Digital Signal Processing 93 (2019) 22–33

Contents lists available at ScienceDirect

Digital Signal Processing

www.elsevier.com/locate/dsp

Partial reversible AMBTC-based secret image sharing with

steganography
Xiaotian Wu a,∗ , Ching-Nung Yang b
a
Department of Computer Science, Jinan University, Guangzhou, China
b
Department of Computer Science and Information Engineering, National Dong Hwa University, Taiwan

a r t i c l e i n f o a b s t r a c t

Article history: Existing secret image sharing (SIS) schemes with steganography and authentication are designed for
Available online 16 July 2019 uncompressed images. They cannot be applied to compressed domain. When the cover image is of
significance, these schemes cannot revert the distorted stego image into its original form. To solve these
Keywords:
problems, a (k, n) threshold partial reversible absolute moment block truncation coding (AMBTC) based
Secret image sharing
Block truncation coding
SIS scheme with steganography and authentication is proposed. A secret image is split into n noise-
Partial reversible like shares by employing the polynomial based SIS under G F (28 ). To efficiently manage the shares, they
Steganography are concealed into the AMBTC cover image with parity bits by the proposed embedding algorithms,
Authentication and n meaningful stego images are constructed. Authentication is adopted so that the integrity of
stego image can be verified. Sufficient stego images can perfectly reconstruct the secret. Meanwhile,
the original AMBTC cover image can be partially recovered with high probability. Theoretical analysis
and experimental results are demonstrated, showing the effectiveness and advantages of the proposed
scheme.
© 2019 Elsevier Inc. All rights reserved.

1. Introduction or shadows) which are distributed to n participants. Any k or more

Secret sharing is a special cryptographic technique to safeguard
a secret by splitting it into several pieces called shares or shad-
ows, while sufficient pieces can successfully reveal the secret, but
insufficient ones cannot. The basic concept of secret sharing was
introduced independently by Shamir [1] and Blakley [2] in 1979.
The well known (k, n) threshold secret sharing scheme contains
the following three characteristics.
• The secret is shared among n participants, and each partici-
pant is delivered an associate share.
• A collection of any k or more participants can reveal the secret
by their shares.
• Any (k − 1) or less participants cannot obtain any information
about the secret.
Naor and Shamir further extended secret sharing from num-
ber domain to image domain, where a visual cryptography scheme
(VCS) [3] was proposed. In a (k, n) threshold VCS, a binary secret
image is transformed into n random-looking images (called shares
* Corresponding author.
E-mail addresses: wxt.sysu@gmail.com, wxiaotian@jnu.edu.cn (X. Wu).
participants can visually recover the secret image by stacking their
shares together without any computation. Based on the pioneer
work of VCS, different kinds of VCSs [4] [5] [6] [7] [8] [9] [10] [11]
[12] [13] [14] [15] were studied. However, VCS is only suitable for
sharing binary images.
To protect grayscale images, Thien and Lin [16] proposed a
(k, n) threshold secret image sharing (SIS) scheme with noise-like
shares. Based on their method [16], investigations [17] [18] [19]
[20] [21] [22] [23] [24] on SIS were widely conducted.
In SIS scheme, the generated shares are noise-like. When they
are transmitted over the Internet, the meaningless form of the
share might be suspicious to invaders. And these shares would be
possibly attacked. On the other hand, the fidelity of a share might
be damaged incidentally or a false share would be intentionally
brought to reconstruct the secret image. When these two cases
happen, unsuccessful secret recovery occurs.
To prevent the mentioned two threats, steganography and au-
thentication are adopted. Steganography technique [25] [26] [27]
[28] is employed in some SIS schemes [29] [30] [31] [32] [33] [34]
to embed shared data into a cover image, so that high quality stego
images are achieved. When the stego image is transmitted over the
Internet, the invader is unaware of the existence of the secret. Au-
thentication is used to check in advance the fidelity of all shares
before they are used to reconstruct the secret image. Valid shares

https://doi.org/10.1016/j.dsp.2019.06.016
1051-2004/© 2019 Elsevier Inc. All rights reserved.
 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 23

are guaranteed to be used in secret image recovery, so that unsuc-
cessful reconstruction can be prevented.
To offer steganography and authentication, Lin and Tsai [29]
proposed an SIS scheme based on the Shamir’s (k, n) threshold
method. Authentication is achieved by using the parity bits, so
that incidentally bringing an erroneous stego-image or intention-
ally providing a false image to reconstruct the secret is prevented.
An improved scheme was proposed by Yang et al. [30] to solve
three weaknesses in Lin and Tsai’s method [29]: image authentica-
tion by dishonest participant, deterioration quality of stego-image,
and non-lossless secret image reconstruction. Chang et al. [31] also
introduced another scheme to further improve the authentication
ability and visual quality. Later, some improved SIS schemes [32]
[34] [35] [36] were proposed as well. However, those methods are
designed for uncompressed images, they cannot be applied to the
compressed ones. Moreover, when the cover image is significant,
those distorted stego images cannot be reverted to original.
To solve above-mentioned problems, an SIS scheme using abso-
lute moment block truncation coding (AMBTC) compressed cover
images with reversible steganography and authentication is pre-
sented in this paper.
The rest of this paper is organized as follows. AMBTC, Hamming
code, simple least significant bit (LSB) substitution and optimal
pixel adjustment process (OPAP) are briefly described in Section 2.
The partial reversible AMBTC-based SIS (PRASIS) scheme is de-
scribed in Section 3, as well as theoretical analysis. Experimental
results are demonstrated in Section 4. Section 5 concludes this
work.
2. Preliminaries
2.1. AMBTC
AMBTC is a lossy image compression method [37] that uses a
quantizer to reduce the number of gray levels in each block of an
image. To compress an image by AMBTC, an image is separated
codeword length of a code is c = 2b − 1 and the message length
is g = 2b − b − 1. Hamming code is capable of correcting one-bit
error, however, it is impossible to guarantee error correction when
multiple errors happen in a codeword. The parity check matrix for
a Hamming code is produced by listing columns of length b with
non-zero. The (7, 4, 3) Hamming code has the parity check matrix
H p , as denoted by
⎡ ⎤
0 0 0 0 1 1 1
Hp = ⎣0 1 1 0 0 1 1⎦ . (4)
1 0 1 0 1 0 1
Let Y ∈ F2n be a vector obtained from a codeword X ∈ F2n by
modifying at most one coordinate of X (from 0 to 1 or vice versa).
Then, X can be recovered from Y . The syndrome decoding algo-
rithm for correcting single error in the Hamming code is given as
follows:
1. Given a vector Y ∈ F2n , compute its syndrome S (Y ) by
S (Y ) = H p Y T . (5)
2. If S (Y ) = 0, no error has occurred, and X = Y . Otherwise,
i = S (Y ) and identify the i-th column of H p , decode Y as the
vector X obtained from Y by replacing the i-th coordinate Y i
of Y with (1 − Y i ).
2.3. LSB substitution and OPAP
Let C and (s1 s2 · · · sk )2 be an 8-bit pixel in the cover image and
the k bits to be embedded, respectively. The cover image pixel C is
represented by bit strings, as denoted as
C = (c 1 c 2 · · · c 8−k c 8−k+1 · · · c 8 )2 . (6)
 

into non-overlapping blocks with t × t pixels. In this paper, t = 4 k LSBs

is used. For each block, the mean pixel value V is calculated by For the k-bit simple LSB substitution method, the k rightmost
t ×t
 LSBs of C are directly replaced by the corresponding secret bits
1
V = xj (1) (s1 s2 · · · sk )2 , the marked pixel is denoted as
t ×t
j =1
C m = (c 1 c 2 · · · c 8−k s1 s2 · · · sk )2 (7)
where x j is the j-th pixel value in the block. Then, x j is compared  

with the mean value V , so that a bitmap M which consists of two k bits
groups is constructed based on the following rules. (1) If x j < V ,
OPAP for simple LSB substitution [27] was proposed to improve
the corresponding bit in the bitmap is determined as group “0”
the quality of the embedded pixel. Let δ = C m − C be the em-
and is assigned “0” in the bitmap; (2) otherwise, the bit belongs to
bedding error between the marked pixel C m by using simple LSB
group “1” and is assigned “1” in the bitmap. Let q be the number
substitution and original pixel C . When 2k−1 < δ < 2k , the marked
of “1” in the bitmap, two quantization levels L and H are calcu-
pixel by using OPAP is generated by
lated by
 
