Secret Image Sharing Revisited: Forbidden Type, Support Type, and Their Two Approaches

: In this paper, we introduce two new image-sharing types to extend the applicability of sharing. Type 1 is our so-called forbidden type. In its sharing system, any t of the n shares can recover the secret image, unless the t shares form a forbidden group listed in a forbidden list. Type 2 is our so-called cross-department support type. If a government has 3 departments { DEP H , DEP M , DEP L }, then 3 thresholds ( t H , t M and t L ) exist. Any t H number of officers from department DEP H can unveil the secret image, and likewise for any t M and t L number of officers from departments DEP M and DEP L , respectively. Type 2 image sharing allows a secret to be disclosed not only in an intra-department meeting but also in a cross-department meeting. In this study, both types are implemented through two approaches: the polynomial and linear-equations approaches. Hackers can be confused when two approaches are mixed. As for the applications, use Type 1 to protect sensitive information in medical or military images or legal documents; and use type 2 to support cross-department crime investigation, industrial production, etc.


Introduction
Secret sharing was introduced by Shamir [1] and Blakley [2] in 1979. In secret sharing, a given secret is encoded and divided into n shares, and two requirements must be met before a secret can be disclosed: a) any t of the n shares can cooperate to unveil the given secret, and b) less than t shares cannot unveil. Secret image sharing has at least two main streams. The first is visual cryptography (VC) [3], which is used for black-and-white (2-levels) images, and the second is polynomial-based sharing [4], which is used for gray-value or color images. Introduced by Naor and Shamir [3] in 1994, visual cryptography uses several transparencies as media to share the secret image, where each transparency is "larger" than the secret image in size. Building on Shamir's (t, n) scheme, in 2002, Thien and Lin [4] proposed a (t, n) threshold scheme for sharing 256-level secret images. In [4], each share was t times "smaller" than the given secret image. For a (t, n) threshold scheme, t ≤ n always holds. The security level is controlled by the ratio t/n, where a larger t/n ratio means that more participants are required for the secret to be deciphered, and hence, prevent the betraying from a small group of participants. If every participant trusts no one else, then t = n can be set. Smaller t/n ratios are used in unstable environments (e.g., during a war or if the storage medium or Internet connection is unreliable) in which many participants may lose contact. Thus, a (t, n) system not only addresses security concerns from betrayal but also allows for tolerance toward missing shares in unstable environments. Because sharing is useful, all four aforementioned papers [1 -4] have been frequently cited, particularly Shamir [1], which has had more than 10,000 citations from 1979 to 2019. Many recent studies have also focused on sharing [5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]. Finally, as for image sharing, some readers may wonder why one cannot just use a key to encrypt the secret image and then share the key with authorized personnel. This is because the resultant protection of the image will be extremely weak, although the n shares of the key will be smaller in size than the n shares of the secret image. In cases of a disk failure or hacker attack on the computer storing the encrypted version of secret image, the entire secret image will be deleted "forever".
In the present study, we attempt to extend our previous foundational study [4] on sharing to introduce two other types of sharing: the forbidden type and cross-department support type. We implement these two types first by using a polynomial approach and then by using a linear-equations approach. Notably, the polynomial approach has been widely used by researchers, but not the linearequations approach. We list both approaches here to increase security against hackers. For example, the secret image can be divided into several parts, where odd-numbered parts use the polynomial approach, and the even-numbered parts use the linear-equations approach.
The paper is organized as follows: Section 2 outlines the basics of polynomial-based sharing. Section 3 introduces the two proposed sharing types, including our two approaches to implementing each of the two types. Section 4 discusses some details of the design, such as how to obtain independent equations for the linear-equations approach and how to mix the two approaches to increase security. Section 5 describes practical application and implementation results. Section 6 concludes this study.

