Over the past decade, most of secret image sharing schemes have been proposed by using Shamir's technique. It is based on a linear combination polynomial arithmetic. Although Shamir's technique based secret image sharing schemes are efficient and scalable for various environments, there exists a security threat such as Tompa-Woll attack. Renvall and Ding proposed a new secret sharing technique based on nonlinear combination polynomial arithmetic in order to solve this threat. It is hard to apply to the secret image sharing. In this paper, we propose a (t,n)-threshold nonlinear secret image sharing scheme with steganography concept. In order to achieve a suitable and secure secret image sharing scheme, we adapt a modified LSB embedding technique with XOR Boolean algebra operation, define a new variable m, and change a range of prime p in sharing procedure. In order to evaluate
efficiency and security of proposed scheme, we use the embedding capacity and PSNR. As a result of it, average value of PSNR and embedding capacity are 44.78 (dB) and 1.74tlog2m bit-per-pixel (bpp), respectively.
1. Introduction
In a security system, there is a maintenance tool which must be checked every day. In order to check it, someone must have access to this system. Three senior administrators are engaged, but they do not trust the combination to any individual administrator. Hence, we would like to design a system whereby any two of three administrators can gain access to this system, but an individual administrator cannot do so. In order to design this system, we adapt a concept of secret sharing. A secret sharing is technique for distributing a secret amongst a group of honest participants, and each secret piece is allocated for each participant after the secret is divided into several pieces. This secret can be reconstructed only when a sufficient number, of possibly different types of shares are combined together; an individual share is no use on its own [1–3]. Blakley [4] and Shamir [5] have proposed a concept of secret sharing for the first time. It is that the secret is divided into n shares for n participants, and t is used as a threshold value (t≤n). It was called a (t,n)-threshold technique and it means that at least t participants of n participants should be gathered.
With the development of computing and network technologies, in the meantime, multimedia data such as image, audio, and video files have transmitted over the Internet, actively. As a result, multimedia security has emerged as an important issue [6–14]. In 2002, Thien and Lin [15] have proposed a (t,n)-threshold secret image sharing scheme for the first time. The secret image can be shared by several shadow images so the size of each shadow image is only 1/t of that of the secret image for convenient hiding, storage, and transmission in their scheme. Lin and Tsai [16] have proposed a secret image sharing with steganography concept based on the Shamir’s (t,n)-threshold scheme. By using the parity bit check method, they claimed that their scheme can prevent from incidentally bringing an erroneous shadow image or intentionally providing a false image to achieve the authentication goal. They also presented another user-friendly image sharing such that shadow images look like natural images [17]. Recently, Lin and Chan [18] proposed a reversible secret image sharing scheme in 2010. They have achieved a low distortion and high embedding capacity. Additionally, it can reconstruct the secret and cover images, completely.
As mentioned above, most of secret image sharing schemes are based on Shamir’s (t,n)-threshold. It has utilized a linear combination polynomial arithmetic in sharing procedure. A configuration of the linear combination polynomial with (t,n) is as follows:
(1)f(x)=a0+a1x+a2x2+⋯+at-1xt-1.
In sharing procedure for n participants, an arbitrary share ki (1≤i≤n) is computed by above function f(x). Each share ki is distributed to participant i. In order to reconstruct the secret, we need t pairs of (i,ki). In this procedure, an arbitrary participant can submit a false share and only he will be able to obtain the correct secret while leaving the others with the incorrect secret. It is called a Tompa-Woll attack [19, 20]. This attack is caused by the linear property. Renvall and Ding [21] have proposed a new secret sharing scheme based on a nonlinear combination polynomial arithmetic in order to solve this problem. The nonlinear combination arithmetic indicates an inner product for any arbitrary matrix [21]. However, it is hard to apply to the secret image sharing.
In this paper, we propose a nonlinear secret image sharing scheme with steganography concept. Although the proposed scheme is based on Renvall and Ding’s sharing and reconstruction methods [21], we adapt several new techniques in order to achieve a suitable and secure secret image sharing scheme. In sharing procedure, we define a new variable m and change a range of prime p in order to attain the prevention of overflow (or underflow) and reinforce the security. Also, we propose a modified LSB embedding technique with XOR Boolean algebra operation in order to get the high embedding capacity. In order to evaluate efficiency and security of proposed scheme, we use the embedding capacity and PSNR. As the experimental results, we analyze the efficiency and security between proposed and previous techniques.
