
Progressive sharing of multiple images with sensitivity-controlled decoding


RESEARCH (Open Access)

Sheng-Yu Chang, Suiang-Shyan Lee, Tzu-Min Yeh, Lee Shu-Teng Chen and Ja-Chen Lin*

Abstract

Secure sharing of digital images is becoming an important issue. Consequently, many schemes for ensuring image sharing security have been proposed. However, existing approaches focus on the sharing of a single image, rather than multiple images. We propose three kinds of sharing methods that progressively reveal n given secret images according to the sensitivity level of each image. Method 1 divides each secret image into n parts and then combines and hides the parts of the images to get n steganographic (stego) JPEG codes of equal importance. Method 2 is similar; however, it allocates different stego JPEG codes of different ‘weights’ to indicate their strength. Method 3 first applies traditional threshold-sharing to the n secret images, then progressively shares k keys, and finally combines the two sharing results to get n stego JPEG codes. In the recovery phase, various parameters are compared to a pre-specified low/middle/high (L/M/H) threshold and, according to the respective method, determine whether or not secret images are reconstructed and the quality of the images reconstructed. The results of experiments conducted verify the efficacy of our methods.

Keywords: Progressive sharing; Multiple images; Weighted sharing; Guardian stegos; Sensitivity-controlled decoding

1 Introduction

The Internet has become an integral part of human life and society. This public facility constantly transmits both public and private information. Consequently, the protection of sensitive information transmitted through this medium has become an important issue. Blakley and Shamir [1,2] first conceptualized the idea of a (t, n) threshold secret sharing scheme, in which at least a minimum number t out of n participants are required in order to recover the secret. This scheme has been extended by various researchers [3-16] and successfully applied to activities such as protection of PDF files [12], visual cryptography [13,14], and network communication [15]. For digital media, many schemes for ensuring image sharing security have been proposed. For example, Thien and Lin [8] proposed using n shares, in which each share is t times smaller than the given secret image, to share a secret image. Wang and Shyu [4] proposed a scalable secret image sharing scheme. Lin and Tsai proposed image sharing schemes with authentication capabilities [9], or with reduction of share size [10]. Further, some approaches are devoted to progressively decoding secrets [3-7].

Besides sharing, approaches using data hiding [17-19] or watermarking [20-24] have also offered other kinds of protection. In general, a hiding method can embed a secret file in a host image. In data hiding, researchers usually consider issues such as the size ratio between the secret file and the host image, and the impact on the host image due to embedding. As for watermarking, people can embed a watermark in a digital image in order to authenticate or claim the ownership of the digital image. In the design of watermarking methods, researchers usually pay more attention to resisting attacks such as copy attack, tampering, and cropping. Nowadays, the study of watermarks has covered not only software [21,24] but also hardware [22,23]. Notably, a sharing method often has a post-processing step which utilizes data hiding or some kind of authentication tool. This is because each generated share looks like noise and may attract the attention of hackers, whereas data hiding can hide the generated shares in ordinary images. An authentication tool might also be needed in order to verify the integrity. For example, ref. [12] uses the SHA-256 hash function to authenticate the file.

* Correspondence: jclin@cs.nctu.edu.tw

Department of Computer Science, National Chiao Tung University, 1001 University Road, Hsinchu 30050, Taiwan

© 2015 Chang et al.; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly credited.

Our study here focuses on sharing. Among the existing image sharing approaches, the secret being shared is often assumed to be a single image, rather than multiple images. Repeated use of a single-image sharing method often causes the user to neglect the cross relation between distinct images and makes the setting of recovery thresholds not quite suitable. For example, in the sharing process of the photos of criminals, if we only have single-image sharing software, we might just use one set of thresholds for all photos. However, if we have multiple-image sharing software, which requires us to input the security level of each photo being processed simultaneously, then we will be more likely to take a closer look at the case of each criminal, then distinguish the photos, and finally give a stricter threshold setting for the photos of the more serious crime offenders.

When multiple images are being shared, the fact that the security/sensitivity of some images might be higher than that of the other images has to be considered. In this paper, we consider how to share several secret images simultaneously. This paper proposes three progressive sharing methods (methods 1, 2, and 3) that use sensitivity-controlled decoding. The sensitive images, i.e., the secret images, are divided into several image groups according to security level, with the more sensitive groups requiring more steganographic images (stegos) to uncover the images they contain. Specifically, after sharing and hiding, all stegos in method 1 are of equal weight, whereas the stegos in method 2 are quite different; some have more weight, and hence their secret-hiding ability is more powerful than that of the other stegos. Finally, in method 3, some stegos are so powerful that they are called guardian stegos: in this method, no information can be revealed without a minimum number of guardian stegos. Thus, in our proposed methods, secret images in each security group are revealed progressively when a user receives enough stegos (method 1), the sum of the received weights is sufficient (method 2), or a sufficient number of guardian stegos is present (method 3).

2 Background and related work

2.1 Secret sharing: (t, n) sharing

Thien and Lin [8] proposed the (t, n) threshold method, which distributes a secret image among n shares. First, the secret image is divided into non-overlapping sectors of t pixels each. Then, the following polynomial is used to encode every sector:

$$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1} \pmod{p}, \tag{1}$$

where $a_0, \ldots, a_{t-1}$ are the t pixel values in a sector and x is a user-specified index. Here, p is a prime number (or p is a whole power of 2, such as 128 or 256, if the arithmetic +, −, ×, and ÷ are in terms of Galois field operations). Finally, a share, whose index is x, is generated after every encoded result of f(x) is concatenated. Notably, n unique indices $\{x_1, x_2, \ldots, x_n\}$ are selected at the beginning in order to create n shares, and each share size is 1/t of the original secret image.

In the decoding phase, if at least a minimum number t of the n shares is available, the original secret image can be reconstructed using Lagrange interpolation. The secret image is revealed if at least a minimum number t of the n shares is gathered; otherwise, only noise is obtained.

2.2 Progressive sharing: [r1&r2&…&rk; n] sharing

Chen and Lin [3] developed a progressive sharing method. They used k thresholds, specifically $\{r_1 \le r_2 \le \cdots \le r_k\}$, with each threshold less than or equal to n. For example, for [(2&3&4); n], the three threshold values are $r_1 = 2$, $r_2 = 3$, and $r_3 = 4$. Then, the image is partitioned into multiple sectors comprising nine (= $r_1 + r_2 + r_3$) pixels each. To share a sector, for example the nine values {146, 167, 255, 60, 124, 165, 211, 73, 25}, first, the rearranging process illustrated in Figure 1 transforms the nine values into nine new values {230, 21, 159, 23, 83, 155, 227, 136, 207}. In the above, note that the binary representation of 230 is 11100110, exactly the first eight digits read from the first column in Figure 1. The first $r_1 = 2$ transformed set of values, {230, 21}, gives the first polynomial in Equation 2. The next $r_2 = 3$ transformed set of values, {159, 23, 83}, creates the second polynomial in Equation 3. The final $r_3 = 4$ transformed set of values, {155, 227, 136, 207}, creates the third polynomial in Equation 4.

$$f^{(1)}(x) = 230 + 21x \pmod{p} \tag{2}$$

Figure 1 Rearranging the values of the original sector. MSB and LSB are the abbreviations for most and least significant


$$f^{(2)}(x) = 159 + 23x + 83x^2 \pmod{p} \tag{3}$$

$$f^{(3)}(x) = 155 + 227x + 136x^2 + 207x^3 \pmod{p} \tag{4}$$

Here, as stated in Section 2.1, either let p be a prime number, or let p be a whole power of 2, such as 128 or 256 (if we do all arithmetic in the Galois field). Now, if any two of the generated shares are available, Lagrange interpolation can be used to reconstruct the two coefficients (230 and 21) in Equation 2. By reversing the rearranging process, we get the rough sector, {128, 128, 192, 0, 64, 128, 192, 64, 0}, of the original sector. If any three of the generated shares are available, we can reconstruct the 2 + 3 = 5 coefficients of Equations 2 and 3 and get an approximate sector, {144, 160, 248, 56, 112, 160, 208, 64, 16}, for the original sector. Finally, if any four of the generated shares are available, we can reconstruct the coefficients of Equations 2 to 4 and get the original sector, {146, 167, 255, 60, 124, 165, 211, 73, 25}, without errors.
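The [(2&3&4); n] example above, carried through in code as an added illustration (not code from the paper). It assumes p = 257, share indices x = 1..n, that Figure 1 is the bit-plane transpose implied by the listed values, and that bits not yet recovered are zero-filled.

```python
# Added example: [(2&3&4); n] progressive sharing of one nine-pixel sector.
# Assumptions (not from the paper): prime p = 257, share indices x = 1..n,
# bit-plane rearrangement, zero-fill for bits that are not yet recovered.
P = 257                      # prime > 255; a share value may be 256 (9 bits)
THRESHOLDS = (2, 3, 4)       # r1 <= r2 <= r3
SECTOR = [146, 167, 255, 60, 124, 165, 211, 73, 25]   # sector from the text


def rearrange(sector):
    """All MSBs first, then all second bits, and so on, repacked into bytes."""
    bits = [(v >> plane) & 1 for plane in range(7, -1, -1) for v in sector]
    return [int("".join(map(str, bits[i:i + 8])), 2)
            for i in range(0, len(bits), 8)]


def restore(known_bytes, size):
    """Invert rearrange() from a prefix of its output; missing bits become 0."""
    bits = [(b >> s) & 1 for b in known_bytes for s in range(7, -1, -1)]
    bits += [0] * (8 * size - len(bits))
    return [sum(bits[plane * size + i] << (7 - plane) for plane in range(8))
            for i in range(size)]


def poly_eval(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def make_shares(sector, n):
    """Return {x: [f1(x), f2(x), f3(x)]} for x = 1..n."""
    data = rearrange(sector)
    polys, pos = [], 0
    for r in THRESHOLDS:                 # r coefficients per polynomial
        polys.append(data[pos:pos + r])
        pos += r
    return {x: [poly_eval(c, x) for c in polys] for x in range(1, n + 1)}


def interpolate(points):
    """Lagrange interpolation mod P; returns the coefficients a0..a_{r-1}."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            # basis <- basis * (X - xj), coefficients in ascending order
            basis = [(shifted - xj * orig) % P
                     for shifted, orig in zip([0] + basis, basis + [0])]
            denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return coeffs


def decode(received, size=9):
    """received: {x: [f1(x), f2(x), f3(x)]}. Returns (level, sector or None)."""
    xs = sorted(received)
    known, level = [], 0
    for idx, r in enumerate(THRESHOLDS):
        if len(xs) < r:                  # not enough shares for this polynomial
            break
        known += interpolate([(x, received[x][idx]) for x in xs[:r]])
        level += 1
    return (level, restore(known, size)) if level else (0, None)


if __name__ == "__main__":
    shares = make_shares(SECTOR, 6)
    for picked in [(1,), (2, 5), (1, 4, 6), (2, 3, 5, 6)]:
        print(picked, decode({x: shares[x] for x in picked}))
```

Under the zero-fill assumption the two-share output is {128, 128, 192, 0, 64, 128, 192, 0, 0}: the second bit of the eighth value lies in the third transformed byte, so this sketch gives 0 there where the text lists 64. The three- and four-share outputs match the text exactly.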

3 Proposed methods

We propose three methods: method 1 is a basic progressive sharing method that divides n secret images into t groups according to sensitivity levels. In this method, for each j, the sensitivity level of the jth group must be lower than that of the (j + 1)th group. Further, the user provides several thresholds for each secret image group. For instance, if $r_1 \le r_2 \le \cdots \le r_k$ is given for a specified group, and if fewer than $r_1$ shadows are received, nothing can be displayed. However, if $r_1$ shadows are available, then the user can get a low-quality version of the images in that group. The more shadows obtained, the better the quality of the recovered images. Finally, if $r_k$ shadows are available, then the user can recover the original images of that group without any errors. The text above mentions a ‘shadow’; a shadow is formed of several ‘shares’. In fact, in all three proposed methods, each shadow is formed of t shares (because each of the t groups offers a share to the mentioned shadow). The construction details of the shadows are given in step 4 of the three encoding algorithms in Subsections 3.1.1, 3.2.1, and 3.3.1 below.

Method 2 assigns different weights to different ‘cover’ image groups. The smaller the weight value of a cover group, the smaller the number of shadows hidden in that cover group. The secret images are also partitioned into groups. For each secret image group, for example, secret group j, multiple threshold values (for instance $r_{j1} \le r_{j2} \le \cdots \le r_{jk}$) are specified by the user. Subsequently, during the decoding, if the sum of the weights of the received cover groups is at least $r_{j1}$, then the user can recover a low-quality version of the images in secret group j. The greater the sum of the received weights, the better the quality of the recovered secret images. Finally, if the sum of the weights equals $r_{jk}$, then we can recover all original images in secret group j without errors.

Method 3 designates some of the stego images to be guardian stegos. In this method, if a sufficient minimum number of these guardian stegos are received, then low-quality secret images can be reconstructed, as long as the number of received stego images is also at or above a minimum threshold value. The more guardian stegos received, the better the quality of the recovered images, as long as the number of received stego images is also at certain corresponding threshold values. Finally, if all the guardian stegos are received, then all the secret images can be reconstructed without errors, as long as the number of stego images received is also at or above certain threshold values.

3.1 Method 1: basic form (of sharing with sensitivity-controlled decoding)

3.1.1 Encoding phase

Input: n secret images $\{S_1, S_2, \ldots, S_n\}$, n cover images (each is in JPEG form), and t sets of ‘type-r progressiveness thresholds’, $\{[r_{11} \le r_{12} \le \cdots \le r_{1k}], [r_{21} \le r_{22} \le \cdots \le r_{2k}], \ldots, [r_{t1} \le r_{t2} \le \cdots \le r_{tk}]\}$.

Output: n JPEG stego codes.

Step 1: Divide $\{S_1, \ldots, S_n\}$ into t groups according to the sensitivity levels of $\{S_1, \ldots, S_n\}$. (For each j = 1, …, t − 1, the sensitivity level of group j must be lower than that of group j + 1.)

Step 2: Rearrange the data sequence of each secret image as follows:

Step 2.1: For each non-overlapping 8 × 8 block, perform discrete cosine transform (DCT). Then, according to the zigzag order, only grab DCT values from the direct current (DC) term to the final non-zero value of the alternating current (AC) terms. (Notably, if a quantization of DCT coefficients has been used, then apply Huffman coding to the residual image, which is the difference image between the original image and the image decompressed from the quantized DCT coefficients.)

Step 2.2: For each DCT block, fill in zeroes so that the number of DCT values in the block is a multiple of RSUM, the local sum of the type-r progressiveness thresholds; i.e., RSUM = $\mathrm{RSUM}_j = r_{j1} + r_{j2} + \cdots + r_{jk}$ if the image is in the jth group. Then, rearrange the data sequence of the DCT block in accordance with Figure 2.

Step 3: For each secret group j = 1, 2, …, t, use [($r_{j1}$ & $r_{j2}$ & … & $r_{jk}$); n] progressive sharing to get n shares, which share the DCT data of each image in group j. (Remark: if lossless reconstruction is also wanted, then for each secret group j = 1, 2, …, t, use $r_{jk}$ as the threshold value in traditional (non-progressive) sharing to generate another n shares, which share the Huffman codes (see step 2.1) of the residual images in group j. Now, for i = 1 to n, attach share i of Huffman code to share i of DCT data. This pairwise binding will reduce n + n shares to n shares.)

Step 4: In step 3, each secret group generated n shares, namely, {ith share | i = 1, 2, …, n}. Now, for i = 1, 2, …, n, concatenate (i.e., physically link together) the ith shares across all t secret groups to get the ith shadow. Note that there are t secret groups, and each shadow receives one share from each secret group. Hence, each shadow is formed of t shares. For example, shadow 1 is in the form (share 1 of group 1, share 1 of group 2, …, share 1 of group t).

Step 5: Use the JPEG data hiding method [17] to hide the n shadows in the respective n JPEG codes of the n cover images.

3.1.2 Decoding phase

If (any) $r_{11}$ of the n stego images are available, then we can extract the shadows from the $r_{11}$ stego images: they can then be used to reconstruct low-quality versions of all the secret images in group 1. If (any) $r_{12}$ of the n stego images are available, the quality of the recovered group 1 secret images will be better. Finally, if (any) $r_{1k}$ of the n stego images are available, then the recovered group 1 secret images will all be lossless. Similarly, for each j = 2, …, t, if (any) $r_{j1}, r_{j2}, \ldots$ of the n stego images are available, we get the progressive recovery effect mentioned above for group j.

3.2 Method 2: sensitivity-controlled decoding using weights

3.2.1 Encoding phase

Input: n secret images $\{S_1, S_2, \ldots, S_n\}$, n cover images (each is in JPEG form), t sets of ‘type-r progressiveness thresholds’, $\{[r_{11} \le r_{12} \le \cdots \le r_{1k}], [r_{21} \le r_{22} \le \cdots \le r_{2k}], \ldots, [r_{t1} \le r_{t2} \le \cdots \le r_{tk}]\}$, and T positive integers $\{w_1, w_2, \ldots, w_T\}$ called ‘weights’. Note: $w_1 + w_2 + \cdots + w_T = n$.

Output: n JPEG stego codes.

Steps 1 to 4: Do steps 1 to 4 in Section 3.1.1.

Step 5: Assign the n cover images to T cover groups so that each cover group has at least one cover image. Then, for each j = 1, 2, …, T, assign weight $w_j$ to cover group j.

Step 6: Use the JPEG data hiding method [17] to hide the $w_1$ shadows in the JPEGs of the first cover group, the $w_2$ shadows in the JPEGs of the second cover group, and so on. Since $w_1 + w_2 + \cdots + w_T = n$, hiding of the n generated shadows is complete when the final $w_T$ shadows are hidden in the Tth cover group.

3.2.2 Decoding phase

The decoding is carried out according to the total sum of the weights of the received cover groups. If the total sum of the received weights corresponds to $r_{11}$, then we can extract the $r_{11}$ shadows from the received cover groups and reconstruct a low-quality version of all the images in secret group 1. If the total sum of the received weights corresponds to $r_{12}$, then the recovered images of secret group 1 will be of a better quality. Finally, if the total sum of the received weights corresponds to $r_{1k}$, then the recovered images of secret group 1 will be lossless. Analogously, for each j = 2, …, t, if the total sum of the received weights corresponds to $r_{j1}, r_{j2}, \ldots$, or $r_{jk}$, we get the above progressive recovery effect for the jth secret group.

3.3 Method 3: sensitivity-controlled decoding with guardian stegos

Thus far, for each secret image group, both methods 1 and 2 used ‘multiple’ progressiveness thresholds to control the progressive effect of that secret image group (for example, the parameters $[r_{11} \le r_{12} \le \cdots \le r_{1k}]$ are used for secret image group 1, the parameters $[r_{21} \le r_{22} \le \cdots \le r_{2k}]$ are used for secret image group 2, and so on). In contrast, method 3 uses only one $r_j$ as the ‘single’ threshold for the jth secret image group (true for each j = 1, 2, …). The progressive effect of method 3 is achieved by other types of parameters (parameters of type q, rather than of type r).

3.3.1 Encoding phase

Input: n secret images $\{S_1, S_2, \ldots, S_n\}$, n cover images (each is in JPEG form), t positive integer parameters, $\{r_1 \le r_2 \le \cdots \le r_t\}$, k keys, $\{\mathrm{Key}_1, \mathrm{Key}_2, \ldots, \mathrm{Key}_k\}$, and k positive integers, $[q_1 \le q_2 \le \cdots \le q_k = k]$, called ‘type-q progressiveness parameters’. (Note: type-q parameters are for the progressive sharing of keys, which is different from the t sets of type-r thresholds of methods 1 and 2; methods 1 and 2 use no keys.)

Figure 2 DCT value sequence rearrangement order. In Figure 2, the block is adjusted (by filling in zeroes) so that the number of DCT elements (in the block) is a multiple of the integer constant ‘RSUM’.

Output: n JPEG stego codes.

Step 1: Do step 1 in Section 3.1.1.

Step 2: Rearrange the data sequence of each secret image and encrypt each value as follows:

Step 2.1: Do step 2.1 in Section 3.1.1.

Step 2.2: Partition the DCT coefficients of each block into k non-overlapping regions according to the zigzag sequence. Region 1 is the most important because it corresponds to the lowest-frequency area, followed by region 2, and so on. Then, for each i = 1, 2, …, k, use $\mathrm{Key}_i$ to encrypt the DCT values belonging to region i. Finally, use $\mathrm{Key}_k$ again to encrypt the Huffman code generated in step 2.1.

Step 3: For each j = 1, 2, …, t, use $r_j$ as the threshold value in the threshold-sharing to create n shares that share the encrypted data sequence of each image of the jth secret group.

Step 4: For i = 1, 2, …, n, combine the ith shares of all the secret images in the input to get the ith shadow.

Step 5: For each i = 1, 2, …, k, use $q_i$ as the threshold value in the ($q_i$, k) threshold-sharing to share $\mathrm{Key}_i$ among k shares. (Consequently, among these k key-shares of $\mathrm{Key}_i$, any $q_i$ key-shares can recover $\mathrm{Key}_i$ without errors.)

Step 6: For i = 1, 2, …, k, combine the ith key-shares of all keys in the database to get the ith key-shadow.

Step 7: Use the JPEG data hiding method [17] to hide the n shadows in the respective n JPEG codes of the n cover images.

Step 8: Choose k of the n cover images and use the JPEG data hiding method [17] to hide their respective k key-shadows in the k JPEG codes of the k cover images chosen. Note: the k stego images generated in this way are called ‘guardian stegos’.

Thus, for k keys, there are k guardian stegos. Further, the actual number of progressive levels is less than or equal to k (equal to k if all k progressiveness parameters, $[q_1 \le q_2 \le \cdots \le q_k]$, are mutually distinct, i.e., $q_1 < q_2 < \cdots < q_k$).

3.3.2 Decoding phase

If (any) $r_1$ of the n stego images are available, we can extract the $q_1$ key-shadows and the $r_1$ shadows from the $r_1$ stego images, as long as the $r_1$ stego images include $q_1$ guardian stegos. Subsequently, we can recover the encrypted version of all the secret images in secret group 1, reconstruct the key $\mathrm{Key}_1$, and use $\mathrm{Key}_1$ to decrypt the encrypted version of the images in secret group 1. This process reveals the low-quality version of all the secret images in secret group 1. If the $r_1$ stego images include $q_2$ guardian stegos, we can reconstruct the key $\mathrm{Key}_2$, resulting in the recovered version of the secret images in group 1 having improved quality. Finally, if the $r_1$ stego images include k guardian stegos, the recovered secret images in group 1 are all lossless. Similarly, for each j = 2, …, t, if (any) $r_j$ of the n stego images are available, then, as long as the $r_j$ stego images include the $q_1, q_2, \ldots$, or $q_k$ guardian stegos, we get the above progressive recovery effect for the secret images in group j.
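The decoding rules of Sections 3.1.2, 3.2.2 and 3.3.2, written as an added Python example (not code from the paper) that reports the quality level each secret group reaches for a given set of received stegos. Stego and cover-group indices are 0-based, the parameter values are the ones given for the experiments in Section 4, and the choice of stegos 0 to 2 as guardians is constructed for illustration.

```python
# Added example: access rules of methods 1, 2 and 3.
# Level 0 = nothing revealed; the highest level = lossless recovery.
from itertools import combinations


def level(thresholds, amount):
    """Number of ascending thresholds that `amount` meets."""
    return sum(1 for r in thresholds if amount >= r)


def method1_levels(type_r, received_stegos):
    """Method 1: every stego carries one shadow of equal weight."""
    return [level(ts, len(set(received_stegos))) for ts in type_r]


def method2_levels(type_r, weights, received_cover_groups):
    """Method 2: a complete cover group of weight w yields w shadows."""
    shadows = sum(weights[g] for g in set(received_cover_groups))
    return [level(ts, shadows) for ts in type_r]


def method3_levels(r, q, guardians, received_stegos):
    """Method 3: group j needs r[j] stegos; Key_i needs q[i] guardian stegos."""
    received = set(received_stegos)
    keys = level(q, len(received & set(guardians)))
    return [keys if len(received) >= rj else 0 for rj in r]


def reveals_below_guardian_quota(r, q, guardians, n, quota):
    """True if any subset holding fewer than `quota` guardians reveals a group."""
    for size in range(n + 1):
        for subset in combinations(range(n), size):
            if len(set(subset) & set(guardians)) < quota and \
                    any(method3_levels(r, q, guardians, subset)):
                return True
    return False


# Parameters from Section 4 (n = 6 stegos, three secret groups).
M1_TYPE_R = [(2, 3, 4), (3, 4, 5), (4, 5, 6)]
M2_TYPE_R = [(3, 4), (4, 5), (5, 6)]
M2_WEIGHTS = [1, 2, 3]            # cover groups 0, 1, 2
M3_R, M3_Q = (4, 5, 6), (2, 2, 3)
M3_GUARDIANS = {0, 1, 2}          # constructed choice of guardian stegos

if __name__ == "__main__":
    for count in range(1, 7):
        print("method 1,", count, "stegos:",
              method1_levels(M1_TYPE_R, range(count)))
    for groups in [(0,), (1,), (2,), (0, 1), (0, 2), (1, 2), (0, 1, 2)]:
        print("method 2, cover groups", groups, ":",
              method2_levels(M2_TYPE_R, M2_WEIGHTS, groups))
    for stegos in [(0, 1, 2), (0, 3, 4, 5), (0, 1, 3, 4), (0, 1, 2, 3, 4, 5)]:
        print("method 3, stegos", stegos, ":",
              method3_levels(M3_R, M3_Q, M3_GUARDIANS, stegos))
```

Because $q_1 = q_2 = 2$ in these parameters, two guardian stegos already release both $\mathrm{Key}_1$ and $\mathrm{Key}_2$, so method 3 here has two distinct levels rather than three.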

4 Experimental results

We conducted experiments 1, 2, and 3 for methods 1, 2, and 3, respectively. We utilized the six 512 × 512 cover images, {Barbara, Lake, Couple, Baboon, Indian, Bridge}, shown in Figure 3 in all the experiments. We also utilized the six secret images, {House, Cameraman, Lena, Pepper, Jet, Blonde}, shown in Figure 4 in each experiment; however, because of the limitations imposed on size by the different methods, the width and height of each secret image were smaller in experiments 1 and 2, and larger in experiment 3.

We measured the quality of each stego image and recovered image using PSNR, defined as

$$\mathrm{PSNR} = 10 \times \log_{10} \frac{255^2}{\mathrm{MSE}}. \tag{5}$$

Here, the mean square error (MSE) is given by

$$\mathrm{MSE} = \frac{1}{\mathrm{height} \times \mathrm{width}} \sum_{i=1}^{\mathrm{height}} \sum_{j=1}^{\mathrm{width}} \left(\mathrm{pixel}_{ij} - \mathrm{pixel}'_{ij}\right)^2 \tag{6}$$

for an image with height × width pixels, and $\mathrm{pixel}_{ij}$ and $\mathrm{pixel}'_{ij}$ are, respectively, the value of the pixel at position (i, j) of the two compared images. For the readers' convenience, structural similarity [25] (SSIM) is also listed. Notably, the better the image quality, the closer the SSIM value is to 1.

Figure 3 The six 512 × 512 cover images: {Barbara, Lake, Couple, Baboon, Indian, Bridge}.


4.1 Experimental results for method 1

In this experiment, the inputs comprised the six 128 × 128 secret images and the six 512 × 512 cover images (Figure 3). We divided the six images into three groups according to the sensitivity levels of the six secret images, [House, Cameraman], [Lena, Pepper], and [Jet, Blonde], and used [($r_{11}$ & $r_{12}$ & $r_{13}$); n] = [(2&3&4); 6] in the progressive sharing to distribute the first group's images, [House, Cameraman], among {share$_1$, …, share$_6$}. Similarly, we used [($r_{21}$ & $r_{22}$ & $r_{23}$); n] = [(3&4&5); 6] in the progressive sharing to distribute the second group's images, [Lena, Pepper], among {share$_1$, …, share$_6$}. Finally, we used [($r_{31}$ & $r_{32}$ & $r_{33}$); n] = [(4&5&6); 6] in the progressive sharing to distribute the third group's images, [Jet, Blonde], among {share$_1$, …, share$_6$}.

To complete the encoding, we constructed the first shadow by integrating all share$_1$s, the second shadow by integrating all share$_2$s, and so on. Finally, we used the JPEG data hiding method [17] to hide the six shadows in the respective six JPEG codes of the six cover images.

In the decoding phase, for the scenario where two of the six stego images were available, we first extracted the two shadows hidden in the two available stego images. Then, by inverse-sharing and because $r_{11} = 2$, we were able to recover the low-quality version of both secret images, [House, Cameraman], in group 1. For the scenario where three of the six stego images were available, we first extracted the three shadows hidden in the three available stego images. Then, by inverse-sharing and because $r_{21} = 3$ and $r_{12} = 3$, we were able to recover the low-quality version of both secret images, [Lena, Pepper], in group 2, and the medium-quality version of both secret images, [House, Cameraman], in group 1, respectively.

Similarly, for the scenario where any four of the six stego images were available, because $r_{31} = 4$, $r_{22} = 4$, and $r_{13} = 4$, we were able to recover the low-quality version of both secret images, [Jet, Blonde], in group 3, the medium-quality version of both secret images, [Lena, Pepper], in group 2, and the lossless version of both secret images, [House, Cameraman], in group 1, respectively. For the scenario where any five of the six stego images were available, because $r_{32} = 5$, $r_{13} = 4 < 5$, and $r_{23} = 5$, we were able to recover the medium-quality version of both secret images, [Jet, Blonde], in group 3, and the lossless version of each secret image in the first group, [Lena, Pepper], and the second group, [House, Cameraman], respectively. Finally, for the scenario where all six stego images were available, because $r_{j3} \le 6$ for each j = 1, 2, 3, we were able to recover all six secret images without error, irrespective of the group to which they belonged.

Table 1 shows the quality of the progressively recovered secret images during the decoding phase. Note that, after encoding, when we decompressed the six JPEG stego codes, which contained the secrets hiding in them, the PSNRs of the decompressed images were between 39.6 and 42 dB, as shown in Table 1. The quality of the images revealed on level 1 (i.e., the low-quality version) is between 24.95 and 27.33 dB, and the quality revealed on level 2 (i.e., medium-quality version) is between 30.35 and 33.09 dB. The secret images were recovered without errors on level 3 of the reconstruction.

4.2 Experimental results for method 2

In this experiment, the input comprised the six 128 × 128 secret images, the six 512 × 512 cover images (Figure 3), and three weight values {1, 2, 3}. The six images were again divided into three groups according to the sensitivity levels of the secret images: [House, Cameraman], [Lena, Pepper], and [Jet, Blonde]. Then, in the progressive sharing, [($r_{11}$ & $r_{12}$); n] = [(3&4); 6] was used to distribute each of the first group's secret images, [House, Cameraman], among {share$_1$, …, share$_6$} so that the ‘rough’ recovery of any image (say, House) in this group would need $r_{11} = 3$ shares, whereas the lossless recovery of that image would need $r_{12} = 4$ shares. Similarly, we used [($r_{21}$ & $r_{22}$); n] = [(4&5); 6] in the progressive sharing to distribute each of the second group's images, [Lena, Pepper], among {share$_1$, …, share$_6$}. Finally, we used [($r_{31}$ & $r_{32}$); n] = [(5&6); 6] in the progressive sharing to distribute each of the third group's images, [Jet, Blonde], among {share$_1$, …, share$_6$}.

The first shadow was generated by integrating the share$_1$s of all six secret images, the second by integrating the share$_2$s of all six secret images, and so on. Let |SS| denote the size of a shadow. We also partitioned the six cover images into three groups, [Barbara, Lake], [Couple, Baboon], and [Indian, Bridge], and assigned them weights 1, 2, and 3, respectively. Finally, we bound all the JPEG codes of the cover images of the first cover group together as a unit. Then, we treated this unit as a cover medium and used the JPEG data hiding method [17] to hide only one shadow in this cover medium (we hid only one shadow because $w_1 = 1$). The shadow hidden here was shadow #1, with size being $w_1 \times |SS| = |SS|$. Then, we bound all the JPEG codes of the cover images of the second cover group together as a unit and used the hiding method [17] to hide two ($2 = w_2$) shadows (i.e., shadows #2 and #3) in this unit; thus, the secret data hidden in the second cover group had size $w_2 \times |SS| = 2 \times |SS|$. Finally, we bound all the JPEG codes of the cover images of the third cover group together as a unit and used the hiding method to hide in this unit three ($3 = w_3$) shadows (i.e., shadows #4, #5, and #6). Hence, the data being hidden in the third cover group had size $w_3 \times |SS| = 3 \times |SS|$.

Figure 4 The six secret images: {House, Cameraman, Lena, Pepper, Jet, Blonde}.

For the scenario where we received all stego JPEG codes of the first cover group, [Barbara, Lake], we extracted the only shadow (i.e., shadow #1) hidden in the first cover group. However, nothing could be displayed because the weight, $w_1 = 1$, was too small. When we did not receive the first cover group, but instead, received all the stego JPEG codes of the second cover group, [Couple, Baboon], we were only able to extract the two shadows (i.e., shadows #2 and #3) hidden in the second cover group. Similarly, nothing could be displayed because the weight $w_2 = 2$ was still not sufficiently large. Finally, for a scenario where we received neither the first cover group nor the second cover group but received all the stego JPEG codes of the third cover group, [Indian, Bridge], we first extracted the three shadows (i.e., shadows #4, #5, and #6) hidden in the third cover group. Then, by inverse-sharing and because threshold $r_{11} = 3$, we were able to recover the low-quality version of each secret image in the first secret group, [House, Cameraman].

For the scenario where we received all four stego JPEG codes for both the first cover group, [Barbara, Lake], and the second cover group, [Couple, Baboon], we first extracted the $w_1 = 1$ shadow hidden in the first cover group and then extracted the $w_2 = 2$ shadows hidden in the second cover group. Thus, we extracted $w_1 + w_2 = 1 + 2 = 3$ shadows, namely, {shadows #1, #2, and #3}. Then, by inverse-sharing and because $r_{11} = 3$, we were able to recover the low-quality version of each secret image in the first secret group, [House, Cameraman].

Similarly, for the scenario where we received all four stego JPEG codes of both the first cover group, [Barbara, Lake], and the third cover group, [Indian, Bridge], we were able to extract $w_1 + w_3 = 1 + 3 = 4$ shadows, namely, {shadows #1, #4, #5, and #6}. Thus, because $r_{21} = 4$ and $r_{12} = 4$, we were able to recover the low-quality version of each secret image in the second secret group, [Lena, Pepper], and the lossless version of each secret image in the first secret group, [House, Cameraman], respectively. For the scenario where we received all four stego JPEG codes of both the second cover group, [Couple, Baboon], and the third cover group, [Indian, Bridge], we were able to extract $w_2 + w_3 = 2 + 3 = 5$ shadows, namely, {shadows #2, #3, #4, #5, and #6}. Thus, because $r_{31} = 5$, $r_{12} = 4 < 5$, and $r_{22} = 5$, we were able to recover the low-quality version of each secret image in the third secret group, and the lossless version of each secret image in the first and second secret groups, respectively. Finally, for the scenario where we received all six stego JPEG codes, because $r_{j2} \le 6$ for each j = 1, 2, 3, we were able to recover all six secret images without errors, irrespective of the secret group to which they belonged.

Table 2 shows the quality of the progressively recovered secret images during the decoding phase. Note that, in the encoding phase, when we decompressed the six JPEG stego codes, which contained the secrets hiding in them, the PSNRs of the decompressed images were between 39.26 and 44.17 dB. The revealed secret images' quality on level 1 (i.e., low-quality version) of the reconstruction was between 28.21 dB and 30.71 dB. All secret images on level 2 of the reconstruction were recovered without errors.

Table 1 Image quality of method 1 (three-level progressive sharing)

| Secret images | Progressive thresholds (rj1, rj2, rj3) | Level 1 PSNR | Level 1 SSIM | Level 1 MSE | Level 2 PSNR | Level 2 SSIM | Level 2 MSE | Stego images | Stego PSNR | Stego SSIM | Stego MSE |
|---|---|---|---|---|---|---|---|---|---|---|---|
| House | 2&3&4 | 26.29 | 0.795 | 152.8 | 33.06 | 0.905 | 32.1 | Barbara | 39.60 | 0.975 | 7.1 |
| Cameraman | 2&3&4 | 24.95 | 0.787 | 208.0 | 30.35 | 0.897 | 60.0 | Lake | 42.00 | 0.977 | 4.1 |
| Lena | 3&4&5 | 26.40 | 0.777 | 149.0 | 32.15 | 0.902 | 39.6 | Couple | 41.63 | 0.972 | 4.5 |
| Pepper | 3&4&5 | 26.05 | 0.804 | 161.5 | 33.09 | 0.924 | 31.9 | Baboon | 41.22 | 0.979 | 4.9 |
| Jet | 4&5&6 | 25.86 | 0.817 | 168.7 | 31.66 | 0.914 | 44.4 | Indian | 41.92 | 0.971 | 4.2 |
| Blonde | 4&5&6 | 27.33 | 0.797 | 120.2 | 32.83 | 0.905 | 33.9 | Bridge | 40.50 | 0.977 | 5.8 |

4.3 Experimental results for method 3

Here, the input comprised the six 232 × 232 secret images, the six 512 × 512 cover images (Figure 3), three positive integer parameters {4 ≤ 5 ≤ 6} for secret image sharing (the values 4, 5, and 6 are for image groups 1, 2, and 3, respectively), three keys for encryption, and three integers {q1 = 2, q2 = 2, and q3 = 3} called type-q progressiveness parameters for the sharing of ‘keys’.

We again divided the six images into three groups according to the sensitivity levels of the six secret images: secret group 1, lowest sensitivity, comprised [House]; secret group 2, moderate sensitivity, comprised [Cameraman, Lena]; and secret group 3, highest sensitivity, comprised [Pepper, Jet, Blonde]. Then, we encrypted each secret image using all three keys.

We then used (r1, n) = (4, 6) in secret sharing to share the first secret group, i.e., to share the encrypted House, among {share1 … share6}. Similarly, we used (r2, n) = (5, 6) in secret sharing to share the second secret group (i.e., the encrypted Cameraman and the encrypted Lena) among {share1 … share6}. Finally, we used (r3, n) = (6, 6) in secret sharing to share the third group's encrypted secret images [Pepper, Jet, Blonde] among {share1 … share6}. The first shadow was generated by integrating the share1s of all six secret images, the second by integrating the share2s of all six secret images, and so on.

The thresholds to share the three keys {Key1, Key2, Key3} were, respectively, q1 = 2, q2 = 2, and q3 = 3. Hence, for i = 1, 2, 3, we used (qi, 3) sharing to share the numerical value Keyi among k = 3 key-shares, so that any qi of the k = 3 generated key-shares (of Keyi) could recover Keyi. Then, for i = 1, 2, 3, we combined the ith key-shares of all three keys to get the ith key-shadow. Next, we used the JPEG data hiding method [17] to hide the six image-shadows in the respective six JPEG codes of the six cover images. Finally, we chose k = 3 of the six cover images and hid the k = 3 key-shadows in the k = 3 JPEG codes of the chosen k = 3 cover images; for example, {Barbara, Lake, Couple}. These three stego images were designated the ‘guardian stegos’.

With any two of the three guardian stegos, we were able to first extract the two key-shadows hidden in the two available guardian stegos. Then, by the inverse progressive sharing process, we were able to recover Key1 and Key2 because their thresholds were q1 = 2 and q2 = 2, respectively. Because two of the three guardian stegos were already available, when any two of the three non-guardian stegos were also available, we had 2 + 2 = 4 shares. We first extracted the four image-shadows hidden in the four available stego images (i.e., two guardian stegos and two non-guardian stegos). Then, by inverse-sharing and decryption and because r1 = 4, we were able to recover the low-quality version of the secret image in the first group. Although we only had two keys (instead of three keys), we were still able to decrypt the first several (low-quality) DCT coefficients (see step 2 in Section 3.3.1). This is why we can decrypt low-quality versions of an image even when not all three keys are available.

Let us now consider another scenario. We assumed that two of the three guardian stegos were already available; hence, {Key1 and Key2} were known. Consequently, because all 6 − 3 = 3 non-guardian stegos were available, we first extracted the 2 + 3 = 5 image-shadows hidden in the five available stego images. Then, by inverse-sharing and decryption, the low-quality version of each secret image in the second group was recovered because the threshold for the second image group was assumed to be r2 = 5. However, since the total number of stego images received was only five, the secret images in the third group still could not be recovered because the threshold for the third image group was assumed to be r3 = 6.

For the scenario where all three guardian stegos were available, we first extracted the three key-shadows hidden in the three guardian stegos. Then, by inverse-sharing, we were able to recover all three keys because the largest threshold for the keys was assumed to be q3 = 3 when we earlier distributed the three keys among the three key-shadows. Since all three guardian stegos were now available, if any one of the 6 − 3 = 3 non-guardian stegos was also available, then, since all three keys were already extracted, we were able to recover the lossless version of the secret image in the first group because 3 + 1 = 4 and the threshold for image group 1 was assumed to be r1 = 4. In the case where (any) two of the three non-guardian stegos were available, we were able to recover the lossless version of each secret image in the second group because 3 + 2 = 5 and the threshold for image group 2 was assumed to be r2 = 5. Finally, for the scenario where all three non-guardian stegos were available, we were able to recover the lossless version of each secret image in the third group because 3 + 3 = 6 and the threshold for image group 3 was assumed to be r3 = 6. The experimental results are listed in Table 3. Note that the thresholds for the sharing of the three keys are {q1 = q2 = 2, and q3 = 3}; thus, there are only two levels to control the recovery of the keys; namely, the collection of two guardian stegos versus the collection of three guardian stegos. Thus, to view secret images, the effective number of progressive levels is also only two.

Table 2 Image quality of method 2 (two-level progressive sharing)

| Secret images | Progressive thresholds (rj1&rj2) | Level 1 PSNR | Level 1 SSIM | Level 1 MSE | Recovery on level 2 | Stego images | Stego PSNR | Stego SSIM | Stego MSE |
|---|---|---|---|---|---|---|---|---|---|
| House | 3&4 | 30.71 | 0.883 | 55.17 | Lossless | Barbara | 43.75 | 0.980 | 2.73 |
| Cameraman | 3&4 | 28.21 | 0.866 | 98.18 | Lossless | Lake | 44.17 | 0.979 | 2.48 |
| Lena | 4&5 | 29.63 | 0.871 | 70.80 | Lossless | Couple | 42.10 | 0.978 | 4.00 |
| Pepper | 4&5 | 29.97 | 0.891 | 65.43 | Lossless | Baboon | 42.31 | 0.985 | 3.81 |
| Jet | 5&6 | 28.55 | 0.883 | 90.70 | Lossless | Indian | 41.29 | 0.975 | 4.82 |

Note also that, if only one of the three guardian stegos is available, then no secret image can be recovered, even if all three non-guardian stegos are available. This is because the three encryption keys are shared and hidden in the guardian stegos, and the smallest threshold q1 = min{q1, q2, q3} to recover at least one key was already set to q1 = 2.
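The recovery rule behind these scenarios can be written down and checked mechanically. The following is an added example, not code from the paper: it models method 3 with the experiment's values (r = 4, 5, 6; q = 2, 2, 3; guardians Barbara, Lake, Couple), and the function names and the "number of decryptable DCT regions" return value are assumptions made for the illustration.

```python
from itertools import combinations

# Values from the Section 4.3 experiment.
GUARDIANS = frozenset({"Barbara", "Lake", "Couple"})
STEGOS = GUARDIANS | {"Baboon", "Indian", "Bridge"}
R = (4, 5, 6)   # r_j: stegos needed to rebuild the encrypted images of group j
Q = (2, 2, 3)   # q_i: guardian stegos needed to rebuild Key i


def method3_regions(received, guardians=GUARDIANS, r=R, q=Q):
    """Return {secret group: number of DCT regions that can be decrypted}.

    A group's encrypted images need at least r_j stegos of any kind, and
    Key i needs at least q_i guardian stegos.  0 means nothing is viewable,
    len(q) means every region is decrypted (lossless).
    """
    received = set(received)
    have_guardians = len(received & guardians)
    keys = sum(1 for qi in q if have_guardians >= qi)
    return {j: keys if len(received) >= rj else 0
            for j, rj in enumerate(r, start=1)}


def smallest_unlocking_set(group, regions, stegos=STEGOS,
                           guardians=GUARDIANS, r=R, q=Q):
    """Search all subsets of stegos for the smallest one that decrypts at
    least `regions` regions of `group`.  Returns (subset size, fewest
    guardians among subsets of that size), or None if no subset works."""
    for size in range(1, len(stegos) + 1):
        hits = [len(set(s) & guardians)
                for s in combinations(sorted(stegos), size)
                if method3_regions(s, guardians, r, q)[group] >= regions]
        if hits:
            return size, min(hits)
    return None


if __name__ == "__main__":
    for label, got in [
        ("2 guardians + 2 others", {"Barbara", "Lake", "Baboon", "Indian"}),
        ("3 guardians + 1 other", GUARDIANS | {"Bridge"}),
        ("1 guardian + 3 others", {"Couple", "Baboon", "Indian", "Bridge"}),
    ]:
        print(label, method3_regions(got))
```

Running the exhaustive search before deployment shows the cheapest collection of stegos that exposes each group, which is the quantity the choice of r and q is meant to control.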

5 Discussion and comparison

5.1 Summary and discussion

Our proposed method 1 is a progressive sharing sensitivity-controlled decoding method; i.e., the decoding is conducted according to the sensitivity level of each image. Images with the same sensitivity level constitute a group. Each secret image in an image group is shared among n shares, and the shares of all images are properly combined to get n shadows with equal significance; consequently, there is no need to worry about which shadow is lost or transmitted first. The n shadows are hidden in the JPEG codes of n cover images to get n stego JPEG codes. If the number of received stegos corresponds to the lowest threshold of an image group, then the rough version of each secret image in that group can be revealed. The higher the number of stegos received, the better the quality of the recovered secret images. In particular, when the number of stego images received corresponds to the highest threshold (considering all thresholds for all groups), then all secret images in all groups can be recovered without errors.

Our proposed method 2 is also a progressive sharing sensitivity-controlled decoding method; however, it differs from method 1 in that ‘weights’ are used in method 2. We divide the n ‘cover’ images into several groups and equip each cover group with a weight specially assigned to that group. Then, according to the weight of each cover group, we hide some of the n secret shadows in the cover group.

Subsequently, decoding is conducted according to the total sum of the weights of the received cover groups. If the sum of the received weights corresponds to the lowest threshold of a secret group, then all secret images of that secret group can be recovered with a low quality. The larger the sum of the received weights, the better the quality of the recovered secret images. Finally, if the sum of the received weights corresponds to the highest threshold of a secret group, then the recovered secret images of that secret group are lossless.

Both progressive methods (methods 1 and 2) increase the shadow size after using multiple thresholds. Therefore, in our proposed method 3, we use a different technique to progressively share multiple secret images. In method 3, if the number of received guardian stegos corresponds to the lowest threshold, as long as the number of received stego images also corresponds to the threshold value of a secret image group, then the rough version of each secret image in that secret group can be revealed. The more guardian images received, the better the quality of the recovered secret images, as long as the number of received stego images also corresponds to certain threshold values. In particular, when the number of received guardian stegos corresponds to the highest threshold value, then all secret images can be recovered without errors, as long as the number of received stego images also corresponds to certain threshold values.

Compared with methods 1 and 2, method 3 has a tighter restriction in the recovery phase: nothing can be displayed without a sufficient number of guardian stegos. Therefore, methods 1 and 2 are more suitable for a public company whose owners are (public) stock holders. The more shadows (stocks) or the more weights appear in the meeting, the more secret details can be unveiled. In contrast, method 3 is more suitable for a family-owned private company in which all the decision-making must first get the permission of the persons in charge, or at least, get the majority agreement of the committee board.

Table 3 Image quality of method 3 (the secret images are recovered in two levels)

| Secret images | Threshold r to recover the secret image | Low-level PSNR | Low-level SSIM | Low-level MSE | High-level recovery | Stego images | Stego PSNR | Stego SSIM | Stego MSE |
|---|---|---|---|---|---|---|---|---|---|
| House | 4 | 31.53 | 0.858 | 45.7 | Lossless | Barbara | 40.07 | 0.979 | 6.40 |
| Cameraman | 5 | 27.11 | 0.853 | 126.5 | Lossless | Lake | 41.57 | 0.978 | 4.53 |
| Lena | 5 | 29.38 | 0.869 | 75.0 | Lossless | Couple | 41.04 | 0.978 | 5.12 |
| Pepper | 6* | No such level* | | | Lossless | Baboon | 41.41 | 0.980 | 4.70 |
| Jet | 6* | No such level* | | | Lossless | Indian | 41.56 | 0.976 | 4.54 |
| Blonde | 6* | No such level* | | | Lossless | Bridge | 40.08 | 0.978 | 6.38 |

* Since we used (r, n) = (6, 6) in the secret sharing of the third group's secret images, [Pepper, Jet, Blonde], these three images cannot be viewed unless all six stego images have been collected. Consequently, only high-level PSNR, i.e., only the lossless version, exists.

In Table 4, we list the advantages and disadvantages of the three proposed methods. On the issue of stability, method 1 is the most stable one, as explained below. In method 2, the recovered versions of secret images are identical to those of method 1. However, the stego images' quality is less stable in method 2, because the stegos' quality is influenced by the matching between the weights {wi} and the hiding capacity of the cover groups {CGi}. When one of the weights is particularly large, the instability becomes obvious. For example, if {w1 = 1, w2 = 1, w3 = 4} and if the three cover groups have similar hiding capacity, then distinct stego groups might have very distinct qualities. In Table 2, where {w1 = 1, w2 = 2, w3 = 3}, the quality of the image Bridge, which is in stego group 3, is also worse than the quality of {Barbara, Lake} in stego group 1. Finally, method 3 is also less stable than method 1 because some assignments of values to the type-r parameter might cut the effective number of progressive levels, as will be seen in Table 5 and a paragraph near the end of Section 5.5.

Table 4 A comparison between the three proposed methods

| Methods | Characteristic | Suitable environment | Advantage | Disadvantage |
|---|---|---|---|---|
| Method 1 | a) Basic form of our progressive sharing/viewing. b) Every stego image is of the same significance. | All participants, i.e., all holders of stegos, must be of equal importance. | a) Simple and stable. b) Every stego image hides the same amount of secrets. Therefore, there is no need to worry about which cover image should hide more. | Shadow size is larger than that of method 3. |
| Method 2 | a) The recovered versions of the secret images are identical to those of method 1. b) However, the stego images have different weights in method 2. | The owners of some stegos are more important than the owners of other stegos. | a) Method 1 is just a special case of method 2. b) Hence, compared to method 1, method 2 has more possible ways to control the unveiling of secret images. | a) Shadow size is larger than that of method 3. b) The hiding capacity of some covers might be insufficient (or a severe impact on some cover images might exist), if a weight value is much larger than other weight values. c) The stego images' quality is less stable than that of methods 1 and 3. d) Therefore, a careful matching between weights and covers might be needed. (In general, assign larger weights to the cover groups of larger size.) |
| Method 3 | a) Using the so-called guardian stegos. b) Keys are used in method 3. | a) Suitable for a company which is controlled by a committee (the committee cannot allow any unveiling of secrets without the approval of a certain percentage of the committee members). b) Also suitable for the protection of images which are very sensitive. | a) Some stegos are guardian stegos, and they form the committee to guard the disclosure of secrets (the unveiling of secrets cannot happen if many guardian stegos disapprove it). b) The committee has the absolute rights to turn down the disclosure of a secret. c) Smaller shadow size. d) Better security than methods 1 and 2. | a) The social rank of non-guardian stegos is very low. If the number of received guardian stegos is less than the minimal threshold value, then the secret images have no chance to be unveiled (even if ‘every’ non-guardian stego's holder wants to unveil the secret images). b) Some values of parameter r make the number of progressive levels reduced from the assigned value to a smaller value. |

Now we analyze the precision of the recovered secret images. Since all three methods can produce error-free recovery as the highest-quality recovery, we focus our comparison on the lowest-quality version, i.e., the recovery on level 1. Methods 1 and 2 give identical recovered versions of secret images, so we only need to compare method 1 to method 3. In method 1, as analyzed in Section 5.5, when (rj1 ≤ rj2 ≤ … ≤ rjk) are utilized as the k progressive thresholds to share an image in secret group j, the lowest version's quality is determined by the ratio rj1/(rj1 + rj2 + … + rjk). The larger the ratio value, the better the precision. Therefore, the best level-1 quality occurs when k = 2 and rj1/(rj1 + rj2 + … + rjk) = rj1/(rj1 + rj2) is almost 1/2. In this case, as analyzed in Section 5.5, about rj1/(rj1 + rj2) = 50% of the rearranged DCT data are utilized to recover the level 1 version. On the other hand, for method 3, if q1 of the k guardian stegos are available, then the lowest version's quality is determined by the ratio area(region 1) ÷ [area(region 1) + … + area(region k)], where {region 1, …, region k} are the k non-overlapping regions that partitioned the DCT coefficients in step 2.2 of Section 3.3.1. Since we had the freedom to assign any percentage of the DCT data to region 1, this area-ratio can be as low as 1%, or as high as 99%. Now, compared to the 50% of method 1, we can say that the lowest-quality recovery of method 3 can be either worse or better than the lowest-quality recovery of method 1. The precision comparison between the methods is thus case-by-case and inconclusive.

5.2 Comparison with reported methods

Our methods are progressive sharing methods. Functionality comparisons between our methods and various other progressive sharing schemes are shown in Table 6. Our methods' decoding is according to the sensitivity levels of different secret groups. In Table 6, all other schemes consider one secret image instead of multiple secret images. Furthermore, note that, in our method 2, distinct groups of ‘cover’ images are also assigned distinct weights.

The shadow size of method 1 is equal to that of method 2; method 3 has the smallest shadow size. As shown in Table 7, the shadow size is small in each of our three methods; thus, the shadow can be easily hidden in the JPEG codes of cover images. The sizes associated with the various methods are given below. In the traditional (t, n) secret sharing method, the size of the shadow is only 1/t of the original secret data. In our proposed methods 1 and 2, when we use the [(r1&r2&…&rk); n] progressive sharing method to share some secret data, the size of each shadow is k/(r1 + r2 + … + rk) of that of the original secret data, as explained below. We process r1 + r2 + … + rk values together each time. The first r1 values are shared by (r1, n) sharing; thus, each shadow receives one value after sharing these r1 values. Similarly, the next r2 values are shared by (r2, n) sharing; thus, each shadow receives one value after sharing these r2 values, and so on.

Therefore, when we consider the sharing of these r1 + r2 + … + rk values, it is obvious that each shadow receives 1 + 1 + … + 1 = k values generated from the sharing of these r1 + r2 + … + rk values. As a result, the size of each shadow is k/(r1 + r2 + … + rk) of the original size of the secret. Note that k is the number of progressiveness thresholds, {r1 … rk}, being used. Therefore, if the maximal threshold rk of a progressive sharing, [(r1&r2&…&rk); n], is equal to the single threshold t of non-progressive sharing, then both progressive scheme and non-progressive scheme can recover the original data without errors if t shares are received. However, the inequality

$$\frac{k}{r_1 + r_2 + \dots + r_{k-1} + r_k} = \frac{k}{r_1 + r_2 + \dots + r_{k-1} + t} > \frac{k}{t + t + \dots + t} = \frac{k}{kt} = \frac{1}{t} \qquad (7)$$

tells us that the shadow size generated by progressive sharing is larger than the shadow size generated by non-progressive sharing. This is the price of being progressive. For instance, comparing a (4, n) non-progressive share and a [(3&4); n] progressive share, it can be seen that both schemes can recover secrets without errors when four shadows are received. However, if only three shadows are received, then the progressive scheme can still recover a ‘rough’ version, whereas the non-progressive scheme cannot. The shadow size generated by (4, n) non-progressive sharing is S/4 = 0.25S (assuming that S is the size of the secret file); whereas the shadow size generated by [(3&4); n] progressive sharing is 2S/(3 + 4) = 0.286S. If the number of progressive levels increases, for example, from a two-level scheme [(3&4); n] to a three-level scheme [(2&3&4); n], then the shadow size also increases and becomes 3S/(2 + 3 + 4) = 0.333S.

Table 5 Image quality of method 3 (the secret images are recovered in three levels)

| Secret images | The (r, n) in sharing | Low-level PSNR | Low-level MSE | Moderate-level PSNR | Moderate-level MSE | High-level recovery | Stego images | Stego PSNR | Stego MSE |
|---|---|---|---|---|---|---|---|---|---|
| House | (4, 6) | 29.89 | 66.69 | 35.72 | 17.42 | Lossless | Barbara | 40.14 | 6.30 |
| Cameraman | (5, 6) | N/A | N/A | 29.19 | 78.36 | Lossless | Lake | 41.56 | 4.54 |
| Lena | (5, 6) | N/A | N/A | 31.22 | 49.10 | Lossless | Couple | 41.16 | 4.98 |
| Pepper | (6, 6) | N/A | N/A | N/A | N/A | Lossless | Baboon | 41.29 | 4.83 |
| Jet | (6, 6) | N/A | N/A | N/A | N/A | Lossless | Indian | 41.47 | 4.64 |
| Blonde | (6, 6) | N/A | N/A | N/A | N/A | Lossless | Bridge | 40.17 | 6.25 |
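The [(3&4); n] case can be run end to end to see both the partial recovery and the 2/7 shadow size. The following is an added example, not the authors' implementation: it assumes the Thien-Lin-style construction in which the r values of a unit are the coefficients of a degree r − 1 polynomial, a prime modulus of 257 (the page does not state the field), and constructed sample data in place of rearranged DCT coefficients.

```python
from fractions import Fraction

P = 257  # assumed prime modulus (not given on the page); inputs must be 0..256


def share_unit(values, n):
    """(r, n) sharing of r values: they are the coefficients of a polynomial
    of degree r-1, and shadow x (x = 1..n) receives the one value f(x) mod P."""
    return [sum(v * pow(x, e, P) for e, v in enumerate(values)) % P
            for x in range(1, n + 1)]


def interpolate(points):
    """Coefficients (lowest order first) of the polynomial through r points."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # multiply the running basis polynomial by (x - xj)
                basis = [(a - xj * b) % P
                         for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for d, b in enumerate(basis):
            coeffs[d] = (coeffs[d] + scale * b) % P
    return coeffs


def progressive_share(secret, thresholds, n):
    """[(r1&...&rk); n] sharing: each unit of r1+...+rk values adds exactly
    k values to every shadow (one per threshold)."""
    unit = sum(thresholds)
    padded = list(secret) + [0] * (-len(secret) % unit)
    shadows = [[] for _ in range(n)]
    for start in range(0, len(padded), unit):
        pos = start
        for r in thresholds:
            for shadow, y in zip(shadows, share_unit(padded[pos:pos + r], n)):
                shadow.append(y)
            pos += r
    return shadows


def progressive_recover(received, thresholds, length):
    """received maps a 1-based shadow index to its shadow.  Values whose
    threshold exceeds the number of shadows received come back as None."""
    if not received:
        return [None] * length
    xs, k = sorted(received), len(thresholds)
    out = []
    for u in range(len(received[xs[0]]) // k):
        for level, r in enumerate(thresholds):
            if len(xs) >= r:
                pts = [(x, received[x][u * k + level]) for x in xs[:r]]
                out.extend(interpolate(pts))
            else:
                out.extend([None] * r)
    return out[:length]


def shadow_ratio(thresholds):
    """Shadow size as a fraction of the secret size: k / (r1 + ... + rk)."""
    return Fraction(len(thresholds), sum(thresholds))


# Constructed sample secret: two units of 3 + 4 = 7 values each.
SECRET = [10, 200, 33, 47, 5, 91, 128, 64, 255, 0, 17, 76, 143, 9]
SHADOWS = progressive_share(SECRET, (3, 4), 6)


def demo():
    """Recovery results when 2, 3 and 4 of the 6 shadows are received."""
    pick = lambda ids: {i: SHADOWS[i - 1] for i in ids}
    return {len(ids): progressive_recover(pick(ids), (3, 4), len(SECRET))
            for ids in ((2, 5), (1, 3, 6), (2, 3, 4, 6))}


if __name__ == "__main__":
    print(shadow_ratio((3, 4)), demo())
```

Because every coefficient carries secret data and none is random, fewer than r shadows still narrow the candidate values, so the data should be encrypted or permuted before sharing; method 3 encrypts each image with its keys first.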

Table 7 compares the shadow sizes of various progressive sharing schemes. Assume that the given secret image is the 512 × 512 grayscale image Lena, and the progressiveness thresholds are [(3&4&5&6), 6] for ‘all’ schemes. In Table 7, since our proposed methods 1 and 2 are designed for multiple secrets, we let the first secret group have only one secret image (Lena), and all other secret groups be empty (have no secret image). Then, we use [(r11&r12&r13&r14), n] = [(3&4&5&6), 6] as the (local) progressiveness thresholds for the secret group containing Lena. In Table 7, it can be seen that among all lossless methods, our scheme has the smallest shadow size. Our shadow size is even smaller than that of the lossy method proposed by Hung et al. [5]. Using a small shadow size is important in every sharing method. If the shadow is small, the n shadows can be transmitted quickly, storage space can be saved, and shadows can be hidden easily in other media.

Table 8 summarizes the PSNRs of the recovered images and stego images, when three progressive levels were used in each reported progressive sharing scheme. Our three methods consider multiple images, so we have a PSNR range, rather than a single PSNR value. Each reported method has its own setting of parameters and is too tedious to list, so almost all experimental values in Table 8 were quoted directly from the cited papers. From Table 8, we can see that, like most of the other single-secret progressive methods, all three multiple-secret methods of ours can also achieve lossless recovery of secret images; however, our impact on host images is smallest because our stego images have the highest PSNR values.

Table 6 Functionality comparisons between various proposed progressive sharing schemes and our sharing scheme

| Schemes | Cover images format | Multiple secret images | Different sensitivity levels for different secret image groups | Different weights for different cover image groups | Use of guardian stegos |
|---|---|---|---|---|---|
| Chen and Lin [3] | Uncompressed cover images | No | No | No | No |
| Wang and Shyu [4] | Uncompressed cover images | No | No* | No | No |
| Hung et al. [5] | Uncompressed cover images | No | No | No | No |
| Chen and Lin [6] | Compressed cover images | No | No | No | No |
| Our scheme | Compressed cover images | Yes | Yes | Method 2 | Method 3 |

* Wang and Shyu [4] used different sensitivity levels for different areas of an image.

Table 7 Comparison of shadow sizes among various progressive sharing schemes

| Scheme | Size of each shadow (smaller is better) (bytes) | Quality of the best reconstructed versions (dB) | Shadow size ÷ (512 × 512) (%) |
|---|---|---|---|
| Chen and Lin [3] | 58,254 | Lossless | 22.22 |
| Wang and Shyu [4] | 131,072 | Lossless | 50.00 |
| Hung et al. [5] | 30,720 | 37.04 | 11.72 |
| Chen and Lin [6] | 33,802 | Lossless | 12.89 |
| Our methods 1 and 2 | 28,023 | Lossless | 10.69 |

5.3 Parameters' values

5.3.1 Parameters of methods 1 and 2

• k (the number of progressive levels)

We suggest the use of k = 2 or k = 3. Use k = 2 if the user wishes that the recovery of each secret image has two levels (low-quality vs. lossless). Use k = 3 if the user wishes that the recovery of each secret image has three levels (low-quality, medium-quality, and lossless). The value of k should not be large, because each 8-by-8 DCT block only has 64 coefficients, and many of them are zeros. For example, using k = 8 is impractical, for {rj1, rj2, …, rj8} = {2, 3, 4, 5, 6, 7, 8, 9} implies that every RSUM = 2 + 3 + 4 + 5 + 6 + 7 + 8 + 9 = 44 DCT coefficients are bound together and processed as a unit in the progressive sharing process, but the 64 DCT coefficients might not have so many non-zeros. As a result, either the method cannot be implemented or a waste of the shadow space is introduced in the sharing process.

• rj1

For each secret image group, for example, secret group j, both methods 1 and 2 utilize k progressive threshold values (2 ≤ rj1 ≤ rj2 ≤ … ≤ rjk ≤ n). Here, rj1 means that people cannot recover any version of the images in secret group j unless at least rj1 stegos (in method 1) are received, or unless the sum of the weights of the received cover groups is at least rj1 (in method 2). Therefore, we suggest the use of a large value for rj1 (for example, rj1 = ⌈n/2⌉ or ⌈2n/3⌉) if the images in secret group j are very sensitive; otherwise, just use a small value for rj1 (for example, rj1 = 2 or 3). Note that rj1 = ⌈n/2⌉ means at least one half of the shadows must be available before the lowest-quality version of the sensitive images can be reconstructed.

• rjk

Since rjk is related to the lossless recovery of the images in secret group j, let rjk be a very large value (for example, n or n − 1) if secret group j is very sensitive. Notably, using rjk = n means that all cover images must be received before the lossless version of secret group j can be recovered. Using a large value for the parameter rjk can avoid the stealing of the lossless version of the images in secret group j; however, it also weakens the missing-allowable benefit of the sharing approach. Therefore, do not let rjk be as large as n or n − 1, unless the images in secret group j are very sensitive.

• The weights {w1, w2, …, wT} and the cover groups (CG)

Method 2 uses T weights {w1, w2, …, wT} with w1 + w2 + … + wT = n. The n given cover images are assigned to T cover groups, and cover group j (CGj) hides wj shadows, for each j = 1, 2, …, T. Therefore, |CGj|, which denotes the number of cover images in CGj, cannot be small if wj is large. To explain this, without loss of generality, assume that there are, again, n = 6 secret images and n = 6 cover images. If T = 3 and the weights of the three cover groups are w1 = 1, w2 = 1, and w3 = 4, respectively, then the number of cover images in the three cover groups can be {1, 1, 4} or {1, 2, 3} or {2, 2, 2}. Among them, the combination {2, 2, 2} is the worst, as explained below. Since {|CGj|}j = 1, 2, 3 = {2, 2, 2}, one shadow (w1 = 1) is hidden in the two cover images of CG1; one shadow (w2 = 1) is hidden in the two cover images of CG2; but four shadows (w3 = 4) are hidden in the two cover images of CG3. The impact on the two cover images of CG3 will be too large due to the fact that each cover image must hide (w3/|CG3|) = (4/2) = 2 shadows. Therefore, to keep the quality of some stego images from becoming too low, we suggest that the value of |CGj| not be small if wj is large.

In the last paragraph, when {w1 = 1, w2 = 1, w3 = 4}, although the partition {|CGj| = wj} = {1, 1, 4} of the six cover images will not cause big impact on the cover images, the fact that |CG3| = 4 means that these four cover images are bound together, and the stego file size of cover group 3 is very large (four times larger than that of cover group 1). This might give the manager of group 3 some inconvenience. As a compromise between the stego quality and convenience, {|CGj|} = {1, 2, 3} might be the best tradeoff when {w1 = 1, w2 = 1, w3 = 4}.

Table 8 Comparison of PSNRs and MSEs among various progressive sharing schemes (three levels)

| Scheme | PSNR (MSE) of recovery on level 1 | PSNR (MSE) of recovery on level 2 | PSNR (MSE) of recovery on level 3 | PSNR (MSE) of stego |
|---|---|---|---|---|
| Chen and Lin [3] (three experiments for ‘Lena’, with various parameter settings) | 13.15 to 31.11 (MSE = 50.4 to 3148.3) | 20.00 to 46.38 (MSE = 1.50 to 650.2) | Lossless | 34.62 to 36.43 (MSE = 14.8 to 22.4) |
| Wang and Shyu [4] | *N/A | *N/A | Lossless | *N/A |
| Hung et al. [5] (Lena) | 28.00 (MSE = 103.1) | 32.67 (MSE = 35.1) | 37.04 (MSE = 12.9) | 35.68 to 35.86 (MSE = 16.9 to 17.6) |
| Chen and Lin [6] (lossy version) | 28.37 (MSE = 94.7) | 34.12 (MSE = 25.18) | 39.79 (MSE = 6.8) | 32.97 to 38.96 (MSE = 8.3 to 32.8) |
| Our method 1 | 24.50 to 28.23 (MSE = 97.7 to 230.7) | 30.26 to 34.85 (MSE = 21.3 to 61.2) | Lossless | 39.60 to 42.00 (MSE = 4.1 to 7.2) |
| Our method 2 | 24.50 to 28.23 (MSE = 97.7 to 230.7) | 30.26 to 34.85 (MSE = 21.3 to 61.2) | Lossless | 37.21 to 43.23 (MSE = 3.1 to 12.4) |
| Our method 3 | 26.92 to 30.53 (MSE = 57.6 to 132.2) | 29.19 to 35.72 (MSE = 17.4 to 78.4) | Lossless | 40.74 to 42.35 (MSE = 3.8 to 5.5) |

The other reason why we do not use {|CGj| = wj}j = 1, 2, …, T = {|CGj| = wj}j = 1, …, 3 = {1, 1, 4} is as explained below. Using |CGj| = wj for any j will make method 2 very similar to method 1: each cover image hides exactly one secret image. Hence, the quality of both the stegos and the recovered secret images is identical between methods 1 and 2. The only difference is that the stegos in method 1 are not bound together to form stego groups. So, from the viewpoint of recovery, if |CGj| = wj ∀ j = 1, 2, …, T, then method 1 is more convenient than method 2. In method 1, the possible number of shadows for decoding can be any number from 1 through n, because the number of received shadows equals the number of received stegos. In method 2, however, only w1 = 1, w2 = 1, w3 = 4, w1 + w2 = 2, w1 + w3 = 5, w1 + w2 + w3 = 6 shadows are possible combinations for the number of received shadows. In this case, the recovery using three shadows will never happen. Therefore, if 3 is one of the progressive threshold values (2 ≤ rj1 ≤ rj2 ≤ … ≤ rjk ≤ 6) for some cover group j, then each image in that group will not have k-levels progressive decoding, provided that method 2 is used and {|CG1| = 1 = w1; |CG2| = 1 = w2; |CG3| = 4 = w3}.
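A weight assignment can be checked for this loss of levels before any image is shared. The following is an added example, not code from the paper: the function names are hypothetical, and treating level i as observable only when some reachable weight sum s satisfies r_i ≤ s < r_(i+1) is this example's formalization of the paragraph above, generalized to any weights and thresholds.

```python
from fractions import Fraction
from itertools import combinations


def reachable_sums(weights):
    """Every total weight obtainable by receiving a non-empty set of cover groups."""
    idx = range(len(weights))
    return sorted({sum(weights[i] for i in chosen)
                   for size in range(1, len(weights) + 1)
                   for chosen in combinations(idx, size)})


def observable_levels(weights, thresholds):
    """1-based recovery levels that some combination of cover groups can
    actually produce.  Level i shows up only if a reachable sum s satisfies
    r_i <= s < r_(i+1); otherwise decoding jumps straight past it."""
    sums = reachable_sums(weights)
    bounds = list(thresholds) + [float("inf")]
    return [i + 1 for i in range(len(thresholds))
            if any(bounds[i] <= s < bounds[i + 1] for s in sums)]


def shadows_per_cover(weights, group_sizes):
    """Hiding load w_j / |CG_j| that each cover image of group j must carry."""
    return [Fraction(w, size) for w, size in zip(weights, group_sizes)]


def audit(weights, group_sizes, thresholds_by_group):
    """Return (lost levels per secret group, heaviest per-cover load)."""
    lost = {}
    for group, thresholds in thresholds_by_group.items():
        seen = observable_levels(weights, thresholds)
        lost[group] = [lvl for lvl in range(1, len(thresholds) + 1)
                       if lvl not in seen]
    return lost, max(shadows_per_cover(weights, group_sizes))


if __name__ == "__main__":
    # Thresholds of Table 1 with the weights discussed in Section 5.3.1.
    table1 = {1: (2, 3, 4), 2: (3, 4, 5), 3: (4, 5, 6)}
    print(audit([1, 1, 4], [2, 2, 2], table1))
    print(audit([1, 2, 3], [2, 2, 2], table1))
```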

5.3.2 Parameters of method 3

• The threshold rj for the sharing of secret group j (j = 1, 2, …, t)

The basic requirement is rj ∈ {2, …, n}. Assign a very large value (for example, n or n − 1) to rj, if secret group j is very sensitive. In general, using a larger rj value can make it harder to steal the images in secret group j; however, this also reduces the missing-allowable benefit of the sharing approach: the corruption of two stegos will make the recovery of secret group j become almost impossible. Therefore, do not let rj be as large as n or n − 1, unless secret group j is very sensitive. On the other hand, use rj = 2 or rj = 3 if secret group j is of very low sensitivity.

• The k progressiveness parameters [q1 ≤ q2 ≤ … ≤ qk = k] of type-q

For each j = 1, 2, …, t, if (any) rj of the n stego images are available, then, since r1 ≤ r2 ≤ … ≤ rj, we can reconstruct the ‘encrypted’ version of each secret image in {secret group 1, …, secret group j}. After that, there are k possible levels of decryption. Assume that the rj received stego images include qm guardian stegos. Then, we can recover the m keys {Key1, …, Keym}; and hence, reconstruct m of the k regions of the DCT coefficients. Consequently, each image in secret groups {1, …, j} can be revealed using the mth-level recovery quality.

As for the ith progressiveness parameter qi in the set [q1 ≤ q2 ≤ … ≤ qk = k], just assign a large value (such as k or k − 1) to qi if we wish that the ith-level recovery should not be done without the joint attendance of many guardian stegos.

Below we give some examples to illustrate how the values of the k progressiveness parameters [q1 ≤ q2 ≤ … ≤ qk = k] affect the decoding results. Assume that we have received rj stego images; so, the ‘encrypted’ version of each secret image in secret groups 1, 2, …, j is known. Example 1: let [q1 = q2 = … = qk-1 = 2, and qk = k]. If the rj received stego images include two or more guardian stegos, then we can recover almost every region of DCT coefficients. Consequently, each image in secret groups {1, …, j} can be revealed with a very good quality. Example 2: let [q1 = q2 = … = qk-1 = k − 1, and qk = k]. If the rj received stego images include k − 2 of all guardian stegos, then we still cannot decrypt any region of any secret image. Example 3: let [q1 = q2 = 2; and qi = i for i = 3, 4, …, k]. If the rj received stego images include two guardian stegos, then we can recover each image in secret groups {1, …, j} with level 1 quality. If three guardian stegos are included, then the recovery quality is better, i.e., of level 2. If four guardian stegos are included, then the recovery quality is of level 3, and so on. Therefore, this is a progressive effect with many levels.

 The sharing thresholds {rj} vs. the progressiveness

parameters [q1≤ q2≤ … ≤ qk= k]

The influence of $r_j$ is local. For example, $r_j = 3$ only means that at least three out of $n$ stegos are required in order to get the encrypted version of secret group $j$. On the contrary, the influence of $q_i$ is global (across all secret groups), because $q_i = 3$ means that at least three of the $k$ guardian stegos must be available in order to decrypt region $i$ of the DCT coefficients of all secret images in all secret groups.

• $k$

Notably, in step 8 of the algorithm, we chose $k$ of the $n$ cover images to hide the respective $k$ key-shadows to get the $k$ guardian stegos. Hence, $k < n$ is a natural requirement ($k = n$ makes every stego a guardian stego, but such a system is not very meaningful: it is like a company in which every employee is on the supervisory committee of the company). On the other hand, $k = 1$ gives no progressive effect (because the $k$-level decryption reduces to one-level decryption). Thus, $k \in \{2, \dots, n-1\}$. For example, in our experiments there were $n = 6$ images, so $k$ is chosen from {2, 3, 4, 5}.


Of course, the larger the value of $k$, the greater the number of recovery levels. Notably, $k$ also affects the image quality recovered on the lowest level, as explained below. In our algorithm, the DCT coefficients are partitioned into $k$ regions. If the partition is uniform among regions, then a smaller value of $k$ means that each region has more DCT coefficients; therefore, the level 1 reconstruction of secret images will have better quality.

5.4 Steganography and security issues

Images in our system are protected by several checkpoints: a) the stranger must extract the shadows which we hid in the JPEG stegos; b) the stranger must intercept a sufficient number of shadows (if he knows which stegos to intercept); c) we can send or store stegos using distinct channels or computers, and, because of the missing-allowable property of threshold sharing, our decoding still works when some channels or computers are destroyed; d) the interceptors must intercept a sufficient number of stegos before they can try to obtain sensitive images, because decoding with an insufficient number of shadows is extremely difficult, as analyzed later in this subsection; e) some of our methods use multiple keys, which increases the difficulty for hackers.

The reasons that we use the JPEG data hiding method [17] to embed our $n$ shadows in $n$ JPEG codes are as follows: 1) Compared to spatial-domain stegos, JPEG code can save storage space and may also reduce the chance of attracting attackers. 2) JPEG compression disturbs the correlation between adjacent pixels of an image, so the permutation pre-processing employed in certain image sharing schemes [4,8,10] before sharing can be omitted. 3) As for the security of our JPEG codes, the size of the JPEG code (without hiding any secret), with the quality factors being in the range 10 to 95, is between 8,119 and 94,581 bytes for many gray-level images. The sizes of our JPEG stego-codes listed in Tables 1, 2, and 3 are all in this range. Therefore, the attackers will not be suspicious about the size of our JPEG stego codes. 4) Note that the JPEG hiding method [17] has been shown to resist Chi-square [26] and StegDetect [27] attacks, reducing the chance that the attackers notice the existence of our shadows in the JPEG stego codes. 5) To summarize, the hiding in the JPEG stego-code is less noticeable.

Below we analyze the probability of obtaining the sensitive image through 'guessing' when the number of received shadows is less than the minimal requirement. In methods 1 and 2, for each image in secret group $j$, let the $[(r_{j1} \& r_{j2} \& \dots \& r_{jk}); n]$ progressive sharing be utilized to get $n$ shares, which share the DCT data of the image. Without loss of generality, let the image be 128 × 128, and $[(r_{j1} \& r_{j2} \& \dots \& r_{jk}); n] = [(3 \& 4); 6]$. Therefore, RSUM = 3 + 4 = 7, and the image has (128 × 128)/(8 × 8) = 16 × 16 = 256 DCT blocks. In our experiments, some images have, on average, about 21 non-zero values among the 64 DCT coefficients. So, in the rearranged DCT data, each block has about 21 numbers. The first $r_{j1}/\mathrm{RSUM} = 3/(3+4) = 3/7$ of the 21 numbers are shared using $(3, n)$ sharing, and the next $r_{j2}/\mathrm{RSUM} = 4/(3+4) = 4/7$ of the 21 numbers are shared using $(4, n)$ sharing.

In the decoding, suppose a person does not receive at least $r_{j1}$ shadows; for example, assume that he only receives $r_{j1} - 1 = 3 - 1 = 2$ shadows. Then for a three-coefficient polynomial like $f(x) = a_0 + a_1 x + a_2 x^2 = 109 + 23x + 83x^2$, although he knows $f(1)$ and $f(2)$, he still cannot know that the three coefficients are (109, 23, 83). The only thing he knows is a table, i.e., if $a_0 = 0$, then $(a_1, a_2) = \dots$; if $a_0 = 1$, then $(a_1, a_2) = \dots$; if $a_0 = 2$, then $(a_1, a_2) = \dots$; and so on. Now, if each number is in the range 0 to 255, then the probability to get the correct $(a_0, a_1, a_2) = (109, 23, 83)$ is 1/256. Since the first 9 of the 21 numbers use $r_{j1} = 3$ as the threshold value, the chance that the stranger gets these 9 values from the two shadows that he owns is $(1/256)^{9/3} = (1/256)^3$. As for the next 21 − 9 = 12 numbers, since they are shared using $r_{j2} = 4$ as the threshold value, the chance that the stranger gets these 12 values from $r_{j2} - 1 = 4 - 1 = 3$ shadows is $(1/256)^{12/4} = (1/256)^3$.

However, for the 12 numbers, which are shared using $r_{j2} = 4$ as the threshold value, the probability that the stranger gets these 12 values from two shadows is much less than $(1/256)^{12/4} = (1/256)^3$. For example, for a four-coefficient polynomial like $g(x) = b_0 + b_1 x + b_2 x^2 + b_3 x^3 = 78 + 43x + 65x^2 + 114x^3$, although the stranger knows two values such as $g(1)$ and $g(2)$ from the two shadows, he still cannot know that the four coefficients are (78, 43, 65, 114). The only thing he knows is a two-dimensional table like 'if $(b_0, b_1) = (0, 0)$, then $(b_2, b_3) = \dots$; if $(b_0, b_1) = (0, 1)$, then $(b_2, b_3) = \dots$;' Consequently, if each number is in the range 0 to 255, then the probability to get the correct $(b_0, b_1, b_2, b_3) = (78, 43, 65, 114)$ is $(1/256)^2$. Hence, the chance to get these 12 values from two shadows is $[(1/256)^2]^{12/4} = (1/256)^6$. Together, the chance to get the 9 + 12 = 21 values of the block from two shadows is $(1/256)^3 \times (1/256)^6 = (1/256)^9$. For an image of $w$-by-$h$ pixels, there are $(w \times h)/(8 \times 8)$ blocks. So the chance to get the rearranged DCT coefficients of the image is $[(1/256)^9]^{(w \times h)/(8 \times 8)}$. If the sensitive image is 128 × 128, then the chance is $[(1/256)^9]^{16 \times 16} = (1/256)^{9 \times 256} = (256)^{-2,304} = 10^{-5,548}$. If the sensitive image is 512 × 512, then the chance is $(1/256)^{9 \times 4,096} = (256)^{-36,864} = 10^{-88,777}$.
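The 'table' argument for the three-coefficient polynomial, and the exponents derived above, can be checked by enumeration. The Python code below is an added example, not code from the paper; it assumes the shares are computed over GF(2^8) with reduction polynomial 0x11B (the section only states that each number lies in the range 0 to 255), and all function names are hypothetical.

```python
import math

def gf_mul(a, b, poly=0x11B):
    """Multiply two bytes in GF(2^8); the reduction polynomial is an assumption."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= poly
        b >>= 1
    return r

def evaluate(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... over GF(2^8)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y

def candidates_from_two_shadows(y1, y2):
    """Every (a0, a1, a2) that agrees with f(1) = y1 and f(2) = y2."""
    found = []
    for a0 in range(256):
        for a1 in range(256):
            a2 = y1 ^ a0 ^ a1  # forced by f(1) = a0 + a1 + a2 (addition is XOR)
            if evaluate((a0, a1, a2), 2) == y2:
                found.append((a0, a1, a2))
    return found

def guess_exponent(segments, received, width, height):
    """Return e where the whole-image guessing chance is (1/256)**e.

    segments lists (numbers per 8x8 block, threshold r); each polynomial
    carries r numbers and costs one guessed byte per missing shadow.
    """
    per_block = sum((count // r) * max(r - received, 0) for count, r in segments)
    return per_block * ((width * height) // 64)

if __name__ == "__main__":
    secret = (109, 23, 83)  # the polynomial used in the text
    table = candidates_from_two_shadows(evaluate(secret, 1), evaluate(secret, 2))
    print(len(table), secret in table)  # one candidate triple per value of a0
    e = guess_exponent([(9, 3), (12, 4)], received=2, width=128, height=128)
    print(e, e * math.log10(256))  # exponent of 1/256 and its base-10 size
```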

As for method 3, for each image in secret group $j$, method 3 uses $(r_j, n)$ sharing to create $n$ shares which share the 'encrypted' DCT data of the image. Without loss of generality, still let the image be 128 × 128 and the sharing threshold be $r_j = 3$. Therefore, the image has (128 × 128)/(8 × 8) = 16 × 16 = 256 DCT blocks. Still assume that the image has about 21 of the 64 DCT


Figure 1 Rearranging the values of the original sector. MSB and LSB are the abbreviations for most and least significant
Figure 2 DCT value sequence rearrangement order. In Figure 2, the block is adjusted (by filling in zeroes) so that the number of DCT elements (in the block) is a multiple of the integer constant ‘RSUM’.
Figure 3 The six 512 × 512 cover images: {Barbara, Lake, Couple, Baboon, Indian, Bridge}.
Table 1 shows the quality of the progressively recovered secret images during the decoding phase