Review of Previous Work
Thien and Lin [4] proposed a (t, n) secret image sharing scheme in 2002. Their work has had many citations. In the scheme, the input image is partitioned and distributed into shares by using a polynomial. The size of every share is only 1/t the size of the original secret. Any t shares can reconstruct the image, whereas shares fewer than t cannot. The (t, n) secret image sharing scheme of Thien and Lin [4] is as follows: Polynomial-based (t, n) secret image sharing Step 1. Input a secret image. Assume it has m pixels. Permute all the pixels according to a key to obtain a noisy-looking image , which still has m pixels.
Step 2. Divide into (m/t) nonoverlapping segments so that every segment has t pixels.
Step 3. For each t-pixel segment j = 1, 2,..., m/t, use the gray values of its t pixels as the t coefficients {a0,..., at-1} in the segment-dependent polynomial: Step 4. Then, for each segment, the share Si receives a value p(i), true for each i = 1,…, n. As the segments are processed sequentially, the data size of each of the n shares also grows. Finally, when all m/t segments are processed, there are n shares. For each i = 1,…, n, the share Si receives one value from each of the m/t segments of image Q; thus, each share Si has m/t values. (Therefore, each share is t times smaller than the m-pixel secret image.) In these steps, the value of Z in Equation (1) can be set to 256, if all arithmetic operations in Equation (1) are in terms of the arithmetic operations in the Galois Field GF(256). For readers who are not familiar with the Galois Field, simply set Z to be a prime number near 256. For example, a study used Z = 251 [4], with auxiliary preprocessing that splits one pixel into two pixels for each pixel whose gray value is greater than 250.
The steps to recover the secret image are also executed segment by segment. For each segment, the t coefficients {a0,..., at-1} in the segment-dependent polynomial (1) is solved using Lagrangian interpolation polynomial method. We omit a discussion of this method because it can be learned through Internet resources or from any textbook on Numerical Analysis, such as [20].

Proposed Types and Approaches
In this section, we introduce two extended types (Types 1 and 2) of image sharing; we also demonstrate how they can be implemented by using either the polynomial approach or linearequations approach.
Type 1 (Sharing with forbidden combinations): To understand what Type 1 image sharing is, without loss of generality, consider 6 people {P1,..., P6} who share together a secret of the company. The secret is such that 3 or more people must be gathered to unveil it. Hence, the secret can be recovered by ( 6! (6−3)!3! ) = 20 possible combinations of personnel if no combination is forbidden. However, according to a security check, P1, P3, and P5 worked for a rival company before working in ours, making them less trustworthy. The combination of these 3 employees should thus be excluded as a combination that allows access to the secret. This is an example of Type 1 image sharing with a single forbidden combination, namely, {P1, P3, P5}. Of course, if the boss of our company wishes to be more careful, he can even forbid more combinations such as {P1, P3, x}, {P1, P5, x}, and/or {P3, P5, x}, where x can be any of the other employees (i.e., any other Pi). In the preceding example, some combinations cannot be used to gain access to the secret. We call it "sharing with forbidden combinations" and denote it as (tparticipants, nparticipants, f) sharing. Here, nparticipants: The number of participants who share the secret. Each participant will hold a so-called "shadow" file.
tparticipants: The minimum number of people required to recover the secret. Any tparticipants of the nparticipants participants can recover the secret by using the their shadow files, unless the tparticipants people constitute a forbidden combination.
f : The number of forbidden combinations. For example, the preceding example is a (3, 6, 1) scheme if there is only one forbidden combination {P1, P3, P5} and a (3,6,4) scheme if all {P1, P3, x} combinations are forbidden. Traditional sharing, which has no forbidden combinations, can be denoted as (tparticipants, nparticipants, f) = (3, 6, 0), and it is thus treated as a special case of Type 1 image sharing.
Type 2 (Sharing with cross-department support): Without loss of generality, assume there are 3 departments, namely {DEPH, DEPM, DEPL}. For officers in department DEPH, assume any 3 of them can recover the secret. For officers in department DEPM, assume any 4 of them can recover the same secret. For officers in department DEPL, assume any 5 of them can recover the same secret. Notice that this one secret has 3 thresholds: tH = 3, tM = 4, tL = 5. Hence, each department has its own threshold. This system can be easily implemented by repeating the traditional sharing system thrice: first, use a (t, n) = (3, nH) sharing system to share the secret among the nH officers of department DEPH, then use a (t, n) = (4, nM) sharing system to share the "same" secret among the nM officers of department DEPM, and then use a (t, n) = (5, nL) sharing system to share the "same" secret among the nL officers of department DEPL. However, due to illness, a terrorist attack, or business trips abroad, not every officer of the same department comes to the office every day. It is thus quite possible that on some workdays, the department has insufficient personnel to unveil the secret. For the company or government to still function, an auxiliary system must be designed to allow the secret to be unveiled in such a circumstance. Our so-called "crossdepartment support system" is one such system, where the secret can be unveiled through the cooperation of multiple departments.
In the following section, we detail our design for these two types. Section 3.1 and Section 3.2 describe the use of the polynomial and linear-equations approaches, respectively, in implementing the two types.

