A Verifiable Steganography-Based Secret Image Sharing Scheme in 5G Networks

With the development and innovation of new techniques for 5G, 5G networks can provide extremely large capacity, robust integrity, high bandwidth, and low latency for multimedia image sharing and storage. However, it will surely exacerbate the privacy problems intrinsic to image transformation. Due to the high security and reliability requirements for storing and sharing sensitive images in the 5G network environment, verifiable steganography-based secret image sharing (SIS) is attracting increasing attention. -e verifiable capability is necessary to ensure the correct image reconstruction. From the literature, efficient cheating verification, lossless reconstruction, low reconstruct complexity, and high-quality stego images without pixel expansion are summarized as the primary goals of proposing an effective steganography-based SIS scheme. Compared with the traditional underlying techniques for SIS, cellular automata (CA) and matrix projection have more strengths as well as some weaknesses. In this paper, we perform a complimentary of these two techniques to propose a verifiable secret image sharing scheme, where CA is used to enhance the security of the secret image, and matrix projection is used to generate shadows with a smaller size. From the steganography perspective, instead of the traditional least significant bits replacement method, matrix encoding is used in this paper to improve the embedding efficiency and stego image quality.-erefore, we can simultaneously achieve the above goals and achieve proactive and dynamic features based on matrix projection. Such features can make the proposed SIS scheme more applicable to flexible 5G networks. Finally, the security analysis illustrates that our scheme can effectively resist the collusion attack and detect the shadow tampering over the persistent adversary. -e analyses for performance and comparative demonstrate that our scheme is a better performer among the recent schemes with the perspective of functionality, visual quality, embedding ratio, and computational efficiency. -erefore, our scheme further strengthens security for the images in 5G networks.


Introduction
Nowadays, a huge amount of data is available in multimedia forms, such as images and videos. With the growing popularity of multimedia data, multimedia sharing has become one of the most popular Internet services. Meanwhile, the emergence of fifth-generation networks (5G) brings many advantages to supply power to such multimedia sharing services. Compared to the actual 4G technologies, 5G will be more flexible and will provide significantly higher bandwidth, as well as robust integrity, more capacity, and very low latency [1]. Such features are fundamental for facilitating information flow and timeliness of data, thus improving sharing services quality. 5G will undoubtedly drive people and organizations to interact with others more actively and exchange more information in a greater open network environment [2]. However, it may exacerbate the privacy problems intrinsic to multimedia transfer in networks as a result. As image sharing is one of the basic multimedia sharing services, this paper aims to achieve secure image share and storage in 5G networks.
Based on the 5G technique advantages, it is foreseen that 5G will have great potential to handle challenges in various fields, such as smart cities [3], healthcare [4], and industrial control [5], and traffic congestion [6]. In such scenarios, medical images, design drawings, military images, and financial reports [7] always contain massive sensitive information. Hence, the sharing and storing of these images can be more vulnerable towards several kinds of attacks, such as eavesdropping and tampering. Secret image sharing (SIS) [8,9] developing from the traditional secret sharing is a promising way to ensure the privacy and integrity of the secret image for distributed storing and sharing in the network. However, ordinary SIS will generate n shadows in the form of noise-like images [10,11] which might arise suspicious of the invaders [12] during the shadow dissemination.
erefore, steganography-based SIS will further improve the security of SIS systems in a more open 5G network.
A general (k, n)-threshold steganography-based SIS scheme enables a dealer to distribute its secret image among a set of untrusted participants via the public channel. Firstly, the dealer generates n noise-like shadows for the secret image. en, n shadows are embedded into the preselected meaningful images (called cover images) so as to generate n meaningful stego images. Finally, each of the participants is allocated a stego image. When someone requests the secret's reconstruction, they need to extract enough shadows from the stego images. Only the combination of at least k shadows can perform the lossless reconstruction, and less than k shadows give no clues about the secret image in contrast. erefore, steganographybased SIS can protect the secret image with higher security because the eavesdroppers cannot detect secret information from meaningful images. However, most of the existed steganography-based SIS schemes have a problem with the pixel expansion, for example, the stego images generated in the schemes of [13][14][15] are expanded four times the original secret image to realize high-quality steganography. Here, the challenge of proposing steganography-based SIS schemes is to create high-quality stego images so that the modifications are not visually perceptible.
Moreover, the verification ability is necessary to check the validity of the stego images for the secret image reconstruction. If a fake stego image is submitted, the reconstructed image will not be exactly the same as originally outsourced. Cheating detection is one of the methods to locate a set of potential invalid shadows. It is easy to design SIS with verification ability by using hash codes [16][17][18]. However, most steganography-based SIS with cheating detection ability needs to embed these extra authentication bits into the cover image, which unfortunately leads to high recovery (authentication) complexity and pixel expansion. erefore, an efficiency verification mechanism is needed to be designed.
Additionally, in 5G network scenarios, a natural extension of such schemes is to consider the attached proactive feature and dynamic feature. e proactive feature is essential in some circumstances that the secret needs to be kept for a very long time, such as medical image records [19]. It can resist persistent adversaries by updating the shadows periodically. e secret cannot be discovered even from enough shadows, which are mixed with past and present shadows. Especially in 5G network environments, the persistent adversary will be more general who can stay in the network all the time. Moreover, the dynamic feature is also practical which supports efficient secret updating without shadow distribution again. Such a feature is necessary for an SIS scheme to adapt the data flow rate in 5G networks. However, these features are attracted very little attention to SIS. erefore, in this paper, we are willing to propose a verifiable steganography-based secret image sharing scheme for 5G networks that achieves the following goals: (1) highquality stego images without pixel expansion; (2) an efficient cheating verification ability to handle the dishonest participant; (3) lossless reconstruction and low reconstruct complexity; and (4) proactive feature and dynamic feature. To meet the design goals described above, we combine Two-Dimensional Reversible Linear Cellular Automata with Memory (2D-RLCAM) and matrix projection together to design the scheme. 2D-RLCAM is a kind of cellular automata additionally with memory and reversible abilities.
Our contributions are as follows: (i) Security enhanced: during the secret distribution procedure, CA is used to preprocess the secret image. en, the matrix projection-based secret sharing scheme, as introduced in the typical work of Bai and Zou [11], is employed with some changes to generate small shadows. Increased by CA's security, the secret image security is significantly improved to solve the matrix projection's weaknesses.
(ii) Needless of the consecutive shadows for reconstruction: the consecutive requirement for reversing in CA is embedded into the secret image's submatrices, but not directly for the secret image. Hence, the consecutive shadows in this paper are needless for secret reconstruction to overcome CA's weaknesses. (iii) High-quality stego images without pixel expansion: matrix encoding is using in this paper for steganography. Our scheme obtains enhancement in both the security of secret image and the visual quality of the stego image, benefiting from smaller shadows and the comparatively slight modification to the cover image. (iv) Feature optimization for 5G scenarios: for the verifiable feature, a separate verification matrix is used for cheating detection. It can achieve a relatively low verification complexity based on XOR operations. For proactive and dynamic features, they can be realized with only a few times of matrix operations. (v) Lossless reconstruction and low reconstruct complexity: the experiments over the test images demonstrate the effectiveness and efficiency of the proposed scheme via several indices. e rest of this paper is organized as follows: the related work is given in Section 2. e preliminaries of 2D-RLCAM, the typical work of Bai and Zou [11], and matrix encoding are introduced in Section 3. e procedures of the proposed SIS scheme are discussed in detail in Section 4. e security analyses for persistent adversaries are studied in Section 5. e experimental results based on the real images and comparative analysis are given in Section 6. Finally, the paper ends with a conclusion in Section 7.