1 C m − 2k , if C m ≥ 2k ,
L= xj (2) Cm = (8)
t ×t −q O m
C , otherwise.
x j <V

and When −2k−1 ≤ δ ≤ 2k−1 , the marked pixel by using OPAP is con-
1  structed by
H= x j. (3)
q
x j ≥V
Cm m
O =C . (9)
Finally, a (t × t )-pixel block is compressed into two quantization
levels ( L , H ) and a bitmap M with t × t bits. When −2k < δ < −2k−1 , the marked pixel by using OPAP is gener-
ated by
2.2. Hamming code

C m + 2k , if C m < 256 − 2k ,
Hamming code is a type of linear perfect single error-correcting Cm
O = m
(10)
C , otherwise.
codes with the minimal distance of 3. For an integer b ≥ 2, the
24 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33
Fig. 1. A framework of the proposed scheme.
3. The proposed scheme
3.1. Motivation and contribution
Existing methods [29] [30] [31] [32] [33] [34] [35] [36] with
steganography and authentication are designed for uncompressed
images. But nowadays, compressed images are commonly used
in the Internet and multimedia applications. These existing ap-
proaches cannot be applied to the compressed domain. Moreover,
in existing methods, a cover image is adopted to generate the stego
images. When the cover image is significant, the distorted stego
image is preferred to be reverted into its original form. However,
these mentioned methods do not offer this functionality.
In this paper, an SIS scheme using compressed cover images
with reversible steganography and authentication is presented.
Herein, we consider AMBTC compressed cover image, since AMBTC
is a highly efficient image compression technique which offers
good image quality and relatively lower complexity compared
to the modern compression techniques, e.g., JPEG or JPEG2000.
AMBTC is suitable to be implemented in computational systems
with low-power processing constrains and high resolution demand.
The main contribution of this paper is summarized as follows.
• An SIS scheme with steganography and authentication using
AMBTC cover images is proposed.
• A level embedding algorithm and a bitmap embedding algo-
rithm are proposed to embed shared data into the AMBTC
cover image.
• A partial recovering algorithm is introduced to ensure that the
distorted AMBTC stego image can be partially inverted into
original with high probability.
• Theoretical analysis and sufficient experiments are provided to
demonstrate the effectiveness and advantages of the proposed
scheme.
While comparing to existing methods with steganography and
authentication, the proposed method can deal with AMBTC com-
pressed image and offer partial recovery functionality for the cover
image.
3.2. Framework
A framework of the proposed scheme is described in Fig. 1. To-
tally, four phases are included: sharing phase, embedding phase,
authentication phase and revealing phase. In sharing phase, a se-
cret image is encoded into n noise-like shares. In embedding
phase, the n shares with authentication codes are embedded into
the AMBTC compressed cover image to form n stego images. In au-
thentication phase, each stego image can be verified whether it is
tampered or not. Those authentic stego images are used to recon-
struct the secret image in recovering phase. Meanwhile, the AMBTC
compressed cover image is partially recovered.
3.3. Sharing phase
In sharing phase, a secret image is split into n shares by the
(k, n) threshold polynomial based SIS. The secret image is ran-
domly permuted. For each time, k pixels { I 1 , I 2 , · · · , I k } are se-
lected from the permuted secret image and encoded by
F (x) = I 1 + I 2 x + · · · + I k xk−1 mod p . (11)
In the above equation, modulus value p is set to the Galois Field
G F (28 ), that is, p = g (x) = x8 + x4 + x3 + 1. And the values of x are
random numbers under G F (28 ). By using n different values of x, n
shared pixels are obtained by
y 1 = F (x1 ), y 2 = F (x2 ), · · · , yn = F (xn ).
3.4. Embedding phase
In embedding phase, each share is embedded into the AMBTC
cover image to form a stego image, as well as the authentication
(1) (2) (8)
codes. Exactly, a shared pixel y i = (si si · · · si )2 is embedded
into a corresponding AMBTC block { H , L , M } to generate a stego
block { H m
i
, Lm
i
, Mm
i
}, where i (1 ≤ i ≤ n) is the share ID corre-
(1) (2) (8)
sponding to the i-th participant and (si si · · · si )2 is the binary
form of y i . The embedding phase contains three main steps, as
described as follows.
 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 25

3.4.1. Embed two bits into L and H

(1) (2)
Two bits (si si )2 in y i are embedded into the two quantiza-
tion levels L and H by the proposed level embedding algorithm, as
described in Algorithm 1.

Algorithm 1 Level embedding algorithm.

(1) (2)
Input: Share ID i, two levels L i and H i , two bits (si si )2 .
Output: Two modified levels.
(1) (2)
1. When i is odd, the two bits (si si )2 are embedded into L i = (l1 l2 · · · l8 )2 by
LSB substitution and OPAP via Steps 1-5. That is, the 2 rightmost LSBs of L i
(1) (2)
are directly replaced by the two bits, as denoted as Lm i = (l 1 l 2 · · · l 6 s i s i )2 .
The two levels are modified as ( Lm
i , H i ) .
i and L i by e 1 = L i − L i .
2. Compute the embedding error e 1 between Lm m

3. If e 1 = 3, L i is modified by
m


i − 4,
Lm i ≥4
if L m
Lm
i = (12)
Lm
i
, otherwise

4. If e 1 = −3, L m
i
is modified by
 Fig. 2. Embedding examples by the proposed level embedding algorithm. (a) Share
i + 4,
Lm if L m ID is odd, and (b) share ID is even.
i < 252
Lm
i = (13)
Lm
i
, otherwise

5. If |e 1 | = 2, calculate the difference between H i and L i by d1 = H i − L i . When

(1) (2)
d1 > 1, compute the complement of (si si )2 , as denoted as (si si )2 . Then,
(1) (2) In the proposed level embedding algorithm, when the distor-
(1) (2) tion between the modified level and original level is 3 or −3, OPAP
(si si )2 are embedded into L i by
is used to reduce the distortion to −1 and 1. When the distortion
Lm
(1) (2) is 2 or −2, the complement of the two secret bits is embedded,
i = (l1 l2 · · · l6 s i s i )2 . (14)
and the order of two levels are reversed. As a result, the distortion
And the order of the two levels is reversed as ( H i , L m i ). When d1 = 1, obtain is reduced to −1 or 1. But there is a problem in using the comple-
(1) (2)
the 2 LSBs (l7 l8 )2 of L i . If ((l7 l8 )2 = (10)2 )&&((si si )2 = (00)2 ) or ((l7 l8 )2 = ment and reversed order. Let L m and H m be the output two levels.
(1) (2) (1) (2)
(00)2 )&&((si si )2 = (10)2 ), the secret bits (si si )2 are embedded into L i . When L m > H m , we know that the order of two levels is reversed,
The two levels are modified as ( Lm , H ) . For the other cases when d1 = 1, the
two levels are modified like d1 > 1.
i i
and the bits should be extracted from H m . But when L m = H m ,
(1) (2)
6. When i is even, the two bits (si si )2 are embedded into H i = (h1 h2 · · · h8 )2 we determine that the order of two levels is not reversed, and
via Steps 6-10. The 2 rightmost LSBs of H i are directly replaced by the two the bits are extracted from L m . There are four cases in using the
(1) (2)
bits by H mi
= (h1 h2 · · · h6 si si )2 . The two levels are modified as ( L i , H m
i
). complement and reversed order that would lead to L m = H m . They
7. Calculate the embedding error e 2 between H m and H i by e 2 = H m − Hi .
i i are (1) ID is odd, H i − L i = 1, (l7l8 )2 = (10)2 , (s7 s8 )2 = (00)2 , (2)
8. If e 2 = 3, H i is modified by
m
ID is odd, H i − L i = 1, (l7l8 )2 = (00)2 , (s7 s8 )2 = (10)2 , (3) ID is

