A Novel Threshold Changeable Secret Image Sharing Scheme

Abstract

In secret image sharing, the image is divided into several stego images, which are managed by corresponding participants. The secret image can be recovered only when the number of authorized participants is no less than the threshold. Thus, it is widely used to protect essential images, such as engineering drawings and product design drawings. In the traditional secret image sharing scheme, the threshold is fixed and unique. However, in practice, the security policy and the adversarial structure may change; therefore, the threshold must be adjusted dynamically. In this paper, we propose a novel secret image sharing scheme with a changeable threshold capability. Our scheme eliminates the limit of the changeable threshold and reduces the computation required. Also, our scheme is the first threshold changeable secret image sharing scheme that can recover an undistorted cover image. The theoretical analysis shows that our scheme is safe even if the threshold is changed. The experiments demonstrated that the stego image generated by our algorithm has better quality than other changeable-threshold, secret image sharing algorithms.

1. Introduction

With the rapid development of consumer and communication technologies, data, including images, increasingly are collected, transmitted, and disseminated only in electronic form. However, ensuring the security of images-in-transit and images-at-rest is challenging. In order to solve the security problem of private images, symmetric or public-key cryptography encryption images, which needs a key, are often used [1,2,3]. If the key is lost or the encrypted image is damaged, the secret information cannot be recovered. Secret sharing technology can provide private images with better security and fault tolerance. Using the secret image sharing technology, the private image is split into multiple shares and each share is distributed to authorized participants. Only a certain number of authorized participants can recover the original private image.

In 1979, Shamir [4] proposed a secret sharing scheme using the principle of polynomial interpolation. In the same year, Blakey [5] independently designed a secret sharing scheme based on space geometry. Since then, research on secret sharing has attracted the attention of researchers. In 1994, Naor and Shamir [6] proposed a secret image sharing scheme, generally, secure $(t,n)$ image sharing schemes divide the secret image into n shares. No complicated calculations are required, and the secret image can be reconstructed by stacking t shares. However, the share, a random-noise-like image, can be noticed very easily by attackers. To reduce the probability of discovery, Lin and Tsai [7] proposed a new secret image sharing scheme, in which stenography is used to embed the secret share into the cover image. Then, their scheme uses watermarking to provide the capability to verify shares, thereby preventing share spoofing attacks. Secret sharing can effectively ensure the security of secret information, but the traditional secret sharing schemes (e.g., [8,9,10,11,12]) cannot adjust the threshold value. However, in reality, the threshold value must be adjusted when the security policy or the adversary model changes. Here, we describe three example situations in which (1) the importance of the secret information must be changed, (2) some participants have left or joined the system, and (3) attackers have obtained one or more secret shares.

Inspired by the work of Yuan et al. [13], we propose a novel, adjustable, threshold image-sharing scheme. In our method, the threshold value is no longer fixed and can be adjusted dynamically and in a timely fashion according to the actual situation and security policy. By improving the polynomial generation method and the steganography of Guo et al.’s scheme [14], we achieve the following three features:

(1) There is no limit on the adjustable threshold values; therefore, the scheme can be used in more complex applications.

(2) By improving the polynomial generation algorithm, the secret can be recovered by calculating only one polynomial.

(3) We improved Guo et al.’s image hiding scheme [14] by using the location map to void the overflow pixel, which makes our scheme the first scheme to recover the cover image without distortion and to have the highest quality stego images compared to other threshold-changeable secret sharing schemes.

The remainder of the paper is organized as follows. In the next section, we introduce related work; in Section 3, we briefly revisit the work of Yuan et al. [13], before presenting our proposed scheme in Section 4; and in Section 5, we present our security and performance evaluations. Our conclusions are presented in the last section.

2. Related Work

In 1989, Laih et al. [15] proposed the first secret sharing scheme that had a changeable threshold. Desmedt and Jajodia’s scheme [16] incorporated the use of the redistribution of shares, which removed the requirement for the dealer to be online. Before the secret can be recovered, participants must maintain a secure channel with each other. In 1999, Martin et al. [17] designed a general model of sharing secret information with adjustable thresholds. In 2005, Barwick et al. [18] proposed a new secret sharing scheme with changeable thresholds that used broadcast communication to minimize the costs. In recent years, researchers have used different technologies to implement secret sharing schemes with adjustable threshold values. For example, based on polynomial interpolation, in 2012, Zhang et al. [19] designed a secret sharing scheme with an adjustable threshold capability that also resists conspiratorial attacks launched by malicious participants using historical shares. In 2016, Yuan et al. [13] proposed a dealer-free adjustable threshold secret sharing scheme that was designed to defend against a historical share attack by introducing a two-variable function. In 2017, Pilaram et al. [20] proposed an adjustable-threshold multi-secret sharing scheme based on a lattice design. In 2018, Jia et al. [21] proposed a secret sharing scheme with an adjustable threshold. The core of the scheme was to construct a new prime-number matrix, and the generation and reconstruction of the shares were achieved using the Chinese remainder theorem.

With the wide application of images, researchers began to regard images as secret information and introduced secret sharing into the field of images. In 2007, Yang et al. [22] improved Lin and Tsai’s [7] scheme by designing a scheme to achieve enhanced authentication using a Galois field. In a separate work, Lin and Chan [8] proposed an invertible secret image sharing scheme that achieved improved quality of the stego image, that provided larger embedding capacity, and that allowed for the reconstruction of an undistorted secret image. In 2012, Guo et al. [23] proposed the first hierarchical secret image sharing scheme. In their scheme, the stego images are partitioned into several levels, and each level has a corresponding threshold. The access structure is determined by a sequence of threshold requirements. Only when each threshold meets the current requirements and all of the thresholds are satisfied can the secret image be recovered without distortion. Hierarchical secret image sharing extends the boundary of secret image sharing, and such schemes are constantly being proposed [11,24,25]. To improve the quality of stego images, in 2013, Ulutas et al. [26] proposed a novel secret image sharing scheme that uses the exploiting modification direction (EMD) technique and the modulus operator to hide shares. The approach ensures higher visual quality stego images for the cover image. In addition to hierarchical schemes, many researchers have proposed various multi-secret image sharing schemes based on different technologies. For example, the Chinese remainder theorem [10], Boolean [27,28,29], and cellular automaton [30] have been proposed. In 2017, Yuan et al. [31] first applied the adjustable threshold into secret image sharing, and they proposed the first adjustable-threshold secret image scheme. Their scheme can adjust the threshold values securely before recovering the secret image. However, their scheme has some limitations, e.g., the threshold value is conditional, the secret share requires large storage space, and a significant amount of calculation is required during recovery. By extending Thien and Lin’s scheme [32], Liu et al. [33] proposed a threshold-changeable secret image sharing scheme in 2019. However, their scheme does not use image steganography and cannot resist collusion attacks.

