Authentication and cross-recovery for multiple images

Authentication and cross-recovery for multiple images

Yu-Jie Chang Sian-Jheng Lin

Ja-Chen Lin

National Chiao Tung University Department of Computer Science

Hsinchu, 300, Taiwan E-mail: [email protected]

Abstract. We propose a system with image authentication and cross-recovery ability to protect a group of n given digital images. The system is a共r,n兲 threshold scheme (r is a prespecified thresh-old satisfying 2艋r⬍n). Any r of these images can reconstruct the whole group of n images, but less than r images cannot. Therefore, the system has cross-recovery ability because if some [up to共n-r兲] images in the group are destroyed or lost in a distributed storage scheme or transmission mission, the destroyed or lost can be rebuilt vividly by the mutual support of r survived members. The design is composed of compression, a two-layer sharing, cryptographic hash function, and information hiding. © 2008 SPIE and IS&T.

关DOI: 10.1117/1.2991410兴

1 Introduction

Due to the convenience of the Internet, transmission of multiple images via networks has become very popular. However, it is possible for the network connection to be unstable or under hacker attacks. A general remedy is to request the sender end to resend again, but then transmis-sion time has been wasted. Unless the sender immediately handles the request and the network is stable for awhile, the waiting time may seriously influence an important business decision when a cooperative company is eager to know what the new product images look like. Another situation is that in a distributed storage system of multiple images, if some images are lost by the hardware failure or the man-ager’s carelessness, a trivial way to recover them is using back-up copies identical to the lost images but stored else-where. Although the back-up copies can increase the reli-ability of a storage system, it also increases the cost of the system.

As a result, an interesting and important issue becomes how to protect the integrity of multiple images during a transmission or in a storage system. Image authentication is a technique that can verify an image’s integrity by inserting a digital watermark into the protected image, or storing its digital signature elsewhere. In recent years, several image authentication methods1–10 have been proposed. Most of them emphasize the detection of whether malicious ma-nipulations have occurred, and some have the position-locating ability for the tampered parts of the test image.

Some approaches7–10additionally possess the gorgeous ca-pability of automatic recovery for the tampered parts to a certain extent, after detection and locating work. However, these recovery approaches usually only target a single image rather than a group of images.

We review these approaches for recovery of a single image. Wu and Chang7proposed an elegant method based on the JPEG compression technique. They used an edge detection technique to identify the edges of the image be-fore JPEG compression, and then embedded the obtained edge characteristic into some ac coefficients of the fre-quency domain after JPEG compression. If the image was tampered with, then the embedded edge characteristic could be used to detect the tampered areas and cooperate the in-terpolation method to reconstruct it. Lin, Hsieh, and Huang8 proposed an attractive block-based watermarking scheme for image tampering detection, locating, and recov-ery. They used a parity check and a kind of comparison to generate the watermark of each block, and then added to the watermark the recovery information that recorded the six most significant bits共MSBs兲 of the mean value of an-other block. In their verification procedure, a four-layer hi-erarchical inspection system was used to increase the accu-racy of locating the tampered area. Yeh and Lee9proposed content-based fragile watermarking to recover tampered ar-eas of an image with JPEG-compressed quality. They cat-egorized each block as smooth, mid-textured, or textured type, and the recovery data of the smooth and mid-textured blocks were replicated to raise the recovery ability. The relationship between a block and its backup block was by an automorphism. Chan and Chang10 also proposed an ef-ficient method consisting of three techniques: Hamming code, Torus automorphism, and bit rotation. The Hamming code was to generate parity check data as the authentication information and recover burst bit errors that happen during transmission of the digital image. Torus automorphism spread the authentication information around the image. Bit rotation was used to improve the security of the authenti-cation information.

Our goal is to design an image authentication scheme that deals with a group of n images simultaneously instead of a single image, and the recovery of any member image in this group can be done through the mutual support of r Paper 08019R received Feb. 1, 2008; revised manuscript received Aug. 5,

2008; accepted for publication Aug. 7, 2008; published online Oct. 14, 2008.

of the n-1 remaining member images, as long as these r images pass the authentication tests. The method uses some sharing techniques.11

The rest of the work is organized as follows. Section 2 briefly reviews image sharing. The encoding and decoding 共the latter includes verification and recovery兲 of the pro-posed method are described in Secs. 3 and 4, respectively. Experimental results are in Sec. 5. The comparison is in Sec. 6, and the summary is in Sec. 7.

2 Review of Sharing

In this section, related works about sharing are briefly re-viewed to provide some necessary background for the pro-posed method. The concept of secret sharing was intro-duced independently by Shamir12 and Blakley13 in 1979. Their 共r,n兲 threshold scheme divides a secret numerical value into n shares, and any r of these shares can recon-struct the secret numerical value, but less than r shares cannot 共r艋n is a prespecified threshold. Notably, r=n is allowed in their papers, because they might require that the unveiling of the secret is impossible unless all r = n shares arrive. However, we do not use r = n here. The reason we require r⬍n is because of our goal: “When some images 共at least one image兲 in a group of n images are destroyed or lost, they can be rebuilt vividly by the mutual support of the

r survived members.” Several secret sharing methods based

on the共r,n兲 threshold scheme have been proposed.11,14–21 Among them, Chang and Huang12applied the vector quan-tization technique22 to encode the secret image, then the generated codebook is shared among the n participants by applying the共r,n兲 threshold scheme. Thien and Lin11 pro-posed an共r,n兲 scheme for sharing images. In their scheme, a secret image was shared among n participants, and each participant held a generated shadow image whose size was only 1/r of that of the secret image. The secret image could be reconstructed if at least r of the n shadow images were received. The smaller size of their shadow images共r times smaller than the shadow images generated by ordinary sharing methods兲 is an advantage in transmission and stor-age. They further developed a method15 that made the shadow images looked like portraits of the original secret image, and thus provided a user-friendly interface to facili-tate the management of the shadow images.

As for other variations, Lin and Tsai16 integrated the 共r,n兲 threshold scheme with a fragile watermarking tech-nique to make their shares have authentication capability to verify the shares’ integrity before reconstructing the secret image. Chen and Lin17 applied a secret image sharing scheme11to transmit an image in a progressive way. Wang and Shyu18 also proposed a scalable secret image sharing scheme with three sharing modes: 1. multisecrets, 2. prior-ity, and 3. progressive, according to the spatial and depth information to increase the potential application for secret image sharing. Extensions of Shamir’s masterpiece12 com-bined with visual cryptography23 can be found in Ref.19. Even the visual cryptograph23 itself has many extensions. For example, Wu and Chang24 skillfully employed circular shape of shares to improve the amount of the embedded message in traditional visual cryptography,23 which uses rectangular shapes, without sacrificing the clarity quality of the stacking result.

