-
J. Vis. Commun. Image R. 25 (2014) 1093–1101
Contents lists available at ScienceDirect
J. Vis. Commun. Image R.
journal homepage: www.elsevier .com/ locate/ jvc i
Secret image sharing scheme with hierarchical threshold
accessstructure
http://dx.doi.org/10.1016/j.jvcir.2014.03.0041047-3203/� 2014
Elsevier Inc. All rights reserved.
⇑ Corresponding author. Fax: +98 2122431655.E-mail addresses:
[email protected] (N. Pakniat), [email protected]
(M. Noroozi), [email protected] (Z. Eslami).
Nasrollah Pakniat, Mahnaz Noroozi, Ziba Eslami ⇑Department of
Computer Sciences, Shahid Beheshti University, G.C., Tehran,
Iran
a r t i c l e i n f o
Article history:Received 10 July 2013Accepted 7 March
2014Available online 19 March 2014
Keywords:CryptographySecret image sharingHierarchical threshold
access structureCellular automataBirkhoff interpolationInformation
hidingReversibilityTamper detection
a b s t r a c t
A hierarchical threshold secret image sharing (HTSIS) scheme is
a method to share a secret image amonga set of participants with
different levels of authority. Recently, Guo et al. (2012) [22]
proposed a HTSISscheme based on steganography and Birkhoff
interpolation. However, their scheme does not provide therequired
secrecy needed for HTSIS schemes so that some non-authorized
subsets of participants are ableto recover parts of the secret
image. In this paper, we employ cellular automata and Birkhoff
interpolationto propose a secure HTSIS scheme. In the new scheme,
each authorized subset of participants is able torecover both the
secret and cover images losslessly whereas non-authorized subsets
obtain no informa-tion about the secret image. Moreover,
participants are able to detect tampering of the recovered
secretimage. Experimental results show that the proposed scheme
outperforms Guo et al.’s approach in termsof visual quality as
well.
� 2014 Elsevier Inc. All rights reserved.
1. Introduction
Sharing images over open channels such as the Internet has
at-tracted considerable attention in recent years [1–8].
However,when it comes to sharing secret images, some challenging
prob-lems should be solved first. The first one is the number of
partiesthat can access the secret image. It is definitely a risk to
considera single party due to the accidental or intentional
loss/corruptionof such images that might occur. On the other hand,
if several par-ticipants share parts of the secret image, care must
be taken to en-sure that no malicious shareholder is able to
manipulate his/herdata. The second concern is the need to keep
invaders unawarenot only of the content of the secret image itself
but also of the veryfact that an image is being transferred. Secret
sharing schemeswhich protect and distribute a secret content among
a group ofparticipants provide solutions to the first issue. In
this regard, thebasic example, proposed first by Shamir [9] and
Blakley [10], isthe concept of a ðt;nÞ-threshold secret sharing
scheme whichencodes a secret data set into n shares and distributes
them amongn participants in such a way that any t or more of the
shares can becollected to recover the secret data, but any t � 1 or
fewer of themprovides no information about the secret. Moreover, to
ensurerecovery of the original secret information some
authentication
process must be employed so that any manipulation of shares
isdetected with high probability. To tackle the second concern,
ste-ganographic techniques are usually employed [11–14]. In
thesemethods, first some innocent looking images, called cover
images,are selected. Then the secret data are embedded into cover
imagesand the resulting stego images are distributed among
participantsusing some secret sharing scheme. Clearly, in order not
to invokesuspicion, the embedding should create high-quality stego
imagessuch that the changes are not visually perceptible. So far,
two mostpopular steganographic methods used in steganographic
secretsharing schemes were the least significant bits (LSBs)
replacementand the modulus operation.
A method of secret image sharing with steganography
andauthentication proposed by Lin and Tsai [15] in 2004. Their
schemeis an example of a lossy polynomial-based image sharing and
thereconstructed secret image may be distorted slightly. Wu et
al.[16] in 2004 proposed another scheme in which the secret imageis
compressed firstly, and then embedded into the cover imagesby
modulus operation. This approach can generate smaller stegoimages,
but the original secret image cannot be retrieved com-pletely in
the reconstruction procedure. To recover the secret im-age
losslessly, the method introduced by Thien and Lin [17] canbe
utilized which splits every pixel with value more than 250 intotwo
pixels. Their method is effective, but the output images
arerandom-looking which attracts the attention of malicious
attack-ers. In order to overcome the defects in Lin and Tsai’s
scheme, Yanget al. [18] used Galois field GFð28Þ instead of modulo
251 and
http://crossmark.crossref.org/dialog/?doi=10.1016/j.jvcir.2014.03.004&domain=pdfhttp://dx.doi.org/10.1016/j.jvcir.2014.03.004mailto:[email protected]:[email protected]:[email protected]://dx.doi.org/10.1016/j.jvcir.2014.03.004http://www.sciencedirect.com/science/journal/10473203http://www.elsevier.com/locate/jvci
-
1094 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014)
1093–1101
proposed an improved approach in 2007. The scheme proposed
byEslami et al. [4] in 2009 is another example of a secret
imagesharing scheme with steganography and authentication.
Theirscheme is an effective lossless sharing scheme based on
cellularautomata, but their access structure is restricted, i.e.,
only a subsetof some consecutive participants from an ordered set
of partici-pants can form an authorized subset. Eslami and
Ahmadabadi[5], Ulutas et al. [6] and Yang and Chu [7] are more
recentexamples on this line of research.
In the above mentioned schemes, it is not possible for
partici-pants to recover the cover image losslessly. However, in
someapplications, such as medical diagnosis, law enforcement,
militaryimaging system, remote sensing and high-energy particle
physicalexperimental investigation, it is important to reverse the
stegomedia back to original after the embedded data is retrieved
fromit. Therefore, designing a secret image sharing scheme
whichallows authorized participants to restore the distorted stego
imageto original without distortion after retrieving the shared
data isnecessary. Lin and Chan [19] proposed an invertible
sharingscheme with steganography to recover the secret image and
coverimage losslessly. Wu et al. [20] proposed another secret
imagesharing based on cellular automata and steganography
whichretrieves the secret and cover images both losslessly.