3. Preliminaries

Here, we introduce the $\left(\left\{t_1,t_2,\dots ,t_N\right\},n\right)$ adjustable-threshold secret sharing scheme of Yuan et al. [13], which is the two-variable one-way function used in our scheme.

3.1. Two-Variable One-Way Function

A two-variable one-way function $f\left(r,s\right)$ is a function of the variables r and s that can be mapped to a fixed range of values in a finite field. It has the following properties as described by Chien et al. [34]:

(1) Given r and s, it is easy to compute $f\left(r,s\right)$;

(2) Given s and $f\left(r,s\right)$, it is hard to compute r;

(3) Having no knowledge of s, it is hard to compute $f(r,s)$ for any r;

(4) Given s, it is hard to find two different values $r_1$ and $r_2$ such that $f(r_1,s)=f(r_2,s)$;

(5) Given r and $f(r,s)$, it is hard to compute s;

(6) Given pairs of $r_i$ and $f(r_i,s)$, it is hard to compute $f(r_j,s)$ for $r_j\ne r_i$.

He and Dawson [35] introduced the concept of the two-variable one-way function through the existing one-way function and gave some theoretical proofs. In addition, they gave some examples of constructing two-variable one-way functions, such as using hash functions as follows: Let A be a secure signature scheme [36]. For a message m, the signature with secret key k is denoted by $A(k,m)$. Let h be a universal one-way hash function, the existence of which is based on any one-to-one, one-way function [37]. Let $f(x,y)=h\left(A\right(x,y\left)\right)$. Then f is a two-variable one-way function that satisfies the properties of (1)–(6).

In our scheme, the two-variable one-way function is used mainly to defend against the historical share attack. At the same time, the real share, $s_i$, can be used in the next secret sharing process, which can improve efficiency.

3.2. Yuan et al.’s Secret Sharing Scheme with a Changeable Threshold

In 2016, Yuan et al. [13] proposed a novel $\left(\left\{t_1,t_2,\dots ,t_N\right\},n\right)$-threshold secret sharing scheme. Their scheme does not have a limit on the value of the changeable threshold, and its computations are less complex. We briefly introduce the process of their scheme, which includes two procedures, i.e., the sharing procedure and the recovery procedure.

3.2.1. Sharing Procedure

To share secret s, the dealer constructs polynomial $h\left(x\right)$ as

$$h_N\left(x\right)=(s+a_{1}x+a_2{x}^2+\dots +a_{t_{N-1}}{x}^{t_{N-1}})modq$$

(1)

where q is a large prime number and $a_1,a_2,\dots ,a_{t_{N-1}}\in GF\left(q\right)$ are chosen randomly. Polynomial $h_j\left(x\right)$, which corresponds to the threshold $t_j(1\le j\le N)$, can be generated as follows:

$$\begin{array}{cc}\hfill h_{(N-1)}\left(x\right)& =(s+a_{1}x+\dots +a_{t_{N-1}-1}{x}^{t_{N-1}-1})modq\hfill \\ \hfill h_{(N-2)}\left(x\right)& =(s+a_{1}x+\dots +a_{t_{N-2}-1}{x}^{t_{N-2}-1})modq\hfill \\ \hfill ⋮\\ \hfill h_1\left(x\right)& =(s+a_{1}x+\dots +a_{t_1-1}{x}^{t_1-1})modq.\hfill \end{array}$$

(2)

Then, the dealer chooses different random integers, i.e., $r_1,r_2,\dots ,r_N$, corresponding to the thresholds $t_1,t_2,\dots ,t_N$ one to one. The shares can be calculated as follows:

$$y_i^j=h_j\left(f(r_j,s_i)\right)(1\le i\le n,1\le j\le N),$$

(3)

where $f(r,s)$ is a two-variable one-way function and $s_i$ is the real identification of the participant, $P_i$.

3.2.2. Recovering Procedure

Before recovering, if $t_j$ participants or more than $t_j$ participants want to recover the secret s, the combiner will broadcast the corresponding key, $r_j$. For a general description, we assume that participants $P_1,P_2,\dots ,P_{t_j}$ want to recover the secret. Then, the secret s can be recovered as follows:

$$\begin{array}{cc}\hfill s& =h_j\left(0\right)={\sum }_{i=1}^{t_j}{y}_i^j{\coprod }_{k=1,k\ne i}^{t_j}\frac{-f(r_j,s_k)}{f(r_j,s_i)-f(r_j,s_k)}modq.\hfill \end{array}$$

(4)

4. Proposed Scheme

In this section, we introduce the process of our scheme, which is divided into two phases, i.e., the secret image sharing phase and the recovery phase.

In the secret sharing procedure, the dealer generates the secret shares from the secret image and embeds them in the cover image to form the stego images. Then, the dealer adjusts the threshold value according to the actual environment and security policy. If the number of authorized participants is more than or equal to the threshold value, it enters the recovery phase and reconstructs the secret image and cover image. The abstract flow of our scheme is shown in Figure 1, and the main notations of this paper are listed in

Table 1. Summary of Notations.

Notation	Meaning
S	Gray-scale secret image S
C	Gray-scale cover image C
$sh\times sw$	$sh$ and $sw$ are the width and height of secret image S
$ch\times cw$	$ch$ and $cw$ is the width and height of cover image C
n	The number of participants
$P_i$	Participant i
$S_i$	The stego images holed by participant $P_i$
N	The number of changeable thresholds
$t_j$	The value of the $jth$ changeable threshold
m	A prime number, and $m\in \left[0,255\right]$
$h_j\left(x\right)$	The polynomial corresponding to threshold $t_j$
$f(r,s)$	A two-variable one-way function
$s_i$	The identification of participant $P_i$
$r_j$	The key corresponding to threshold $t_j$
$\left[x^k\right]$	Coefficient operator. If $h\left(x\right)={\sum }_{i\ge 0}{a}_i{x}^i$, then $\left[x^k\right]h\left(x\right)=a_k$
$⌈·⌉$	The ceiling function
$⌊·⌋$	The flooring function
D	Converted data of secret image
R	Cover data of the cover image
M	Non-embedded location map m-ary data
$L_i$	Location map share data of participan $P_i$

.