Using the Polynomial Approach to Design Types 1 and 2
Type 1 (Sharing with forbidden combinations): Without loss of generality, consider 6 participants {P1,..., P6} in the company, of which, any 3 can unveil the secret, unless the 3 participants constitute a forbidden combination. Examples 1 and 2 illustrate the steps in creating a sharing scheme with one and two forbidden combinations, respectively, and the appendix at the end of paper illustrates the cases when the number of forbidden combinations is 3 or 4. In general, the design of Type 1 is case by case, and the design of Type 2 is easier.
Example 1 (one forbidden combination): A sharing scheme with one forbidden combination is easy to design. Without loss of generality, let the only forbidden combination be the combination {P4, P5, P6}. Because there are only 6 participants, we shall create 6 "shadows" for the 6 participants per the following steps 1 and 2. This results in the creation of a (tparticipants = 3, nparticipants = 6, f = 1) threshold scheme, where {P4, P5, P6} is the only forbidden combination.
Note that we deliberately let the final two components of the participant P6 be the already-used shares S12 and S15, which had already appeared in P4 and P5. By doing this, the total number of different shares in the combination {P4, P5, P6} is only 3 + 3 + 2 = 8, which is less than the threshold of 9, meaning that the secret cannot be revealed. Conversely, any other combination {Pi, Pj, Pk} yields at least 9 distinct shares, and hence, can reveal the secret. Notably, for Participants P1 to P5, every participant holds a shadow (the data held by a participant), which is constituted by 3 shares; and each share is 9 times smaller in size than the original secret in the (9, 17) threshold scheme. Therefore, in our (tparticipants = 3, nparticipants = 6, f = 1) scheme, the data size of each participant P1 to P5 is 3  1/9 = 1/3 of the size of the original secret. By contrast, because P6 holds 4 shares, the data size is 4  1/9 = 4/9 of the size of the original secret.
Notably, because more constraints must be considered, the design is likely to become more difficult when the number of forbidden combinations increases. Example 3. (3, nparticipants, f) sharing whose f forbidden combinations always contain a troublemaking couple P1 and P2. See the appendix for the design.
Type 2 (Sharing with cross-department support): Let each participant belong to one of several departments, for example, 3 departments {DEPH, DEPM, DEPL}. Without loss of generality, assume the parameter pair (t = threshold, n = number of people in this department) for the 3 departments are, respectively, (tH = 3, nH = 4) for DEPH, (tM = 5, nM = 6) for DEPM, and (tL = 7, nL = 7) for DEPL. As the first step in the design, we shall assign a value to an artificial threshold tartificial, which is larger than any given local threshold. Subsequently, we use this artificial threshold tartificial to share the secret and thus obtain several shares such that any tartificial shares can recover the secret. We then distribute these shares to each person of each department. In this cross-department support type, we assume that shares are not repeatedly distributed. Let each person in DEPH, DEPM, and DEPL obtain, respectively, QH, QM, and QL shares. Then, to satisfy each department's rule for unveiling the secret, we must have: Because tartificial, QH, QM, and QL are all positive integers, if QL is 1, then Equation (2) implies 7  tartificial > 6; hence, tartificial = 7. Furthermore, the right-hand side of Equation (3) implies tartificial = 7 > 4  QM, which means the positive integer QM is 1, thus contradicting the left-hand side of Equation (3) because 5  QM  tartificial then becomes 5  1  7. Hence, we cannot use QL = 1. Thus, we try the next smallest value 2 for QL. Equation (2) then implies 14  tartificial > 12. Hence, tartificial is 13 or 14, proven as follows. If tartificial = 13, Equation (3) becomes 5QM  13 > 4QM, which can be satisfied by QM = 13/5 = 3, and Equation (4)  We now examine the system further. For example, let the artificial threshold be 14. We can then use (tartificial, nartificial) = (14, 52) in the traditional polynomial-based sharing scheme to create 52 shares. Each participant in DEPH, DEPM, and DEPL gets 5 = 14/3, 3 = 14/5, and 2 = 14/7 shares, respectively. Moreover, for any 2 participants (whether from the same department or from different departments), their set of shares do not intersect. Notably, because no intersection is allowed, any 3 DEPH participants can hand in 3  5 = 15 > 14 distinct shares; any 5 DEPM participants can hand in 5  3 = 15 > 14 distinct shares; and any 7 DEPL participants can hand in 7  2 = 14 distinct shares. However, 2 DEPH participants receive only 2  5 = 10 < 14 distinct shares; 4 DEPM participants receive only 4  3 = 12 < 14 distinct shares; and 6 DEPL participants receive only 6  2 = 12 < 14 distinct shares. Hence, the intra-department thresholds to unveil the secret are 3 for DEPH, 5 for DEPM, and 7 for DEPL. We create 52 shares because 4  5 + 6  3 + 7  2 = 52. In the deciphering meeting, the secret is revealed once the total number of available shares is equal to or greater than the threshold number 14, regardless of whether the participants are from the same department. Table 2 lists some of the many possible combinations that can be used to reveal the secret. Table 2. Solutions to unveil secret using within-department or cross-department support. The (t, n) instances are (3,4), (5,6), and (7, 7), respectively, for each of the 3 departments. For the 3 departments, the size of each shadow file held by a participant is, respectively, 5/14, 3/14, and 2/14 of the original secret image size. Moreover, in the aforementioned design for crossdepartment sharing, the artificial threshold tartificial is not unique, and the designers have the freedom to choose their own artificial threshold tartificial. For example, rather than using the aforementioned tartificial = 14, we may also use, say, tartificial = 20, to create shares. Then each participant in DEPH, DEPM and DEPL has 7 (= 20/3), 4 (= 20/5) and 3(= 20/7) shares, respectively. For each of the 3 departments, the shadow size is, respectively, 7/20, 4/20, and 3/20 of the size of the original secret. In addition to following the preceding steps to obtain valid values of tartificial by checking whether Equations (2-4) are satisfied, another method for obtaining tartificial is to use the least common multiple (LCM) of the threshold values of all departments. If the LCM is used, Equations (2-4) will be automatically satisfied: positive integer solutions for QH, QM, and QL necessarily exist because we can let QH = tartificial/tH, QM = tartificial/tM, and QL = tartificial/tL. Algorithm 1 shows how to use LCM to create shadows for cross-department support.  [4], each share is LCM times smaller than the original secret is when tartificial = LCM is used to create shares.