In reconstruction of the secret image of these schemes,
eachstego image plays an equivalent role. However, a general
thresholdaccess structure can have other useful properties for some
applica-tions. For example, when the participants differ in their
authority,an access structure which takes this difference into
account may beuseful. A hierarchical threshold access structure is
beneficial insuch situations. In a scheme with hierarchical
threshold accessstructure, the secret is shared among a group of
participants thatis partitioned into levels. The access structure
is then determinedby a sequence of threshold requirements for these
levels, e.g.,considering t0 < t1 < t2 < � � � as the
sequence of threshold require-ments, a subset of participants is
authorized to reconstruct thesecret if it has at least t0
participants from the highest level, as wellas at least t1ð> t0Þ
participants from the two highest levels and soforth. In 2007,
Tassa proposed a new secret sharing scheme basedon Birkhoff
interpolation to deal with hierarchical threshold accessstructures
[21]. However, unlike Shamir’s secret sharing scheme,Tassa’s scheme
is not able to use all potentials of underlyingpolynomial to share
multiple secrets. Using Tassa’s scheme toshare more than t0 secrets
makes it possible for some non-authorizedsubset of participants to
recover some of the secrets.
Based on Tassa’s scheme, Guo et al. in [22] proposed a
hierarchi-cal threshold secret image sharing scheme with
steganographicproperties. To the best of our knowledge, their
scheme is the onlyexisting hierarchical threshold secret image
sharing. In theirscheme, after sharing each block of the secret
image using Tassa’sscheme, modulus operation is used to hide the
shadow data intosome cover images. However, their scheme has the
followingweaknesses:
� As the authors have mentioned in their paper, some
non-authorized subsets of participants can obtain parts of the
secretimage.� The cover image can not be losslessly recovered.�
There is no authentication in their scheme. Therefore, a
malicious participant can make honest participants obtain afake
secret image.� Compared to existing schemes in the literature with
the same
threshold parameter, image quality of this scheme is
notacceptable (see Section 2.2).
The aim of this paper is to employ cellular automata to proposea
hierarchical threshold secret image sharing scheme which
overcomes the weaknesses of Guo et al.’s scheme. In the
proposedscheme, secret and cover images are recovered losslessly.
More-over, participants are able to check the originality of the
recoveredsecret image. We also formally prove that non-authorized
subsetsof participants can obtain no information about the secret
image.As for the steganographic security, we follow the common
method-ology considered so far in the context of secret image
sharing, i.e.,steganographic methods are employed only to prevent
noise-likeshadow data. Therefore, we consider visual quality of
stego imagesto measure how (visually) susceptible stego images are.
The exper-imental results indicate that the proposed scheme
achieves abetter visual quality for stego images compared to Guo et
al.’sscheme. Despite this, we would like to emphasize that the
stegano-graphic method employed in our paper is rather weak (the
same asalmost all existing literature on steganographic secret
imagesharing) and well-designed steganalysis algorithms are able to
de-tect the presence of hidden data in our stego images.
The rest of this paper is organized as follows. Section 2
reviewsGuo et al.’s hierarchical threshold secret image sharing
scheme anddiscusses its weaknesses. An overview of cellular
automata is alsoprovided in this section. In Section 3, we describe
the proposedscheme. Security analysis and experimental results of
our proposedscheme are provided in Sections 4 and 5, respectively.
Finally, theconclusions of this paper are presented in Section
6.
2. Related work
In this section, we first describe Guo et al.’s scheme and then
weexplain its weaknesses. The necessary background on cellular
auto-mata which is the basis of our approach is also covered in
thissection.
2.1. Review of Guo et al.’s hierarchical threshold secret image
sharingscheme
Let U be a group of n participants P1; P2; . . . ; Pn divided
intomþ 1 levels U0;U1; . . . ;Um and suppose that the sequence
ofthreshold requirements t0; t1; . . . ; tm determines the
hierarchicalthreshold access structure. Let SI be the secret image
and letCI1; . . . ;CIn be the cover images corresponding to P1; . .
. ; Pn. The ste-go image STGi corresponding to Pi is constructed
using CIi and thePi’s share from SI, for i ¼ 1; . . . ;n. The
details of Guo et al.’s schemeare as follows:
Setup: The dealer:
(1) Chooses a large prime number p.(2) Divides SI into
ðtmÞ-pixel units D1; . . . ;Dl, where l ¼ MSI�NSItm
l mand MSI and NSI are the width and height of the secret
image.
Sharing: For each unit Djð1 6 j 6 lÞ, the dealer:
(1) Constructs a ðtm � 1Þth degree polynomial FjðxÞ ¼ D1j þ D2j
xþ
� � � þ Dtmj xtm�1ðmod pÞ, where Dijð1 6 i 6 tmÞ is ith pixel of
Dj.
(2) Assigns to each participant Pi his share from Dj as
SHij ¼ Fðtk�1Þj ðiÞ, where k is such that Pi 2 Uk and F
ðtk�1Þj ðxÞ is
the ðtk�1Þth derivative of FjðxÞ.
Embedding: The dealer uses modulus operation to embed
eachparticipant’s share from the secret image into his cover image
CIiand obtains his stego image STGi.
Recovery: Given the stego images corresponding to an autho-rized
subset of participants which satisfy the sequence of
thresholdrequirements, one can recover the secret image as
follows:
� Extracts the embedded data from each stego image.
-
N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101
1095
� Employs Birkhoff interpolation on extracted data to recover
thesecret image SI.