4.1. Secret Sharing Procedure

In the secret sharing procedure, the dealer generates secret shares from secret image S and then embeds them in cover image C to form stego images $S_1,S_2,\dots S_n$. The secret sharing procedure is divided into two parts, i.e., (1) the share generation phase and (2) the stego image generation phase. Figure 2 shows the flow diagram of the secret image sharing phase.

4.1.1. Share Generation Phase

In this phase, the secret image is processed to generate the shares of n participants. The work steps are as follows:

Step 1: According to the order from left to right and top to bottom, the dealer converts every pixel of secret image S into m-ary digits and forms the converted data D and $m\in \left[0,255\right]$. Every pixel is converted to $⌈{log}_{m}255⌉$ digits.

Step 2: The dealer selects N changeable thresholds according to their needs and in ascending order $(t_{i-1}<t_i,2\le i\le N)$.

Step 3: The dealer selects $t_1$ digits $d_0,d_1,\dots ,d_{t_1-1}$ from converted data D and constructs original polynomial $h_N\left(x\right)$ as follows:

$$\begin{array}{cc}\hfill h_N\left(x\right)& =a_0+a_{1}x+\dots +a_{t_N-1}{x}^{t_N-1}modm,\hfill \end{array}$$

(5)

where $a_i=d_i(0\le i\le t_1-1)$ and $t_N-t_1$ different integers $a_{t_1},a_{t_1+1},\dots ,a_{t_N-1}$ are chosen randomly in $GF\left(m\right)$.

Step 4: According to Algorithm 1, the polynomials $h_1\left(x\right),h_2\left(x\right),\dots ,h_{N-1}\left(x\right)$ corresponding to the thresholds $t_1,t_2,\dots ,t_{N-1}$ can be generated as follows:

$$\begin{array}{cc}\hfill h_{(N-1)}\left(x\right)& =(a_0+a_{1}x+\dots +a_{t_{N-1}-1}{x}^{t_{N-1}-1})modm\hfill \\ \hfill h_{(N-2)}\left(x\right)& =(a_0+a_{1}x+\dots +a_{t_{N-2}-1}{x}^{t_{N-2}-1})modm\hfill \\ \hfill ⋮\\ \hfill h_1\left(x\right)& =(a_0+a_{1}x+...+a_{t_1-1}{x}^{t_1-1})modm.\hfill \end{array}$$

(6)

Step 5: The dealer selects n distinct and nonzero random integers $s_1,s_2,\dots ,s_n$ to identify participants $P_1,P_2,\dots ,P_n$, and the dealer randomly selects N different integers $r_1,r_2,\dots ,r_N$ as the key. Then, shares $y_i^1,y_i^2,\dots ,y_i^N(1\le i\le n)$ can be calculated as follows:

$$y_i^j=h_j\left(f(r_j,s_i)\right)(1\le j\le N),$$

(7)

where $y_i^j$ is participant $P_i$’s share corresponding to the jth threshold and $f(r,s)$ is a function with two-variable one-way.

Step 6: Repeat steps 3–5 until the converted data are completely processed.

Algorithm 1 Polynomial generator.

Input:$h_N\left(x\right)$, j, $t_j$, $t_N$

Output:$h_j\left(x\right)$

$h_j\left(x\right)=h_N\left(x\right)$;

$d=t_N-t_j$;

while $d>0$ do

$c=\left[x^{t_j+d-1}\right]h\left(x\right)$

$h_j\left(x\right)=h_j\left(x\right)-c{x}^{t_j+d-1}$

end while

4.1.2. Stego Images Generation Phase

In this phase, the dealer embeds every participant’s share into the cover image and generates a corresponding stego image. The steps are as follows.

Step 1: Non-location map generation and hiding

The embedded pixel value may overflow (The reason is explained in Section 5); therefore, we need to generate the non-embedded location map. According to the principle of symmetry, a non-embedded location map is generated for the cover image as follows. First, we set a map of the same size as the cover image, and the default value for each position in the map is 0. Then, if the pixel c, which comes from cover image C, is not within the range of $\left[⌈(m-1)/2⌉,255-⌊(m-1)/2⌋\right]$, the corresponding position in map is modified to 1. As shown in Figure 3, we can obtain a corresponding non-embedded location map based on the $3\times 3$ block from the gray-scale image “Crowd”, where $m=7$ and the range of embeddable pixels is [3, 252].

In order to reduce the amount of embedded data, we used the secret image sharing method to generate shares of the non-embedded location map data as follows:

① The non-embedded location map is converted to m-ary data (called location map data M).

② The dealer selects $t_1$ digits $m_0,m_1,\dots ,m_{t_1-1}$ from data M and constructs the following polynomial:

$$g\left(x\right)=m_0+m_{1}x+\dots +m_{t_1-1}{x}^{t_1-1}modm.$$

(8)

Then, the share $g\left(s_i\right)(1\le i\le n)$ of participant $P_i$ is calculated, where $s_i$ is participant $P_i$’s identification. Share $g\left(s_i\right)$ is converted to binary data and saved to location map share data $L_i$.

③ Repeat step ② until data M are processed.

④ We used the LSB(Least Significant Bit) algorithm to embed $L_i$ into the cover image. Assume that the w-bit data in the pixel are replaced with the location map share data. The dealer selects unembedded pixel c from cover image C in the order from left to right and top to bottom and saves $c_{w-1},c_{w-2},\dots ,c_0$ to cover data R, where pixel c is represented in 8-bit binary as $c_7,c_6,\dots ,c_0$. Then, the dealer selects w digits $l_0,l_1,\dots ,l_{w-1}$ from the location map share data, $L_i$, and replaces $c_{w-1},c_{w-2},\dots ,c_0$ with $c_i=l_{w-1-i}(0\le i\le w-1)$.

⑤ Repeat step ④ until the location map share data, $L_i$, are embedded.