SIS.
From the literature, Shamir's secret sharing [20] is one of the underlying techniques used to build SIS schemes mostly, but always has the pixel loss problem [21,22]. In order to solve this problem, several new techniques have been used to devise a new (k, n)-threshold SIS scheme, such as cellular automata (CA) [23,24] and matrix projection [25]. Compared with Shamir-based SIS, CA-based SIS [12,15,26,27] has more advantages: (1) the computation complexity of CA-based SIS is only O(n), which is more efficient while Shamir-based SIS needs O(n log n); (2) the consecutive properties in CA provide a stronger security guarantee for the secret image. Nevertheless, most CA-based SIS schemes also exist in some problems: (1) only consecutive shadows can reveal the secret image [15,26,27] which limited the availability and (2) the pixel expansion problem still exists. e scheme of Eslami et al. [15] is the first CAbased SIS, which improved tamper detection. However, in this scheme, the shadow's size is the same as the original secret image. If the steganography of these shadows is performed, the pixel expansion problem will be unavoidable. e scheme of Zarepour-Ahmadabadi et al. [12] is a multistage multisecret image sharing scheme based on CA and Shamir-based sharing algorithm that each secret image has its own access structure. In this scheme, the secrets can be reconstructed based on their own prespecified order, which can apply to more general and flexible scenarios. However, this scheme executed the Shamir-based sharing algorithm multiple times during the secret distribution and reconstruction, which still made a higher computation complexity.
Matrix projection-based SIS [11,16,28] can significantly reduce the size of the shadows. In the basic matrix projection-based (k, n) secret sharing scheme [10], for a m × m secret matrix, the generated shadows are vectors with the size of only m × 1. Based on it, Bai and Zou [11] construct a proactive secret sharing scheme. e generated shadows in their scheme are (m + k) × 1 vectors. e size of the shadows is still small. erefore, matrix projection-based SIS can effectively reduce the modifications over the cover images and even create high-quality stego images by avoiding the pixel expansion problem. However, the existing matrix projection-based SIS schemes only generate noise-like image shadows but do not consider combining steganography. Additionally, there are two problems with the existed matrix projection-based SIS schemes: (1) matrix projection-based (k, n) secret sharing scheme is only a strong ramp secret sharing but not perfect secret sharing [25], which may expose information about the secret proportional to the number of the obtained shadows till enough, and (2) without the verification ability [11,28]. Although the scheme of Azzahra and Sugeng [16] realized cheating detection with the help of an additional authentication image, the dealer must be involved in the reconstruction process. erefore, the security and functionality of matrix projection-based SIS need to be improved.
In this paper, we combine Two-Dimensional Reversible Linear Cellular Automata with Memory (2D-RLCAM) and matrix projection together to avoid the weaknesses of these techniques but keeping the advantages.

