Secret Image Sharing with Dealer-Participatory and Non-Dealer-Participatory Mutual Shadow Authentication Capabilities

: A ( k , n ) threshold secret image sharing (SIS) method is proposed to divide a secret image into n shadows. The beauty of this scheme is that one can only reconstruct a secret image with k or more than k shadows, but one cannot obtain any information about the secret from fewer than k shadows. In the ( k , n ) threshold SIS, shadow authentication means the detection and location of manipulated shadows. Traditional shadow authentication schemes require additional bits for authentication; need much information to be public; or need to put each shadow into a host image, utilizing the information hiding technique, which makes the generation, recovery and authentication complexity higher. Besides, most existing schemes work when a dealer participates in recovery. Our contribution is that we propose a SIS method for a ( k , n ) threshold with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities which integrates polynomial-based SIS and visual secret sharing (VSS) through using the result of VSS to "guide" the polynomial-based SIS by a screening operation. In our scheme, when an authentication image is public, all involved actors (participants and dealer) can mutually authenticate each other by exchange the lowest level plane instead of the whole shadow. Our scheme is suitable for the case with and without a dealer participate recovery. In addition, the proposed scheme has characteristics of low generation and authentication complexity, no pixel expansion, 100% detection rate and lossless recovery.


Introduction
In a (k, n) threshold secret image sharing (SIS) scheme, where k ≤ n, a secret image is divided into n shadow images without any secret information leakage, and it can be reconstructed only when a sufficient number of shadow images are combined together, but one cannot obtain any information of the secret image from fewer than k shadow images. There are two major categories in secret image sharing scheme: one is the visual secret sharing (VSS) [1,2] (i.e., visual cryptography), and the other is the polynomial-based secret image sharing [3]. The beauty of visual cryptography scheme (VCS) is the stack-to-see property, which indicates the secret can be visually recognized by human visual system (HVS) just with sufficient shares stacking. This natural property of VCS is based on OR operation, so it has several drawbacks, such as lossy recovery and low visual quality of recovered images. Shamir [3] designed the first (k, n) threshold polynomial-based secret sharing method to achieve high quality of recovered secret images. Other research [4][5][6][7][8], based on Shamir's work, developed some improved polynomial-based SIS schemes in order to get superior results.
The SIS schemes mentioned above have not taken the shadow authentication ability into account. However, many applications, such as e-voting, e-auctions, secret image sharing and audio sharing, are in an image. Additionally, a fragile watermark is used to authenticate by inspecting the existence of the embedded signal in an image. In Wang's verifiable secret sharing scheme [17], a watermark image with size of n × n was used with the secret image to generate shadows. Before reconstructing the secret image, the reliability from shadow images is determined by the accuracy of watermark image. Through determining the accuracy of watermark image, the recovered secret image could be verified. To slightly distort the quality of shadow, Lin and Tsai [18] embedded the shared bits and authentication bit in a four-pixel block. They combined information hiding and authentication features to prevent accidentally bringing an incorrect shadow or deliberately submitting a fake shadow by using the parity check bit. Unfortunately, parity checking bits lead to the leakage of the information of authentication, and dishonest participants can easily fake a shadow that easily passes validation.
Besides the visual quality of the shadows is not good enough.
Yang et al. [19] improved the authentication by hashing the four-pixel block, block ID and image ID. They used a hash function to prevent participants from manipulating shadows. The shortcomings are high generation and authentication complexity and poor visual quality.
Yang et al. [20] presented a novel approach which is based on a symmetric bivariate polynomial without needing parity bits. In addition, their (k, n) steganography and authenticated image sharing (SAIS) scheme provides better visual quality and has a higher detection ratio. They combine both authentication and secret sharing features into shared bits without needing additional authentication bits. The shortcoming of the scheme is that it generates a stegoimage four times larger than the secret image, which leads to the increase of storage space and transmission bandwidth.
Yan et al. [21] proposed a (k, n) threshold SIS scheme capable of separate shadow authentication. Yan et al.'s work cleverly integrates polynomial-based SIS and visual secret sharing. They utilize (2, 2) RG-VSS to split every pixel of authentication image into two temporary bits. One is assigned to binary authentication shadow, and the other one guide to the generation of secret shadows in polynomial-based SIS. Their scheme has the ability of separate shadow authentication. It achieves low generation complexity, low recovery complexity, low authentication complexity, no pixel expansion and lossless recovery. However, their scheme is only suitable for the case with dealer.
In this paper, we propose a (k, n) threshold SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities which integrates polynomial-based SIS and visual secret sharing (VSS) through using the result of VSS to "guide" the polynomial-based SIS. We input a public binary authentication image and a grayscale secret image into the proposed scheme to obtain n grayscale shadows when specifying 257 as a prime. The least significant bit (LSB) of each shadow pixel is exactly the value of the appropriate bit of binary authentication shadows generated by (2, n) RG-VSS, and each shadow's pixel value is less than 256 by selecting the random coefficients of the established polynomials. By Lagrange interpolation operation, the secret image is losslessly reconstructed, and the dealer and each participant are authenticated by only stacking or the XOR operation. All involved participants and the dealer can mutually authenticate other participants. Besides, in our scheme the participants only need to exchange the lowest level plane instead of the whole shadow, and only require an authentication image to be public. The proposed scheme has low generation complexity, low recovery complexity, low authentication complexity, no pixel expansion and lossless recovery. In order to validate the proposed scheme, we give illustrations, theoretical analyses and comparisons.
The following sections are organized as follows. In Section 2, we focus on preliminaries for our work. The motivation and contribution of our paper are described in Section 3. In Section 4, we present the proposed SIS scheme authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities and its performance analysis in detail. Section 5 illustrates the details of the experiments and comparisons, and Section 6 is the conclusion.

