Fast-weighted secret image sharing

Fast-weighted secret image sharing

Sian-Jheng Lin Lee Shu-Teng Chen Ja-Chen Lin

National Chiao Tung University

Department of Computer Science and Information Engineering

1001 Ta Hsueh Road Hsinchu, 300 Taiwan

E-mail: stlee@cs.nctu.edu.tw

Abstract. Thien and Lin关Comput. and Graphics 26共5兲, 765–770 共2002兲兴 proposed a threshold scheme to share a secret image among n shad-ows: any t of the n shadows can recover the secret, whereas t − 1 or fewer shadows cannot. However, in real life, certain managers probably play key roles to run a company and thus need special authority to re-cover the secret in managers’ meeting.共Each manager’s shadow should be more powerful than an ordinary employee’s shadow.兲 In Thien and Lin’s scheme, if a company has less than t managers, then manager’s meeting cannot recover the secret, unless some managers were given multiple shadows in advance. But this compromise causes managers inconvenience because too many shadows were to be kept daily and carried to the meeting. To solve this dilemma, a weighted sharing method is proposed: each of the shadows has a weight. The secret is recovered if and only if the total weights 共rather than the number兲 of received shadows is at least t. The properties of GF共2r_{兲 are utilized to} accelerate sharing speed. Besides, the method is also a more general approach to polynomial-based sharing. Moreover, for convenience, each person keeps only one shadow and only one shadow index. © 2009 Society of Photo-Optical Instrumentation Engineers. 关DOI: 10.1117/1.3168644兴

Subject terms: secret image sharing; Galois field; Lagrange polynomial; Chinese remainder theorem.

Paper 080900R received Nov. 17, 2008; revised manuscript received Apr. 30, 2009; accepted for publication May 26, 2009; published online Jul. 15, 2009.

1 Introduction

Blakley1 and Shamir2 first proposed the secret sharing

scheme in 1979, independently. In their 共t,n兲 threshold

scheme, a dealer distributed a secret number into n shad-ows and each of n participants held one shadow. The secret number could be reconstructed if at least t of the n shadows were received. On the other hand, the secret number could not be revealed if any of t − 1 or less of the n shadows were

received. Later, Shamir2 introduced the concept of

weighted secret sharing in his seminal work. In Shamir’s

weighted secret sharing with the 共t,n兲 threshold scheme,

each of the n participants is assigned with a positive integer weight wi, where i = 1 , 2 , . . . , n and 1艋wi艋t−1. Then, the dealer distributed a secret number into兺_i=1n wishadows, and the number of shadows that each participant held was equal to their corresponding weight value. The secret could be reconstructed if the sum of the weights of the received par-ticipants is no less than the threshold t.

When the secret data are a secret image rather than a

secret number, using Blakley’s or Shamir’s共t,n兲 threshold

scheme to share the secret image will waste much memory space because the size of the secret image is usually very

large. To reduce the memory space, Thien and Lin3

pro-posed the secret image–sharing method derived from

Shamir’s scheme;2Tso4proposed the secret image–sharing

method based on Blakley’s scheme.1 In Ref. 3 and 4, the

size of each shadow is smaller than that of the secret image.

In addition, based on Thien and Lin’s secret image–sharing

method, the progressive secret image-sharing schemes5–7

were proposed in succession.

When it comes to the issue of secret image sharing among the weighted participants, based on the concept of

Shamir’s seminal work,2Thien and Lin’s method3 can be

simply applied to solve this problem. However, to further improve the execution time in the weighted secret image– sharing phase, a fast–weighted secret image–sharing method is proposed in this paper.

The rest of the paper is organized as follows. Section 2 reviews the related works. Section 3 describes the details of the proposed fast-weighted secret image–sharing scheme. Section 4 shows the experimental results, comparisons, and security analysis. Finally, Sec. 5 draws the conclusions.

2 Related Works

Section 2.1 introduces Thien and Lin’s sharing method,3

and Sec. 2.2 introduces Galois field, which will be utilized in this paper.

2.1 Thien and Lin’s Secret Image–Sharing Method3

In the sharing phase of Thien and Lin’s 共t,n兲 threshold

method, for each nonoverlapping t pixels of the secret im-age, the corresponding polynomial is defined as

f共x兲 = a0+ a1x + ¯ + at−1xt−1共mod p兲, 共1兲

where a0, a1, . . . , at−1 are the gray values of each t pixels, and p is a prime number. Then,

f共1兲, f共2兲, ... , f共n兲 共2兲

are evaluated and assigned to the n shadows sequentially. After processing all pixels in the secret image, the n shad-ows are thus generated. Because each t pixels in secret image only contributes one pixel to each generated shadow, the size of which is 1/t of the secret image.

