Secret image sharing with capability of share data reduction

Secret image sharing with capability of share

data reduction

Chang-Chou Lin Wen-Hsiang Tsai

National Chiao Tung University

Department of Computer and Information Science

Hsinchu, Taiwan 300

E-mail: gis85529@cis.nctu.edu.tw

Abstract. A novel approach to secret image sharing based on a (k,n)-threshold scheme with the additional capability of share data re-duction is proposed. A secret image is first transformed into the fre-quency domain using the discrete cosine transform (DCT), which is ap-plied in most compression schemes. Then all the DCT coefficients except the first 10 lower frequency ones are discarded. And the values of the 2nd through the 10th coefficients are disarranged in such a way that they cannot be recovered without the first coefficient and that the inverse DCT of them cannot reveal the details of the original image. Finally, the first coefficient is encoded into a number of shares for a group of secret-sharing participants and the remaining nine manipulated coefficients are allowed to be accessible to the public. The overall effect of this scheme is achievement of effective secret sharing with good reduction of share data. The scheme is thus suitable for certain application environments, such as the uses of mobile or handheld devices, where only a small amount of network traffic for shared transmission and a small amount of space for data storage are allowed. Good experimental results proving the feasibility of the proposed approach are also included. © 2003 Society of Photo-Optical Instrumentation Engineers. [DOI: 10.1117/1.1588661]

Subject terms: secret image sharing; data hiding; share data reduction; visual cryptography; image compression; discrete cosine transform.

Paper 020511 received Nov. 26, 2002; revised manuscript received Jan. 16, 2003; accepted for publication Feb. 14, 2003.

1 Introduction

Because of the ease of digital duplication and tampering, data security becomes an important issue nowadays. Private-key and public-key systems are two well-known cryptosystems.1– 4 They enable secret data to be kept se-curely in such a way that an opponent cannot understand what the secret data mean. The secret, which is called plaintext, is first encrypted, using a predetermined key, and the resulting ciphertext is kept by the secret owner. The opponent, who wants to invade, just sees the manipulated ciphertext that is meaningless in semantics but the assigned receiver, who knows the encryption key, can decrypt the ciphertext and reconstruct the plaintext to understand what it means. The data encryption standard共DES兲 and Rivest, Shamir, Adleman共RSA兲 are two representative methods.

Other than cryptography, data hiding provides another way to keep data secure. A method of this kind can be employed to embed imperceptibly secret information in a preselected meaningful image, called a camouflage image, to avoid attacks from invaders. Many techniques can be used to make changes in the original image invisible. Un-like utilizing a particular cipher algorithm to protect secret information from illicit access, the purpose of hiding secret data behind a camouflage image is to make an invader un-aware of the existence of the secret. Numerous schemes have been developed to achieve the goal of data hiding.5– 8 On the other hand, a mechanism is desirable for situa-tions where permission to access the secret depends not on

one person but on a group of people. The study of such a topic is secret sharing, and it has many real-world applica-tions. For example, it might be necessary in a company for three managers to share a digital document, and only when all or two of the three managers appear with mutual agree-ment can they work together to see the docuagree-ment through a digital access scheme. The idea here is like the case in a bank when a vault can be opened only by more than one teller in charge of the vault, or like the case in a story that a treasure map was torn into three pieces of which two or more may be combined together to give a clue for access-ing the treasure. This concept of secret sharaccess-ing provides a good solution to the requirements of both security protec-tion and access flexibility. Security can be achieved through the ownership of the secret held together by a group of people. And no need of participation of all the group mem-bers in the secret access process avoids the impossibility of secret reconstruction due to the absence of a certain mem-ber. This is indeed an advantage of secret sharing, which is not found in other cryptosystems.

A well-known technique for secret sharing is the cryp-tography method proposed by Shamir.9The method, called (k,n)-threshold secret sharing, was designed to encode a secret data set into n shares and distribute them to n par-ticipants, where only when any k or more of the shares are collected can be secret data be recovered. After the scheme was proposed, many related topics have been studied.10–12 However, the resulting methods are suitable for only a few

types of digital data, such as a text file, a password, an encryption/decryption key, etc.

