1. Introduction
The security of important information transmitted over insecure communication channels is attracting increasing attention. In particular, the transmission of images has become commonplace, so image security is becoming a higher concern. Previous literature has mainly focused on three aspects, including image encryption, image steganography, and secret image sharing (SIS). Image encryption was subject to the earliest research, and more advanced cryptographic methods are developing. Image steganography is the art of hiding secret information into an innocent-looking cover image. However both of these techniques create only one file to hold all secrets, which may lead to the failure of communication if this one item is lost or damaged. On the other hand, if duplicates are used to overcome this weakness, the danger of exposing the secret image increases. SIS [
1,
2] is a solution to the above risks.
In fact, SIS is the expansion of secret sharing (SS) of an image. At the very beginning, SS was a key safeguarding scheme put forward by Blakley [
3] and Shamir [
4] independently. It divided a block of data into
n pieces, and any
k or more pieces could reconstruct the original data, while any
$k-1$ or fewer pieces left it undetermined. This kind of scheme is called the
$(k,n)$ threshold. It is successful in guaranteeing the security of keys. However, with secret images, the number of bytes becomes much larger, and the pixel value is bounded in a specific range (for example, 0–255 for gray-scale images). In this case, using the SS scheme directly may waste a lot of storage space and computation time. So Thien and Lin [
5] extended Shamir’s SS scheme to deal with digital images in 2002, which was the first
$(k,n)$ threshold secret image sharing (abbreviated as
$(k,n)$–PSIS) scheme. It is particularly noteworthy that smaller shadow images were generated in their scheme by utilizing all
k coefficients of Shamir’s polynomial to share the secret image, so that the size of each shadow image was reduced to
$1/k$ of the original size. Inspired by their research, the advantages of smaller shadows have begun to attract interest in this area. These are pointed out as below:
Saving storage space and transmission time. If each shadow image is the same size as the original secret image, the cost of the storage space and transmission time will be n times or at least k times in a $(k,n)$ threshold scheme. If the shadow image size is reduced to $1/k$, the same amount of data is needed in the recovery process. For example, to share 1 GB images using an SIS scheme for a $(4,5)$ threshold, 5 GB data are generated, and 4 GB is required in the recovery process for the scheme with the same size of shadow images. Meanwhile, only 1 GB shadow images are sufficient for reconstruction in Thien and Lin’s $(4,5)$–PSIS scheme, which has smaller shadow images.
Easier process for image hiding. The shadow images produced by SIS are usually noise-like, which tend to attract more attention from an adversary or warden. So, image hiding after sharing is desired in storage and transmission for better security. Many image hiding methods [
6,
7] require that the embedded image should be at least 1/2 (or even 1/4) smaller than the size of the cover image. In such cases, it is more valuable to have smaller shadow images in a secret image sharing scheme.
Consequently, many studies have been devoted to researching the properties of small shadow images. As we all know, a lossy experiment was implemented in Thien and Lin’s
$(k,n)$–PSIS scheme, in which all pixel values more than 250 of the secret image were truncated to less than 251. Therefore, if the pixel value is 251–255, at least 1 bit or at most 3 bits will be changed. In order to minimize the number of modified bits, a cyclical shift was done in Kanso and Ghebleh’s study [
8]. For each pixel value more than 250 in the secret image, they cyclically shifted the 8-bit binary representation of it one position to the right, so that only the most significant bit needed to be set to 0 for truncation. It reduced the difference between the secret image and the recovered image. The other properties of Thien and Lin’s scheme remained unchanged. A serious flaw, referring to the computational security, in Thien and Lin’s
$(k,n)$–PSIS scheme was also inherited: fewer than
k shadow images might reveal the secret image. More details of the problem were analyzed in Yan et al.’s research [
9]. This drawback has been pointed out by many researchers. Most of them intended to solve it by advanced encryption. For example, Guo et al. [
10] applied Advanced Encryption Standard (AES) encryption before the sharing process instead of a simple permutation. Then, they shared the encrypted secret image using Thien and Lin’s
