Beruflich Dokumente
Kultur Dokumente
2, FEBRUARY 2018
Abstract— The aim of this paper is to maximize the range of the This scheme encrypts a visual secret into visual shares so
access control of visual secret sharing (VSS) schemes encrypting that humans can visually reconstruct the secret with their eyes
multiple images. First, the formulation of access structures for by superposing a qualified combination of visual shares each
a single secret is generalized to that for multiple secrets. This
generalization is maximal in the sense that the generalized for- printed on a transparency. One of the applications in which
mulation makes no restrictions on access structures; in particular, VSS schemes are essential is for the authentication by a human
it includes the existing ones as special cases. Next, a sufficient recipient without any trusted communication channels. More
condition to be satisfied by the encryption of VSS schemes precisely, the problem here is to authenticate a message from
realizing an access structure for multiple secrets of the most an informant to a human recipient through an insecure channel
general form is introduced, and two constructions of VSS schemes
with encryption satisfying this condition are provided. Each of which is under full control of an adversary. This arises, for
the two constructions has its advantage against the other; one is example, in the interactions between a human and an electronic
more general and can generate VSS schemes with strictly better device without screen such as a smartcard. It is hard to provide
contrast and pixel expansion than the other, while the other has a a solution to this problem without assuming a secure channel,1
straightforward implementation. Moreover, for threshold access and the authentication based on VSS schemes, called the visual
structures, the pixel expansions of VSS schemes generated by the
latter construction are estimated and turn out to be the same authentication [14], has been the only secure solution so far.
as those of the existing schemes called the threshold multiple-
secret visual cryptographic schemes. Finally, the optimality of the A. Related Works
former construction is examined, giving that there exist access The SS scheme encrypting multiple secrets can trivially
structures for which it generates no optimal VSS schemes.
be realized by a collection of multiple SS schemes each
Index Terms— Visual secret sharing, general access structures, encrypting each secret. Therefore, this work considers the VSS
multiple secrets, information-theoretic security.
scheme encrypting multiple secrets in which each participant
receives a single visual share and any qualified combination
I. I NTRODUCTION of participants for each visual secret can reconstruct the secret
by superposing their visual shares.2 So far there have been
T HE secret sharing (SS) scheme is a cryptosystem which
encrypts a secret into multiple shares so that any qualified
combination of shares can reconstruct the secret, while any
proposed the following VSS schemes encrypting multiple
secrets: extended visual cryptographic schemes (EVCS) [1],
forbidden combination of shares reveals no information about visual secret sharing schemes for plural secret
the secret. Here, the sets of the qualified combinations and images (VSS-q-PI) [13] and threshold multiple-secret
the forbidden combinations are called a qualified set and a visual cryptographic schemes (MVCS) [21]. Here, EVCS
forbidden set, respectively, and the pair of the qualified and assumes an access structure such that all but one of its
forbidden sets is called an access structure. A typical example qualified sets consist of (the combination of) a single share,
of SS schemes is the (k, n)-threshold SS scheme [4], [17], VSS-q-PI an access structure whose forbidden sets are
in which a secret is encrypted into n shares so that any k identical for all secrets3 (although its qualified sets can
or more shares can reconstruct the secret, while any k − 1 be arbitrary) and MVCS a threshold access structure (for
or less shares leak no information about the secret. details, see (3a)–(3c) in section III-A). This work provides
In contrast to the ordinary cryptosystems, there exist SS the formulation and constructions of VSS schemes realizing
schemes whose decryption can be performed by humans a general access structure for multiple secrets without any
without any numerical computations. The visual secret shar- restrictions. Table I summarizes the existing works as well as
ing (VSS) scheme [15] is an example of such SS schemes. this work, where the classification is based on only the range
of their access control.4
Manuscript received June 17, 2017; revised August 27, 2017; accepted 1 In using a smartcard for payment, for instance, one is supposed to trust
August 27, 2017. Date of publication September 7, 2017; date of current
version November 28, 2017. This work was supported in part by JSPS the place of sale to show the correct price charged to the smartcard; in other
Grants-in-Aid for Young Scientists (B) under Grant 21700021 and in part words, it is assumed that the price is announced from an informant (smartcard)
by Scientific Research (C) under Grant 15K00020. A preliminary version of to a human recipient through a secure channel.
2 This work considers only monochrome images. For VSS schemes encrypt-
this paper was presented at ICASSP 2014, Florence, Italy, May 2014 [16]. The
associate editor coordinating the review of this manuscript and approving it for ing color images, see e.g. [8], [13], [23].
3 It should be noted that VSS-q-PI can encrypt color images.
publication was Dr. Sheng Zhong. (Corresponding author: Yodai Watanabe.)