Hm − 4, if H m ≥4 even, H i − L i = 1, (h7 h8 )2 = (01)2 , (s7 s8 )2 = (11)2 , and (4) ID is
Hm
i =
i i (15) even, H i − L i = 1, (h7 h8 )2 = (11)2 , (s7 s8 )2 = (01)2 . When these
Hm
i
, otherwise
four cases occur, we directly embed the two secret bits into the
9. If e 2 = −3, H m
i
is modified by two LSBs of L i or H i . The operations for these four cases are de-
 scribed in Steps 5 and 10 in Algorithm 1.
i + 4, if H i < 252
Hm m
Hm
i = (16)
Hm
i
, otherwise
3.4.2. Embed six bits into M
10. If |e 2 | = 2, compute the difference between H i and L i by d2 = H i − L i . When The six bits (s3 s4 · · · s8 )2 in y i are embedded into the bitmap
(1) (2) (1) (2)
d2 > 1, compute the complement of (si si )2 . Then, (si si )2 are embedded M i by using (7, 4, 3) Hamming code. The (7, 4, 3) Hamming code
into H i by
parity check matrix H p in Eq. (4) is adopted. Let the bitmap M i be

Hm
(1) (2) ⎡ ⎤
i = (h 1 h 2 · · · h 6 s i s i )2 . (17)
m1 m2 m3 m4
And the order of the two levels is reversed as ( H m , L i ). When d2 = 1, ob- ⎢ m5 m6 m7 m8 ⎥
i ⎢
Mi = ⎣ ⎥.
m12 ⎦
(1) (2)
tain the 2 LSBs (h7 h8 )2 of H i . If ((h7 h8 )2 = (01)2 )&&((si si )2 = (11)2 ) or m9 m10 m11
(1) (2) (1) (2)
((h7 h8 )2 = (11)2 )&&((si si )2 = (01)2 ), the secret bits (si si )2 are embed- m13 m14 m15 m16
ded into H i . The two levels are modified as ( L i , H m
i
). For the other cases when
d2 = 1, the two levels are modified like d2 > 1. The proposed bitmap embedding algorithm based on Hamming
11. Output the two levels.
code is formulated in Algorithm 2.
For example, six bits (111000)2 are embedded into the bitmap
Embedding examples by the proposed level embedding algo- ⎡ ⎤
1 1 1 1
rithm are shown in Fig. 2. When the share ID is odd (resp. even),
⎢1 0 0 0⎥
the secret bits are embedded into the lower (resp. higher) level. In Mi = ⎢
⎣0
⎥
Fig. 2(a), if (10)2 is to be embedded, the complement of (10)2 is 0 0 0⎦
concealed into the lower level and the order of L and H is re- 1 1 1 0
versed, so that the distortion is further reduced. Note that, the
by the proposed bitmap embedding algorithm. Two variables X 1
lower level L is not always less than higher level H after modi-
and X 2 are obtained by
fication, since the order of L and H is rearranged. When decom-
pressing the AMBTC stego image, we should compare L with H ,
and the smaller one is the actual lower level. X 1 = (1111100)2 , X 2 = (0000111)2 .
26 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33

Algorithm 2 Bitmap embedding algorithm. 3.5. Authentication phase

(3) (8)
Input: Binary bitmap M i , six bits (si · · · si )2 .
Output: Modified bitmap M m i . Prior to revealing the secret image, the integrity of each AMBTC
1. Read the 4 × 4 bitmap M i , the 16 bits in M i are transferred to two variables stego image should be verified. The authentication process is exe-
X 1 and X 2 by cuted block by block in each stego image.
For each AMBTC stego image block { L i , H i , M i }, calculate the
X 1 = (m1 m2 m3 m4 m5 m6 m7 )2 (18)
parity bit p̃ by
and
p̃ = X O R  H K ( H i  L i  ( M i − m8 − m16 )) . (24)
X 2 = (m9 m10 m11 m12 m13 m14 m15 )2 , (19)
Extract the embedded parity bit p from M i by p = m8 ⊕ m16 . Com-
respectively. pare p̃ and p. If p = p̃, the stego image block is original. If p
= p̃,
2. Calculate δ1 and δ1 by the stego image block is tampered.

δ1 = H X 1T mod 2, δ2 = H X 2T mod 2. (20)

3.6. Recovery phase
3. Compute β1 and β2 by
In recovery phase, when a collection of any k or more stego
(3) (4) (5) (6) (7) (8)
β1 = (si si si ) ⊕ δ1 , β2 = (si si si ) ⊕ δ2 (21) images is achieved, the secret image is losslessly reconstructed and
where ⊕ denotes the Boolean XOR operation.
the AMBTC cover image is partially recovered.
4. If β1 = 0, no error has occurred, (m1 · · · m7 )2 in M i remain the same. Oth- To reconstruct the secret image, the embedded shared bits are
erwise, replace the β1 -th coordinate of mβ1 in M i by its complement mβ1 . extracted from each authenticated stego image block { L i , H i , M i }.
Similarly, if β2 = 0, (m9 · · · m15 )2 in M i remain the same. Otherwise, replace (1) (2)
First of all, the two shared bits (si si )2 concealed in the two
the (8 + β2 )-th coordinate of m8+β2 in M i by its complement m8+β2 .
5. Output the modified bitmap M m
levels are extracted. When i is odd, if L i ≤ H i , the two bits are
i .
embedded in L i , and they are extracted from the two LSBs of L i .
If L i > H i , the complements of the two shared bits are embedded
δ1 and δ1 are calculated by in H i . Two extracted bits are the complement of the two LSBs of
H i . Similarly, when i is even, if L i ≤ H i , the two bits are embedded
δ1 = H X 1T = (001)2 , δ2 = H X 2T = (100)2 . in H i , and they are extracted from the two LSBs of H i . If L i > H i ,
the complement of the two shared bits is embedded in L i . Two
Then, β1 and β2 are computed by extracted bits are the complement of the two LSBs of L i .
(3) (8)
Next, the six shared bits (si · · · si )2 embedded in bitmap M i
β1 = (111)2 ⊕ (001)2 = (110)2 , β2 = (000)2 ⊕ (100)2 = (100)2 . are extracted by