Due to the widespread uses of images, how to share a secret image has attracted wide attention in recent years. Naor and Shamir13 proposed first the idea of visual cryp-tography to share secret images. The scheme provides an easy and fast decryption process that includes the steps of xeroxing the shares onto transparencies and stacking them to reveal the shared image for visual inspection. This scheme, which differs from traditional secret sharing, does not require complicated cryptographic mechanisms and computations. Instead, it can be decoded directly by the human visual system. Great expansion of share data sizes and the fact that it deals only with binary images limit the applicability of this scheme. Although an extended scheme for color images14 was proposed later, it handles images with only a small number of colors and inherits the charac-teristic of share data size expansion.

In this paper, we propose a scheme that does not ma-nipulate images in the spatial domain as the mentioned vi-sual cryptography does. Instead it transforms images into the frequency domain by the discrete cosine transform 共DCT兲, resulting in a set of transform coefficients. For most natural images, a significant number of the high-frequency coefficients are small in magnitude and can be discarded. Therefore, in this paper we reserve only low-frequency DCT coefficients that keep most visual information in im-ages. This drastically decreases the size of the data that must be shared, and guarantees the quality of the recovered image in the mean time. Furthermore, we randomize the values of all the reserved coefficients except the first one 共called the DC value兲 by a designed transformation. The DC value is taken to be a key for this transformation. It is also used in the back transformation to recover the original coefficients. That is, the critical item for sharing is re-stricted to be just the DC value, and so the amount of information to be shared and that of the created share data both decrease noticeably. Therefore, the proposed scheme has the capabilities of sharing full-color images as well as reducing the share data size. The former capability extends the application scope of secret image sharing which is still quite limited so far, and the latter makes the proposed scheme more practical for certain applications, where the memory size and network bandwidth are restricted. For ex-ample, the scheme is suitable for applications to mobile or handheld devices, where only a small amount of network traffic for shared transmission as well as a small amount of space for data storage are allowed.

The remainder of this paper is organized as follows. Section 2 gives an overview of the proposed approach and describe the proposed process of encryption. Section 3 in-troduces proposed decryption method. Some experimental results are shown in Sec. 4. For ease of demonstration, we use gray-scale image data as examples. Finally, some con-clusions are given in Sec. 5.

2 Proposed Process of Encryption

In the proposed process of image share encryption, first we divide a given secret image into 8⫻8 blocks and transform each block into the frequency domain by the DCT. We then

reserve the first 10 DCT coefficients and discard the re-maining ones. This reduces the size of the original secret image without degrading the image quality too much. Of course, if higher image quality is desired, we may keep more than 10 coefficients. Next, we perform a randomiza-tion process to change in a random way the values of the reserved DCT coefficients except the first one. The details are described later in this section. Without the help of the first coefficient, the use of the randomized 2nd through 10th coefficients is insufficient to recover the original secret im-age. So we just keep the first coefficient secret and let the others be public. Accordingly, the amount of shares that should be delivered to users and kept by them is reduced drastically. This saves network bandwidth and storage space requirement for each user. To guarantee the security of the first coefficient, we use the Shamir (k,n)-threshold scheme to share it. In the remainder of this section, we describe the details of the encryption process.

2.1 Algorithm 1: The Process of Encryption

The input is an 8b⫻8b secret image I. The output is n sets of b⫻b shares, with each set delivered to a member in a group of n secret sharing participants. The steps are

Step 1. Divide I into b⫻b blocks, each with the size of 8⫻8 pixels.

Step 2. For each block Bi, i⫽1,2,...,b⫻b, perform the following steps.

2.1 Transform each block into the frequency domain by the DCT.

2.2 Reserve the first 10 coefficients and discard the remaining ones.

2.3 Use the first coefficient C1 as a seed into a random number generator f_R to generate a sequence of numbers R2,R3,..., and R10in the range of关0,C1兴.

2.4 Replace respectively the 2nd through the 10th coefficients C2,C3,...,C10 with the values of C2

⬘

⫽R2••C2, C2

⬘

⫽R3••C3,..., C₁₀

⬘

⫽R10••C10. Call this procedure a ran-domization process. And keep all C₁

⬘

in a public place.

2.5 Encrypt the first coefficient C1 with the Shamir secret sharing scheme into n shares Si1,Si2,...,Sin.

Step 3. For each secret sharing participant P_j, j⫽1,2,...,n, collect as a set Wj all the corre-sponding b⫻b shares S1 j,S2 j,...,S(b⫻b) j, with each share Si j from an image block Bi, and deliver Wj to him/her as his/her final secret share.