The authors are with the Department of Computer Science and Engineering, 4 From this point of view, (k, n)-visual cryptographic schemes with meaning-
The University of Aizu, Aizuwakamatsu, Fukushima 9658580, Japan (e-mail: ful shares ((k, n)-VCS-MS) [18] and region incrementing visual cryptographic
yodai@u-aizu.ac.jp). schemes (RIVCS) [24] are special cases of EVCS and MVCS, respectively,
Digital Object Identifier 10.1109/TIFS.2017.2750104 and fully incrementing visual cryptography (FIVC) [7] is equivalent to MVCS.
1556-6013 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
SASAKI AND WATANABE: VSS SCHEMES ENCRYPTING MULTIPLE IMAGES 357
II. P RELIMINARIES
It should be stated that there has been proposed another In this section, we provide definitions and notations that will
type of VSS schemes encrypting multiple images in which be used later. For details of definitions in information theory
additional operations in the decryption, such as the rota- and secret sharing, see e.g. [2], [9], [22].
tion of shares with multiple relative angles, are introduced
(see e.g. [19], [20], [26]). In VSS schemes of this type,
A. Basic Definitions and Notations
different operations correspond to different secret images,
while in the VSS schemes in Table I, different combinations of For n ∈ N, let [n] denote the set of natural numbers less
shares correspond to different secret images. Therefore, from than or equal to n; i.e. [n] = {k ∈ N|k ≤ n}. The power
a point of view of the access control, which is the goal of the set of a set S is denoted by 2S ; i.e. 2S = {a|a ⊆ S}. For a
secret sharing, the former schemes can be reduced to a single subset A of a power set partially ordered by inclusion, let A 0
VSS scheme encrypting a single secret (into which multiple denote the set of the minimal elements of A with respect to this
secret images are connected), while there exist no such simple order; i.e.
reductions for the latter ones even for the simplest access
A 0 = {a ∈ A|∀a ∈ A(a ⊂ a)}
structures.5 This is a major difference between the former and
the latter schemes. (where we have used the symbol ⊂ to represent the strict
inclusion). For an ordered set S = {s1 , s2 , · · · , sn }, the order
B. Our Contributions of si in S is denoted by ordS (si ); i.e. ordS (si ) = i .
For random variables X and Y over the same domain,
The aim of this work is to maximize the range of the we write X = Y if X and Y are equal almost surely
access control of VSS schemes encrypting multiple images. (i.e. Pr[X = Y ] = 1), and X ∼ Y if X and Y have the
As a first step, the preliminary version [16] maximally gener- same probability distribution. For a set S, let SU denote a
alized the formulations of access structures and VSS schemes probabilistic function which outputs an element of S according
for multiple secrets, and then provided a construction of to the uniform distribution over S.
VSS schemes of the most general form. This paper pro- For x ∈ {0, 1}n , b ∈ {0, 1} and i ∈ [n], let x xi =b denote the
vides further developments of this generalization described string x with the i -th element x i replaced by b; i.e.
below.6 First, this paper justifies the above construction
in a more general framework. More precisely, this paper x xi =b = (x 1 , · · · , x i−1 , b, x i+1 , · · · , x n ).
introduces a more general construction (Construction 11)
For x ∈ {0, 1}n , let Gray(x) denote the gray level of x; i.e.
which includes the previous one as a special case. In par-
ticular, this inclusion is strict in the sense that the former {i |x i = 1}
(Construction 11) can generate VSS schemes with strictly Gray(x) = .
n
better contrast and pixel expansion than the latter, which The gray level of the empty string ε is defined to be 0; i.e.
is demonstrated by the last two examples in section III-C. Gray(ε) = 0.
Then, this paper proves that for any given access structure of
the most general form, the former indeed generates a VSS
scheme realizing the access structure (in Theorem 12), and B. Access Structure and Secret Sharing
also the latter is a special case of the former (in Corollary 14); Let S = {s1 , s2 , · · · , sn } be the set of all the shares. The
this completes the justification of the latter (previous) con- subset of 2S any of whose elements can decrypt the secret is
struction, which was not given in [16]. Here, to describe the called a qualified set and is denoted by A Q . The subset of 2S
former construction, this paper has introduced two notions any of whose elements leaks no information about the secret
(Definitions 7 and 10), which, together with the proofs to is called a forbidden set and is denoted by A F . The pair of
characterize and justify the construction (Lemma 9 and the qualified and forbidden sets, = (A Q , A F ), is called an
Theorem 12), reveal a sufficient condition to be satisfied by access structure on S. The access structure has to satisfy the
the encryption of VSS schemes for multiple secrets. Moreover, monotonicity:
5 A perfect access structure 2 = ( Ai , Ai ) 2
A ∈ AQ ∧ A ⊆ B ⇒ B ∈ AQ,
Q F i=1 on {s1 , s2 } for two secrets
1 2
with A Q = {{s1 }, {s1 , s2 }} and A Q = {{s2 }, {s1 , s2 }} (see Definition 4 for this B ∈ AF ∧ A ⊆ B ⇒ A ∈ AF ,
notation) is an example of such access structures.