As for the revealing phase, when any t of the n shadows are received, the first not-yet-used pixel from each of the t shadows is taken, and these t pixels can be used to solve the coefficients a0, a1, . . . , at−1 in Eq.共1兲 by using Lagrange’s polynomial. After sequentially processing all pixels of the t shadows, the secret image can be obtained.

2.2 Galois Field

Galois field is a finite field that contains␤r_{elements, where} ␤is a prime number, and r is a positive integer.共Thien and Lin3used␤= 251 and r = 1, but we use␤= 2 and r = 8 in our method.兲 A finite field also equips with two operators:

ad-dition共⫹兲 and multiplication 共·兲. Both operators must

sat-isfy the commutative, associative, and distributive laws. The manipulation of addition and multiplication over GF共2r_{兲 are introduced below. Before doing GF共2}r_兲 arith-metic, an r-degree binary-coefficient polynomial m共X兲, called primitive polynomial, has to be defined first.

Primi-tive means that m共X兲 has a root ␣, and 兵0, 1, ␣,

␣2_{, . . . ,␣}2r−2_{其 are all elements in GF共2}r_{兲. 关The polynomial}

m共X兲 must satisfy certain requirements specified in Galois

field GF共2r_{兲, see Lin and Costello,}8

for details. Here, we will use r = 8 and m共X兲=1+X2_{+ X}3_{+ X}4_{+ X}8 _{in our} experi-ments.兴

Let A and B be any two elements in GF共2r_{兲. Then define} the addition operator as

A + B = A丣B,

where丣 is the exclusive-X-OR共XOR兲 operator. The

mul-tiplication operator is somewhat more complicated. Before doing multiplication, convert the two elements A and B to two binary polynomials

A =共a_r−1. . . a₂a₁a₀兲₂→ a₀+ a₁X + a₂X2_{+ ¯ + a} r−1Xr−1

B =共br−1. . . b2b1b0兲2→ b0+ b1X + b2X2+ ¯ + br−1Xr−1. Then do the following polynomial multiplication and modulus operations:

关共a0+ a1X + a2X2+ ¯ + ar−1Xr−1兲共b0+ b1X + b2X2+ ¯ + br−1Xr−1兲兴mod m共X兲

=关共a0ˆb0兲 + 共a0ˆb1丣a1ˆb0兲X + 共a0ˆb2丣a1ˆb1

丣a₂ˆb₀兲X2+ ¯ + 共ar−1ˆbr−1兲X2r−2兴mod m共X兲 = c₀+ c₁X + c₂X2_{+ ¯ + c}

r−1Xr−1,

where ˆ is the AND operator. Finally, the result for A · B can be obtained by

A · B = C =共cr−1. . . c2c1c0兲2.

Remark: In general, there exist other definitions for

ad-dition and multiplication operators. 关The details about

GF共2r_{兲 can see be found in Ref. 8.兴 But we will use the}

above definition for addition and multiplication throughout the paper.

3 Proposed Fast-Weighted Secret Image–sharing Method

This section has three subsections: Section 3.1 is for weighted secret image sharing; Sec. 3.2 is for weighted secret image revealing; and Sec. 3.3 shows the improved

weighted secret image–sharing algorithm based on GF共2r_兲.

3.1 Weighted Secret Image–Sharing Phase

According to the Chinese remainder theorem for polynomi-als, when we divide

h共x兲 = a0+ a1x + ¯ + at−1xt−1

by a factor共x−i兲, the remainder is h共i兲. In symbols,

h共i兲 = h共x兲mod共x − i兲.

Now, when we apply mod p on both sides, we have

f共i兲 = h共i兲mod p = 关h共x兲mod共x − i兲兴mod p,

where f共i兲=h共i兲mod p is due to the equation f共x兲=关a0

+ a1x +¯+at−1xt−1兴 mod p=h共x兲 mod p defined in Eq.共2兲. Therefore, in Galois field GF共p兲, i.e., in the field of mod p,

we may say that f共i兲 and 关h共x兲mod共x−i兲兴 are equal. In

sym-bols,

f共i兲 = h共x兲mod共x − i兲

=关a0+ a1x + ¯ + at−1xt−1兴mod共x − i兲 共3兲

in Galois field GF共p兲. That is to say, if we divide that poly-nomial a0+ a1x +¯+at−1xt−1 by共x−i兲, then the remainder is a number. If we divide this number by p further, then we obtain f共i兲. In this paper, to define our own formula of the