As a result, the (110)2 = 6-th and (100)2 + 8 = 12-th elements (s(i 3) s(i 4) s(i 5) )2 = H X 1T (6 ) (7 ) (8 )
mod 2, (si si si )2 = H X 2T mod 2
in M are replaced by m6 and m12 , respectively. And the modified
bitmap M m is
(25)
i
⎡ ⎤ where
1 1 1 1
⎢1 1 0 0⎥ X 1 = (m1 m2m3 m4m5m6m7 )2 (26)
⎢ ⎥.
⎣0 0 0 1⎦
and
1 1 1 0
X 2 = (m9 m10m11m12m13m14m15 )2 , (27)
3.4.3. Generate and embed the parity bit
To prevent participants from manipulating AMBTC stego im- respectively.
When all the shared bits are extracted, the permuted secret
ages, A Hash-based Message Authentication Code (HMAC) is used,
image is perfectly reconstructed by using a Lagrange polynomial
as given by
interpolation algorithm under G F (28 ). Then, the permuted se-
cret image is reverted into its original form. Moreover, when t
H K (Hm m m
i  L i  ( M i − m8 − m16 )) (22)
(k ≤ t ≤ n) AMBTC stego images are achieved, the original AMBTC
where procedure H K () is a one-way hash function with the secret cover image is partially recovered. The partial recovering algorithm
is depicted in Algorithm 3.
i and L i are two levels with embedded bits, ( M i − m8 −
key K , H m m m
m
m16 ) denotes 14 bits in M i except m8 and m16 . H K () can be
implemented by SHA-1, and 160 bits are generated as output. 3.7. Theoretical analysis
Next, the generated HMAC bits adopt Boolean XOR operation to
Herein, we prove the proposed scheme is a valid construction
generate the authentication parity bit p by
of SIS and analyze the percentage of partial reversibility of the two
levels and bitmap in the AMBTC cover image, as well as the au-
p = X O RH K (Hm m m
i  L i  ( M i − m8 − m16 )) . (23)
thentication capacity.
The authentication parity bit p is then embedded into (m8 ⊕ m16 ).
When m8 ⊕ m16 = p, m8 and m16 remain the same. When m8 ⊕ Theorem 1. The proposed scheme is valid construction of secret image
m16
= p, m8 or m16 is reversed to the complement m8 or m16 . sharing scheme, where the security and reconstruction conditions are
Note that, if this time m8 is modified, then m16 is modified next met.
time if a modification is required.
When all the shared bits and parity bits are embedded into the Proof. In the sharing phase of the proposed scheme, a (k − 1) de-
AMBTC compressed image, n stego images are constructed. And gree polynomial is used to generate the shares. The secret pixels
they are distributed to n participants. form the k coefficients of the polynomial.
 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 27

Algorithm 3 Partial recover algorithm for AMBTC cover image. Proof. When all the t stego images are with odd (resp. even) IDs,
Input: t AMBTC stego images. only the original higher (resp. lower) levels are obtained. At this
Output: Reconstructed AMBTC cover image. time, the partial reversibility of the two original levels is 12 . When
1. The t stego images are separated into blocks, the original AMBTC block is re-
the t stego images contain odd ID and even ID simultaneously,
covered from the t stego image block in the same position by Steps 2-4.
2. For each stego image block { L i , H i , M i }, the original higher and lower levels both the two original levels are reconstructed. The correspond-
H iO and L iO for this block are recovered. When i is odd, if L i < H i , the original ing partial reversibility is 1. The analysis on partial reversibility
higher level is H iO = H i ; If L i > H i , the original higher level is H iO = L i . Simi- is given based on two cases: (1) n is odd, and (2) n is even.
larly, when i is even, if L i < H i , the original lower level is L iO = L i ; If L i > H i , (1) n is odd. The numbers of odd IDs and even IDs are n+ 2
1
the original lower level is L iO = H i . n−1
and , respectively. When t > n+ 1
, both odd ID and even ID
3. When t is odd, the original elements m Oj (1 ≤ j ≤ 16) in the original bitmap 2 2
M i is recovered by majority voting, as denoted by are contained in the t stego images. Hence, P R L = 1. When n−
2
1
<
 t ≤ n+ 1
, the t stego images would contain (a) odd ID and even
1, if H m (m j , m j , · · · , m j ) ≥ t +2 1 2
(1) (2) (t )
m Oj = (28) ID simultaneously or (b) only odd IDs. The probability of t stego
0, otherwise   (n+1)/2
images having only the odd IDs is nt  , when all the t stego
(1) t
where procedure H m () calculates the Hamming weight of the t bits (m j , n+1
(2) (t ) images are chosen from the stego images with odd IDs. On2
m j , · · · , m j ).
the other hand, the probability of t stego

images having odd ID
4. When t is even, m Oj (1 ≤ j ≤ 16) in the original bitmap M i is recovered by (n+1)/2

⎧ and even ID simultaneously is 1 − nt  . As a result, the associate

(1) (2) (t ) t
⎨1, if H m (m j , m j , · · · , m j ) ≥
⎪ +1 t

O (1) (2) (t )
2 partial reversibility is
m j = r , if H m (m j , m j , · · · , m j ) = t
(29)
⎪
⎩
2  (n+1)/2   (n+1)/2 
0, otherwise 1
P RL = nt  × + 1− nt  ×1
where r is randomly chosen from {0, 1}. 2
t t
5. When all the stego image blocks are processed, the partially recovered AMBTC (n+1)/2 (33)
cover image is obtained.
=1− tn .
2 t
For the reconstruction condition, a collection of any k or more
When t < n− 1
, the t stego images would contain (a) odd ID and
shares can recover the (k − 1) degree polynomial F (x) by using a 2
even ID simultaneously, (b) only odd IDs or (c) only even IDs. The
Lagrange polynomial interpolation algorithm, as represented by
probability
 
of t stego

images

having only the odd (resp. even) IDs
(n+1)/2 (n−1)/2
(x − x2 )(x − x3 ) · · · (x − xk ) is nt  (resp. nt  ), when all the t stego images are selected
F (x) = F (x1 ) t t
(x1 − x2 )(x1 − x3 ) · · · (x1 − xk ) from the n+1
(resp. n−1
)
stego images with odd (resp. even) IDs.
2 2
(x − x1 )(x − x3 ) · · · (x − xk ) The probability of t stego images having odd ID and even ID si-
+ F (x2 ) (n+1)/2 (n−1)/2
(x2 − x1 )(x2 − x3 ) · · · (x2 − xk ) multaneously is 1 − t
+
n t . Hence, the associate partial
(x − x1 )(x − x2 ) · · · (x − xk−1 ) t
+ · · · + F (xk ) mod p . reversibility is
(xk − x1 )(xk − x2 ) · · · (xk − xk−1 )  (n+1)/2  
(30) + (n−t1)/2 1
P RL = t
n ×
t
2
The secret pixels can be obtained from the recovered polynomial.  (n+1)/2 (n−1)/2 
The proposed scheme meets the reconstruction condition. +
For the security condition, any (k − 1) or less shares give no + 1− t
n t
×1 (34)
clue about the secret, since the k unknown coefficients cannot be t
(n+1)/2  
precisely reconstructed by the Lagrange polynomial interpolation + (n−t1)/2
algorithm. Thus, the proposed scheme satisfies the security condi- =1− t
n .
tion. t
Actually, the security of the proposed scheme is based on In summary, when n is odd, the partial reversibility is
Shamir’s polynomial secret sharing. Since Shamir’s method is se-
⎧
curity, the proposed method is security as well. 2 ⎪ 1, if t > n+ 1
⎪
⎪ (n+1)/2 2
⎨
P RL = 1 −
tn , if n− 1
< t ≤ n+2 1 (35)
Theorem 2. When any t (k ≤ t ≤ n) stego images are used to recover the 2 2
⎪
⎪
t
(n−1)/2 (n+1)/2
original AMBTC cover image, if n is odd, the partial reversibility P R L of ⎪
⎩1 − + n −1
t n t
2 t
, if t ≤ 2
.
two original levels is
⎧ (2) n is even. The numbers of odd IDs and even IDs are both
⎪
⎪1, if t > n+ 1
⎪
⎪ (n+1)/2 2 n
.When t > n2 , both odd ID and even ID are contained in the t
⎨ 2
1− tn , if n− 1
< t ≤ n+2 1 stego images. And the reversibility is P R L = 1. When t ≤ n2 , the t
P RL = 2 2 (31)
⎪
⎪
t
(n−1)/2 (n+1)/2 stego images would contain (a) odd ID and even ID simultaneously,
⎪
⎪ +
⎩1 − t n t , if t ≤ n−
2
1
. (b) only odd IDs or (c) only even IDs. The probability
 
of t  stego

2 t (n)/2 (n)/2
images having only the odd (resp. even) IDs is nt  (resp. nt  ),
If n is even, t
n n
t
when all the t stego images are chosen from the (resp. stego )
⎧ 2 2
⎨1, n images with odd (resp. even) IDs. The probability of t stego

images
if t > 2 (n)/2
n/2 2
P RL = (32) having odd ID and even ID simultaneously is 1 − nt . Thus, the
⎩1 − nt  , if t ≤ n
2
t
t associate partial reversibility is
28 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33