Possible Solutions The Number of Participants in Three Departments
Remark 2: Many values can be used as the value of tartificial, but they must satisfy the necessary but insufficient condition of tartificial ≥ Max{thresholds of all departments}. We may use multiple thresholds. For example, to confuse hackers, we can use tartificial = 19, 14, 13, 20, 21, 25, 26, 28, 27, 31, 32, 35, 34, 33, ... to confuse hackers. For instance, a small part of the secret is shared using tartificial = 19; then a small part of the secret is shared using tartificial = 14; then certain parts of the secret are shared using tartificial = 13; then... Since there are so many possible combinations, it will be more difficult for the hackers. Figure 2 illustrates the design (Figure 2a-c) and the secret disclosure ( Figure 2d) for a crossdepartment support system involving 3 departments, as described in Section 3.1. We use (tartificial, nartificial) = (14, 52) in traditional polynomial-based sharing to create 52 shares. Then, we distribute these 52 shares to all participants; and each participant of department DEPH gets more shares to form their shadows.
DEPH is a (3,4) sharing scheme; thus, create the 4 shadows for the 4 participants by using the shares in (b).

DEPM :
DEPM is a (5, 6) sharing scheme; thus, create 6 shadows for the 6 people by using the shares in (b).

Using the Linear-Equations Approach to Design Types 1 and 2
The linear-equations approach can be mapped from the polynomial approach. Because we already introduced the polynomial approach, we only need to know how to map from the polynomial approach to the linear-equations approach. In the polynomial approach, every participant has a shadow file comprising several shares, whereas in the linear-equations approach, every participant has a shadow file comprising several equations. For both approaches, the threshold tartificial must be met to unveil the secret. Specifically, in the polynomial approach, participants attending a meeting must have at least tartificial distinct shares, whereas in the linear-equations approach, participant attendees must have at least tartificial independent equations. The linear-equations approach thus proceeds as follows.  = 3, 4, 6, 8. Moreover, if rows are created using a specified process or algorithm, as discussed in Section 4.1, then each participant does not need to store the rows; for example, Pa only stores {IPj}j = 1, 2,5,7 and Pb only stores {IPj}j = 3, 4, 6, 8. Types 1 and 2 are detailed as follows. Example 1* is derived from Example 1 of Section 3.1, where Example 1*'s steps are such that Step 1* is derived from Step 1 of Section 3.1, Step 2* is derived from Step 2 of Section 3.1, and so on.
Type 1: Sharing with forbidden combinations Because the linear-equations approach can be mapped from the polynomial approach, we can, without loss of generality, simply use the examples in Section 3.1 to detail such a mapping. Hence, as in Section 3.1, we still consider 6 participants (P1,…, P6), where any 3 of the 6 participants can unveil the secret, unless the 3 participants form a forbidden combination. Examples 1* and 2* illustrate the steps required to create the sharing scheme with one and two forbidden combinations, respectively. Every other example of Section 3.1 also has a linear-equations counterpart in this section, Section 3.2.
Step 1*: As in Step 1 of Example 1 for the polynomial-based approach, tartificial = 9 and nartificial = 17. First, create a matrix with 17 rows where each row is 9-dimensional and any tartificial of the nartificial rows are independent. Subsequently, grab the next tartificial = 9 not-shared-yet numbers from the secret, where these secret numbers are termed Dsecret. Then, for i = 1 to i = nartificial (1 to 17 in this case), let Eqi be the equation (Rowi) • (Dsecret) = IPi, where IPi is the value of the inner product of the two vectors Rowi and Dsecret. Notably, because any tartificial = 9 of the nartificial rows are independent, any tartificial = 9 of the nartificial equations can uniquely solve for Dsecret, which has tartificial = 9 secret numbers.
