An extended visual cryptography algorithm for general access structures.bak

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012 219

An Extended Visual Cryptography Algorithm forGeneral Access Structures

Kai-Hui Lee and Pei-Ling Chiu

Abstract—Conventional visual secret sharing schemes generatenoise-like random pixels on shares to hide secret images. It suf-fers a management problem, because of which dealers cannot visu-ally identify each share. This problem is solved by the extended vi-sual cryptography scheme (EVCS), which adds a meaningful coverimage in each share. However, the previous approaches involvingthe EVCS for general access structures suffer from a pixel expan-sion problem. In addition, the visual cryptography (VC)-based ap-proach needs a sophisticated codebook design for various schemes.In this paper, we propose a general approach to solve the above-mentioned problems; the approach can be used for binary secretimages in noncomputer-aided decryption environments. The pro-posed approach consists of two phases. In the first phase, basedon a given access structure, we construct meaningless shares usingan optimization technique and the construction for conventionalVC schemes. In the second phase, cover images are added in eachshare directly by a stamping algorithm. The experimental resultsindicate that a solution to the pixel expansion problem of the EVCSfor GASs is achieved. Moreover, the display quality of the recov-ered image is very close to that obtained using conventional VCschemes.

Index Terms—Extended visual cryptography (EVC), general ac-cess structures, optimization, pixel expansion, visual secret sharingscheme.

I. INTRODUCTION

V ISUAL cryptography (VC), which was proposed by Naorand Shamir, allows the encryption of secret information

in the image form [1]. By applying the concept of secret sharing,a secret image can be encrypted as different share imagesprinted on transparencies, which are then distributed to par-ticipants. By stacking transparencies (shares) directly, the se-cret images can be revealed and visually recognized by humanswithout any computational devices and cryptographic knowl-edge. On the other hand, any one share or a portion of shares canleak nothing related to the secret image. VC is a very good so-lution for sharing secrets when computers cannot be employedfor the decryption process.In the past decade, many research results on the threshold

visual secret sharing scheme (also known as -out-of- VSS

Manuscript received May 07, 2011; revised August 21, 2011; accepted Au-gust 26, 2011. Date of publication September 12, 2011; date of current ver-sion January 13, 2012. This work was supported in part by the National Sci-ence Council of Taiwan under Contract NSC100-2410-H-130-009 and ContractNSC100-2221-E-130-011. The associate editor coordinating the review of thismanuscript and approving it for publication was Dr. Carlo Blundo.K.-H. Lee is with the Department of Computer Science and Information En-

gineering, Ming Chuan University, Taipei, Taiwan (e-mail: [email protected]).P.-L. Chiu is with the Department of Risk Management and Insurance, Ming

Chuan University, Taipei, Taiwan (e-mail: [email protected]).Digital Object Identifier 10.1109/TIFS.2011.2167611

scheme or -VSS scheme) have been proposed [2]–[9].Ateniese et al. (denoted as Ateniese in short) [10] proposedthe concept of general access structure (GAS) and also devel-oped a VC-based solution for some GASs. Afterward, Hsu etal. reported the formulation of an unexpanded VCS for a GASproblem as an optimization model [11], [12]. Liu et al. (de-noted as Liu in short) proposed a recursive approach to con-struct VCS for GASs [13]. By using the GAS, dealers can de-fine reasonable combinations of shares as decryption conditionsrather than specifying the number of shares. For example, ifthere are four participants—one CEO, one manager, and twoemployees—sharing a secret, the CEO may expect to decryptthe secret with any one colleague who holds one of the othershares. The manager is allowed to obtain the secret with onlytwo employees. The two employees are restricted access to thesecret. Due to these flexibilities, dealers can also set the numberof shares as the decrypting condition. Hence, the -VSSscheme can be treated as a special case of the GAS.Conventional VSS schemes generate noise-like random

pixels on shares to hide secret images. In this manner, the secretcan be perfectly concealed on the share images. However,these schemes suffer from a management problem—dealerscannot identify each share visually. Hence, researchers havedeveloped the extended visual cryptography scheme (EVCS[14], also known as the friendly VC scheme [15], [16]), whichadds a meaningful cover image on each share to address themanagement problem. Ateniese presented a general techniqueto implement -threshold EVCS as well as various in-teresting classes of access structures for binary secret images[14]. Fang [15] and Chen et al. [16] proposed VC-based andrandom-grid-based techniques, respectively, for -EVCSwith a progressive decryption effect. Wang et al. developed amatrix extension algorithm for -EVCS by modifying anyexisting VCS with random-looking shares, which were thenutilized as meaningful shares [17].The pixel expansion problem is a common disadvantage with

most of the VSS schemes. When the VC-based approach is em-ployed, each secret pixel within a secret image is encrypted in ablock consisting of subpixels in each constituent share image.Thus, the area of a share is times that of the original secretimage. The contrast of the recovered images will be decreasedto simultaneously. The pixel expansion problem not onlyaffects the practicability of storage/transmission requirementsfor shares but also decreases the contrast of the recovered se-cret images. To the best of our knowledge, the existing EVCSalgorithms for GASs cannot avoid the pixel expansion problem.Therefore, we are motivated to find a solution to this problem.In this paper, we propose a novel encryption algorithm of

EVCS for general access structures to copewith the pixel expan-sion problem. The proposed algorithm is applicable to binary