 (n)/2   (n)/2 
1 ai = 12 × 0 + 12 × 1 = 12 . If i < 2t , m Rj is different from the original
P RL = 2 nt  × + 1 − 2 nt  ×1
2 value, and we achieve ai = 0.
t t
(n)/2 (36) For each block, there are totally 14 bits are used for embedding,
nt  the partial reversibility of m Oj (1 ≤ j ≤ 7 and 9 ≤ j ≤ 15) in the
=1− .
t
bitmap is computed by

In total, when n is even, the partial reversibility is P R M = (am × 14)/14 = am

⎧
i =t    i  t −i

⎨ 1, if t > n
t 7 1 (43)
P RL = n/2 2
(37) = ai . 2
⎩1 − nt  , if t ≤ n
2
2 i =0
i 8 8
t

Theorem 3. When any t (k ≤ t ≤ n) stego images are used to recover the Theorem 4. When any t (k ≤ t ≤ n) stego images are used to recover the
original AMBTC cover image, the partial reversibility of m Oj (1 ≤ j ≤ 7 original AMBTC cover image, the partial reversibility of m Oj ( j = 8 and
and 9 ≤ j ≤ 15) in the bitmap is 16) in the bitmap is

i =t    i  t −i i =t    i  t −i

 t 7 1 t 3 1
P RM = ai (38) P RP = bi (44)
i 8 8 i 4 4
i =0 i =0

where ai is the average length of a correct recovered bit when i bits in where b i is the average length of a correct recovered bit when i bits in
(1) (t )
(1) (t )
{m j , · · · , m j } are not modified. When t is odd, ai is computed by {m j , · · · , m j } are not modified. When t is odd, bi is computed by
 
1, if i ≥ t +2 1 1, if i ≥ t +2 1
ai = (39) bi = (45)
0, otherwise. 0, otherwise.

When t is even, ai is calculated by When b is even, b i is calculated by

⎧ ⎧
⎪ t
⎨1, if i ≥ 2 + 1 ⎪ t
⎨1, if i ≥ 2 + 1
ai = 12 , if i = 2t (40) b i = 12 , if i = 2t (46)
⎪
⎩ ⎪
⎩
0, otherwise. 0, otherwise.

Proof. According to the block embedding algorithm, 3 bits are Proof. Based on the parity bit generation, the authentication par-
embedded into (m1 · · · m7 )2 . When β1 = 0, the 7 bits remain the ity bit p is independent of (m8 ⊕ m16 ) before p is embedded.
same. When β1
= 0, one bit in (m1 · · · m7 )2 is flipped. Since β1 ∈ When p
= (m8 ⊕ m16 ), m8 or m16 is flipped. The probability of
{0, 1, · · · , 7}, the probability of modification in (m1 · · · m7 )2 is 78 . p
= (m8 ⊕ m16 ) is 12 . Since the modification on m8 and m16 is al-
Thus, for one bit m j ( j ∈ {1, 2, · · · , 7}) in (m1 · · · m7 )2 , the proba- ternative when modification is required, the probability of m8 that
bility of modifying one bit m j in the 7 bits is 78 × 17 = 18 . Hence, the is modified is 12 × 12 = 14 , and the probability of m8 remaining the
1
probability of m j without modification is 1 − 78 = 78 . Similarly, for same is 1 − 4
= 34 . Similarly, the probabilities of m16 with and
one bit m j ( j ∈ {9, 10, · · · , 15}) in (m9 · · · m15 )2 , the probabilities without modification are 14 and 34 .
of m j with and without modification are 18 and 78 , respectively. Let m Rj ( j = 8 and 16) be the recovered bit by the reconstruc-
Let m Rj (1 ≤ j ≤ 7 and 9 ≤ j ≤ 15) be the recovered bit by the (1)
tion algorithm based on t bits {m j , m j , · · · , m j }, and let m Oj
(2) (t )
(1) (2) (t )
reconstruction algorithm based on t bits {m j , m j , · · · , m j }, and be the original bit in the AMBTC cover image. Suppose that i is
(1) (t )
let m Oj be the original bit in the AMBTC cover image. Suppose that the number of bits in {m j , · · · , m j } that are not modified by the
(1) (t ) embedding algorithm. The probability of having i bits remained
i is the number of bits in {m j , · · · , m j } that are not modified
the same and (t − i ) bits modified simultaneously is
by the embedding algorithm. The probability of having i bits re-
mained the same and (t − i ) bits modified simultaneously is    i  t −i
t 7 1
   i  t −i i 8 8
. (47)
t 7 1
. (41)
i 8 8 Let b i be the average length of a correct recovered bit when i bits
Let ai be the average length of a correct recovered bit when i bits in {m1j , · · · , mtj } are not modified. The average length bm of a cor-
(1) (t )
in {m j , · · · , m j } are not modified. The average length am of a rect recovered bit for all cases is calculated by
correct recovered bit for all cases is calculated by i =t    i  t −i
 t 7 1
i =t    i  t −i bm = bi . (48)
 t 7 1 i 8 8
am = ai . (42) i =0
i 8 8
i =0 When t is odd, if i ≥ t +2 1 , m Rj is correctly recovered and b i = 1.
When t is odd, if i ≥ t +2 1 , m Rj is the same as m Oj . At this If i < t +2 1 , m Rj is not the same as the original value, and we obtain
t +1 t
time, ai = 1. If i < 2
, m Rj is different from the original value, b i = 0. When t is even, if i ≥ 2
+ 1, m Rj is correctly reconstructed,
t
and we have ai = 0. When t is even, if i ≥ + 1, is cor- t
2
m Rj and b i = 1. If i = 2
, the value of m Rj is randomly chosen from
rectly reconstructed, and we obtain ai = 1. If i = 2t , the value of {0, 1}. Hence, the average length is bi = 1
× 0 + 12 × 1 = 12 . If i < 2t ,
2
m Rj is randomly chosen from {0, 1}. Hence, the average length is m Rj is different from the original value, and we have b i = 0.
 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 29

Fig. 3. Eight AMBTC compressed test images used in this paper.

Fig. 4. An example of a (2, 5) threshold PRASIS scheme. (a) Secret image with 128 × 256 pixels, (b) the AMBTC cover image with 512 × 512 pixels, (c)-(g) stego images 1-5.

For each block, there are 2 bits used for embedding the parity 4. Experimental results and discussions
information, the partial reversibility of m Oj ( j = 8 and 16) in the
bitmap is calculated by Eight AMBTC compressed test images are used as cover im-
ages in the experiments, as demonstrated in Fig. 3. Notice that,
the cover images are compressed from the original images chosen
P R P = (bm × 2)/2 = bm from USC-SIPI and CVG-UGR image databases.
i =t    i  t −i
 An example of a (2, 5) threshold PRASIS scheme is shown in
t 3 1 (49)
= bi . 2 Fig. 4, where the secret image with 128 × 256 pixels and the origi-
i 4 4 nal AMBTC cover images with 512 × 512 pixels are illustrated in
i =0
Figs. 4(a) and (b), respectively. Five stego images are generated
by the proposed method, as shown in Figs. 4(c)-(g). The visual
Theorem 5. Let 4U × 4V be the size of the stego image, the probability
quality of the stego images in Fig. 4 is demonstrated in Table 1,
to successfully make a fake stego-image that passes the authentication is
 1 U V where P S N R A − O is the PSNR of original AMBTC cover image com-
2
. pared with original uncompressed image, P S N R S − O is the PSNR
of AMBTC stego image compared with original uncompressed im-
age, and P S N R S − A is the PSNR of AMBTC stego image compared
Proof. Any modification of stego image block can be detected
with original AMBTC cover image. The PSNR value of the original
by the authentication parity bit with probability 12 . For a 4U ×
AMBTC cover image is about 29.4 dB. The PSNR of the stego im-
4V -pixel stego image, it contains U × V blocks. Hence, the prob-
age with embedded data is approximately 24.6 dB. The value of
ability to successfully make a fake stego-image that passes the
 1 U V PSNR is decreased by 4.8 dB due to the embedding. But the visual
authentication is 2
. 2 quality of the stego image is satisfied.
30 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33

Table 1
Visual quality of the stego images in Fig. 4.