Besides the aforementioned spatial-domain methods, Lin and Tsai20 proposed a frequency domain method to transform the secret image into the frequency domain, and then utilized a sequence of random numbers to record the lower frequency coefficients共the ac values兲, except the dc value. The dc value of each block is regarded as the secret key and is shared among the n participants by applying the 共r,n兲 threshold scheme.

Because we utilize the sharing polynomials of Thien and Lin’s method11in our two-layer sharing, below we review Ref.11particularly. In Ref.11, a secret image O containing

m pixels is shared by n participants based on Shamir’s

polynomial 共r,n兲-threshold scheme12 with a module base

p = 251. The image O is first transformed into a noisy image Q by permuting pixels according to a secret key. Then, Q is

further divided into m/r nonoverlapping sectors so that each sector contains r pixels. Let q共x兲 be the x’th shadow image and qj共x兲 be the j’th pixel in q共x兲, where 1艋x艋n and 1艋 j艋m/r. For each sector j, the r coefficients

a₀, a₁, . . . , a_r−1of the corresponding polynomial

qj共x兲 = a₀+ a₁⫻ x + ¯ + ar−1⫻ xr−1_{共mod p兲, 共1兲} are used as the gray values of the r pixels of the corre-sponding sector j in Q. The x’th shadow image q共x兲 is the collection 兵qj共x兲兩 j=1,2, ... ,m/r其. Any r of the n shadow images can be utilized to reconstruct Q. For inverse finding of the r coefficients, a0, a1, . . . , ar−1in Eq.共1兲only needs r of the n values 兵qj共1兲,qj共2兲, ... ,qj共n兲其. The detail is omitted.

Notably, Thien and Lin’s method11used p = 251, but we use p = 256 here for 8-bit grayscale images that have a brightness range of 0 to 255. Since 256 is not a prime number, all arithmetic calculations in Ref.11are now done in the sense of Galois field GF共256兲. The change from 251 to 256 is more convenient for sharing digital data such as pixel value, binary bit stream, and index value of vector quantization.

3 Proposed Method„Encoding…

Figure1共a兲shows the flowchart of the encoding procedure, while Fig.1共b兲is for the decoding共verification and recov-ery兲 procedure. In Sec. 3, we explain Fig. 1共a兲 only. As-sume that there are n grayscale共8-bit兲 images in the pro-tected group. Our goal is that after watermarking these n images, if at least r 共out of the n兲 watermarked images survive共must pass the authentication test兲 in a transmission or disk crash, where r is a prespecified threshold and 2 艋r⬍n, all nonsurvived images can be recovered to a cer-tain extent. On the other hand, if less than r watermarked images passes the authentication test, then the recovery work for the remaining images fails. In conclusion, our method can tolerate the loss or modification of up to共n-r兲 watermarked images.

The encoding procedure consists of three parts. First, create the rough image by setting all t least significant bits 共LSBs兲 of each pixel of the original image to zero. To re-duce the amount of recovery data, encode each of the n rough images respectively by the JPEG2000 compression technique to generate n bit streams. These n bit streams are treated as the recovery data. Then, share these n bit streams

by means of a two-layer sharing method to generate n shad-ows. Use a module method, modified from the simple LSB substitution method, to embed these n shadows in the n original images of the group, respectively, to form n stego-images. Finally, generate the authentication data共a 128-bits watermark兲 for each stego-image by using a cryptographic hash function, in which the input includes the local and interrelated information of the stego-image. The authenti-cation data are embedded into a certain space of the stego-image to form the watermarked stego-image. The watermarked images are the final results, which not only look like the original images but also contain the authentication and cross-recovery data needed to protect the transmission and storage of the group. Details of the encoding are described in the following three sections accordingly.

3.1 Generation of the Recovery Data

In the proposed method, the recovery data of each image is generated first. As a remark, all the bit values of the t LSBs at each pixel of the original image will be completely de-stroyed 共erased兲 to hide the recovery and authentication data. Therefore, after the hiding procedure, only the re-maining 共8-t兲 most significant bits 共MSBs兲 of the original image are directly related to the local gray values. Hence, the rough image, which is a 2共8-t兲-level image formed of the 共8-t兲 MSB bit-planes, of each original image is the input data for generating the corresponding recovery data.

Furthermore, a small skill used in our scheme is that the rough image is obtained by using the modulus operation rather than directly setting all t LSBs of each pixel of the original image to zero.共The modulus-based zeroing scheme here is inspired by Thien and Lin’s modulus-based hiding method.25Reference25has proven that when doing hiding, the gray value distortion of the simple LSB substitution method is never smaller than that caused by modulus-based hiding.兲

Our modulus-based zeroing scheme is as follows. To set

t LSBs of a pixel value y共0艋y艋255兲 of an 8-bit grayscale

image to zero, the new value yˆ of our rough image can be expressed as

yˆ = 2t⫻ rounding

冉

y

2t

冊

, 共2兲

where the rounding共·兲 operator means rounding its content to the nearest integer. This rounding operator is better than the truncation operator, which directly truncates the nonin-teger part; and the latter is exactly the one used in a simple LSB method. Of course, we need to check whether or not the yˆ falls in the valid gray-value range 0艋yˆ艋255. If it is out of the range, then yˆ should be corrected further as

yˆ =

再

yˆ + 2

t

if yˆ⬍ 0

yˆ − 2t if yˆ⬎ 255

冎

. 共3兲

Now, the rough image is an image whose gray values are yˆ, of which 2t_{is a factor, rather than the old pixel values y of} the original image.

For example, assume that a rough image of zeroing 2-LSB共i.e., t=2兲 is desired, and the gray value y of a pixel in the original image is 107=共01101011兲2. Instead of using 104=共011010គ00兲2, which is the result of directly erasing the 2 LSBs by zeros, we use the modulus-based zeroing formula in Eq.共2兲, i.e., the value of the corresponding pixel in our rough image is 22_{⫻rounding共107/2}2_兲=108 =共011011គ00兲₂. Obviously, the distortion 共108−107=1兲 of using Eq.共2兲is smaller than the distortion共107−104=3兲 of using direct truncation. Before going further, we remark here on the influence of the value of t. The bigger the parameter value of t, the larger the hiding capacity of each image共to embed the recovery and authentication data into the space provided by t bit planes兲 and, hence, the better the quality of the recovered image. However, the quality of the watermarked image will become worse as the value of t increases, for the final t bits have been changed at each pixel. So, there is a tradeoff.

