Beruflich Dokumente
Kultur Dokumente
a r t i c l e i n f o a b s t r a c t
Article history: Existing secret image sharing (SIS) schemes with steganography and authentication are designed for
Available online 16 July 2019 uncompressed images. They cannot be applied to compressed domain. When the cover image is of
significance, these schemes cannot revert the distorted stego image into its original form. To solve these
Keywords:
problems, a (k, n) threshold partial reversible absolute moment block truncation coding (AMBTC) based
Secret image sharing
Block truncation coding
SIS scheme with steganography and authentication is proposed. A secret image is split into n noise-
Partial reversible like shares by employing the polynomial based SIS under G F (28 ). To efficiently manage the shares, they
Steganography are concealed into the AMBTC cover image with parity bits by the proposed embedding algorithms,
Authentication and n meaningful stego images are constructed. Authentication is adopted so that the integrity of
stego image can be verified. Sufficient stego images can perfectly reconstruct the secret. Meanwhile,
the original AMBTC cover image can be partially recovered with high probability. Theoretical analysis
and experimental results are demonstrated, showing the effectiveness and advantages of the proposed
scheme.
© 2019 Elsevier Inc. All rights reserved.
https://doi.org/10.1016/j.dsp.2019.06.016
1051-2004/© 2019 Elsevier Inc. All rights reserved.
X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 23
are guaranteed to be used in secret image recovery, so that unsuc- codeword length of a code is c = 2b − 1 and the message length
cessful reconstruction can be prevented. is g = 2b − b − 1. Hamming code is capable of correcting one-bit
To offer steganography and authentication, Lin and Tsai [29] error, however, it is impossible to guarantee error correction when
proposed an SIS scheme based on the Shamir’s (k, n) threshold multiple errors happen in a codeword. The parity check matrix for
method. Authentication is achieved by using the parity bits, so a Hamming code is produced by listing columns of length b with
that incidentally bringing an erroneous stego-image or intention- non-zero. The (7, 4, 3) Hamming code has the parity check matrix
ally providing a false image to reconstruct the secret is prevented.
H p , as denoted by
An improved scheme was proposed by Yang et al. [30] to solve
three weaknesses in Lin and Tsai’s method [29]: image authentica- ⎡ ⎤
0 0 0 0 1 1 1
tion by dishonest participant, deterioration quality of stego-image,
and non-lossless secret image reconstruction. Chang et al. [31] also Hp = ⎣0 1 1 0 0 1 1⎦ . (4)
introduced another scheme to further improve the authentication 1 0 1 0 1 0 1
ability and visual quality. Later, some improved SIS schemes [32]
Let Y ∈ F2n be a vector obtained from a codeword X ∈ F2n by
[34] [35] [36] were proposed as well. However, those methods are
modifying at most one coordinate of X (from 0 to 1 or vice versa).
designed for uncompressed images, they cannot be applied to the
Then, X can be recovered from Y . The syndrome decoding algo-
compressed ones. Moreover, when the cover image is significant,
rithm for correcting single error in the Hamming code is given as
those distorted stego images cannot be reverted to original.
follows:
To solve above-mentioned problems, an SIS scheme using abso-
lute moment block truncation coding (AMBTC) compressed cover
images with reversible steganography and authentication is pre- 1. Given a vector Y ∈ F2n , compute its syndrome S (Y ) by
sented in this paper.
The rest of this paper is organized as follows. AMBTC, Hamming S (Y ) = H p Y T . (5)
code, simple least significant bit (LSB) substitution and optimal
pixel adjustment process (OPAP) are briefly described in Section 2. 2. If S (Y ) = 0, no error has occurred, and X = Y . Otherwise,
The partial reversible AMBTC-based SIS (PRASIS) scheme is de- i = S (Y ) and identify the i-th column of H p , decode Y as the
scribed in Section 3, as well as theoretical analysis. Experimental vector X obtained from Y by replacing the i-th coordinate Y i
results are demonstrated in Section 4. Section 5 concludes this of Y with (1 − Y i ).
work.
2.3. LSB substitution and OPAP
2. Preliminaries
Let C and (s1 s2 · · · sk )2 be an 8-bit pixel in the cover image and
2.1. AMBTC the k bits to be embedded, respectively. The cover image pixel C is
represented by bit strings, as denoted as
AMBTC is a lossy image compression method [37] that uses a
quantizer to reduce the number of gray levels in each block of an
C = (c 1 c 2 · · · c 8−k c 8−k+1 · · · c 8 )2 . (6)
image. To compress an image by AMBTC, an image is separated
is used. For each block, the mean pixel value V is calculated by For the k-bit simple LSB substitution method, the k rightmost
t ×t
LSBs of C are directly replaced by the corresponding secret bits
1
V = xj (1) (s1 s2 · · · sk )2 , the marked pixel is denoted as
t ×t
j =1
C m = (c 1 c 2 · · · c 8−k s1 s2 · · · sk )2 (7)
where x j is the j-th pixel value in the block. Then, x j is compared
with the mean value V , so that a bitmap M which consists of two k bits
groups is constructed based on the following rules. (1) If x j < V ,
OPAP for simple LSB substitution [27] was proposed to improve
the corresponding bit in the bitmap is determined as group “0”
the quality of the embedded pixel. Let δ = C m − C be the em-
and is assigned “0” in the bitmap; (2) otherwise, the bit belongs to
bedding error between the marked pixel C m by using simple LSB
group “1” and is assigned “1” in the bitmap. Let q be the number
substitution and original pixel C . When 2k−1 < δ < 2k , the marked
of “1” in the bitmap, two quantization levels L and H are calcu-
pixel by using OPAP is generated by
lated by
1 C m − 2k , if C m ≥ 2k ,
L= xj (2) Cm = (8)
t ×t −q O m
C , otherwise.