weighted secret image sharing with the 共t,n兲 threshold

scheme, we extend Eq.共2兲 as

gi

w_{i共x兲 = 关a}

0+ a1x + ¯ + at−1xt−1兴mod共x − i兲wi, 共4兲 where wi is the shadow weight and i = 1 , 2 , . . . , n. Also,

rather than explaining Eq.共4兲over GF共251兲 that Thien and

Lin3used, we explain Eq.共4兲over Galois field GF共2r_{兲. As} stated in Sec. 2.2, r is a positive integer and we will use GF共28_{兲 in our experiments.}

Before sharing each nonoverlapping t pixels of the

se-cret image using weighted sese-cret image sharing with共t,n兲

threshold scheme, the secret image is encrypted first. Next,

g₁w1共x兲,g 2

w_{2共x兲, ... ,g} n

w_{n共x兲 共5兲}

are computed using Eq.共4兲. Then, the wicoefficients of the

polynomial gi

wi共x兲 in order of decreasing power of x are

sequentially assigned to the corresponding shadow hi. After processing all pixels in the secret image, the n shadows 兵共h1, w1兲,共h2, w2兲, ... ,共hn, wn兲其 are generated. Because t pixels in secret image contribute wipixels to the generated

shadow hi, the size of which is wi/t of the secret image.

In the proposed共t,n兲 threshold weighted secret image–

sharing scheme, the two values index i and weight wiof the

generated shadow hi are needed for revealing the secret

image where 1艋i艋n. Like Thien and Lin’s method,3

the value i can be attached to the head of the shadow hi. As for the value wi, it can be either simply attached to the head of

the shadow hior calculated by the size of the shadow. Let

the size of the secret image be兩S兩 and the size of shadow be 兩hi兩. Then, the weight wican be calculated by the formula wi=

兩hi兩

兩S兩/t. 共6兲

3.2 Weighted Secret Image-Revealing Phase

If someone gets any m of the n shadows and the sum of the weights of the m shadows is greater than or equal to the threshold t, then the secret image can be recovered. Without

loss of generality, let these m shadows be

兵共h˜k₁, wk₁兲,共h˜k₂, wk 2

⬘兲, ¯ ,共h˜k_m, wk_m兲其, and 兺j=1 m

wk_j艌t. Then for each shadow h˜k_j, the first wk_j not-yet-used pixels are sequentially taken and then assigned to the coefficients of polynomial g˜_k

j

wk_{j共x兲 in order of decreasing power of x. After}

obtaining g˜_k j wk_{j共x兲, we have} g ˜_k j w_k j共x兲 = f˜共x兲mod共x − k_j兲wk_j, 共7兲

where j = 1 , 2 , . . . , m. Because the m divisors 共x−k1兲wk1,共x − k₂兲wk_{2, . . . ,}共x−k

m兲wkm in Eq. 共7兲 are pairwise relatively

prime, as stated in Ref. 9, f˜共x兲 can be solved using

ex-tended Lagrange interpolation as

f˜共x兲 =

兺

冢

兿

冣

冢

兿

冣

In addition, according to the Chinese remainder theorem for polynomials, f˜共x兲 is a unique polynomial with degree less than兺m_j=1wk_j. Because兺j=1

m

wk_j艌t, the polynomial f˜共x兲 is identical to the original polynomial f共x兲, where the de-gree of f共x兲 is less than t. In other words, the t coefficients

a0, a1, . . . , at−1in Eq.共4兲 can be obtained.

After sequentially processing all pixels of the m shad-ows, the encrypted secret image can be reconstructed. The encrypted secret image is then decrypted to obtain the se-cret image.

3.3 Fast-Weighted Secret Image–Sharing Algorithm

The computing time of Eq. 共5兲 is improved by using the

properties of GF共2r_{兲. The utilized property is that the} addi-tive inverse of an element over GF共2r_{兲 is the element itself.} In other words,

x = − x. 共9兲

By Eq.共9兲, the following equation is derived: 共x − u兲2_{=共x + u兲}2_{= x}2_{+ xu + xu + u}2