2.2. Weaknesses of Guo et al.’s scheme
Guo et al. used tm pixels as coefficients of a polynomial
ofdegree tm � 1 in the sharing phase. However, doing so makes
itpossible for some non-authorized subsets of participants to
recoversome parts of the secret image. To overcome this problem and
asan alternative solution, the authors suggested to share only
t0pixels in each construction of the polynomial. But, this
solutionincreases the amount of the secret shadows and as a result
thevisual quality of the stego images severely worsens. In
theirscheme, the cover image can not be recovered losslessly and
henceit’s not useful in applications where this property is needed
(seeSection 1). Moreover, because of absence of an
authenticationmethod in their scheme, a malicious participant can
make honestparticipants obtain a fake secret image and remain
unnoticed.
The visual quality of the stego images is related to the
amountof shadow data which have to be embedded into the cover
images.In most of the secret image sharing schemes in the
literature, theamount of shadow data has been related to the
threshold parame-ter, i.e., increasing the threshold parameter
makes the amount ofshadow data decrease and therefore, the visual
quality of stegoimages will be increased. Therefore, it is not fair
to compare visualquality of two schemes, each using different
parameters. In [22],the authors compared the result of their scheme
using ð2;4;7Þ asthe sequence of threshold numbers and 10 as the
total numberof participants, with results of other schemes such as
[18] using3 as threshold number and 4 as the total number of
participants.Compared to other schemes, by using the same
parameters, theresult of implementing Guo et al.’s scheme in
ordinary thresholdaccess structures is not acceptable.
2.3. One-dimensional linear memory cellular automata
Guo et al.’s secret image sharing scheme is based on
Tassa’ssecret sharing scheme. In the sharing phase of Guo et al.’s
scheme,the secrets (pixels of the secret image) are the
coefficients of somepolynomial Fð�Þ (see Section 2). As the authors
mentioned in theirpaper, some unauthorized subsets of participants
are able torecover some of the coefficients and therefore, they can
obtainsome pixels of the secret image. But, the perfect secrecy of
Tassa’sscheme makes it impossible for unauthorized subsets of
partici-pants to recover the fixed coefficient of polynomial Fð�Þ.
To secureGuo et al.’s scheme, we need a method that allows a subset
ofparticipants to recover pixels of the secret image whenever
theyare able to recover all of the coefficients of Fð�Þ (including
the fixedcoefficient). The method that we use in this paper is
based oncellular automata. In the following, we review the
definition andproperties of cellular automata.
A one-dimensional linear cellular automaton ðLCAÞ is a
discretedynamical model which consists of an array of N cells with
twopossible states s 2 f0;1g. For the ith cell, denoted by hii,
weconsider the symmetric neighborhood of radius r which is
definedas N i ¼ fhi� ri; . . . ; hii; . . . ; hiþ rig. Then, the
state of each cell isupdated simultaneously in discrete time steps
by means of a localtransition function of the following form:
aðTþ1Þi ¼Xrj¼�r
ajaðTÞiþj ðmod 2Þ; 0 6 i 6 N � 1; ð1Þ
where aðTÞi denotes the state of hii at time T and aj 2 Z2 for
every j.Furthermore, if i � j ðmod NÞ, then it is assumed that
aðTÞi ¼ a
ðTÞj to
ensure well-defined dynamics of the CA. Since there are 2r þ
1
neighboring cells for hii, there exist 22rþ1 LCAs and each of
themcan be specified by an integer w called rule number which is
definedas follows:
w ¼Xrj¼�r
aj2rþj: ð2Þ
The configuration of a LCA at time T is shown by the vector
CðTÞ ¼ ðaðTÞ0 ; . . . ; aðTÞN�1Þwhere C
ð0Þ is the initial configuration. Moreover,
the sequence fCðTÞg06T6k is called the evolution of order k of
the LCA.The global function of the LCA is a linear transformation,
U, whichdetermines the configuration at the next time step during
the evo-
lution of the LCA, i.e., CðTþ1Þ ¼ UðCðTÞÞ.In Memory cellular
automaton (MCA) [23] the state of neighbor-
ing cells at time T as well as T � 1; T � 2; . . . contribute to
deter-mine the state at time T þ 1. Hereafter, by a CA, we mean
aparticular type of MCA called the tth order linear MCA (LMCA)whose
local transition function takes the following form:
aðTþ1Þi ¼ f1ðNðTÞi Þ þ f2ðN
ðT�1Þi Þ þ � � � þ ftðN
ðT�tþ1Þi Þ ðmod 2Þ;
0 6 i 6 N � 1; ð3Þ
where fj is the local transition function of a particular LCA
with ra-
dius r (1 6 j 6 t) and N ðTÞi � ðZ2Þ2rþ1 stands for the state of
the
neighboring cells of hii at time T. In this case, t initial
configurationsCð0Þ; . . . ; Cðt�1Þ are required to start the
evolution of LMCA. A cellularautomaton is said to be reversible if
for every current configurationof the cellular automaton there is
exactly one past configuration.For a reversible CA, there exists
another CA, called its inverse, withglobal function U�1. In such
CAs the evolution backward is possible(see [24]).
3. The proposed scheme
In this section, a new hierarchical threshold secret image
shar-ing scheme is proposed to overcome the security weakness of
Guoet al.’s scheme. We employ cellular automata to achieve this
goal.We first provide an overview of the sharing and recovery phase
ofour approach and then explain each phase in detail.
In order to share a set of tm secrets, we first set these
secrets asinitial configurations of a cellular automaton (CA).
Then, after re-quired number of evolutions of a properly
constructed CA, we getthe resulting tm consequent configurations as
temporal secretsand set them as the coefficients of a polynomial.
Then, the shareof each participant is obtained using appropriate
derivative ofthe polynomial. Now, in order to reconstruct the set
of main se-crets, first all of the temporal secrets must be
reconstructed. Thisis achieved through the use of Birkhoff
interpolation in the scheme.Then, we are able to recover the set of
main secrets using the in-verse of the CA. The proposed method has
the ability to reconstructthe cover image losslessly by sharing the
bits of cover images chan-ged during embedding. Moreover, we
provide authentication prop-erty in the scheme by employing a hash
function in theconfigurations of the CA (instead of bits of cover
image) and there-fore, we don’t need to embed extra information for
authenticationpurposes.