x j <V
and When −2k−1 ≤ δ ≤ 2k−1 , the marked pixel by using OPAP is con-
1 structed by
H= x j. (3)
q
x j ≥V
Cm m
O =C . (9)
Finally, a (t × t )-pixel block is compressed into two quantization
levels ( L , H ) and a bitmap M with t × t bits. When −2k < δ < −2k−1 , the marked pixel by using OPAP is gener-
ated by
2.2. Hamming code
C m + 2k , if C m < 256 − 2k ,
Hamming code is a type of linear perfect single error-correcting Cm
O = m
(10)
C , otherwise.
codes with the minimal distance of 3. For an integer b ≥ 2, the
24 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33
3.1. Motivation and contribution A framework of the proposed scheme is described in Fig. 1. To-
tally, four phases are included: sharing phase, embedding phase,
authentication phase and revealing phase. In sharing phase, a se-
Existing methods [29] [30] [31] [32] [33] [34] [35] [36] with cret image is encoded into n noise-like shares. In embedding
steganography and authentication are designed for uncompressed phase, the n shares with authentication codes are embedded into
images. But nowadays, compressed images are commonly used the AMBTC compressed cover image to form n stego images. In au-
in the Internet and multimedia applications. These existing ap- thentication phase, each stego image can be verified whether it is
proaches cannot be applied to the compressed domain. Moreover, tampered or not. Those authentic stego images are used to recon-
in existing methods, a cover image is adopted to generate the stego struct the secret image in recovering phase. Meanwhile, the AMBTC
images. When the cover image is significant, the distorted stego compressed cover image is partially recovered.
image is preferred to be reverted into its original form. However,
these mentioned methods do not offer this functionality. 3.3. Sharing phase
In this paper, an SIS scheme using compressed cover images
with reversible steganography and authentication is presented.
In sharing phase, a secret image is split into n shares by the
Herein, we consider AMBTC compressed cover image, since AMBTC
(k, n) threshold polynomial based SIS. The secret image is ran-
is a highly efficient image compression technique which offers
domly permuted. For each time, k pixels { I 1 , I 2 , · · · , I k } are se-
good image quality and relatively lower complexity compared
lected from the permuted secret image and encoded by
to the modern compression techniques, e.g., JPEG or JPEG2000.
AMBTC is suitable to be implemented in computational systems
with low-power processing constrains and high resolution demand. F (x) = I 1 + I 2 x + · · · + I k xk−1 mod p . (11)
The main contribution of this paper is summarized as follows. In the above equation, modulus value p is set to the Galois Field
G F (28 ), that is, p = g (x) = x8 + x4 + x3 + 1. And the values of x are
• An SIS scheme with steganography and authentication using
random numbers under G F (28 ). By using n different values of x, n
AMBTC cover images is proposed.
shared pixels are obtained by
• A level embedding algorithm and a bitmap embedding algo-
rithm are proposed to embed shared data into the AMBTC
y 1 = F (x1 ), y 2 = F (x2 ), · · · , yn = F (xn ).
cover image.
• A partial recovering algorithm is introduced to ensure that the
distorted AMBTC stego image can be partially inverted into 3.4. Embedding phase
original with high probability.
• Theoretical analysis and sufficient experiments are provided to In embedding phase, each share is embedded into the AMBTC
demonstrate the effectiveness and advantages of the proposed cover image to form a stego image, as well as the authentication
(1) (2) (8)
scheme. codes. Exactly, a shared pixel y i = (si si · · · si )2 is embedded
into a corresponding AMBTC block { H , L , M } to generate a stego
While comparing to existing methods with steganography and block { H m
i
, Lm
i
, Mm
i
}, where i (1 ≤ i ≤ n) is the share ID corre-
(1) (2) (8)
authentication, the proposed method can deal with AMBTC com- sponding to the i-th participant and (si si · · · si )2 is the binary
pressed image and offer partial recovery functionality for the cover form of y i . The embedding phase contains three main steps, as
image. described as follows.