Preliminaries
We introduce some preliminaries for our work in this section, including a traditional polynomial-based SIS scheme and random grid-based (2, n) threshold VSS (RG-VSS). The conventional polynomial based SIS scheme means Shamir's primitive polynomial-based secret sharing scheme, which is used as the foundation of our scheme to achieve a mutual shadow authentication, and a (2, n) threshold RG-VSS is used to output n random bits from each binary authentication image pixel.

Polynomial-Based SIS Scheme
In 1979, Shamir [3] did a landmark job in which he constructed a (k, n) threshold sharing algorithm by replacing the constant term a 0 of a K − 1 degree polynomial with secret information and randomly selecting other coefficients of the polynomial. N shadow images ( f (i), f or i = 1, 2, · · · , n.) are generated by a dealer by using different variables (say i∈ [1,n]). The polynomial is defined as where P is a prime number, the secret is f (0) = a 0 and a i is random, for i = 1, 2, · · · , k − 1.
In the recovery phase, by using Lagrange interpolation, any k shadows can together rebuild this k − 1 degree polynomial f (x) following the Lagrange interpolation formula, and the secret information can be derived from a 0 = f (0). Less than k shadow images can not recover any secret information.
Due to a digital image being a special form of digital data, Shamir's primitive polynomial-based secret sharing scheme can be directly applied to the sharing of images, and the prime P is generally set to 251. Figure 1 shows experimental results of (3, 4) threshold PSIS based on Shamir's PSS. Figure 1a denotes secret image S. As is displayed in Figure 1b, one out of four shadow images SC 1 did not reveal any secrets. Figure 1c shows the recovered image S t=2 with not enough shares, where S t=2 represents recovery with any 2 shares. Images S t=3 and S t=4 , which are similar to S, denote the recovered image with any three and four shares, respectively. As shown in Figure 1d-e, there are black shadows in the recovered images. Since p = 251, all the values in Equation (1)( x, f (x), a 0 , a 1 , · · · , a k−1 ) are within the interval [0, 250]. However, the grayscale image includes 256 gray levels from 0 to 255. As a result, pixel values from 251 to 255 can not be processed, so classic PSISs have lossy recovery. Besides, the classic PSISs have not take shadow authentication ability into account which leads to the shadows involved in recovery possibly being faked.

Random Grid-Based VSS -(k, n) RG-VSS
It is necessary to review RG-VSS before introducing (k, n) RG-VSS. In RG-VSS [22,23], "1" and "0" represent black and white pixel respectively. In what follows, symbols ⊗ and ⊕ denote the Boolean OR and XOR operations. The generation and recovering phases of a classical (2, 2) RG-VSS are given below. Generating Step 1: Pseudo-randomly generate RG S 1 C 1 .