Fig. 1 Two flowcharts:共a兲 is the encoding procedure and 共b兲 is the authentication and recovery procedure.

Next we discuss the design of the recovery data. In gen-eral, the data amount of a digital image is large, so it is difficult to embed all information of a protected image in quite a limited hiding space. For this reason, we first use a compression technique to reduce the data amount, so that it is easier to perform the embedding procedure later. JPEG is a very common image compression standard on the Inter-net. In contrast to JPEG, JPEG2000 is a new international standard for image compression that is advantageous over JPEG in terms of compression ratio, freedom of compres-sion mode selection, and adaptation to different kinds of images. Therefore, JPEG2000 is employed as the image compression technique in our method to generate the recov-ery data. As shown in Fig.1共a兲, after modulus-base zeroing,

n rough images of the group are compressed by the

JPEG2000 compression encoder, and the compression re-sult of each rough image is a bit stream. The n bit streams are the input of the first-layer sharing introduced in Sec. 3.2. As a rule, the bit stream of each rough image is treated as the recovery data for that image, i.e., the decompressed image obtained from the corresponding bit stream will be used as the recovered image to replace a watermarked im-age, should the watermarked image be tampered with or lost.

3.2 Two-Layer Sharing

After generating the recovery data, the next thing to do is to share it. We design next a two-layer sharing scheme to share the information needed in recovery.

3.2.1 First-layer sharing

As shown in Fig.1共a兲, the recovery data共the n compressed bit streams of the rough images兲 are shared in the first-layer sharing process to generate the共n-r兲 temporary shares. The process is explained next.

Assume that each bit stream has m bits. Divide each stream into m/8 nonoverlapping cells so that each cell con-tains 8 bits. Then, each cell is converted from base 2 to base 10共a decimal number ranges between 0 and 255兲; in other words, each cell value is a decimal value in the range of commonly seen gray values.

For each cell j, where 1艋 j艋m/8, let 兵A1, A2, . . . , An其 be, respectively, the n decimal values of the j’th cell in the

n bit streams. Then, let the first-layer sharing polynomial

共for the j’th cell兲 be

pj共x兲 = 关A1⫻ 共c1兲x+ A2⫻ 共c2兲x+ ¯ + An⫻ 共cn兲x兴 共4兲 共mod 256兲,

where the arbitrarily chosen positive integer constants 兵c1, c2, . . . , cn其 satisfy ci⫽ck, for all i⫽k. For example, let

c1= 1, c2= 2 , . . . , cn= n.

For each integer x僆兵1,2, ¯ ,共n−r兲其, let

p共x兲 = 关p1共x兲,p2共x兲, ... ,pm/8共x兲兴 共5兲 denote the x’th temporary share, in which each pj共x兲 is just the j’th cell value of p共x兲. Since each cell value pj共x兲 is still an 8-bit value by Eq.共4兲, each temporary share p共x兲 can be treated as an image; and it has 8⫻共m/8兲=m bits, just like the length of each bit stream.

After first-layer sharing, there are 共n-r兲 temporary shares. Because the tampered or lost parts of some bit streams can be reconstructed by the cooperation between the 共n-r兲 temporary shares and the r survived bit streams 共the details are illustrated in Sec. 4.2兲, the 共n-r兲 temporary shares are the key data for the recovery purpose. To ensure the survival of these共n-r兲 temporary shares, they are shared again among the n images.

Notably, the original recovery data 共n bit streams兲, which keeps the main information about the n original im-ages, are condensed to the 共n-r兲 temporary shares by the first-layer sharing. In other words, the first-layer sharing not only contributes to the recovery work, but also decreases further the total amount of the recovery data, for there are 共n-r兲 temporary shares of m bits each, which are more eco-nomic共in total size兲 than the n bit strings of m bits each. 3.2.2 Second-layer sharing

In second-layer sharing, we use Thien and Lin’s 共r,n兲 threshold sharing method11 to create n shadows, which share the 共n-r兲 temporary shares just generated from the first layer. The detail is as follows. For each temporary share p共x兲=关p1共x兲,p2共x兲, ... ,pm/8共x兲兴, divide it into sectors of r pixels each. 关Recall from Eq. 共4兲 that each element

pj共x兲 has 8 bits and, hence, can be treated as a pixel.兴 Then,

for each sector, use its r pixels as r coefficients in Eq.共1兲, and then plug in n prespecified integer values for the vari-able x. This creates n transformed values for a sector. After doing this for all sectors of a temporary share i, and col-lecting the transformed values for each x, the temporary share i is transformed to n shadows. As i runs from 1 through 共n-r兲, each temporary share gets its own n shad-ows. Then, the first shadows of all共n-r兲 temporary shares are concatenated, and the result is still called shadow 1. Similarly, second shadows of all共n-r兲 temporary shares are concatenated, and the result is still called shadow 2. As the process goes on, the concatenation sequentially yields shad-ows 1, 2 , . . . , n.

As shown in Fig. 1共a兲, after the aforementioned two-layer sharing phase, the recovery data of the n original images in the group are condensed to n shadows. To have the ability to later recover any polluted image by using the remaining images of the group, we may “hide”共see Refs. 26–30 for examples of hiding techniques兲 the n obtained shadows, respectively, into the n rough images of the pro-tected group. Recall that the t least significant bits of each rough image have been zeros, so we may use these t least significant bits to embed shadow 共embed one shadow in one rough image兲. This hiding technique is the famous

t-LSB substitution method. Now, n stego-images are thus

generated, which still look like their original images. The reason we use t-LSB substitution for hiding is because it is simple, fast, and with great hiding capacity without down-grading too much the quality of the stego-images. Notably, in the hiding step here, we use t-LSB substitution rather than the modulus-based substitution,25 because we do not want to change the共8-t兲 MSBs of the rough images when creating stego-images. This ensures the共8-t兲 MSBs are the same between each rough image and its stego-image. Therefore, in later days, when a lost or tampered

stego-image is to be recovered, we can grab the rough stego-images obtained from the 共8-t兲 MSBs of nontampered stego-images, then do JPG2000 compression, and thus obtain recovery data关see Figs.1共a兲and1共b兲兴.

3.3 Generation of the Authentication Data

After the hiding procedure, the n original images of the protected group are transformed to the n stego-images. Later, to determine whether a stego-image of the protected group is tampered or not, people can use image authentica-tion to verify the integrity of each stego-image. Next we describe the details of the generation of our authentication code共the watermark兲.