$(k,n)$–PSIS scheme. Finally, the shadows were composed of shadow images and additional keys. The study patched up the computational security defect by using AES encryption before the sharing process. As a result, the security of their scheme depended upon the security of AES. The additional encryption cost more storage space and more computational time. Furthermore, because the size of the shadows in Guo et al.’s scheme was
$1/k$ of the secret image plus a short key length, Zhou et al. [
11] made a minor improvement. They also used a stronger encryption algorithm, rather than a simple permutation, to generate the encrypted secret image. Then, they subdivided the original image and encrypted image into super blocks, and used XOR operations to embed the key into the encrypted image. At last, they obtained the same-sized shadow images with Thien and Lin’s
$(k,n)$–PSIS scheme. It seemed to eliminate the obvious additional key. In fact, the key of auxiliary encryption must be recovered before reconstruction of the secret image. Some other studies also tried to solve the computation security problem by adopting more advanced encryption algorithms. Ahmadian et al.’s study [
12] was a variation of Thien and Lin’s scheme, too. It used a slightly modified version of All-or-Nothing Transform (SI-AONT) to replace permutation of the secret image for the first step. Then, an information dispersal algorithm based on systematic Reed–Solomon coding was used to generate n shadow images, instead of Shamir’s polynomial. The security of this scheme was also guaranteed by SI-AONT transformation and not the sharing algorithm itself. For sharing a color image with small shadow images, Liu et al. [
13] made an attempt. They applied compressed sensing (CS) to the
$(k,n)$–PSIS scheme before the sharing phase to complete compression and encryption of the secret color image. Next, the compressed and encrypted secret color image was shared using traditional Thien and Lin’s
$(k,n)$–PSIS scheme. Thus, the reduction of shadow size resulted from compressed sensing(CS). Though their scheme had error-resilient capability, the recovery image was lossy, and computation time was longer. All these properties were due to the additional compression method of CS.
In summary, former SIS schemes with small shadow images were mainly based on $(k,n)$–PSIS. They experienced an inevitable weakness, which is that fewer than k shadow images might reveal the secret image if all coefficients are used to share the secret. So, permutation, encryption, or compression has become an integral step before sharing for these schemes. Additionally, the security of SIS with a small shadow size seems to necessarily rely on the strength and safeguarding of the auxiliary key. Also, the recovery image is lossy when p is 251 in these schemes. Finally, computation is more time-consuming due to more complex encryption and decryption algorithms and Lagrange interpolation in the recovery phase.
Compared to Shamir’s original polynomial-based SS, which needs Lagrange interpolation as a fundamental step in the recovery phase, the Chinese remainder theory
$\left(CRT\right)$-based SS has attracted some researchers’ attention for its low computation complexity. The first SS scheme based on the CRT for a
$(k,n)$ threshold was put forward by Mignotte [
14] in 1982. However, SIS literature based on the
$CRT$ has had little concern for the reduction of shadow image size so far. In Hua et al.’s research [
15], they applied Mignotte’s method to implement a
$(k,n)$ threshold scheme with small shadow size. Because there is a lack of random factors in Mignotte’s expression, very complex arithmetic compression coding was used in the scheme before the sharing process to disrupt the similarity of adjacent pixel values in an image. Similar to the above
$(k,n)$–PSIS schemes, the reduction of shadow size in this scheme was caused by pre-compression too. The security and reduction of shadow images of Hua et al.’s scheme also relied on auxiliary encryption. As a matter of fact, the lack of random factors in Mignotte’s method was solved by Asmuth and Bloom [
16] early in 1983. They introduced a big random integer as the random factor to share the secret image directly. The effectiveness was verified in Ulutas et al.’s research [
17]. However, the size of the shadow images generated in the study was the same as the original secret image. Investigation has shown that studies focusing on the reduction of shadow image size based on Asmuth Bloom’s method are scarce to this day.
In short, former SIS schemes with small shadow sizes were mainly built on additional permutation, encryption, or compression of the secret image before the sharing process. As a result, security and reduction were guaranteed by additional operations and not the sharing procedure itself.