Steganography-Based SIS.
e least significant bits (LSB) method is one of the most common solutions for steganography. is method directly replaces the least significant bits of some pixels in the cover image with the shadow, such as in Yang et al.'s Shamir-based scheme [13], Chang et al.'s Chinese remainder-based scheme [14], and Eslami et al.'s linear cellular automata-(LCA-) based scheme [15]. ese schemes enable the shadow embedding and concealed shadow extraction in a highly efficient way, without any cryptographic computation. However, the above schemes have a problem with the pixel expansion. One of the key reasons is that the generated shadows' size is relatively big. Another reason is that the requirement of the steganography space is relatively big for performing LSB so that the stego image generated in the above schemes is expanded four times the original secret image to realize high-quality steganography.
Matrix encoding (ME) method is another steganography method mainly based on some XOR operations, rather than direct replacement as in LSB. Hence, the information of the shadow does not directly appear in the pixels of the cover image, which increases the security of the concealed information. Moreover, to hide a 3-bit length secret, at most only 1 bit of a pixel is needed to be changed via the ME method, but usually 3 bits are needed in the LSB method. Hence, ME can realize the comparatively slight modification to the cover image. Compared with LSB, ME needs more computational cost because of some simple XOR operations, but it can obtain enhancement in both the security of secret data and the visual quality of stego images. erefore, we use ME in our paper to hide the shadow into a cover image.
Moreover, Yan et al. [29] introduced the requirement of lossless reconstruction of the cover images in an SIS scheme. e reversible cover images are needed in several scenarios, such as law enforcement, experimental investigations, and remote sensing [30]. However, the traditional SIS approaches have some limitations for the cover image reconstruction, such as the restrictions of the cover image formats and kinds, or loss reconstruction of the cover image. In the scheme of Yan et al. [29], the lossless reconstruction is realized, but the format of cover images is restricted to the binary image. In this paper, we generate a submatrix for the grayscale cover image to recover it losslessly.

Verifiable SIS.
It is easy to design SIS with verification ability by using hash codes [16][17][18] or information hiding [15,26,31]. Chang et al. [14] used the Chinese remainder theorem (CRT) to generate four authentication bits by using the hash function in order to obtain better authentication ability. Recently, Liu et al. [17] divided each stego image into nonoverlapping blocks with size 1 × 3 firstly and then Security and Communication Networks generated two authentication bits for each stego block. is scheme also achieved good visual quality and authentication ability. However, most of the above schemes need to embed these extra authentication bits into the cover image, which unfortunately leads to high recovery (authentication) complexity and pixel expansion. Besides the above solutions, the double verification mechanism [15], the random grid [32], and the extra authentication image [16] were also used to provide a powerful verification of the fake stego images. In the scheme of Azzahra and Sugeng [16], the dealer kept an extra authentication image privately. After the secret reconstruction, the dealer performed the cheating detection by checking if the authentication image is recovered correctly. However, this scheme suffers from drawbacks in that even enough shadows cannot reconstruct the secret image because the dealer must be involved in the reconstruction process. To some degree, the participation of the dealer makes this scheme diverge from the original intention of the secret sharing.
In this paper, we embed a verification matrix into the public known information by XOR operations. It can avoid the problems of high recovery complexity and pixel expansion. Moreover, the valid requester can perform an efficient cheating detection via some simple XOR operations but without the additional help from the dealer.

Reversible Linear Cellular Automata with Memory.
Cellular automaton (CA) is a deterministic and discrete system. is paper deals with two-dimensional CA (2D-CA) with the cell space of S b � 0, 1, . . . , 7 { }(b � 8) and with transfer function F depending on Moore neighborhood N. 2D Reversible Linear Cellular Automata with Memory (2D-RLCAM) is a kind of CA additionally with memory and reversible abilities.
For a r × s 2D-CA, if a (t) i,j ∈ S b is taken to denote the state of one cell at the position (i, j) at a certain time t, the state of N of it can be represented as follows: is called the initial configuration. When dealing with the iteration of CA, the periodic boundary condition In 2D-RLCAM of capacity k (2D-k-RLCAM), the state of the configuration C (t+1) evolves as follows: More concretely, the state of each cell a (t+1) i,j ∈ C (t+1) can be computed as (3). Note that k denotes the capability of memory here but not the threshold value of SIS. In this paper, 2D-3-RLCAM is used.
In equation (3), are the Moore neighborhood of the cell a i,j in the time t, t − 1, . . . , t − k + 1, respectively. Besides, w 1 , . . . , w k is the rule number of the transfer function F and f w is computed by (4). erefore, the value of w can be repre- is satisfied, w k should be equal to 16.
A simple example for w � 69 of (4): we can obtain (69) 10 � (001000101) 2 . erefore, only the values of λ − 1,1 , λ 1,− 1 , λ 1,1 are equal to 1 and the others are equal to 0. Hence, we can compute f w (N (t) i,j ) as follows: Let C (t) denote a reversion state of time t and a (t) i,j denote the state of one cell in it. N (t) i,j denotes the neighborhood of it. During the reversion of 2D-k-RLCAM after n iterations, the final configuration C (k+n− 1) is taken as the initial reversion state C (0) . erefore, the configuration C (k+n− 1− t) is taken as A simple example for 2D-3-RLCAM: assume n � 5 and assume the set of C (0) , C (1) , C (2) is the initial configuration. erefore, C (3) is the state after the first iteration, and C (7) is the final state after 5 iterations after computing (7). During the reversible process, C (7) , C (6) , C (5) will be taken as the initial reversion state C (0) , C (1) , C (2) , and C (4) will be recovered by C (3) � C (4) as in (8):