Generating
Step 2: Calculate S 1 C 2 as in Equation (2). Recovering phase: S 1 = S 1 C 1 ⊗ S 1 C 2 as Equation (3). For example, suppose the value of a secret pixel s 1 = S 1 (h, w) of S 1 is 1; then, the recovered bit S 1 C 1 ⊗ S 1 C 2 = 1 is always black. While the value of a secret pixel is 0, the reconstructed bit S 1 C 1 ⊗ S 1 C 2 = S 1 C 1 (h, w) ⊗ S 1 C 1 (h, w) has a 50% chance to be black or white since S 1 C 1 is pseudo-randomly generated.
. Thus, we can losslessly reconstruct S 1 (h, w) by Boolean XOR operation.
In [23], Yan et al. proposed a (k, n) (generally n, k ∈ Z + , 2 ≤ k ≤ n)VSS based on RG. The generating phase of a typical (k, n) RG-VSS are demonstrated in Algorithm 1.
Input: A M × N binary secret image S , a pair of threshold parameters (k, n). Output: n shadows SC i , i = 1, 2, · · · n.
Step 5: Output n shadows SC 1 , SC 2 , · · · SC n . It is remarkable that the k bits are utilized to gain the threshold mechanism in Step 2, and Step 3 is designed to improve the visual quality of reconstructed secret image by a different way to use the last n − k bits, through which the chance of covering b 1 , b 2 , · · · , b k in the recovered t bits is improved. While Step 4 aims to make all the shadows be equal to each other, the generated n bits are rearranged to corresponding n shadow images.
The secret recovery of the scheme is also based on stacking or the HVS.

Motivation and Contribution
In our scheme, there are three roles, namely, dealer, participant and combiner, as described in Section 1. To simplify and make it easier to understand, we assume the combiner is one of the participants or the dealer in this paper. Additionally, it is assumed that the three roles all store the authentication image.
As shown in Figure 2, we give an example of the general application scenario regarding the (k, n) threshold SIS with dealer-participatory and non-dealer-participatory mutual shadow authentication. For Case 1: (k, n) threshold SIS with dealer-participation and no deception. Any k of the participants send their shadows; the dealer authenticates the k shadows and successfully recovers the secret image. For Case 2: (k, n) threshold SIS with dealer-participation and deception. Any k of the participants send their shadows to the dealer; the dealer authenticates the k shadows, and then detects a fake shadow. The dealer stops the recovery phase and broadcasts the dishonest participant to the other participants. Our motivation is to propose an SIS scheme which is suitable for shadow verification with and without a dealer. Further, it is great if the proposed scheme has characteristics of lossless recovery, low recovery complexity, low authentication complexity and no auxiliary encryption.
It is easy to think that it is the best case that any two participants can verify each other. It means that every honest participant's detection rate of fake shadows is 100%. Based on the ability of mutual authentication ability, we can design a variety of shadow authentication protocols. For example, it is reasonable to design a shadow authentication protocol like majority rule. As described in Yang et al.'s work [20], majority rule is a decision rule that selects the valid shadows which have more than half the votes. Suppose that the k shadows are all valid. k participants exchange their shadows mutually; then, each participant authenticates other k − 1 shadows and votes for them. If any one shadow gains less than (k − 1) votes, we stop recovery and proceed with the auxiliary authentication procedure of other (n − k) participants. Remaining participants vote for these k shadows. If the shadow gains less than T votes from (n − 1) participants, we affirm this shadow as fake; otherwise it is valid. Here, we suppose more than half participants are honest. The maximum number of votes from other participants is (n − 1) votes. Therefore, a majority-voting threshold is chosen as T = (n − 1)/2 . Since T = (n − 1)/2 = n/2 , it implies that we need a majority T = (n/2) + 1 of trustworthy participants among all n participants to achieve the threshold.
For example, see Case 4 in Figure 2-(3, 5) for threshold SIS without a dealer when there is a dishonest participant. Suppose that Participant 2, Participant 3 and the dishonest participant send their shadows to each other at the same time. If every shadow gain two votes from other two participants, the shadows are authenticated successfully. Otherwise, we proceed with the authentication procedure with the help of Participant 4 and Participant 5.
In this paper, we propose a (k, n) threshold SIS with dealer-participatory and non-dealer-participatory mutual shadow authentication which integrates polynomial-based SIS and visual secret sharing (VSS) through using the result of VSS to "guide" the polynomial-based SIS by screening operation. In this paper, we assume that the dealer can be both the producer and distributor of shadow and the combiner. In our scheme, all involved participants and the dealer can mutually authenticate other participants. If a dealer is responsible for recovering secret image, participants can verify the credibility of the dealer too. Our scheme is suitable for the case with and without dealer and only requires an authentication image to be public. If the recovery is done by entities other than the participants and the dealer, our scheme applies. Besides, in our scheme the participants only need to exchange the lowest level plane instead of the whole shadow. The proposed scheme has features of low generation complexity, low authentication complexity and no pixel expansion. It achieves lossless recovery and 100% detection rate. In terms of classification, our scheme uses the interactive verifiable secret sharing mentioned in Section 1. Figure 3 shows the design mentality of the proposed (k, n) SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities. The explicit generating algorithm is illustrated in Algorithm 2, and its matching authentication and recovery algorithm is in Algorithm 3. Figure 3. Design mentality of the proposed secret image sharing with dealer-participatory and non-dealer-participatory mutual shadow authentication ability.

