Visual Cryptography

Visual Cryptography

Hossein HajiabolhassanDepartment of Mathematical Sciences

Shahid Beheshti UniversityTehran, Iran

Secret Sharing SchemeA secret sharing scheme is a method of

dividing a secret S among a finite set of participants.

only certain pre-specified subsets of participants can recover the secret (Qualified subsets).

secret

K out of n Consider a finite field GF(q) where q≥n+1 and Choose a secret key s from GF(q) . Randomly choose s=a0, a1,…, ak-1 from GF(q),

Freely choose distinct xi (1≤i≤n). Give to person i Secret share (xi, f(xi)) for all (1≤i≤n).

Perfect Secret Sharing

A secret sharing scheme is perfect if all authorized subsets can reconstruct the secret but no other subset can determine any information about the secret.

This scheme is not perfect!

Visual Cryptography

Anyone knows what is the secret?

Basic Definitions Let P={1,...,n } be a set of elements called

participants. 2^P denote the set of all subsets of P. Q 2^P : members of qualified sets. F 2^P: members of forbidden sets, Q F=. =(Q ,F) is called the access structure of the

scheme. _0 : Call all the minimal qualified sets of basis

for the access structure : _0={A Q : B Q for all B A, B≠A}.

Basic Definitions Secret Image: The Secret consists of a

collection of black and white pixels.

Share: Secret image encode into n shadow images in the form of the transparencies, called shares, where each participant receives one share.

Subpixel: Each pixel is divided into a certain number of subpixels.

Superimposing:

1

2

q

+ + + +

Generation of Shares

share1

share2

stack

pixel

random

1 2 1 2

Generation of Shares

Mathematical Model

(0,1,0,1,0)

(1,1,0,0,1)

Sticking (1,1,0,1,1)

Representationwith Matrix [0 1 0 1 0

1 1 0 0 1 ]

msss 11211

msss 22221

nmnn sss 21

1

2

n

Mathematical Model

2 out of 2

`Pixel Probability Shares#1 #2

Superposition ofthe two shares

5.0p

5.0p

5.0p

5.0p

1 01 0 [ ]

[0 1 0 1

]

[ ]0 1

1 0

[ ]1 0

0 1

C_0

C_1Same Matrices

withSame Frequency

Expansion & ContrastThe number of subpixels that each pixel of the original image is encoded into on each transparency is termed pixel expansion.The difference measure between a black and a white pixel in the reconstructed image is called contrast.

[0 1 0 1

] [0 1 1 0

1 0 0 1

1 0 1 0

[[ ]]]

Expansion = 2 Contrast=(2-1)/2=0.5

[

Visual Cryptography SchemeNaor and Shamir, 1994

Let =(Q, F) be an access structure on a set of n participants. A - VCS_1 with expansion m and contrast (m) consists of two collections of n×m matrices C_0 and C_1 such that:I. For any qualified subset X={i_1,…,i_k} and A ε C_0, the or V of rows i_1,…,i_k of A satisfies w(V) t_X- (m).m ; whereas, for any B ε C_1 it results that w(V) t_X.II. For any non-qualified subset X={i_1,…,i_t}. The two collections of t×m matrices D_j, with j ε {0,1}, obtained by restricting each n×m matrix in C_j to rows i_1,…,i_t are indistinguishable in the sense that they contain the same matrices with the same frequencies.

2 out of 2

1 01 0 [ ][

0 1 0 1

]

[ ]0 1

1 0 [ ]

1 0

0 1

C_0

C_1 X={1,2}, W(V)=2

X={1,2}, W(V)=1D_0

D_1

X={1}

VCS with Basis Matrices Let =(Q, F) be an access structure on a set of n participants. A basis for - VCS_2 with expansion m and contrast (m) consists of two matrices S^0 and S^1 such that:I. For any qualified subset X={i_1,…,i_k}, the or V of rows i_1,…,i_k of S^0 satisfies w(V) t_X- (m).m ; whereas, for S^1 it results that w(V) t_X.

II. For any non-qualified subset X={i_1,…,i_t}. The two t×m matrices D^j, with j ε {0,1}, obtained by restricting rows i_1,…,i_t to S^j are equal up to a permutation of columns.