In this paper, a scheme with a small shadow size based on the
$CRT$ is proposed. It utilizes a scheme named
$(k,n)$–CRTSIS [
18], which was developed from Asmuth Bloom’s method. The advantages of the
$(k,n)$–CRTSIS scheme are the
$(k,n)$ threshold, lossless recovery, and low recovery computation complexity, while the size of the shadow images are the same as the original secret image. To further reduce the size of the shadow images under the proposed scheme, several approaches are carried out. Similar to the
$(k,n)$–PSIS scheme, all random elements in
$(k,n)$–CRTSIS are utilized to share the secret image. First, the secret image is translated to binary data. Second, the bits of binary data are taken out in sequence as random element values. In order to get a lossless recovery image,
$\lfloor \rfloor $ is performed to ensure the value of the coefficient is in the right range, so that 1 bit is dropped per operation of rounding down. Additionally, optional random binary bits are added in each binary sequence to enhance the security of the proposed scheme. These operations subsequently cause randomness. At last, the secret image is divided into small shadow images, which are close to
$1/k$ of original size in some cases. Thus the proposed scheme not only reduces the size of shadow images but also eliminates auxiliary encryption. Proper modifications also preserve the positive features of the
$CRT$, including
$(k,n)$ threshold, lossless recovery, and low recovery computation complexity.
The rest of this paper is organized as follows.
Section 2 introduces some basic requirements for the proposed scheme. In
Section 3, the proposed scheme is presented in detail. Analyses and improvements are given in
Section 4.
Section 5 displays several examples of experiments to verify our method. Finally,
Section 6 concludes this paper.
2. Preliminaries
In this section, some useful background is presented before introducing the proposed scheme, and the main parameters and constraints of
$(k,n)$–CRTSIS [
18] are elaborated briefly.
Asmuth Bloom’s SS scheme, which is the basic theory of $(k,n)$–CRTSIS, is presented first. The sharing process is carried out as follows:
Step 1. Choose a set of integers $\left\{p,{m}_{1}<{m}_{2}\cdots <{m}_{n}\right\}$ subject to
$gcd\left({m}_{i},{m}_{j}\right)=1,i\ne j$.
$gcd\left({m}_{i},p\right)=1$ for $i=1,2,\cdots ,n$.
$M>pN$
where $M={\prod}_{i=1}^{k}{m}_{i}$, $N={\prod}_{i=1}^{k-1}{m}_{n-i+1}$.
Step 2. Let x denote the secret data, satisfying $0\le x<p$. Then, $y=x+Ap$, where A is a random integer subject to $0\le y<M$. It yields A being in $\left[0,M/p-1\right]$.
Step 3. For $i=1,2,\cdots ,n$, ${a}_{i}\equiv y\left(\phantom{\rule{-0.277778em}{0ex}}mod{m}_{i}\right)$ is the $ith$ shadow of the secret data x.
The recovery process aims to solve the following linear congruence equations, which has the only solution for any
k shadows:
The solution is $y\equiv \left({a}_{1}{M}_{1}{M}_{1}^{-1}+{a}_{2}{M}_{2}{M}_{2}^{-1}+\cdots +{a}_{k}{M}_{k}{M}_{k}^{-1}\right)\left(\phantom{\rule{-0.277778em}{0ex}}modM\right)$ where $y\in \left[0,M-1\right]$, $M={\prod}_{i=1}^{k}{m}_{i}$, ${M}_{i}=\raisebox{1ex}{$M$}\!\left/ \!\raisebox{-1ex}{${m}_{i}$}\right.$ and ${M}_{i}{M}_{i}^{-1}\equiv 1\left(\phantom{\rule{-0.277778em}{0ex}}mod{m}_{i}\right)$ Consequently, the secret data can be recovered as $x\equiv y\left(\phantom{\rule{-0.277778em}{0ex}}modp\right)$.