Suppose that there is a group U of n participants P1; P2; . . .
; Pnpartitioned into mþ 1 levels U0;U1; . . . ;Um and assume that
thesequence of threshold requirements t0; t1; . . . ; tm determines
thehierarchical threshold access structure. In the proposed
scheme,we have one secret image SI and one cover image CI. The
stegoimages fSTGigni¼1 are produced by embedding the shadow data
cor-responding to participant Pi, into the cover image CI. The
proposedscheme consists of 4 phases, (1) the setup phase, (2) the
sharingphase, (3) the embedding phase and (4) the recovery and
authen-tication phase. In the following, we describe each phase in
detail.
-
1096 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014)
1093–1101
3.1. The setup phase
In this phase, the dealer fixes some parameters and constructs
areversible LMCA of order tm, denoted by M. In what follows,
weconsider 1 byte for each pixel and we use q concatenated pixelsas
a configuration of M. Therefore, the number of cells in each
con-figuration of M is 8� q and this is why we assume 1 6 r 6
b8�q�12 c.Note also that for a rule number w, we must have0 6 w 6
22rþ1 � 1. Here are the detailed steps:
1. Assigns an identity number i to each participant Pi 2 U.2.
Chooses a cryptographic hash function H : f0;1g8�q�ðtm�1Þ
!f0;1g8�q.
3. Constructs a reversible LMCA (M):(a) Chooses 1 6 r 6 b8�q�12
c as the radius of the symmetric
neighborhood of the LMCA.(b) Chooses a random number 0 6 ws 6
22rþ1 � tm þ 1. The rule
numbers of the LMCA are then ws;ws þ 1; . . . ;ws þ tm � 2.(c)
Constructs M of order tm by
aðTþ1Þj ¼ fws ðNðTÞj Þ þ � � � þ fwsþtm�2ðN
ðT�tmþ2Þj Þ
þ aT�tmþ1j ðmod 2Þ; ð4Þ
(a)
(b)Fig. 1. Diagram of the proposed scheme. (a) T
where 0 6 j 6 8� q� 1 and fwsþi is the local transition function
ofthe LMCA with radius r and rule numbers ws þ i; 0 6 i 6 tm �
2.
3.2. The share generation phase
In the sharing phase, first, the dealer obtains all pixels of
the se-cret image SI, denoted as SI ¼ fs1; s2; . . . ; sMSI�NSIg
and divides SI intoðq� ðtm � 2ÞÞ-pixel units D1;D2; . . . ;Dl,
where l ¼ MSI�NSIq�ðtm�2Þ
l mand
Dj;1 6 j 6 l is as follows:
D1;1j D1;2j � � � D
1;tm�2j
..
. ... . .
. ...
Dq;1j Dq;2j � � � D
q;tm�2j
26664
37775: ð5Þ
The dealer also divides the cover image CI into blocks D01;D02;
. . . ;D
0l0 ,
where each block contains 4� q pixels. The details of this
phase, de-picted in Fig. 1(a), are as follows:
The dealer:
1. Divides SI into ðq� ðtm � 2ÞÞ-pixel units D1;D2; . . . ;Dl.2.
Divides CI into (4� q)-pixel blocks D01;D
02; . . . ;D
0l0 .
3. Repeats for j ¼ 1; . . . ; l:(a) For k ¼ 0; . . . ; ðtm �
3Þ:
he sharing phase. (b) The recovery phase.
-
N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101
1097
i. Sets initial configuration CðkÞ of M as ðD1;kþ1j Þ2k � � �
kðDq;kþ1j Þ2,
where ðxÞ2 means binary representation of x and k standsfor
concatenation of two strings.
(b) Extracts the 2 least significant bits from each pixel in the
jthunit of the cover image and concatenates them to obtainq� 8
bits. He now sets Cðtm�2Þ as the result of theconcatenation.
(c) Computes Cðtm�1Þ as HðCð0Þ; . . . ; Cðtm�2ÞÞ.(d) Computes
evolutions of M of order 2� tm � 1 with the ini-
tial configurations Cð0Þ; . . . ;Cðtm�1Þ and obtains CðtmÞ; . .
. ;Cð2�tm�1Þ.
(e) Constructs a ðtm � 1Þth degree polynomial FjðxÞ ¼
CðtmÞþCðtmþ1Þxþ � � � þ Cð2�tm�1Þxtm�1 over GFð2q�8Þ.
(f) Assigns to each participant Pi his share from jth unit
asSHij ¼ F
ðtk�1Þj ðiÞ, where k is such that Pi 2 Uk; F
ðtk�1Þj ðxÞ is the
ðtk�1Þth derivative of FjðxÞ and t�1 ¼ 0.
In order to generate the stego image corresponding to Pi, so
farthe string SHi1kSH
i2k � � � kSH
il, plus other information about M and SI
must be embedded in the cover image (CI). For lossless recovery
ofthe cover image, the dealer shares another tm � 1 blocks from
thecover image and obtains fSHilþ1g
n
i¼1 during the following steps:
1. For j ¼ 0; . . . ; tm � 2:(a) Sets initial configuration CðjÞ
of M as the result of concatena-
tion of 2 LSBs of pixels in ðjþ lþ 1Þth block of the
coverimage.
2. Computes Cðtm�1Þ as HðCð0Þ; . . . ;Cðtm�2ÞÞ.3. Computes
evolutions of M of order 2� tm � 1 with the initial
configurations Cð0Þ; . . . ;Cðtm�1Þ and obtains CðtmÞ; . . .
;Cð2�tm�1Þ.4. Constructs a ðtm � 1Þth degree polynomial FðxÞ ¼
CðtmÞþ
Cðtmþ1Þxþ � � � þ Cð2�tm�1Þxtm�1 over GFð2q�8Þ.5. Assigns to
each participant Pi 2 Uk, the share SHilþ1 ¼ F
ðtk�1ÞðiÞ.