Algorithm 2
The proposed secret image sharing for (k, n) threshold authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities.
Step 5: Step 6: n grayscale shadows SC 1 , SC 2 , · · · SC n and a binary authentication shadow S 1 C n+1 which assigned to the dealer if there exists are output.
S 1 is a binary authentication image with size of H × W which is held or known by all participants involved and the dealer. In other words, S 1 is public. 2.
In Step 1, we set a prime number P = 257; thus, in Step 4 S 2 C i (h, w) < P − 1 to guarantee the value of the shadow pixel is within [0, 255] and lossless recovery by utilizing the screening operation. 3.
Step 3 aims at guaranteeing the (k, n) threshold attribute and no pixel expansion by using the polynomial.

4.
Step 4 is designed to satisfy LSB (S 2 C i (h, w)) = S 1 C j (h, w) to achieve mutual shadow authentication. 5.

Algorithm 3
The authentication and recovery in the proposed secret image sharing for (k, n) threshold authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities.

Input:
The binary authentication image S 1 and dealer's binary authentication shadow S 1 C n+1 , any k grayscale shadows SC i 1 , SC i 2 , · · · SC i k . Output: k authenticating results of SC i j for j = 1, 2, · · · , k or (k − 1) authenticating results of SC i j for j = 1, 2, · · · , k for each participant involved depends on there is a dealer participant or not. Recovered grayscale secret image S 2 with a size of H×W Step 1: If there is a dealer, for j = 1, 2, · · · , k, take the LSB (least significant bit) of SC i j , denoted by S 1 C 1 , obtain the reconstructed binary authentication image S 1 through the stacking or XORing operation of S 1 C 1 and S 1 C n+1 . If S 1 is recognized as S 1 by HVS or S 1 = S 1 , pass the authentication and go to Step 3; otherwise, a fake shadow is identified, denoted by i * j , and broadcast the dishonest participant to the other participants.
Step 2: If there is not a dealer involved, take the LSB (least significant bit) of the participant itself's shadow, denoted by S 1 C 1 , take the LSB (least significant bit) of SC i j for j = 1, 2, · · · , k, denoted by S 1 C i j for j = 1, 2, · · · , k − 1, obtain the reconstructed binary authentication image S 1 through the stacking or XORing operation of S 1 C 1 and S 1 C i j . If all the S 1 are recognized as S 1 by HVS or S 1 = S 1 , pass the authentication and go to Step 3; otherwise, a fake shadow is identified, denoted by i * j , and broadcast the dishonest participant to the other participants.
Step 3: Step 4: Solve the following equation to get a 0 by Lagrange interpolation function.
Step 6: Output recovered grayscale secret image S 2 with a size of H×W and k authenticating results of SC i j for j = 1, 2, · · · , k or (k − 1) authenticating results of SC i j for j = 1, 2, · · · , k for each participant.
For Algorithm 3, we note the following.

1.
If there is a dealer, the dealer generates k authenticating results of SC i j for j = 1, 2, · · · , k. If there is not a dealer, each participant involved generates the (k − 1) authenticating result of SC i j for j = 1, 2, · · · , k. When we mention each participant involved, it means k participants in the final recovery.