As the final work for the encoding procedure, the water-mark to verify the stego-image’s integrity is generated, and it is then embedded in stego-images to obtain the water-marked image. In our method, we use a cryptographic hash function to generate the watermark of each stego-image. It consists of some important information of the stego-image, including width, length, the image’s identification number, and the pixel values of the stego-image. Consider a crypto-graphic hash function

H共S兲 = 共b1,b2, . . . ,bu兲, 共6兲

where S is an input bit string of arbitrary length, biis the output binary bits of the hash function for 1艋i艋u, and u is the length of the output bit string. Wong and Memon6 sug-gest that a cryptographic hash function should have the property that once an input bit string S and its correspond-ing output共b₁, b₂, . . . , bu兲 are given, then it is almost com-putationally infeasible to find another input bit string that will be hashed to the same output共b1, b2, . . . , bu兲. Notably, MD531 is a famous collision-resistant one-way hash func-tion, in which any input bit string is hashed into a bit stream of 128 bits, i.e., u = 128. In our method, MD5 is employed as the hash function. Of course, using other cryp-tographic hash functions to replace MD5 is also allowable. Let ID be the image’s identification number of the origi-nal image in the protected group. Now, for each stego-image whose size is h⫻w, the authentication data can be computed as

H共ID储h储w储p1储p2储 ¯ 储ph⫻w−128储pˆh⫻w−127储 ¯ 储pˆh⫻w兲

=共b1,b2, . . . ,bu兲, 共7兲

where the symbol 储 is the concatenation of all input streams, and p₁, p₂, . . . , ph⫻w−128 are the stego-image pix-els’ gray values according to the raster-scan order of the stego-image, which is from left to right and top to bottom. Because the least-significant bit of the final 128 pixels

pˆh_⫻w−127, pˆh_⫻w−126,¯ , pˆh_⫻w of each stego-image are par-ticularly reserved for embedding its 128-bits authentication data, their pixel values pˆh_⫻w−127, pˆh_⫻w−126,¯ , pˆh⫻w are computed just using the 8 − 1 = 7 most significant bits 共MSBs兲 only. Finally, the generated 128-bits watermark is embedded in the LSB of the final 128 pixels of the corre-sponding stego-image to form the watermarked image. These watermarked images are used in transmission or storage.

The version in the previous paragraph, which sequen-tially hides the 128-bits authentication data共watermark兲 in

the LSB of the last 128 pixels of a stego-image, is just the simplest version. For security concerns, we can use a pseu-dorandom number generator to randomize the embedding locations of the watermark in the stego-image. More spe-cifically, assume that the pixels of the stego-image are num-bered sequentially from 0 to L − 1 according to the raster scan order, which is from left to right and top to bottom. In other words, L is the total number of the pixels in the stego-image 共i.e., L is 262, 144 for a 512⫻512 image兲. By a pseudorandom number generator, we can generate a se-quence of random integer numbers. Then, we can embed the watermark into the stego-image according to the gener-ated sequence one by one. For example, if the genergener-ated sequence is兵214,257, 133,785, 34,480, 9284,…其, the first bit of the watermark is embedded into the LSB of the pixel number 214,257 in the stego-image, and the second bit is embedded into the LSB of the pixel number 214,257, and so on. Therefore, the pseudorandom sequence is used to increase the difficulty in getting the watermark for an un-authorized user. In our method, the Mersenne Twister共MT兲 pseudorandom number generator32 is employed as the per-mutation function of the watermark, and its seed can be regarded as a secret key. In the image-disclosure site, only the authorized person who owns the same secret key can obtain the same sequence of pseudorandom integer num-bers to extract the watermark in the verification phase. 4 Proposed Method_{„Decoding…}

This section introduces the decoding procedure. Figure1共b兲 shows the flowchart for decoding. The detail subprocedures for verifying and recovering n query images are as follows. 4.1 Verification

When a user receives some of the n query images from the protected group, the first thing to do is to verify the integ-rity of each query image. This is because the pervasive and powerful image manipulation tools now have made the im-perceptible modification of images become very easy, and a user usually cannot determine whether the query image is tampered with or not by using the naked eye. According to the final paragraph of Sec. 3.3, a legal user can have the secret key, which is the seed of the MT pseudorandom number generator,32 to obtain the embedding locations of the hidden watermark.

For each query image, its extracted watermark should be the same as the authentication data recomputed directly ac-cording to the hash function described in the paragraph containing Eq. 共7兲. If the extracted watermark coincides with the recomputed watermark, then the query image is called an authentic image; otherwise, it is regarded as a tampered image. An authentic image means that it is ex-tremely likely that no tampering occurs in this image, and the recovery data embedded in this image are therefore considered trustworthy in joining the reconstruction team to recover some tampered images. Note that if an image fails to pass the authentication test, then the recovery informa-tion stored in it should never be used.

4.2 Cross-Recovery of Tampered Images Through the Cooperation of Authentic Images

After checking the authentication status of all the query images, the recovery phase starts if there is at least one

tampered or lost image; and simultaneously, there exist at least r authentic images. To recover a tampered or lost im-age, we may collect its recovery data from any r authentic images. The recovery data were embedded earlier in the encoding phase in the t LSBs of all n images共one shadow per image, as stated in Sec. 3.2兲. When at least r 共out of the

n兲 images are authentic, we can extract r shadows from the t LSBs of the r authentic images. Then, by doing the

in-verse of the second-layer sharing, we can use these r shad-ows to extract back the共n-r兲 temporary shares, which are the result of the first-layer sharing. 共The detail steps of inverse sharing are similar to those in Sec. 3.2 of Ref.11.兲 Meanwhile, the r authentic stego-images can replace all their t LSBs by zeros to obtain r rough images. Then use JPEG2000 compression 共as described in Sec. 3.1 and Fig. 1兲 to obtain r bit streams. Because the r authentic stego-images are verified to have not been tampered with, the r rough images obtained now in the decoding phase, and hence the r bit streams obtained now are identical to those obtained in the encoding phase.

Then, the r bit streams are combined with the共n-r兲 tem-porary shares obtained from the aforementioned second-layer inverse sharing, to rebuild other共n-r兲 bit streams by solving n coefficients共A1, A2, . . . , An兲 of Eq.共4兲.

Notably, these共n-r兲 bit streams are the compression re-sult corresponding to those共n-r兲 tampered or lost images, so we may decompress these共n-r兲 bit streams to recover the共n-r兲 tampered or lost images in lower resolution.

In Lemma, we prove that the共n-r兲 bit streams could be recovered successfully through the cooperation of the r共out of the n兲 bit streams and the 共n-r兲 temporary shares.