Step 2: Hiding Shares

According to the non-embedded location map, the dealer selects N embeddable pixels $c_1,c_2,\dots ,c_N$ from cover image C. Then, the dealer computes $b_1,b_2,\dots ,b_N$ and saves them to cover data R, where $b_j=c_{j}modm$$\left(1\le j\le N\right)$. The pixel values, i.e., $s{p}_i^1,s{p}_i^2,\dots ,s{p}_i^N$$\left(1\le i\le n\right)$, used to replace $c_1,c_2,\dots ,c_N$ can be calculated as

$$s{p}_i^j=\left\{\begin{array}{c}{c}_j^{\prime }-mif(-m<{\sigma }_i^j<-⌊\frac{m-1}{2}⌋)\hfill \\ \\ c_j^{\prime }if(-⌊\frac{m-1}{2}⌋\le {\sigma }_i^j\le ⌈\frac{m-1}{2}⌉),\hfill \\ \\ c_j^{\prime }+mif(⌈\frac{m-1}{2}⌉<{\sigma }_i^j<m)\hfill \end{array}\right.$$

(9)

where $c_j^{\prime }=c_j-b_j+y_i^j,$ and ${\sigma }_i^j=b_j-y_i^j$, $y_i^1,y_i^2,\dots ,y_i^N$ are the shares of participant $P_i$$\left(1\le i\le n\right)$.

Then, the dealer repeats the above processes until all of the shares of data are embedded.

Step 3: Cover data hiding

To recover the cover image without distortion, cover data R must be embedded into the cover image. The dealer selects an unembedded pixel c from cover image C and calculates $b=cmodm$. Then, the dealer selects $t_1-1$ digits $r_0,r_1,\dots ,r_{t_1-1}\in GF\left(m\right)$ from cover data R and constructs polynomial $g\left(x\right)$ as

$$g\left(x\right)=r_0+r_{1}x+...+r_{t_1-2}{x}^{t_1-2}+b{x}^{t_1-1}modm.$$

(10)

Then, the dealer computes every participant’s share $g_i=g\left(s_i\right)$, where $s_i$ is the identification of participant $P_i(1\le i\le n)$ and $c^{\prime }=c-b+g_i$. Stego image pixel $s{p}_i$ is calculated as

$$s{p}_i=\left\{\begin{array}{c}{c}^{\prime }-mif(-m<b-g_i<-⌊\frac{m-1}{2}⌋)\hfill \\ \\ c^{\prime }if(-⌊\frac{m-1}{2}⌋\le b-g_i\le ⌈\frac{m-1}{2}⌉).\hfill \\ \\ c^{\prime }+mif(⌈\frac{m-1}{2}⌉<b-g_i<m)\hfill \end{array}\right.$$

(11)

The dealer repeats the above processes until cover data R are embedded into cover image C, and then, the dealer generates all stego image $S_1,S_2,\dots ,S_n$. The composition of the stego image is shown in Figure 4.

Last, the dealer sends stego image $S_i$ and identification $s_i$ to participant $P_i$ through the secure channel and destroys secret image S and all of the stego images, i.e., $S_1,S_2,\dots ,S_n$, to avoid a situation in which the attacker can attain the secrete image S by attacking the dealer.

4.2. Recovery Procedure

When the security strategy or the adversary model changes, the threshold must be adjusted to maintain the original security level. Assume that the threshold value is changed to $t_j$$(1\le j\le N)$. Then, if the number of participants who agree to join in the recovery phase is greater than or equal to $t_j$, the dealer broadcasts key $r_j$ and the secret image S can be recovered.

Without loss of generality, we assume that participants $P_1,P_2,\dots ,P_{t_j}$ agree to recover secret image S. Then, the authorized participants recover secret image S and cover image C through three steps, i.e., (1) extraction of the non-embedded location map, (2) reconstruction of the secret image, and (3) recovery of the cover image. Figure 5 shows the flow diagram of the recovery phase.

Step 1: Extraction of the non-embedded location map

① The authorized participants select $t_1$$(t_1\le t_j)$ stego pixels from corresponding stego images $S_1,S_2,\dots ,S_{t_1}$(note: since $t_1=min\left\{t_1,t_2,\dots ,t_N\right\}$, at least $t_1$ participants participate in the recovery phase regardless of the current threshold).

② For each stego image $S_i$$\left(1\le i\le t_1\right)$, the authorized participants select pixel $s{p}_i$ in the order from left to right and top to bottom and represent pixel $s{p}_i$ as $c_i^7,c_i^6,\dots ,c_i^0$. Then, they extract the embedding data $c_i^{w-1},c_i^{w-2},\dots ,c_i^0$.

③ Repeat step ② to obtain the location map share data $L_i$.

④ The share $g\left(s_i\right)$ of stego image $S_i$ is extracted from $L_i$. Then, the polynomial $g\left(x\right)$ can be reconstructed as [38]:

$$g\left(x\right)=\sum _{i=1}^{t_1}g\left(s_i\right)\prod _{j=1,j\ne i}^{t_1}\frac{x-s_i}{s_i-s_j}modm.$$

(12)

From the coefficient of polynomial $g\left(x\right)$, we can obtain the recovery digits, i.e., $m_0,m_1,\dots ,m_{t_1-1}$.

⑤ Repeat step ④ until the non-embedded data of the location map are recovered.

Step 2: Reconstruction of the secret image

According to the extracted, non-embedded location map, the corresponding stego pixels, i.e., $s{p}_1^j,s{p}_2^j,\dots ,s{p}_{t_j}^j$, can be obtained from stego images $S_1,S_2,\dots ,S_{t_j}$. By using keys $r_j$ and $t_j$ and the participants’ identifications, i.e., $s_1,s_2,\dots ,s_{t_j}$, the polynomial $h_j\left(x\right)$ can be reconstructed as [38]

$$h_j\left(x\right)={\sum }_{i=1}^{t_j}{y}_i^j{\prod }_{k=1,k\ne i}^{t_j}\frac{x-f(r_j,s_k)}{f(r_j,s_i)-f(r_j,s_k)}modm,$$

(13)

where $y_i^j=s{p}_i^{j}modm$.

By repeating the processes above, all converted data, D, can be extracted, and the secret image, S, can be recovered by converting data, D.

Step 3: Recovery of the cover image

The authorized participants select $t_1(t_1\le t_j)$ stego pixels from the corresponding stego images. We assumed that the authorized participants selected stego pixels $\mathrm{s}{p}_1,\mathrm{s}{p}_2,\dots ,\mathrm{s}{p}_{t_1}$ from the stego images $S_1,S_2,\dots ,S_{t_1}$. Then, polynomial $g\left(x\right)$ can be reconstructed as

$$g\left(x\right)=\sum _{i=1}^{t_1}g\left(s_i\right)\prod _{j=1,j\ne i}^{t_1}\frac{x-s_i}{s_i-s_j}modm,$$

(14)

where $g\left(s_i\right)=s{p}_{i}modm$. From the coefficient of polynomial $g\left(x\right)$, we can obtain cover digits $r_0,r_1,\dots ,r_{t_1-2}$ and b. Digits $r_0,r_1,\dots ,r_{t_1-2}$ can be used to recover the cover image pixels of the location map area and the share area, and digit b can be used to recover the cover image pixel of the cover data area. Then, the participants repeat these processes to obtain cover data R. Because the LSB algorithm normally is used, we only represent how to recover cover pixels used to embed the share and the cover data.

