Sharing an Image with Variable-size Shadows

Sharing an Image with Variable-size Shadows

Shyong Jian Shyu

, Chun-Chieh Chuang

and Ying-Ru Chen

1

Department of Computer Science and Information Engineering

Ming Chuan University, No. 5 De Ming Road, Gui Shan, Taoyuan 333, Taiwan

2

Department of Computer Science, Taipei Municipal University of Education

No. 1 Ai-Guo West Road, Taipei 100, Taiwan

*

sjshyu@mail.mcu.edu.tw

Abstract

Keywords: Secret sharing, Threshold structure,

Secret image sharing, Chinese remainder theorem.

1. Introduction

Secret sharing aims at protecting a secret by a group of participants where each participant owns a part of the secret called shadow which reveals nothing about the secret. To recover the secret, threshold secret sharing addresses that only when a certain number (called threshold) of participants can reconstruct the secret be using their shadows altogether, while any group of less than the threshold number of participants cannot. Consider a secret s and a set of participants P = {1, 2, … , n} sharing s. Any approach that achieves the requirements of secret sharing for s with a threshold r among the n participants in P is called an r out of n (or (r, n)) threshold secret sharing

scheme.

Shamir [1] and Blakley [2] independently proposed threshold secret sharing schemes in 1979. Shamir’s approach is based upon the polynomial interpolation in a two-dimensional space, while Blakley’s scheme originates from the intersections of some high-dimensional planes in a high-dimensional space. Shamir’s scheme is simple and easy to implement so that it has attracted many researchers’ attention [3-7]. We give a brief introduction to Shamir’s scheme in the following.

Consider an r−1 degree polynomial: f(x) = a0 + a1x1 + a2x2 + … + ar−1xr−1

where all computations are perform in GF(p) in which p is a prime (or a power of 2 or a prime), 1 ≤ ar−1 < p, 0 ≤ aw < p for 0 ≤ w ≤ r−2, and 1 ≤ x <

p. Shamir’s (r, n) scheme apply this polynomial to share a secret s. The dealer sets s to be a0 and randomly chooses a1, a2, … , ar−1 to form f(x).

Then, he/she chooses x1, x2, … , xn as keys based

upon which f(x1), f(x2), … , f(xn) are computed as

shadows. The n pairs of (f(xi), xi)’s, 1≤i≤n, are

distributed to the n participants one by one. Since any group of r (or more) (f(xi), xi)’s is able to

obtain (a0, a1, … , ar−1) by solving the r equations

using polynomial interpolation, s (= a0) is thus recovered. None of any group of less than r participants can solve the r equations completely. We say that s is shared by n participants in an (r, n) threshold structure.

Thien and Lin [8] in 2002 extended Shamir’s scheme so that the polynomial-based idea can be applied to share a secret image. Consider an image P with N pixels in total which is shared in an (r, n) threshold structure. Thien-Lin’s scheme first diffuses all N pixels in P and organizes them into N/r segments with r pixels each. Let the r pixels in segment t be denoted as (a0, a1, … , ar−1)t for 1 ≤ t

≤ N/r. The values of these r pixels of segment t are assigned to be the r coefficients of the polynomial to form ft(x). Then, the dealer determines n keys x1, x2, … , xn, and computes ft(x1), ft(x2), … , ft(xn) for

1 ≤ t ≤ N/r. After that, f1(xi), f2(xi), … , fN/r(xi) are

merged into a shadow image Di for 1 ≤ i ≤ n. The

dealer distributes (Di, xi) to participant i for 1 ≤ i ≤

n. It is not hard to see that r (or more) participants can recover (a0, a1, … , ar−1)t by their r pairs of

keys and shadows with polynomial interpolation for all equations ft(x)’s, 1 ≤ t ≤ N/r. (a0, a1, … , ar−1)1, (a0, a1, … , ar−1)2, … , (a0, a1, … , ar−1)N/r are

indeed the N pixels in P which have been diffused ever. After re-ordering all of the pixels, we reconstruct P. The shadow size of Thien-Lin’s approach is N/r, that is, each Di contains N/r pixels

for 1 ≤ i ≤ n. If the original Shamir’s approach is directly applied to share the image, the size of each shadow is N. Therefore, Thien-Lin’s scheme reduces the size of the shadows as compared to Shamir’s.

