, 2007 DRAFT
28
(a) (b) (c) (d)
(e) (f) (g) (h)
Fig. 11. An example of effect of permutation for a{2, 2} scheme :a-d with permutation ande-h without permutation (a)
Original image (b) Share 1 (c) Share 2 (d) Decoded image (e) Original image (f ) Share 1 (g) Share 2 (h) Decoded image
September 7, 2007 DRAFT