Lemma. If any r共out of the n兲 bit streams and 共n-r兲

tem-porary shares are obtained, then the absent共n-r兲 bit streams can be recovered successfully.

Proof. In first-layer sharing, the 共n-r兲 temporary shares p共1兲,p共2兲, ... ,p共n−r兲 are generated by Eq. 共4兲. For each cell j, the following shows the relation between the coeffi-cients兵A1, . . . , An其 of the n bit streams and temporary share values 兵pj共x兲:x=1,2, ... ,共n-r兲其. For convenience, we dropped the subscript j in this proof.

冤

c₁1 c₂1 c₃1 ¯ cn1 c₁2 c₂2 c₃2 ¯ cn 2 ] ] ] ¯ ] c₁n−r c₂n−r c₃n−r ¯ cnn−r

冥

·

冤

A₁ A2 ] An

冥

=

冤

p共1兲 p共2兲 ] p共n − r兲

冥

. 共8兲

Without the loss of generality, assume that the obtained r 共out of the n兲 bit streams are A1, A2, . . . , Ar, and the tam-pered or lost共n-r兲 bit streams that need to be reconstructed are Ar+1, Ar+2, . . . , An. Then, Eq.共8兲 can be rewritten as

冤

c₁1 c₂1 ¯ cr 1 c₁2 c₂2 ¯ c₂2 ] ] ¯ ] c₁n−r c₂n−r ¯ crn−r

冥

·

冤

A1 A2 ] Ar

冥

+

冤

c_r+11 c_r+11 ¯ cn 1 c_r+12 c_r+22 ¯ cn2 ] ] ¯ ] c_r+1n−r c_r+2n−r ¯ cnn−r

冥

·

冤

Ar+1 Ar+2 ] An

冥

=

冤

p共1兲 p共1兲 ] p共n − r兲

冥

. 共9兲 Equation共9兲can be expressed as the abbreviation

Ck· A៝k+ Cu· A៝u= P៝ . 共10兲

Equation共10兲therefore becomes

Cu· A៝u= P៝ − Ck· A៝k. 共11兲

From Eq.共9兲, because ci⫽ck⫽0, if i⫽k, we can see that

Cu T =

冤

c_r+11 c_r+12 ¯ cr+1n−r c_r+21 c_r+22 ¯ cr+2n−r ] ] ¯ ] cn 1 cn 2 _{¯ cn}n−r

冥

,

and obviously, it is a Vander Monde matrix. Note that for any Vander Monde matrix

V =

冤

1 e1 e12 ¯ e1h−1 1 e₂ e₂2 ¯ e2 h−1 ] ] ] ¯ ] 1 eh eh 2 ¯ ehh−1

冥

, 共12兲

the determinant will be det共V兲 =

兿

l⬍m

共em− el兲, 共13兲

and hence nonzero as long as all ei are distinct. Because matrix Cu

T

is the form of the Vander Monde matrix, det共CuT兲 is nonzero, that is, det共Cu兲 is nonzero. It means that Cuhas the inverse matrix C_u−1. Therefore, Eq.共11兲can be rewritten as

A៝u= Cu

−1_{共P៝ − Ck}

· A៝k兲. 共14兲

Because the r共out of the n兲 bit streams A៝k=共A1, . . . , Ar兲 are

known, and the 共n-r兲 temporary shares P៝

=兵p共1兲, ... . ,p共n-r兲其 are also known, 共P៝−Ck· A៝k兲 can be calculated. By the inverse operation of matrix Cu, the ab-sent 共n-r兲 bit streams A៝u=共Ar+1, . . . , An兲 can be recovered easily by the multiplication operation between C_u−1and共P៝ − Ck· A៝k兲.

5 Experimental Results and Robustness-Related Issues

5.1 Experimental Results

Experimental results are presented to demonstrate the per-formance and feasibility of the proposed method. A group of 512⫻512 standard 8-bit gray-scaled images 共Baboon, Lena, Jet, Scene兲 shown in Fig.2 are used as the test im-ages in the experiments.

In the experiments, we used a 共r=2, n=4兲 threshold scheme in the two-layer sharing procedure to share the re-covery data, i.e., the group of four images could survive even if共n-r=4−2兲 of the watermarked images was lost or tampered. The parameter setting for the t-LSBs is t = 2, i.e., the watermark is embedded into the 2 LSBs of the images’ pixels. Figure 3 shows the watermarked images of Fig. 2 using the proposed method described in Sec. 3. The quali-ties of all watermarked images and recovered images are measured by the peak signal-to-noise ratio共PSNR兲 defined as

PSNR = 10⫻ log10 2552

MSE, 共15兲

in which the MSE denotes the mean square error between the pixel values of the original and watermarked/recovered images. From Fig. 3, we can see that the qualities of the watermarked images are acceptable 共their PSNR values range between 44.14 and 44.17 dB兲. It is visually indistin-guishable between Figs. 2 and 3 using the naked eye. In other words, our watermarked images have the transpar-ency property for the hidden data, i.e., the recovery data and watermark are perceptually invisible. To inspect our scheme’s recovery ability, some of the watermarked images shown in Fig.3 are lost or tampered with in the following experiments.

5.1.1 Case 1: one watermarked image is lost

When the watermarked image “Lena”关Fig.3共b兲兴 is lost due to transmission error or hardware storage failure, the re-maining images are Baboon, Jet, and Scene, as shown in Figs.4共a兲–4共c兲. After the verification procedure described Fig. 2 A group of test images:共a兲 Baboon, 共b兲 Lena, 共c兲 Jet, and 共d兲

Scene.

Fig. 3 The watermarked image of Fig. 2: 共a兲 Baboon 共PSNR = 44.17 dB_{兲, 共b兲 Lena 共PSNR=44.14 dB兲, 共c兲 Jet 共PSNR} = 44.16 dB_{兲, and 共d兲 Scene 共PSNR=44.15 dB兲.}

Fig. 4 The experiment result when the watermarked image Lena is lost.共a兲, 共b兲, and 共c兲 are the survived 44.1 dB images that passed the authentication test, and _{共d兲 is the recovered image Lena’} 共PSNR=41.57 dB兲 saved from using 共a兲, 共b兲, and 共c兲.

in Sec. 4.1, these three images are authentic, and thus par-ticipate in the recovery team to save the lost member Lena. Using the support from the three authentic images Baboon, Jet, and Scene, we recover the Lena

_⬘

shown in Fig.4共d兲, whose PSNR value is 41.57 dB.