However, the sizes of all shadow images are the same in either Thien-Lin’s or Shamir’s approach. In real-world applications, this might not always be an advantage. For instance, a particular participant (the boss, some secret agent, etc.) would like to carry a shadow with a smaller size (than others) for reducing the cost, burden or other concerns. Our interest in this paper is thus to design a secret image sharing scheme with various shadow sizes. Since the dealer could define the degrees of importance of the participants and distribute the different-sized shadows to the participants in terms of their degrees. Essentially, the proposed scheme is based upon the Chinese remainder theorem.

The rest of the paper is organized as follows. We introduce Chinese remainder theorem and how to apply CRT to accomplish secret sharing in Section 2. Our threshold scheme for sharing images is proposed in Section 3. Some experiments results and related discussions are reported in Section 4. Section 5 gives some concluding remarks

.

2. Previous Studies

2.1 Chinese reminder theorem

Consider a secret value x and m ≥ 2 positive relatively prime moduli, namely q1, q2, … , qm. Let

Q = q1 × q2 × … × qm and si be the remainder of x

modulo qi for 1 ≤ i ≤ m. The Chinese remainder

theorem (CRT) asserts that the following system has a unique solution x in ZQ [9, 10]:

x ≡ s1 (mod q1) x ≡ s2 (mod q2) …

x ≡ sm (mod qm)

Give a number x and m positive relatively

prime moduli q1, q2, … , qm where x∈ZQ, the above

system is described as:

(s1,s2,…, sm) = CRT_remainders(x,m,q1,q2,…,qm).

The solution x∈ZQ can be obtained by many

ways. One of the popular approaches is to compute Mi and its multiple inverse ci (under modulus qi)

for all moduli qi, 1 ≤ i ≤ m [10] first as follows:

Mi = Q / qi;

ci Mi = 1 mod qi.

Then x can be obtained by x = (

∑

To ease the following applications of finding a solution based upon CRT, we organize these operations as a procedure:

x = CRT_solution(m,q1,q2,…,qm,s1,s2,…,sm)

where x ≡ si (mod qi) for 1 ≤ i ≤ m.

2.2 Threshold secret sharing by CRT

Let x be a secret value and q1, q2, … , qm be m

positive relatively prime moduli where Q = q1 × q2 × … × qm and x ∈ ZQ. Since (s1, s2, … , sm) =

CRT_remainder(x, m, q1, q2,…, qm), a naïve idea for

applying CRT for sharing x among the m participants may be using si as the shadow for

participant i, 1≤i≤m. (This was adopted by Meher and Patra in their secret image sharing scheme in 2006 [11].) For instance, assume that m = 3 and (q1, q2, q3) = (3, 5, 7). Consider a secret x = 97 sharing by the 3 (=m) participants. Since (s1, s2 s3) = (1, 2, 6) (= CRT_remainder(97, 3, 3, 5, 7)), i.e.

97 ≡ 1 mod 3 97 ≡ 2 mod 5 97 ≡ 6 mod 7

(si, qi) might be distributed to participant i for i = 1,

2, 3. Then, only when all three participants contribute their information can they compute x = 97; while any group of less than two participants cannot.