X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 25
3. If e 1 = 3, L i is modified by
m
i − 4,
Lm i ≥4
if L m
Lm
i = (12)
Lm
i
, otherwise
4. If e 1 = −3, L m
i
is modified by
Fig. 2. Embedding examples by the proposed level embedding algorithm. (a) Share
i + 4,
Lm if L m ID is odd, and (b) share ID is even.
i < 252
Lm
i = (13)
Lm
i
, otherwise
Hm
(1) (2) ⎡ ⎤
i = (h 1 h 2 · · · h 6 s i s i )2 . (17)
m1 m2 m3 m4
And the order of the two levels is reversed as ( H m , L i ). When d2 = 1, ob- ⎢ m5 m6 m7 m8 ⎥
i ⎢
Mi = ⎣ ⎥.
m12 ⎦
(1) (2)
tain the 2 LSBs (h7 h8 )2 of H i . If ((h7 h8 )2 = (01)2 )&&((si si )2 = (11)2 ) or m9 m10 m11
(1) (2) (1) (2)
((h7 h8 )2 = (11)2 )&&((si si )2 = (01)2 ), the secret bits (si si )2 are embed- m13 m14 m15 m16
ded into H i . The two levels are modified as ( L i , H m
i
). For the other cases when
d2 = 1, the two levels are modified like d2 > 1. The proposed bitmap embedding algorithm based on Hamming
11. Output the two levels.
code is formulated in Algorithm 2.
For example, six bits (111000)2 are embedded into the bitmap
Embedding examples by the proposed level embedding algo- ⎡ ⎤
1 1 1 1
rithm are shown in Fig. 2. When the share ID is odd (resp. even),
⎢1 0 0 0⎥
the secret bits are embedded into the lower (resp. higher) level. In Mi = ⎢
⎣0
⎥
Fig. 2(a), if (10)2 is to be embedded, the complement of (10)2 is 0 0 0⎦
concealed into the lower level and the order of L and H is re- 1 1 1 0
versed, so that the distortion is further reduced. Note that, the
by the proposed bitmap embedding algorithm. Two variables X 1
lower level L is not always less than higher level H after modi-
and X 2 are obtained by
fication, since the order of L and H is rearranged. When decom-
pressing the AMBTC stego image, we should compare L with H ,
and the smaller one is the actual lower level. X 1 = (1111100)2 , X 2 = (0000111)2 .
26 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33
As a result, the (110)2 = 6-th and (100)2 + 8 = 12-th elements (s(i 3) s(i 4) s(i 5) )2 = H X 1T (6 ) (7 ) (8 )
mod 2, (si si si )2 = H X 2T mod 2
in M are replaced by m6 and m12 , respectively. And the modified
bitmap M m is
(25)
i
⎡ ⎤ where
1 1 1 1
⎢1 1 0 0⎥ X 1 = (m1 m2m3 m4m5m6m7 )2 (26)
⎢ ⎥.
⎣0 0 0 1⎦
and
1 1 1 0
X 2 = (m9 m10m11m12m13m14m15 )2 , (27)
3.4.3. Generate and embed the parity bit
To prevent participants from manipulating AMBTC stego im- respectively.
When all the shared bits are extracted, the permuted secret
ages, A Hash-based Message Authentication Code (HMAC) is used,
image is perfectly reconstructed by using a Lagrange polynomial
as given by
interpolation algorithm under G F (28 ). Then, the permuted se-
cret image is reverted into its original form. Moreover, when t
H K (Hm m m
i L i ( M i − m8 − m16 )) (22)
(k ≤ t ≤ n) AMBTC stego images are achieved, the original AMBTC
where procedure H K () is a one-way hash function with the secret cover image is partially recovered. The partial recovering algorithm
is depicted in Algorithm 3.
i and L i are two levels with embedded bits, ( M i − m8 −
key K , H m m m
m
m16 ) denotes 14 bits in M i except m8 and m16 . H K () can be
implemented by SHA-1, and 160 bits are generated as output. 3.7. Theoretical analysis
Next, the generated HMAC bits adopt Boolean XOR operation to
Herein, we prove the proposed scheme is a valid construction
generate the authentication parity bit p by
of SIS and analyze the percentage of partial reversibility of the two
levels and bitmap in the AMBTC cover image, as well as the au-
p = X O RH K (Hm m m
i L i ( M i − m8 − m16 )) . (23)
thentication capacity.
The authentication parity bit p is then embedded into (m8 ⊕ m16 ).
When m8 ⊕ m16 = p, m8 and m16 remain the same. When m8 ⊕ Theorem 1. The proposed scheme is valid construction of secret image
m16
= p, m8 or m16 is reversed to the complement m8 or m16 . sharing scheme, where the security and reconstruction conditions are
Note that, if this time m8 is modified, then m16 is modified next met.
time if a modification is required.
When all the shared bits and parity bits are embedded into the Proof. In the sharing phase of the proposed scheme, a (k − 1) de-
AMBTC compressed image, n stego images are constructed. And gree polynomial is used to generate the shares. The secret pixels
they are distributed to n participants. form the k coefficients of the polynomial.
X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 27
Algorithm 3 Partial recover algorithm for AMBTC cover image. Proof. When all the t stego images are with odd (resp. even) IDs,
Input: t AMBTC stego images. only the original higher (resp. lower) levels are obtained. At this
Output: Reconstructed AMBTC cover image. time, the partial reversibility of the two original levels is 12 . When
1. The t stego images are separated into blocks, the original AMBTC block is re-
the t stego images contain odd ID and even ID simultaneously,
covered from the t stego image block in the same position by Steps 2-4.