Stego image P S N R A − O (dB) P S N R S − O (dB) P S N R S − A (dB)

1 24.6240 26.4169
2 24.6231 26.4100
3 29.3867 24.6551 26.4324
4 24.6125 26.4180
5 24.6051 26.4001

Table 2
PSNR and SSIM of the stego images for the (2, 2) scheme.

Test image P S N R S−A S S I M S−A

Stego image 1 Stego image 2 Stego image 1 Stego image 2
(a) 26.4169 26.4100 0.9747 0.9746
(b) 29.9713 29.9863 0.9865 0.9864
(c) 31.9362 31.9315 0.9718 0.9717
(d) 33.1740 33.1841 0.9691 0.9692
(e) 27.8158 27.8289 0.9735 0.9735
(f) 26.6877 26.6924 0.9697 0.9698
(g) 27.3314 27.3201 0.9851 0.9850
(h) 24.3333 24.2882 0.9288 0.9280

4.1. Visual quality of stego image

To evaluate the visual quality of stego image, PSNR and struc-

tural similarity index measure (SSIM) are adopted. For an original
image A and a distorted image B, SSIM is calculated by
Fig. 5. Verification results when the stego images are tampered. (a) Tampered stego
image with fake area, (b) tampered stego image with cropping, (c) verification result
S S I M ( A , B ) = [l( A , B )]α [c ( A , B )]β [s( A , B )]γ (50) of (a), and (d) verification result of (b).
where
⎧
2μ μ + C
⎪
⎪l( A , B ) = 2 A B2 1
⎪
⎨ μ A +μ B + C 1
c ( A , B ) = 2σ2 A σ B2+C 2 (51)
⎪
⎪ σ A +σ B + C 2
⎪
⎩ s ( A , B ) = 2σ A B + C 3 .
σ A σ B +C 3
(μ A , μ B ), (σ A , σ B ) and σ A B are the local means, standard de-
viations, and cross-covariance for images A and B. In this pa-
per, α = β = γ = 1, C 1 = (0.01 × 255)2 , C 2 = (0.03 × 255)2 and
C 3 = C 2 /2. The value of SSIM is between 0 and 1.
Both PSNR and SSIM are expected to be as high as possible.
Higher PSNR and SSIM indicate better image quality. The PSNR and
SSIM of the stego images for the (2, 2) scheme are shown in Ta-
ble 2, where the eight test images are used. Herein, P S N R S − A and
S S I M S − A are the PSNR and SSIM of the AMBTC stego image com-
pared with original AMBTC cover image, respectively. For all the
stego images, the values of PSNR are greater than 24 dB, while the
values of SSIM are greater than 0.92. And most of the values of
SSIM are near 0.97. According to Table 2, acceptable visual quality
of stego image is achieved by the proposed scheme.

4.2. Authentication

Before reconstructing the secret, each stego image should be

verified whether it is tampered or not. Fig. 5 shows the verifica-
tion results when the stego images are tampered. For Fig. 5(a), it
is tampered with fake area. For Fig. 5(b), it is cropped. Both the
two tampered stego images are detected, and the corresponding
tampered areas are identified in Figs. 5(c) and (d). More verifica-
tion results are illustrated in Fig. 6, when different tampered stego
images are used. For different kinds of stego images (with smooth
area or detailed area), the integrity can be verified. According to
Theorem 5, when the stego image is 512 × 512 pixels, the prob-
ability to successfully make a fake stego-image that passes the
 128×128
authentication is 12 . It is impossible to use a fake stego
image in the image reconstruction.
Fig. 6. More verification results when different tampered stego images are used.
(a)-(b) Tampered stego images, (c)-(d) verification results of (a) and (b).
Comparison of authentication is shown in Table 3. Detection
ratio (DR) for tampering is used to evaluate the authentication
capacity. Those existing schemes are designed for uncompressed
images, while the proposed method is applied to BTC compressed
images. The proposed method offers 12 detection ratio for a BTC
compressed stego block. For Yang et al.’s method [34], the authen-
 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33 31

Table 3
Comparison of authentication ability.

Scheme Authentication capability Size of detection unit Authentication bits

(detection ratio) in a stego block
Ref. [29] 0 – 1
Ref. [30] 1/2 1 uncompressed block 1
Ref. [31] 15/16 1 uncompressed block 4
Ref. [32] 0 – 0
Ref. [34] 255/256 k(k + 1)/2 uncompressed blocks 0
Ref. [35] 63/64 3 uncompressed blocks 1
Ref. [36] 15/16 1 uncompressed block 4
Our 1/2 1 BTC compressed block 1

Table 4
Percentages of partial reversibility for recovering the bitmap when t stego images are used in the (2, 5) threshold PRASIS
scheme.

Bitmap Experimental Theoretical

t=2 t=3 t=4 t=5 t=2 t=3 t=4 t=5
m1 − m7 ,
87.41% 95.71% 95.69% 98.39% 87.5% 95.7% 95.7% 98.39%
m9 − m15
m8 , m16 75.14% 84.28% 84.38% 89.65% 75% 84.38% 84.38% 89.65%

tication method used in their (k, n) scheme is for multiple blocks

k(k+1)
( 2 blocks) without embedding parity bits, and the estimate
D R is 255
256
. For Lin et al.’s scheme [29], it does not have the authen-
tication ability to prevent dishonest participants from malicious
modifications. Hence, the corresponding D R is 0 for a block. For
Eslsmi et al.’s method [32], it only detects the invalidity of shared
bits with probability 255256
, while it cannot detect whether tamper-
ing occurred beyond the shared bits. As a result, the D R is 0 as
well. For Yang et al.’s approach [30] and Chang et al.’s approach
[31], the D R is 12 and 15 16
for an uncompressed block, respectively.
For Zarepour-Ahmadabadi et al.’s method [35], the D R is 63 64
with
one authentication bit embedded and the size of detection unit is
3 blocks. For Lee and Chen’s method [36], 4 authentication bits are
embedded in one block. The corresponding D R is 15 16
. In general,
the authentication capacity can be improved with more authenti-
cation bits. But when more bits are concealed, the visual quality of
the stego image would be compromised.
Totally, Yang et al.’s method [34] obtains higher D R, while the
proposed method, Yang et al.’s method [30] and Chang et al.’s
method [31] offer precise detection area since the size of detec- Fig. 7. Theoretical percentages of partial reversibility for recovering the bitmap.
tion unit in the three approaches is 1 block.
versibility for {m1 − m7 , m9 − m15 } and {m8 , m16 } are 87.41% and
4.3. Partial reversibility
75.14%, respectively. When t = 5, the percentages grow to 98.39%
and 89.65%. Higher percentage is achieved when larger t is used.
When the stego images pass the verification, the embedded bits
Fig. 7 further demonstrates the theoretical percentages of partial
are extracted to perfectly recover the secret image. Then, the origi-
reversibility for recovering the bitmap. The bitmap is reconstructed
nal AMBTC cover image can be partially recovered from those stego
with high probability.
images. When stego images with odd and even IDs, all the quan-
tized levels can be recovered losslessly. When only stego images
4.4. Comparison
with odd IDs (resp. even IDs) are used, the lower (resp. higher)
levels are perfectly reconstructed. When randomly selecting t stego
Comparison among the proposed method and related methods
images for the partial recovery, the average percentage of par-
tial reversibility for the two original levels is formulated in The- is illustrated in Table 5. Embedding rate E R is used to evaluate the
orem 2. embedding capacity of the proposed scheme, as calculated by
Further, the bitmap can be partially reconstructed as well. number of shared bits
The elements in the bitmap are divided into two categories: (1) ER = . (52)
number of bits in stego image
{m1 − m7 , m9 − m15 } which are used to accommodate shared bits,
and (2) {m8 , m16 } which are used to embed the parity bit. Table 4 The communication cost and storage cost can be evaluated by em-
shows the experimental and theoretical percentages of partial re- bedding rate as well. Communication cost for SIS scheme is to de-
versibility of {m1 − m7 , m9 − m15 } and {m8 , m16 } in the bitmap, liver the stego images to the corresponding participants and to re-
where the (2, 5) threshold PRASIS scheme is used. The experi- ceive the stego images. The storage cost is to store the stego image.
mental percentages are approximately the same as the theoretical They concern about the number of bits in stego image. When em-
percentages. Theorems 3 and 4 are supported by the experimental bedding rate increases, communication and storage cost decreases.
results. When t = 2, the experimental percentages of partial re- For the proposed scheme, totally 8 shared bits are embedded into
32 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33