Yet, we give an example to illustrate that such naïve application is incorrect in some cases. Consider the same scenario except for x = 18. We have (s1, s2 s3) = (0, 3, 4) (= CRT_remainder(18, 3, 3, 5, 7)):

18 ≡ 0 mod 3 18 ≡ 3 mod 5 18 ≡ 4 mod 7

Indeed, all three participants can obtain 18 (18 = CRT_solution(3, 3, 5, 7, 0, 3, 4). However, participants 1 and 3 (or 2 and 3) can do so by using their (0, 3) and (4, 7) (or (3, 5) and (4, 7)) (18 = CRT_solution(2, 3, 7, 0, 4) = CRT_solution(2, 5, 7,

3, 4)) too. Thus, it is not a (3, 3) scheme, let alone a threshold scheme. This naïve application of CRT cannot establish a threshold secret sharing scheme.

To share a secret by using CRT is not a new topic, Mignotte [12] and Asmuth-Bloom [13] proposed (r, n) threshold secret sharing schemes in 1983 individually. Some following studies can be found in [14-17]. Our scheme is based upon Mignotte’s idea that is introduced as follows.

Consider n relatively positive prime moduli q1 < q2 < … < qn. Let α = qn−r+2 × qn−r+3 × … × qn (the

product of maximal r−1 moduli) and β = q1 × q2 × … × qr (the product of the minimal r moduli).

Let secret x satisfy α < x < β. The dealer distributes (si, qi) to participant i for 1 ≤ i ≤ n

where (s1, s2, … , sn) = CRT_remainder(x, n, q1, q2, … , qn) so as to accomplish sharing x among

the n participants in an (r, n) structure. Assume that any group of r−1 participants, say {i1, i2, … , ir−1}, compute as follows with their shadows and

moduli:

y = CRT_solution(r−1,q_i1,q_i2,…,q_ir−1,s_i1,s_i2,…,s_ir−1).

They can only retain a solution y in ZQ' where Q' =

q_i1 × q_i2 × … × q_ir−1 ≤ α (= qn−r+2 × qn−r+3 × … × qn)

according to CRT. Since y ≤ α < x, y ≠ x. On the other hand, when r participants, say i1, i2, … , ir,

compute as follows with all their shadows and moduli, they can recover x:

x = CRT_solution(r,q_i1,q_i2,…,q_ir,s_i1,s_i2,…,s_ir). Therefor the (r, n) threshold property holds.

3. The Proposed Scheme

Consider an h×w secret image I with M bits in total and a set of n participants sharing I. Our encoding process first chooses n relatively prime moduli q1 < q2 < … < qn, and compute α = qn−r+2 ×

qn−r+3 × … × qn and β = q1 × q2 × … × qr. We

regard secret image I as a series of l blocks with d-bit each (i.e. l= ⎡M/d⎤) and take each block, say Ik, as an encoding unit for 1 ≤ k ≤ l. Let xk denote

the decimal value of the d-bit of block Ik, 0 ≤ xk ≤

2d−1.

To cope with the cases like natural images which comprise blocks of similar or even same colors, we simply introduce a series of random numbers, namely random()’s, in range [0, 2d−1] with an initial seed e and perform xk⊕random() for

all blocks in order to diffuse the values of all

blocks where ⊕ is the “xor” operation. (Note that it would be shown later that the seed e is also shared among the n participants in the (r, n) structure.)

To maintain the (r, n) threshold property, we adjust the diffused value xk to be xk' to assure that

the constraint α < xk' < β is met. This is done by

adding a pre-determined offset p to the diffused value xk where α < p < β−2d.

Formally, we set e as the seed of the random sequence, i.e.

random_ seed(e),

and set the range of the random numbers generated as

random_range(0:2d−1); then perform

xk' = (xk ⊕ random()) + p

for all Ik’s, 1 ≤ k ≤ l where random() returns a

random number which is a member of a random sequence seeded by e. Note that we deliberately set p as the seed e, i.e. e = p in our implementation. Then, xk' is shared among the n participants in an

(r, n) structure by using CRT for all Ik’s:

(sk,1,sk,2,...,sk,n)=CRT_remainder(xk',n,q1,q2,…,qn)

where 0 ≤ sk,i < qi. We take zi = ⎡log2qi⎤ bits to

store sk,i for 1 ≤ k ≤ l and 1 ≤ i ≤ n. All zi-bit

remainders are merged zi-bit by zi-bit to form

shadow Si, i.e.