2. For each stego image block { L i , H i , M i }, the original higher and lower levels both the two original levels are reconstructed. The correspond-
H iO and L iO for this block are recovered. When i is odd, if L i < H i , the original ing partial reversibility is 1. The analysis on partial reversibility
higher level is H iO = H i ; If L i > H i , the original higher level is H iO = L i . Simi- is given based on two cases: (1) n is odd, and (2) n is even.
larly, when i is even, if L i < H i , the original lower level is L iO = L i ; If L i > H i , (1) n is odd. The numbers of odd IDs and even IDs are n+ 2
1
the original lower level is L iO = H i . n−1
and , respectively. When t > n+ 1
, both odd ID and even ID
3. When t is odd, the original elements m Oj (1 ≤ j ≤ 16) in the original bitmap 2 2
M i is recovered by majority voting, as denoted by are contained in the t stego images. Hence, P R L = 1. When n−
2
1
<
t ≤ n+ 1
, the t stego images would contain (a) odd ID and even
1, if H m (m j , m j , · · · , m j ) ≥ t +2 1 2
(1) (2) (t )
m Oj = (28) ID simultaneously or (b) only odd IDs. The probability of t stego
0, otherwise (n+1)/2
images having only the odd IDs is nt , when all the t stego
(1) t
where procedure H m () calculates the Hamming weight of the t bits (m j , n+1
(2) (t ) images are chosen from the stego images with odd IDs. On2
m j , · · · , m j ).
the other hand, the probability of t stego
images having odd ID
4. When t is even, m Oj (1 ≤ j ≤ 16) in the original bitmap M i is recovered by (n+1)/2
O (1) (2) (t )
2 partial reversibility is
m j = r , if H m (m j , m j , · · · , m j ) = t
(29)
⎪
⎩
2 (n+1)/2 (n+1)/2
0, otherwise 1
P RL = nt × + 1− nt ×1
where r is randomly chosen from {0, 1}. 2
t t
5. When all the stego image blocks are processed, the partially recovered AMBTC (n+1)/2 (33)
cover image is obtained.
=1− tn .
2 t
For the reconstruction condition, a collection of any k or more
When t < n− 1
, the t stego images would contain (a) odd ID and
shares can recover the (k − 1) degree polynomial F (x) by using a 2
even ID simultaneously, (b) only odd IDs or (c) only even IDs. The
Lagrange polynomial interpolation algorithm, as represented by
probability
of t stego
images
having only the odd (resp. even) IDs
(n+1)/2 (n−1)/2
(x − x2 )(x − x3 ) · · · (x − xk ) is nt (resp. nt ), when all the t stego images are selected
F (x) = F (x1 ) t t
(x1 − x2 )(x1 − x3 ) · · · (x1 − xk ) from the n+1
(resp. n−1
)
stego images with odd (resp. even) IDs.
2 2
(x − x1 )(x − x3 ) · · · (x − xk ) The probability of t stego images having odd ID and even ID si-
+ F (x2 ) (n+1)/2 (n−1)/2
(x2 − x1 )(x2 − x3 ) · · · (x2 − xk ) multaneously is 1 − t
+
n t . Hence, the associate partial
(x − x1 )(x − x2 ) · · · (x − xk−1 ) t
+ · · · + F (xk ) mod p . reversibility is
(xk − x1 )(xk − x2 ) · · · (xk − xk−1 ) (n+1)/2
(30) + (n−t1)/2 1
P RL = t
n ×
t
2
The secret pixels can be obtained from the recovered polynomial. (n+1)/2 (n−1)/2
The proposed scheme meets the reconstruction condition. +
For the security condition, any (k − 1) or less shares give no + 1− t
n t
×1 (34)
clue about the secret, since the k unknown coefficients cannot be t
(n+1)/2
precisely reconstructed by the Lagrange polynomial interpolation + (n−t1)/2
algorithm. Thus, the proposed scheme satisfies the security condi- =1− t
n .
tion. t
Actually, the security of the proposed scheme is based on In summary, when n is odd, the partial reversibility is
Shamir’s polynomial secret sharing. Since Shamir’s method is se-
⎧
curity, the proposed method is security as well. 2 ⎪ 1, if t > n+ 1
⎪
⎪ (n+1)/2 2
⎨
P RL = 1 −
tn , if n− 1
< t ≤ n+2 1 (35)
Theorem 2. When any t (k ≤ t ≤ n) stego images are used to recover the 2 2
⎪
⎪
t
(n−1)/2 (n+1)/2
original AMBTC cover image, if n is odd, the partial reversibility P R L of ⎪
⎩1 − + n −1
t n t
2 t
, if t ≤ 2
.
two original levels is
⎧ (2) n is even. The numbers of odd IDs and even IDs are both
⎪
⎪1, if t > n+ 1
⎪
⎪ (n+1)/2 2 n
.When t > n2 , both odd ID and even ID are contained in the t
⎨ 2
1− tn , if n− 1
< t ≤ n+2 1 stego images. And the reversibility is P R L = 1. When t ≤ n2 , the t
P RL = 2 2 (31)
⎪
⎪
t
(n−1)/2 (n+1)/2 stego images would contain (a) odd ID and even ID simultaneously,
⎪
⎪ +
⎩1 − t n t , if t ≤ n−
2
1
. (b) only odd IDs or (c) only even IDs. The probability
of t stego
2 t (n)/2 (n)/2
images having only the odd (resp. even) IDs is nt (resp. nt ),
If n is even, t
n n
t
when all the t stego images are chosen from the (resp. stego )
⎧ 2 2
⎨1, n images with odd (resp. even) IDs. The probability of t stego
images
if t > 2 (n)/2
n/2 2
P RL = (32) having odd ID and even ID simultaneously is 1 − nt . Thus, the
⎩1 − nt , if t ≤ n
2
t
t associate partial reversibility is
28 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33
(n)/2 (n)/2
1 ai = 12 × 0 + 12 × 1 = 12 . If i < 2t , m Rj is different from the original
P RL = 2 nt × + 1 − 2 nt ×1
2 value, and we achieve ai = 0.
