Nonlinear Secret Image Sharing Scheme

Over the past decade, most of secret image sharing schemes have been proposed by using Shamir's technique. It is based on a linear combination polynomial arithmetic. Although Shamir's technique based secret image sharing schemes are efficient and scalable for various environments, there exists a security threat such as Tompa-Woll attack. Renvall and Ding proposed a new secret sharing technique based on nonlinear combination polynomial arithmetic in order to solve this threat. It is hard to apply to the secret image sharing. In this paper, we propose a (t, n)-threshold nonlinear secret image sharing scheme with steganography concept. In order to achieve a suitable and secure secret image sharing scheme, we adapt a modified LSB embedding technique with XOR Boolean algebra operation, define a new variable m, and change a range of prime p in sharing procedure. In order to evaluate efficiency and security of proposed scheme, we use the embedding capacity and PSNR. As a result of it, average value of PSNR and embedding capacity are 44.78 (dB) and 1.74t⌈log2⁡m⌉ bit-per-pixel (bpp), respectively.


Introduction
In a security system, there is a maintenance tool which must be checked every day. In order to check it, someone must have access to this system. Three senior administrators are engaged, but they do not trust the combination to any individual administrator. Hence, we would like to design a system whereby any two of three administrators can gain access to this system, but an individual administrator cannot do so. In order to design this system, we adapt a concept of secret sharing. A secret sharing is technique for distributing a secret amongst a group of honest participants, and each secret piece is allocated for each participant after the secret is divided into several pieces. This secret can be reconstructed only when a sufficient number, of possibly different types of shares are combined together; an individual share is no use on its own [1][2][3]. Blakley [4] and Shamir [5] have proposed a concept of secret sharing for the first time. It is that the secret is divided into shares for participants, and is used as a threshold value ( ≤ ). It was called a ( , )-threshold technique and it means that at least participants of participants should be gathered.
With the development of computing and network technologies, in the meantime, multimedia data such as image, audio, and video files have transmitted over the Internet, actively. As a result, multimedia security has emerged as an important issue [6][7][8][9][10][11][12][13][14]. In 2002, Thien and Lin [15] have proposed a ( , )-threshold secret image sharing scheme for the first time. The secret image can be shared by several shadow images so the size of each shadow image is only 1/ of that of the secret image for convenient hiding, storage, and transmission in their scheme. Lin and Tsai [16] have proposed a secret image sharing with steganography concept based on the Shamir's ( , )-threshold scheme. By using the parity bit check method, they claimed that their scheme can prevent from incidentally bringing an erroneous shadow image or intentionally providing a false image to achieve the authentication goal. They also presented another user-friendly image sharing such that shadow images look like natural images [17]. Recently, Lin and Chan [18] proposed a reversible secret image sharing scheme in 2010. They have achieved a low distortion and high embedding capacity. Additionally, it can reconstruct the secret and cover images, completely.
As mentioned above, most of secret image sharing schemes are based on Shamir's ( , )-threshold. It has utilized a linear combination polynomial arithmetic in sharing procedure. A configuration of the linear combination polynomial with ( , ) is as follows: 2 The Scientific World Journal In sharing procedure for participants, an arbitrary share (1 ≤ ≤ ) is computed by above function ( ). Each share is distributed to participant . In order to reconstruct the secret, we need pairs of ( , ). In this procedure, an arbitrary participant can submit a false share and only he will be able to obtain the correct secret while leaving the others with the incorrect secret. It is called a Tompa-Woll attack [19,20]. This attack is caused by the linear property. Renvall and Ding [21] have proposed a new secret sharing scheme based on a nonlinear combination polynomial arithmetic in order to solve this problem. The nonlinear combination arithmetic indicates an inner product for any arbitrary matrix [21]. However, it is hard to apply to the secret image sharing.
In this paper, we propose a nonlinear secret image sharing scheme with steganography concept. Although the proposed scheme is based on Renvall and Ding's sharing and reconstruction methods [21], we adapt several new techniques in order to achieve a suitable and secure secret image sharing scheme. In sharing procedure, we define a new variable and change a range of prime in order to attain the prevention of overflow (or underflow) and reinforce the security. Also, we propose a modified LSB embedding technique with XOR Boolean algebra operation in order to get the high embedding capacity. In order to evaluate efficiency and security of proposed scheme, we use the embedding capacity and PSNR. As the experimental results, we analyze the efficiency and security between proposed and previous techniques.
This paper is organized as follows. Section 2 introduces Shamir's and Renvall and Ding's secret sharing scheme. Considerations and algorithm of proposed scheme are discussed in Section 3. Section 4 presents the experimental results. Lastly, Section 5 gives the conclusions.