Si = s1,i || s2,i || ... || sl,i

where || denotes the concatenation operation. Thus, the bit-length (size) of Si is zi × l (= ⎡log2qi⎤×

⎡M/d⎤).

Further, p is shared among the n participants in the (r, n) structure by using CRT, too; that is,

(a1,a2,...,an) = CRT_remainder(p,n,q1,q2,…,qn).

The dealer thus distributes (Si, ai, qi) to

participant i for 1 ≤ i ≤ n. Since q1 < q2 < ... < qn,

we have | z1 | ≤ | z2 | ≤ ... ≤ | zn |, and consequently,

| S1 | ≤ | S2 | ≤ ... ≤ | Sn |. That means the sizes of the

shadows are different (which depend on those of the moduli). Or, each participant receives a part of information whose size is related to his/her degree of importance.

The encoding algorithm is formally illustrated as follows.

Encoding algorithm

Input: a secret image I with M bits in total, a set of participants P = {1, 2, …, n} with various degrees of importance, threshold r (2 ≤ r ≤ n), and parameter d

Output: shadows Si and ai, and modulus qi for 1≤ i ≤ n

1. Choose {q1, q2, … , qn | (qi, qj) = 1, 2 ≤ q1 < q2 < … < qn < 2d} according to the degrees of

importance in P

2. α = qn−r+2 × qn−r+3 × … × qn; β = q1 × q2 × … × qr

3. Choose seed p randomly with α < p < β−2d 4. random_seed(p); random_range(0:2d−1)

// set p as the seed of the random sequence ranging from 0 to 2d

5. Partition I into l (= ⎡M/d⎤) segments: I1, I2, … , Il // Ik is with d bits, 1 ≤ k ≤ l

6. for (each Ik, 1 ≤ k ≤ l) do

6.1 { xk = the decimal representation of Ik

6.2 xk' = (xk ⊕ random()) + p

6.3 for (each i, 1 ≤ i ≤ n) do sk,i = xk' mod qi // | sk,i | = ⎡log2qi⎤

}

7. for (each i, 1 ≤ i≤ n) do 7.1 { Si = ∅

7.2 for (each k, 1 ≤ k ≤ l) do Si = Si ∪ {sk,i} // Append sk,i (| sk,i | = ⎡log2qi⎤) after Si (Si = Si || sk,i)

}

8. for (each i, 1 ≤ i ≤ n) do ai = p mod qi

9. Output(S1, S2, … , Sn, a1, a2, … , an, q1, q2, … , qn)

// the dealer distributes (Si, ai, qi) to participant i

Participant i gets (Si, ai, qi) from the dealer

for 1 ≤ i ≤ n. It is noticed that the size of shadow Si

is ⎡log2qi⎤×⎡M/d⎤ for 1 ≤ i ≤ n. Thus the sizes of S1, S2, … , Sn are determined by those of q1, q2, … , qn

which are defined according to the degrees of

importance of the participants. This offers a flexible decision about which participant is more/less important at the dealer’s convenience.

The decoding algorithm is shown in the following.

Decoding algorithm

Input: r participants i1, i2, ... , ir ∈ P and the corresponding moduli qi1 < qi2 < ... < qir, shadows Si1, Si2, ... , Sir

and a_i1, a_i2, ... , a_ir, and parameter d Output: the secret image I

1. p = CRT_solution(r, a_i1, a_i2, … , a_ir, q_i1, q_i2, … , q_ir) 2. for (1 ≤ j ≤ r) zj = ⎡log2qij⎤

3. random_seed(p); random_range(0:2d−1) 4. I = ∅

5. l = | S1 | / z1 // l is the number of blocks; each shadow has the same l 6. for (each k, 1 ≤ k ≤ l) do