Afterward, SIS based on Asmuth Bloom’s SS scheme was implemented in Ulutas et al.’s research [
17]. It mapped the pixel values
x (corresponding to the secret data), which is larger than
p, in the right range and divided the span of
A into two intervals corresponding to different pixel values
x. Since the pixel values of a gray image are in the range
$\left[0,255\right]$, it leads to the changes in the first two steps in Asmuth Blooms’s scheme:
Step 1. The boundary value p is further clarified as $p<{m}_{1}$ to satisfy the constraints.
Step 2. According to different pixel values of x, the big integer y is computed differently. If $x<p$, $y=x+Ap$, A is a random integer in $\left[t+1,M-1\right]$, while $x\ge p$, $y=x-p+Ap$, A is randomly picked from integral range $\left[0,t\right]$. Here, t is a new boundary of two intervals.
Because of the two situations of x in the sharing phase, a comparison is also made in the recovery phase. Let ${T}^{*}=\u230a\frac{y}{p}\u230b$, if ${T}^{*}\ge T$, $x\equiv y\left(\phantom{\rule{-0.277778em}{0ex}}modp\right)$, else $x=y\left(\phantom{\rule{-0.277778em}{0ex}}modp\right)+p$. Then, x is the recovered pixel value of the secret image.
Subsequently,
$(k,n)$–CRTSIS [
18] enhanced the performance of the above scheme. It ensures the
$(k,n)$ threshold, together with lossless reconstruction, by computing the boundary values more specifically.
1. In Step 1, the chosen integers are limited to $\left\{128\le p<{m}_{1}<{m}_{2}\cdots <{m}_{n}\le 256\right\}$, which is also subject to the original constraints.
2. In Step 2, the boundary values are narrowed and specified. First, the range of A is reduced from $\left[0,M-1\right]$ to $\left[\u2308\frac{N}{p}\u2309,\u230a\frac{M}{p}-1\u230b\right]$. Second, the segmentation value t is computed as the median $T=\left[\frac{\u230a\frac{M}{p}-1\u230b-\u2308\frac{N}{p}\u2309}{2}+\u2308\frac{N}{p}\u2309\right]$. Thus, the sharing phase can be carried out clearly, in line with the strict parameters. If $0\le x<p$, $y=x+Ap$, A is in $\left[T+1,\u230a\frac{M}{p}-1\u230b\right]$, else $y=x-p+Ap$, A is in $\left[\u2308\frac{N}{p}\u2309,T\right)$.
The reconstructed phase of
$(k,n)$–CRTSIS is the same as Ulutas et al.’s scheme [
17], with two accessorial public parameters
p and
T.
The $(k,n)$–CRTSIS overall acquires the following advantages:
Lossless recovery. It is well known that in Thien and Lin’s scheme [
5], only a lossy experiment was realized. In their experiment, the prime number
p was set as 251, so that all the coefficients of Shamir’s polynomial needed to be truncated to less than 251 for reconstructing the secret image successfully. Apparently, the recovery image of Thien and Lin’s
$(k,n)$–PSIS scheme would be lossy. Although they also provided a lossless method, lack of realization for the solution is not optimal. The previous studies focusing on reducing the size of shadow images were mainly devoted to enhancing the security of the
$(k,n)$–PSIS scheme, but they did not pay much attention to obtaining a lossless result. In the
$(k,n)$–CRTSIS scheme, a lossless recovery image can be gained directly without any more complex operations or auxiliary encryptions. Thus, the proposed scheme based on
$(k,n)$–CRTSIS can obtain a lossless recovered image.
Low computation complexity. As stated above, Lagrange interpolation is a fundamental step in the recovery phase of Shamir’s polynomial-based schemes. It requires
$O\left(k{log}^{2}k\right)$ operations to decrypt each pixel of the secret image. For the
$CRT$, only
$O\left(k\right)$ modular operations are needed in reconstruction [
16]. This will show a clear priority for dealing with many secret images and large images.
A shortcoming of the $(k,n)$–CRTSIS scheme which can be improved is that the size of shadow images is the same as the original secret image. The following Sections of this paper are devoted to solving this problem.
5. Experiments and Comparisons
In this section, experiments are described to verify the effectiveness of the proposed scheme and prove the theoretic analysis in
Section 4. Comparisons of Thien and Lin’s
$(k,n)$–PSIS without pre-encryption and our scheme are listed in
Section 5.2. Finally, further discussions are given to enhance the security of our scheme by increasing the random bits
r.