In step 1, we first divide the secret image into blocks and then perform the DCT to transform each of them into the frequency domain in step 2.1. This process is often done in the image compression field. The leading coefficients, which are often more significant to human vision, represent the magnitudes of lower frequencies. According to this

characteristic, we reserve only the first 10 coefficients and discard the remaining ones in step 2.2. This can reduce the size of the data to be shared, with little sacrifice of the quality of the reversely-transformed images. However, this is not the only step we adopt for share data reduction. After the randomization process in step 2.4 is performed, the im-age obtained from inversely transforming the modified co-efficients will become noise. Consequently, these coeffi-cients need not be shared but may be made public instead. Only when the value of the first coefficient is obtained can the original coefficient values C2,C3,...,C10 be solved by the following equations:

Ci⫽Ri⫺Ci

⬘

i⫽2,3,...,10. 共1兲

In Eq.共1兲 Ri is obtained by using C1 as a seed to gen-erate a random number sequence, as is done in step 2.3. It is obvious that C1 is now the only factor that we need to protect securely in the access control of the secret image. It is so used in step 2.5 by the Shamir (k,n)-threshold scheme to generate n shares for the group of n secret sharing par-ticipants. The details of this sharing process are described as follows. Based on a preselected secret integer value y and a preselected threshold k, and by using the following (k⫺1)-degree polynomial

F共x兲⫽y⫹m1⫻x⫹m2⫻x2⫹¯⫹mk_⫺1⫻xk⫺1 mod p, 共2兲 the generation of the n shares proceeds in the following way.

1. Choose y to be the value of C1 that is to be shared. 2. Select the number k is to be no larger than n. 3. Choose p to be the nearest prime number larger than

C1.

4. Choose k⫺1 integer values m1,m2,...,mk_⫺1 ran-domly in the range关0,p).

5. Choose freely for the i’th secret sharing participant a value of x 共denoted as x_i), with all x_i distinct from one another.

6. For each chosen x_i, compute a corresponding value of F(x_i) by Eq. 共2兲.

7. Take each pair of关xi,F(xi)兴 as a share.

Here we use modular arithmetic instead of real arith-metic as Shamir did. The set of all integers modulo a prime number p forms a Galois field. In this field, we can recon-struct the polynomial F(x) using an interpolation method in the secret recovery phase, which is described in the next section.

So far, we have accomplished a mechanism that not only shares a secret image but also generates a small amount of share data for each participant. In our proposed scheme, the characteristic that lower frequencies preserve most infor-mation based on human vision after an image is trans-formed into the frequency domain is utilized. So coeffi-cients of higher frequencies can be discarded and the information we must process decreases preliminarily. Moreover, an extra randomization process is applied to

ma-nipulate the remaining coefficients and further decreases the amount of information that must be securely dealt with. Note here that an extra step could be added between steps 2.4 and 2.5 if further data compression is required. That is, we can perform a process called quantization to reduce the amount of data to be kept. Such quantization can be represented by the following formula:

C_i

⬙

⫽round共C_i

⬘

/Qi兲, 共3兲

where Qi is called a quantization factor, round共•兲 is a rounding function, and C_i

⬙

is the quantized value. The value of Q_i affects the transformed image size and the image quality, and is a trade-off between them.

3 Proposed Process of Decryption

In this section, we first describe the process of decryption as an algorithm, and then explain the details.

3.1 Algorithm 2: The Process of Decryption

The input is the n sets of secret shares held by the n secret sharing participants. The output is an 8b⫻8b secret image with b⫻b blocks. The steps are

Step 1. Divide the set of secret shares of each partici-pant Pj of the n ones into b⫻b shares S1 j, S_{2 j},...,S_{(b⫻b) j}.

Step 2. For each image block B_iof the b⫻b ones to be reconstructed, perform the following steps. 2.1 Reconstruct the value of C1using the

inter-polation method mentioned in Ref. 9 from the n corresponding shares S_i1,S_i2,...,S_in held by the n participants, respectively. 2.2 Use C1 as a seed into the random number

generator fR identical to that used in the process of encryption to generate a number sequence R2 through R10.