Assume that we use stego images $S_1,S_2,\dots ,S_{t_j}$ to recover the area of cover image C used to embed the share. Then, we select N stego image pixels $s{p}_i^1,s{p}_i^2,\dots ,s{p}_i^N$ from the corresponding area of stego image $S_i$$\left(1\le i\le t_j\right)$ and select N digits $r_1,r_2,\dots ,r_N$ from cover data R. As we know, $b_j=c_{j}modm$, where $c_j$ is the cover image pixel value corresponding to stego image pixel $s{p}_i^j$. (See the details in Section 4.1) Stego image pixel $s{p}_i^j$$\left(1\le j\le N\right)$ can be computed as

$$s{p}_i^j=\left\{\begin{array}{c}{c}_j^{\prime }-mif(-m<{\sigma }_i^j<-⌊\frac{m-1}{2}⌋)\hfill \\ \\ c_j^{\prime }if(-⌊\frac{m-1}{2}⌋\le {\sigma }_i^j\le ⌈\frac{m-1}{2}⌉),\hfill \\ \\ c_j^{\prime }+mif(⌈\frac{m-1}{2}⌉<{\sigma }_i^j<m)\hfill \end{array}\right.$$

(15)

where $c_j^{\prime }=c_j-b_j+y_i^j$ and ${\sigma }_i^j=b_j-y_i^j$, where $y_i^j=s{p}_i^{j}modm$. Thus, the cover image pixel $c_j$ can be recovered as

$$c_j=\left\{\begin{array}{c}s{p}_i^j+{\sigma }_i^j+mif(-m<{\sigma }_i^j<-⌊\frac{m-1}{2}⌋)\hfill \\ \\ s{p}_i^j+{\sigma }_i^{j}if(-⌊\frac{m-1}{2}⌋\le {\sigma }_i^j\le ⌈\frac{m-1}{2}⌉),\hfill \\ \\ s{p}_i^j+{\sigma }_i^j-mif(⌈\frac{m-1}{2}⌉<{\sigma }_i^j<m).\hfill \end{array}\right.$$

(16)

After recovering the cover pixel used to embed the share, we can use the same method to recover the cover pixel used to embed the cover data. Then, we can recover the cover image without distortion.

5. Experiment and Analysis

In this section, we describe the experiments that were conducted on the scheme. Then, the performance of the experiments are analyzed in detail, and finally, the security of the scheme is discussed.

In the experiments, we use the peak signal-to-noise ratio (PSNR) as a measure of performance [39]:

$$\mathrm{PSNR}=10{log}_{10}\left(\frac{{255}^2}{\mathrm{MSE}}\right)\mathrm{dB}.$$

(17)

The mean square error (MSE) is defined in an $H\times W$-sized image [39]:

$$\mathrm{MSE}=\frac{1}{H\times W}\sum _{i=1}^H\sum _{j=1}^W{\left(p_{ij}-p_{ij}^{{}^{\prime }}\right)}^2,$$

(18)

where $p_{ij}$ is the original pixel value before embedding and ${p^{\prime }}_{ij}$ is the pixel value of the stego image.

5.1. Simulation Results

In our experiment, the parameters were set as follows: $N=3$, $n=6$, $m=7$, $t_1=3$, $t_2=4$, and $t_3=5$, which is a $\left(\left\{3,4,5\right\},6\right)$ threshold-changeable secret image sharing scheme. We chose a gray-scale baboon of $128\times 128$ pixels as the secret image, as shown in Figure 6.

Initially, we used the classic standard test image, Lena, at $512\times 512$ pixels, as the cover image. In our $\left(\left\{3,4,5\right\},6\right)$ scheme, six stego images were obtained, and then, $t_2=4$ was used as the changed threshold and the key, $r_2$, was broadcast. For simplicity, we choose to use images (a), (b), (c), and (d) to recover the secret image, and Figure 7 shows the experimental results, i.e., the average PSNR of the stego image was 47.15 dB. The results showed that this scheme has a good quality image, i.e., the difference between the stego image and the cover image could not be detected by the human eye, and the secret image can be recovered without any distortion.

In addition, the influence of the cover image on the quality of the stego image was considered. We used 9 different $512\times 512$-pixel gray-scale images as the cover image. This group of images is shown in Figure 8, and the experimental results are shown in

Table 2. Peak signal-to-noise ratio (PSNR) values (dB) of the stego images tested in nine cover images.

Cover Images	Stego 1	Stego 2	Stego 3	Stego 4	Stego 5	Stego 6	Average
Lena	47.14	47.13	47.16	47.17	47.13	47.14	47.15
Peppers	47.20	47.19	47.22	47.20	47.23	47.22	47.21
Boat	47.22	47.13	47.22	47.24	47.15	47.20	47.19
Fruits	47.03	47.12	47.00	47.14	47.03	47.10	47.07
Couple	47.15	47.22	47.22	47.13	47.15	47.22	47.18
Crowd	47.17	47.16	47.15	47.17	47.13	47.15	47.15
Airplane	47.11	47.12	47.13	47.13	47.12	47.11	47.12
Tiffany	47.03	47.14	47.11	47.14	47.06	47.03	47.08
Barbara	47.16	47.19	47.19	47.18	47.17	47.20	47.18

. It was apparent that the difference between the results of different cover images was small; therefore it was concluded that the cover image has little effect on the quality of the stego images.

5.2. Performance Analysis

In this section, we focus on analyzing the parameter m and thresholds $t_1,t_2,\dots ,t_N$ because these two parameters have important influences on the secret capacity and the quality of secret images in our scheme.