Bai and Zou's Proactive Secret Sharing Scheme. Bai and
Zou's (k, n)-threshold PSS scheme [11] can periodically renew n shadows without modifying the secret. e secrets cannot be discovered from enough shares, which are mixed with past and present shares. e scheme is based on the matrix projection method, and the proactive feature is achieved through Pythagorean triples.
Now suppose the dealer wants to share a secret m × m matrix S 0 . en, Bai and Zou's [11] proactive scheme based on matrix projection method can be constructed in the following three phases. An, Bn, and Cn denote the n-th step in each phase A, B, C.
Construction of shadows for a secret matrix S 0 (with the size of m × m ) at the time period t � 0, where m > 2k − 3: (iii) A3: compute the remainder matrix R � (P A − S) mod p, where P A is the L T × L T projection matrix of A. e remainder matrix R is also with the size of L T × L T . (iv) A4: distribute shadow vectors θ i(i�1,2,..n) to participants and make the remainder matrix R publicly known.
Update shadows at the beginning of t + 1(t ≥ 0): (i) B1: generate an k × k orthonormal matrix LM by (9) as the update matrix, and distribute it via a secure channel to each participant. (ii) B2: each participant updates its shadow θ (t) i to θ (t+1) i by (10) and erases the variables θ (t) i and LM: [θ (t) i ] 1: m denotes the top part of θ (t) i which contains the first m elements and [θ (t) i ] m+1: m+k is the lower part which contains the remaining k elements.
Reconstruction of the secret matrix S 0 : When the current time period t > 0, there exists P A ≠ P B because the shadows are updated. However, equation (11) is still holding based on the matrix projection and the orthonormal update matrix LM. e detailed explanation can be seen in [11].
e proposed SIS scheme in this paper is constructed based on Bai and Zou's [11] scheme. e detailed analysis of the correctness and security of sharing and updating can be seen in [11].

Matrix Encoding.
Matrix encoding (ME) is a technology for steganography. Generally, for a secret S, a ME process can be defined as a 3-tuple C max , n, k . It denotes that no more than C max bits can be changed among n � 2 k − 1 modifiable bits when hiding a k-bit length secret S.
(1, 7, 3)-ME is used in this paper. It means that the secret value is should be satisfied S ∈ [0, 7]. For example, assume Security and Communication Networks we want to hide S � (6) 10 � (100) 2 into a pixel with the value of (105) 10 � (1101001) 2 � a 1 , a 2 , a 3 , a 4 , a 5 , a 6 , a 7 during a (1, 7, 3)-ME process. Compute f � 0 and p � 6 first. en, change a 6 ′ � 1 − a 6 � 1 and obtain the pixel value � a 1 ′ , a 2 ′ , a 3 ′ , a 4 ′ , a 5 ′ , a 6 ′ , a 7 ′ � (1101011) 2 � (107) 10 that embeds with the secret information. Finally, we can recover the secret S ′ � 6 � S. erefore, the secret S is hidden in a pixel, but not appears directly in this pixel. It shows stronger security than the standard least significant bit (LSB) method. Moreover, it at most changes 1 bit to hide a 3-bit length secret in a (1, 7, 3)-ME process. However, at most 7 bits need to be changed in a standard least significant bit (LSB) method. erefore, the ME method can achieve a slighter modification than the LSB method for the same case.
Moreover, in order to achieve a better image steganography, the changed bit a p should be controlled among the least significant bits of a pixel. erefore, the steganography cell is assigned into three pixels X, Y, Z by X � x 1 , x 2 , .., x 6 , a 1 , a 2 , Y � y 1 , y 2 , .., y 6 , a 3 , a 4 , and Z � z 1 , z 2 , .., z 5 , a 5 , a 6 , a 7 }, and take X, Y, Z { } ⟶ S to denote the embedding process in this paper.

Proposed Scheme
e proposed (k, n)-threshold verifiable SIS scheme is constructed based on 2D-3-RLCAM and matrix projection, and the steganography is realized based on (1, 7, 3)-ME. e system model consists of three entities: a dealer D, a set of participants P Set � P 1 , P 2 , . . . , P n , and a set of requesters Q 1 , Q 2 , . . . (request for reconstructing the secret image). Moreover, there is a concept of "time period t" for that the entire lifetime of the secret is divided into many short time periods determined by the system-wide clock. e proposed scheme contains four procedures: the secret distribution procedure, the shadow update procedure, the secret reconstruction procedure, and the secret update procedure. e overall procedure of the secret distribution and the secret reconstruction is listed in Figure 1. e serial numbers (n) in Figure 1 are corresponding to the serial numbers (n) in each section.

Secret Distribution Procedure.
e dealer D owns an original secret image SI for distributed storage, which is an m × m grayscale image. D also owns a set of grayscale meaningful cover images CI Set � CI 1 , CI 2 , . . . , CI n .
D generates shadow vectors θ Set � θ 1 , θ 2 , . . . , θ n and embeds them into preselected CI Set so as to generate a set of stego images GI Set � GI 1 , GI 2 , . . . , GI n . en, D allocates each participant P i with a unique stego image GI i in the public channel and makes the public information publicly known.