This paper is organized as follows. Section 2 introduces Shamir’s and Renvall and Ding’s secret sharing scheme. Considerations and algorithm of proposed scheme are discussed in Section 3. Section 4 presents the experimental results. Lastly, Section 5 gives the conclusions.
2. Preliminaries
In this section, Shamir’s (t,n)-threshold secret sharing and Renvall and Ding’s nonlinear secret sharing are introduced.
In 1979, Shamir has proposed a secret sharing scheme for the first time [5]. It is based on (t,n)-threshold which is defined as follows [2].
Definition 1.
Let t,n be positive integers and t≤n. A (t,n)-threshold is a method of sharing a key K among a set of n participants (denoted by P), in such a way that any t participants can compute the value of K, but no group of t-1 participants can do so.
For the example of (2,3)-threshold, the value of K is chosen by a honest participant called the dealer (denoted by D, D∉P, where P is a set of participants). If D wants to share K among the participants in P, D distributes some partial information of K (called a share) for each participant. The shares should be distributed secretly, so no participant knows the share given to another participant. That is, an arbitrary participant does not know the information of K in (2,3)-threshold. In order to reconstruct a K, two or more participants should get together by an arbitrary algorithm.
In Shamir’s scheme, the linear combination polynomial and Lagrange’s interpolation arithmetic operations over prime p were used in order to distribute and reconstruct a K, respectively. It consists of three phases with (t,n)-threshold: initialization, share distribution, and reconstruction.
2.1.1. Initialization Phase
D chooses n distinctly nonzero elements of Zp, denoted by xi, 1≤i≤n (where p≥n+1). For 1≤i≤n, D gives the value xi to Pi. The value xi is public.
2.1.2. Share Distribution Phase
When D wants to share a key K∈Zp, D secretly chooses t-1 elements of Zp which are denoted as a1,…,at-1. And then D computes yi=f(xi), for 1≤i≤n, by
(2)yi=f(xi)=K+∑j=1t-1ajxij(modp),
where a1,a2,…,at-1 are randomly determined from integers within [0,p-1]. Finally, D distributes the share yi to Pi.
2.1.3. Reconstruction Phase
If participants want to reconstruct a K, t or more participants will be recruited by D. K is reconstructed with information (xi,f(xi)) for each participant Pi and Lagrange interpolation formula as shown in (3) for polynomials.
In 1996, Renvall and Ding [21] have proposed a nonlinear secret sharing scheme. A polynomial arithmetic technique is based on quadratic form (called a nonlinear combination) instead of the linear combination. In fact, it is an inner product for an arbitrary matrix, and detailed arithmetic is as follows [21].
Let p be a large prime of the form p≡3 (mod4). In order to generate the secret, it should be within [0,(p-1)/2]. All arithmetic operations are performed over Galois field (GF(p)). For any positive integers t, n (t≤n) and each set of indices 1≤i1<⋯<it≤n, Vandermonde matrix M is generated by
(4)M=((ai1)0(ai1)1⋯(ai1)t-1(ai2)0(ai2)1⋯(ai2)t-1⋮⋮⋱⋮(ait)0(ait)1⋯(ait)t-1),
where all elements in matrix M are distinct nonzero over GF(p) and M must satisfy two requirements as follows.
for any set of indices 1≤i1<⋯<it-1≤n,
(5)1+∑u=1t-1(∑v=1t-2N)2≠0,
where N=[n(i1,i2,…,it-1)u,v] is the inverse of M by the Chinese remainder algorithm.
for any set of indices 1≤i1<⋯<it-2≤n, one of the following conditions is held:
δ≠0 and δ2-4βγ is a quadratic residue,
δ=0, γ≠0, and -β/γ is a quadratic residue,
where β,δ, and γ are expressed by (6), (7), and (8), respectively.
In sharing process, the secret s1 with 0≤s1≤(p-1)/2 is selected to be shared among n participants. Then, s2,…,st are randomly chosen over GF(p). Let a set s={s1,s2,…,st}. Each share is calculated by
(9)f(x)=xxT=(x1)2+(x2)2+⋯+(xt)2overGF(p),
where x is a row vector (or row matrix which has a single row of t elements) and it can be expressed as x=[x1x2⋯xt], and xT is a transpose of x.