2.3 Acquire C₂

⬘

through C₁₀

⬘

from the public place where they are kept.

2.4 Compute C2 through C10 using Eq. 共1兲, which is called a derandomization process. 2.5 Perform the inverse DCT using the coeffi-cient C1 as well as C2 through C10 ob-tained from the previous steps to obtain the desired block image Bi in the spatial do-main.

Step 3. Combine in order all the block images B1 through Bb⫻bobtained in the last step to recon-struct the original secret image.

In the preceding algorithm, we first divide in step 1 the secret share set into b⫻b shares, each being obtained from one block in the encryption process. Then we try to recover the block images one by one in step 2. In step 2.1, we recover the value of C1 of each block. The details9 are described as follows.

1. Collect at least k secret shares from the n ones to form a system of equations as follows:

F共x1兲⫽y⫹m1⫻x1⫹m2⫻x12⫹¯⫹mk⫺1⫻x1 k⫺1 mod p, F共x2兲⫽y⫹m1⫻x2⫹m2⫻x₂2⫹¯⫹mk⫺1 ⫻x2k⫺1 _{mod p,} 共4兲 ] F共xk兲⫽y⫹m1⫻xk⫹m2⫻xk 2_⫹¯⫹m k⫺1 ⫻xk k⫺1 _{mod p.}

2. Use the Lagrange method to solve the k unknowns, m1, m2,...,mk⫺1, and y, in the preceding k equa-tions, and reconstruct the (k⫺1)-degree polynomial F(x) described by Eq.共2兲. Note that the xiand F(xi) in Eq. 共4兲 with 1⭐i⭐k are 2k known values col-lected from the k secret shares.

3. Construct F(x) by the following formula: F共x兲⫽F共x1兲 共x⫺x2兲共x⫺x3兲¯共x⫺xk兲 共x1⫺x2兲共x1⫺x3兲¯共x1⫺xk兲 ⫹F共x2兲 共x⫺x1兲共x⫺x3兲¯共x⫺xk兲 共x2⫺x1兲共x2⫺x3兲¯共x2⫺xk兲 ⫹¯ ⫹F共xk兲 共x⫺x1兲共x⫺x2兲¯共x⫺xk⫺1兲 共xk⫺x1兲共xk⫺x2兲¯共xk⫺xk⫺1兲 mod p. 共5兲 4. Take the secret value C1⫽y to be F(0).

Note that according to Shamir,9 if fewer than k secret shares are collected, the k unknowns cannot be solved and the desired y value cannot be reconstructed. After we get the value of C1, we use it in step 2.2 as a seed to generate a random number sequence, which includes just the values of R2through R10also generated in the encryption process. Then we acquire in step 2.3 the values of C₂

⬘

to C₁₀

⬘

, which are kept publicly and obtain C2 to C10 by the derandom-ization process of step 2.4. Now, we have all the values of coefficients C1 to C10, so the inverse DCT can be per-formed in step 2.5 to get the original image block. Finally, we combine these image blocks in order to reconstruct the original secret image.

Note that if quantization was executed in the encryption process, a corresponding restoration action should be taken between steps 2.3 and 2.4 in the decryption process, which is described as

C_i*_⫽Ci

⬙

_⫻Qi, 共6兲

where Qi is the quantization factor in Eq. 共3兲, Ci

⬙

is the quantized value obtained in the encryption process, and Ci* is the restored value which is used as a substitution of C_i

⬘

in the following steps of the decryption process.

4 Experimental Results

In this section, some experimental results are shown to prove the feasibility of the proposed scheme. For ease of demonstration, we use gray-level images to evaluate our scheme. But it is intuitively easy to extend our scheme for

full-color images by just applying the operations we intro-duce in the last two sections on all of the color channels. We show as an example the effect of our secret sharing scheme for the 共2,3兲-threshold case here by some experi-mental results.

