Secret Image Sharing Scheme with Threshold Changeable Capability
In secret image sharing schemes, the threshold may have to be adjusted in case of changes in the security policy and the adversary structure before recovering the secret image. For example, if participants leave the group, their stego images are useless to them and may not be kept safely. As a result, these images can be easily stolen and utilized by intruders, which reduces the security of the scheme. To solve this problem, we propose a novel threshold changeable secret image sharing scheme with potential changeable thresholds . By preparing advance shares for thresholds and using the two-variable one-way function to generate the identification value, we can change the threshold when necessary. The experiments show that the quality of the stego images in our scheme is satisfactory and the secret image can be recovered without distortion. Moreover, the security analysis shows that we can change the threshold safely.
The rapid development of Internet has brought much more convenience to people’s daily lives, but it has also brought security risks. In the open communication networks, it is easy to intercept, modify, fabricate, and even destroy data. Modern cryptography provides an effective solution to ensure the security of information. Since the design details of most cryptography algorithms are public, the security of the encrypted information depends on the security of the key. Thus, it is important that the key be kept safely.
In order to solve this secret key protecting problem, Shamir  and Blakley  proposed threshold secret sharing schemes independently. Shamir constructed his scheme based on polynomial interpolation, while Blakley provided a geometric construction. In a threshold secret sharing scheme, a dealer encodes and divides the secret into shares that are distributed to participants, and then or more participants can recover the secret, but less than participants cannot get any information about the secret. In 1994, Naor and Shamir  proposed a visual secret image sharing scheme. Utilizing the threshold secret sharing technique, the secret image is encoded and divided into random-noise-like images (called share images), and these share images are distributed to the participants, so that any or more participants can see the secret image by stacking their share images together. However, the random-noise-like images, which are meaningless, can easily attract malicious intruders’ attention. To solve this problem, Lin and Tsai  provided a threshold image sharing scheme using steganography. In their scheme, the shares are camouflaged in a cover image to form the stego images, which cannot be distinguished by the human eye, so these shares can be concealed from intruders. At the same time, their scheme embeds watermarks into the stego images for verification.
In recent years, various secret image sharing techniques have been developed rapidly. In 2007, Yang et al.  proposed an image sharing scheme that can improve the authentication ability, but it degraded the quality of the stego images. In 2009, Lin et al.  utilized the modulo operation to camouflage the secret data in the cover image to overcome this drawback. Their scheme guarantees higher quality stego images, and it can reconstruct the secret image and the cover image without distortion. In 2010, Lin and Chan  proposed an invertible secret image sharing scheme with satisfactory quality of the stego images. It can recover the secret image and the cover image without distortion, and it allows for a large capacity of secret data embedding. In reality, the single threshold access structure cannot satisfy the demand of complex applications. To solve this problem, Guo et al.  first proposed a hierarchical secret image sharing, based on polynomial interpolation in 2012, which divided the secret share images into different hierarchies and set different threshold values. Also in 2012, Guo et al.  proposed another novel hierarchical secret image sharing scheme based on monotone span programs (MSPs). In 2013, Ulutas et al.  proposed an invertible secret image sharing scheme using modification direction and the modulo operation. Their scheme can improve the quality of the stego images effectively when grey-scale cover image is used, and it can also obtain acceptable quality stego images when dithered cover image is used. In 2014, Pakniat et al.  used cellular automata and Birkhoff interpolation to propose a novel secret image sharing scheme with hierarchical threshold access structure. In this scheme, each authorized subset of participants is able to recover the secret image and the cover image without distortion, and they can also check the validity of the secret image.
Before recovering the secret image, the security policies and adversary structures may change, so it may be necessary to adjust the threshold. For example, (1) the importance level of the secret image is increased or decreased; (2) some participants join or leave the group; (3) the mutual trust of participants is strengthened or weakened; (4) the adversary might have corrupted more than participants. Currently, there is not a secret image sharing scheme that can change the threshold after distributing the stego images and before recovering the secret image. Therefore, it is necessary to set up a changeable threshold secret image sharing scheme.