6 All of these are contributions of this paper relative to the preliminary 7 It should be noted that our constructions are not restricted to threshold
version [16]. access structures, but can apply to arbitrary ones.
358 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 13, NO. 2, FEBRUARY 2018
one black subpixel and one white subpixel (resp. two black 01 01
C0 = and C 1 = .
subpixels) if e is white (resp. black). This construction can 01 10
be represented by the sets C 0 and C 1 of matrices in Table II;
more precisely, the above encryption and decryption can be A pair of matrices C 0 and C 1 is called basis matrices for
represented by the functions Enc : {0, 1} → {0, 1}2×2 and a VSS scheme with encryption Enc if the random column
Dec : {0, 1}2×2 → {0, 1}2 given by permutation of them gives the encryption Enc; i.e. Enc(b) =
C b U for b ∈ {0, 1}. Hence, the above two matrices are basis
Enc(b) = CUb and Dec(M) = (m 11 ∨ m 21 , m 12 ∨ m 22 ) matrices for the (2,2)-threshold VSS scheme.
for b ∈ {0, 1} and M = (m i j ) ∈ {0, 1}2×2 , respectively, where For n ∈ N, let Cn,n0 and C 1 denote basis matrices for an
n,n
∨ denotes the OR operation. optimal (n, n)-threshold VSS scheme. For example,
The relative difference in gray level between superposed ⎛ ⎞
0011
shares that come from a white pixel and a black pixel in the 01
0
C1,1 = 0 , C2,2 0
= , C3,3
0
= ⎝0101⎠ ,
secret image is called the contrast. In the above example, the 01
0110
reconstructed pixel has a gray level of 22 = 1 if e is black, and ⎛ ⎞
1001
a gray level of 12 if e is white; therefore, Contrast = 22 − 12 = 12 . 01
The higher contrast makes it easier to recognize reconstructed
1
C1,1 = 1 , C2,2 1
= , C3,3
1
= ⎝1010⎠ ,
10
images. 1100
8 For audio secret sharing (ASS) schemes, whose decryption can acoustically have been shown to give optimal (n, n)-threshold VSS
be performed by human ears, see e.g. [11], [25] schemes for n = 1, 2, 3, respectively [15].
SASAKI AND WATANABE: VSS SCHEMES ENCRYPTING MULTIPLE IMAGES 359
q
III. V ISUAL S ECRET S HARING S CHEMES structure q = (AiQ , AiF ) i=1 is called minimally refined
E NCRYPTING M ULTIPLE I MAGES if every
qualified sets have only one minimal element;
A. Formulation i.e. | AiQ 0 | = 1 for all i ∈ [q].
Note that each access structure (AiQ , AiF ) can be taken inde-
In this subsection, we provide a formulation of VSS
pendently without any restrictions except for the uniqueness
schemes encrypting multiple images. We begin with the
condition (2). This condition is necessary for VSS schemes
following definition of two matrix operations, which are
because their decryption is restricted to the superposition of
convenient for describing the security and constructions of
visual shares, and so each qualified combination of shares has
VSS schemes.
to be assigned a unique visual secret to be decrypted by the
Definition 2 (Supermatrix and Submatrix With Respect to
superposition. (Hence, this condition may be removed for the
an Ordered Subset [16]): Let S = {s1 , s2 , · · · , sn } be an
ordinary SS schemes).
ordered set of size n, and a be an ordered subset of S of
If we make the restrictions
size n . For an n × m matrix M = (m i j ), let [M]a denote the
n × m matrix defined by ∀i ∈ [|S|] AiQ 0 = {{si }} with q = |S| + 1, (3a)
i
∃A F ∀i ∈ [q] A F = A F , (3b)
m orda (si ) j if si ∈ a,
([M] )i j =
a
∀i ∈ [q]∃k∀a Q ∈ A Q ∀a F ∈ A F |a Q | ≥ k ∧|a F | < k , (3c)
i i
1 otherwise.
then Definition 4 coincides with those for EVCS [1],
The matrix [M]a is called the supermatrix of M with respect VSS-q-PI [13] and MVCS [21], respectively. That is, this
to a. definition includes the existing ones as special cases.