= x2+ xu − xu + u2= x2+ u2. 共10兲

Then, Eq.共10兲can be extended as

共x − u兲2q_{=共x + u兲}2q_=共x2_{+ u}2_兲2q−1_=共x4_{+ u}4_兲2q−2

= ¯ = x2q_{+ u}2q_{, 共11兲}

where q is a positive integer and u is an element in GF共2r_兲. Let 兺2_j=0q−1ajxj and 共x2

q−1

+ u2q−1兲 be two polynomials. Then 兺j=0

2q−1_a

jxj is divided by 共x2

q−1

+ u2q−1_{兲 over GF共2}r_{兲 to}

get the quotient a2q₋₁x2

q−1 −1_{+ a} 2q₋₂x2 q−1 −2_+¯+a 2q−1

and the remainder 共a₂q−1₋₁+ a₂q₋₁u2 q−1 兲x2q−1−1_+共a 2q−1₋₂ + a2q₋₂u2 q−1 兲x2q−1−2_+¯+共a 0+ a2q−1u2 q−1 兲. By Eq. 共11兲, we

have x2q−1_{+ u}2q−1_=共x+u兲2q−1_{. Therefore, 兺} j=0 2q−1_a jxj can be expressed as

兺

However, if one uses Eq.共12兲 for sharing directly, the

weight wiis restricted as a power of two共2q−1兲. In order to achieve a generalized version, a recursive algorithm is pro-posed below. Let iˆ←i, wˆi←wi, tˆ←2
log2t, and fˆ共x兲← f共x兲. Now, fˆ共x兲mod共x+iˆ兲wˆ_i

is solved using the following recur-sive algorithm A关fˆ共x兲,iˆ,wˆi, tˆ兴.

Algorithm 1 (Fast–weighted secret image–sharing al-gorithm A关fˆ共x兲,iˆ,wˆi, tˆ兴兲:

Input: A polynomial fˆ共x兲, three positive integers iˆ

共in-dex兲, wˆi共weight兲, and tˆ 关a value in 兵1, 2, 22, 23, . . .其, and tˆ is the number of polynomial coefficients for fˆ共x兲兴.

Output: The shadow values with index iˆ and weight wˆi 关the coefficients of fˆ共x兲mod共x+iˆ兲wˆ_i兴.

Step 1. According to Eq. 共12兲, rewrite fˆ共x兲 as fˆ共x兲

= Qˆ 共x兲共x+iˆ兲tˆ/2_{+ R}ˆ 共x兲, where Qˆ共x兲 and Rˆ共x兲 are, respectively, the quotient and the remainder on dividing fˆ共x兲 by 共x+iˆ兲tˆ/2_{= x}tˆ/2_{+ iˆ}tˆ/2 _{over GF共2}r_兲.

Case 1. If wˆi= tˆ/2, then fˆ共x兲mod共x+iˆ兲wˆi=关Qˆ共x兲共x+iˆ兲tˆ/2 + Rˆ 共x兲兴mod共x+iˆ兲wˆi₌关Qˆ共x兲共x+iˆ兲tˆ/2_{+ R}ˆ 共x兲兴mod共x+iˆ兲tˆ/2_{= R}ˆ 共x兲.

Therefore, return Rˆ 共x兲.

Case 2. If wˆi⬍tˆ/2, then fˆ共x兲mod共x+iˆ兲wˆi=关Qˆ共x兲共x+iˆ兲tˆ/2 + Rˆ 共x兲兴mod共x+iˆ兲wˆ_i

= Rˆ 共x兲mod共x+iˆ兲wˆ_i

. Then, Rˆ 共x兲mod共x

+ iˆ兲wˆ_{iis recursively computed by A关Rˆ共x兲,iˆ,wˆ}

i, tˆ/2兴. Finally, return Rˆ 共x兲mod共x+iˆ兲wˆi_.

Case 3. If wˆi⬎tˆ/2, then fˆ共x兲mod共x+iˆ兲w ˆ_i

=关Qˆ共x兲共x+iˆ兲tˆ/2 + Rˆ 共x兲兴mod共x+iˆ兲wˆ_i

=关Qˆ共x兲mod共x+iˆ兲wˆ_{i−tˆ/2兴共x+iˆ兲}tˆ/2_{+ Rˆ 共x兲.}

From Eq. 共11兲, because 共x+iˆ兲tˆ/2= xtˆ/2+ itˆ/2, fˆ共x兲mod共x+iˆ兲wˆi

=关Qˆ共x兲mod共x+iˆ兲wˆ_{i−tˆ/2兴共x+iˆ兲}tˆ/2_{+ R}ˆ 共x兲=关Qˆ共x兲mod共x+iˆ兲wˆ_i−tˆ/2兴 ⫻共xtˆ/2_{+ iˆ}tˆ/2_{兲+Rˆ共x兲. Then, Qˆ共x兲mod共x+iˆ兲}wˆ_i−tˆ/2