Currently, many researchers are interested in secret sharing schemes, especially threshold changeable secret sharing schemes. In 1991, Laih et al.  proposed the first threshold changeable secret sharing scheme. In recent years, some researchers have been developing threshold changeable secret sharing schemes based on various techniques, such as (1) the share redistributing technique in [13–15]; (2) the lattice basis reduction technique in [16–18]; (3) the redundant shares technique in [19, 20]; and (4) the advance shares technique in . In 1997, Desmedt and Jajodia  used the share redistributing technique to propose a threshold changeable secret sharing scheme without the dealer’s participation after the initialization phase. Some similar schemes can be found in [14, 15]. In these schemes, if the threshold needs to be adjusted, each original share is split into smaller shares which are then redistributed to all participants in the new access structure. Each participant can combine all received smaller shares into one new share by a suitable linear combination; thus each participant only has to store . Note that all participants must simultaneously keep mutual secure communication channels. However, this may be impractical when the threshold changes, especially in the event of an urgent threshold change, so many schemes based on broadcasting have been proposed. In 1999, Martin et al.  provided a general model for threshold changeable secret sharing schemes and also provided two threshold schemes which were based on polynomial interpolation and geometric construction. In 2005, Barwick et al.  proposed a novel threshold changeable secret sharing scheme based on broadcasting, which can minimize the storage space required for secret sharing and limit the size of the broadcast information in low-bandwidth environment. In 2007, Steinfeld et al.  provided a lattice-based threshold changeable secret sharing scheme in which the threshold can be increased by partial updating of shares. In 2012, Zhang et al.  also proposed two threshold changeable secret sharing schemes. In their schemes, the advance shares, which have a one-to-one relationship with all potential thresholds, are prepared in the initialization phase, and then the new threshold can be validated by broadcasting related information.
Inspired by Zhang et al.’s work , we propose a novel threshold changeable secret image sharing scheme that can adjust the threshold to () dynamically by broadcasting information. Since the novel characteristic of our scheme is not available in the existing secret image sharing schemes, it has the potential to work in many applications. Our scheme has the following characteristics:(1)The quality of stego images is satisfactory, and the secret image can be recovered without distortion.(2)The problem with Zhang et al.’s scheme, that is, that the encrypted shares are too large to be camouflaged in the cover image to form the stego images, is solved by our scheme.(3)The threshold can be adjusted in case of changes in the security policy or the adversary structure, and our scheme remains secure after these changes are made.
The rest of this paper is organized as follows. We describe Shamir’s secret sharing scheme and the two-variable one-way function in Section 2, and we present our novel threshold changeable secret image sharing scheme in Section 3. Our experiments, the performance of our scheme, and the security analysis are presented in Section 4. Section 5 presents our conclusions.
This section describes the concept of Shamir’s threshold secret sharing scheme  and the two-variable one-way function.
2.1. Shamir’s Threshold Secret Sharing Scheme
Let be the secret domain, where is a big prime number. Secret is shared amongst participants and is the threshold value. Each participant gets a piece of secret called share. Then, or more participants can cooperate to reconstruct the secret by polynomial interpolation, and less than participants cannot get any information about the secret. Shamir’s secret sharing scheme  can work as follows.
Sharing Procedure. The dealer chooses distinct and nonzero elements for the unique identifications of the participants, where , . The identification can be known by everyone. Then, the dealer constructs a ()-degree polynomialwhere are randomly chosen. For all , the dealer computes share and then sends it to corresponding participant by secure communication channels. The values of the shares are limited to .
Recovery Procedure. Without loss of generality, assume that participants provide their shares. With points , polynomial can be reconstructed as follows:
Then, secret can be recovered as .
2.2. Two-Variable One-Way Function
If each participant’s share data generated according to the secret image is sent directly, it can easily attract malicious intruders’ attention, because it is meaningless. To solve this problem, in our scheme, each participant’s share data is camouflaged in a cover image to form corresponding stego image. Since each stego image and cover image cannot be distinguished by the human eye, each participant’s share data can be concealed from intruders.
In Zhang et al.’s threshold changeable secret sharing scheme , they prepare advance shares for all potential changeable thresholds and encrypt the advance shares by the symmetric encryption algorithm in the sharing procedure. But their encrypted shares are too large to be camouflaged in the cover image. To solve this problem, we used the two-variable one-way function to generate the identification values, which are fed into the polynomial to generate the shares. The details will be given in Section 3. For the reader’s convenience, we introduce the two-variable one-way function represented by Chien et al.  as follows.