Preliminaries
In this section, Shamir's ( , )-threshold secret sharing and Renvall and Ding's nonlinear secret sharing are introduced.

Shamir's ( , )-Threshold Secret Sharing.
In 1979, Shamir has proposed a secret sharing scheme for the first time [5]. It is based on ( , )-threshold which is defined as follows [2]. Definition 1. Let , be positive integers and ≤ . A ( , )threshold is a method of sharing a key among a set of participants (denoted by P), in such a way that any participants can compute the value of , but no group of − 1 participants can do so.
For the example of (2, 3)-threshold, the value of is chosen by a honest participant called the dealer (denoted by , ∉ P, where P is a set of participants). If wants to share among the participants in P, distributes some partial information of (called a share) for each participant. The shares should be distributed secretly, so no participant knows the share given to another participant. That is, an arbitrary participant does not know the information of in (2, 3)-threshold. In order to reconstruct a , two or more participants should get together by an arbitrary algorithm.
In Shamir's scheme, the linear combination polynomial and Lagrange's interpolation arithmetic operations over prime were used in order to distribute and reconstruct a , respectively. It consists of three phases with ( , )-threshold: initialization, share distribution, and reconstruction.

Reconstruction Phase.
If participants want to reconstruct a , or more participants will be recruited by . is reconstructed with information ( , ( )) for each participant and Lagrange interpolation formula as shown in (3) for polynomials. Consider Lastly, a key can be derived from (0) = .

Renvall and Ding's ( − 1, )-Threshold Nonlinear Secret
Sharing. In 1996, Renvall and Ding [21] have proposed a nonlinear secret sharing scheme. A polynomial arithmetic technique is based on quadratic form (called a nonlinear combination) instead of the linear combination. In fact, it is an inner product for an arbitrary matrix, and detailed arithmetic is as follows [21]. Let be a large prime of the form ≡ 3 (mod4). In order to generate the secret, it should be within [0, ( − 1)/2]. All arithmetic operations are performed over Galois field (GF( )). For any positive integers , ( ≤ ) and each set of indices 1 ≤ 1 < ⋅ ⋅ ⋅ < ≤ , Vandermonde matrix M is generated by where all elements in matrix M are distinct nonzero over GF( ) and M must satisfy two requirements as follows.
R1: for any set of indices 1 ≤ 1 < ⋅ ⋅ ⋅ < −1 ≤ , The Scientific World Journal is the inverse of M by the Chinese remainder algorithm.

Consider
In sharing process, the secret 1 with 0 ≤ 1 ≤ ( − 1)/2 is selected to be shared among participants. Then, 2 , . . . , are randomly chosen over GF( ). Let a set s = { 1 , 2 , . . . , }. Each share is calculated by where x is a row vector (or row matrix which has a single row of elements) and it can be expressed as x = [ 1 2 ⋅ ⋅ ⋅ ], and x is a transpose of x.
In order to distribute the shares, calculates 0 and as follows: where is th row vector in a Vandermonde matrix M (as shown in (4)) and 1 ≤ ≤ . Then distributes ( 0 , ) to participant .
If participants want to reconstruct the secret , − 1 or more participants will be recruited by . And then, 1 is reconstructed with information ( 0 , ) for each participant and as follows: They have completed verification of security for Tompa-Woll attack [21]. In this paper, we propose a nonlinear secret image sharing based on concepts of their scheme and steganography.

The Proposed Scheme
In this section, we illustrate considerations, sharing, and reconstruction algorithms.

Considerations.
In order to propose a new nonlinear secret image sharing scheme, we discuss some considerations such as handing techniques of secret and shadow images and overflow (or underflow).

Handling of Secret Image.
In previous scheme, they used ( − 1, )-threshold concept. But we adapt a concept of ( , )threshold because of the convenience of proposed scheme. Given ( , )-threshold, we require that the secret image (SI) to be divided into shadow images (SHIs), and SI cannot be reconstructed without or more SHIs. However, secrets ( 1 , 2 , . . . , ) are generated from SI's pixel values. The major difference between proposed and Renvall and Ding's schemes is that random value does not use 2 , . . . , . Also, the range of prime should be at least 60 bits in their scheme, but we let the range be 2 ≤ ≤ 251. Tompa-Woll attack can occur because the range of prime is less than 60 bits. But, our scheme is safe for this attack because it is based on the steganography concept that the secret is hidden in friendly cover image such as Lena, airplane, and baboon.