2.
The LSB of SC i j can be gotten by bitwise operation. 3.
In Step 1, dealer or participants authenticate each gathered shadow to estimate whether S 1 is recognized as S 1 by HVS or S 1 = S 1 ; thus, mutual shadow authentication is achieved by stacking or XOR operation. 4.
In Step 2, every participant involved authenticates other (k − 1) participants' shadows. SC i j for j = 1, 2, · · · , k − 1 denote shadows held by other (k − 1) participants. Each participant involved takes his/her shadow's LSB, denoted by S 1 C 1 . The other (k − 1) participants involved take their shadows' LSBs, denoted by S 1 C i j for j = 1, 2, · · · , k − 1. Since authentication is performed in pairs in our scheme, we achieve mutual shadow authentication. 5. In Step 2, every participant involved authenticates other (k − 1) participants' shadows. So if k × (k − 1) S 1 are recognized as S 1 by HVS or S 1 = S 1 , pass the authentication and go to Step 3. 6.
In Step 2, when detecting a fake shadow, the participant broadcasts the dishonest participant to the other participants and stops recovery phase. Here, the scheme supposes that the participant performing shadow authentication is honest. There is no further discussion on how to authenticate and recover in the case of more than one dishonest participant in our scheme.
In this paper, we focus on designing a SIS with mutual authentication capability, rather than the rules or protocols of mutual authentication among participants. However, one can design many protocols for authentication and recovery based on the proposed scheme with mutual authentication ability. For example, one can design to allow participants to perform authentication by using a vote-based protocol. Every participant authenticates other shadows, and decides whether to vote for the shadows. According to the result of a majority vote, the authenticity of the shadows is then determined by peers.
Here we will give a simple numerical example of (3, 4) threshold to illustrate the algorithm process of our scheme. Let us take the current processing positions S 1 (h, w) = 0 and S 2 (h, w) = 161 as an example.
In the authentication phase, when the dealer is responsible for verifying and recovering images, assume S 1 C i (h, w) = LSB(SC i (h, w)), for i = 1, 2, · · · , 5. To authenticate SC 1 , obtain the recovered binary authentication image S 1 through the stacking or XORing operation of S 1 C 1 and S 1 C 5 ; if all the S 1 are recognized as S 1 by HVS or S 1 = S 1 , pass the authentication. When there is not a dealer, suppose Participant 1 and Participant 2 who hold SC 1 and SC 2 respectively mutually verify each other. To authenticate SC 1 and SC 2 , obtain the recovered binary authentication image S 1 through the stacking or XORing operation of S 1 C 1 and S 1 C 2 ; if all the S 1 are recognized as S 1 by HVS or S 1 = S 1 , pass the authentication.

Security Analysis, Time and Space Complexity Analyses and Performance Proof
Herein, we provide the performance and security analysis of the proposed (k, n) threshold SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities. In the next analyses, we suppose that the authentication image S 1 and the secret image S 2 are natural images, and they have no relevance.
Proof. Using the equation mentioned in Algorithm 3 and the Lagrange interpolation, we can calculate the value of a 0 and a i uniquely for i = 1, 2, · · · k − 1. Based on the Lemma 1, since s 2 = a 0 < P, s 2 can be recovered with sc i 1 , sc i 2 , · · · sc i k without distortion. Theorem 1. Using SC i , S 1 and SC i j (S 1 C n+1 ), we can recognize whether SC i is fake, for i = 1, 2, · · · n.
Proof. In Step 4 of Algorithm 2, we make LSB (SC i (h, w)) = S 1 C 1 (h, w), LSB(SC i ) = S 1 C 1 , LSB SC i j (h, w) = S 1 C i j (h, w) and LSB(SC i j ) = S 1 C i j . According to (k, n) RG-VSS [23], we can visually reveal S 1 by stacking and XORing S 1 C 1 and S 1 C i j (S 1 C n+1 ). According to Equation (2), the probability of correctly inferring S 1 C 1 is (1/2) HW . As a result, using SC i , S 1 and S 1 C i j (S 1 C n+1 ), we can judge whether SC i is fake for i = 1, 2, · · · n. Lemma 3. When gathering k − 1 or fewer shadows, The secret image S 2 cannot be recovered.
Proof. If only k − 1 equations are built in the equation mentioned in Algorithm 3, we have P solutions rather than only one to the equation mentioned in Algorithm 3. Thus, the secret image S 2 cannot be recovered when gathered k − 1 or fewer shadows.