Generation of Shadows via Matrix Projection.
Firstly, Bai and Zou's scheme [11] is adopted to generate n shadow vectors via matrix projection as described in Section 3.2 (the step of A2). Construct L T × k matrix A and n linearly independent vectors x 1 , x 2 , . . . , x n , and then compute the shadow vectors θ Set � θ 1 , θ 2 , . . . , θ n . e size of each shadow vector θ i is L T × 1, where L T � m + k.

Generation of Stego Images via Matrix Encoding and
Distribution. In this step, we generate the stego image GI i by hiding the shadow vector θ i into the cover image CI i . Let m c × n c denote the size of the cover image CI i . We restrict 3L T ≤ m c n c because the cover image is needed to be large enough to hide the L T -length shadow vector θ i via (1, 7, 3)-ME in this paper.
First of all, construct a chaotic mapping [33] based on CI i to select the steganography cells uniformly. e primary value of the chaotic mapping can be calculated as X 0 � 5 i�1 p i /2 (8 * i) where p 1 , p 2 , p 3 , p 4 , and p 5 are the first five pixels of CI i and X 0 ∈ [0, 1]. en, compute a l 1 -length chaotic sequence X � X 1 , X 2 , . . . , X l 1 based on chaotic mapping function and X 0 , where l 1 � m c n c − 5. A pseudorandom sequence X ′ is the ascending order of X. Every three elements in X ′ is the positions of a steganography cell and a (1,7,3)-ME for θ i can be performed as in Section 3.3. Finally, after embedding the shadow vector θ i into the cover image CI i , the stego image GI i is generated.
A simple case of embedding the vector θ 1 � [v 1 , v 2 ] into a 4 × 4 cover image CI is shown in Figure 2 (assume the chaotic mapping function is X i+1 � α * X i * (1 − X i ) and the parameter α � 4 here, and assume X 1 � 0.63 directly). e five pixels in the grey blocks are used to compute the primary value X 0 for the chaotic mapping. e generated pseudorandom sequence X ′ is the position for the steganography cells. To skip the first five pixels, the pixel no. should be computed as X ′ + 5. Finally, the embedding is performed as p 14 , p 8 , p 15 ⟶ v 1 and p 12 , p 6 , p 10 ⟶ v 2 .
After generating the stego image sets GI Set for the shadow vectors θ Set, distribute each stego image to each participant via a public communication channel.
From the description above, we can observe the following facts of the stego images: (i) Slight and decentralized modification: the steganography cells are chosen uniformly and decentralized over the cover image based on the sensitive chaotic mapping. On this basis, only a trifle statistical difference of cover images will be made via the comparatively slight and decentralized modification of the pixels by using the ME steganography method. (ii) e constraint for the cover image: the shadow size is only m + k, so we can assume the cover image is smaller than the secret image (m c , n c ≤ m) because there is no pixel expansion in our scheme. erefore, the larger cover image is not necessary for this paper. (iii) Extract the shadow independently: the positions of the steganography pixels can be directly obtained from the stego image (by using the grey blocks in Figure 2). Consequently, the requesters can perform the reconstruction, and the participants can perform the shadow update by themselves.
Moreover, make w 1 , w 2 , w 3 and u to be privately known by each requester, which can be seemed like the internal secret key of the system.

Generation of the Separate Verification Part.
For each cover image CI i , the independent m × m verification matrix VM is generated as in (13). CIM i � CI mod 8 is the submatrix for CI i . Here, we call the matrices C (u) , C (u+1) , C (u+2) , CIM i , VM are the secret matrices.

Generation of the Public Information. As in Bai and
Zou's scheme [11], a publicly known remainder matrix is needed to help with the following secret reconstruction. Notice that we have to additionally verify the secret image and the cover images, so we need to generate a remainder matrix for each cover image. To simplify the notation, take R denotes the remainder matrix for an arbitrary cover image. e same number of the remainder matrices is needed to be generated as the cover images actually.
First of all, convert the secret matrices into the L T × L T filling matrices C (u) , C (u+1) , C (u+2) , CIM i , VM by filling with (1) (1) (2) (2)  Security and Communication Networks random values as (14). In (14), C (u) � [C (u) ] UL: m×m represents that m × m matrix C (u) can be extracted from the upper left corner of the matrix C (u) : en, compute a projection matrix P A of matrix A (A is already generated in Step 1), where P A is a L T × L T matrix. Calculate intermediate matrices R 0 , R 1 , R 2 , R 3 , R 4 by performing subtraction between P A and C (u) , C (u+1) , C, CIM i , VM as in the following equation: Finally, the remainder matrix R is computed via R � 4 i�0 R i * 8 4− i , and make the remainder matrices for all cover images publicly known.

Shadow Update
denote the shadow vectors during time period t. e update process to generate θ (t+1) n is similar to Bai and Zou's scheme [11] in Section 3.2.
At the beginning of time period t + 1, the dealer D generates a k × k orthonormal matrix LM and distributes it via a secure channel to each participant. After receiving LM, each participant P i extracts the shadow vectors θ (t) i from its stego image and derives its new shadow vector θ (t+1) i by (10). en, P i embeds θ (t+1) i into its stego image again and erases all the variables except its current stego image. Because steganography is based on the computationally efficient XOR operation, the shadow updating is efficient even over the stego images.
Note that the correctness of the fact that the update shadow vectors generated during the same time period can reconstruct the secret matrix is illustrated clearly in Bai and Zou's scheme [11]. Moreover, a mixture of the shadows with different time periods cannot recover the secret, while equation (11) in Section 3.2 cannot be obtained. e explanation of this is also described in detail in Bai and Zou's scheme [11].