1556-6013/$26.00 © 2011 IEEE

http://ieeexploreprojects.blogspot.com

220 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

secret/cover images, and no computational devices are neededduring the decryption phase. In order to avoid pixel expansion,we do not adopt the traditional VC-based approach to encryptsecret images. The encryption process can be divided into twophases. The first phase of the algorithm, which uses optimiza-tion techniques for a given access structure, constructs a setof noise-like shares that are pixel-expansion-free. We identifiedand formulated the problem in this phase as a combinatorial op-timization problem and then developed a simulated-annealing-based algorithm to solve it. The second phase of the algorithmdirectly adds a cover image on each share via a stamping al-gorithm. In this manner, the pixel expansion can be removedentirely. Recently, Weir and Yan also used the similar techniqueto solve the alignment problem of VC schemes [18]. Finally, wepresent implementation results to evaluate the effectiveness ofthe proposed algorithm. Moreover, we compare our results withother approaches.The remainder of this paper is organized as follows. Section II

presents a review of background and related work. Section IIIintroduces the proposed encryption algorithm. In Section IV, weshow the results of an experiment that was performed in orderto evaluate the performance of the proposed method. Lastly, wesummarize and conclude our work in Section V.

II. BACKGROUND AND RELATED WORK

A. Background of the General Access Structure

In this section, we briefly review some of Ateniese’s basicdefinitions and notations on GAS that will be used throughoutthe paper [10].Suppose is a set of participants, and

denotes the power set of . denotes the set of subsetsof from which we desire to be able to reconstruct the secret;thus, . Each set in is said to be a qualified set,while each set not in is called a forbidden set (denoted as

). Obviously, and .Based on the definitions, a VCS/EVCS for an access structure

on is defined as a technique that can yieldshares. When we stack together the shares associated with theparticipants in any set , we can recover the secretimage, but any has no information related to thesecret image on the stacked image.

consists of all the minimal qualified sets

In traditional secret sharing schemes, is monotonouslyincreasing and is monotonously decreasing, the accessstructure is said to be strong, and is termed abasis. In a strong access structure

and we say that is the closure of . For example, ifthere are four participants sharing a secret image (i.e.,

) and , stackingany set of subsets , , or canreveal the secret image; otherwise, no information can be dis-played.

B. Reviews VCS/EVCS for GASs

1) Ateniese’s VCS/EVCS for GASs: In 1996, Ateniese firstproposed a VC-based approach of VCS for GASs. Theymappedan access structure of VCS to a graph and then found both thelower and the upper bounds on the size of the shares (i.e., thepixel expansion factor) by the graph. They gave minimum pixelexpansion factors as well as basis matrices for VCS for strongaccess structures for at the most four participants [10].Then, in 2001, they developed a general method that can ex-

tend conventional -VCSs to -EVCSs based upon thebasis matrices of VCSs [14]. They proved that their VC-basedencoding approach had an optimal pixel expansion factor. Theirmethod consisted of two steps: first, they found out a set of basismatrices to satisfy the VCS for a given access structure. Second,they adopted the theory of hypergraph coloring to obtain the re-sultant matrices for the EVCS according to the basis matrices.They also discussed some applications of their technique on var-ious interesting classes of access structures. Example 1, whichis adopted from Example 5.1 of [14], shows Ateniese’s solutionprocedures.Example 1: Let and let be clo-

sure of , where . Assume that. A VCS for can be ob-

tained using basis matrices and which are illustrated inthe left part (without gray background) of matricesand , respectively. Then, by the theory of hypergraphcoloring and Ateniese’s algorithm, a set of basis matrices canbe obtained for -EVCS. A part of basis matrices,

and , are as follows:

0 11 11 01 01 00 11 11 01 01 0

As with other conventional VC-based approaches, Ateniese’sVCS approach for GASs also suffers from the pixel expansionproblem. It will expand the size of shares 2–8 times for strongaccess structures on at the most four participants [10]. More-over, their extended method for -EVCS will in-troduce extra pixel expansion that will enlarge the size of theshares and decrease the contrast of the recovered images. Asshown in Example 1, two extra columns (marked as gray back-ground) have to be added to the basis matrices of VCS forEVCS; the pixel expansion factor is, therefore, increased from8 to 10. The contrast value is decreased from 1/8 to 1/10. Thecontrast of meaningful shares is fixed and is only 10% in thisaccess structure.Besides this, there are other drawbacks of Ateniese’s ap-

proach: black secret pixels cannot be completely recovered(e.g., access structures 12, 15, and 17 in [10, Table 1]); theaspect ratio of the recovered image cannot be maintained; thehypergraph coloring problem, which is NP-hard, needs to besolved; this approach needs a sophisticated codebook design;


LEE AND CHIU: EXTENDED VC ALGORITHM FOR GENERAL ACCESS STRUCTURES 221

Fig. 1. Construction trees of Example 2: (a) Construction of -VCS. (b) Con-struction of -VCS.

and the solution approach has to rely on the basis matrices ofthe existing VCSs cannot be generalized.2) Liu’s VCS for GASs: In 2010, Liu [13] proposed a step

construction to construct VCS for GASs by applying (2,2)-VCSrecursively. Their constructions are applicable to binary secretimages and consider the VCS both under XOR and OR opera-tions. The main idea behind Liu’s approach is that the partic-ipants can take multiple share images for sharing one secretimage. Based on their idea, an access structure can be parti-tioned into several independent access structures to reduce theaverage pixel expansion (APE). Liu defined the APE as the av-erage value of the total pixel expansions of the share imagesholding by each participant [13]. Moreover, a VCS for an ac-cess structure can be constructed by downsizing the size of theaccess structure and applying (2,2)-VCS recursively.Example 2, which is modified from [13, Example 4], shows

Liu’s construction.Example 2: Let and let be closure

of , where . First,can be partitioned into

and . Then, the two schemes -VCS and-VCS will be constructed individually. For the step con-

struction of Construction 3, the construction trees are shownin Fig. 1. For the , apply Construction 2 for