5.1. Experiments
In this subsection, $(3,3)$ and $(3,4)$ threshold experiments are presented, which are provided to verify that our scheme can satisfy the $(k,n)$ threshold. It indicates that our scheme has the general threshold. It takes $r=2$ as an example for random bits added in A, which is good enough for ordinary natural images.
In
Figure 2, results of a
$(3,3)$ threshold is utilized to demonstrate the effectiveness of the
$(k,k)$ threshold in our scheme, with
$(p,{m}_{1},{m}_{2},{m}_{3})=(131,249,251,253)$.
Figure 2a is the original secret image
S with
$336\times 336$ pixels.
Figure 2b–d are noise-like shadow images with the small size of
$336\times 128$ pixels, which is
$\frac{336\times 128}{336\times 336}=\frac{8}{21}=\frac{1}{3-3/8}=\frac{1}{k-(1+r)/8},(k=3)$.
Figure 2e is an example of the image recovered by two shadow images, which is less than the threshold
$k=3$. It is a bit different from the noise-like image but has no leakage of visual information of the secret image. The security of shadow images and recovery images is further analyzed through their histograms in
Figure 3.
Figure 3 displays the histograms of the experimental results shown in
Figure 2. Histograms in
Figure 3b–d indicate that the pixels of the shadow images are indeed distributed randomly. The histogram of the recovery image, which is reconstructed by two shadow images, is not similar to the original secret image (shown in
Figure 3a) at all. It means that there is no leakage of the secret image when shadow images are collected below the threshold. Also, our scheme is a lossless recovery method, as verified by the difference image, which is all black, shown in
Figure 3f.
In
Figure 4, the experimental results are not listed completely.
Figure 4a,b are the original secret image and its histogram.
Figure 4c is an example of the shadow images with
${m}_{3}=253$, and
Figure 4d is its histogram.
Figure 4e,g,i are the instances of recovery images corresponding to
$k=2,3,4$, and
Figure 4f,h,j are their histograms, respectively.
Figure 4k,l show the difference between the recovery image and the secret image when more than the threshold shadow images are collected.
Figure 4c,d shows that the pixels of shadow images in our scheme are entirely random.
Figure 4e–j verifies the
$(k,n)$ threshold of our scheme, which means that there is no leakage when less than
k shadows are collected, and the secret image can be reconstructed losslessly when
k or more than
k shadows are gained.
The two above experiments prove that our scheme based on $(k,n)$–CRTSIS with small shadow size is feasible and secure.
5.2. Comparisons
A
$(2,4)$ threshold experiment is presented in this subsection, which is used to compare with the experimental results shown in Thien and Lin’s scheme [
5].
Thien and Lin’s
$(k,n)$–PSIS scheme was based on Shamir’s SS, which shared the secret data by using a
$k-1$ degree polynomial, as shown in Equation (
2), in which
p is a prime to guarantee the recoverability.
However, there are two disadvantages in Thien and Lin’s $(k,n)$–PSIS: In Shamir’s original algorithm, only ${a}_{0}$ is used to embed the secret message, while ${a}_{1},{a}_{2},\cdots ,{a}_{k-1}$ are random integers. In this way, shadow images are generated with the same size as the original secret image. To reduce the size of each shadow image, all coefficients in Equation (12) are utilized for sharing in Thien and Lin’s $(k,n)$–PSIS. It means that ${a}_{0},{a}_{1},{a}_{2},\cdots ,{a}_{k-1}$ are all pixel values selected from the secret image S. The size of the generated shadow images are thus $\frac{1}{k}$ of the original secret image. For the reason that adjacent pixel values in the same image may be consecutive, when all coefficients of the polynomial are replaced by pixel values of the secret image, it diminishes the randomness of the integers. As a result, pre-permutation is essential for Thien and Lin’s scheme.