For an n × m matrix M = (m i j ), let [M]a denote the n × m Definition 4 does not consider correlation among secrets,
submatrix of M defined by and we may assume any correlation among them. This allows
([M]a )orda (si ) j = m i j us to introduce equivalence between access structures as
follows.
for si ∈ a. The matrix [M]a is called the submatrix of M with Definition 5 (Equivalence Between Access Structures): Let
respect to a. The submatrix with respect to the empty set ∅ is S be a finite set and p, p , q, q ∈ N. Let ν = {v i }i∈[q] and
defined to be the empty string ε; i.e. [M]∅ = ε for all M. ν = {v i }i∈[q ] be sets of random variables
over the same
Example 3: Let S = {s1 , s2 , s3 } be an ordered set, and a1 domain. A partition {Ii }i∈[ p] of [q] (i.e. i Ii = [q] and
and a2 be ordered subsets of S given by a1 = {s2 } and a2 = i = j ⇒ Ii ∩ I j = ∅) is called an index partition of ν if
{s1 , s3 }, respectively. Then ∀k ∈ Ii ∀l ∈ I j (i = j ⇔ v k = vl )
⎛ ⎞ ⎛ ⎞
1 a2 01
a1 01 for all i, j ∈ [ p]. Let = (AiQ , AiF ) i∈[q] and =
0 = ⎝0⎠ , = ⎝11⎠ , i i
10 (A Q , A F ) i∈[q ] be access structures on S for ν and ν ,
1 10
⎡⎛ ⎞⎤ ⎡⎛ ⎞⎤ respectively. The pairs (, ν) and ( , ν ) are called equivalent
1 1001
if there exist index partitions {Ii }i∈[ p] and {Ii }i∈[ p ] of ν and ν ,
⎣⎝0⎠⎦ = 0 , ⎣⎝1010⎠⎦ = 1001 .
1100 respectively, such that
1 a
1100 a
1 2
AkQ = AkQ , AkF = AkF and vri = vr
To consider VSS schemes encrypting multiple images, it is k∈Ii k∈Ii k∈Ii k∈Ii
i
for all j ∈ [m] (with Dec(ε) = ε), and Enc and Dec satisfy the Example 8: Let S = {s1 , s2 , s3 } be an ordered set. Let
following two conditions, called the reconstruct and security ⎛ ⎞ ⎛ ⎞
11 11
conditions respectively,
C 0 = ⎝01⎠ and C 1 = ⎝01⎠ ,
∀a ∈ AiQ 0 γ1i (a) − γ0i (a) > 0 , (5) 01 10
i q
∀a ∈ A F ∀b ∈ {0, 1} [Enc(bbi =0 )]a ∼ [Enc(bbi =1 )]a , (6) and define Enc(b) = C b U . It readily follows that
for all i ∈ [q], where we have defined g(∅; b) = 0 and g(a; b) = 1
γ1i (a) = min q max{γ |Pr[g(a; bbi =1 ) ≥ γ ] = 1},
b∈{0,1} for all b ∈ {0, 1} and a ⊆ S such that s1 ∈ a, with proba-
γ0i (a) = max q min{γ |Pr[g(a; bbi =0 ) ≤ γ ] = 1}, bility 1. Note here that any column permutation of a binary
b∈{0,1}
matrix does not change the gray level of its (superposed) rows.
with Hence, it can be seen that
g(a; b) = Gray(Dec([Enc(b)]a )) (7) 1
g(a; b) =
for a ⊆ S and b ∈ {0, 1}q . The positive constant 2
for all b ∈ {0, 1} and a ∈ {{s2 }, {s3 }}, with probability 1.
ci (a) = γ1i (a) − γ0i (a)
On the other hand, it follows that
in (5) is called the contrast of the i -th secret for a. For a VSS 1
scheme V SS = (Enc, Dec), the number m of the subpixels g({s2 , s3 }; 0) = and g({s2 , s3 }; 1) = 1,
2
generated by Enc is called the pixel expansion of V SS. A VSS
scheme and its encryption are called optimal if the scheme has with probability 1. Therefore
the lowest pixel expansion. GrC (Enc) = 2S − {{s2 , s3 }}.
Note that the reconstruct condition (5) has a relaxed form
in the sense that the reconstructability
is required only for the Lemma 9: Let S be an ordered set of finite size. Suppose
minimal qualified sets AiQ 0 . This relaxation is necessary for that C 0 and C 1 are a pair of matrices such that (Enc, Dec) with
VSS schemes for the same reason as before (see the remark Enc(b) = C b U for b ∈ {0, 1} realizes an access structure
below Definition 4). (A Q , A F ) on S (for a single secret). Then,
Let I (X : Y |Z ) denote the mutual information between
A Q 0 ∩ GrC (Enc) = ∅ and A F ⊆ GrC (Enc).
random variables X and Y conditioned on random variable Z .