6.1 { for (each S_ij, 1 ≤ j ≤ r) do { sk,j = the first zj bits of Sij

S_ij = S_ij−{sk,j} // delete the first zj bits from Sij

}

6.2 yk = CRT_solution(r, sk,1, sk,2, … , sk,r, qi1, qi2, … , qir)

6.3 xk = (yk− p) ⊕ random()

6.4 make xk to be d-bit long

6.5 I = I ∪ {xk} // Append xk after I by d-bit concatenation (I = I || xk)

}

7. Output(I)

4. Experimental Results

We report the implementation results of our scheme for testing a simple (3, 4) case in this section. Our program was coded in Microsoft C#

and run in a PC with Windows. A 256×256 gray-level Lena image was regarded as the secret image I as shown in Figure 1 which is shared by four participants 1, 2, 3 and 4 with the degrees of

importance 4 < 3 < 2 < 1. We assume that the dealer would like to produce four shadows S1, S2, S3 and S4 for participants 1, 2, 3 and 4 respectively with | S1 | ≤ | S2 | ≤ | S3 | ≤ | S4 | so that the most important participant 1 gets the smallest shadow. (Of course, this is the dealer’s decision about who gets the smallest shadow.)

In our implementation, we set d as 29 and (q1, q2, q3, q4) = (1009, 2026, 5095, 31651); thus, α = 5095 × 31651 = 161261845 and β = 1009 × 2026 × 5095 = 10415372230. The secret image is treated as a one dimensional array with M = 256×256×8 = 524288 bit (since one gray pixel takes 8 bits specifying the gray scales in a Windows environment). The number of blocks in our experiment is l = ⎡M/d⎤ = 18079. Note that we simply append white pixels in the last block to make the number of pixels within it to be 29.

Figure 2 shows the four shares S1, S2, S3 and S4 produced by our encoding algorithm with pixels 89×256, 98×256, 115×256 and 133×256 respectively which meet the requirement of | S1 | ≤ | S2 | ≤ | S3 | ≤ | S4 |. Let us explain why the pixels of S1 is 89×256. Each remainder of a 29-bit block under modulus q1 (= 1009) is less than 1009 and is stored by using ⎡log2q1⎤ = ⎡log21009⎤ = 10 bits. Thus, after encoding all l blocks, there are 18079×10 = 180790 encoded bits which constitute S1. The bit-lengths of the other shadows are determined in the same way. For the display and comparison purposes, we took these consecutive bits as a series of 8-bit gray pixels which constitute a gray-level image with a height of 256. Since ⎡(180790/8)/256⎤ = 89, thus the width and height of S1 become 89 and 256 respectively.

Figure 3 illustrates the reconstructed images from our decoding algorithm by various groups of participants where (a)-(g) are reconstructed results by {1, 2}, {1, 3}, {1, 4}, {2, 3}, {2, 4}, {3, 4}, {1, 2, 3} respectively. Note that the results obtained by {1, 2, 4}, {1, 3, 4}. {2, 3, 4} and {1, 2, 3, 4} are exactly the same as Figure 3 (g), which is the same as the original Lena image; therefore, we just omit them here. Besides, the pixels (width×height) of these resultant images are all 256×256. This is due to our assumption that the groups of more than one participant knew d (the block size), l (the number of blocks) and the decoding algorithm so that they applied CRT to recover the 29-bit secret blocks by using their information and displayed their result as a 8-bit based gray-level image.

Figure 1. Secret image to be shared.

(a) (b) (c) (d) Figure 2. Shadows produced by the encoding algorithm: (a) S1, (b) S2, (c) S3, (d) S4.

(a) (b)

(c) (d)

(e) (f)

(g)

Figure 3. Reconstructed results from the decoding algorithm by various groups of participants: (a) {1, 2}, (b) {1, 3}, (c) {1, 4}, (d) {2, 3}, (e) {2, 4}, (f)

{3, 4}, (g) {1, 2, 3}.