Secret Reconstruction Procedure.
A requester Q i can reconstruct SI as long as obtaining enough valid stego images GI (t) 1 , GI (t) 2 , . . . , GI (t) k ∈ GI Set during a single time period as follows.

Extraction of the Shadow Vectors via Matrix Encoding.
e requester computes the steganography cells firstly and then extracts the embedding shadow vectors θ (t) 1 , θ (t) 2 , . . . , θ (t) k } ∈ θ Set (t) from the stego images by themselves as in Section 3.3. We omit the details here due to space limitations.

Reconstruction of the Secret Matrices via Matrix
Projection.
e requester selects a remainder matrix R from the public board which corresponds to one of the obtained stego images GI i . e secret image SI and the corresponding cover image CI i can be simultaneously reconstructed.
Split R back into submatrices R 0 , R 1 , R 2 , R 3 , R 4 and generate a project matrix P B over shadow vectors k }. en, perform the subtraction as steps C1 and C2 in Section 3.2 between P B and R 0 , R 1 , R 2 , R 3 , R 4 . Finally, extract the reconstructed secret matrices R C (u) , R C (u+1) , R C (u+2) , R CIM i , R VM from the obtained matrices as follows:

Verification for Cheating Detection.
e separate cheating detection can be performed by the following equation: If (17) holds, the requester proceeds with the following steps or stops in this step. e effectiveness of the verification mechanism is proved in eorem 3.

4.3.5.
Reconstruction of the Cover Image. As described previously, the last three bits of some pixels in GI i are changed for steganography, and the secret matrix CIM i just maintains them. erefore, the cover image C i ′ can be recovered as C i ′ � [GI i − (GI i mod 8)] + R CIM i . Notice that, in most of the existed traditional steganography-based SIS schemes, there have some limitations in the reconstruction of the cover images: (1) they input the same cover image for embedding all of the shadows [14,34], which results in shares with similar content; (2) they cannot losslessly reconstruct the cover image; and (3) the cover recovery method requires more computation. Such limitations make these schemes inapplicable to some scenarios. For example, losslessly reconstructing the cover image can help to share searching with image recognition since a hash function-based searching method is generally sensitive to cover image content including even a slight distortion [29].

Secret Updating
Procedure. When a new secret image is to be shared, the dealer D only needs to update the L T × L T public remainder matric R for each cover image. Intuitively in the secret distribution part in Figure 1, only steps (1), (5), and (6) are needed but without the requirement for steps (3) and (4). erefore, secret updating is very efficient because communication between the dealer and the participants is not required.

Security Analysis
In the proposed scheme, we consider the dealer and the requesters are fully trusted. Assume parts of the participants can be compromised by a statistical and persistent adversary.
A statistical and persistent adversary: in 5G network scenarios, the network environments are more open and flexible. erefore, we need to consider a stronger potential adversary instead of an ordinary adversary. e ordinary adversary at most can corrupt up tok − 1 shadows during the entire lifetime of the secret. In this paper, we consider the adversary can stay on the networks for several time periods and move among the objects. e adversary attempts to reconstruct or destroy the secret image illegally during several time periods. Within a time period t, the adversary at most can corrupt up to k − 1 participants among n participants (restrict that n ≤ 2k − 1). If a participant is corrupted, the adversary can learn or tamper with its shadow vector during this time period. At the beginning of the next time period, all participants will be "rebooted" to the safe state, and their shadows are erased and alternated by the new ones. Because the adversary can corrupt up to k − 1 participants during each time period, it has more power than the ordinary adversary so that it can corrupt some participants multiple times throughout the entire lifetime of the secret image.

Collusion Attack
Theorem 1 (collusion attack). During a time period, the adversary compromises k − 1 participants to obtain an unqualified group θ 1 , θ 2 , . . . , θ k− 1 of shadow vectors, but the adversary still cannot explicitly learn about the secret image. Proof 1. As proved in Bai and Zou's scheme [11], the secret sharing using matrix projection is a strong ramp secret sharing (RSS) with k access levels, but not a perfect secret sharing (PSS) such as Shamir's scheme. Strong RSS also does not reveal any part of the secret explicitly from any k − 1 shadows. However, the secret's exposed information is proportional to the size of the unqualified group of the shadows.
As an improvement, the matrix projection is performed over the secret matrices of SI after the iterations of RLCAM. e secret matrices can seem like the encryption of SI with the RLCAM. Hence, the privacy-protecting for recovering SI is further protected under the irreversible property of RLCAM when without rule number, and the consecutive requirement of the configurations (secret matrices in this paper) with the correct order. erefore, the exposed information cause by the matrix projection is only relative to secret matrices. Based on the security of RLCAM, the configuration after iterations leaks nothing about the SI. Consequently, the adversary cannot get any information about the original secret image from any arbitrarily k − 1 shadows, much less the recovery.
Theorem 2 (persistent collusion attack). During an adjacent time periods, the adversary compromises k − 1 participants during each time period, but the adversary still cannot explicitly learn about the secret image. Proof 2. Assume P 1 ′ denotes the set of k 1 participants compromised only in period t − 1, P 2 ′ denotes the set of k 2 participants compromised in both of the period t − 1 and t, and P 3 ′ denotes the set of k 3 participants compromised only in period t, where k 1 + k 2 � k 2 + k 3 � k − 1.
Additionally, the unqualified group of shadow vectors obtained during t − 1 from P 1 ′ and P 2 ′ is denoted as e unqualified group of shadow vectors obtained during t from the set P 2 ′ and P 3 ′ is denoted as Based on Θ (t− 1) 2 and Θ (t) 2 , we can construct an equation for the unknown updating matrix LM as follows: √√√√√√√√√√√√√ √√√√√√√√√√√√√ However, updating matrix LM cannot be determined by (18) because the matrices M 1 and M 2 are not full rank matrices (the rank of M 1 and M 2 is k 2 but not k). Since LM cannot be determined, Θ (t− 1) 1 cannot be turned into Θ (t) 1 and also Θ (t) 3 cannot be turned into Θ (t− 1) shadows θ i for the same time period cannot be inferred and also the matrix B which is necessary for secret reconstruction cannot be determined. Consequently, the persistent adversary cannot obtain enough shadows even for multiple time periods, and the privacy of the secret image can be effectively guaranteed.