Then, the security condition (6) can be written in an equivalent Moreover, let S ∗ be an ordered set of finite size such that S is
form its ordered subset. Define Enc∗ (b) = [C b ]S U for b ∈ {0, 1}
∀a ∈ AiF I (bi : [Enc(b)]a |b1 , · · · , bi−1 , bi+1 , · · · , bq ) = 0 (where we have used S ⊆ S ∗ ), and
for all random variables b over {0, 1}q . This equivalent form A∗ = {a ⊆ S ∗ |a ∩ (S ∗ − S) = ∅}.
may help to see that bi may correlate with [Enc(b)]a via other
Then,
secrets b j , which is sufficient and useful for our purpose.
In what follows, we suppose that the decryption function Dec A∗ ⊆ GrC (Enc∗ ),
is the bitwise OR given by (4).
and (Enc∗ , Dec) realizes (A∗Q , A∗F ) on S ∗ (for a single secret),
B. Constructions where we have introduced A∗Q and A∗F by
In this subsection, we introduce a sufficient condition to ∗
A Q 0 = A Q 0 and A∗F = {a ∪ â|a ∈ A F , â ⊆ (S ∗ − S)}.
be satisfied by the encryption of a VSS scheme realizing a
general access structure for multiple secrets, and then provide Furthermore, if (A Q , A F ) is perfect, then so is (A∗Q , A∗F ).
two constructions of VSS schemes with encryption satisfying Proof: The contrast condition (5) of VSS schemes
this condition. To describe the sufficient condition, we first (see Definition 6) for a single secret implies that
introduce the set of share combinations whose superposition
has a constant gray level (with probability 1), and then prove ∀a ∈ A Q 0 Pr[g(a; 1) − g(a; 0) > 0] = 1 ,
a lemma characterizing it.
and so ∀a ∈ A Q 0 a ∈ GrC (Enc) , or equivalently,
Definition 7 (Constant Gray Level Set): Let S be an orde-
red set of size n, and m ∈ N. Let Enc be a probabilistic A Q 0 ∩ GrC (Enc) = ∅.
function from {0, 1} to {0, 1}nm . The constant gray level set
GrC (Enc) of Enc is defined by The security condition (6) of VSS schemes for a single secret
gives that for all a ∈ A F ,
GrC (Enc) = {a ⊆ S|∃γ ∀b Pr[g(a; b) = γ ] = 1 },
[Enc(0)]a ∼ [Enc(1)]a ,
where we have defined
g(a; b) = Gray(Dec([Enc(b)]a )) which is equivalent to
Again, note that any column permutation of a binary matrix 1) (Enci , Dec) realizes (AiQ , AiF ) for all i ∈ [q],
does not change the gray level of its (superposed) rows. Hence, 2) i = j ⇒ AiQ 0 ⊆ GrC (Enc j ) for all i, j ∈ [q].
for all a ∈ A F , there exists γa such that Construction 11 (General Construction): Let S be qan
g(a; 0) = g(a; 1) = γa ordered set of finite size, and q ∈ N. Let q = (AiQ , AiF ) i=1
q
be an access structure on S for q secrets. Let {(Ci0 , Ci1 )}i=1
with probability 1, and so q
be pairs of matrices such that the set {Enci }i=1 of encryption
A F ⊆ GrC (Enc). functions Enci (b) = Cib U is compatible with respect to q .
Define Enc by
Also, it follows from the definition of the supermatrix that for b
all b ∈ {0, 1} and a ∈ A∗ , every column of [Enc∗ (b)]a has Enc(b) = C1b1 |C2b2 | · · · |Cq q U
1 at rows corresponding to (S ∗ − S), and so
for b ∈ {0, 1}q .
g(a; b) = 1, Theorem 12: Let S be an ordered set of finite size, and
q ∈ N. Let q be an access structure on S for q secrets.
with probability 1. Hence,
Then, V SS = (Enc, Dec) given by Construction 11 is a visual
A∗ ⊆ GrC (Enc∗ ). secret sharing scheme realizing q .
Proof: We first show that (Enc, Dec) satisfies the contrast
We next show that (Enc∗ , Dec) realizes (A∗Q , A∗F ). Since condition (5). Let i ∈ [q] and a ∈ AiQ 0 . It follows from the
(Enc, Dec) realizes (A Q , A F ) and A∗Q 0 = A Q 0 , it follows condition 2) of the compatible encryption (see Definition 10)
from the definition of Enc∗ that (Enc∗ , Dec) satisfies the that for all j ∈ [q] such that j = i , there exists l j ∈ {0}∪[m j ]
contrast condition (5) of VSS schemes for A∗Q 0 . Moreover, such that
the definition of the supermatrix gives that for all â ⊆ (S ∗ −S),
lj
both [Enc∗ (0)]â and [Enc∗ (1)]â are an all-1 matrix with g j (a; 0) = g j (a; 1) =
probability 1, and so mj
with probability 1, where m j is the pixel expansion of Enc j
[Enc∗ (0)]â ∼ [Enc∗ (1)]â .