is recursively

computed by A关Qˆ共x兲,iˆ,wˆi− tˆ/2,tˆ/2兴. Finally, return

关Qˆ共x兲mod共x+iˆ兲wˆ_{i−tˆ/2兴共x}tˆ/2_{+ iˆ}tˆ/2_{兲+Rˆ共x兲.}

Notably, the above algorithm can be abbreviated as a recursive function. Let iˆ= i, wˆi= wi, tˆ= 2
log t and fˆ共x兲 =兺_i=ttˆ 0xi_{+ f共x兲. Then,}

A关fˆ共x兲,iˆ,wˆi,tˆ兴 = A关Qˆ共x兲共x + iˆ兲tˆ/2+ Rˆ 共x兲,iˆ,wˆi,tˆ兴 =

冦

Case 1: Rˆ 共x兲, if wˆi= tˆ/2,

Case 2: A共Rˆ共x兲,iˆ,wˆi,tˆ/2兲, if wˆi⬍ tˆ/2,

Case 3: A共Qˆ共x兲,iˆ,wˆi− tˆ/2,tˆ/2兲共xtˆ/2+ iˆtˆ/2兲 + Rˆ共x兲, if wˆi⬎ tˆ/2.

冧

given below.

3.4 Demonstration Example of Fast-Weighted Secret Image Sharing

3.4.1 Input of the demonstration

1. A polynomial f共x兲=2x5_{+ 5x}4_{+ 2x}3_{+ 6x}2_{+ 3x + 1 whose} coefficients are all in GF共23_{= 8兲 共i.e., all in the range} 兵0, 1, 2, 3, 4, 5, 6, 7其兲

2. A shadow index i = 1, a shadow weight wi= 5, and a

threshold t = 6

3.4.2 Demonstration purpose

Show how to compute the corresponding shadow value

g₁5共x兲= fˆ共x兲mod共x+iˆ兲wˆi₌共0x7_{+ 0x}6_{+ 2x}5_{+ 5x}4_{+ 2x}3_{+ 6x}2_{+ 3x}

+ 1兲mod共x+1兲5 _{where iˆ= i = 1, wˆ}

i= wi= 5, and fˆ共x兲=兺i=t tˆ

0xi

+ f共x兲=0x7_{+ 0x}6_{+ 2x}5_{+ 5x}4_{+ 2x}3_{+ 6x}2_{+ 3x + 1 is the}

whole-power-of-two version of f 共by adding the missing zero

co-efficients to f so that all tˆ= 2
log2t_{= 2}
log26_{= 8 coefficients} appear兲.

3.4.3 Demonstration detail

According to the recursive function of our sharing algo-rithm, we have A共fˆ共x兲,iˆ,wˆi,tˆ兲 = A共0x7+ 0x6+ 2x5+ 5x4+ 2x3+ 6x2+ 3x + 1,1,5,8兲 = A关共0x3_{+ 0x}2_{+ 2x + 5兲共x + 1兲}4_+共2x3_{+ 6x}2 + 1x + 4兲,1,5,8兴 关⬗ Eq. 共12兲兴 = A关0x3_{+ 0x}2_{+ 2x + 5,1,1,4兴共x}4_{+ 1}4_{兲 + 共2x}3 + 6x2+ 1x + 4兲 共⬗ wˆi= 5⬎ tˆ/2 = 4, ⬖ case 3兲 = A关共0x + 0兲共x + 1兲2_{+共2x + 5兲,1,1,4兴共x}4 + 14兲 + 共2x3+ 6x2+ 1x + 4兲 关⬗ Eq. 共12兲兴 = A共2x + 5,1,1,2兲共x4_{+ 1}4_{兲 + 共2x}3_{+ 6x}2_{+ 1x} + 4兲 共⬗ wˆi= 1⬍ tˆ/2 = 2, ⬖ case 2兲 = A关2共x + 1兲1_{+ 7,1,1,2兴共x}4_{+ 1}4_{兲 + 共2x}3_{+ 6x}2 + 1x + 4兲 关⬗ Eq. 共12兲兴 = 7共x4_{+ 1}4_{兲 + 共2x}3_{+ 6x}2_{+ 1x + 4兲} 共⬗ wˆi= 1 = tˆ/2 = 1, ⬖ case 1兲 = 7x4+ 2x3+ 6x2+ 1x + 3. Fig. 1 The 512⫻512 secret image Lena.