, i.e., apply the (2,2)-VCS, and denotethe first share distributed to a virtual participant as .The second share is duplicated and then distributed to partic-ipants and simultaneously because they are equivalentparticipants in the access structure. Then, take as the secretimage, and construct a step construction of -VCS.Finally, we apply a (2,2)-VCS and distribute the two sharesto participants and , respectively. The construction pro-cedures of is similar to that of .Eventually, participants , , and take two shares, oneresults in a pixel expansion of 2 times and the other results inpixel expansion of 4 times. Participant only take one sharewhich has 4 times pixel expansion.For the , the . For

the , the . Hence,the APE of is 11/2. The pixel expansion for boththe schemes -VCS and -VCS is 4, and the contrast is 1/4.Liu claimed that his approach could improve the average

pixel expansion and contrast properties as compared with Ate-niese’s approach. However, a comparison with the conventionalVCS showed that Liu’s approach had some additional draw-backs: first, the participants may take multiple share imageswith different pixel expansions for one secret image. This dif-fers from conventional VC schemes and will increase admin-istrative inconvenience and difficulty. Second, the decryptionprocess is more complicated than conventional VCSs and needs

Fig. 2. Solution procedures for EVCS.

the help of other devices. For example, for the , theparticipants need to first enlarge the smaller share to the otherlarger shares. This will lead to an alignment problem whileshares were printed on transparencies. Finally, recovered im-ages cannot maintain the same aspect ratio as the original secretimage.

III. PROPOSED ENCRYPTION ALGORITHM

In this section, we present a two-phased encryption algo-rithm of -EVCS for GASs. The solution proce-dures are shown in Fig. 2. In the first phase, it generates interme-diate shares (i.e., in Fig. 2) of -VCS.These intermediate shares (I-shares) have ameaningless appear-ance and no pixel expansion. In the second phase, cover imageswill be added in these I-shares to yield the resultant shares of

-EVCS (i.e., in Fig. 2). Each modulein Fig. 2 will be described in the following section.

A. Phase I: Generating I-Shares

1) Problem Statement: This phase aims to construct a pixel-expansion-free VCS for a given access structure .The main idea behind the solution approach is as follows. Asecurity system employs different keys to protect a secretand distributes these keys to participants. Each key may beduplicated and will be distributed to at least one participant.Each participant is allowed to hold at least one key. Consid-ering this scenario, if someone wants to access the secret, he/shehas to collect different keys from a set of participants. Ifhe/she misses any one type of key, the secret will remain pro-tected. To construct such a security system for an access struc-ture , the dealer has to carefully distribute dif-ferent keys to any set of participants , and hasto guarantee that any set of participants , willnot hold all types of keys. Hence, the method of distributionof different keys to participants will provide a solution fora given access structure. Before applying the above-mentionedscenario to -VCS, there are three key points tobe overcome: first, what constructions can be used to encryptsecret images without pixel expansion? Next, how many keys



(shares) can satisfy the requirement of the given access struc-ture? Finally, how should the keys be distributed?For example, there are 4 participants, ,

sharing a secret image upon the qualified setand the forbidden set

(We keep this relation in the rest of the paper.) Intuitionally, wecan utilize the construction of a (4,4)-VCS to yield 4 shares,, , , and (called basis shares), and then distribute one

basis share to each participant. For example, participantholds the share , holds the share , and so on. Finally, wehave 4 I-shares for the

-VCS. Obviously, upon stacking I-shares , ,, and (according to ), the secret

image which is the same as the result of the (4,4)-VCS, can berevealed.In this paper, construction of -VCSs is adopted to be

the encryptor in Fig. 2. The I-shares of a -VCSare synthesized from the basis shares that are the products of theencryptor. The construction set C holds the relation between thebasis shares and the I-shares.Definition 1: Assume that the -VCS, where

is to be used to construct a -VCS with par-ticipants, , . Constructionset denotes the constitution member of shares of the

-VCS, represents the constitution member ofparticipant , . Basis share ,

, is the resultant share of the -VCS. Sharesof participant can be defined as .ByDefinition 1, the construction set of the above example can

be expressed as . As black andwhite pixels are presented by logical “1” and “0,” respectively,the stacking shares will be limited in pixel-wise “OR”-ed opera-tion. Hence, the recovered image forshould be the stacking result of , , , and which is thesame as that of the (4,4)-VCS.Example 3: Suppose there are 4 participants,

, who share a secret image and the qualifiedset is .Then the -VCS can be constructed by uti-lizing the construction of the (3,3)-VCS to yield 3 basisshares , , and . The construction set can be set as

. By Definition 1, we can ob-tain 4 shares for the -VCS, that is ,

, , and . Stacking any one subsetin can get all the basis shares, otherwise it will leak atleast one.Assume that the qualified set of

Example 3 is altered to.

We can also employ the construction of the (3,3)-VCS toconstruct the -VCS. Now, the construction setcan be modified as . TheI-shares for the -VCS become ,

, , and .In summary, phase I of the proposed algorithm contains two

subprocedures: first, finding the number of basis shares anda corresponding construction set for a -VCS.We develop a GAS solver, as shown in Fig. 2, to deal with these

works. In this subprocedure, the last two questions that wereproposed in the beginning of this subsection will be solved.Second, basis shares that were yielded by construc-tions of -VCS and the construction set will be utilizedto obtain uncovered I-shares . This work will be car-ried out by the encryptor and the share synthesizer, as shown inFig. 2. Obviously, the first question will be solved in this sub-procedure.2) GAS Solver:a) Problem statement and formulation: In this subsection,

we give a formal definition for the GAS solver and then formu-late it as a mathematical optimization problem.The problem of the GAS solver can be defined as follows:Definition 2: Given a set of participants

and an access structure , finding a constructionset with a minimal , such that ,where and . Moreover, for any set ,satisfying ; for any set

, .Definition 2 not only describes a principle to construct a

-VCS via a -threshold VCS, but alsoshows the following properties.Property 1: For any -VCS, if a construction

set satisfying the requirements of exists, thenthe -VCS can be constructed via the resultantshares of a -threshold VCS.Property 2: Suppose a -VCS can be con-

structed via the resultant shares of a -threshold VCSwitha minimal , the recovered image of the -VCShas the highest contrast value .