Remark. As explained in [21], in order to make sure that
everyauthorized subset of participants are able to recover both of
thesecret and cover images losslessly, we have to choose q such
that:
2q�8 > 2�tmþ2 � ðtm � 1Þtm�1
2 � ðtm � 1Þ!� nðtm�1Þ�ðtm�2Þ
2 : ð6Þ
3.3. The embedding phase
In this phase, the dealer produces final stego images by
embed-ding the data obtained in previous phases into the cover
image. Toensure that it is difficult to visually recognize that any
data is
Fig. 2. (a) One block of the cover image consisting of 4� q
bytes, (b) The embedding of thblock of CI.
hidden in the stego images, the embedding procedure must besuch
that the visual quality of the results have no serious
downtrend.
We embed the following data in CI and obtain the stego imageSTGi
corresponding to Pi:
� i; ki: the assigned identity to Pi and the level to which
Pibelongs.� t ¼< t0; t1; . . . ; tm >: the sequence of
threshold numbers.� r; ws: the radius of the symmetric neighborhood
and the initial
rule number of the LMCA.� MSI and NSI: the width and height of
the secret image.� SHij; 1 6 j 6 lþ 1: the shares assigned to
Pi.
We now outline the details of embedding procedure. The
fore-going data, with the same ordering, is considered as an array
of ele-ments in GFð2q�8Þ. Each element is embedded into one block
of CIconsisting of 4� q bytes. Let ðd1; . . . ; d8�qÞ be the binary
represen-tation of the element which has to be embedded in block B
of CIwith pixels X1;X2; . . . ;X4�q with binary representation as
inFig. 2(a). The embedding replaces the least significant bits
ofX1;X2; . . . ;X4�q with d1; . . . ; d8�q as depicted in Fig.
2(b). Note thatthe embedding changes at most two of the LSBs in
each byte ofB. This maintains the quality of stego images.
After obtaining the stego images (STGi; i ¼ 1; . . . ;n), the
dealersends each stego image to the corresponding participant via a
pub-lic channel.
Remark. Note that the only aim of using steganography alongwith
the proposed secret image sharing is to prevent
distributingnoise-like shadow data.
3.4. The recovery and verification phase
The details of this phase are depicted in Fig. 1(b). Suppose
thattm participants, Pa1 ; . . . ; Patm , pool the stego images
STGa1 ;STGa2 ; . . . ; STGatm to recover the secret image SI. Each
STGai isdivided into a set of blocks with 4� q pixels from which
theembedded data can be retrieved as follows:
1. For each ai; 1 6 i 6 tm:� Retrieve from STGai : ai; kai ; ws;
r; t ¼ ht0; t1; . . . ; tmi;
MSI; NSI; SHaij ; 1 6 j 6 lþ 1.
2. Check the threshold numbers to verify if these participants
areauthorized to recover the secret image.
3. Repeat for j ¼ 1; . . . ; l //reconstruct the jth unit of the
secretimage:
e hidden data ðd1; . . . ; d8�qÞ in a stego block. (c)
Distortion-free reconstruction of one
-
Fig. 3. (a)–(d) The test secret images. (e)–(p) The test cover
images.
1098 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014)
1093–1101
(a) Employ Birkhoff interpolation on pairs ðai; SHaij Þ; 1 6 i 6
tmto reconstruct a tm � 1 degree polynomial FjðxÞ. Supposethat
FjðxÞ ¼ a0 þ a1xþ � � � þ atm�1xtm�1.
(b) Construct the inverse of M, i.e., ~M, with radius r, rule
num-bers determined by ws and initial configurations:
~Cð0Þ ¼ atm�1; ~Cð1Þ ¼ atm�2; . . . ; ~Cðtm�1Þ ¼ a0 ð7Þ
and evolve ~M; 2� tm � 1 times to obtain ~CðtmÞ; . . . ;
~Cð2tm�1Þ.(c) Check if Hashð~Cð2tm�1Þ; . . . ; ~Cðtmþ1ÞÞ equals
~CðtmÞ or not.(d) Divide each ~CðiÞðtm þ 2 6 i 6 2tm � 1Þ into q
bytes bi1; . . . b
iq.
The pixels of the jth unit of SI, that is, D1;1j ; . . . ;Dq;1j
;
. . . ;Dtm�2;1j ; . . . ;Dq;tm�2j , are taken as b
2tm�11 ; . . . ;b
2tm�1q ; . . . ;b
tmþ21 ;
. . . ;btmþ2q .
(e) To lossless recovery of the jth block of the cover image,
usebinary representation of eC ðtmþ1Þ as depicted in Fig. 2(c).
4. Repeat 3a to 3c on fai; SHailþ1g16i6tm and recover the
changed bitsin the last tm � 1 changed blocks of the cover
image.
5. Restore the changed bits in the last tm � 1 blocks of the
coverimage.
4. Security analysis
In this section, we prove that under the assumption of
perfectsecrecy of Tassa’s scheme, the set of stego images
correspondingto non-authorized subsets of participants reveals no
informationabout the secret image. We first mention the following
theoremwhich states a natural property of the memory cellular
automata.The interested reader can find a proof in [25].
-
Fig. 4. An example of the ðf2;4;7g;10Þ hierarchical threshold
case with reversible steganography. (a)–(j) The stego images
generated by the proposed scheme. (k) Theextracted secret image.
(l) The distortion-free recovered cover image.
N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101
1099
Theorem 1. Let M denote a tth order LMCA. Then, in order
tocompute Cðjþ1Þ for some j P t � 1, exactly t
configurationsCðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ are needed.
Now, we prove the following lemma which is a generalizationof
Theorem 1.
Lemma 1. Let M denote a tth order LMCA. Then, withoutknowing
exactly t configurations CðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ for somej P t
� 1, it is not possible to compute any further configura-tions of
M, i.e., it is not possible to compute CðjþkÞ for anyk P 1.