Remark 3: Assume that the rule to create the independent 17-by-9 matrix A in Step 1* is from an algorithm-for example, each element ai,j is (i) j-1 -then there is no need to store the matrix. In this case, only the right-hand side of that equation-for example, the value IPi of the inner product for Eqi-needs to be stored. Hence, when a 9-number Dsecret is shared, every participant from P1 to P5 holds 3 inner product values, and P6 holds 4 inner product values. Example 2*. (two forbidden combinations): Similarly, assume that tparticipants = 3 and nparticipants = 6, meaning that any 3 participants can unveil the secret, unless the 3 participants constitute a forbidden combination. As in Example 2 of the polynomial approach, only the two combinations {P1, P2, P3} and {P4, P5, P6} are forbidden; hence, f = 2. Because we have 6 participants, we create 6 shadow files for these 6 participants. Each participant gets a shadow comprising some equations. As in the first step of Example 1*, we use the (tartificial = 9, nartificial = 16) scheme to share the 9-number secret section Dsecret and obtain 16  combinations, the secret can be revealed because at least 9 equations are available. The proofs of the preceding statements are routine and are thus not presented.
Type 2: Cross-department support system We must demonstrate how the polynomial approach can be extended to the linear-equations approach. Without loss of generality, only demonstrate such an extension for the example where tartificial = 14 in the cross-department support algorithm (Algorithm 1) of Section 3.1. Other examples of Type 2 in Section 3.1 can be analogously extended. In Algorithm 3, still use the parameter values used in Figure 2, namely, (tH = 3, nH = 4), (tM = 5, nM = 6), (tL = 7, nL = 7), and tartificial = 14. Grab a tartificial-values not-yet-shared segment, Dsecret, of the secret image. 8: for k = 1 to nartificial do 9: Calculate the inner product value IPk = Rowk • Dsecret for this segment. 10: end for 11: end while 12: for each participant in DEPH do 13: Grab tartificial/tH = 14/3 = 5 of the not-yet-assigned rows of A. The participant stores these 5 rows and the 5 × nSEG inner product values created above using these 5 rows. 14: end for 15: for each participant in DEPM do 16: Grab tartificial/tH = 14/5 = 3 of the not-yet-assigned rows of A. The participant stores these 3 rows and the 3 × nSEG inner product values created above using these 3 rows. 17: end for 18: for each participant in DEPL do 19: Grab 14/7 = 2 of the not-yet-assigned rows of A. The participant stores these 2 rows and the 2 × nSEG inner product values created above using these 2 rows. 20: end for 21: return the equation shadows, which are the stored rows and corresponding stored inner product values, of each participant of each department.

Discussion: Other Details of the Design
Section 4.1 introduces some methods to generate linear independent equations in the linearequations approach. Section 4.2 discusses the mixed use of the polynomial and linear-equations approaches to improve security. Section 4.3 introduces one more application type.

Mixed Use of the Two Approaches
In this paper, by introducing two distinct approaches when sharing, we can confuse hackers as follows. We may divide the given secret image into several regions; then apply the polynomial approach to some regions and the linear-equations approach to others. Figure 3 illustrates one of many examples. In general, there are a large number of possible ways to partition an image into regions. This is because either of the two approaches can be chosen for each region, and regionspecific parameters (for either the polynomial or linear-equations approach) can be used. This makes hacking much more difficult. For example, if we partition the image into 100 blocks, then, even if the blocks are of uniform size, and even if the hackers know that we have used 100 blocks of the same size, there are still 2 100 = 10 30 possible choices that the hackers have to sieve through before they can arrive at the correct local sharing parameters. This difficulty is compounded if other shapes, such as triangular blocks, or irregular shapes are used.
Linear-equations approach is used in white regions.
Polynomial approach is used in gray regions.