For the analysis of m, our experimental parameters are as follows: $N=3$, $n=6$, $t_1=3$, $t_2=4$, and $t_3=5$. The baboon is still the secret image, and Lena is used as the cover image;

Table 3. Relationship of the capacity distortion for different m values.

m	Pixel Change Range	PSNR
7	[−3, 3]	47.15
11	[−5, 5]	43.32
13	[−6, 6]	41.81
17	[−8, 8]	39.33
19	[−9, 9]	38.34
23	[−11, 11]	36.55

shows the results of the experiment, i.e., the relationship between the different values of m and the secret capacity. Based on the experimental data, we concluded the following: (1) as m increases, the value of PSNR decreases; (2) the secret embedding capacity increases as the factor m increases. For the first point, we can obtain it from the range of pixels. As the range of pixels changes and becomes larger, the difference between the pixels of the stego image and the pixels of the cover image increases; therefore, the PSNR value increases. Also, as the factor m increases, there is a lower share of data after conversion. That is to say, there are fewer areas on the cover image where changes occurred; therefore, the embeddable capacity increases. In our scheme, there were $t_1$ converted digits in the polynomial that was constructed, and it was embedded in N cover pixels (i.e., $N\times ⌈lo{g}_{m}255⌉/t_1$ pixel); similarly, $t_1-1$ cover data occupy one cover pixel. For a cover image with $H_c\times W_c$ pixels and considering the embedded pixels of the location map (the size of which is $⌈⌈\frac{lo{g}_m{H}_c\times W_c}{t_1}⌉\times \frac{lo{g}_{2}m}{w}⌉$), the embedding capacity is $\frac{t_1(t_1-1)}{[N(t_1-1)+t_1]\times ⌈lo{g}_{m}255⌉}\times (H_c\times W_c-⌈⌈\frac{lo{g}_m{H}_c\times W_c}{t_1}⌉\times \frac{⌈lo{g}_{2}m⌉}{w}⌉)$.

The value of the thresholds is another important factor in the scheme. We chose different thresholds in the experiment, and

Table 4. Performance comparisons of different potential thresholds.

Number	Thresholds	PSNR (dB)
1	{2, 3, 4}	44.25
2	{2, 4, 7}	44.24
3	{3, 4, 5}	47.15
4	{3, 5, 7}	47.15
5	{6, 7, 8}	51.18

shows the results of the experiment. In the experiment, there were five different sets of potential thresholds, i.e., $\left\{2,3,4\right\}$, $\left\{2,4,7\right\}$, $\left\{3,4,5\right\}$, $\left\{3,5,7\right\}$, $\left\{6,7,8\right\}$, and $m=7$; other parameters were set as above.

In our scheme, $t_1$ data were embedded for each secret sharing; therefore, the greater the threshold $t_1$, the greater the embedding capacity. The data in Table 4 are consistent with our theoretical analysis. Analyzing the thresholds $\left\{2,3,4\right\}$, $\left\{2,4,7\right\}$, $\left\{3,4,5\right\}$, and $\left\{3,5,7\right\}$ with fixed m and N, it was apparent that the quality of the image had little relationship with $t_N$. It is worth noting that the value of the minimum threshold and the value of the potential threshold are important factors that determine the quality of the stego images. This is because the minimum threshold and the number of thresholds affect the amount of embedded data. Then, by analyzing the data that correspond to the numbers 1, 3, and 5 in Table 4, it was found that the PSNR increases gradually as the factor, $t_1$, increases. The increase in the embedding capacity means fewer shares of fixed secret data, i.e., the number of pixels in the original cover image is modified less; therefore, the quality of the stego image is better.

Table 5. Comparison of related secret image sharing schemes.

Functionality	Yang et al. [22] 2007	Lin et al. [7] 2010	Ulutas et al. [26] 2013	Yuan et al. [31] 2016	Guo et al. [14] 2018	Liu et al. [33] 2019	Ours
Threshold	$\{t,n\}$	$\{t,n\}$	$\{t,n\}$	$\{t_1,t_2,\dots ,t_N\}$	$\{t,n\}$	$\{t^{\prime },t,t^{\prime \prime }\}$	$\{t_1,t_2,\dots ,t_N\}$
				$(t_{i+1}-t_i\le t_1)$
Threshold changeability	No	No	No	Yes	No	Yes	Yes
Collusion Attack Resistance	Yes	Yes	Yes	Yes	Yes	No	Yes
Number of recovering polynomials	1	1	1	$\frac{N+1}{2}$	−	1	1
Meaningful stego image	Yes	Yes	Yes	Yes	Yes	No	Yes
Quality of stego images	46.0 dB	48.36 dB	52.79 dB	46.02 dB	48.0 dB	−	46.65 dB
Lossless secret image	Yes	Yes	Yes	Yes	Yes	No	Yes
Lossless cover image	No	Yes	Yes	No	No	No	Yes
Maximum capacity (pixels)	$\frac{H\times W}{4}$	$\frac{(t-1)\times H\times W}{3}$	$\frac{(t-2)\times H\times W}{4}$	$\frac{t_N\times H\times W}{N\times ⌈lo{g}_{m}255⌉}$	$\frac{H\times W}{⌈lo{g}_{m}255⌉}$	−	*

− The scheme does not have this function; * The maximum capacity of our scheme is $\frac{t_1(t_1-1)\times (H_c\times W_c-⌈⌈\frac{lo{g}_m{H}_c\times W_c}{t_1}⌉\times \frac{⌈lo{g}_{2}m⌉}{w}⌉)}{[N(t_1-1)+t_1]\times ⌈lo{g}_{m}255⌉}$.

shows the comparison of our scheme with other secret image sharing schemes in recent years. We still used the baboon with $256\times 256$ pixels as the secret image and Lena with $1024\times 1024$ pixels as the cover image and set the thresholds as $\left\{2,3,4\right\}$, $m=5$. The results shown in Table 5 indicate that the PSNR value of our scheme was slightly lower than the PSNR values of the single-threshold, secret image sharing schemes. This occurred because our scheme embedded redundant shares and non-embedded location map information. However, in all secret image sharing schemes with changeable thresholds, our scheme had the best quality images. Although the embedding method was optimized, a location map also was embedded in order to recover the cover image; therefore, compared with Yuan et al.’s scheme [31], the improvement in the quality of the stego image was not obvious. In addition, since Liu et al.’s scheme [33] does not use steganography to hide the shared data, the shadow image is generated directly in their scheme; therefore, there is no meaningful reference to PSNR.