Overflow and Underflow.
If an arbitrary pixel value in SI is one of 251 to 255, it can occur an overflow or underflow because all arithmetic operations are performed within GF(251). So, we define another variable positive integer (2 ≤ ≤ ) in order to prevent overflow or underflow. A pixel value in SI is converted by -ary form. For example, if a pixel value and are 160 (10) and 7, respectively, converted pixel value is 316 (7) . This converting technique is to provide reinforcement of security robustness. The converted -ary values utilize inputs of nonlinear polynomial arithmetic. And then, its outputs are performed with modulo-operation. Even if an attacker knows sharing and reconstruction algorithm of the proposed scheme, it is difficult to extract the correct SI.

The Generation of Shadow
Image. In Renvall and Ding's scheme, ( 0 , ) is just a shadow. It was distributed to the participant by the dealer . However, the shadow is an image that ( 0 , ) is embedded in the proposed scheme. In order to generate the shadow image, hence, we utilize XOR Boolean algebra operation for 0 and .
Input: A CI with size of × and a SI with size of × .
Output: SHIs with size of × .
Step 1. Convert a th pixel value ( ) in SI into -ary's expression as follows: If ( 2 − 1)⌈log 255⌉ is not a multiple of , the remaining part in the last subset −1 is filled by using well-known padding techniques.
Step 4. Embed the generated th shadow value ( 0 ⊕ ) forth participant into CI with LSB1 and LSB2 techniques by Table  1 in order to generate SHI (1 ≤ ≤ − 1 and 1 ≤ ≤ ). "⊕" indicates XOR Boolean algebra operation. Table 1 shows the embedding method by prime . For example, it corresponds to the range of 2 4 < ≤ 2 5 when is 19. Hence, 0 ⊕ are embedded by LSB1 and LSB2 techniques for 3 pixels.

Reconstruction Procedure.
In this procedure, the reconstruction process is described.
Input: SHI s with size of × .
Output: a reconstructed SI with size of × .

Experimental Results
In this section, we analyze the security and efficiency of proposed scheme.

The Measurement Tools.
In order to estimate the efficiency and security of secret image sharing schemes, there exist two typical measurement tools: the embedding capacity and PSNR. The embedding capacity means the amount of embedded secret data in a cover image, and it can evaluate the efficiency of secret image sharing technique. That is, if the embedding capacity of an arbitrary technique is more increased, we can say that this technique has a good efficiency. It is generally measured in bit-per-pixel (bpp) or bit. PSNR is the abbreviation for "peak signal-to-noise ratio" and it is the ratio between the maximum possible power of a signal and the power of corrupting noise that affects the fidelity of its representation. Nowadays, PSNR is the most popular distortion measurement tool in the field of image and video coding and compression. It is usually measured in decibels (dB), and it is well known that these difference distortion metrics are not very well correlated with the human visible system (HVS). This might be a problem for their application in secret image sharing since sophisticated secret image sharing methods exploit in one way or the other effects of these schemes [22]. The detailed PSNR is represented by The Scientific World Journal 5 where MAX indicates the maximum possible pixel value of the image. It is 255 because greyscale test images were used in this paper. MSE is the abbreviation for "mean squared error" and it is represented by where indicates the size of CI and SHI. and SH are th pixel values in CI and SHI, respectively. Given two greyscale images, if PSNR value is close to infinity (=∞), the distortion between two images is zero; that is, two images are the same. On the other hand, if PSNR value is close to zero, the distortion is higher; that is, two images are different. Generally, PSNR value is more than 35 dB, the difference between two images cannot be distinguished in HVS.