In order to distribute the shares, D calculates k0 and kij as follows:
(10)k0=f(s)=(s1)2+⋯+(st)2,ki=f(s+αij)=(s1+(ai1)0)2+⋯+(st+(ai1)t-1)2,
where αij is ijth row vector in a Vandermonde matrix M (as shown in (4)) and 1≤ij≤n. Then D distributes (k0,kij) to participant Pij.
If participants want to reconstruct the secret s, t-1 or more participants will be recruited by D. And then, s1 is reconstructed with information (k0,kij) for each participant Pij and as follows:
(11)k0=f(s),kij-k0=2αijsT+αijαijT.
They have completed verification of security for Tompa-Woll attack [21]. In this paper, we propose a nonlinear secret image sharing based on concepts of their scheme and steganography.
3. The Proposed Scheme
In this section, we illustrate considerations, sharing, and reconstruction algorithms.
3.1. Considerations
In order to propose a new nonlinear secret image sharing scheme, we discuss some considerations such as handing techniques of secret and shadow images and overflow (or underflow).
3.1.1. Handling of Secret Image
In previous scheme, they used (t-1,n)-threshold concept. But we adapt a concept of (t,n)-threshold because of the convenience of proposed scheme. Given (t,n)-threshold, we require that the secret image (SI) to be divided into n shadow images (SHIs), and SI cannot be reconstructed without t or more SHIs. However, secrets (s1,s2,…,st) are generated from SI’s pixel values. The major difference between proposed and Renvall and Ding’s schemes is that random value does not use s2,…,st. Also, the range of prime p should be at least 60 bits in their scheme, but we let the range be 2≤p≤251. Tompa-Woll attack can occur because the range of prime p is less than 60 bits. But, our scheme is safe for this attack because it is based on the steganography concept that the secret is hidden in friendly cover image such as Lena, airplane, and baboon.
3.1.2. Overflow and Underflow
If an arbitrary pixel value in SI is one of 251 to 255, it can occur an overflow or underflow because all arithmetic operations are performed within GF(251). So, we define another variable positive integer m (2≤m≤p) in order to prevent overflow or underflow. A pixel value in SI is converted by m-ary form. For example, if a pixel value and m are 160(10) and 7, respectively, converted pixel value is 316(7). This converting technique is to provide reinforcement of security robustness. The converted m-ary values utilize inputs of nonlinear polynomial arithmetic. And then, its outputs are performed with modulo-p operation. Even if an attacker knows sharing and reconstruction algorithm of the proposed scheme, it is difficult to extract the correct SI.
3.1.3. The Generation of Shadow Image
In Renvall and Ding’s scheme, (k0,kij) is just a shadow. It was distributed to the participant Pij by the dealer D. However, the shadow is an image that (k0,kij) is embedded in the proposed scheme. In order to generate the shadow image, hence, we utilize XOR Boolean algebra operation for k0 and kij.
3.2. Sharing Procedure
Suppose that the cover image (CI), shadow image (SHI), and secret image (SI) consist of M×M, M×M and N×N pixels, and these represent CI={C0,C1,…,CM2-1}, SHI={SH0,SH1,…,SHM2-1}, and SI={S0,S1,…,SN2-1}, respectively. In order to determine the number of participants, the dealer (D) decides to fix the threshold values t and n (t≤n). Also, D securely chooses a prime p and positive integer m (m≤p).
In this procedure, the sharing process is described.
Input: A CI with size of M×M and a SI with size of N×N.
Output: n SHIs with size of M×M.
Step 1.
Convert a ith pixel value (Si) in SI into m-ary’s expression as follows:
(12)Si⟹{si⌈logm255⌉,…,s(i+1)⌈logm255⌉-1},
where 0≤i≤N2-1 and m≤p. For example, if m is 3, si is one of 0, 1, or 2. Let a set S consist of r subsets that compose tm-ary’s values and it is expressed by
(13)S={s0=(s0,…,st-1),s1=(st,…,s2t-1),…,sr-1}.
If (N2-1)⌈logm255⌉ is not a multiple of t, the remaining part in the last subset sr-1 is filled by using well-known padding techniques.
Step 2.