-
1100 N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014)
1093–1101
Proof. We prove by induction on k. Theorem 1 implies that the
state-ment holds for k ¼ 1. Fix some j and suppose that the
statementholds for some positive integer k. Therefore, it is not
possible to com-pute CðjþkÞ without knowing t configurations
CðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ.Now, Theorem 1 implies that in order
to compute Cðjþkþ1Þ we haveto know CðjþkÞ;Cðjþk�1Þ; . . .
;Cðjþk�tþ1Þ. By the impossibility of comput-ing CðjþkÞ from
induction hypothesis, we conclude that it is not possi-ble to
compute Cðjþkþ1Þ without knowing all of the
configurationsCðjÞ;Cðj�1Þ; . . . ;Cðj�tþ1Þ. This completes the
proof. h
The following theorem shows that the proposed scheme satis-fies
the security requirement needed in a hierarchical threshold se-cret
image sharing scheme:
Theorem 2. Assuming the perfect secrecy of Tassa’s scheme,
theproposed scheme is a secure hierarchical threshold secret
imagesharing scheme, i.e., the set of stego images corresponding to
any non-authorized subset of participants reveals no information
about thesecret image.
Proof. Let A be an attacker and let B be an arbitrary
non-autho-rized subset of participants. Perfect secrecy of Tassa’s
schememakes it impossible for A to compute all the coefficients of
f ð:Þfrom the set of stego images corresponding to B. Therefore,
Aobtains less than tm consecutive configurations of eM . Now,
Lemma1 implies that A can not compute any further configuration of
eM .Therefore, he obtains no information about the blocks of the
secretimage from stego images corresponding to B. h
5. Experimental results
In this section, we describe some experimental results to
dem-onstrate the characteristics of the proposed scheme. To the
best ofour knowledge, so far, there has been only one hierarchical
thresh-old secret image sharing scheme in the literature [22].
Therefore,we compare the proposed scheme with this scheme. In order
tomeasure the distortion of the stego images, the peak
signal-to-noise ratio (PSNR) can be used:
PSNR ¼ 10� log10ð255Þ2
MSEdB; ð8Þ
where MSE is the mean-square error between the cover image
andthe stego image. If the cover image is sized f � g; MSE is
defined as
MSE ¼ 1f � g
Xfi¼1
Xgj¼1ðxij � yijÞ
2; ð9Þ
Table 1The PSNR value (dB) of the stego images for different
test cover images, n ¼ 10; t0 ¼ 2; t1
Test images PSNR (dB)
The first level The second level
1 2 3 4 5
Baboon 51.24 51.22 51.26 51.20 51Barbara 51.17 51.15 51.11 51.09
51Boat 51.00 51.04 50.98 51.00 51Cameraman 51.90 51.93 51.94 51.94
51Couple 50.93 50.94 50.92 50.99 50Elaine 50.88 50.90 50.88 50.90
50Girl 50.93 50.88 50.88 50.89 50House 52.32 52.30 52.31 52.27
52Lake 51.12 51.10 51.11 51.14 51Lena 51.12 51.11 51.08 51.11 51Man
51.11 51.10 51.11 51.15 51Peppers 51.03 51.09 51.05 51.07 51
where xij and yij denote the cover and the stego pixel
values,respectively.
In this way, the higher the PSNR values are, the more
difficultthe visual detection of existence of embedded data in the
cover im-age is.
We perform experiments for n ¼ 10 and m ¼ 2, i.e., there are
10participants divided into 3 levels. Assume that there are 3
partici-pants in the first (highest) level, the second level
contains 3 partic-ipants and the third (lowest) level includes 4
participants. Assumea sequence of threshold requirements t ¼ ht0;
t1; t2i ¼ h2;4;7i; thatis at least 7 participants have to pool
their shares together toreconstruct the secret image (of which at
least 4 are from the firsttwo levels and at least 2 are from the
first level). In order to dem-onstrate the visual perception of the
stego images, we take ‘‘Air-plane’’ with size 256� 256 as the
secret image (Fig. 3(a)) and‘‘Peppers’’ with size 512� 512 as the
cover image (Fig. 3(p)).Fig. 4(a)–(j) displays the obtained stego
images and their PSNR val-ues by using the proposed scheme. The
distortion between the cov-er image and the stego images is slight
and therefore, it is difficultfor intruders to suspect that some
secret data is embedded in theimages. If the stego images involved
meet the hierarchical thresh-old access structure, the proposed
scheme is able to reconstructboth of the secret and cover images
without distortion. The ex-tracted secret and cover images are
shown in Fig. 4(k) and (l),respectively.
We performed similar experiments with different test images
ascover image. Table 1 displays the PSNR values of the stego
imagesachieved by the proposed scheme using ‘‘Airplane’’ with
size256� 256 (Fig. 3(a)) as the secret image and twelve test
imageswith size 512� 512 (Fig. 3(e)–(p)) as the cover images. The
resultsshow that the PSNR values of the stego images always
maintain asteady level and are within ½50:87;52:32�.
Table 2 compares the proposed scheme with Guo et al.’s schemein
term of average PSNR values for ‘‘Airplane’’ as the secret imageand
different cover images. The results show that by using the
pro-posed scheme, we can achieve far better visual quality. That is
be-cause, in Guo et al.’s scheme, the authors generated
polynomialsover GFðpÞ (where p is a large prime) and used one pixel
as one se-cret in GFðpÞ. However, in the proposed scheme we
generate poly-nomials over GFð2q�8Þ and we use q concatenated
pixels as onesecret. Hence, compared to Guo et al.’s scheme, less
data must beembedded in our scheme.
Table 3 shows the average PSNR values of the stego images
ob-tained by the proposed scheme using different test secret
images(Fig. 3)) and different access structures while the cover
image isfixed to be Peppers (Fig. 3(p)). The results show that the
visualquality of the stego images obtained by the proposed
methoddoesn’t depend on the secret image.
¼ 4; t2 ¼ 7.