t t
(n)/2 (36) For each block, there are totally 14 bits are used for embedding,
nt the partial reversibility of m Oj (1 ≤ j ≤ 7 and 9 ≤ j ≤ 15) in the
=1− .
t
bitmap is computed by
Theorem 3. When any t (k ≤ t ≤ n) stego images are used to recover the Theorem 4. When any t (k ≤ t ≤ n) stego images are used to recover the
original AMBTC cover image, the partial reversibility of m Oj (1 ≤ j ≤ 7 original AMBTC cover image, the partial reversibility of m Oj ( j = 8 and
and 9 ≤ j ≤ 15) in the bitmap is 16) in the bitmap is
i =t i t −i i =t i t −i
t 7 1 t 3 1
P RM = ai (38) P RP = bi (44)
i 8 8 i 4 4
i =0 i =0
where ai is the average length of a correct recovered bit when i bits in where b i is the average length of a correct recovered bit when i bits in
(1) (t )
(1) (t )
{m j , · · · , m j } are not modified. When t is odd, ai is computed by {m j , · · · , m j } are not modified. When t is odd, bi is computed by
1, if i ≥ t +2 1 1, if i ≥ t +2 1
ai = (39) bi = (45)
0, otherwise. 0, otherwise.
Proof. According to the block embedding algorithm, 3 bits are Proof. Based on the parity bit generation, the authentication par-
embedded into (m1 · · · m7 )2 . When β1 = 0, the 7 bits remain the ity bit p is independent of (m8 ⊕ m16 ) before p is embedded.
same. When β1
= 0, one bit in (m1 · · · m7 )2 is flipped. Since β1 ∈ When p
= (m8 ⊕ m16 ), m8 or m16 is flipped. The probability of
{0, 1, · · · , 7}, the probability of modification in (m1 · · · m7 )2 is 78 . p
= (m8 ⊕ m16 ) is 12 . Since the modification on m8 and m16 is al-
Thus, for one bit m j ( j ∈ {1, 2, · · · , 7}) in (m1 · · · m7 )2 , the proba- ternative when modification is required, the probability of m8 that
bility of modifying one bit m j in the 7 bits is 78 × 17 = 18 . Hence, the is modified is 12 × 12 = 14 , and the probability of m8 remaining the
1
probability of m j without modification is 1 − 78 = 78 . Similarly, for same is 1 − 4
= 34 . Similarly, the probabilities of m16 with and
one bit m j ( j ∈ {9, 10, · · · , 15}) in (m9 · · · m15 )2 , the probabilities without modification are 14 and 34 .
of m j with and without modification are 18 and 78 , respectively. Let m Rj ( j = 8 and 16) be the recovered bit by the reconstruc-
Let m Rj (1 ≤ j ≤ 7 and 9 ≤ j ≤ 15) be the recovered bit by the (1)
tion algorithm based on t bits {m j , m j , · · · , m j }, and let m Oj
(2) (t )
(1) (2) (t )
reconstruction algorithm based on t bits {m j , m j , · · · , m j }, and be the original bit in the AMBTC cover image. Suppose that i is
(1) (t )
let m Oj be the original bit in the AMBTC cover image. Suppose that the number of bits in {m j , · · · , m j } that are not modified by the
(1) (t ) embedding algorithm. The probability of having i bits remained
i is the number of bits in {m j , · · · , m j } that are not modified
the same and (t − i ) bits modified simultaneously is
by the embedding algorithm. The probability of having i bits re-
mained the same and (t − i ) bits modified simultaneously is i t −i
t 7 1
i t −i i 8 8
. (47)
t 7 1
. (41)
i 8 8 Let b i be the average length of a correct recovered bit when i bits
Let ai be the average length of a correct recovered bit when i bits in {m1j , · · · , mtj } are not modified. The average length bm of a cor-
(1) (t )
in {m j , · · · , m j } are not modified. The average length am of a rect recovered bit for all cases is calculated by
correct recovered bit for all cases is calculated by i =t i t −i
t 7 1
i =t i t −i bm = bi . (48)
t 7 1 i 8 8
am = ai . (42) i =0
i 8 8
i =0 When t is odd, if i ≥ t +2 1 , m Rj is correctly recovered and b i = 1.