Analysis.
In the experiments, we have performed the experiment for (3, 4)-threshold and used eight greyscale test images as shown in Figure 1. The sizes of CI and SHI were 512 × 512 and 512 × 512, respectively. And the size of SI was 256 × 256 or 512 × 512, depending on the experiments. The secret data was generated by Rand function in C++ Library. And then, generated secret bitstream was composed by each eight-bit. In order to implement the proposed scheme, the OpenCV Library and C++ programming language (environment: MS Visual Studio 2010) were used.
In the proposed scheme, PSNR result depends on the embedding method by prime 's interval as shown in Table 1. Our embedding method is that LSB1 and LSB2 were utilized. Hence, the minimum of PSNR without prime is more than 44 dB because PSNR value of LSB2 embedding method is close to 44 dB in general. Depending on the change of prime , PSNR result of the proposed scheme is shown in Table 2. If a prime is 17, 19, or 29, PSNR values were higher than other values. This result was due to the embedding method in sharing phase. For example, maximum embedding capacity is 5-bit when the range of is corresponding to 2 4 < ≤ 2 5 . And, 5-bit is embedded into 3 pixels in CI by LSB1 and LSB2 (i.e., LSB1 − LSB2 − LSB2). On the other hand, if is 11, the number of maximum embedding bits is four and it is embedded into 2 pixels in CI by LSB2. So, PSNR result was less than that of 16 < ≤ 32. Also, the number of maximum embedding bits is seven when is 113. But PSNR values were less than that of range of 16 < ≤ 32 because LSB2 embedding technique was utilized once more (i.e., LSB1 − LSB2 − LSB2 − LSB2). In the experimental result of PSNR, the minimum was 44.11 dB. This result shows that we cannot distinguish the distortion between CI and SHIs in HVS.
In the meantime, we utilized a variable in order to prevent the overflow and reinforce the security for secret data. So, the variable and prime should not be correlated relatively and Figure 2 shows that the relation of PSNR between and with prime as 19 and 29. PSNR values were located at 45.10 to 45.60 dB regardless of the increase (or decrease) of . This result shows that there is no correlation between and .
The embedding capacity of the proposed scheme was decided with the embedding method by prime 's interval   as shown in Table 1. So, we have calculated the theoretical embedding capacity and it is shown in Table 3. MEBs, EC, , and indicate the number of maximum embedding bits, embedding capacity, threshold value, and size of shadow image, respectively. The embedding capacity is more increased when MEB is odd and is close to 251. But, the embedding capacity is fixed at 2 2 ⌈log 2 ⌉ bit when MEB is even. This is because of the proposed embedding method as mentioned above. The best case is the intervals of 2 6 < ≤ 2 7 and 2 7 < ≤ 2 8 in terms of tradeoff between PSNR and the embedding capacity. And average of all embedding capacity values is 1.74 2 ⌈log 2 ⌉ bit.
In order to verify an excellence of the proposed scheme, we have performed a comparison between our and the previous schemes and the result of it is shown in Table 4. All results were average values and a unit of EC is bit-per-pixel (bpp). In EC results, the proposed and Lin and Chan's [18] schemes were related to a threshold value . On the other hand, other schemes (Lin and Tsai [16], Wang and Shyu [23], and Chang et al. [24]) were fixed. This is because the amount of secret data that is inserted into polynomial is different. In typical schemes, the secret data is only embedded into the constant terms in the polynomial. But, the secret data is embedded into all coefficients except the highest order terms in Lin and Chan's scheme. If a threshold is increased (this fact shows that the number of participants is also increased), each EC is also increased more for our and Lin and Chan's schemes. But, EC and PSNR results in Lin and Chan's scheme have a inversely proportional relationship. In PSNR results, the proposed scheme was higher than others. We obtained that the efficiency and security of proposed scheme was superior to the previous schemes.

Conclusions
In this paper, we have proposed a ( , )-threshold nonlinear secret image sharing scheme for the first time. Renvall and Ding's scheme was based on quadratic combination and Vandermonde matrix arithmetic operations. In the proposed scheme, it was extended to secret image sharing scheme with steganography concept. All arithmetic operations in the proposed scheme was limited within GF(251) because the  target of secret was a pixel value in SI. In order to prevent the overflow in SHI and reinforce the security, a new variable was used in sharing procedure. In sharing procedure, the embedding technique depended on LSB1, LSB2, and prime . XOR Boolean algebra operation for embedding data was performed in order to increase PSNR and the embedding capacity. As the results, the average values of PSNR and the embedding capacity are 44.78 (dB) and 1.74 ⌈log 2 ⌉ (bpp), respectively. Also, the best case of the proposed scheme is the intervals of 2 6 < ≤ 2 7 and 2 7 < ≤ 2 8 in terms of tradeoff between PSNR and the embedding capacity.
The future works are as follows: the studies of nonlinear secret image sharing scheme over GF (2 ), the various experiments for PSNR and the embedding capacity, and the improved embedding technique.