The third level
6 7 8 9 10
.22 51.27 51.21 51.23 51.22 51.26
.16 51.16 51.14 51.12 51.09 51.13
.00 51.02 51.05 51.02 51.02 50.98
.91 51.92 51.96 51.93 51.93 51.94
.93 50.93 50.94 50.91 50.93 50.94
.92 50.89 50.89 50.91 50.93 50.91
.93 50.90 50.89 50.92 50.87 50.92
.28 52.27 52.30 52.27 52.27 52.27
.08 51.12 51.12 51.09 51.10 51.07
.09 51.13 51.10 51.13 51.08 51.11
.14 51.14 51.16 51.10 51.16 51.09
.03 51.08 51.03 51.10 51.07 51.08
-
Table 3The average PSNR value (dB) of the stego images for
different test secret images (Fig. 3(a)–(d)) and different access
structures using Peppers (Fig. 3(i)) as the cover image.
Secret images Average PSNR (dB)
n ¼ 8; M ¼ 2 n ¼ 10; M ¼ 3 n ¼ 12; M ¼ 4NPL ¼ 2;5 NPL ¼ 3;3;4
NPL ¼ 2;3;3;4
t ¼ h1;4i t ¼ h2;5i t ¼ h1;3;6i t ¼ h2;4;7i t ¼ h1;3;5;7i t ¼
h2;4;6;8i
Airplane 47.05 48.81 50.10 51.06 51.07 51.86Bridge 47.05 48.82
50.10 51.07 51.07 51.85Earth 47.06 48.81 50.11 51.07 51.07
51.85Splash 47.05 48.81 50.09 51.07 51.08 51.86
n: The total number of participants.M: the number of
hierarchical levels.NPL: the number of participants in each of M
hierarchy levels.t: The required sequence of threshold numbers to
reconstruct the secret image.
Table 2Comparisons of optimal image quality between the proposed
scheme and Guo et al.’s scheme for different cover images.
Schemes Average PSNRs
Baboon Boat Cameraman Couple Girl House Lake Lena Man
Peppers
Ours 51.23 51.01 51.93 50.93 50.90 52.29 51.11 51.11 51.13
51.06Guo et al.’s 38.19 38.59 39.26 39.33 39.22 40.22 38.90 38.72
38.65 38.25
N. Pakniat et al. / J. Vis. Commun. Image R. 25 (2014) 1093–1101
1101
6. Conclusion
In this paper, by using cellular automata and Birkhoff
interpola-tion we propose a secret image sharing scheme which
overcomesthe weaknesses of Guo et al.’s scheme. We also employ
steganog-raphy to prevent noise-like shares. The proposed scheme
has thefollowing advantages:
� It admits a hierarchical threshold access structure.� It is
able to recover both of the secret and cover image
losslessly.� After lossless recovery of the secret and cover
image, partici-
pants are able to check the validity of the secret image, i.e.,
theyare able to detect whether stego images are tampered or not.�
The set of stego images corresponding to a non authorized sub-
set of participants reveals no information about the
secretimage.� Compared to Guo et al.’s scheme, the stegos produced
by the
proposed scheme have better visual quality.
However, the same as almost all existing steganographic
secretimage sharing schemes, our method is not secure against
steganal-ysis algorithms.
References
[1] M. Naor, A. Shamir, Visual cryptography, in: Lecture Notes
in ComputerScience, vol. 950, 1994, pp. 1–12.
[2] W.-P. Fang, Friendly progressive visual secret sharing,
Pattern Recogn. 41 (4)(2008) 1410–1414.
[3] J.-B. Feng, H.-C. Wu, C.-S. Tsai, Y.-F. Chang, Y.-P. Chu,
Visual secret sharing formultiple secrets, Pattern Recogn. 41 (12)
(2008) 3572–3581.
[4] Z. Eslami, S.H. Razzaghi, J.Z. Ahmadabadi, Secret image
sharing based oncellular automata and steganography, Pattern
Recogn. 43 (1) (2010) 397–404.
[5] Z. Eslami, J.Z. Ahmadabadi, Secret image sharing with
authentication-chainingand dynamic embedding, J. Syst. Software 84
(5) (2011) 803–809.
[6] M. Ulutas, G. Ulutas, V.V. Nabiyev, Invertible secret image
sharing for gray leveland dithered cover images, J. Syst. Software
86 (2) (2013) 485–500.
[7] C.-N. Yang, Y.-Y. Chu, A general (k,n) scalable secret image
sharing schemewith the smooth scalability, J. Syst. Software 84
(10) (2011) 1726–1733.
[8] X. Wu, W. Sun, Secret image sharing scheme with
authentication and remedyabilities based on cellular automata and
discrete wavelet transform, J. Syst.Software 86 (4) (2013)
1068–1088.
[9] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979)
612–613.[10] G.R. Blakley, Safeguarding cryptographic keys, in:
Proceedings of the National
Computer Conference, vol. 48, 1979, pp. 313–317.[11] R.-Z. Wang,
C.-F. Lin, J.-C. Lin, Image hiding by optimal LSB substitution
and
genetic algorithm, Pattern Recogn. 34 (3) (2001) 671–683.[12]
C.-C. Chang, J.Y. Hsiao, C.-S. Chan, Finding optimal
least-significant-bit
substitution in image hiding by dynamic programming strategy,
PatternRecogn. 36 (7) (2003) 1583–1595.
[13] C.-K. Chan, L.-M. Cheng, Hiding data in images by simple
LSB substitution,Pattern Recogn. 37 (3) (2004) 469–474.
[14] C.-C. Thien, J.-C. Lin, A simple and high-hiding capacity
method for hidingdigit-by-digit data in images based on modulus
function, Pattern Recogn. 36(12) (2003) 2875–2881.
[15] C.-C. Lin, W.-H. Tsai, Secret image sharing with
steganography andauthentication, J. Syst. Software 73 (3) (2004)
405–414.