K out of K

1 0 0 1

0 1 0 1

0 0 1 1

{1} {2} {3} {1,2,3}

[ 0 1 1 0

0 1 0 1

0 0 1 1

{ } {1,2} {1,3} {2,3}

] [ ]S^1=. S^0=.

C_1={A: A is a permutation column of S^1}

C_0={B: B is a permutation column of S^0}

3

2

1

3

2

1

K out of n scheme

There is a k out of k scheme with expansion 2k-1 and contrast α=2-k+1.

In any k out of k scheme m≥2k-1 and α≤21-k.

For any n and k, there is a k out of n VCS with m=log n 2O(klog k), α=2Ώ(k).

General Access StructureQuestion: Let be a access structure. Is there an -VCS?

Note that if there exists an -VCS then Q should be monotone.

Theorem: Let =(Q,F) be a monotone access structure where F∩Q =, and let Z_M be the family of maximal forbidden sets in F. Then there exists a -VCS with expansion less than or equal to

2^(|Z_M|-1).

Cumulative Array Method Let =(Q,F) be a monotone access structure where Q U F= 2^P.

Also, let F_1,… , F_t be maximal forbidden sets in F.

Let S^0 and S^1 be basis of white matrix and black matrix of t out of t VCS, respectively.

Construct n×2^(t-1) white basis matrix C^0 and black basis matrix C^1 of as follows:

I. For any participant i, set the i-th row of C^0 be the or of rows i_1,…,i_s of S^0 that i_1,…,i_s are rows of S^0 where for any 1≤j≤s, “i’’ is not member of F_(i_j).

II. Similarly, construct C^1.

Cumulative Array MethodExample: Let P={1, 2, 3, 4}, _0={{1, 2}, {2, 3}, {3, 4}}, and Z_M={F_1,F_2, F_3}; F_1={1, 4} ,F_2={1, 3}, F_3={2, 4}. Hence,

011001010011

0^S

100101010011

1^S

0101011101110110

0^C

0101101101111001

1^C

Theoretically,

realizable.

New VCS, Color of SecretTzeng and Hu, 2002

Let =(Q, F) be an access structure on a set of n participants. A - VCS_3 with expansion m and contrast (m) consists of two collections of n×m matrices C_0 and C_1 such that:I. For any qualified subset X={i_1,…,i_k} and A ε C_0, the or V of rows i_1,…,i_k of A satisfies w(V) = t_X; whereas,

II. For any non-qualified subset X={i_1,…,i_t}. The two collections of t×m matrices D_j, with j ε {0,1}, obtained by restricting each n×m matrix in C_j to rows i_1,…,i_t are indistinguishable in the sense that they contain the same matrices with the same frequencies.

for any B ε C_1 it results that w(V) t_X-(m).m or for any B ε C_1 w(V) ≤t_X- (m).m.

New VCS, Color of SecretTzeng and Hu, 2002

Extended VCS In 1998, S. Droste introduced an extension of the visual cryptography. In fact, he has presented an extended VCS in which every combination of the transparencies can contain independent information.

In 2001, G. Ateniese, C. Blundo, A. Santis and D.R. Stinson has introduced another version of extended visual cryptography in which every share have to be an image.

Extended VCSDroste 1998

Consider multi-sets C^T (T is a subset of 2^P\{ф}) of n×m Boolean matrices which satisfy the following conditions. 1.For all X={i_1,…,i_k} and A ε C^T, where X is a member of T, the or V of rows i_1,…,i_t of A satisfies w(V) t_X.2.For all X={i_1,…,i_k} and A ε C^T, where X is not a member of T, the or V of rows i_1,…,i_k of A satisfies w(V) t_X- (m).m.3.The condition of Security!