Function is a two-variable one-way function that can map variables and into a value with a fixed length. The features of are as follows:(1)Given and , is easy to calculate.(2)Given and , it is not feasible to calculate .(3)Given and , it is not feasible to calculate .(4)It is not feasible to calculate for any without .(5)It is not feasible to calculate for any without .(6)Given , it is not feasible for and to satisfy .(7)Given , it is not feasible for and to satisfy .(8)Given any pairs of , it is not feasible to calculate when .
3. Proposed Scheme
Given a grey-scale secret image with pixels and a grey-scale cover image with pixels, the dealer can derive shares from and generate stego images for participants . Before recovering secret image , if the security policy and adversary structure are changed, the threshold can be adjusted to a suitable threshold , where are potential thresholds, and the scheme can remain secure after these changes are made. Then, or more participants can recover secret image without distortion.
In our scheme, the pixels of and are read from left to right and from top to bottom. Assume that the dealer knows potential thresholds to which the threshold may be changed in the future, and these thresholds satisfy the condition (). This condition can be achieved easily by adding new potential thresholds to shorten the difference between the two potential thresholds. For a univariate polynomial , the degree operator is used to compute the degree of the polynomial, and the coefficient operator is defined, such that . Our threshold changeable secret image sharing scheme can be divided into two procedures, that is, sharing and recovery. These procedures are described as follows.
3.1. Sharing Procedure
In the sharing procedure, the dealer derives shares from secret image and generates stego images for participants . Figure 1 displays the flowchart of this procedure. We describe how to generate the shares in Section 3.1.1 and how to camouflage these shares into the cover image to form the stego images in Section 3.1.2.
3.1.1. Share Derivation
The dealer selects a prime number , distinct and nonzero random integers as the real identifications of participants, and distinct and nonzero random integers as the corresponding secret keys of potential thresholds . To share secret image , the dealer converts into m-ary data (called converted data). The size of this converted data is , where is the ceiling function. For instance, we can assume that the chosen is equal to 5, and then . If two pixels in secret image are 78 and 231, the converted digits become and .
For convenience, assume that converted digits, which are selected from the converted data, are , and then polynomials, which are used to hide these converted digits, can be constructed as follows:where polynomial is generated by Algorithm 1, and , for all . Algorithm 1 is described as follows.
Then, each participant’s advance shares () are computed as follows: where is the advance shares of participant and is the fake identification that is computed by feeding key and real identification into two-variable one-way function .
In this phase, shares are camouflaged in cover image to form stego images , and then they are distributed to corresponding participants.
For convenience, assume that pixels, which are selected from cover image , are . With and , each participant’s camouflaged pixels () are computed aswhere is camouflaged pixel of participant and is the floor function.
If all of the converted digits have been camouflaged in cover image , the dealer can obtain each participant’s stego image (), and then the dealer distributes real identification and stego image to corresponding participant through secure communication channel.
3.2. Recovery Procedure
Before recovering secret image , if security policy and adversary structure are changed, the threshold can be adjusted to a suitable threshold which is one of potential thresholds , and the scheme can remain secure after these changes are made. Then, or more participants can use their own stego images to recover secret image without distortion. In this section, we describe how to change the threshold in Section 3.2.1 and how to recover secret image without distortion in Section 3.2.2.
3.2.1. Threshold Changing
Assuming that the new threshold must be changed to (), the dealer broadcasts keys . With keys and real identification , each participant () computes her/his fake identifications , which are used to reconstruct polynomials in the next phase.
3.2.2. Secret Image Recovery
In this section, we describe how to recover secret image with threshold . The procedure for doing so is shown in Figure 2.
For convenience, assume that participants provide their stego images . Let pixels be the corresponding pixel value of stego image . To extract the converted data, these participants must reconstruct polynomial from their advance shares. Thus, by utilizing the modulo operation, advance shares () can be computed aswhere is the advance shares of participant .
If , with shares and fake identification values , polynomial can be reconstructed as follows:Then, converted digits can be recovered from coefficients of polynomial .