Table 5
Comparison among the proposed method and related methods.

Scheme Feature

Key technique Embedding rate Stego image format Reversible Functionality

1
Our PSIS, HMAC 4
BTC compressed Yes, partial. SIS, authentication, steganography
1
Ref. [29] PSIS, watermarking 4
Uncompressed No SIS, authentication, steganography
1
Ref. [30] PSIS, HMAC 4
Uncompressed No SIS, authentication, steganography
1
Ref. [31] PSIS, CRT 4
Uncompressed No SIS, authentication, steganography
1
Ref. [32] CA, signature 4
Uncompressed No SIS, authentication, steganography
1
Ref. [34] Bivariate PSIS 8
Uncompressed No SIS, authentication, steganography
Ref. [35] CA, HMAC [0.18, 0.64] Uncompressed No SIS, authentication, steganography
1
Ref. [36] PSIS, ART 4
Uncompressed No SIS, authentication, steganography
Ref. [38] Linear congruence, image inpainting - Uncompressed No Partial SIS
Ref. [39] VCS, BTC - BTC compressed Yes, partial. Stacking-to-see decryption
Ref. [41] Chaotic encryption 0.2563 BTC compressed Yes Encryption, steganography
Ref. [40] ANNs 0.5 BTC compressed No Steganography

a 4 × 4 AMBTC block. The embedding rate is 8/(8 + 8 + 16) = 1/4.
The embedding rates for other schemes are listed in Table 5. Most
schemes [29] [30] [31] [32] [36] are 1/4.
The key techniques used in SIS schemes are mentioned. For
the proposed scheme, polynomial based SIS (PSIS) and HMAC are
used. For Refs. [32] and [35], cellular automata (CA) are adopted.
The computation complexity for CA to share a secret image is re-
duced from O (nlog 2 n) by PSIS to O (n). The computation cost by
using CA is lower than those by using PSIS. For Refs. [31] and
[36], Chinese remainder theorem (CRT) based authentication and
Aryabhata remainder theorem (ART) based authentication are used,
respectively. For Yan et al.’s method [38], a partial SIS scheme is
introduced based on linear congruence and image inpainting. But
their method only provides partial SIS functionality.
For Wu et al.’s VCS [39], VCS and BTC are combined together.
Differing from the proposed scheme, Wu et al.’s scheme [39] is
a VCS, where the secret is revealed by stacking via human vi-
sual system. Further, the proposed method provides authentication
property. The integrity of an AMBTC stego image can be verified,
and the tampered areas can be identified if it is destructed. On the
other hand, the method by Wu et al. [39] does not offer this abil-
ity. In the proposed method, the quantization levels and bitmaps
are used to conceal the shared bits. The approaches for partially re-
covering the original quantization levels and bitmaps are based on
the embedding method and majority voting. In Wu et al.’s scheme
[39], only the bitmaps are used to generate the bit patterns for
visual cryptography. The method for recovering the bitmap is to
predict the allocation of ‘0’ and ‘1’ in the bitmap. It is a technique
like cheat-preventing VCS.
Moreover, some related data hiding methods [40] [41] for BTC
compressed images are included for comparison as well. These
methods do not offer SIS and authentication functionalities. For
Wang et al.’s method [41], the chaotic encryption is used to pro-
tect the image content, and the embedding rate is approximately
0.2563 as indicated in their paper. For Al-Salhi and Lu’s method
[40], a steganography scheme based on adaptive neural networks
(ANNs) is proposed. The embedding rate can be up to 0.5 as
claimed in their paper. But the stego image in their method [40]
cannot be inverted to the original form.
In total, merits of the proposed method are summarized as fol-
lows.
• Steganography and authentication. The shared data are em-
bedded into the cover image to ease the share management
problem. Authentication is used to prevent the attack of unau-
thorized parties.
• BTC compressed stego image. Existing schemes use uncom-
pressed cover image, but the proposed method can be applied
to BTC compressed image. The application scenario is further
extended.
• Partial reversibility for cover image with high probability.
When the cover image is important, the original cover image
can be partially reconstructed with high probability.
5. Conclusions
A (k, n) threshold PRASIS scheme is presented in this paper.
Steganography and authentication for secret image sharing are ob-
tained. In the proposed method, a secret image is encoded into
n shares by using polynomial based SIS under G F (28 ). Then, the
random-looking shares are concealed into the AMBTC cover im-
age with parity bits by the proposed embedding algorithms, and n
stego images are achieved. Prior to revealing the secret, each stego
image is verified to prevent the attack of unauthorized parties. Fur-
ther, when the secret is reconstructed, the original AMBTC cover
image can be partially recovered with high probability. Theoretical
analysis on the proposed method is given, as well as sufficient ex-
perimental results. According to the analysis and experiments, the
proposed method is effective and advanced.
Declaration of Competing Interest
The authors confirm that there are no known conflicts of inter-
est associated with this publication and there has been no signifi-
cant financial support for this work that could have influenced its
outcome.
Acknowledgments
This work was partially supported by National Natural Science
Foundation of China (Grant No. 61602211), Science and Technol-
ogy Program of Guangzhou, China (Grant No. 201707010259), Fun-
damental Research Funds for the Central Universities (Grant No.
11617404) and Ministry of Science and Technology, under Grant
108-2221-E-259-009-MY2.
References
[1] A. Shamir, How to share a secret, Commun. ACM (ISSN 0001-0782) 22 (11)
(1979) 612–613.
[2] G.R. Blakley, Safeguarding cryptographic keys, Proc. Natl. Comput. Conf. 88
(1979) 313–317.
[3] M. Naor, A. Shamir, Visual cryptography, Lect. Notes Comput. Sci. 950 (1) (1995)
1–12.
[4] C. Yang, New visual secret sharing schemes using probabilistic method, Pattern
Recognit. Lett. (ISSN 0167-8655) 25 (4) (2004) 486–494.
[5] T. Chen, K. Tsao, Visual secret sharing by random grids revisited, Pattern Recog-
nit. (ISSN 0031-3203) 42 (9) (2009) 2203–2217.
 X. Wu, C.-N. Yang / Digital Signal Processing 93 (2019) 22–33
[6] T. Hofmeister, M. Krause, H. Simon, Contrast-optimal k out of n secret sharing