5.1.2 Case 2: two watermarked images are tampered with

In the experiment, we consider the situation when 共any兲 two of the four watermarked images shown in Fig. 3 are tampered with by manipulations or processing such as ro-tation, filtering, cropping, noise addition, resizing, and re-placement 共see Fig. 5兲. Because the authentication code was generated by a hash function using the pixel values of the stego-image, the image’s width and length, and the im-age’s identification number as the input information 共see Sec. 3.3兲, any manipulation of pixel values, image size, or image ID would cause the input image to fail our verifica-tion test. So, these images shown in Figs. 5共a兲–5共f兲 are judged as tampered images by the authentication test.

Therefore, the recovery phase begins, and the two tampered members of the protected group are successfully recon-structed using the remaining two authentic images共all im-ages in Fig.3can pass the authentic test, so any two from Fig.3can achieve this兲.

One such example is shown in Fig. 6, in which Figs. 3共c兲and3共d兲are tampered with and become Figs.6共c兲and 6共d兲. Their recovery versions become Jet’ and Scene’ in Figs.6共e兲and 6共f兲. As for the other examples of 共r=2, n = 4兲, each time two of the four images in Fig.3are replaced by two of the six images shown in Fig.5. The two images identical to the images shown in Fig.3can pass the authen-tication test and thus need no recovery. Moreover, after passing the test, they will back-up the recovery of the two images missing from Fig.3. No matter which two are tam-pered or missing from Fig. 3, the recovered versions are always identical to two of the four images shown in Fig.7. Fig. 5 Some alternations of Fig.3:共a兲 the watermarked image

Ba-boon is rotated through 90 deg;_{共b兲 the watermarked image Lena} filtered by a low-pass filter; 共c兲 the watermarked image Jet is cropped;共d兲 noise is uniformly added to the watermarked image Scene;共e兲 the watermarked image Jet is shrunk to a quarter of its size; and共f兲 the watermarked image Scene is completely replaced by another image Boat.

Fig. 6 An experiment when two images are tampered with.共a兲 and 共b兲 are the watermarked images 关Figs.3共a兲and3共b兲兴 that pass the

authentication test;共c兲 and 共d兲 fail the test, where 共c兲 is the cropped watermarked image Jet, and共d兲 is when the watermarked image Scene is completely replaced by another image Boat. Finally, using 共a兲 and 共b兲, the two recovered images are the image Jet’ 共PSNR = 42.54 dB_{兲 shown in 共e兲, and the image Scene’ 共PSNR} = 38.32 dB_{兲 shown in 共f兲.}

5.2 Robustness-Related Issues

Now we discuss the robustness of the watermarked images. There are two parts of information carried in each water-marked image: 1. watermark共i.e., the authentication code兲, and 2. recovery data. Their robustness are discussed respec-tively next.

1. The authentication code is powerful enough so that if a received image R is not exactly共100%兲 a product of our method共a watermarked image of ours兲, then the received image R is rejected immediately, no matter if the difference between R and our product is small or big, and also no matter if the difference is due to noise addition, filtering, resizing, rotation, cropping, replacement, hacker attack, etc. This is shown in the experiment共related to Figs.6and7兲. The reason we require the authentication code to be so sensitive is that we want to make sure the recovery data that we grab from the received image R is 100% exact, avoiding confusion in the later step of helping the recovery of other broken images 兵R2, R3, . . .其. 共For example, if the recovery of R2from r = 3 images兵A,B,C其 are distinct from 兵A,B,R其, or 兵B,C,R其, or 兵A,C,R其, then there are some other troubles to judge which recovery of R2 is to be believed.

2. As a result of this, after the authentication test, if a received image R cannot pass the authentication test, then we discard all information hidden in or carried by image R, because we do not think this information is trustworthy. Therefore, in some sense, we might say that the recovery data are not robust against any change of the watermarked image.

3. The discussions in 1. and 2. are from logic sense. As for the technique sense, notably, the recovery data are usu-ally much larger in size than the authentication code. Hid-ing much larger sized data and makHid-ing it robust is more difficult than hiding much smaller sized data and making it robust. This is because the robustness process against every kind of manipulation or attack often enlarges the hidden data. If the original data to be hidden are small, such as the authentication code, then robust hiding is less difficult. But if the original data to be hidden is already large, such as the cross-recovery data of multiple images, then this is difficult.

6 Discussion

Table 1 compares our method with Refs. 4–10 and 33. Among them, Refs.4–6are for authentication only. Refer-ences7–10can have both authentication and self-recovery ability of a “single” image. Reference 33 is the only one 共other than ours兲 dealing with multiple images. So we in-troduce and compare with Ref. 33 in more detail in the following paragraphs. Before that, let us take a look at single-image recovery methods. Usually, for single-image methods, their schemes can recover the tampered parts of the protected image by using the recovery data, which is often embedded in blocks of other areas of the same image. However, when a watermarked image is tampered exten-sively in a large area and randomly, it is not rare that a block and its back-up block are tampered with at the same time. In this case, the recovery ability of the tampered block in their approaches is gone, but our scheme can handle this case, even if the whole image is lost, as long as the remaining r members are authentic.

Next we compare our method with Ref. 33 in which Tsai, Chang, and Chen proposed a method whose goal is somehow related to ours. Their goal is to share multiple secret images among a group of cover images, so that each pair of stego-images can recover a unique secret image for that pair关see Fig.8共a兲兴. In Fig.8共a兲, the six secret images 兵Jet, Goldhill, Girl, Toys, Boat, and Scene其 with size of 200⫻200 pixels are shared in the four cover images 兵Lena, Baboon, Tiffany, and Zelda其 with size of 600⫻600 pixels. The secret image Jet is shared between the pair of stego-images Lena and Baboon; the secret image Boat is shared between the pair of stego-images Lena and Tiffany, and so on. The PSNR values of their stego-images range between 42.41 and 42.61 dB.

Reference33has two main advantages. First, it is effec-tive. By an ingenious design of the sharing order and an adequate utilization of bit planes of the cover image, one can share multiple secret images with multiple cover im-ages, and the quality of all stego-images is visually accept-able to cover communication. Second, it is efficient, be-cause the stego-images are generated using simple operators such as addition and exclusive-or.