When t is odd, if i ≥ t +2 1 , m Rj is the same as m Oj . At this If i < t +2 1 , m Rj is not the same as the original value, and we obtain
t +1 t
time, ai = 1. If i < 2
, m Rj is different from the original value, b i = 0. When t is even, if i ≥ 2
+ 1, m Rj is correctly reconstructed,
t
and we have ai = 0. When t is even, if i ≥ + 1, is cor- t
2
m Rj and b i = 1. If i = 2
, the value of m Rj is randomly chosen from
rectly reconstructed, and we obtain ai = 1. If i = 2t , the value of {0, 1}. Hence, the average length is bi = 1
× 0 + 12 × 1 = 12 . If i < 2t ,
2
m Rj is randomly chosen from {0, 1}. Hence, the average length is m Rj is different from the original value, and we have b i = 0.
X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 29
Fig. 4. An example of a (2, 5) threshold PRASIS scheme. (a) Secret image with 128 × 256 pixels, (b) the AMBTC cover image with 512 × 512 pixels, (c)-(g) stego images 1-5.
For each block, there are 2 bits used for embedding the parity 4. Experimental results and discussions
information, the partial reversibility of m Oj ( j = 8 and 16) in the
bitmap is calculated by Eight AMBTC compressed test images are used as cover im-
ages in the experiments, as demonstrated in Fig. 3. Notice that,
the cover images are compressed from the original images chosen
P R P = (bm × 2)/2 = bm from USC-SIPI and CVG-UGR image databases.
i =t i t −i
An example of a (2, 5) threshold PRASIS scheme is shown in
t 3 1 (49)
= bi . 2 Fig. 4, where the secret image with 128 × 256 pixels and the origi-
i 4 4 nal AMBTC cover images with 512 × 512 pixels are illustrated in
i =0
Figs. 4(a) and (b), respectively. Five stego images are generated
by the proposed method, as shown in Figs. 4(c)-(g). The visual
Theorem 5. Let 4U × 4V be the size of the stego image, the probability
quality of the stego images in Fig. 4 is demonstrated in Table 1,
to successfully make a fake stego-image that passes the authentication is
1 U V where P S N R A − O is the PSNR of original AMBTC cover image com-
2
. pared with original uncompressed image, P S N R S − O is the PSNR
of AMBTC stego image compared with original uncompressed im-
age, and P S N R S − A is the PSNR of AMBTC stego image compared
Proof. Any modification of stego image block can be detected
with original AMBTC cover image. The PSNR value of the original
by the authentication parity bit with probability 12 . For a 4U ×
AMBTC cover image is about 29.4 dB. The PSNR of the stego im-
4V -pixel stego image, it contains U × V blocks. Hence, the prob-
age with embedded data is approximately 24.6 dB. The value of
ability to successfully make a fake stego-image that passes the
1 U V PSNR is decreased by 4.8 dB due to the embedding. But the visual
authentication is 2
. 2 quality of the stego image is satisfied.
30 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33
Table 1
Visual quality of the stego images in Fig. 4.
Table 2
PSNR and SSIM of the stego images for the (2, 2) scheme.
4.2. Authentication
Table 3
Comparison of authentication ability.
Table 4
Percentages of partial reversibility for recovering the bitmap when t stego images are used in the (2, 5) threshold PRASIS
scheme.
Table 5
Comparison among the proposed method and related methods.
Scheme Feature
a 4 × 4 AMBTC block. The embedding rate is 8/(8 + 8 + 16) = 1/4. to BTC compressed image. The application scenario is further
The embedding rates for other schemes are listed in Table 5. Most extended.
schemes [29] [30] [31] [32] [36] are 1/4. • Partial reversibility for cover image with high probability.
The key techniques used in SIS schemes are mentioned. For When the cover image is important, the original cover image
the proposed scheme, polynomial based SIS (PSIS) and HMAC are can be partially reconstructed with high probability.
used. For Refs. [32] and [35], cellular automata (CA) are adopted.
The computation complexity for CA to share a secret image is re- 5. Conclusions
duced from O (nlog 2 n) by PSIS to O (n). The computation cost by
using CA is lower than those by using PSIS. For Refs. [31] and A (k, n) threshold PRASIS scheme is presented in this paper.
[36], Chinese remainder theorem (CRT) based authentication and Steganography and authentication for secret image sharing are ob-
Aryabhata remainder theorem (ART) based authentication are used, tained. In the proposed method, a secret image is encoded into
respectively. For Yan et al.’s method [38], a partial SIS scheme is n shares by using polynomial based SIS under G F (28 ). Then, the
introduced based on linear congruence and image inpainting. But random-looking shares are concealed into the AMBTC cover im-
their method only provides partial SIS functionality. age with parity bits by the proposed embedding algorithms, and n
For Wu et al.’s VCS [39], VCS and BTC are combined together. stego images are achieved. Prior to revealing the secret, each stego
Differing from the proposed scheme, Wu et al.’s scheme [39] is image is verified to prevent the attack of unauthorized parties. Fur-
a VCS, where the secret is revealed by stacking via human vi- ther, when the secret is reconstructed, the original AMBTC cover
sual system. Further, the proposed method provides authentication image can be partially recovered with high probability. Theoretical
property. The integrity of an AMBTC stego image can be verified, analysis on the proposed method is given, as well as sufficient ex-
and the tampered areas can be identified if it is destructed. On the perimental results. According to the analysis and experiments, the
other hand, the method by Wu et al. [39] does not offer this abil- proposed method is effective and advanced.
ity. In the proposed method, the quantization levels and bitmaps
are used to conceal the shared bits. The approaches for partially re- Declaration of Competing Interest
covering the original quantization levels and bitmaps are based on
the embedding method and majority voting. In Wu et al.’s scheme The authors confirm that there are no known conflicts of inter-
[39], only the bitmaps are used to generate the bit patterns for est associated with this publication and there has been no signifi-
visual cryptography. The method for recovering the bitmap is to cant financial support for this work that could have influenced its
predict the allocation of ‘0’ and ‘1’ in the bitmap. It is a technique outcome.
like cheat-preventing VCS.