We first take an image, as shown in Fig. 1共a兲, as the secret image. After we performed the DCT for each block, we reserved only the first 10 coefficients. Next, we random-ized the values of the 2nd through the 10th coefficients of each image block and made them public. After that, we created shares from the first coefficient of each block image using the Shamir method. Combining the share of each block, we acquired the secret share sets. We express the three secret share sets in the form of images in Figs. 1共b兲 through 1共d兲, which look meaningless. Without obtaining enough secret share sets to recover the protected first DCT coefficients, invaders can just guess the values of the first DCT coefficients and then combine the randomized 2nd through 10th coefficients to recover the original image. The result of such an attempt is shown in Fig. 1共e兲. We can observe from the figure that most information of the origi-nal secret image is lost. On the contrary, with enough share sets collected to recover the correct first DCT coefficient of each image block, the 2nd through 10th coefficients were decrypted correctly, and the recovered image is shown in Fig. 1共f兲. Next, we inspect the sharing effect resulting from performing the additional quantization operation. An ex-perimental example is shown in Fig. 2, in which Figs. 2共a兲 through 2共f兲 are all similar to the corresponding ones in Fig. 1. From these results, we can see that the quantization step does not cause visually perceptible changes in the re-sulting images.

5 Security Analysis

In this section, we analyze the effectiveness of our pro-posed scheme for security protection. From Eq. 共4兲, we know that the first coefficient value C₁ can be

recon-Fig. 1 Experimental result: (a) the secret image, (b) the secret share set of participant 1, (c) the secret share set of participant 2, (d) the secret share set of participant 3, (e) the image recovered by data combining a guess of the first coefficient and the randomized 2nd through 10th coefficients of each block, and (f) the image recovered by data combining a correct recovery of the first 10 coefficients of each block.

structed only if k or more shares can be collected. Without getting enough shares, the possibility of guessing the right value of C1 for a certain image block is only 1/p, where p is the prime number used in the modular arithmetic in-volved in the Shamir scheme described by Eq. 共2兲 previ-ously. The reason is that we choose p to be the nearest prime number larger than C1, that is, C1 falls in the range of关0,p). Furthermore, in our decryption process, only the right C1 can be used to deduce the other coefficients cor-rectly. Therefore, the possibility of correct secret image re-covery by guessing is (1/p)b⫻b, assuming that each image has b⫻b blocks. Note here that the choice of the value of p is a trade-off between the size of required storage and the degree of security. A larger p requires more storage space for the shares because the magnitudes of the share data will become larger. On the other hand, a larger p will reduce the possibility of correct secret image recovery by guessing according to the preceding probability of correct guesses.

6 Conclusions

A new scheme for secret image sharing based on the Shamir method9with the additional capability of share data reduction was proposed. The scheme can be employed to avoid the usual case that a set of secret images is held by only one person without extra copies, and thus prevent the secret data from being lost incidentally or modified inten-tionally. The proposed scheme provides high security to encrypt a given secret image into shares, which are noisy and leak no information about the secret image. In addition, the capability of share data reduction drastically extends the applicability of the proposed method. The amount of the created share data, which must saved or delivered, is smaller than that of the original secret image. This merit is especially advantageous to applications of portable devices with limited communication channel capacities and storage

spaces. The proposed scheme can handle full-color images, and the quality of the recovery result is satisfactory. It is thus suitable for applications where high security and effi-ciency are required. Finally, although our proposed scheme is based on the use of the coefficients of DCT-based image compression for ease of demonstration, it is easy to extend our scheme to meet the requirements of other compression standards, such as JPEG, MPEG, and the wavelet trans-form, each of which yields certain types of transform coef-ficients for use in our scheme.

Acknowledgment

This work was supported by the MOE Program for Promot-ing Academic Excellence of Universities under the Grant No. 89-1-FA04-1-4.

References

1. ‘‘Data Encryption Standard 共DES兲,’’ National Bureau of Standards FIPS Publication 46共1977兲.

2. M. Matsui, ‘‘Linear cryptanalysis method for DES cipher,’’ in Ad-vances in Cryptology—EUROCRYPT’93, Vol. 765 of Lecture Notes in Computer Science, pp. 386 –397共1994兲.

3. R. L. Rivest, A. Shamir, and L. Adleman, ‘‘A method for obtaining digital signatures and public key cryptosystems,’’ Commun. Assoc. Comput. Mach. 21, 120–126共1978兲.

4. A. Salomaa, Public Key Cryptography, Springer-Verlag共1990兲. 5. W. Bender, D. Gruhl, N. Morimoto, and A. Lu, ‘‘Techniques for data

hiding,’’ IBM Syst. J. 35共3–4兲, 313–336 共1996兲.