and we have defined
This, together with [Enc(0)]a ∼ [Enc(1)]a for a ∈ A F , gives
g j (a; b) = Gray(Dec([Enc j (b)]a ))
[Enc∗ (0)]a ∗ ∼ [Enc∗ (1)]a ∗
as before (see (7)). It also follows from the condition 1) of the
for all a ∗ ∈ A∗F = {a ∪ â|a ∈ A F , â ⊆ (S ∗ − S)}, and so
compatible encryption that there exists di ∈ [m i ] such that
(Enc∗ , Dec) satisfies the security condition (6) for A∗F .
To show the last part of the lemma, suppose that a ∗ ∈ A∗F . gi (a; 1) − gi (a; 0) ≥
di
Then, on noting that mi
A∗F = {a ∪ â|a ∈ A F , â ⊆ (S ∗ − S)} with probability 1. Therefore, the contrast of the i -th secret
∗ ∗ ∗
= {a ⊆ S |(a ∩ S) ∈ A F }, for a is lower-bounded as
di
we have (a ∗ ∩ S)∈ A F , and so (a ∗ ∩ S) ∈ A Q because (a ∗ ∩ ci (a) ≥ >0
S) ⊆ S and (A Q , A F ) is perfect. Therefore, the monotonic- m
with m = i∈[q] m i , from which the contrast condition (5)
(1)
ity of the qualified set A Q gives that there exists a ∈
A Q 0 = A∗Q 0 such that follows.
We next show that (Enc, Dec) satisfies the security con-
a ⊆ (a ∗ ∩ S) ⊆ a ∗ ,
dition (6). Let i ∈ [q] and a ∈ AiF . It follows from the
which implies a ∗ ∈ A∗Q . That is, if a ∗ ∈ A∗F , then a ∗ ∈ A∗Q , condition 1) of the compatible encryption that
and so (A∗Q , A∗F ) is also perfect. This completes the 0
proof. Ci U a ∼ Ci1 U a ,
We are now ready to introduce a property, called the which is equivalent to
compatibility, for a set of VSS encryptions. The subsequent 0
construction and theorem show that this property is indeed a Ci a ∼ Ci1 a .
sufficient condition to be satisfied by a set of VSS encryptions
This at once gives
whose concatenation with random column permutation gives
b1 b b
the encryption of a VSS scheme realizing a general access C1 | · · · |Ci0 | · · · |Cq q a ∼ C1b1 | · · · |Ci1 | · · · |Cq q a
structure for multiple secrets.
Definition 10 (Compatible Encryption): Let S be an for all b ∈ {0, 1}q , and so
ordered set of size n, and q ∈ N. For i ∈ [q], let Enci be a b1 b b
C1 | · · · |Ci0 | · · · |Cq q U a ∼ C1b1 | · · · |Ci1 | · · · |Cq q U a ,
probabilistic
function from {0, 1} to {0, 1}nm i with m i ∈ N.
q
Let = (A Q , A F ) i=1 be an access structure on S for q
q i i
from which the security condition (6) follows. This completes
q
secrets. A set {Enci }i=1 of probabilistic functions is called the proof.
compatible with respect to q if the following two conditions It should be stated that Construction 11 assumes the exis-
q
hold: tence of the basis matrices {(Ci0 , Ci1 )}i=1 , and does not specify
362 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 13, NO. 2, FEBRUARY 2018
for b ∈ {0, 1}q (see section II-D for the definition of Cn,n b ).
E. On Optimality
In general, it is difficult to (directly) examine the opti-
mality of SS schemes realizing a general access structure
(see, e.g., [3], [10]); in fact, the optimality has been shown
so far only for very limited classes of SS schemes such as
Fig. 3. Example of a VSS scheme realizing 3 with secret images {v i }3i=1 , threshold SS schemes [17], threshold VSS schemes [5], [6]
where ( 3 , {v i }3i=1 ) is equivalent to ( 2 , {v i }2i=1 ). In this example, all the and (non-perfect) uniform SS schemes [12].9 Hence, instead
matrices are concatenated 6 times to make the pixel expansion m a square: of directly examining the optimality, we now examine the
m = (2 + 2 + 2) × 6 = 62 (we may take m = 2 + 2 + 2 = 6 if m need
not be a square). The contrast is 16 for all the reconstructed images. In this
possibility that the optimality of Construction 11 may be
construction, Share 1 + 2 + 3, which is not a minimal element of the qualified reduced to that of each encryption Enci . For this purpose,
2
sets, is an all-black image. consider first a simple access structure = (AiQ , AiF ) i=1
on S = {s1 , s2 } for 2 secrets, given by
1
Hence, by transforming s into a minimally refined one and A Q 0 = {s1 } and A2Q 0 = {s2 }
then applying Construction 13 to it, we have a VSS scheme with AiF = 2S −AiQ for all i ∈ [2]. This access structure can be
realizing s with the pixel expansion realized by a VSS scheme with the (deterministic) encryption
given by
s
n
(n−i+1)−1
n Cn−i+1 2 = n Ci 2
i−1
, b
Enc(b) = 1
i=1 i=k b2
where we have used the fact that the pixel expansion of for b ∈ {0, 1}2 , while any VSS scheme generated by
an optimal (n, n)-threshold VSS scheme is 2n−1 [15]. This Construction 11 has the pixel expansion no less than 2. Note
formula gives exactly the same pixel expansions as those of that the above matrix is the concatenation of the basis matrices
(k, n, s)-MVCS for 2 ≤ k ≤ n ≤ 8 and s = n − k + 1 b1
C1,1 b2
and C1,1 with respect to the row (not column).