Moreover, some related data hiding methods [40] [41] for BTC Acknowledgments
compressed images are included for comparison as well. These
methods do not offer SIS and authentication functionalities. For This work was partially supported by National Natural Science
Wang et al.’s method [41], the chaotic encryption is used to pro- Foundation of China (Grant No. 61602211), Science and Technol-
tect the image content, and the embedding rate is approximately ogy Program of Guangzhou, China (Grant No. 201707010259), Fun-
0.2563 as indicated in their paper. For Al-Salhi and Lu’s method damental Research Funds for the Central Universities (Grant No.
[40], a steganography scheme based on adaptive neural networks 11617404) and Ministry of Science and Technology, under Grant
(ANNs) is proposed. The embedding rate can be up to 0.5 as 108-2221-E-259-009-MY2.
claimed in their paper. But the stego image in their method [40]
cannot be inverted to the original form. References
In total, merits of the proposed method are summarized as fol-
[1] A. Shamir, How to share a secret, Commun. ACM (ISSN 0001-0782) 22 (11)
lows.
(1979) 612–613.
[2] G.R. Blakley, Safeguarding cryptographic keys, Proc. Natl. Comput. Conf. 88
• Steganography and authentication. The shared data are em- (1979) 313–317.
bedded into the cover image to ease the share management [3] M. Naor, A. Shamir, Visual cryptography, Lect. Notes Comput. Sci. 950 (1) (1995)
problem. Authentication is used to prevent the attack of unau- 1–12.
[4] C. Yang, New visual secret sharing schemes using probabilistic method, Pattern
thorized parties. Recognit. Lett. (ISSN 0167-8655) 25 (4) (2004) 486–494.
• BTC compressed stego image. Existing schemes use uncom- [5] T. Chen, K. Tsao, Visual secret sharing by random grids revisited, Pattern Recog-
pressed cover image, but the proposed method can be applied nit. (ISSN 0031-3203) 42 (9) (2009) 2203–2217.
X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 33
[6] T. Hofmeister, M. Krause, H. Simon, Contrast-optimal k out of n secret sharing [30] C. Yang, T. Chen, K. Yu, C. Wang, Improvements of image sharing with
schemes in visual cryptography, Comput. Comb. (1997) 176–185. steganography and authentication, J. Syst. Softw. (ISSN 0164-1212) 80 (7)
[7] X. Wu, W. Sun, Improving the visual quality of random grid-based visual secret (2007) 1070–1076.
sharing, Signal Process. 93 (5) (2013) 977–995. [31] C.-C. Chang, Y.-P. Hsieh, C.-H. Lin, Sharing secrets in stego images with authen-
[8] X. Yan, S. Wang, X. Niu, C.-N. Yang, Halftone visual cryptography with mini- tication, Pattern Recognit. 41 (10) (2008) 3130–3137.
mum auxiliary black pixels and uniform image quality, Digit. Signal Process. 38 [32] Z. Eslami, S. Razzaghi, J.Z. Ahmadabadi, Secret image sharing based on cellular
(2015) 53–65. automata and steganography, Pattern Recognit. 43 (1) (2010) 397–404.
[9] P. Tuyls, H. Hollmann, J. Lint, L. Tolhuizen, XOR-based visual cryptography [33] C.-C. Wu, S.-J. Kao, M.-S. Hwang, A high quality image sharing with steganog-
schemes, Des. Codes Cryptogr. 37 (1) (2005) 169–186. raphy and adaptive authentication scheme, J. Syst. Softw. 84 (12) (2011)
[10] X. Wu, W. Sun, Extended capabilities for XOR-based visual cryptography, IEEE 2196–2207.
Trans. Inf. Forensics Secur. 9 (10) (2014) 1592–1605. [34] C.-N. Yang, J.-F. Ouyang, L. Harn, Steganography and authentication in image
[11] C.-N. Yang, C.-C. Wu, Y.-C. Lin, k out of n region-based progressive visual cryp- sharing without parity bits, Opt. Commun. 285 (7) (2012) 1725–1735.
tography, IEEE Trans. Circuits Syst. Video Technol. 29 (1) (2017) 252–262. [35] J. Zarepour-Ahmadabadi, M.S. Ahmadabadi, A. Latif, An adaptive secret im-
[12] H.-C. Chao, T.-Y. Fan, Random-grid based progressive visual secret sharing age sharing with a new bitwise steganographic property, Inf. Sci. 369 (2016)
scheme with adaptive priority, Digit. Signal Process. 68 (2017) 69–80. 467–480.