Sharing that Requires All Departments
In some circumstances, representatives from every department must be present. One example is a labor union meeting, where every department of the union must have at least one attendee to disclose a secret. We thus apply our method to this type of sharing, which we call "all-department" sharing. Without loss of generality, we still consider 3 departments: DEPH, DEPM, and DEPL. For simplicity, we also assume that every department has 4 people (i.e., 4 participants). As with the preceding examples, every participant owns a shadow. We now demonstrate how shadows can be created for these participants.
Step 2: Partition these 12 shares into 3 equal parts of 4 shares each. Next, assign shares S1-S4 to DEPL, S5-S8 to DEPM, and S9-S12 to DEPH. Note that each share appears in exactly one department.
Step 3: Every department can use its 5 shares to create Use S11-S15 to create likewise. Every department has 5 shadows, and any 2 departments together can only have 5 + 5 = 10 different shares, which are still less than tartificial = 12 shares. Therefore, the secret can only be revealed when all 3 departments have attendees because at least 4  3 = tartificial = 12 different shares are present.

Practical Applications and Implementation Results
Practical application examples of the forbidden-type sharing include the concealment of sensitive information in medical or military images or legal documents. For instance, for a given xray image, the corresponding patient's name, age, gender, and medical history are very sensitive and must be protected if this information is to be attached to the image for the convenience use of hospital's treatment team. To avoid being charged by the patient, no doctor of the treatment team should be allowed to see any personally identifiable information of the patient (except the x-ray image), unless sufficient number of the members of the treatment team agree to simultaneously unveil the hidden information in the treatment meeting. Figure 4 gives an example of this kind of application. Figure 4a is the original 512  1024 lung xray and medical chart image of a patient. We may use (tparticipants, nparticipants) = (2,4) sharing to share the image among 4 doctors {D1-D4}. The left half (the x-ray image) can be viewed by the cooperation of any two doctors. However, for the right half of the image, due to the sensitivity of the medical history, and also due to the fact that doctors D1 and D2 are brothers, we may particularly forbid the disclosure of the medical history if only these two brothers attend the disclosure meeting. Therefore, the left half image is shared using traditional sharing without any forbidding, i.e., (tparticipants, nparticipants, f) = (tartificial, nartificial, f) = (2, 4, 0). However, the right half image is shared using (tparticipants, nparticipants, f) = (2, 4, 1) with only one forbidden combination, namely {D1, D2}. In the above, the experiment is designed as follows. Split the original 512  1,024 image in Figure  4a to two 512  512 images: one is the lung image, and the other is the medical history image. To show the mixed use of the two approaches, the lung image and the medical history image are shared using distinct approaches. The 512  512 lung image is shared using linear-equations approach with (tparticipants, nparticipants, f) = (2, 4, 0). To achieve this, we need a 2-by-4 matrix A such that each row has 2 elements, and any 2 of the 4 rows are independent. There are infinitely many ways to design this matrix. One such way is to let Rowi = (i, i+1) for i = 1,…,4. Then, for each two-pixels pair of the x-ray image, let doctor Di store an integer IPi which is the inner product value of Rowi and a 2-dimensional vector formed of the two pixel values. Therefore, for the 512  512 x-ray image, each doctor will store 512  512/2 = 512  256 integers.