Proof: By Definition 2, a -VCS can get thesame stacking result as a -VCS. Naor and Shamir haveshown that the upper bound on contrast for a -VCSscheme is [1]. That is, the upper bound on contrast isproportional to the value of . Hence, the -VCSwill have the highest contrast while is minimal.The GAS Solver problem can be formulated as the following

mathematical optimization model.

Given parameters:

A set of participants, .

Number of participants, .

Participant , , .

Minimal qualified set, .

Qualified set, .

Forbidden set, .

Decision variables:

Number of basis shares, .

S Set of basis share ,presents the th share which is encrypted bythe construction of -VCS.



Indication variables, if presents, otherwise , ,, .

Construction set, ,where .

(1)

(2)

(3)

(4)

(5)

(6)

Constraint (1) ensures that each share of the-VCS consists of at least one basis

share. Constraint (2) limits each basis share to be assignedto at least one participant. Constraints (3) and (4) examinewhether the construction set obeys the access structure

. Constraints (5) and (6) limit the ranges of thedecision variables.Suppose there are participants sharing a secret. If is

known, there are possible combinations to construct theshare of a participant. The complexity to solve the optimizationproblem is . When and increase, the solution spaceof the optimization problem will grow very fast.3) Algorithm for GAS Solver: In this section, we develop an

algorithm based on the simulated annealing (SA) [19] approachto solve the proposed mathematic optimization formulation forthe GAS problem.We transform and relax the original mathematical model for

the GAS solver to simplify solution procedures. Our solutionapproach adopts an iterative improvement framework. First, wetreat the decision variable as a given variable and the originaloptimization problem is, therefore, transformed into a decisionproblem. In each iteration, we try to find a solution with a givenand refine according to the possibility of a solution being

found or not.We continue to relax Constraints (3) and (4) of the proposed

model by penalizing the energy function. The penalized energyfunction can be defined as follows:

where and. Here, denotes the amount of

a set (which belongs to the qualified set) that can recover thesecret image. If a solution satisfies Constraint (3), will be

; otherwise, . Notation representsthe amount of an insecure forbidden set in . If a solution is

secured, should be equal to 0. This implies that the solutionsatisfies Constraint (4). The penalized energy function canbe used not only to measure whether a solution violates Con-straints (3) and (4) but also to represent how close the solutionis to its feasible status. In the proposed SA-based algorithm, wewill use the penalized energy function to replace the originalenergy function; Constraints (3) and (4) can, therefore, beomitted during the solution process. It should be noted thatfor a feasible solution must be less than 1.The proposed iterative improvement framework is as listed in

Algorithm 1. Initially, the algorithm starts to find a solution forthe given GAS by the procedure with an initialguess in Steps 1 and 2. In each iteration (i.e., fromSteps 2 to 10), the algorithm proceeds to find a minimumby decreasing or increasing the value of by 1. If a solutionis found (i.e., , denotes the best-found energyfunction in the last iteration), the algorithm stops whileor in the case of , it decreases the value of by 1 andproceeds to the next iteration with the lower . On the contrary,if a solution is not found, the algorithm stops while or itincreases the value of by 1 and proceeds to the next iterationwhile . At the end of the procedure, the algorithm outputsa minimum and a construction set as the optimal solutionof the problem. If no solution can be found for a given accessstructure, the solution procedure will be terminated while

, where is a given parameter that prevents Algorithm1 from falling into an infinite loop.

Algorithm 1: SA-based algorithm for GAS solver

Procedure1. .2. Call .3. If then //No solution in last turn4. .5. IF then Stop and Output “No solution

found”6. If then goto Step 11.Else

7. . //Found a solution in last turn8. If then goto Step 11.9. . //Improvement10. End If11. Goto Step 2.12. Output , .

Algorithm 2 presents the pseudocode of the proposedSA-based algorithm, . In Step 1, the initial guesscan be generated as follows:

The initial guess can satisfy Constraints (1) and (2) at the sametime. Steps 2 and 3, evaluate the value of for the initial guessand store the results of the initial guess as the current best-foundsolution (i.e., and ). Step 4 sets the initial value forannealing parameters and . From Steps 5 to 20, the main loop



of the SA heuristic is executed repeatedly. At each state, the so-lution procedure selects a share , , and alters thecurrent state of to a neighbor of the current state randomly,except for an empty set. Steps 9 to 17 evaluate the value of theenergy function for the new state and decide whether to acceptthe new state or not. The objective value with the minimum en-ergy value should be saved as the best-found solution in Step15. After solution iterations, the annealing parameters andare modified in Step 19. The solution procedure will be termi-nated while or a solution without penalty (i.e., )is found. When the algorithm has stopped, the best-found solu-tion corresponding to is a solution to this problem,if receives no penalty.

Algorithm 2: Pseudocode of proposed SA-based algorithm

Procedure1. , , .2. Calculate for the above initial guess.3. , , .4. , .5. While and do6. Repeat times7. Randomly select a share .8. Alter the solution configuration of randomly.9. Calculate for the new configuration.10. .11. .12. Generate a random number uniformly

distributed in [0, 1).13. If or then14. .15. If then ,

.16. If then goto Step 2117. else recover the action in Step 8.18. End Repeat19. , .20. End While21. Output .