Therefore, g₁5共x兲=共2x5_{+ 5x}4_{+ 2x}3_{+ 6x}2_{+ 3x + 1兲mod共x+1兲}5 = A共0x7_{+ 0x}6_{+ 2x}5_{+ 5x}4_{+ 2x}3_{+ 6x}2_{+ 3x + 1 , 1 , 5 , 8兲=7x}4 + 2x3_{+ 6x}2_{+ 1x + 3.}

4 Experimental Results, Comparisons, and Security Analysis

Section 4.1 shows the experimental results. Section 4.2

compares our method to Thien and Lin’s method.3Section

4.3 is a discussion about the security of our method.

4.1 Experimental Results

The standard 512⫻512 gray-level image Lena is shown in Fig.1, which is used as the secret image in the experiments.

Figure2shows the encrypted image of Fig.1; the

encryp-tion uses exclusive-OR operaencryp-tion between a random se-quence and the gray values of the secret image. Then, the

proposed fast-weighted secret image sharing with共t=256,

n = 7兲 threshold scheme over GF共28兲 is used to share the

encrypted secret image共Fig.2兲, and n=7 shadows are thus

generated and shown in Figs. 3共a兲–3共g兲 with the shadow

weight 160, 64, 24, 8, 134, 12, and 3, respectively. Figure4

is the image revealed by Figs.3共a兲–3共d兲, and the revealed image is identical to Fig.1.

Figure 5 compares the execution time in the weighted

secret image–sharing phase using Thien and Lin’s共t=256,

n = wi兲 threshold scheme3 and our 共t=256, n=1兲 threshold scheme. The two schemes are both tested on an AMD

Ath-lon 3500⫹ computer with 3GB of RAM. Notably, the

ex-ecution time of our sharing algorithm is 7⫾3 ms for each

of these 255 sets of weights, whereas the execution time increases linearly as the weight value increases in Thien

and Lin’s direct and repeated application 共using multiple

shadows to simulate weighted feature兲.

4.2 Comparisons to Thien and Lin’s Scheme3

Some advantages of our method are presented in this

sec-tion共compared to Thien and Lin’s method3兲.

4.2.1 Time complexity

The time complexity of the weighted secret image sharing

using Thien and Lin’s scheme3and our scheme is analyzed

as follows. For Thien and Lin’s 共t,n兲 threshold scheme,

when sharing each nonoverlapping t pixels of the secret image among兺_i=1n wishadows, based on Shamir’s2seminal work, f共1兲, f共2兲, ... , f共兺i=1

n

wi兲 are computed by Eq. 共1兲.

Because there are t multiplications and共t−1兲 additions in

Eq. 共1兲, the time complexity of sharing secret image with

size兩S兩 among 兺_i=1n wishadows by Thien and Lin’s scheme is ␪共兺_i=1n wi兲⫻␪共t兲⫻␪共兩S兩/t兲=␪共兩S兩⫻兺i=1 n wi兲. Because 兺i=1 n wi⬍nt, we have␪共兩S兩兺i=1 p wi兲=O共兩S兩nt兲.

As for our scheme, when sharing each nonoverlapping t

pixels of the secret image among n shadows, f共x兲=a0

+ a₁x +¯+at−1xt−1 in Eq. 共4兲 is expanded to f共x兲=a0+ a1x +¯+at−1xt−1+ 0xt+¯+0x2

log2t

if the value of t is not power of 2. Then, g₁w1共x兲,g 2 w_{2共x兲, ... ,g} n w_{n共x兲 in Eq. 共5兲} are computed using our fast-weighted secret image-sharing al-gorithm. Suppose the time complexity of computing each Fig. 2 Encrypted image of Lena.

(a) (b) (c) (d) (e) (f) (g)

Fig. 3 Seven generated shadows with the shadow weight共a兲 160, 共b兲 64, 共c兲 24, 共d兲 8, 共e兲 134, 共f兲 12,

g_iwi共x兲 in Eq. 共5兲 _{is T}共tˆ兲, where i=1,2, ¯ ,n. Because the

concept of the recursive function is applied in our algo-rithm, and there are tˆ/2 multiplications and tˆ/2 additions in the step 1 of Algorithm 1, the recurrence relation T共tˆ兲 = T共tˆ/2兲+␪共tˆ兲 can be derived. The recurrence relation is

then solved by the substitution method to obtain T共tˆ兲

=␪共tˆ兲. Because tˆ←2
log2t_{, the value of tˆ is at most two} times of t. Therefore, we have T共tˆ兲=␪共tˆ兲=␪共t兲. Thus, the

time complexity of sharing secret image with size 兩S兩

among n shadows by our scheme is ␪共n兲⫻␪共t兲⫻␪共兩S兩/t兲

=␪共兩S兩n兲.