(see Table I in [21]). We note that the pixel expansions of q
More generally, let = (AiQ , AiF ) i=1 be an access
(k, n, s)-MVCS are not explicitly given in a general form but
and for i ∈ [q], let S0 bei the union
i
determined by solving linear programming problems for each structure
for q secrets, of
A Q 0 ; i.e. S0 = a∈( Ai )0 a. Moreover, let A Q and Ai
i i
F be
instance. Q
Next, let n ∈ N, k ∈ [n] and s ∈ [n − k + 1], and the restrictions of A Q and A F on S0i , respectively; i.e.
suppose that a list R = (rk , · · · , rn ) satisfies the following S0 i S0 i
Q = AQ ∩ 2
Ai∗ F = AF ∩ 2 .
i
and Ai∗ i
two conditions: (i) ri ∈ {0} ∪ [s] for any i ∈ {k, · · · , n}
q
and (ii) |{i ∈ {k, · · · , n}|ri = s }| = 1 for any s ∈ [s] Suppose further that S0i i=1 are disjoint, i = j ⇒ S0i ∩ S0 =
j
the row concatenation), while any VSS scheme generated by [10] L. Csirmaz, “The size of a share must be large,” J. Cryptol., vol. 10,
Construction 11 has the pixel expansion no less than i m i no. 4, pp. 223–231, 1997.
[11] Y. Desmedt, S. Hou, and J.-J. Quisquater, “Audio and optical cryp-
(which comes from the column concatenation). Since tography,” in Advances in Cryptology—ASIACRYPT (Lecture Notes in
maxi m i < i m i for q ≥ 2, this shows that there exist access Computer Science), vol. 1514. Berlin, Germany: Springer-Verlag, 1998,
structures for which Construction 11 generates no optimal pp. 392–404.
[12] O. Farràs, T. Hansen, T. Kaced, and C. Padró, “Optimal non-perfect
VSS schemes. uniform secret sharing schemes,” in Advances in Cryptology—CRYPTO
(Lecture Notes in Computer Science), vol. 8617. Berlin, Germany:
IV. C ONCLUDING R EMARKS Springer-Verlag, 2014, pp. 217–234.
[13] M. Iwamoto and H. Yamamoto, “A construction method of visual
We close this paper by mentioning an application of our secret sharing schemes for plural secret images,” IEICE Trans. Fundam.,
VSS schemes. In the authentication based on VSS schemes vol. 86, no. 10, pp. 2577–2588, 2003.
encrypting a single secret image, one way to detect tampering [14] M. Naor and B. Pinkas, “Visual authentication and identification,” in
Advances in Cryptology—CRYPTO (Lecture Notes in Computer Sci-
by an adversary is to divide the secret image into two disjoint ence), vol. 1294. Berlin, Germany: Springer-Verlag, 1997, pp. 322–336.
areas: one for a message and the other for the detection [15] M. Naor and A. Shamir, “Visual cryptography,” in Advances in
(see e.g. the first method “content areas and black areas” Cryptology—EUROCRYPT (Lecture Notes in Computer Science),
vol. 950. Berlin, Germany: Springer-Verlag, 1994, pp. 1–12.
in [14]). On the other hand, VSS schemes encrypting multiple [16] M. Sasaki and Y. Watanabe, “Formulation of visual secret sharing
images allow the authentication which can take the above schemes encrypting multiple images,” in Proc. 39th IEEE Int. Conf.
two areas identical; for instance, the second example in Acoust., Speech Signal Process. (ICASSP), Jun. 2014, pp. 7391–7395.