Shadow Tampering
Theorem 3. Assume a requester obtains a set of shadow vectors θ 1 , θ 2 , . . . , θ k . If each of the shadow vectors is valid, (17) will be explicitly holding, or holding in a negligibility probability if there exists at least one invalid shadow.
Proof 3. First of all, consider the case that all of the shadow vectors are valid. As proof in [11], there exist [P B ] UL: m×m � [P A ] UL: m×m , and the remainder matrix R is left to be publicly known which cannot be modified by anyone. Hence, the reconstructed secret matrices will be equal to the original secret matrices, obviously. erefore, equation (17) can be explicitly holding.
In contrast, if there exists at least one invalid shadow vector (whether an older one or a tampered one), [P B ] UL: m×m will be a meaningless matrix, which has no relevance with [P A ] UL: m×m . erefore, the reconstructed secret matrices R C (u) , R C (u+1) , R C (u+2) , R CIM i , R VM can also seem like random meaningless matrices. erefore, we should discuss if the probability Prob (VM) of holding (17) is nearly zero, in this case. For each element x 1 , x 2 , x 3 , x 4 , x 5 ∈ [0, 7] in each reconstructed secret matrices, there exists x 1 ⊕x 2 ⊕x 3 ⊕x 4 ? � x 5 as the same form of (17). e probability of holding this equation is 1/8. Hence, Prob (VM) � (1/8) m 2 which is effective for verification. For a 10 × 10 secret image, Prob (VM) � 1/2 300 is small enough to be ignored. erefore, the proposed scheme can effectively detect the tampered shadows.

Experimental Results and
Performance Evaluation 6.1. Implementation. e scheme is implemented in Visual C# 2017 on a computer with an Intel Core i7 1.8 GHz CPU processor and 8 GB RAM that runs a Windows 10 operating system. Different sizes of cover images are considered in this paper, which includes 30 × 30 images chosen from the CIFAR-10 dataset [35], 96 × 96 images chosen from the STL-10 dataset [36], and the 256 × 256 standard images Baboon, Lena, and Pepper. Besides, a 256 × 256 standard image Boat is considered as the secret image. As described above, we do not discuss the case for the larger cover images.

Simulation Experiments.
First of all, the effectiveness of the proposed scheme is shown in Table 1, where Diff denotes the different pixels between the output image and its corresponding original one. e 256 × 256 standard image Boat is taken as the secret image (SI). e 256 × 256 standard images Lena, Pepper, and Baboon are taken as the cover images (CI01, CI02, and CI03). e experimental threshold is set as (2,3). e results of the generated stego images are shown as ste01, ste02, and ste03. It can be seen that there exists no significant difference between the stego image and its corresponding cover image. e indices of PSNR and SSIM of the stego images are good enough (the detailed analyses of PSNR and SSIM are shown in Section 6.3). erefore, the stego images generated in our proposed scheme have a high quality. e reconstruction results are also shown in Table 1 (assume we use the remainder matrix of CI01). Table 1 shows the reconstructed secret image Rec-SI for the secret image SI and the reconstructed cover image Rec-CI01 for the cover image CI01. ese reconstructed images are lossless (where PSNR � ∞ and SSIM � 1).
Moreover, we also test if there is a tampered shadow for reconstruction. As shown in the image Rec-SI (×), the secret image recovery will be totally failed with a tampered shadow.

Visual Quality.
e general criteria to check the visual quality of the stego images are the peak-signal-to-noise ratio (PSNR) and structural similarity (SSIM). Table 2 lists the mean value of PSNR and SSIM produced by the proposed scheme for different sizes of the cover images with threshold k � 2, 3, 7, 15, respectively.
PSNR has explicit physical meanings, which evaluates the similarity between the original image and the output image. e value of PSNR � +∞ for completely identical images. From Table 2, PSNR is larger than 55 dB for 96 × 96 and 256 × 256 cover images, which is almost indistinguishable from the human visual system (HVS).
Additionally, the details of the SSIM algorithm can be found in [37]. SSIM is used to estimate the dependencies between neighboring pixels. SSIM � 0 for extremely dissimilar, and SSIM � 1 for completely identical. From Table 2, SSIM shows 90% structural similarity between the original cover image and stego image of the proposed scheme, which is very close to the upper bound.