4.2.2 More general scheme for polynomial-based sharing

In our weighted sharing scheme, according to the Chinese remainder theorem for polynomials, the n polynomials x − 1, x − 2 , . . . , x − n in Eq. 共3兲 can be replaced by n other sharing polynomials, such as x2+ x + 1, x2+ x + 2 , . . . , x2+ x + n, as long as these n polynomials are pairwise relatively

prime共i.e., no pair of polynomials has a nontrivial common

factor兲. Notably, Thien and Lin’s method3is only a special

case of this generalized scheme 共i.e., the n shadows of

Thien and Lin’s are evaluated by f共i兲= f共x兲mod共x−i兲, for

i = 1 , 2 , . . . , n. In other words, only 兵x−1,x−2, ... ,x−n其

were used by Thien and Lin,3whereas we can use all

shar-ing polynomials that are pairwise relatively prime兲.

4.2.3 Better Performance when pixel values are⬎250

The computations in Thien and Lin’s sharing process are over GF共251兲. All the gray values 251–255 of the gray-level secret image have to be truncated to 250. Therefore, the recovered secret image is lossy. To recover the secret

image without any loss, Thien and Lin3introduce a

prepro-cessing to decompose the gray value of⬎250; for example,

253 is separated as a pair of pixels兵250 and 3其. This

pre-processing will waste time and slightly increase the size of their shadows. However, because we use GF共256兲 in our weighted sharing procedure, the secret image can be loss-less reconstructed without additional postprocessing.

4.2.4 Each participant keeps only one index and only one shadow (hence, more convenient and space savings)

If a company wants to apply Thien and Lin’s共t,n兲 scheme3

directly to achieve the goal of weighted participants, then the company can let some participants hold multiple shad-ows. To be more specific, because each shadow generated

by Thien and Lin’s scheme3 has weight 1, the participant

i共1艋i艋n兲 whose weight is wishould be assigned wi

shad-ows, and each of which will be attached with an index value for the secret-recovery meeting in the future. The wi indices for participant i will cause an inconvenience, and the wishadows共rather than a single shadow兲 also waste the storage space of participant i. Moreover, if there are three participants whose weights are, respectively, 128, 122, and 99, then, Thien and Lin’s method3will be in trouble. This is because the first participant will obtain 128 shadows with

the 128 indices values being 1, 2,…, 128; and the second

participant will obtain 122 shadows with the indices values being 129, 130,…, 250. As for the third participant, there is “no” shadow left for him because GF共251兲 restricts the

in-put index value be⬍251; therefore, the system cannot

gen-erate ⬎250 shadows. However, by using our method, the

first participant will obtain only a shadow with the index value 1 and the weight value 128; the second participant will obtain a shadow with the index value 2 and the weight value 122; and the third participant will obtain a shadow with the index value 1 and the weight value 99. Hence, besides giving convenience to each participant, the pro-posed method also keeps the storage space of each partici-pant much more economically.

4.3 Security Analysis

The security analysis is divided into two parts:共i兲 a group of shadows with total weights t − 1 cannot reveal the secret image, and共ii兲 shadows of different weights are not equally secure.

First, suppose that the m

⬘

兵共h˜k₁, wk₁兲,共h˜k₂, wk₂兲, ... ,共h˜k_m⬘, wk_m⬘兲其 and the sum of their weights is t − 1 共i.e., 兺_j=1m⬘wk_j= t − 1兲, then we analyze the probability of obtaining the secret image by guessing. Ac-Fig. 4 Image revealed from Figs.3共a兲–3共d兲. Fig. 5 Execution time in the weighted secret image-sharing using Thien and Lin’s共t=256, n=wi兲 threshold scheme3and our共t=256,

cording the Chinese remainder theorem for polynomials,

we can construct a unique polynomial f˜

⬘

de-gree is less than兺_j=1m⬘wk_j= t − 1 from these m

⬘

⬘

⬘

f˜共x兲 =␣

兿

共x − kj兲wkj+ f˜

⬘

where ␣ is a non-negative integer less than 28= 256

关be-cause GF共28_{兲 is used in our experiments兴. Because there are} 28_{= 256 possible values of␣, the possibility of guessing the} right solution f˜共x兲 is 1/256. For a 512⫻512 secret image, because there are 512⫻512/t polynomials, the possibility of obtaining the right secret image is 共1/256兲共512⫻512兲/t,

which is a form similar to the 共1/251兲共512⫻512兲/t given in

Thien and Lin’s paper3.