Additionally, $x,f\left(x\right),{a}_{0},\cdots ,{a}_{k-1}$ should be limited to $[0,250]$, since $p=251$ in Equation (12). However, the gray-scaling image has 256 gray levels from 0 to 255. Therefore, pixel values more than 250 are all truncated to less than 251. Consequently, the recovery image in Thien and Lin’s scheme is a lossy result. Although the recovered images by this technique look similar to the secret images, they cannot satisfy the requirement of lossless recovery in certain application scenarios.
A lossless solution was also advised in their paper. It split the pixel values ${x}_{i}$ of more than 250 to two partitions, first 250, then ${x}_{i}-250$. Thus, the size of shadow images will vary a lot according to the statistics of the secret image pixels. Nevertheless, the lossless experimental result was not displayed for the complex solution.
The two disadvantages of Thien and Lin’s scheme is presented in
Figure 5. It can be seen that significant parts of the secret image are revealed in the four shadow images (
Figure 5e–h) without pre-permutation, and lossy pixels exist in the recovery image indeed when pixel values are more than 250 in the original secret image. The differences are shown in
Figure 5d, where the white parts are different pixels between the recovery image and the secret image.
In our scheme, the only random factor, which is the big integer
A in the linear congruence equations, is also used to share the secret image. Firstly, the pixel values of the secret image are multiplied in groups to express A. Secondly,
$\lfloor \rfloor $ is done to
A to get lossless reconstruction, so that a
$1-bit$ shift occurs for each loop. For a further step,
r random bits are added in
A to enhance the security of the proposed scheme. Above all, noise-like shadows can be generated by our scheme without pre-encryption, which is shown in
Figure 6. Also, no truncations are manufactured in our scheme, so no lossy pixels are produced in our scheme either. The compared image is also shown in
Figure 6d with all black pixels.
5.3. Discussion
As mentioned in the algorithms of the proposed scheme in
Section 3.2, the randomness of coefficient
A is enhanced by increasing the number of random bits
r in
A. The range of
r is
$\left[1,7\right]$. The bigger
r is, the more secure our scheme is. In
Section 5.1, the experimental results with
$r=2$ are elaborated. This is sufficient for natural images when
r is small. However, if the secret image has lots of continuous pixel values, it needs more random bits to guarantee the security of the method.
Figure 7 is a secret image with lots of continuous pixels. Though the shadow images are still noise-like in
Figure 7b, the outline of the secret image may be revealed a little when less than the threshold for shadows are collected when
$r=2$, as shown in
Figure 7c. The problem can be solved by increasing random bits of
A. As shown in
Figure 7e, there is no leakage for the same parameters as
Figure 7c, except
$r=7$. Nevertheless, security is strengthened as the size of shadow images is enlarged from
$336\times 128$ to
$336\times 168$. Furthermore, when
$k=2$ and
$r=7$, there will be no reduction of the size of the shadow images for
$\frac{1}{k-(1+r)/8}=1$.
Based on the above analyses and discussions, the priorities of our scheme can be concluded as follows.
Reduction of shadow images. In the proposed scheme,
x and
A in the formula of the
$CRT$ are all used to share the secret image. As illustrated in
Section 4.1, reduction of shadow image size is
$\frac{1}{k-(1+r)/8}$.
No pre-encryption. The number of bits contained in A is $8(k-1)-1$. There is always 1 bit dropped and r random bits added in one sharing step. The two operations guarantee the randomness of our scheme. Consequently, the security of the scheme relies on the sharing scheme itself and not additional encryption.
Imperceptibility. Every single shadow image is noise-like, for the pixel values are approximately uniform in distribution. Any $k-1$ or fewer shadows give no clue about the secret image.
Losslessness. Our scheme is built on a lossless $(k,n)$–CRTSIS method, and the number of bits used to share is limited to the floor of A. Consequently, the reconstruction of secret image S is lossless.
Low computation complexity. Compared to
$O\left(k{log}^{2}k\right)$ operations needed in the recovery phase of the polynomial-based scheme due to Lagrange interpolations, it requires only
$O\left(k\right)$ operations of modular method based on
$(k,n)$–CRTSIS [
16].