Experimental Results and Discussion
In this section, we implement a set of experiments to verify the effectiveness of the proposed (k, n) threshold SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities in which we set the value of n from 2 to 5, and the value of k from 2 to n accordingly. Then, comparisons with related scheme will be given to show the features of our scheme. In the future, we intend to use machine learning (i.e., [24]) to perform shadow verification.

Experimental Illustration
Due to the characteristics of no pixel expansion of the proposed SIS, all the experimental images are have same size 128 × 128 in our experiments. Here we only introduce the experimental results of (2, 2) threshold and (3,4) threshold SIS with dealer-participatory and non-dealer-participatory mutual shadow authentication ability. Figure 4 exhibits the results of (3, 4) threshold SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities, the binary authentication image S 1 is shown in Figure 4a and the input secret image S 2 which is grayscale is displayed in Figure 4e. Figure 4b-d denotes the output binary shadows S 1 C 1 , S 1 C 2 , S 1 C 3 , where S 1 C 3 is the binary authentication shadow assigned to the dealer. Figure 4f-g presents the outputs of two shadows SC 1 and SC 2 . Figure 4h illustrates a fake shadow which is denoted by SC * 1 . Figure 4i-l denotes the recovered binary authentication images obtained through the stacking and XORing operations of S 1 C 3 and SC 1 , SC 2 , respectively, where the recovered binary authentication image can be well recognized; thus, the shadows SC 1 and SC 2 are authenticated by the dealer. Meanwhile, participants holding the shadows SC 1 and SC 2 can verify the credibility of the dealer responsible for recovering secret image. Figure 4m,n denotes the recovered binary authentication images obtained through the stacking and XORing operations of SC 1 and SC 2 , respectively, where the recovered binary authentication image can be well recognized; thus, the shadows SC 1 and SC 2 are authenticated. In other words, the two participants are mutually authenticated successfully. Suppose there is an attacker posing as Participant 1, or that Participant 1 is an dishonest participant who sends a fake shadow SC * 1 to other participants or the dealer. The recovered binary authentication images with SC * 1 and SC 1 , SC 2 by stacking and XORing, respectively, are presented in Figure 4o-r, and it is obvious that the binary authentication image is not disclosed or recovered, and thus the shadow SC * 1 is fake. Figure 4s exhibits the secret image reconstructed with the two shadows by Lagrange interpolation, and we can see that the secret image is reconstructed losslessly. Figure 4t demonstrates the secret image recovered with SC * 1 and SC 2 by Lagrange interpolation operation, which is not recognized as the secret image; thus, the recovery is failed. Additional instructions are needed here. In our scheme, participants exchange and authenticate their shadows' LSB planes mutually in the case of non-dealer-participation. In the case of dealer-participation, the dealer authenticates the LSB planes of shadows sent by participants. Thus, the SC 1 and SC 2 we are talking about here are actually the LSB planes of them. . Results of (2, 2) threshold SIS with dealer-participatory and non-dealer-participatory multual shadow authentication ability. (a) The binary authentication image S 1 ; (b,c) two binary shares S 1 C 1 and S 1 C 2 ; (d) the binary authentication shadow S 1 C 3 ; (e) the grayscale secret image S 2 ; (f,g) two grayscale shadows SC 1 and SC 2 ; (h) fake shadow SC * 1 ; (i,j) recovered binary authentication image with S 1 C 3 and the LSB of SC 1 by stacking and XORing; (k,l) recovered binary authentication image with S 1 C 3 and the least significant bit (LSB) of SC 2 by stacking and XORing; (m,n) recovered binary authentication image with the LSB of SC 1 and SC 2 by stacking and XORing; (o,p) recovered binary authentication image with the LSB of SC 2 and SC * by stacking and XORing; (q,r) recovered binary authentication image with the LSB of SC 3 and SC * by stacking and XORing; (s) recovered grayscale secret image S2 with SC 1 and SC 2 ; (t) recovered grayscale secret image S2 * with SC * and SC 2 . Figure 5 exhibits the results of (3, 4) threshold SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities. The input binary authentication image S 1 is shown in Figure 5a. Figure 5c shows the input grayscale secret image S 2 . Figure 5b denotes the output binary authentication shadow S 1 C 5 . Figure 5d-g presents the output 4 shadows. Suppose SC 1 , SC 2 and SC 3 are specified to recover the secret image. When the dealer is in charge of the authentication, he/she takes his/her binary shadow and the shadow (the LSB plane of shadow) sent to him/her by the participant to perform stacking and XORing. Figure 5h-m denotes the binary authentication images recovered through the stacking and XORing operations of S 1 C 5 and SC 1 , SC 2 , SC 3 , respectively, where the recovered binary authentication image can be well recognized, and thus the three shadows are authenticated. Meanwhile, participants holding the shadows SC 1 , SC 2 and SC 3 can verify the credibility of the dealer responsible for recovering secret image. When there is not a dealer, the participants holding SC 1 or SC 2 or SC 3 mutually authenticate each other. Figure 5n-s shows binary authentication images mutually recovered through the stacking and XORing operations of SC 1 , SC 2 and SC 3 , respectively, where the recovered binary authentication image can be well recognized; thus, the shadows SC 1 , SC 2 and SC 3 are authenticated. In other words, the three participants are mutually authenticated successfully. Figure 5t shows the secret image recovered with the three shadows by Lagrange interpolation, and we can see that the secret image is reconstructed losslessly. Figure 6 exhibits the results of our proposed (3,4) threshold SIS authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities, when there is a fake shadow participating in recovery. A randomly generated fake shadow, denoted by SC * 1 , is illustrated in Figure 6a. Suppose there is an attacker posing as Participant 1 or Participant 1 is an dishonest participant who sends a fake shadow SC * 1 to other participants or dealer. The binary authentication images recovered SC * 1 , SC 2 and SC 1 by stacking and XORing, respectively, are presented in Figure 6b-e, and the binary authentication images are not correctly identified; thus the shadow SC * 1 is fake. Figure 6f demonstrates the recovered secret images S * 2 with SC * 1 and SC 2 , SC 3 by stacking and XORing, respectively by Lagrange interpolation, which displays no secret information; thus, the recovery is failed.
According to the above experimental results, we draw the following conclusions: 1. The shadow generated by our scheme has no cross-interference and no pixel expansion of the secret image. 2. Figure 7 shows the security of the proposed SIS when recovered with fewer than k shadows; the recovered image leaks no secret details. 3.
One can losslessly reconstruct the secret image with any number k or more of shadows.