6. D. C. Wu and W. H. Tsai, ‘‘Data hiding in images via multiple-based number conversion and lossy compression,’’ IEEE Trans. Consum. Electron. 44共4兲, 1406–1412 共1998兲.

7. E. Adelson, ‘‘Digital signal encoding and decoding apparatus,’’ U.S. Patent, No. 4,939,515共1990兲.

8. D. C. Wu and W. H. Tsai, ‘‘Embedding of any type of data in images based on a human visual model and multiple-based number conver-sion,’’ Pattern Recogn. Lett. 20, 1511–1517共1999兲.

9. A. Shamir, ‘‘How to share a secret,’’ Commun. Assoc. Comput. Mach. 22共11兲, 612–613 共1979兲.

10. D. R. Stinson, ‘‘An explication of secret sharing schemes,’’ Design. Codes Cryptograph. 2, 357–390共1992兲.

11. H. M. Sun and S. P. Shieh, ‘‘Construction of dynamic threshold schemes,’’ Electron. Lett. 30共24兲, 2023–2024 共1994兲.

12. C. C. Chang and H. C. Lee, ‘‘A new generalized group-oriented cryp-toscheme without trusted centers,’’ IEEE J. Sel. Areas Commun. 11共5兲, 725–729共1993兲.

13. M. Naor and A. Shamir, ‘‘Visual cryptography,’’ in Advances in Cryptology—EUROCRYPT’94, Vol. 950 of Lecture Notes in Com-puter Science, pp. 1–12共1995兲.

14. E. R. Verheul and H. C. A. van Tilborg, ‘‘Construction and properties of k out of n visual secret sharing schemes,’’ Design. Code Crypto-graph. 11, 179–196共1997兲.

Chang-Chang Lin received his BS degree from the Department of Computer Science, National Tsing Hua University, in 1996. Since August 1996 he has been a research assistant with the Computer Vision Laboratory of the Department of Computer and Information Science, National Chiao Tung University, where he is currently work-ing toward his PhD degree. His recent research interests include visual secret sharing, pattern recognition, watermarking, and image hiding.

Wen-Hsiang Tsai received his BS degree in electrical engineering from National Taiwan University, Taipei, in 1973, his MS degree in electrical engineering (with major in computer science) from Brown University, Providence, Rhode Island, in 1977, and his PhD degree in electrical engineering (with major in computer engineering) from Purdue University, West Lafayette, Indiana, in 1979. In 1979 Dr. Tsai joined the faculty of National Chiao Tung University, Hsinchu, Tai-wan, where he is currently a professor in the Department of Com-puter and Information Science and the vice president of the univer-sity. Professor Tsai has been an associate professor with the Department of Computer Engineering (now the Department of Com-puter Science and Information Engineering) and the acting director of the Institute of Computer Engineering. In 1984, he joined the Department of Computer and Information Science and headed the department from 1984 through 1988. He was also the associate Fig. 2 Another experimental result achieved by performing the

ad-ditional quantization step: (a) the secret image, (b) the secret share set of participant 1, (c) the secret share set of participant 2, (d) the secret share set of participant 3, (e) the image recovered by data combining a guess of the first coefficient and the randomized sec-ond through tenth coefficients of each block, and (f) the image re-covered by data combining a correct recovery of the first 10 coeffi-cients of each block.

director of the Microelectronics and Information System Research Center from 1984 through 1987, the dean of general affairs from 1995 to 1996, and the dean of academic affairs of from 1999 to 2001. He has chaired the Chinese Image Processing and Pattern Recognition Society at Taiwan from 1999 to 2000. Professor Tsai has served as a Consultant to several major research institutions in Taiwan, has been coordinator of computer science with the National Science Council and a member of the Counselor Committee of the Institute of Information Science of Academia Sinica in Taipei. He has been the editor of several academic journals and was the

editor-in-chief ofJournal of Information Science and Engineeringfrom 1998 to 2000. His research interests include image processing, pattern recognition, computer vision, virtual reality, and information copy-right and security protection. He has published 107 journal papers and 150 conference papers and holds granted 6 Taiwanese or U.S. patents. Dr. Tsai is a senior member of the IEEE and a member of the Chinese Image Processing and Pattern Recognition Society, the Medical Engineering Society of the Republic of China, and the In-ternational Chinese Computer Society.