[13] X. Yan, Y. Lu, Contrast-improved visual secret sharing based on random grid for [36] J.-S. Lee, Y.-R. Chen, Selective scalable secret image sharing with verification,
general access structure, Digit. Signal Process. 71 (2017) 36–45. Multimed. Tools Appl. 76 (1) (2017) 1–11.
[14] S.J. Shyu, XOR-based visual cryptographic schemes with monotonously increas-
[37] E. Delp, O. Mitchell, Image compression using block truncation coding, IEEE
ing and flawless reconstruction properties, IEEE Trans. Circuits Syst. Video
Trans. Commun. 27 (9) (1979) 1335–1342.
Technol. 28 (9) (2018) 2397–2401.
[38] X. Yan, Y. Lu, L. Liu, S. Wang, Partial secret image sharing for (k, n) thresh-
[15] X. Jia, D. Wang, D. Nie, C. Zhang, Collaborative visual cryptography schemes,
old based on image inpainting, J. Vis. Commun. Image Represent. 50 (2018)
IEEE Trans. Circuits Syst. Video Technol. 28 (5) (2018) 1056–1070.
135–144.
[16] C.-C. Thien, J.-C. Lin, Secret image sharing, Comput. Graph. 26 (5) (2002)
[39] X. Wu, D. Chen, C.-N. Yang, Y.-Y. Yang, A (k, n) threshold partial reversible
765–770.
AMBTC-based visual cryptography using one reference image, J. Vis. Commun.
[17] P. Li, C.-N. Yang, Z. Zhou, Essential secret image sharing scheme with the same
Image Represent. 59 (2019) 550–562.
size of shadows, Digit. Signal Process. 50 (2016) 51–60.
[40] Y.E. Al-Salhi, S. Lu, New steganography scheme to conceal a large amount of
[18] A. Kanso, M. Ghebleh, An efficient (t , n)-threshold secret image sharing
secret messages using an improved-AMBTC algorithm based on hybrid adaptive
scheme, Multimed. Tools Appl. 76 (15) (2017) 16369–16388.
[19] L. Bao, S. Yi, Y. Zhou, Combination of sharing matrix and image encryption for neural networks, in: IEEE 3rd International Conference on Big Data Security on
lossless (k, n)-secret image sharing, IEEE Trans. Image Process. 26 (12) (2017) Cloud, IEEE, 2017, pp. 112–121.
5618–5631. [41] H.-Y. Wang, H.-J. Lin, X.-Y. Gao, W.-H. Cheng, Y.-Y. Chen, Reversible AMBTC-
[20] Y. Liu, C. Yang, Scalable secret image sharing scheme with essential shadows, based data hiding with security improvement by chaotic encryption, IEEE Ac-
Signal Process. Image Commun. 58 (2017) 49–55. cess 7 (2019) 38337–38347.
[21] P. Li, Z. Liu, C.-N. Yang, A construction method of (t , k, n)-essential secret image
sharing scheme, Signal Process. Image Commun. 65 (2018) 210–220.
[22] X. Wu, C.-N. Yang, Y.T. Zhuang, S.-C. Hsu, Improving recovered image quality
in secret image sharing by simple modular arithmetic, Signal Process. Image
Xiaotian Wu received the Ph.D. degree in Computer Science from Sun
Commun. 66 (2018) 42–49. Yat-sen University, Guangzhou, China. He is currently an Associate Pro-
[23] X. Wu, J. Weng, W. Yan, Adopting secret sharing for reversible data hiding in fessor in the Department of Computer Science at Jinan University. His
encrypted images, Signal Process. 143 (2018) 269–281. research interests include visual cryptography, secret image sharing, re-
[24] X. Yan, Y. Lu, L. Liu, J. Liu, G. Yang, Chinese remainder theorem-based two-in- versible data hiding and multimedia security.
one image secret sharing with three decoding options, Digit. Signal Process. 82
(2018) 80–90.
[25] N.F. Johnson, S. Jajodia, Exploring steganography: seeing the unseen, Computer Ching-Nung Yang received the B.S. and M.S. degrees in telecommuni-
31 (2) (1998) 26–34. cation engineering from National Chiao Tung University, Hsinchu, Taiwan,
[26] L.M. Marvel, C.G. Boncelet, C.T. Retter, Spread spectrum image steganography, in 1983 and 1985, respectively, and the Ph.D. degree in electrical engineer-
IEEE Trans. Image Process. 8 (8) (1999) 1075–1083.
ing from National Cheng Kung University, Tainan City, Taiwan, in 1997.
[27] C. Chan, L. Cheng, Hiding data in images by simple LSB substitution, Pattern
He is currently a Full Professor with the Department of Computer Sci-
Recognit. 37 (3) (2004) 469–474.
[28] Y. Zhang, C. Qin, W. Zhang, F. Liu, X. Luo, On the fault-tolerant performance for ence and Information Engineering, National Dong Hwa University, Hualien,
a class of robust image steganography, Signal Process. 146 (2018) 99–111. Taiwan. His research interests include coding theory, information security,
[29] C.-C. Lin, W.-H. Tsai, Secret image sharing with steganography and authentica- and cryptography. He is a Fellow of the IET and a senior member of the
tion, J. Syst. Softw. 73 (3) (2004) 405–414. IEEE.