4) Share Constructors: The share constructor consists of twomodules in Fig. 2: the encryptor and the share synthesizer. Theencryptor adopts Yang’s construction for the -ProbVSSscheme directly (i.e., [6, Construction 3]). Yang’s constructionrule is summarized as follows:

Let and be the two white and black sets consistingof matrices for a -VCS. Then, andare constructed asand . Let (respec-tively, ) be the code distributing patterns for white (re-spectively, black) secret pixels. Chosen probability forand is .

The procedure of the share constructor is shown as Algo-rithm 3. The first step (i.e., the encryptor in Fig. 2) generatesthe basis shares by employingYang’s -ProbVSS scheme.

The second step (i.e., the share synthesizer in Fig. 2) producesI-shares by stacking the basis shares upon construction set .

Algorithm 3: Proposed algorithm of share constructor

Procedure // SI: SecretImage1. Encrypting SI by Yang’s -ProbVSS to yield a

set of basis shares .2. , ,3. Output I-shares .

Example 4: Suppose there are 4 participants,, sharing a secret image and the qualified set

. Solving the problem byutilizing the procedure, it can obtainand construction set . ByYang’s construction rule, the codebook for (3,3)-VCS are

The chosen probability for each 3 1 column vector is 1/4.Then, and are employed to produce 3 basis shares, ,, and . Finally, distributing basis shares and to partic-

ipants and , respectively, a composite share is generated bystacking and (respectively, and ) together for partic-ipant (respectively, ).The shared and recovered images that are constructed in this

phase have the following properties.Property 3: The recovered image has no pixel expansion.Proof: The recovered image is produced by stacking all

shares constructed byYang’s -ProbVSS scheme directly.Yang has shown that this construction is free of pixel expansion.That proves this property.Property 4: The black secret pixels can be perfectly recon-

structed in the recovered images.Proof: By observing the code distributing patterns,

, it can be found that each columnmatrix contains at least one “1” (black pixel). Hence, the stackedimage can reconstruct all the black secret pixels completely.Property 5: The I-shares are secure.Proof: Because each I-share is composed of the basis

shares, this property can be evaluated by the following twofacts: first, the basis shares are secure. Second, each I-share isonly composed of a part of the basis shares. Hence, any singleI-share cannot reveal anything related to the secret image. Thatproves the security property.

B. Phase II: Stamping Cover Images

In this section, we have proposed a stamping algorithm tostamp cover images on I-shares , that were producedin the first phase. There are two major differences between ourapproach and the existing research for the EVCS. First, we put



cover images on shares directly rather than redesign a code-book for a specific VC scheme; hence, our approach does notintroduce any pixel expansion in this phase. Second, the blackpixel density of the cover images can be adjusted on demand ina fine-grained fashion.Suppose denotes a collection of pixel colors for I-share, cover image , and secret image in coordinate . Nota-tion expresses there are a white, black, andblack pixels on I-share , cover image , and secret imagein . The stamping algorithm sticks extra black pixels onI-shares where collection of pixel colors isor . That means the stuck black pixels only ap-pear in the region where shared pixels are white and cover pixelsare black. Hence, having more black pixels appear in the region,the cover images can be revealed. Besides, there are two majorissues have to be considered in the algorithm. First, it preservesthe security property for I-shares. Second, it keeps the contrastof reconstructed images as high as possible.To preserve the security condition, on the resultant shares

(called stamped shares), the algorithm has to maintain an equaldensity for cover-pixels between two regions where collectionof pixel colors are and , re-spectively. Otherwise, a portion of the secret image will be dis-closed on stamped shares. To meet this condition, we first cal-culate the amount of extra cover-pixels for each share. Suppose

presents the desired density for cover pixels on I-share .The amount of extra cover-pixels and will be scatteredin the regions where and , re-spectively. The amount of cover-pixels are

respectively, where and denote the amount of pixelsin the regions where and ,respectively. In the stamping phase, we randomly add andcover pixels on their corresponding regions of I-share ,

the cover image can be displayed, and the security conditionof resultant shares can be satisfied.Because the cover and secret images are binary images,

adding extra black pixels on I-shares may increase the blackpixels in the white region of the recovered image. Thus it maydecrease the contrast of the image. Hence, the stamping algo-rithm tries to add black cover-pixels on the same coordinate ofeach I-share to reduce the overall number of extra cover-pixelsin the recovered image. Notation denotes overlappedfrequency of black cover-pixels at coordinate . Notation

means there are cover images which have a blackpixel at . Before scatter cover pixels on I-shares, we firstcalculate for each coordinate. According to the value of

, randomly select candidate coordinates from the regionwhere to add extra cover pixels to I-shares. Inthis manner, coordinates with larger have higher priorityto be added cover pixels. This method ensures that cover pixelshave a high probability of being allocated to the same coordi-nate such that the contrast value of the recovered image is high.A detailed description of the stamping algorithm is provided inAlgorithm 4. Table I lists the notations included in Algorithm 4.

TABLE INOTATIONS OF ALGORITHM 4

Algorithm 4: Proposed stamping algorithm

Procedure Stamping1. , calculate for each coordinate .2. , calculate and

.3. Calculate for each coordinate .4. ,5. For downto 16. Begin6.1 Repeat Steps 6.2 to 6.8 times6.2 Randomly select a coordinate where

and6.36.4 If then goto Step 6.16.5 For to6.6 Begin6.6.1 If and then

Add a black pixel in of , .6.6.2 If and then

Add a black pixel in of , .6.7 EndFor6.8 If and then goto

Step 9.7. EndFor8. If or then goto

Step 4.9. , Output as stamped shares .