If , since , participants cannot reconstruct polynomial directly. But, they can reconstruct polynomial and then reconstruct polynomials in turn by computing polynomials where and ().
With points (), polynomial can be constructed as follows:
Then, polynomial can be constructed as . By repeating above procedures, polynomials can be recovered in turn, and then converted digits can be obtained from coefficients of polynomial .
By repeating these processes, all converted digits can be extracted, and then secret image can be recovered by transforming these converted digits to decimal representation.
4. Experiment and Analysis
In this section, we describe the tests we conducted to determine the feasibility and performance of our scheme using simulations and experiments, and then we discuss the security of our scheme.
To estimate the quality of the stego images, we used peak signal-to-noise ratio (PSNR):The mean square error (MSE) of an image with pixels is defined aswhere is the original pixel value of the cover image and is the camouflaged pixel value of the stego image. Therefore, the higher the PSNR value, the smaller the difference between the cover image and the stego image. If the PSNR value is less than 35 dB, some of the important characteristics of the signal may be lost. When the PSNR value is less than 30 dB, the quality is unacceptable. But it is difficult for people to distinguish the original cover image from the stego image when the PSNR value is greater than 35 dB .
4.1. Simulation Results
The simulation settings of our experimental parameters were as follows: , , , , , and (i.e., this scheme is a threshold changeable secret sharing scheme). Let the real identification of six participants be . We used image Baboon with pixels as the secret image, as shown in Figure 3. We embedded shares into the original cover pixels, except for those pixels within as Lin and Chan’s scheme  does.
To compare the quality of the stego images for different cover images, we selected twelve gray-scale test cover images with pixels to conduct the experiment. The twelve cover images are shown in Figure 4.
Table 1 displays the corresponding PSNR values of the stego images for the test cover images by our threshold changeable secret image sharing scheme.
Table 1 indicates that the cover image has little effect on the quality of the stego images. All of the PSNR values of our experiments are about 40 dB, which is greater than 35 dB, indicating that the quality of the stego images is satisfactory.
In the recovery procedure of our scheme, we set as the threshold value, and we broadcast the corresponding secret keys . For convenience, we used stego images (a), (b), and (c) to reconstruct the secret image. Figure 5 shows cover image Lena, six stego images, and reconstructed secret image Baboon. The average PSNR value of the six stego images (i.e., images (a), (b), (c), (d), (e), and (f)) is 40.02 dB. We observe that each stego image shown in Figure 5 has a natural appearance and cannot leak any information about the secret image. The secret image recovered by stego images (a), (b), and (c) is displayed as image (g), which is the same as the original secret image.
(a) Stego image 1, PSNR dB
(b) Stego image 2, PSNR dB
(c) Stego image 3, PSNR dB
(d) Stego image 4, PSNR dB
(e) Stego image 5, PSNR dB
(f) Stego image 6, PSNR dB
(g) Recovered secret image Baboon
(h) Cover image Lena
4.2. Performance Analysis
Factors and potential thresholds are important in our scheme’s ability to maximize the secret capacity and preserve the fidelity of the stego images. The influence of these two factors is discussed in this section.
Table 2 displays the relationship of capacity and distortion for different values. Image Baboon is used as the secret image in all of those experiments, and Lena is used as the cover image. The parameters are as follows: , , , , and . Table 2 indicates that (1) the number of influenced bits is increased as the value of factor increases; (2) the capacity of the embedded converted data is increased as the value of factor increases; and (3) the value of PSNR is decreased as the value of factor increases. Since the difference between the original pixel in the cover image and the camouflaged pixel in the stego image is limited to , it becomes smaller as the value of factor decreases; that is, the quality of the stego images increases as factor decreases. But a smaller value can increase the number of converted digits; that is, the capacity of the embedded converted data is decreased. Different from Lin and Chan’s scheme  which constructs one polynomial, we construct polynomials to embed converted digits into pixels of the cover image in one iteration of polynomial calculation. Assuming that this cover image has pixels, it can embed converted digits (i.e., pixels). Table 2 indicates that the values of the PSNR are greater than 35 dB when the values of are set as 5 and 7. Since the capacity when is 7 is greater than that when is 5, setting as 7 is more suitable in this situation.
