A Lossless-Recovery Secret Distribution Scheme Based on QR Codes

The visual cryptography scheme (VCS) distributes a secret to several images that can enhance the secure transmission of that secret. Quick response (QR) codes are widespread. VCS can be used to improve their secure transmission. Some schemes recover QR codes with many errors. This paper uses a distribution mechanism to achieve the error-free recovery of QR codes. An error-correction codeword (ECC) is used to divide the QR code into different areas. Every area is a key, and they are distributed to n shares. The loss of any share will make the reconstructed QR code impossible to decode normally. Stacking all shares can recover the secret QR code losslessly. Based on some experiments, the proposed scheme is relatively safe. The proposed scheme can restore a secret QR code without errors, and it is effective and feasible.


Introduction
The rapid development of the Internet has prompted the beginning of the information age [1][2][3][4]. As a two-dimensional image, the quick response (QR) code carries a lot of information [5]. A decoder can decode its information by scanning it. People can perform operations using QR codes [6], such as visiting a website, obtaining text, using mobile payment systems, and many more. The convenience of QR codes makes them popular. The spread of information across a network requires security [7][8][9][10]. The standard for a QR code is public, and its security on the Internet is dependent on methods such as authenticated key exchange [11][12][13][14], watermarking technology [15][16][17][18], or information hiding [19][20][21].
The (n, n)-VCS distributes a secret among images [27][28][29][30]. Each share is a key. All shares perform the decoding method to reconstruct the secret. The secret will be not constructed if any share is not present. The main idea of the VCS is distribution. The secret is distributed among some images. Every share contains no information about the secret image. Naor and Shamir designed two fundamental matrices for the (k, n)-VCS (k ≤ n) [31]. The secret is distributed to n images. Receivers need to stack no fewer than k shares to recover the secret. The recovered image requires the human visual system (HVS) for decoding. This scheme is used to encrypt a binary image. Liu et al. proposed an extended VCS [32]. A VCS for gray-level and color images was proposed by Hou using halftone technology and the subtractive model [33]. The two schemes are pixel-expansible. Based on the random grid and halftone technology, Shyu designed a VCS for color images without pixel expansion [34]. Error diffusion was used to design a VCS [35]. Luo et al. designed a VCS to encrypt a continuous tone image [36], mainly relying on halftone 1. This paper uses the mechanism of the ECC to divide the QR code into n areas. Every area is distributed to n shares to achieve a non-pixel-expansible VCS. Compared to the pixel-expansible VCS (such as [37]), the generated share is the same size as the secret image using the proposed VCS.

2.
Compared with [42], this paper can recover a QR code losslessly. The capacity of the ECC is not sacrificed in the recovered QR code.

3.
There are no measures to protect itself during the transmission of the QR code. The proposed VCS provides a method to ensure the security of QR codes across the network.
The rest of the paper is structured as follows: Section 2 shows the VCS, the QR code, and the decoding stacking method. The proposed VCS is introduced in Section 3. All experiments are described in Section 4. Section 5 offers some conclusions.

Preliminaries
This section introduces the VCS (Section 2.1), the QR code (Section 2.2) and the decoding stacking method (Section 2.3). This is an abbreviation, as shown in Table 1.

VCS
The (k, n)-VCS was presented by Naor and Shamir [31]. A secret can be distributed among images. The secret is reconstructed when no fewer than k shares are stacked. Secret information about the restored image is recognized using the HVS. The decoding process does not need complex calculations. The user does not need complex computer knowledge.
Let R • (resp. R • ) be a black (resp. white) pixel block in the recovered image. The n • (·) represents the number of black pixels. The (k, n)-VCS satisfies two conditions: Security Condition: Fewer than k shares being stacked will satisfy n • (R • ) = n • (R • ) in the recovered image.
Contrast Condition: The image generated by stacking more than k − 1 shares will satisfy n • (R • ) > n • (R • ). The function of the quantity n Natural number (N) c The number of total codewords a The number of data codewords r The capacity of correction in the QR code b The block of the QR code → Generation Area Q The module collection of QR code Stacking(·) The decoding operation of the VCS When attackers use no more than k shares to stack, the generated image has no color contrast. It is a useless image, which will not reveal away secrets. When no fewer than k shares are stacked, the generated image has color contrast. This image is useful.
Naor and Shamir's VCS is pixel-expansible. It shares a secret image using two fundamental matrices, M • and M • . M • encrypts the black pixels. The white pixels are encrypted using M • . As an example, a (4, 4)-VC scheme is shown below: k and the w are the black and white pixels, respectively. In (4, 4)-VC, M • and M • have: w k k k k k w w w w k w k k w w k k w w k k k w k w k w w w k k k k k w Every line of the M • and M • represents a 3 × 3 pixel block, as shown in Figure 1. When no fewer than four shares are stacked, n • (R • ) = n • (R • ) is established in the recovered secret. That makes the reconstructed image non-contrasting in color. The recovered image is useless without any information. When four shares are stacked, the recovered image satisfies n • (R • ) = 9 > n • (R • ) = 8. Its color has contrast, HVS can decode it, and the secret information is obtained.
For the (n, n)-VCS, only n shares can restore the secret. If n − 1 or fewer shares are stacked, the secret will not be recovered. The decoding method of VCS is public, and the attacker knows it. If the attacker cannot obtain all shares, they cannot decode the secret. When the VCS is of the (k, n) type, the attacker needs to obtain k or more shares to decode the secret.