However, according to the experiment done in Ref.33 关shown in our Fig. 8共a兲兴, when one of the stego-images is tampered with or lost, three of the multiple secret images cannot be reconstructed and then lost forever. For example, if the stego-image Lena is tampered with or lost, the secret images Jet, Boat, and Toys cannot be recovered by the re-maining three stego-images. Therefore, the method of Ref. 33 is not fault tolerant when some stego-images are Fig. 7 The recovered versions共33.82-dB Baboon’, and/or 41.57-dB

Lena’, and/or 42.54-dB Jet’, and/or 38.32-dB Scene’兲 of the two lost or tampered images in a sequence of共r=2, n=4兲 experiments. In each experiment, only two_{共=r兲 of the received images are exactly} the watermarked images shown in Fig.3_{共and hence can pass the}

authentic test兲. The remaining n-r=4−2=2 images are either lost or tampered with_{共for example, they can be any two images in Fig.}5_兲.

polluted. As a contrast, our recovery still works even if 共n-r兲 of the n watermarked images are tampered with or lost. All member images of the protected group can be recovered by our method.

In summary, each method has its own advantage. Refer-ence33is effective and efficient, and ours is fault tolerant. Reference33is for sharing multiple secrets, and ours is for easy recovery of distributed storage systems in unstable environments.

To compare with Ref. 33 further, we use a structure shown in Fig. 8共b兲 so that Ref. 33 can also be used for cross-recovery of multiple images. Here, the hidden secret images are in fact the JPEG2000-compressed images of the four cover images. Then we generate the authentication

code of each stego-image using the skill aforementioned in Sec. 3.3, and finally embed the code in stego-images to form four watermarked images in Fig.8共b兲.

In Fig. 8共b兲, if one of the four watermarked images is lost or tampered with, then the remaining three members can reconstruct the lost image. For example, if Baboon is lost, we can reconstruct it by the cooperation between Lena and Jet or Jet and Scene. Of course, the recovered version of the lost image is its JPEG2000-compressed version. However, when two of the four watermarked images are lost, only one of the lost images can be reconstructed. For example, if Jet and Scene are lost, then the JPEG2000-compressed Scene can be reconstructed by the cooperation between Baboon and Lena, but the image Jet is gone. To the contrary, our共2, 4兲 scheme can tolerate two tampered or lost images, for they can be recovered by the cooperation of the remaining two authentic images共see Case 2 of Sec. 5兲. Table 2 lists the comparison between our 共r=2, n=4兲 scheme and Ref. 33. From Table 2, we can see that the qualities of the watermarked and recovered images in our scheme are not worse than that of Ref.33. Moreover, in the recovery procedure, the fault-tolerant ability of our scheme is better than the method of Ref. 33. As for processing speed, Ref. 33 is faster than ours, because Ref. 33 uses logic operations rather than arithmetical computations for their sharing process.

7 Conclusions

We propose an authentication and cross-recovery method for a group of n images. The goal of this work is that if some images in the group are tampered with or lost, these Table 1 A comparison between some published methods and our scheme.共*means “quoted directly

from the reported paper,” and N/A means not mentioned in the reported paper.兲 The unit of PSNR is decibels. Schemes PSNR of the watermarked image 共images, if Ref.33or ours兲 Authentication check ability Recovery ability PSNR of the recovered image 共images, if Ref.33 or ours兲

Ref.4 49.19*共Jet 512⫻512兲 Yes No No

Ref.5 N/A Yes No No

Ref.6 N/A Yes No No

Ref.7 34.34*共Lena 512⫻512兲 Yes Self共single image兲 N/A

Ref.8 44.37*共Beach 256⫻256兲 Yes Self共single image兲 30.85*to 48.48*

Ref.9 44*共Jet 512⫻512兲 Yes Self共single image兲 32.82*to 44*

Ref.10 N/A Yes Self_{共single image兲} N/A

Ref.33 42.41 to 42.61

共four 600⫻600 images兲 Nobe modified共but it can and become “yes”_兲 Cross 共Multiple images兲 27.92 to 39.63 for Fig.8_共b兲 Ours 44.14 to 44.17

共four 512⫻512 images兲 Yes Cross共Multiple images兲

33.82 to 42.54

Fig. 8 共a兲 The relationships among four cover images 兵L, Z, B, T其 in the original experiment of Ref.33._{共b兲 The relationships among four} cover images兵B, L, J, S其 in a new version slightly modified from Ref.

33_{共it is an application version of Ref.}33, the hidden images being the JPEG2000 version of the cover images. L means Lena, B means Baboon, etc.兲.

images can be identified and reconstructed by the mutual support of the r survived members. In the method, two-layer sharing is designed to create n shadows that share the recovery data. The sharing design reduces the recovery data amount, and also makes the recovery fault tolerant for up to

n-r shadows can be lost.

The experimental results show that: 1. the quality of our watermarked images is acceptable, i.e., the proposed method keeps the transparency of the hidden data, includ-ing the recovery data and watermark; 2. authentication and cross-recovery can both be done when some watermarked images are altered, tampered with, or lost; 3. the visual quality of the recovered damaged images is maintained; and 4. it can be applied to distributed image storage system or multiimage transmission.

Acknowledgments

The work was supported by the National Science Council, Taiwan, under grant number NSC962221-E-009-039. The authors thank the reviewers and editor for their valuable comments to improve this work.

References

1. C. S. Lu and H. Y. M. Liao, “Structural digital signature for image authentication: An incidental distortion resistant scheme,” IEEE Trans. Multimedia5共2兲, 161–173 共2003兲.

2. C. Y. Lin and S. F. Chang, “A robust image authentication method distinguishing JPEG compression from malicious manipulation,”

IEEE Trans. Circuits Syst. Video Technol.11共2兲, 153–168 共2001兲. 3. P. Tsai, Y. C. Hu, and C. C. Chang, “Using set partitioning in

hierar-chical tree to authenticate digital images,” Signal Process. Image Commun.18共9兲, 813–822 共2003兲.

4. C. C. Chang, Y. S. Hu, and T. C. Lu, “A watermarking-based image

ownership and tampering authentication scheme,”Pattern Recogn. Lett.27共5兲, 439–446 共2006兲.

5. M. U. Ceilk, G. Sharma, E. Saber, and A. M. Tekalp, “Hierarchical watermarking for secure image authentication with localization,”

IEEE Trans. Image Process.11共6兲, 585–594 共2002兲.

6. P. W. Wong and N. Memon, “Secret and public key image water-marking schemes for image authentication and ownership verifica-tion,”IEEE Trans. Image Process.10共10兲, 1593–1601 共2001兲. 7. H. C. Wu and C. C. Chang, “Detection and restoration of tampered

JPEG compressed images,” J. Syst. Softw. 64共2兲, 151–161 共2002兲. 8. P. L. Lin, C. K. Hsieh, and P. W. Huang, “A hierarchical digital

watermarking method for image tamper detection and recovery,” Pat-tern Recogn.38共12兲, 2519–2529 共2005兲.