[17] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,
section III-C allows the authentication in which Shares 1 and 3 pp. 612–613, Nov. 1979.
are distributed to a human recipient, Share 2 is generated [18] S. J. Shyu, “Threshold visual cryptographic scheme with meaningful
by an informant, and the two secrets v 1 and v 2 are taken shares,” IEEE Signal Process. Lett., vol. 21, no. 12, pp. 1521–1525,
Dec. 2014.
to be an all-black image for the detection and an image for [19] S. J. Shyu and K. Chen, “Visual multiple-secret sharing by circle random
a message, respectively. (Here, we note that v 1 and v 2 can grids,” SIAM J. Imag. Sci., vol. 3, no. 4, pp. 926–953, 2010.
be decrypted by superposing two (not three) shares and the [20] S. J. Shyu, S.-Y. Huang, Y.-K. Lee, R.-Z. Wang, and K. Chen, “Sharing
multiple secrets in visual cryptography,” Pattern Recognit., vol. 40,
reconstructed images have pixel expansion 4 and contrast 14 .) no. 12, pp. 3633–3651, 2007.
This authentication, equipped with the idea behind the third [21] S. J. Shyu and H.-W. Jiang, “General constructions for threshold
method “black and gray” in [14], ensures that an adversary multiple-secret visual cryptographic schemes,” IEEE Trans. Inf. Foren-
sics Security, vol. 8, no. 5, pp. 733–743, May 2013.
cannot tamper with the latter image without tampering with [22] D. R. Stinson, Cryptography: Theory and Practice, 3rd ed. London,
the former, which makes its security analysis simpler and more U.K.: Chapman & Hall, 2005.
practical. It will be the subject of future work to investigate [23] E. R. Verheul and H. C. van Tilborg, “Constructions and properties of k
out of n visual secret sharing schemes,” Des., Codes Cryptogr., vol. 11,
this authentication in more detail. no. 2, pp. 179–196, 1997.
[24] R. Z. Wang, “Region incrementing visual cryptography,” IEEE Signal
R EFERENCES Process. Lett., vol. 16, no. 8, pp. 659–662, Aug. 2009.
[25] S. Washio and Y. Watanabe, “Security of audio secret sharing scheme
[1] G. Ateniese, C. Blundo, A. D. Santis, and D. R. Stinson, “Extended encrypting audio secrets with bounded shares,” in Proc. 39th IEEE
capabilities for visual cryptography,” Theor. Comput. Sci., vol. 250, Int. Conf. Acoust., Speech Signal Process. (ICASSP), May 2014,
nos. 1–2, pp. 143–161, 2001.
pp. 7396–7400.
[2] A. Beimel, “Secret-sharing schemes: A survey,” in Proc. 3rd Int. [26] C.-N. Yang and T.-H. Chung, “A general multi-secret visual cryptogra-
Workshop Coding Cryptol. (IWCC), vol. 6639. 2011, pp. 11–46. phy scheme,” Opt. Commun., vol. 283, no. 24, pp. 4949–4962, 2010.
[3] A. Beimel and I. Orlov, “Secret sharing and non-Shannon information
inequalities,” IEEE Trans. Inf. Theory, vol. 57, no. 9, pp. 5634–5649,
Sep. 2011.
[4] G. R. Blakley, “Safeguarding cryptographic keys,” in Proc. Nat. Comput.
Conf., Monval, NJ, USA, 1979, pp. 313–317.
[5] C. Blundo, P. D’Arco, A. D. Santis, and D. R. Stinson, “Contrast optimal
threshold visual cryptography schemes,” SIAM J. Discrete Math., vol. 16, Manami Sasaki received the B.S. degree in computer science and engineering
no. 2, pp. 224–261, 2003. from the University of Aizu, Japan, in 2012. She has been an Engineer with
[6] M. Bose and R. Mukerjee, “Optimal (k, n) visual cryptographic schemes Canon IT Solutions Inc., Japan, since 2012.
for general k,” Des., Codes Cryptogr., vol. 55, no. 1, pp. 19–35, 2010.
[7] Y.-C. Chen, “Fully incrementing visual cryptography from a succinct
non-monotonic structure,” IEEE Trans. Inf. Forensics Security, vol. 12,
no. 5, pp. 1082–1091, May 2017.
[8] S. Cimato, R. de Prisco, and A. de Santis, “Optimal colored threshold Yodai Watanabe (M’14) received the Ph.D. degree in physics from the Uni-
visual cryptography schemes,” Des., Codes Cryptogr., vol. 35, no. 3, versity of Tokyo, Japan, in 2000. He is currently a Senior Associate Professor
pp. 311–335, 2005. with the Department of Computer Science and Engineering, University of
[9] T. M. Cover and J. A. Thomas, Elements of Information Theory, 2nd ed. Aizu, Japan. His research interests include information theory and signal
Hoboken, NJ, USA: Wiley, 2006. processing.