QR Code
QR codes are two-dimensional images carrying information [47] that are encrypted into black and white modules. D × D modules are combined into a QR code. D can be calculated as follows: where V is the version of the QR code (V ≤ 40). The V decides the number of modules. The larger V is, the larger D is. A QR code consists of a finder pattern, version and format information, alignment pattern, and codeword area, as shown in Figure 2. The codeword area is made up of blocks. Every block carries some data and error-correction codewords. Every codeword consists of 8 modules. A module is a square pattern. It is a pixel or 2 × 2 pixels or n × n pixels. The finder pattern determines the location of the QR code. The ECC corrects the errors. The capacity of the ECC is over four levels, namely L, M, Q, and H. L denotes that the ECC corrects about 7% errors in the QR code. Similarly, M is 15%, Q is 25% and H is 30%. These error-correction capacities are approximations. Different QR codes can correct different numbers of codewords. The capability of each block is different. An example of the capacity of the ECC is shown in Table 2. Any module with errors will make the codeword wrong. A module can cause a codeword error. When a block has wrong codewords, the QR code cannot be decoded correctly. A few wrong modules create many wrong codewords in a block. These errors prevent the QR code from being decoded correctly. c, a and r are the numbers of total codewords, data codewords, and the capacity of correction, respectively.
The information is encoded as a 0-1 matrix (this process is reversible). This matrix is rendered as a black-and-white two-dimensional image. The graphical rule is that 0 (resp. 1) represents black (resp. white) modules. QR codes consist of black and white modules. When a decoder decodes QR codes, it scans them to confirm the black and white modules. All modules are then converted into a 0-1 matrix and the information is recovered. If QR codes have many errors, they cannot be decoded. For example, version 4 and error-correction level H of the QR code has nine wrong codewords in a block (it can correct eight wrong codewords; r = 8 in Table 2). Therefore, it will not be decoded, and is meaningless. The QR code will lose its value. The error of the QR code refers to the black (resp. white) modules that are changed to white (resp. black) modules.

Stacking
This paper uses stacking to denote a specific operation performed on the colors in the image. The process for stacking the two colors is as follows: When the two colors are stacked, white and white generate white (other color combinations generate black). This paper uses this operation (stacking) to achieve a secret recovery. All operations are shown in Table 3. The operation of stacking is used to recover the secret [31]. It is also the method used in this paper to restore a secret QR code.

The Proposed VCS
This paper proposes an (n, n)-threshold VCS. It can distribute a secret QR code (H) to n meaningless images. When n shares are stacked, the reconstructed QR code (R) can be obtained without errors. All processes are described in Figure 3. When the receiver obtains all shares, it can stack them to recover the secret QR code. The restored QR code can then be decoded by the decoder. The secret QR code is encrypted and decrypted using a VCS. The security of its transmission across the network is improved. When all shares are obtained, an attacker can decode the QR code. If any share is missed, the attacker will not be able to decode the QR code.

Conditions of the Proposed VCS
Let n b i (·) show that block b has n b i (·) incorrect codewords. r b denotes the number of erroneous codewords that ECC can correct in block b. Every block can correct different numbers of the wrong codeword. The capacities of the different blocks are independent. Let n b (·) be the number of blocks. The proposed VCS satisfies Condition 1 and Condition 2: it is decoded using the decoder, and the secret is obtained.
Every share is a key to restoring the secret QR code. If any share is missing, the restored QR code will have many errors. The number of wrong codewords is exceeded by the capacity of the ECC. This wrong QR code cannot be decoded using the standard decoder. The security of the VCS for the QR code is therefore ensured.