On the other hand, the right half of Figure 4a, i.e., the 512  512 medical history image, is shared using polynomial approach with (tparticipants, nparticipants, f) = (2, 4, 1). To achieve this, we use (tartificial, nartificial) = (4, 7) in traditional polynomial-based sharing to share the 512  512 medical history image and obtain nartificial = 7 shares {S1,..., S7} such that any tartificial = 4 of them can recover the medical history. Then we distribute these 7 shares to the 4 doctors. The distribution is that D1 gets {S1, S2}, D2 gets {S2, S3}, D3 gets {S4, S5}, D4 gets {S6, S7}. Note that we deliberately let the share S2 appear in both D1 and D2. By doing this, the total number of different shares in the combination {D1, D2} is only 2 + 1 = 3, which is less than the threshold value 4, meaning that the medical history cannot be revealed. Conversely, any other combination {Di, Dj} yields 4 distinct shares, and hence, can reveal the medical history. Notably, for the 512  512 medical history image, every doctor holds a record which is constituted by 2 shares; and each share is 4 times smaller in size than the original 512  512 medical history image in the (4, 7) threshold scheme. Therefore, the medical history data held by each doctor has 512  256 bytes which is 2(1/4) = 1/2 of the size of the 512  512 medical history image. Now, combining the two results, we can see that each doctor holds 512  512/2 = 512  256 integers for the x-ray image and also holds 512256 bytes for the medical history image. Since each integer is an inner product value of a 2-element row and a vector formed of two pixel values, the integer is between 0 and 2295 = (4  255) + (5  255) where 255 is the largest possible gray value, and 5 is the largest element of the matrix A whose Rowi = (i, i+1) for i = 1,…, 4. Hence, each integer needs (log 2,296)/(log 2) = 12 bits, or equivalently, 12/8 bytes. Hence each doctor holds 512  256  (12/8 + 1) = 512  256  (5/2) bytes as his shadow data. Therefore, each shadow size is (512  1,024)/(512  256  2.5) = 1.6 times smaller than the size of the image of Figure 4a.
For military, the image in Figure 4a can be replaced by a military image such as Figure 5, and then shared likewise so that certain combination of participants are forbidden to view the dynamics data shown in the right half of Figure 5.  The above are the practical applications of the sharing with forbidden combinations. Below we discuss the practical applications of the sharing with cross-department support. In some events, quite often there are several departments involved in the same events simultaneously. For example, after a terrorist attack in a city, many departments of the government will repeatedly check the same encrypted items such as the photos of the suspects, the weapons being used, or the protection program of the eyewitness. In this case, the national security department, the provincial police department, and the city police department form the three departments {DEPH, DEPM, DEPL} mentioned in Section 3. Let each participant (security agent or policeman) belong to one of the three departments. Without loss of generality, assume the parameter pair (t = threshold, n = number of people in this department) for the three departments are, respectively, (tH = 3, nH = 4) for DEPH, (tM = 5, nM = 6) for DEPM, and (tL = 7, nL = 7) for DEPL. For the 4 officers in department DEPH, any 3 of them can recover Figure 6. For the 6 officers in department DEPM, any 5 of them can recover Figure 6. For the 7 officers in department DEPL, all 7 of them must gather together in order to recover Figure 6. However, due to illness, road accident, or business trips abroad, not every officer of the same department comes to the office every day. It is thus quite possible that on some working days, the department has insufficient personnel to unveil the secret. For the government to still function, our cross-department support system can help us to unveil Figure 6 through the cooperation of multiple departments.
Using the design in Section 3.1, we did the experiments and found that the image in Figure 6 could be really unveiled as described in Table 2, either within-department or cross-department. The other application example is for the mobile-phone/automobile/airplane/ship factories or any company using blueprint to build machine or product (see Figure 7). We can treat the blueprint as a secret image. Then the blueprint is shared among the engineers of the production department. It is also shared among the managers of the administration departments, or among the co-owners of the company. Hence, the cross-department support system is also helpful for the same reasons mentioned in the last paragraph. Figure 7. A blueprint image for a company that designs, builds, and sells houses.