Choose αj=((aj)0,(aj)1,(aj)2,…,(aj)t-1) for all participants by D, where aj∈GF(p) and 1≤j≤n. For any t participants, the matrix M which satisfies two requirements R1 and R2 is constructed as (14) in order to ensure the correctly selected αj. If M does not satisfy two requirements, D should select a new αj. Also, M will be used in the reconstruction procedure.
Consider
(14)M=(α1α2⋮αt).
Step 3.
Calculate a shadow value kjl=f(sl+αj) (where kj0=f(s0), 1≤j≤n and 1≤l≤r-1) with f(x) (as shown in (9)) and S and αj by D.
Step 4.
Embed the generated lth shadow value (kj0⊕kjl) for j-th participant into CI with LSB1 and LSB2 techniques by Table 1 in order to generate SHIj (1≤l≤r-1 and 1≤j≤n). “⊕” indicates XOR Boolean algebra operation. Table 1 shows the embedding method by prime p. For example, it corresponds to the range of 24<p≤25 when p is 19. Hence, kj0⊕kjl are embedded by LSB1 and LSB2 techniques for 3 pixels.
The embedding method by prime p.
Range
Embedding technique
Pixel block
20<p≤21
LSB1
per 1 pixel
21<p≤22
LSB2
per 1 pixel
22<p≤23
LSB1 and LSB2
per 2 pixels
23<p≤24
LSB2
per 2 pixels
24<p≤25
LSB1 and LSB2
per 3 pixels
25<p≤26
LSB2
per 3 pixels
26<p≤27
LSB1 and LSB2
per 4 pixels
27<p≤28
LSB2
per 4 pixels
Step 5.
Distribute the generated SHIj into jth participant by D. And then, D stores kj0 (1≤j≤n) for all sl (0≤l≤r-1).
3.3. Reconstruction Procedure
In this procedure, the reconstruction process is described.
Input: tSHIjs with size of M×M.
Output: a reconstructed SI′ with size of N×N.
Step 1.
Extract a lth shadow value (kj0⊕kjl) from jth participant’s SHIj (1≤l≤r-1 and 1≤j≤k), and kjl by XOR Boolean operation (kj0⊕kjl)⊕kj0.
Step 2.
Calculate a lth converted m-ary’s value sl (0≤l≤r-1) as follows:
(15)kj0=f(s0),kjl=f(sl+αj),kj0=f(s0),kjl-kj0=2αj(sl)T+αjαjT.
Step 3.
Convert the calculated s0,s1,…,s(N2-1)⌈logm255⌉ into pixel values by m, and, reconstruct a SI′ with size of N×N.
4. Experimental Results
In this section, we analyze the security and efficiency of proposed scheme.
4.1. The Measurement Tools
In order to estimate the efficiency and security of secret image sharing schemes, there exist two typical measurement tools: the embedding capacity and PSNR. The embedding capacity means the amount of embedded secret data in a cover image, and it can evaluate the efficiency of secret image sharing technique. That is, if the embedding capacity of an arbitrary technique is more increased, we can say that this technique has a good efficiency. It is generally measured in bit-per-pixel (bpp) or bit.
PSNR is the abbreviation for “peak signal-to-noise ratio” and it is the ratio between the maximum possible power of a signal and the power of corrupting noise that affects the fidelity of its representation. Nowadays, PSNR is the most popular distortion measurement tool in the field of image and video coding and compression. It is usually measured in decibels (dB), and it is well known that these difference distortion metrics are not very well correlated with the human visible system (HVS). This might be a problem for their application in secret image sharing since sophisticated secret image sharing methods exploit in one way or the other effects of these schemes [22]. The detailed PSNR is represented by
(16)PSNR=10×log(MAX2MSE),
where MAX indicates the maximum possible pixel value of the image. It is 255 because greyscale test images were used in this paper. MSE is the abbreviation for “mean squared error” and it is represented by
(17)MSE=1M2∑i=0M2-1(Ci-SHi)2,
where M indicates the size of CI and SHI. Ci and SHi are ith pixel values in CI and SHI, respectively. Given two greyscale images, if PSNR value is close to infinity (=∞), the distortion between two images is zero; that is, two images are the same. On the other hand, if PSNR value is close to zero, the distortion is higher; that is, two images are different. Generally, PSNR value is more than 35 dB, the difference between two images cannot be distinguished in HVS.