4.
The binary authentication image is lossily reconstructed, so one can carry out authentication by only stacking or XORing operation.

5.
The mutual authentication ability is gained based on SIS itself rather than another technique. 6.
An SIS with dealer-participatory and non-dealer-participatory mutual shadow authentication for a general (k, n) threshold is achieved, where n ≥ k ≥ 2. Since when k is fixed, as n increases more requirements should be satisfied. Through experiments, we give the suggestion that the condition is n−k n ≤ 3 5 . (a)S2 recovered with SC 1 , Moreover, in Algorithm 2, we use (2, n + 1) RG-VSS to split every pixel of authentication image into n + 1 temporary bits; one is assigned to binary authentication shadow, and the others are used to guide the generation of secret shadows in polynomial-based SIS. The specific guidance method is as follows: we continue to screen a 1 , a 2 , · · · , a k−1 until we find a set of random values to satisfy S 2 C i (h, w) < P − 1 and LSB (S 2 C i (h, w)) = S 1 C j (h, w), for i = 1, 2, · · · n, j = i 1 , i 2 , · · · , i n (randomly pick up n numbers from {1, 2, · · · , n, n + 1}. So, what we change and influence are the LSBs of the shadows generated by the polynomial-based SIS, and the shadow itself is noise like, so it is difficult to be detected even if we modify the LSBs of all pixels of all shadows. Figure 8 shows that the shadows are randomly generated by the polynomial-based SIS.

Comparisons with Relative Schemes
Herein, we will compare the proposed SIS with Yan et al.'s work [21].

1.
Inspired by Yan et al.'s work [21], we improve the SIS scheme to be suitable for the case with and without dealer by extending the sharing method of the authentication image from (2, 2) RG-VSS to (2, n + 1) RG-VSS. Yan et al. utilize the (2, 2) RG-VSS to split every pixel of authentication image into two temporary bits; one is assigned to binary authentication shadow, and another one guides the generation of secret pixels in polynomial-based SIS. We use (2, n + 1) RG-VSS to split every pixel of authentication image into n + 1 temporary bits; one is assigned to the binary authentication shadow, and the others are used to guide the generation of secret shadows in polynomial-based SIS. Thus, in our scheme, any actor (participants or dealer) can be specified as a combiner. Yan et al.'s scheme works when there is a dealer.