Conclusions
In this paper, two types of secret image sharing, which are extensions of traditional image sharing, are proposed. Type 1 is the forbidden type, and Type 2 is the cross-department support type. Both the polynomial approach and linear-equations approach can be applied for each type. By using the concept of redundant shares when assigning traditional shares to participants, and by mapping between the polynomial approach and linear-equations approach, the two proposed designs to achieve the requirement of the two types are obtained. Notably, hacking becomes more difficult if both approaches are used in the same image. Furthermore, as stated in Remark 3 of Section 3, the value of the threshold tartificial can be randomly chosen; hence, we may also use a predetermined sequence of multiple thresholds such as tartificial = 14, 7, 11, 20, 43, 31, ... to share the same secret in order to confuse hackers. Hacking becomes difficult because of this multiplicity of possible combinations.
We now compare between approaches and types. First, because Type 1 systems are designed on a case-by-case basis, systems of the forbidden type are harder to design than those of the crossdepartment support type. Second, the linear-equations approach is harder to apply than the polynomial approach is; although we have Algorithm 2, which is a general procedure to obtain the corresponding instance of the linear-equations approach from an instance of the polynomial approach. This is because Step 1 of Algorithm 2 implies the need to create an nartificial-by-tartificial matrix in the conversion to the linear-equations approach, where tartificial of the nartificial rows are linearly independent. This makes the linear-equations approach slightly harder to apply, but such nontrivial complexity also makes systems designed using the linear-equations approach more difficult to hack. As for storage, if the nartificial-by-tartificial matrix A needs to be stored, then the required storage space of each participant in the linear-equations approach is approximately tartificial times larger than the corresponding space in the polynomial approach. However, if this matrix A can be automatically generated by an algorithm or a preassigned method, then matrix A does not need to be stored, making the storage space of the two approaches approximately equal; we analyze this claim as follows.
Each participant i in the linear-equations approach needs to store a value IPi, which is the inner product of a row of A and a vector of tartificial pixel values, that is, IPi = (Rowi) • (Dsecret). Because (Rowi) has tartificial elements and Dsecret also has tartificial pixel values, notice that the inner product value cannot exceed tartificial  (Max A)  256-where (Max A) is the maximal value of the elements of matrix A, 256 is the pixel value range, and tartificial has its value because each inner product is the sum of tartificial integers in which each integer is less than (Max A)  256. To share a vector constituted by tartificial pixels, each participant for whom the polynomial approach is used stores a byte, but each participant in the linear-equations approach stores approximately log256[tartificial  (Max A)  256] = 1 + log256(Max A) + log256(tartificial) bytes. Notably, 1 + log256(Max A) + log256(tartificial) ≤ 1 + 1 + 1 = 3 if the maximal absolute value of elements of matrix A is < 256 and tartificial ≤ 256. If Max A becomes 65,535, the size amplification factor between the two approaches is still only 1 + 2 + 1 = 4. In the preceding analysis, if A contains negative elements, then replace Max A by the maximal absolute value of the elements of A. In summary, the use of the linear-equations approach (either singly or in conjunction with the polynomial approach, as described in Section 4.2) is meant to increase security against hackers, not decrease the complexity of the user's work.
Third, we analyze the use of the LCM for tartificial for all department thresholds in the crossdepartment support type, specifically regarding why the LCM yields greater economy in storage space relative to other candidate values. The shadow file size of each participant in the three departments are, respectively, tartificial/tH/tartificial = (LCM/tH)/LCM = 1/tH, tartificial/tM/tartificial = (LCM/tM)/LCM = 1/tM, and tartificial/tL/tartificial = (LCM/tL)/LCM = 1/tL of the size of the original secret. To understand why, note that each share is 1/tartificial smaller than the original secret is when we use tartificial as the threshold in traditional sharing to create shares, and also that each DEPx participant uses tartificial/tx shares to create their shadow, where x is the department. However, if tartificial ≠ LCM, then tartificial/tH or tartificial/tM or tartificial/tL can be non-integers, which implies the possibility of tartificial/tH/tartificial > 1/tH or tartificial/tM/tartificial > 1/tM or tartificial/tL/tartificial > 1/tL. If the preceding ">" relation holds for some departments, then the shadow files in those departments are larger than the shadow files created by using tartificial = LCM. However, although the LCM yields a more economical shadow size, the LCM's disadvantage is that because nartificial shares must be created, and nartificial > tartificial, nartificial may be too large if tartificial is very large. In fact, in the linear-equations approach, since we need to create a nartificial-bytartificial matrix where any tartificial of the nartificial rows are independent; such independence becomes harder to achieve for increasing values of tartificial.
Fourth, cross-department-supported sharing is different from progressive sharing [7,8,19]. In progressive sharing, the unveiling of the secret decreases in error to finally become error free. In cross-department-supported sharing, the unveiling of the secret is either error free or completely nothing (100% vs. 0%). In words, the secret disclosure of progressive sharing crosses several resolutions of image quality, whereas the secret disclosure of the cross-department support type crosses participants from several departments.

nparticipants)
The goal of Type 1 is that any tparticipants of the n participants given people can recover the secret together unless these t participants people form a forbidden combination.

(tartificial, nartificial)
To achieve the goal specified in Type 1 (or Type 2), we use the traditional method to create nartificial shares so that any tartificial shares can recover the secret. Then distribute these nartificial shares to the participating people. Each person gets a socalled "shadow" which is formed of several "shares".

Pi
The person who is the i th Participant.

Sj
The j th share.

Shadow
Each person holds a "shadow". Each shadow is formed of several shares.

IPi
The inner product value held by the person Pi in linear-equations approach.
Author Contributions: Conceptualization, methodology, and draft preparation, C.Y.C.; Review & Editing, supervision and validation, J.C.L. All authors have read and agreed to the published version of the manuscript.
Funding: This research received no external funding.

Conflicts of Interest:
The authors declare there are no conflict of interest.