The selection of potential thresholds is another critical factor that influences the quality of the stego images. Table 3 shows the performance comparisons of different potential thresholds. In these experiments, we set test potential thresholds as , , , , and , and we set factor . As in the above experiments, image Baboon is used as the secret image, and image Lena is the cover image.
In our threshold changeable secret image sharing scheme, since we camouflage converted digits in -degree polynomial , the order of polynomial increases as increases, which means that, for the same secret image and factor , the number of camouflaged pixels decreases as increases (i.e., the value of PSNR increases as increases, and the capacity of embedding converted data in the cover image increases as increases, which were indicated in Table 3). At the same time, we focus on the performance when the potential thresholds were set as and , and we observed that different potential thresholds had little effect on the quality of the stego images when and were fixed. In our scheme, we need to construct polynomials and camouflage pixels of the cover image, where and are the height and width of gray-scale secret image , respectively. Thus, the difference of potential thresholds cannot influence the quality of the stego images when and were fixed.
Table 4 compares our scheme with Chang et al.’s scheme (2008) , Lin et al.’s scheme (2009) , Lin and Chan’s scheme (2010) , and Ulutas et al.’s scheme (2013) . We still use image Baboon as the secret image and image Lena as the cover image, and set .
Table 4 indicates that our scheme has the unique threshold changeable characteristic and can recover the secret image without distortion. Since we camouflaged converted digits in pixels of the cover image in each iteration, which requires much more modification of the cover image, our scheme has lower quality of stego images and capacity of embedded converted digits. However, the average PSNR value of our scheme is 40 dB, which indicates that the quality of our stego images is acceptable. In addition, in practice, is usually a small integer (such as ) corresponding to the “low, middle, and high” level of security in computers while could be linearly related to , so the capacity of embedded converted digits usually is acceptable.
In some situation, we need to share important secret image using sensitive cover images (such as medical, military, or artistic images) and these cover images need to be recovered without distortion. To satisfy this requirement, our scheme can embed the recovery information of the cover image pixels into the polynomials as Lin and Chan’s scheme  does. But in this situation, we can only embed converted digits into pixels of the cover image in one iteration, which weakens the quality of the stego images and reduces the capacity to , where and are the height and width of gray-scale cover image , respectively.
4.3. Security Analysis
In this section, we analyze the security of our scheme.
First, we notice that our scheme can only change the threshold once. After the dealer broadcasts keys to validate threshold (), then it takes at least cooperating participants to recover the secret image without distortion. If the new threshold must be changed to (), the dealer broadcasts keys to achieve this. On the contrary, if , the shares must be updated. In schemes that have strict security requirements, it is inevitable that shares are updated. For instance, the threshold in schemes [27, 28] can be changed many times, but, when one participant leaves the group, the shares should be updated simultaneously.
Theorem 1. Before broadcasting the keys, no participant can recover secret image .
Proof. In the worst situation, there are participants in set who want to recover the secret image. Assume that they want to recover the first converted digits hidden in polynomial . Then, the participants in can obtainOur scheme is based on polynomial interpolation; that is, given points with distinct , there is one and only one -degree polynomial such that for all . However, the polynomial cannot be reconstructed with less than points. According to the features of the two-variable one-way function , without keys , each participant () cannot compute her/his fake identifications , which are fed into polynomials to generate the shares in the sharing procedure. Thus, utilizing only , no polynomial in can be reconstructed by polynomial interpolation, and they cannot obtain the converted digits that are hidden in the coefficients of polynomial . Likewise, the participants in cannot obtain other converted digits, so the secret image cannot be recovered by any participant.
Theorem 2. After obtaining broadcast information , less than participants cannot recover secret image .
Proof. Without loss of generality, assume that there are participants in set who want to recover the secret image. Assume that they want to recover the first converted digits that are hidden in polynomial . Then, the participants in can obtainAccording to the features of the two-variable one-way function , we know the following:(1)If and () are fed into with the same key , .(2)If is fed into with different keys and , .Thus, the fake identifications of participants in are different, and they cannot deduce their own unknown fake identifications without . Utilizing only , polynomials cannot be reconstructed by polynomial interpolation.