[16] Y.-S. Wu, C.-C. Thien, J.-C. Lin, Sharing and hiding secret
images with sizeconstraint, Pattern Recogn. 37 (7) (2004)
1377–1385.
[17] C.-C. Thien, J.-C. Lin, Secret image sharing, Comput.
Graph. 26 (5) (2002) 765–770.
[18] C.-N. Yang, T.-S. Chen, K.H. Yu, C.-C. Wang, Improvements
of image sharingwith steganography and authentication, J. Syst.
Software 80 (7) (2007) 1070–1076.
[19] P.-Y. Lin, C.-S. Chan, Invertible secret image sharing with
steganography,Pattern Recogn. Lett. 31 (13) (2010) 1887–1893.
[20] X. Wu, D. Ou, Q. Liang, W. Sun, A user-friendly secret
image sharing schemewith reversible steganography based on cellular
automata, J. Syst. Software 85(8) (2012) 1852–1863.
[21] T. Tassa, Hierarchical threshold secret sharing, J.
Cryptol. 20 (2) (2007) 237–264.
[22] C. Guo, C.-C. Chang, C. Qin, A hierarchical threshold
secret image sharing,Pattern Recogn. Lett. 33 (1) (2012) 83–91.
[23] R. Alonso-Sanz, Reversible cellular automata with memory:
two-dimensionalpatterns from a single site seed, Physica D 175
(1–2) (2003) 1–30.
[24] T. Toffoli, N. Margolus, Ininvertible cellular automata: a
review, Physica D 45(1–3) (1990) 229–253.
[25] Z. Eslami, J.Z. Ahmadabadi, A verifiable multi-secret
sharing scheme based oncellular automata, Inf. Sci. 180 (15) (2010)
2889–2894.
http://refhub.elsevier.com/S1047-3203(14)00060-1/h0020http://refhub.elsevier.com/S1047-3203(14)00060-1/h0020http://refhub.elsevier.com/S1047-3203(14)00060-1/h0025http://refhub.elsevier.com/S1047-3203(14)00060-1/h0025http://refhub.elsevier.com/S1047-3203(14)00060-1/h0030http://refhub.elsevier.com/S1047-3203(14)00060-1/h0030http://refhub.elsevier.com/S1047-3203(14)00060-1/h0035http://refhub.elsevier.com/S1047-3203(14)00060-1/h0035http://refhub.elsevier.com/S1047-3203(14)00060-1/h9000http://refhub.elsevier.com/S1047-3203(14)00060-1/h9000http://refhub.elsevier.com/S1047-3203(14)00060-1/h0040http://refhub.elsevier.com/S1047-3203(14)00060-1/h0040http://refhub.elsevier.com/S1047-3203(14)00060-1/h0040http://refhub.elsevier.com/S1047-3203(14)00060-1/h0045http://refhub.elsevier.com/S1047-3203(14)00060-1/h0045http://refhub.elsevier.com/S1047-3203(14)00060-1/h0045http://refhub.elsevier.com/S1047-3203(14)00060-1/h0050http://refhub.elsevier.com/S1047-3203(14)00060-1/h0055http://refhub.elsevier.com/S1047-3203(14)00060-1/h0055http://refhub.elsevier.com/S1047-3203(14)00060-1/h0060http://refhub.elsevier.com/S1047-3203(14)00060-1/h0060http://refhub.elsevier.com/S1047-3203(14)00060-1/h0060http://refhub.elsevier.com/S1047-3203(14)00060-1/h0065http://refhub.elsevier.com/S1047-3203(14)00060-1/h0065http://refhub.elsevier.com/S1047-3203(14)00060-1/h0070http://refhub.elsevier.com/S1047-3203(14)00060-1/h0070http://refhub.elsevier.com/S1047-3203(14)00060-1/h0070http://refhub.elsevier.com/S1047-3203(14)00060-1/h0075http://refhub.elsevier.com/S1047-3203(14)00060-1/h0075http://refhub.elsevier.com/S1047-3203(14)00060-1/h0080http://refhub.elsevier.com/S1047-3203(14)00060-1/h0080http://refhub.elsevier.com/S1047-3203(14)00060-1/h0085http://refhub.elsevier.com/S1047-3203(14)00060-1/h0085http://refhub.elsevier.com/S1047-3203(14)00060-1/h0090http://refhub.elsevier.com/S1047-3203(14)00060-1/h0090http://refhub.elsevier.com/S1047-3203(14)00060-1/h0090http://refhub.elsevier.com/S1047-3203(14)00060-1/h0095http://refhub.elsevier.com/S1047-3203(14)00060-1/h0095http://refhub.elsevier.com/S1047-3203(14)00060-1/h0100http://refhub.elsevier.com/S1047-3203(14)00060-1/h0100http://refhub.elsevier.com/S1047-3203(14)00060-1/h0100http://refhub.elsevier.com/S1047-3203(14)00060-1/h0105http://refhub.elsevier.com/S1047-3203(14)00060-1/h0105http://refhub.elsevier.com/S1047-3203(14)00060-1/h0110http://refhub.elsevier.com/S1047-3203(14)00060-1/h0110http://refhub.elsevier.com/S1047-3203(14)00060-1/h0115http://refhub.elsevier.com/S1047-3203(14)00060-1/h0115http://refhub.elsevier.com/S1047-3203(14)00060-1/h0120http://refhub.elsevier.com/S1047-3203(14)00060-1/h0120http://refhub.elsevier.com/S1047-3203(14)00060-1/h0125http://refhub.elsevier.com/S1047-3203(14)00060-1/h0125
Secret image sharing scheme with hierarchical threshold access
structure1 Introduction2 Related work2.1 Review of Guo et al.’s
hierarchical threshold secret image sharing scheme2.2 Weaknesses of
Guo et al.’s scheme2.3 One-dimensional linear memory cellular
automata
3 The proposed scheme3.1 The setup phase3.2 The share generation
phase3.3 The embedding phase3.4 The recovery and verification
phase
4 Security analysis5 Experimental results6
ConclusionReferences