We also compared and analyzed the actual running performance. Considering that different types of secret image sharing schemes were not suitable for comparison, we experimented on the same type schemes, such as Yuan et al.’s scheme and Liu et al.’s scheme. The secret image was the baboon with $128\times 128$ pixels, and the cover image was Lena with $512\times 512$ pixels. The other parameters were $N=3$, $t_1=3$, $t_2=4$, $t_3=5,$$m=7$, and $n=6$. The adjusted threshold value $t_2=4$ was chosen for the actual performance test. The execution time of Liu et al.’s scheme is 32 s, that of Yuan et al.’s scheme is 151 s, and that of our scheme is 147 s. Liu et al.’s scheme does not have the steganography operation; therefore, its execution time is shorter than our scheme. Yuan et al.’s scheme needs to recover multiple polynomials layer by layer to recover the secret image, but our scheme only needs to compute a polynomial. Meanwhile, our scheme needs to generate and embed a location map, which Yuan et al.’s scheme does not need. Thus, our scheme’s execution time is shorter but close to Yuan et al.’s. Compared with other methods, our work has the following advantages and contributions:

(1) No limit on thresholds. In Yuan et al.’s scheme [31], the threshold can be changed only once. However, in our scheme, N potential thresholds do not need to satisfy $t_{i+1}-t_i\le t_1$$\left(i=1,2,\dots ,N-1\right)$. Meanwhile, the threshold value of our scheme can be changed more than once.

(2) Less calculation. In Yuan et al.’s scheme [26], if the threshold is adjusted to $t_j\left(1\le j\le N\right)$, they must use polynomial interpolation to determine the polynomial $h_j\left(x\right)$ and then to determine the polynomial $h_{j+1}\left(x\right)$,$h_{j+2}\left(x\right)$, …, $h_N\left(x\right)$ to obtain the secret from the polynomial $h_N\left(x\right)$. When recovering, our scheme does not have the process of iterating the polynomials, and only one polynomial has to be recovered.

(3) Recoverable cover image. In the same type of scheme, Yuan et al.’s scheme [31] cannot recover the cover image and Liu et al.’s scheme [33] does not use steganography; however, our proposed method can reconstruct the cover image and completely recover the secret image without distortion.

5.3. Security Analysis

In this part, we prove the applicable pixel range of the proposed method, and the security of the scheme is analyzed theoretically.

Theorem 1.

In our scheme, the difference ${\Delta }_i^j$ between original pixel $c_j$ and the corresponding stego pixel $s{p}_i^j$ must satisfy $-⌈(m-1)/2⌉\le {\Delta }_i^j\le ⌊(m-1)/2⌋$, where m is a prime number and $m\in [0,255]$.

Proof. 

In our scheme, stego pixel $s{p}_i^j$ is calculated as

$$s{p}_i^j=\left\{\begin{array}{c}{c}_j^{\prime }-mif(-m<{\sigma }_i^j<-⌊\frac{m-1}{2}⌋)\hfill \\ \\ c_j^{\prime }if(-⌊\frac{m-1}{2}⌋\le {\sigma }_i^j\le ⌈\frac{m-1}{2}⌉),\hfill \\ \\ c_j^{\prime }+mif(⌈\frac{m-1}{2}⌉<{\sigma }_i^j<m)\hfill \end{array}\right.$$

(19)

where $c_j^{\prime }=c_j-b_j+y_i^j$, ${\sigma }_i^j=b_j-y_i^j$, and $y_i^j=s{p}_i^{j}modm$. Then, there are three cases to consider:

(1) $-m<b_j-y_i^j<-⌊(m-1)/2⌋$

If there exists $-m<b_j-y_i^j<-⌊(m-1)/2⌋$, then, ${\Delta }_i^j=s{p}_i^j-c_j=-b_j+y_i^j-m$. Since $-m<b_j-y_i^j<-⌊(m-1)/2⌋$, it is easy to prove that $⌊(m-1)/2⌋-m<{\Delta }_i^j<0$. The equation can be expressed as $-⌈(m-1)/2⌉\le {\Delta }_i^j<0$ because ${\Delta }_i^j$ is an integer.

(2) $-⌊(m-1)/2⌋\le b_j-y_i^j\le ⌈(m-1)/2⌉$

The difference ${\Delta }_i^j$ can be expressed as ${\Delta }_i^j=s{p}_i^j-c_j=-b_j+y_i^j$ when $-⌊(m-1)/2⌋\le b_j-y_i^j\le ⌈(m-1)/2⌉$. Thus, taking the opposite of $-⌊(m-1)/2⌋\le b_j-y_i^j\le ⌈(m-1)/2⌉$, we can conclude that $-⌈(m-1)/2⌉\le {\Delta }_i^j\le ⌊(m-1)/2⌋$.

(3) $⌈(m-1)/2⌉<b_j-y_i^j<m$

The difference ${\Delta }_i^j$ can be expressed as ${\Delta }_i^j=s{p}_i^j-c_j=-(b_j-y_i^j)+m$ when $⌈(m-1)/2⌉<b_j-y_i^j<m$. Then, we can obtain $0<{\Delta }_i^j<m-⌈(m-1)/2⌉$, which can be transferred to $0<{\Delta }_i^j\le ⌊(m-1)/2⌋$ because ${\Delta }_i^j$ is an integer. □

In summary, we can prove that $-⌈(m-1)/2⌉\le {\Delta }_i^j\le ⌊(m-1)/2⌋$.

Theorem 2.

Let the original pixel, $c_j$, satisfy $⌈(m-1)/2⌉\le c_j\le 255-⌊(m-1)/2⌋$, where $m\in [0,255]$ is a prime number. Then, we can ensure that the generated stego pixel, $s{p}_i^j$, satisfies $s{p}_i^j\in [0,255]$.

Proof. 

In view of Theorem 1, there exists $-⌈(m-1)/2⌉\le {\Delta }_i^j\le ⌊(m-1)/2⌋$, where ${\Delta }_i^j=s{p}_i^j-c_j$. Since $s{p}_i^j\in [0,255]$, there are two cases to consider:

(1) $s{p}_i^j\le 255$

In this case, $s{p}_i^j$ can be expressed as $s{p}_i^j=c_j+{\Delta }_i^j$. Thus, the original pixel $c_j$ must satisfy $c_j\le 255-⌊\left(m-1\right)/2⌋$ because $-⌈(m-1)/2⌉\le {\Delta }_i^j\le ⌊(m-1)/2⌋$ and $c_j+{\Delta }_i^j\le 255$.

(2) $s{p}_i^j\ge 0$

Since $-⌈(m-1)/2⌉\le {\Delta }_i^j\le ⌊(m-1)/2⌋$ and $c_j+{\Delta }_i^j\ge 0$, we can prove that the original pixel, $c_j$, must satisfy $c_j\ge ⌈\left(m-1\right)/2⌉$.