Encryption and Decryption Processes
To restore a QR code without errors, the white module in the QR code must also be the white module in the share. The black module of the QR code is a black module or white module in the share. Therefore, only the black modules are processed in the VCS.
Every block has error-correction codewords, which correct incorrect codewords. A QR code with more than r b wrong codewords will be not decoded. Therefore, any two shares need to recover more than r b codewords. If any share is not obtained, the recovered QR code will have more than r b wrong codewords. ECC can correct up to about 30%. To be more secure, when a share is missing, about half of the codeword will be wrong in a certain block of the restored QR code. Any two shares can restore modules of at least d codewords (the codeword is restored or the part of the codeword is restored) in every block. The d can be calculated by: where a block has c codewords of the data and error correction. When c has different values in a QR code, it takes the minimum value. We use d and ECC to divide the QR code into area Q l • and areaQ l • (l = 1, 2, · · · , n). Every area should include modules that belong to many codewords. For example, one or two modules per codeword are in each area. The module of a codeword is wrong, and this codeword is wrong. Therefore, an area is missed that will cause many codeword errors. If these wrong codewords are in a block, the QR code will not be decoded.

•
The area of the codeword is divided into area Q l • (l = 1, 2, · · · , n). The area Q l • is generated in two cases as follows: Case 1, When n ∈ [2, 2n b (H)]: If n ≤ n b (H), the area Q l • is generated as follows: a. We select n blocks randomly. The black modules of every selected block form the area Q l • , where l = 1, 2, · · · , n. b. The area of all unselected black modules in each block is added to area Q n • . For example, n = 3, n b (H) = 4 and selected blocks are block 1-block 3. Area Q 1 • , Q 2 • and Q 3 • are the area of all black modules in block 1, block 2 and (block 3 and block 4), respectively.
If n > n b (H), the area Q l • is generated as follows: a. We select 2n b (H) − n blocks randomly. The black modules of every selected block form the area Q l 1 • , where l 1 = 1, 2, · · · , 2n b (H) − n. For example, 2n b (H) − n = 3 and selected blocks are block 1-block 3. Area Q 1 • -Q 3 • is the area of all black modules in block 1-block 3, respectively.
b. The area of all black modules (d different unselected codewords in every unselected block) forms the area Q l 2 • (l 2 = 2n b (H) − n + 1, 2n b (H) − n + 2, · · · , n). If a block does not have d different codewords, it will select the next block. There is no intersection for any subset in area Q l 2 • . For example, n b (H) − (2n b (H) − n) = 1 and an unselected block is block 4. Area Q 4 • and area Q 5 • , respectively, consist of all black modules in d different codewords. They satisfy area Q 4 • ∩ area Q 5 • = ∅. These codewords are all from block 4. c. The area of all unselected black modules (every block) is added to area Q n • . The area Q l • = area Q l 1 • ∪ area Q l 2 • , which l = 1, 2, · · · , n. Case 2, When n > 2n b (H): We sort the number of black modules of each codeword from small to large in block b. Area A b • consists of the last d codewords in the sequence in block b. AreaÂ b • is made up of the rest of the codewords in block b. The minimum number of black modules for every codeword in area A b • (resp.Â b • ) is denoted by n 1 (resp. n 2 ). The value of b is b = 1, 2, · · · , n b (H). The biggest value (n m ) of n is: When n > n m , the proposed scheme is not suitable and n ∈ [2, n m ].
Area Q l • generates rules as follows: Rule 1: Rule 2: Select a black module from each codeword (these codewords are from area Q l 1 • , where l 1 is a random number from 1 to 2n b (H)) to perform n − 2n b (H) times to form area Q are made up of all black modules in the first, second, and third to be chosen, respectively. The selected modules are deleted in the area Q • , which l = 1, 2, · · · , n.

The Generation of AreaQ
The selected modules should not be repeated where possible. AreaQ l • = areaQ l 1 • ∪ areaQ l 2 • , where l = 1, 2, · · · , n. Every area is made up of a black module in the areaQ l • . When n < n • (Q • ), we select n • (Q • ) n black modules (not repeating) from areaQ • for n times to form areaQ l • which l = 1, 2, · · · , n. The unselected area of all the black modules from the areaQ • is added to areaQ n • . For example, areaQ 1 • is the area of n • (Q • ) n black modules. AreaQ n • is the area of several black modules (the number is no less than

The Encryption Process of the Proposed VCS
H is distributed to n shares. The encoding of the proposed VCS for H is: Step 1: H is divided into area H • , areaQ l • and area Q l • by Sections 3.2.1 and 3.2.2.
Step 2: Generate n shares as follows: Here, S l (x, y) ← k (resp. S l (x, y) ← w) represents the color of S l (x, y) is modified by black (resp. white).
All processes are shown in Algorithm 1. The secret QR code is divided into several areas. Every area has some black modules in a certain block. If this area is missed or is not used to restore the QR code, this restored QR code will have errors. These errors will cause the restored QR code not to be decoded by the standard decoder. All areas are distributed by n shares to share the secret QR code.