Steps 1–3 calculate all required parameters. Step 4 initializesindicators for all coordinates. Steps 5–7 stamp cover pixelson in iterations. In Step 6.2, each coordinate will be ran-domly selected once at most based on its priority . In Step6.4, the use of constant and function can avoid theclustering of cover-pixels in coordinates with higher priority.Constant ranges between 0.7 and 1.0. Steps 6.5–6.7 add coverpixels on selected coordinates of on demand.Please note that black cover-pixels will only be added on can-didate coordinate of that has a white pixel on it (i.e.,



Fig. 3. Example of Algorithm 4. (a) Parameter , (b) secret image, (c) coverimage 1, (d) cover image 2, (e) I-share , (f) I-share , (g) stamped share ,and (h) stamped share . In (g) and (h), grids filled with gray (black) colorrepresent shared (cover) pixels.

). Step 6.6.1 (Step 6.6.2) adds an extra coverpixel to if the desired density for cover image in the regionof black (white) secret pixels does not reach (i.e., parameter

is greater than zero). In Step 8, if the required densitiesof cover-pixels is not reached in corresponding share, the algo-rithm performs Steps 4–7 again until all required cover-pixelsare stamped on shares . Step 9 outputs all the resultantstamped shares .The main loop (i.e., Steps 4–7) comprises the majority of the

algorithm’s time complexity. The execution time of the loop de-pends on the selection of a random number generator and con-stant . In the best case, the main loop will be only executed onetime, the time complexity of the algorithm is whereand are the height and width of a secret image, respectively.Suppose the loop will be executed times in the worst case; thetime complexity of the stamping algorithm is . Be-sides, in order to uniformly distribute cover pixels over shares,all images are divided into smaller blocks (e.g., 8 8 pixels) atthe beginning of the algorithm.Example 5: Suppose there are 2 participants, ,

sharing a secret image and the qualified set .The example images are shown in Fig. 3. The incremental pixeldensities of the cover image for the 2 participants are

and .From Fig. 3, we have , , , and

. By using Step 2, we can calculate, ,

, and . Parameter for eachcoordinate can be expressed as Fig. 3(a).In the first iteration, coordinates where have

the highest priority to be candidates for adding cover pixels.Suppose coordinate (1,5) is chosen and the collections of pixelcolors are [note: I-shares and areshown in Fig. 3(e) and (f)], when the algorithm starts. Hence, acover pixel is added to the coordinate in I-shares and at thesame time. The values of and are also updated to 7 and 7,respectively. Afterward, in the rest of the iteration, coordinates(3,6), (2,8), (1,6), (3,7), (7,8), (6,7), and (4,5) were chosen;according to the collections of pixel colors, there are 7 and 5cover pixels added to and , respectively. Coordinates (6,7)and (7,8) in share cannot be added black pixels, because ofthere are black shared pixels on it. Parameters were updatedas , , , and . Next, in the seconditeration (i.e., ), coordinates (2,2), (3,3), (6,5), and (8,5)were chosen; two cover pixels were added to coordinates (2,2)and (3,3) in and two cover pixels were added to coordinates

(6,5) and (8,5) in . Parameters were updated as ,, , and . In Step 8, because the stopping

condition is not satisfied, the algorithm continues to performthe second round stamping process. In the first iteration of thesecond round, coordinates (3,4), (8,8), (6,6), and (5,8) werechosen and cover pixels were added on . Parameters wereupdated as and . In the second iteration, the coverpixel was added to coordinate (6,4) in . Finally, the resultantshares and were produced and then the algorithm stopsbecause of the stopping condition is reached.An example of resultant shares and are shown in

Fig. 3(g) and (h). Obviously, the contrast of cover image onshares and are high enough to reveal the cover images.

IV. EXPERIMENTAL RESULTS

In this section, we first evaluate the performance of the pro-posed optimization model by comparing with the previous VCresults for GASs. Then, we assess the performance of the pro-posed encryption algorithm for EVCS in terms of the contrast ofthe recovered secret images. Finally, we demonstrate the resultsof our implementation of EVCS by examples.

A. Performance of GAS Solver

The proposed algorithm for GAS solver is coded in lan-guage. The parameters of the cooling schedule for Algorithm1 are and . The initial values include

and . The frozen temperature is .In the following subsections, we examine the performances

of the GAS solver in two different VC scenarios and comparethem with Ateniese’s and Liu’s results. In both comparisons, wetest all strong access structures with up to four participants aslisted on [10, Table 1].1) Comparison With Conventional VCS for GASs: First, we

test the conventional VCS scenario restricting each participantto hold a single share image for sharing one secret image. Thesolution results of the proposed GAS solver are listed in Table II.In Table II, all strong access structures have a correspondingconstruction set , which means that a pixel-expansion-freeVCS for one of these access structures can be constructed viaa -VCS.Fig. 4 illustrates the implementation results for minimal

qualified set 5. The secret image can be revealed by stackingqualified participants, as shown in Fig. 4(f). However, itcannot be accessed by any forbidden participants, as shown inFig. 4(g) and (h). It proves the effectiveness of the proposedGAS solver algorithm.Although Ateniese has proved that their VC-based approach

has optimal pixel expansion, his approach still results in pixelexpansion of 2–8 times, as listed on Table II. Our proposed al-gorithm can totally remove the pixel expansion; hence, our ap-proach is superior to Ateniese’s method in terms of the pixelexpansion.2) Comparison With Liu’s Scenario: In the second compar-

ison, we adopt Liu’s scenario that allows each participant tocarry multiple share images for sharing one secret image. Forfairness, before the start of the encryption process, the minimalqualified sets listed on Table II are also partitioned into several



TABLE IISOLUTION RESULTS AND COMPARISONS FOR CONVENTIONAL VCS FOR GASs

: Pixel expansion factor.and denote Ateniese’s and our results, respectively.