2.
As shown in Figure 9, when we share extreme image Figure 9a  . The reason is that we use the pixels generated by (2, n + 1) RG-VSS to guide the LSBs of pixels generated by the polynomial-based SIS, while Yan et al. use the pixels generated by (2, 2) RG-VSS to guide the MSBs of pixels generated by the polynomial-based SIS. Besides, based on the above Lemmas 2 and 3, the conditions are satisfied. Unfortunately, Yan et al.'s use MSBs of pixels, which is the most significant bit, may cause information disclosure when n − k gets larger and larger. In contrast, we use the LSB, which will be better.

3.
Due to the characteristics of (2, 2) RG-VSS and (2, n + 1) RG-VSS, in the authentication phase, the shadow passes verification when the binary authentication image is always well recognized in our scheme. The shadow passes verification when the binary authentication image recovered respectively, by stacking or XORing, is always well recognized or losslessly recovered in Yan et al.'s scheme.
Besides, we compare the proposed SIS with Bhattacharjee et al.'s work [25]. Bhattacharjee et al. propose an image-in-image communication scheme which is a data-hiding-based SIS scheme. The process includes encoding and decoding stages. In the encoding stage, they first M-bit signal modulates all the pixels of the secret image, and then n shadows of reduced size are generated by their shadow generation algorithm; finally stegoimages are generated by a series of steps which include generation of Walsh code, a block-based discrete cosine transform (DCT) operation, SS embedding and an inverse DCT transformation operation. It should be noted that the SS embedding in Bhattacharjee et al.'s work means spread spectrum watermarking which is used to resist attacks and unexpected operations. Correspondingly, the decoding stage includes the share image's extraction (the stegoimage's decomposition, correlation calculation and secret rearrangement) and secret reconstruction.
The comparisons between the proposed scheme and Bhattacharjee et al.'s scheme are summarized as follows.

1.
The proposed scheme is (k, n) threshold SIS scheme. Contrarily, the scheme in Bhattacharjee et al.'s [25] work is (n, n) threshold.

2.
Bhattacharjee et al. embed the shares into several cover images; this leads to the need to extract shares from stegoimages during the recovery phase, and thus increases decoding complexity. Contrarily, we do not use a cover image at all. In addition, Bhattacharjee et al.'s scheme generates shadows of reduced size in the encoding phase by using a kind of encryption technology which increases encoding complexity.

3.
Bhattacharjee et al.'s scheme has the characteristics of no key requirements but several cover image requirements, while our scheme only requires an authentication image to be public.  Table 1 shows the comparison of the properties between our scheme and the schemes proposed in [21,25]. In particular, compared with traditional schemes, the proposed SIS for the (k, n) threshold achieves the features of mutual shadow authentication, low recovery operation, no pixel expansion and lossless recovery. Besides, in our scheme the actors only need to exchange the lowest level plane instead of the whole shadow, and it only requires an authentication image to be public.

Conclusions
In this paper, the proposed SIS for a (k, n) threshold authentication with dealer-participatory and non-dealer-participatory mutual shadow authentication capabilities integrates polynomial-based SIS and visual secret sharing (VSS) through using the result of VSS to "guide" the polynomial-based SIS by screening operation. We input a public binary authentication image and a grayscale secret image into the proposed scheme to obtain n grayscale shadows when specifying 257 as a prime. The least significant bit (LSB) of each shadow pixel is exactly the value of the appropriate bit of binary authentication shadows generated by (2, n) RG-VSS, and each shadow's pixel value is less than 256 by selecting the random coefficients of the established polynomials. In our scheme, we can assign any participant as a combiner. By Lagrange interpolation operation, the secret image is losslessly reconstructed, and the dealer and each participant are authenticated by only stacking or XORing operation. All involved participants and the dealer can mutually authenticate other participants. Besides, in our scheme the participants only need to exchange the lowest level plane instead of the whole shadow, and it only requires an authentication image to be public. The proposed scheme has low generation complexity, low recovery complexity, low authentication complexity, no pixel expansion, lossless recovery and a 100% detection rate.