9. F. H. Yeh and G. C. Lee, “Content-based watermarking in image authentication allowing remedying of tampered images,”Opt. Eng.

45共7兲, 077004 共2006兲.

10. C. S. Chan and C. C. Chang, “An efficient image authentication method based on Hamming code,” Pattern Recogn. 40共2兲, 681–690 共2007兲.

11. C. C. Thien and J. C. Lin, “Secret image sharing,”Comput. Graphics

26共5兲, 765–770 共2002兲.

12. A. Shamir, “How to share a secret,”Commun. ACM22共4兲, 612–613 共1979兲.

13. G. R. Blakley, “Safeguarding cryptography keys,” in 1979 National

Computing Conf., AFIPS Conf. Proc. 48, 313–317共1979兲.

14. C. C. Chang and R. J. Huang, “Sharing secret images using shadow codebooks,”Inf. Sci. (N.Y.)111共1–4兲, 335–345 共1998兲.

15. C. C. Thien and J. C. Lin, “An image-sharing method with user-friendly shadow images,”IEEE Trans. Circuits Syst. Video Technol.

13共12兲, 1161–1169 共2003兲.

16. C. C. Lin and W. H. Tsai, “Secret image sharing with steganography and authentication,” J. Syst. Softw. 73共3兲, 405–414 共2004兲. 17. S. K. Chen and J. C. Lin, “Fault-tolerant and progressive

transmis-sion of images,”Pattern Recogn.38共12兲, 2466–2471 共2005兲. 18. R. Z. Wang and S. J. Shyu, “Scalable secret image sharing,”Signal

Process. Image Commun.22共4兲, 363–373 共2007兲.

19. S. J. Lin and J. C. Lin, “VCPSS: A two-in-one two-decoding-options image sharing method combining visual cryptography 共VC兲 and polynomial-style sharing共PSS兲 approaches,”Pattern Recogn.40共12兲, 3652–3666共2007兲.

20. C. C. Lin and W. H. Tsai, “Secret image sharing with capability of Table 2 Comparison between two recovery methods for multi-images: 1. Ref.33using the structure

shown in Fig.8共b兲; and 2. our scheme with共r=2, n=4兲 threshold. 共The unit of PSNR is the decibel.兲

Scheme PSNR of the watermarked images PSNR of the recovered images Number of images allowed to be lost in the recovery procedure Number of cover or watermarked images Purpose of the design in the

original paper Features Ref.33 42.41 to 42.61 27.92 to 39.63 for Fig.8共b兲. None, if cover and hidden images are irrelevant 关Fig.8共a兲兴. One image if cover and hidden images are related 关Fig.8_共b兲兴 4 To cover multiple secret images 关So, its application to cross-recovery will use some structures such as Fig.8共b兲兴. Faster processing speed, but less tolerable about missing images Ours 44.14 to 44.17 33.82 to 42.54 n − r= 4 − 2 = 2 images n = 4 in this case To mutually support images of the same group Slower processing speed, but more tolerable about missing images.

share data reduction,”Opt. Eng.42共8兲, 2340–2345 共2003兲. 21. J. B. Feng, H. C. Wu, and C. S. Tsai, “A new multi-secret images

sharing scheme using Largrange’s interpolation,” J. Syst. Softw. 76共3兲, 327–339 共2005兲.

22. R. M. Gray and D. L. Neuhoff, “Quantization,”IEEE Trans. Inf. Theory44共6兲, 2325–2383 共1998兲.

23. M. Naor and A. Shamir, “Visual cryptography,” Lect. Notes Comput.

Sci. 950, 1–12共1995兲.

24. H. C. Wu and C. C. Chang, “Sharing visual multi-secrets using circle shares,” Computer Standards Interfaces 28共1兲, 123–135 共2005兲. 25. C. C. Thien and J. C. Lin, “A simple and high-hiding capacity

method for hiding digit-by-digit data in images based on modulus function,”Pattern Recogn.36共12兲, 2875–2881 共2003兲.

26. R. Z. Wang, C. F. Lin, and J. C. Lin, “Image hiding by optimal LSB substitution and genetic algorithm,”Pattern Recogn.34共3兲, 671–683 共2001兲.

27. Y. S. Wu, C. C. Thien, and J. C. Lin, “Sharing and hiding secret images with size constraint,” Pattern Recogn. 37共7兲, 1377–1385 共2004兲.

28. D. C. Wu and W. H. Tsai, “A steganographic method for images by pixel-value differencing,”Pattern Recogn. Lett.24共10兲, 1613–1626 共2003兲.

29. Y. C. Hu, “High capacity image hiding scheme based on vector quan-tization,”Pattern Recogn.39共9兲, 1715–1724 共2006兲.

30. C. Y. Yang and J. C. Lin, “Image hiding by base-oriented algorithm,”

Opt. Eng.45共11兲, 117001-共1–10兲 共2006兲.

31. R. L. Rivest, “The MD5 message digest algorithm,” Technique Re-port of MIT Laboratory for Computer Science and RSA Data Secu-rity共1992兲.

32. M. Matsumoto and T. Nishimura, “Mersenne twister: a 623-dimensionally equidistributed uniform pseudorandom number gen-erator,”ACM Trans. Model. Comput. Simul.8共1兲 3–30 共1998兲.

33. C. S. Tsai, C. C. Chang, and T. S. Chen, “Sharing multiple secrets in digital images,” J. Syst. Softw. 64共2兲, 163–170 共2002兲.

Yu-Jie Chang received his BS in computer science and information engineering in 1999 from National Central University, Taiwan. In 2001, he received his MS in computer and information science from National Chiao Tung University. He is now a PhD candidate in the computer science department of National Chiao Tung University. His research interests include digital watermarking, image processing, and pattern recognition.

Sian-Jheng Lin received his BS and MS in computer science from National Chiao Tung University in 2004 and 2006, respectively. He is currently a PhD candidate in the computer science department of National Chiao Tung University. His recent research interests in-clude pattern recognition and image processing.

Ja-Chen Lin received his BS in computer science in 1977 and MS in applied mathematics in 1979, both from National Chiao Tung Uni-versity共NCTU兲, Taiwan. In 1988, he received his PhD in mathemat-ics from Purdue University, Indiana. From 1981 to 1982, he was an instructor at NCTU. From 1984 to 1988, he was a graduate instruc-tor at Purdue University. He joined the Department of Computer and Information Science at NCTU in August 1988, and became a pro-fessor there. His research interests include pattern recognition and image processing. He is a member of the Phi-Tau-Phi Scholastic Honor Society.