4.2. Analysis
In the experiments, we have performed the experiment for (3,4)-threshold and used eight greyscale test images as shown in Figure 1. The sizes of CI and SHI were 512×512 and 512×512, respectively. And the size of SI was 256×256 or 512×512, depending on the experiments. The secret data was generated by Rand function in C++ Library. And then, generated secret bitstream was composed by each eight-bit. In order to implement the proposed scheme, the OpenCV Library and C++ programming language (environment: MS Visual Studio 2010) were used.
Eight greyscale test images.
Lena
Baboon
Airplane
Peppers
Boat
Man
Elaine
Woman
In the proposed scheme, PSNR result depends on the embedding method by prime p’s interval as shown in Table 1. Our embedding method is that LSB1 and LSB2 were utilized. Hence, the minimum of PSNR without prime p is more than 44 dB because PSNR value of LSB2 embedding method is close to 44 dB in general. Depending on the change of prime p, PSNR result of the proposed scheme is shown in Table 2. If a prime p is 17, 19, or 29, PSNR values were higher than other values. This result was due to the embedding method in sharing phase. For example, maximum embedding capacity is 5-bit when the range of p is corresponding to 24<p≤25. And, 5-bit is embedded into 3 pixels in CI by LSB1 and LSB2 (i.e., LSB1-LSB2-LSB2). On the other hand, if p is 11, the number of maximum embedding bits is four and it is embedded into 2 pixels in CI by LSB2. So, PSNR result was less than that of 16<p≤32. Also, the number of maximum embedding bits is seven when p is 113. But PSNR values were less than that of range of 16<p≤32 because LSB2 embedding technique was utilized once more (i.e., LSB1-LSB2-LSB2-LSB2). In the experimental result of PSNR, the minimum was 44.11 dB. This result shows that we cannot distinguish the distortion between CI and SHIs in HVS.
PSNR result of (3,4)-threshold proposed scheme by prime p.
p
SHI1
SHI2
SHI3
SHI4
Average
11
44.08
43.92
43.93
43.96
43.97
17
45.39
45.47
45.60
45.39
45.46
19
45.51
45.48
45.50
45.44
45.48
29
45.49
45.38
45.43
45.35
45.41
37
44.15
44.13
44.13
44.04
44.11
79
45.18
45.17
45.03
45.16
45.13
113
45.08
45.11
45.12
45.10
45.10
167
44.15
44.13
44.20
44.15
44.16
251
44.16
44.13
44.16
44.20
44.16
In the meantime, we utilized a variable m in order to prevent the overflow and reinforce the security for secret data. So, the variable m and prime p should not be correlated relatively and Figure 2 shows that the relation of PSNR between p and m with prime p as 19 and 29. PSNR values were located at 45.10 to 45.60 dB regardless of the increase (or decrease) of m. This result shows that there is no correlation between p and m.
The relation of PSNR between p and m.
The embedding capacity of the proposed scheme was decided with the embedding method by prime p’s interval as shown in Table 1. So, we have calculated the theoretical embedding capacity and it is shown in Table 3. MEBs, EC, t, and M indicate the number of maximum embedding bits, embedding capacity, threshold value, and size of shadow image, respectively. The embedding capacity is more increased when MEB is odd and p is close to 251. But, the embedding capacity is fixed at 2tM2⌈log2m⌉ bit when MEB is even. This is because of the proposed embedding method as mentioned above. The best case is the intervals of 26<p≤27 and 27<p≤28 in terms of tradeoff between PSNR and the embedding capacity. And average of all embedding capacity values is 1.74tM2⌈log2m⌉ bit.
The theoretical embedding capacity of the proposed scheme.