It is easily seen from Figure 3 that any group of less than three participants cannot recover I, while all groups of three or more participants can. The attractive feature is that | S1 | ≤ | S2 | ≤ | S3 | ≤ | S4 | whose sizes are determined by the values of the chosen moduli which define the degrees of importance of the participants. These results demonstrated the feasibility and applicability of our scheme.

5. Concluding Remarks

We propose and implement a novel threshold secret image sharing scheme that produce shadows with different sizes by using CRT in this paper. The shadow sizes produced by our scheme are correlated with the degrees of importance of the participants. As compared to the conventional Shamir’s and the recent Thien-Lin’s approaches which produce shadows with the same size, our scheme is more flexible so that it can be applied to some practical situations that the parts of information given to different participants are with different sizes in terms of their degrees of importance.

It is lucid that our scheme can be easily applied to secretly share a color image in a threshold structure. In the near future, we shall analyze the secrecy of our scheme. In the decoding and encoding algorithms, d is designed to be an input parameter and the seed e is the same as p. To increase the level of secrecy, d and e might be shared among the n participants in an (r, n) structure.

References

[1] A. Shamir, “How to share a secret,＂

Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979.

[2] G. R. Blakley, “Safeguarding cryptographic keys,＂ in AFIPS Conf. Proc., vol. 48, pp. 313-317, 1979.

[3] E. F. Brickell, “Some ideal secret sharing schemes,＂ Journal of Combinatorial Mathematics and Combinatorial Computing , vol. 6, pp. 105-113, 1989.

[4] C.-C. Chang, and R.-J. Hwang, “Sharing secret images using shadow codebooks,＂

Information Sciences - Informatics and Computer Science: An International Journal, vol. 111, no. 1-4, pp. 335-345, 1998.

[5] M. Ito, A. Saito, and T. Nishizeki, “Secret sharing scheme realizing general access structure,＂ Proceedings of IEEE. Globecom ’87, pp. 99-102, 1987.

[6] C.-C. Lin, and W.-H. Tsai, “Secret image sharing with steganography and authentication,＂ Journal of Systems and Software, vol. 73, no. 3, pp. 405-414, 2004. [7] K. J. Tan, and H. W. Zhu, “General secret

sharing scheme,＂ Computer Communications, vol. 22, pp. 755-757, 1999.

[8] C.-C. Thien, and J.-C. Lin, “Secret image sharing,＂ Computers and Graphics, vol. 26, pp. 765-770, 2002.

[9] Darel W. Hardy, and Carol L. Walker, Applied Algebra: codes, ciphers, and discrete algorithms, Prentice Hall, 2003. [10] W. Stallings, Cryptography and Network

Security Principles and Practices, Fourth Edition, Prentice Hill, 2005.

[11] P. K. Meher, and J. C. Patra, “A new approach to secure distributed storage, sharing and dissemination of digital image,＂ Proceedings of the IEEE International Symposium on Circuits and Systems, pp. 373-376, 2006.

[12] M. Mignotte, “How to share a secret,＂ In T. Beth, editor, Lecture Notes in Computer Science, vol. 149, pp. 371-375, 1983.

[13] C. Asmuth, and J. Bloom, “A Modular Approach to Key Safeguarding,＂ IEEE Transactions on information theory, vol. IT-29, no. 2, pp. 208-210, 1983.

[14] T. Galibus, and G. Matveev, “Generalized mignotte's sequences over polynomial rings,＂ Electr. Notes Theor. Comput. Sci., vol. 186, pp. 43-48, 2007.

[15] S. Iftene, “Compartmented secret sharing based on the Chinese remainder theorem,＂

Cryptology ePrint Archive, 2005.

[16] S. Iftene, “General secret sharing based on the Chinese remainder theorem,＂

Cryptology ePrint Archive, Report 2006/166, 2006.

[17] H.-X. Li, L.-J. Pang, and W.-D Cai, “An efficient threshold multi-group-secret sharing scheme,＂ Advances in Soft Computing, vol. 40, pp. 911-918, 2007.