The Decryption of the Proposed VCS
The decryption operation of this paper is as follows: the receiver needs to obtain n shares. These n shares are stacked to reconstruct the QR code. Its operation is: R is completely recovered. Its information is obtained using the decoder. When the receiver obtains all the shares, it needs to stack all the shares to recover the secret QR code. Each share contains nothing. They are meaningless.

Analysis of the Proposed VCS
This paper proposes an (n, n)-VCS. Use the mechanism of the ECC to ensure that no more than n shares can reconstruct the secret image losslessly. The number recovering the codeword exceeds the capacity of the ECC by every share. There is about half the number of the wrong codewords in the restored image in a specific block when the number is less than n, using Equation (5). The ECC of the QR code cannot correct half the codeword in every block. Therefore, the proposed scheme is relatively safe. When the attacker obtains n − 1 or fewer shares, they can know that the secret image is a QR code. However, they cannot decode the secret QR code. The attacker does not obtain the secret.
If the attacker obtains n − 1 shares, they will stack them to generate an image that resembles a QR code. However, it will not be decoded. Some codewords have one or many wrong modules that will cause these codewords to be wrong. The errors refer to some black modules being white. If a module is wrong, it makes a codeword wrong. It is hard to confirm which white module is wrong in a recovered image. The security is mainly reflected in the following points:

1.
This new image has more wrong codewords than it can correct (n − 1 shares). Therefore, it cannot be decoded. The attacker will not obtain the secret.

2.
The attacker knows some white modules are wrong. However, they cannot determine which areas are wrong. The errors are scattered throughout the QR code.
Due to the particularity of the QR code, this proposed scheme is secure. These n − 1 shares are used to recover the wrong QR code, which cannot be decoded. All recovered black modules are right, no matter how many shares. The number of wrong modules is very small, but they are mixed with the correct ones. There are many white codewords in the QR code. The right white modules and the wrong white modules are mixed, and are difficult to correct by any means.
This paper uses the mechanism of the ECC to design a QR code. Every share can restore a certain number of codewords. This number will exceed the number that the ECC can correct. Therefore, the number of shares is connected to the number of codewords. The n is limited in the proposed (n, n)-VCS and n ∈ [2, n m ].
This paper designs a scheme for a QR code. When a QR code is transmitted across a network, it can be obtained by an attacker. The standard of the QR code is public. Therefore, this QR code can easily be decoded. When using the proposed scheme to transmit the QR code, the attacker needs to obtain all the shares to restore the QR code. The proposed scheme enhances the security of the QR code on the Internet.

Experiments
The designed QR code follows ISO standard [48] and the Zxing library [49]. All experiments are introduced in this section.