Interval
MEBs
EC (bit)
20<p≤21
1
tM2⌈log2m⌉
21<p≤22
2
2tM2⌈log2m⌉
22<p≤23
3
32tM2⌈log2m⌉
23<p≤24
4
2tM2⌈log2m⌉
24<p≤25
5
53tM2⌈log2m⌉
25<p≤26
6
2tM2⌈log2m⌉
26<p≤27
7
74tM2⌈log2m⌉
27<p≤28
8
2tM2⌈log2m⌉
In order to verify an excellence of the proposed scheme, we have performed a comparison between our and the previous schemes and the result of it is shown in Table 4. All results were average values and a unit of EC is bit-per-pixel (bpp). In EC results, the proposed and Lin and Chan’s [18] schemes were related to a threshold value t. On the other hand, other schemes (Lin and Tsai [16], Wang and Shyu [23], and Chang et al. [24]) were fixed. This is because the amount of secret data that is inserted into polynomial is different. In typical schemes, the secret data is only embedded into the constant terms in the polynomial. But, the secret data is embedded into all coefficients except the highest order terms in Lin and Chan’s scheme. If a threshold t is increased (this fact shows that the number of participants n is also increased), each EC is also increased more for our and Lin and Chan’s schemes. But, EC and PSNR results in Lin and Chan’s scheme have a inversely proportional relationship. In PSNR results, the proposed scheme was higher than others. We obtained that the efficiency and security of proposed scheme was superior to the previous schemes.
The comparison result between the proposed and previous schemes for the embedding capacity and PSNR.
Schemes
EC (bpp)
PSNR (dB)
Lin and Tsai [6]
1/2
39.17
Wang and Shyu [7]
1/4
—
Chang et al. [8]
3/4
40.92
Lin and Chan [22]
(t-1)/3
40.01
Proposed
1.74t⌈log2m⌉
44.78
5. Conclusions
In this paper, we have proposed a (t,n)-threshold nonlinear secret image sharing scheme for the first time. Renvall and Ding’s scheme was based on quadratic combination and Vandermonde matrix arithmetic operations. In the proposed scheme, it was extended to secret image sharing scheme with steganography concept. All arithmetic operations in the proposed scheme was limited within GF(251) because the target of secret was a pixel value in SI. In order to prevent the overflow in SHI and reinforce the security, a new variable m was used in sharing procedure. In sharing procedure, the embedding technique depended on LSB1, LSB2, and prime p. XOR Boolean algebra operation for embedding data was performed in order to increase PSNR and the embedding capacity. As the results, the average values of PSNR and the embedding capacity are 44.78 (dB) and 1.74t⌈log2m⌉ (bpp), respectively. Also, the best case of the proposed scheme is the intervals of 26<p≤27 and 27<p≤28 in terms of tradeoff between PSNR and the embedding capacity.
The future works are as follows: the studies of nonlinear secret image sharing scheme over GF(2n), the various experiments for PSNR and the embedding capacity, and the improved embedding technique.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (NRF-2012R1A1A2008348) and Brain Korea 21 Plus (BK21+) Project in 2014.
StinsonD. R.StallingsW.MenezesA. J.van OorschotP. C.VanstoneS. A.BlakleyG. R.Safeguarding cryptographic keysProceedings of the International Workshop on Managing Requirements Knowledge1979ShamirA.How to share a secretMitsuruI.AkiraS.TakaoN.Secret sharing scheme realizing general access structureSchoenmakersB.A simple publicly verifiable secret sharing scheme and its application to electronic votingPaulF.A practical scheme for non-interactive verifiable secret sharingProceedings of the 28th Annual Symposium on Foundations of Computer Science1987427438BenalohJ.LeichterJ.Generalized secret sharing and monotone functionsBeimelA.ChorB.Secret sharing with public reconstructionNaorM.ShamirA.Visual cryptographyNaorM.ShamirA.Visual cryptography II. Improving the contrast via the cover basevan SchyndelR. G.TirkelA. Z.OsborneC. F.A digital watermark2Proceedings of the IEEE International Conference Image Processing (ICIP '94)November 1994Austin, Tex, USA869010.1109/ICIP.1994.413536BenderW.GruhlD.MorimotoN.LuA.Techniques for data hidingThienC.-C.LinJ.-C.Secret image sharingLinC.TsaiW.Secret image sharing with steganography and authenticationThienC.LinJ.An image sharing method with user-friendly shadow imagesLinP.ChanC.Invertible secret image sharing with steganographyTompaM.WollH.How to share a secret with cheatersChangC.-C.HwangR.-J.Efficient cheater identification method for threshold schemesRenvallA.DingC.A nonlinear secret sharing schemeKatzenbeisserS.PetitcolasF. A. P.WangR.-Z.ShyuS.-J.Scalable secret image sharingChangC.HsiehY.LinC.Sharing secrets in stego images with authentication