schemes in visual cryptography, Comput. Comb. (1997) 176–185.
[7] X. Wu, W. Sun, Improving the visual quality of random grid-based visual secret
sharing, Signal Process. 93 (5) (2013) 977–995.
[8] X. Yan, S. Wang, X. Niu, C.-N. Yang, Halftone visual cryptography with mini-
mum auxiliary black pixels and uniform image quality, Digit. Signal Process. 38
(2015) 53–65.
[9] P. Tuyls, H. Hollmann, J. Lint, L. Tolhuizen, XOR-based visual cryptography
schemes, Des. Codes Cryptogr. 37 (1) (2005) 169–186.
[10] X. Wu, W. Sun, Extended capabilities for XOR-based visual cryptography, IEEE
Trans. Inf. Forensics Secur. 9 (10) (2014) 1592–1605.
[11] C.-N. Yang, C.-C. Wu, Y.-C. Lin, k out of n region-based progressive visual cryp-
tography, IEEE Trans. Circuits Syst. Video Technol. 29 (1) (2017) 252–262.
[12] H.-C. Chao, T.-Y. Fan, Random-grid based progressive visual secret sharing
scheme with adaptive priority, Digit. Signal Process. 68 (2017) 69–80.
[13] X. Yan, Y. Lu, Contrast-improved visual secret sharing based on random grid for
general access structure, Digit. Signal Process. 71 (2017) 36–45.
[14] S.J. Shyu, XOR-based visual cryptographic schemes with monotonously increas-
ing and flawless reconstruction properties, IEEE Trans. Circuits Syst. Video
Technol. 28 (9) (2018) 2397–2401.
[15] X. Jia, D. Wang, D. Nie, C. Zhang, Collaborative visual cryptography schemes,
IEEE Trans. Circuits Syst. Video Technol. 28 (5) (2018) 1056–1070.
[16] C.-C. Thien, J.-C. Lin, Secret image sharing, Comput. Graph. 26 (5) (2002)
765–770.
[17] P. Li, C.-N. Yang, Z. Zhou, Essential secret image sharing scheme with the same
size of shadows, Digit. Signal Process. 50 (2016) 51–60.
[18] A. Kanso, M. Ghebleh, An efficient (t , n)-threshold secret image sharing
scheme, Multimed. Tools Appl. 76 (15) (2017) 16369–16388.
[19] L. Bao, S. Yi, Y. Zhou, Combination of sharing matrix and image encryption for
lossless (k, n)-secret image sharing, IEEE Trans. Image Process. 26 (12) (2017)
5618–5631.
[20] Y. Liu, C. Yang, Scalable secret image sharing scheme with essential shadows,
Signal Process. Image Commun. 58 (2017) 49–55.
[21] P. Li, Z. Liu, C.-N. Yang, A construction method of (t , k, n)-essential secret image
sharing scheme, Signal Process. Image Commun. 65 (2018) 210–220.
[22] X. Wu, C.-N. Yang, Y.T. Zhuang, S.-C. Hsu, Improving recovered image quality
in secret image sharing by simple modular arithmetic, Signal Process. Image
Commun. 66 (2018) 42–49.
[23] X. Wu, J. Weng, W. Yan, Adopting secret sharing for reversible data hiding in
encrypted images, Signal Process. 143 (2018) 269–281.
[24] X. Yan, Y. Lu, L. Liu, J. Liu, G. Yang, Chinese remainder theorem-based two-in-
one image secret sharing with three decoding options, Digit. Signal Process. 82
(2018) 80–90.
[25] N.F. Johnson, S. Jajodia, Exploring steganography: seeing the unseen, Computer
31 (2) (1998) 26–34.
[26] L.M. Marvel, C.G. Boncelet, C.T. Retter, Spread spectrum image steganography,
IEEE Trans. Image Process. 8 (8) (1999) 1075–1083.
[27] C. Chan, L. Cheng, Hiding data in images by simple LSB substitution, Pattern
Recognit. 37 (3) (2004) 469–474.
[28] Y. Zhang, C. Qin, W. Zhang, F. Liu, X. Luo, On the fault-tolerant performance for
a class of robust image steganography, Signal Process. 146 (2018) 99–111.
[29] C.-C. Lin, W.-H. Tsai, Secret image sharing with steganography and authentica-
tion, J. Syst. Softw. 73 (3) (2004) 405–414.
33
[30] C. Yang, T. Chen, K. Yu, C. Wang, Improvements of image sharing with
steganography and authentication, J. Syst. Softw. (ISSN 0164-1212) 80 (7)
(2007) 1070–1076.
[31] C.-C. Chang, Y.-P. Hsieh, C.-H. Lin, Sharing secrets in stego images with authen-
tication, Pattern Recognit. 41 (10) (2008) 3130–3137.
[32] Z. Eslami, S. Razzaghi, J.Z. Ahmadabadi, Secret image sharing based on cellular
automata and steganography, Pattern Recognit. 43 (1) (2010) 397–404.
[33] C.-C. Wu, S.-J. Kao, M.-S. Hwang, A high quality image sharing with steganog-
raphy and adaptive authentication scheme, J. Syst. Softw. 84 (12) (2011)
2196–2207.
[34] C.-N. Yang, J.-F. Ouyang, L. Harn, Steganography and authentication in image
sharing without parity bits, Opt. Commun. 285 (7) (2012) 1725–1735.
[35] J. Zarepour-Ahmadabadi, M.S. Ahmadabadi, A. Latif, An adaptive secret im-
age sharing with a new bitwise steganographic property, Inf. Sci. 369 (2016)
467–480.
[36] J.-S. Lee, Y.-R. Chen, Selective scalable secret image sharing with verification,
Multimed. Tools Appl. 76 (1) (2017) 1–11.
[37] E. Delp, O. Mitchell, Image compression using block truncation coding, IEEE
Trans. Commun. 27 (9) (1979) 1335–1342.
[38] X. Yan, Y. Lu, L. Liu, S. Wang, Partial secret image sharing for (k, n) thresh-
old based on image inpainting, J. Vis. Commun. Image Represent. 50 (2018)
135–144.
[39] X. Wu, D. Chen, C.-N. Yang, Y.-Y. Yang, A (k, n) threshold partial reversible
AMBTC-based visual cryptography using one reference image, J. Vis. Commun.
Image Represent. 59 (2019) 550–562.
[40] Y.E. Al-Salhi, S. Lu, New steganography scheme to conceal a large amount of
secret messages using an improved-AMBTC algorithm based on hybrid adaptive
neural networks, in: IEEE 3rd International Conference on Big Data Security on
Cloud, IEEE, 2017, pp. 112–121.
[41] H.-Y. Wang, H.-J. Lin, X.-Y. Gao, W.-H. Cheng, Y.-Y. Chen, Reversible AMBTC-
based data hiding with security improvement by chaotic encryption, IEEE Ac-
cess 7 (2019) 38337–38347.
Xiaotian Wu received the Ph.D. degree in Computer Science from Sun
Yat-sen University, Guangzhou, China. He is currently an Associate Pro-
fessor in the Department of Computer Science at Jinan University. His
research interests include visual cryptography, secret image sharing, re-
versible data hiding and multimedia security.
Ching-Nung Yang received the B.S. and M.S. degrees in telecommuni-
cation engineering from National Chiao Tung University, Hsinchu, Taiwan,
in 1983 and 1985, respectively, and the Ph.D. degree in electrical engineer-
ing from National Cheng Kung University, Tainan City, Taiwan, in 1997.
He is currently a Full Professor with the Department of Computer Sci-
ence and Information Engineering, National Dong Hwa University, Hualien,
Taiwan. His research interests include coding theory, information security,
and cryptography. He is a Fellow of the IET and a senior member of the
IEEE.