The Simulated Experiment of the Proposed VCS
Version 4 and the error-correction level H (4-H) of the QR code are adopted in this section. The experimental results are shown in Figure 4.
The H (Figure 4a) can be distributed to six shares (Figure 4b-g) when n = 6. When six shares are stacked, the QR code will be recovered without errors (Figure 4h). Five or fewer shares can restore an image that resembles a QR code by HVS (Figure 4i-l). However, a standard decoder cannot decode them, and they are all useless images. Table 4 shows some experimental results. The experiment is tested with Figure 4h-l. The decoder is a standard decoder. The results show that Figure 4 is decoded and Figure 4i-l cannot be decoded. These results verify that the proposed scheme is safe.
When stacking different numbers of shares, the reconstructed QR code has different numbers of wrong codewords, as shown in Table 5. Six shares can fully recover the QR code. If a QR code is 4-H, it can correct eight codewords in every block. If the number of stacked shares is fewer than six, the recovered QR code has some errors. The number of wrong codewords is more than eight in a certain block. The restored QR code will not be decoded by the standard decoder. When the number is less than six, the number of incorrect codewords is greater than the capacity of ECC. A standard decoder cannot decode this recovered QR code.  no Figure 4l no The proposed scheme can fully reconstruct the QR code. It is an (n, n)-VCS. We stack fewer than n shares to recover the image without decoding it (similar to a QR code). The error exceeds the capacity of ECC. The reconstructed QR code is a useless image. The secret will not be revealed. The restored image does not have helpful information from HVS. These experiments show that the proposed VCS is relatively safe. Stacking (S 1 , · · · , S 6 ) (0, 0, 0, 0) Stacking (S 1 , · · · , S 4 , S 6 ) (0, 13, 0, 0) Stacking (S 1 , · · · , S 3 , S 6 ) (0, 13, 0, 12) Stacking (S 1 , S 2 , S 6 ) (0, 25, 0, 12) Stacking (S 1 , S 6 ) (0, 5, 25, 12) Figure 4i and the secondary data in Table 5 (Stacking (S 1 , · · · , S 4 , S 6 ) · · · ) show that the proposed scheme is relatively safe. Figure 4i can be observed as resembling a QR code. It has more wrong codewords than can be corrected in block 2 (13 codewords are wrong in Table 5). This wrong QR code can not be decoded using the decoder. The secret will not be revealed. It is hard to determine what areas are wrong in Figure 4i except for the finder pattern. Therefore, it is hard to do brute force attacks to reveal the secret.
This paper designs an (n, n)-VCS for the QR code. When n shares are used to restore the secret, the secret QR code can be recovered losslessly. This can be decoded by a standard decoder. If n − 1 or fewer shares are used to recover the secret, the restored QR code will have errors. A few wrong modules cause many codeword errors. The recovered QR code cannot be decoded by the standard decoder. The proposed scheme is relatively secure. This recovered QR code is deserved by HVS. However, it cannot be decoded and will not reveal anything. Figure 4, Tables 4, and 5 show that all shares can recover the QR code without errors. The restored QR code with n − 1 shares cannot be decoded by the standard decoder. These results prove that the proposed scheme is feasible and secure.

Comparison of Different Schemes
The proposed VCS is non-pixel-expansible. It can completely reconstruct QR codes. Table 6 introduces the comparison result. Compared with the proposed VCS, this is a pixelexpansible scheme [41]. The two schemes belong to two non-pixel-expansible VCSs [42,43]. However, they can recover the secret image with errors. Compared with these two VCSs, the proposed VCS cannot reconstruct a QR code losslessly. Wan et al. used a QR code to share a secret QR code [45]. The secret QR code version met certain conditions. This scheme does not apply to all versions of QR codes. The proposed scheme can encrypt all versions of QR codes. This is a non-pixel-expansible scheme [46]. It can produce meaningful shares. Compared to the proposed VCS, the restored image has some errors. Compared with the pixel-expansible scheme ( [41]), the proposed VCS has low time complexity.

Meaningful Shares
Recovered Image with Errors [41] yes no no [42] no yes yes [43] no yes yes [45] yes yes yes [46] no yes yes Proposed scheme no no no The proposed scheme has some advantages. It can reconstruct a QR code losslessly. Moreover, its size is the same in both secret images and shares. This paper obtains a VCS for a QR code without pixel expansion. However, the proposed VCS has the shortcoming that the generated shares are meaningless images.
The scheme belongs to a (2, 2)-threshold scheme [41]. It can recover a QR code without errors. It is hard to extend the (n, n)-threshold scheme. These schemes are (n, n) schemes [42,45,46]. However, they cannot restore the secret QR code with errors. To solve the above disadvantages, this paper proposes a new VCS for the QR code. The proposed scheme can recover the QR code without errors. It belongs to a (2, 2) scheme. This scheme is a scheme without pixel expansion. The time complexity is O(2D × 2D) in [41]. The time complexity of the proposed scheme is O(D × D). The proposed scheme is lower than Fang's scheme in terms of time complexity.

Analysis and Discussion
This paper uses the mechanism of the ECC to design a VCS for a QR code. A secret QR code can be recovered without errors using all shares. The proposed scheme is an (n, n)-VCS. It will be improved to design a (k, n)-VCS in the future. Moreover, the proposed scheme generates meaningless shares. That would be difficult for a receiver and sender to manage. In the future, the authors will design a new VCS that can generate meaningful shares for a QR code.

Conclusions
Using the characteristics of the ECC, this paper proposes a method for regional partitioning. A QR code is divided into n areas. These areas are distributed to n shares in a non-pixel-expansible method. If a share is missing, many wrong codewords will exceed the amount that the ECC can correct. A recovered QR code is not decoded, and the secret will not be revealed. Stacking all the shares can completely reconstruct the QR code, and a standard decoder can decode it. The capacity of the ECC will not be sacrificed. The proposed VCS is an (n, n)-VCS, which will be modified to a (k, n)-VCS later. The share is meaningless in this paper. In the future, a new scheme will generate meaningful shares. The proposed scheme is not resistant to outside attacks. A scheme that can resist external attacks will also be designed.