Second, we analyze the probability of obtaining the

se-cret image by using only one shadow. Given a shadow hw_i

of weight wi, then the polynomial gi

wi共x兲 can be obtained

using the shadow hw_i. Now, to use gi

w_{i共x兲 to reveal the f˜共x兲} in Eq.共7兲, we have f˜共x兲=Q

⬘

i

w_{i共x兲, where Q}

_⬘

t − wi. Therefore, there is 1/256t−wi chance to find out the polynomial Q

⬘

512⫻512/t polynomials for a given 512⫻512 secret

im-age; thus, the possibility of finding out the secret image is 共1/256t−wi兲共512⫻512兲/t₌共1/256兲512⫻512⫻关1−共wi/t兲兴_{. This shows}

that shadows of different weights are not equally secure, because the security of each shadow is weight dependent. To find out the secret image by guessing, the owner of a larger-weight shadow has more of a chance than the owner of a smaller weight has. This agrees with our daily-life

experience: a higher-ranking manager 共having heavier

weight兲 has more of a chance to uncover the company’s secret than a lower-ranking employee has.

5 Conclusions

In this paper, a fast-weighted secret image–sharing with 共t,n兲 threshold method is proposed. The method shares the secret image among the weighted participants, and the se-cret image can be losslessly recovered if the sum of the weights of the participants is greater than or equal to the threshold t. Besides, the execution time in the weighted secret image–sharing phase is improved by using the prop-erties of GF共2r_{兲. As shown in Fig.5, our execution time is}

better than that of Thien and Lin3when wi⬎1. The

execu-tives of a company can use our method to share the secret image.

Acknowledgments

This work is supported by National Science Council of Re-public of China, under Grant No NSC97-2221-E-009-120-MY3. The authors also thank the reviewers for valuable suggestions.

References

1. G. R. Blakley, “Safeguarding cryptographic keys,” Proc. of AFIPS

Natl. Comput. Conf. Vol. 48, pp. 313–317共1979兲.

2. A. Shamir, “How to share a secret,”Commun. ACM22共11兲, 612–613

共1979兲.

3. C. C. Thien and J. C. Lin, “Secret image sharing,”Comput. Graph.

26共5兲, 765–770 共2002兲.

4. H. K. Tso, “Sharing secret images using Blakley’s concept,”Opt. Eng.47共7兲, 077001 共2008兲.

5. S. K. Chen and J. C. Lin, “Fault-tolerant and progressive transmis-sion of images,”Pattern Recogn.38共12兲, 2466–2471 共2005兲.

6. R. Z. Wang and S. J. Shyu, “Scalable secret image sharing,”Signal Process. Image Commun.22共4兲, 363–373 共2007兲.

7. W. P. Fang, “Friendly progressive visual secret sharing,”Pattern Rec-ogn.41共4兲, 1410–1414 共2008兲.

8. S. Lin and D. J. Costello, Error Control Coding, 2nd ed., Pearson Education, Upper Saddle River, New Jersey共2004兲.

9. D. Bini and V. Y. Pan, Polynomial and Matrix Computations, Volume

1: Fundamental Algorithms, Birkhauser, Boston共1994兲.

Sian-Jheng Lin received his BS and MS in

computer science from National Chiao Tung University 共NCTU兲 in 2004 and 2006, re-spectively. His is currently a PhD candidate in the Computer Science Department of Na-tional Chiao Tung University. His current re-search interests include image processing and secret sharing.

Lee Shu-Teng Chen received his BS in

computer science from NCTU, Taiwan, in 1999, and MS in computer science and in-formation engineering from National Taiwan University, Taiwan, in 2001. He has been in the PhD program since 2004 and currently is a PhD candidate in the Department of Computer Science and Information Engi-neering at NCTU. His current research in-terests include data hiding and image shar-ing.

Ja-Chen Lin received his BS and MS from

NCTU, Taiwan. In 1988, he received his PhD in mathematics from Purdue Univer-sity, West Lafayette, Indiana. He joined the Department of Computer and Information Science at NCTU, in 1988, and became a professor there. His research interests in-clude pattern recognition and image pro-cessing. Lin is a member of the Phi-Tau-Phi Scholastic Honor Society.