To summarize, the original pixel, $c_j$, must satisfy $⌈(m-1)/2⌉\le c_j\le 255-⌊(m-1)/2⌋$, which can ensure that stego pixel $s{p}_i^j$ calculated through formula (19) does not exceed the range [0, 255]. □

According to Theorem 2, we embed the data into the original pixels that satisfy $⌈(m-1)/2⌉\le c_j\le 255-⌊(m-1)/2⌋$ and use the non-embedded location map to record the original pixels that do not meet this condition.

Theorem 3.

Before broadcasting the key, no participant can calculate her/his share point pairs, which can be used to recover the polynomial by Lagrange interpolation.

Proof. 

Assuming that the current threshold is $t_j\in \{t_1,t_2,\dots ,t_N\}$, the corresponding key is $r_j$$\left(1\le j\le N\right)$, and participant $P_i\left(1\le i\le n\right)$ wants to recover her/his first share point pair $\left(x_i^j,y_i^j\right)$, where $x_i^j=f\left(r_j,s_i\right)$, and $s_i$ is $P_i$’s identification. According to feature (2) of the two-variable one-way function, i.e., $f(r,s)$ presented in Section 3.1, participant $P_i$ cannot calculate $(f(r_j,s_i),y_i^j)$ without key $r_j$. Similarly, participant $P_i$ cannot recover the rest of her/his share point pairs and the other participants also cannot recover their share point pairs. Thus, no participant can obtain her/his share point pairs before broadcasting the key. □

Theorem 4.

If the number of authorized participants is less than the current threshold, the secret image cannot be recovered.

Proof. 

According to the people who take part in the recovery phase, there are two cases to consider when recovering:

(1) Only authorized participants take part in the recovery phase.

Assuming that the threshold is $t_j\in \{t_1,t_2,\dots ,t_N\}$, if only authorized participants take part in the recovery phase, the ideal situation is that $t_j-1$ participants want to recover the secret image. In our scheme, only if not less than $t_j$ participants want to recover the secret will the dealer broadcast the corresponding key, $r_j$. By Theorem 3, we know that no participant can calculate her/his share of point pairs before broadcasting the key. Thus, less than $t_j$ authorized participants cannot calculate their share point pairs, which means they cannot recover the secret image. Similarly, participants whose numbers are less than $t_j$ cannot recover their share point pairs that correspond to threshold $t_k$ ($k\in \{1,2,\dots ,j-1,j+1,\dots ,N\}$) because only the dealer can broadcast the current key, $r_j$.

(2) Malicious and authorized participants both take part in the recovery phase.

Assuming that the current threshold is $t_j$ and that $t_j\in \{t_1,t_2,\dots ,t_N\}$ if malicious and authorized participants both take part in the recovery phase, the ideal situation is that $k(1\le k\le n-t_j+1)$ malicious participants and $t_j-1$ authorized participants want to recover the secret image. The malicious participants can disguise themselves as authorized participants. Without loss of generality, it is assumed that both malicious participants $\{M_1,M_2,\dots ,M_k\}$ and authorized participants $\{P_1,P_2,\dots ,P_{t_j-1}\}$ take part in the recovery phase. After broadcasting key $r_j$, authorized participants $\{P_1,P_2,\dots ,P_{t_j-1}\}$ can calculate their share point pairs, i.e., $(f(r_j,s_1),y_1^j)$, $(f{(r_j,s_2)}^j,y_2^j)$, and $(f{(r_j,s_{t_j-1})}^j,y_{t_j-1}^j)$, where $s_1,s_2,\dots ,s_{t_j-1}$ is their identification. According to feature (3) of the two-variable one-way function $f(r,s)$ presented in Section 3.1, malicious participants $\{M_1,M_2,\dots ,M_k\}$ cannot calculate their share point pairs without legal identification. Only if recovery have $t_j$ share point pairs or more can the polynomial of degree $t_j-1$, where secret data can be hidden, be recovered by the Lagrange interpolation formula. Thus, the secret image cannot be recovered in this situation.

To summarize, the secret image cannot be recovered when the number of authorized participants is less than the current threshold. □

Theorem 5.

Even if attackers steal the dealer’s keys, they cannot recover the secret image without being able to identify the legal participants.

Proof. 

Let us assume that the threshold is $t_j\in \{t_1,t_2,\dots ,t_N\}$ and that the attackers want to recover participant $P_i$’s $\left(1\le i\le n\right)$ first share point pair $(x_i^j,y_i^j)$. According to feature (3) of the two-variable one-way function, i.e., $f(r,s)$, presented in Section 3.1, attackers cannot calculate $(f(r_j,s_i),y_i^j)$ without participant $P_i$’s identification, $s_i$. Similarly, attackers cannot recover the rest of $P_i$’s share point pairs and they cannot recover any participant’s share point pairs without her/his identification.

In view of Theorem 4, attackers can recover the secret image only if they can obtain no less than $t_j$ participants’ share point pairs. Thus, attackers cannot recover the secret image without legal participants’ identification even if they steal the dealer’s keys. □

Theorem 6.

Even if attackers obtain the keys and all of the share point pairs used to recover the secret image, they cannot calculate any participant’s identification.

Proof. 

Assume that the current threshold is $t_j$ and that the attackers want to calculate participant $P_i$’s $\left(1\le i\le n\right)$ identification, $s_i$, from key $r_j$ and $P_i$’s first share point $(x_i^j,y_i^j)$. According to feature (5) of the two-variable one-way function, $f(r,s)$, presented in Section 3.1, attackers cannot calculate $s_i$ from $r_j$ and $x_i^j$. Similarly, attackers cannot obtain $s_i$ from the rest of $P_i$’s share point pairs and they cannot calculate any participant’s identification. □

By Theorem 6, we know that attackers cannot obtain any participant’s identification even if they obtain the keys and all share point pairs. Thus, participant’s identification can be reused in subsequent secret image sharing procedures, which can improve the efficiency of our scheme.

6. Conclusions

This paper proposes a novel threshold-changeable secret image sharing scheme. The experiment shows that this scheme can produce high-quality stego images and can recover the cover image with loss. The theoretical analysis proved that our scheme can resist historical secret share attacks and collusion attacks, which means our scheme can adjust the threshold and recover the secret image securely. Thus, our scheme is safe and easy to use.

In the future, we will improve the stego image’s quality by following these two aspects. One is to improve the share generation mechanism, which can reduce the amount of share; on the other hand, we will also design a high-capacity image hiding algorithm based on pixel prediction and compression sensing.