Fig. 4. A parts of Implementation results for minimal qualified set 5. (a) Secretimage; (b) share 1; (c) share 2; (d) share 3; (e) share 4; (f) shares 1 2; (g) shares1 3; (h) shares 1 4.

subsets, which are the same as Liu’s partitioning results. The dif-ferent parts of the qualified sets are separated by a semicolon,as shown in Table II.Table III lists our solution outcomes by combining Liu’s

prepartitioning results. Due to the prepartitioning, a qualifiedset is divided into several smaller subsets; hence, each subsetcan be solved by employing the previous solution results. Forexample, in Table III, the minimal quality set 5 can be dividedinto and . Hence, the constructionresult for minimal quality sets 1 and 2 can be adopted for

and , respectively. The results listedin Table III indicate that our solution approaches can also beapplicable to Liu’s encryption scenario.Table IV shows that Ateniese’s and Liu’s approaches have the

same pixel expansion for the recovered image. By combiningLiu’s partition results, Ateniese’s approach can have a smallerpixel expansion factor than his own previous results in some ac-cess structures. Our approach is still pixel-expansion-free whichmeans that by applying our method, the dealers do not need toresize their shares before decryption. Table IV also indicates thatall the approaches have the same contrast values for the recov-ered images. Fig. 5 shows that our approach has minimal av-erage pixel expansion for shares. The above comparison resultsdemonstrate that the proposed encryption approach has a great

TABLE IIIOUR OUTCOMES BY COMBINING LIU’S PARTITION RESULTS

Note: The qualified sets with prepartitioning are the same as those listedon Table II

TABLE IVCOMPARISON BY PIXEL EXPANSION OF RECOVERED IMAGE

performance in terms of pixel expansion for recovered imagesand APE for shares.

B. Contrast of Images Recovered by EVCS

In this subsection, we evaluate the performance of the EVCSalgorithm by the contrast of recovered images. Cover imagesand the secret image for this experiment are shown in Figs. 6 and7. All figures are in 512 384 pixels and have been reduced to25% of the original size due to space limitation. The incrementalpixel density for the cover image is set at the same valuein this experiment.Table V lists a part of the contrast value of the recovered im-

ages. The resultant contrast values are compared with the the-oretical upper bound of the recovered image. Obviously, thesecontrast values obtained by the proposed EVCS algorithm arevery close to its upper bound. Actually, the use of the stamping



Fig. 5. Comparison of average pixel expansion (APE).

Fig. 6. Cover images used for experiments. (a) Cover image 1; (b) cover image2; (c) cover image 3; (d) cover image 4.

Fig. 7. Secret image used for experiments.

algorithm reduces only slightly the contrast of the recovered im-ages. This degradation is proportional to the parameter re-gardless of the VCS’s access structure. This verifies the effec-tiveness of the proposed stamping algorithm.

C. Demonstration of Our Results for EVCS

In this subsection, we demonstrate the implementation re-sults of the proposed construction algorithm for the conven-tional EVCS. To evaluate whether the stamping algorithm canbe applied to various types of cover images, cover images 1 isreplaced with the inversed version of Fig. 6(a). Cover images 2and 3 are as presented in Figs. 8(a) and 6(c), respectively.The implementation results of access structure 4 in Table II

are shown in Fig. 8. The parameters for cover images1, 2, and 3 are set to 15%, 20%, and 20%, respectively.Fig. 8(b), (c), and (d) show that the cover images can bestamped and can be clearly revealed on meaningless shares.Fig. 8(e), (f), and (g) cannot display any information related tothe secret image due to the forbidden combinations of decryp-tion. On contrary, the qualified set can recover thesecret image, as shown in Fig. 8(h). This example demonstrates

TABLE VCONTRAST (%) OF RECOVERED IMAGES

Fig. 8. Implementation results for minimal qualified set 4 in Table II. (a) Coverimage 2; (b) share 1; (c) share 2; (d) share 3; (e) shares 1 2; (f) shares 1 3;(g) shares 2 3; (h) shares .

the feasibility of our hybrid approach. This indicates that anexcellent display quality of the recovered images is possible byemploying the proposed stamping algorithm.The proposed stamping algorithm may result in some dim

traces of cover images on the recovered images. There are threeways to remove or conceal the traces to promote the displayquality for recovered images. First, use graphs drawn by lines



be the cover images, for example, the cover images in Fig. 6.Second, adjust the density of cover images as low as possible.Finally, adopt a pair of complementary images to be the coverimages in each qualified set. This method was also used in [20].

V. CONCLUSION

In this paper, we have proposed a two-phased encryption al-gorithm for the EVCS for general access structures. From thepoint of view of pixel expansion, our approach successfullysolves the open questions. The experimental results also showthat in most of the cases, our approach has better performancesthan those proposed in previous research in terms of the displayquality of the recovered image, which includes contrast, perfectreconstruction of black secret pixels, and maintenance of thesame aspect ratio as that of the original secret image.The proposed algorithm has four advantages. First, the algo-

rithm is a generic approach. It can construct the EVCS for gen-eral access structures without the need to design a sophisticatedcodebook. The second advantage is the modularity. Each phasein the encryption procedure is less coherent, so it can be indi-vidually designed and also can be replaced separately. The thirdadvantage is the first phase of the proposed algorithm: this phaseis applicable not only to the extended VC schemes but also tothe conventional VC schemes. The fourth advantage is that be-cause the density of the cover images is adjustable, it is veryhelpful for modifying the display quality of the cover images.The major contributions of our work are as follows: First,

this is the first solution that addresses the pixel problem of theEVCS for general access structures. Second, we formulate theconstruction problem of VCS for general access structures as amathematical optimization problem such that the problem canbe solved by optimization techniques. Third, we have developeda hybrid method for EVCS constructions. By adopting the pro-posed stamping algorithm, all existing VC schemes can be mod-ified to form their extended VC schemes without redesigningcodebooks.