Utilizing for each candidate point , they can reconstruct one and only one polynomial of degree , such that and (). Constructed in the same way, these possible polynomials are equally likely; thus, there is absolutely nothing the opponent can deduce about the real polynomial . Likewise, utilizing , they cannot deduce anything about polynomials either, where ().
In summary, the participants in cannot reconstruct polynomial and obtain hidden converted digits, which are the coefficients of polynomial Likewise, they cannot obtain other converted digits. Thus, less than participants cannot recover secret image , after obtaining broadcast keys .
Theorem 3. If threshold () is validated by broadcasting information, thresholds are validated at the same time.
Proof. In the recovery procedure, assume that threshold () is validated by broadcasting keys ; then any or more participants can collaborate to recover the secret image using their stego images. In addition, any (, ) or more participants can also collaborate to recover the secret image with keys . In other words, when threshold is validated, thresholds are also validated.
Before recovering the secret image, the threshold may have to be adjusted for the change of the security policy and the adversary’s structure. To solve this problem, we propose a threshold changeable secret image sharing scheme with potential thresholds . Our scheme can validate new threshold () by broadcasting the corresponding keys , and then or more participants can recover secret image without distortion. The experiments and analysis showed that the threshold in our scheme can be changed dynamically and that the security can be maintained after these changes. In addition, the quality of the stego images is satisfactory.
However, in order to make the threshold changeable, we embed large amounts of redundant data into the cover image, which requires much more modification of the cover image, so the quality of the stego images is lower than other schemes. At the same time, we do not embed the recovery information of pixels of the cover image in order to increase the capacity, so the cover image in our scheme cannot be recovered without distortion. We will address these issues in future work.
The authors declare that they have no competing interests.
This paper is supported by the Nature Science Foundation of China under Grant nos. 61272173, 91315302, 61401060, 61501080, and 61572095, the General Program of Liaoning Provincial Department of Education Science Research under Grant no. L2014017, and the Fundamental Research Funds for the Central Universities under Grant no. DUT16QY09. In addition, the authors are grateful to Jia Liu for insightful comments and discussions.
G. R. Blakley, “Safeguarding cryptographic keys,” in Proceedings of the AFIPS National Computer Conference, pp. 313–317, New York, NY, USA, June 1979.View at: Google Scholar
M. Naor and A. Shamir, “Visual cryptography,” in Advances in Cryptology- Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT '94), pp. 1–12, Perugia, Italy, 1994.View at: Google Scholar
C. S. Laih, L. Harn, J. Y. Lee, and T. Hwang, “Dynamic threshold scheme based on the definition of cross-product in an n-dimensional linear space,” Journal on Information Science and Engineering, vol. 7, no. 1, pp. 13–23, 1991.View at: Google Scholar
Y. Desmedt and S. Jajodia, “Redistributing secret shares to new access structures and its applications,” Tech. Rep. ISSE TR-97-01, George Mason University, Fairfax, Va, USA, 1997.View at: Google Scholar
L. Chen, D. Gollmann, and C. J. Mitchell, “Key escrow in mutually mistrusting domains,” in Security Protocols: International Workshop Cambridge, United Kingdom, April 10–12, 1996 Proceedings, vol. 1189 of Lecture Notes in Computer Science, pp. 139–153, Springer, Berlin, Germany, 1997.View at: Publisher Site | Google Scholar
K. M. Martin, “Untrustworthy participants in perfect secret sharing schemes,” in Cryptography and Coding III, pp. 255–264, Oxford University Press, Oxford, UK, 1993.View at: Google Scholar
K. M. Martin, J. Pieprzyk, R. Safavi-Naini, and H. Wang, “Changing thresholds in the absence of secure channels,” Australian Computer Journal, vol. 31, no. 2, pp. 34–43, 1999.View at: Google Scholar
H.-Y. Chien, J. Jinn-Ke, and Y. M. Tseng, “A practical (t, n) multi-secret sharing scheme,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 83, no. 12, pp. 2762–2765, 2000.View at: Google Scholar
K. Kyriakopoulos and D. J. Parish, “A live system for wavelet compression of high speed computer network measurements,” in Proceedings of the 8th International Conference on Passive and Active Network Measurement, pp. 241–244, Louvain, Belgium, April 2007.View at: Google Scholar