10101001

1011

10100101

100110110101

1010 101001111011

1011 10111011 0111

Extended VCSDroste 1998

C^{}= C^{{1,2}}=

C^{{1},{1,2}}=

C^{{2},{1,2}}=

C^{{1},{2},{1,2}}=

C^{{1}}=

C^{{2}}=

C^{{1},{2}}=

Extended VCS G. Ateniese, C. Blundo, A. Santis and D.R. Stinson, 2001

10101001

1011

10100101

100110110101

1010 101001111011

1011 10111011 0111

Extended VCSDroste 1998

C^{}= C^{{1,2}}=

C^{{1},{1,2}}=

C^{{2},{1,2}}=

C^{{1},{2},{1,2}}=

C^{{1}}=

C^{{2}}=

C^{{1},{2}}=

10101001

1011

10100101

100110110101

1010 101001111011

1011 10111011 0111

Extended VCSDroste 1998

C^{}= C^{{1,2}}=

C^{{1},{1,2}}=

C^{{2},{1,2}}=

C^{{1},{2},{1,2}}=

C^{{1}}=

C^{{2}}=

C^{{1},{2}}=

Colored Visual CryptographyThe generalized “or” of elements (colors) in

{a_0, a_1, . . . , a_{c−1}} equals a_i if all colors are equal to a_i, otherwise it equals BLACK Color.

Colored Visual CryptographyVERHEUL and VAN TILBORG, 1997

Let =(Q, F) be an access structure on a set of n participants. The c collections of n×m matrices C_0, C_1, . . . , C_{c−1} constitute a c-colour - VCS_1 with pixel expansion m, if there exist two integers h and l such that h > l satisfying:

I. For any qualified subset X={i_1,…,i_k} and A ε C_i, the generalized or V of rows i_1,…,i_k of A satisfies Z_i(V) h while for any j≠ i, Z_j(V) ≤ l.

II. For any non-qualified subset X={i_1,…,i_t}. The collections of t×m matrices D_j, obtained by restricting each n×m matrix in C_j to rows i_1,…,i_t , are indistinguishable in the sense that they contain the same matrices with the same frequencies.

Colored Visual Cryptography2 out of 5

Colored Visual Cryptography Yang and Laih, 2000

Probabilistic Visual CryptographyK out of n, Yang 2004

A k out of n ProbVSS_1 scheme can be shown as two multi-sets, C_0 and C_1; consisting of n×1 matrices which satisfies the following conditions: For these matrices in the multi-set C_0 (resp. C1), the ‘‘OR’’-ed value of any k-tuple column vector V is L(V). These values of all matrices form a multi-set E_0 (resp. E_1), respectively.The two multi-sets E_0 and E_1 satisfy that p_1≥p_t andP_0≤p_t- α, where p_0 and p_1 are the appearanceprobabilities of the ‘‘1’’ (black color) in the multi-sets E_0 and E_1, respectively.For any subset {i_1,…,i_t} of participants with t<k the p_0 and p_1 are the same.

Probabilistic Visual CryptographyK out of n, Yang 2004

2 out of 2

Probabilistic Visual CryptographyK out of n, Yang 2004

2 out of 3

Share 1 Share 2

Secret 1 “VISUAL” Secret 2 “SECRET”

Staking Staking

Rotating 72o

W.G. Tzeng and C.M. Hu, 2002, introduced another model for visual cryptography in which just minimal qualified subsets can recover the shared image by stacking their transparencies.

(C. Blundo, S. Cimato, and A. De Santis, 2006) Let =(Q, F) be an access structure. The best pixel expansion of -VCS_3 (basis matrices) satisfies

.2

|_0 |)(3

m

(H. Hajiabolhassan and A. Cheraghi) Let =(Q, F) be an access structure. Also, assume that there exist disjoint qualified sets A_1, . . . ,A_t such that for any qualified set B A_1 ··· A_t⊆ ∪ ∪ , one should have A_i B⊆ for some 1 ≤ i ≤ t, i.e., A_i’s constitute an induced matching in Q. Then

One can consider another model for visual cryptography (VCS_4) in which minimal qualified subsets can recover the secret. In fact, we don’t mind whether non-minimal qualified subsets can obtain the secret.

)1(2)}(m,)(min{mt

1i

|-1A|32

i

t

A graph access structure is an access structure for which the set of participants is the vertex set V (G) of a graph G = (V (G),E(G)), and the sets of participants qualified to reconstruct the secret image are precisely those containing an edge of G.

A strong edge coloring of a graph G is an edge coloring in which every color class is an induced matching. The strong chromatic index s (G) ′ is the minimum number of colors in a strong edge coloring of G.

(H. Hajiabolhassan and A. Cheraghi) Let G be a non-empty graph. Then

m_4(G) ≤ min{2bc(G), 2s (G)}′ .

Thanks for your attention!