ACKNOWLEDGMENT

The authors gratefully acknowledge the helpful commentsand suggestions of the reviewers, which have improved the pre-sentation. And they are especially grateful to Prof. Carlo Blundofor his kind help during the review process of this paper.

REFERENCES[1] M. Naor and A. Shamir, “Visual cryptography,” in Proc. Advances in

Cryptology (Eurprocrypt’94), 1994, pp. 1–12.[2] E. R. Verheul and H. C. A. v. Tilborg, “Constructions and properties

of k-out-of-n visual secret sharing schemes,” Designs Codes Crypto.,vol. 11, pp. 179–196, 1997.

[3] H. Koga, “A general formula of the (t,n)-threshold visual secretsharing scheme,” in Proc. Advances in Cryptology (Asiacrypt), 2002,pp. 328–345.

[4] A. Adhikari and S. Sikdar, “A new (2, n)-visual threshold scheme forcolor images,” in Proc. INDOCRYPT 2003, Berlin, Germany, 2003, pp.148–161.

[5] C. Blundo, P. D’Arco, A. D. Santis, and D. R. Stinson, “Contrast op-timal threshold visual cryptography schemes,” SIAM J Discrete Math.,vol. 16, pp. 224–261, 2003.

[6] C. N. Yang, “New visual secret sharing schemes using probabilisticmethod,” Pattern Recognit. Lett., vol. 25, pp. 481–494, 2004.

[7] C. Blundo, S. Cimato, and A. D. Santis, “Visual cryptography schemeswith optimal pixel expansion,” Theor. Comput. Sci., vol. 369, pp.169–182, 2006.

[8] D. Wang, L. Zhang, N. Ma, and X. Li, “Two secret sharing schemesbased on boolean operations,” Pattern Recognit., vol. 40, pp.2776–2785, 2007.

[9] P. L. Chiu and K. H. Lee, “A simulated annealing algorithm for generalthreshold visual cryptography schemes,” IEEE Trans. Inf. Forenics Se-curity, vol. 6, no. 3, pp. 992–1001, Sep. 2011.

[10] G. Ateniese, C. Blundo, A. D. Santis, and D. R. Stinson, “Visual cryp-tography for general access structures,” Inform. Comput., vol. 129, pp.86–106, 1996.

[11] C. S. Hsu and Y. C. Hou, “Goal-programming-assisted visual cryp-tography method with unexpanded shadow images for general accessstructures,” Opt. Eng., vol. 45, no. 9, p. 097001-1, 2006, (10 pages).

[12] C. S. Hsu, S. F. Tu, and Y. C. Hou, “An optimization model for vi-sual cryptography schemes with unexpanded shares,” Found. Intelli-gent Syst., LNAI, vol. 4203, pp. 58–67, 2006.

[13] F. Liu, C. Wu, and X. Lin, “Step construction of visual cryptographyschemes,” IEEE Trans. Inf. Forensics Security, vol. 5, no. 1, pp. 27–38,Mar. 2010.

[14] G. Ateniese, C. Blundo, A. D. Santis, and D. R. Stinson, “Extendedcapabilities for visual cryptography,” Theor. Comput. Sci., vol. 250,pp. 143–161, 2001.

[15] W. P. Fang, “Friendly progressive visual secret sharing,” PatternRecognit., vol. 41, pp. 1410–1414, Apr. 2008.

[16] T. H. Chen and Y. S. Lee, “Yet another friendly progressive visualsecret sharing scheme,” in Proc. 5th Int. Conf. Intelligent InformationHiding and Multimedia Signal Processing, 2009, pp. 353–356.

[17] D.Wang, F. Yi, and X. Li, “On general construction for extended visualcryptography schemes,” Pattern Recognit., vol. 42, pp. 3071–3082,Nov. 2009.

[18] J. Weir and W. Yan, “Plane transform visual cryptography,” in Proc.9th Int. Workshop Digital Watermarking (IWDW2010), Seoul, Korea,Oct. 2010, pp. 60–74.

[19] S. Kirkpatrick, C. D. Gelatt, and M. P. Vecchi, “Optimization by sim-ulated snnealing,” Science, vol. 220, pp. 671–680, 1983.

[20] Z. Zhou, G. R. Arce, and G. D. Crescenzo, “Halftone visual cryptog-raphy,” IEEE Trans. Image Process., vol. 15, no. 8, pp. 2441–2453,Aug. 2006.

Kai-Hui Lee received the Ph.D. degree in electronicengineering from the National Taiwan University ofScience and Technology, Taipei, Taiwan, in 2002.He joined the Department of Computer Science

and Information Engineering, Ming Chuan Uni-versity, Taipei, Taiwan, as an associate professorin 2003. His current research interests includevisual cryptography, wireless networks, and networkresource managements.

Pei-Ling Chiu received the Ph.D. degree in informa-tion management from the National Taiwan Univer-sity, Taipei, Taiwan, in 2007.She joined the Department of Risk Management

and Insurance, Ming Chuan University, Taipei,Taiwan, as an associate professor in 2008. Herresearch focuses on visual cryptography, wirelesssensor networks, and optimizing technologies.


An extended visual cryptography algorithm for general access structures.bak

Documents

Transcript of An extended visual cryptography algorithm for general access structures.bak