Embedding Ratio (ER) and Detection Ratio (DR).
Embedding ratio (ER) shows the amount of information embedded in each cover pixel, which is the ratio of the number of share bits to the number of all pixels of a cover image. For resistance against steganography, ER should be less than 0.25 bpp. For 30 × 30 cover images, we can obtain ER � 0.2867 (k � 2) and ER � 0.2922 (k � 7). For 96 × 96 cover images, ER � 0.0280 (k � 2) and ER � 0.0285 (k � 7). erefore, ER of the proposed scheme is effective enough.
Detection ratio (DR) shows the detecting ability of invalid shares, which is the ratio of detected tampered pixels to all tampered pixels. As described above, the verification of our proposed scheme is based on a separate m × m matrix, which is fully covering the stego image. erefore, as the scheme of Eslami et al. [15], DR in this paper is approximately 256/256, which is effective enough for cheating detection.

Comparative Analysis.
In order to further illustrate the performance of the proposed scheme, we compared it with typical works ( [10] (2006) and [15] (2010)) and some recent schemes ( [16] (2018), [17] (2017), and [12] (2018)). e works described in [10,15] are the classical schemes designed based on matric projection method and CA, respectively. e comparative analysis is listed in Table 3. e first five indices in Table 3 are the characteristics of these schemes: Here in this part, the threshold k � 3. As shown in Table 3, our scheme achieves a clear advantage in the perspective of almost all indices.
Compared with the MP-based SIS schemes [10,16], we achieve more functions. Meanwhile, we certainly not expand the shadows' size and even accomplish a smaller shadow than such schemes. e scheme of Eslami et al. [15] is the first steganography-based SIS constructed by using 1D-CA.  It can achieve a higher computation complexity than our proposed scheme because we have the extra MP's operations. However, viewed from the indices listed in Table 3, we can achieve a better performance of the shadow size and the stego image quality than it. Moreover, this scheme realizes the secret protection based on CA's security, but only consecutive shadows can reveal the secret image that limits the practicality. As an improvement, our proposed scheme also benefits from the security provided by CA but avoids this weakness.
In the scheme of Liu et al. [17], L H is the length of the Huffman code of the difference image of the secret image, where L H � m 2 for the straightforward binary image. Hence, only when m 2 /3k − (m + k) > 0 holding, its generated shadow will be smaller than ours. e solution of m 2 /3k − (m + k) > 0 is restricted by m ≤ 4k. It means that our scheme will get the stego images with higher quality when m ≤ 4k when both of us using (1, 7, 3)-ME for steganography. e scheme of Zarepour-Ahmadabadi et al. [12] is a multisecret image sharing scheme. Each secret image contains a specific threshold value, and the size of shadows is dynamically relative to it. So that the access structure in [12] is greater than ours. However, it needs to combine the hash values in each shadow, which helps to arrange the shadows according to the desired order to recover the secret image via 2D-CA correctly. ese values need a relatively larger space for embedding.
Moreover, besides the scheme of Eslami et al. [15], all the other schemes may increase the computational complexity due to several times of Lagrange interpolation operations (Lagrange interpolation is the main operation of polynomial-based secret sharing). In our proposed scheme, the computation complexity is mainly based on matrix operations. Specifically, during the secret distribution procedure and the secret reconstruction procedure, we mainly have the matrix subtraction operations, the matrix XOR operations, and computing the projection matrix. Compared with the calculation of the projection matrix, the computation complexity of the matrix subtraction and the matrix XOR can be ignored because they are lightweight. e calculation of the projection matrix is the heaviest computation in our scheme. However, we only need to compute the projection matrix P A only once during the secret distribution procedure and compute the projection matrix P B only once during the secret reconstruction procedure. erefore, our proposed scheme has a lower computation complexity than the other schemes.
In conclusion, compared with the above schemes, our scheme is more suitable for 5G network environments. First of all, our scheme can adapt to the rapid data changes in 5G network environments with efficient secret distribution and secret updating. In contrast, the above schemes need to reprocess the distribution for the secret update. Secondly, for the potential adversary in the large-scale complex network environment, our scheme prevents the eavesdroppers via the higher quality steganography. Our scheme can also protect the secret against the persistent adversary through the efficient shadows update. We consider the stronger adversary than the above schemes.

Conclusion
In this paper, a verifiable secret image sharing scheme is proposed by employing the 2D-RLCAM and the matrix projection, which aims to provide a secure multimedia sharing and storing service in 5G network scenarios. In this paper, 2D-RLCAM and the matrix projection are combined together creatively in handling some existing weaknesses. e combination enhances the security of the secret image and the visual quality of stego image. Furthermore, a matrix encoding-based steganography approach is used to make our scheme more secure when sharing in a public network channel. e security analysis and the performance analysis demonstrate it. erefore, the proposed scheme can simultaneously support verifiable, dynamical, and proactive features, which is superior to most existing SIS schemes. e efficient secret and shadow updating procedures make the proposed scheme more suitable for deployment in the 5G platform. We aim to optimize the size of public information for a more efficiently secret update in the future.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.