In this section, we describe the experiments that were conducted on the scheme. Then, the performance of the scheme in these experiments is analyzed in detail, and finally, the security of the scheme is discussed.
5.1. Simulation Results
In our experiment, the parameters were set as follows:
,
,
,
,
, and
, which is a
threshold-changeable secret image sharing scheme. We chose a gray-scale baboon of
pixels as the secret image, as shown in
Figure 6.
Initially, we used the classic standard test image, Lena, at
pixels, as the cover image. In our
scheme, six stego images were obtained, and then,
was used as the changed threshold and the key,
, was broadcast. For simplicity, we chose to use images (a), (b), (c), and (d) to recover the secret image, and
Figure 7 shows the experimental results, i.e., the average PSNR of the stego image was 47.15 dB. The results showed that this scheme has a good quality image, i.e., the difference between the stego image and the cover image could not be detected by the human eye, and the secret image can be recovered without any distortion.
In addition, the influence of the cover image on the quality of the stego image was considered. We used 9 different
-pixel gray-scale images as the cover image. This group of images is shown in
Figure 8, and the experimental results are shown in
Table 2. It was apparent that the difference between the results of different cover images was small; therefore it was concluded that the cover image has little effect on the quality of the stego images.
5.2. Performance Analysis
In this section, we focus on analyzing the parameter m and thresholds because these two parameters have important influences on the secret capacity and the quality of secret images in our scheme.
For the analysis of
m, our experimental parameters are as follows:
,
,
,
, and
. The baboon is still the secret image, and Lena is used as the cover image;
Table 3 shows the results of the experiment, i.e., the relationship between the different values of
m and the secret capacity. Based on the experimental data, we concluded the following: (1) as
m increases, the value of PSNR decreases; (2) the secret embedding capacity increases as the factor
m increases. The first point follows from the range of pixels: as the range of pixels becomes larger, the difference between the pixels of the stego image and the pixels of the cover image increases; therefore, the PSNR value decreases. Also, as the factor
m increases, there is a lower share of data after conversion. That is to say, there are fewer areas on the cover image where changes occurred; therefore, the embeddable capacity increases. In our scheme, there were
converted digits in the polynomial that was constructed, and it was embedded in
N cover pixels (i.e.,
pixel); similarly,
cover data occupy one cover pixel. For a cover image with
pixels and considering the embedded pixels of the location map (the size of which is
), the embedding capacity is
.
The value of the thresholds is another important factor in the scheme. We chose different thresholds in the experiment, and
Table 4 shows the results of the experiment. In the experiment, there were five different sets of potential thresholds, i.e.,
,
,
,
,
, and
; other parameters were set as above.
In our scheme,
data were embedded for each secret sharing; therefore, the greater the threshold
, the greater the embedding capacity. The data in
Table 4 are consistent with our theoretical analysis. Analyzing the thresholds
,
,
, and
with fixed
m and
N, it was apparent that the quality of the image had little relationship with
. It is worth noting that the value of the minimum threshold and the value of the potential threshold are important factors that determine the quality of the stego images. This is because the minimum threshold and the number of thresholds affect the amount of embedded data. Then, by analyzing the data that correspond to the numbers 1, 3, and 5 in
Table 4, it was found that the PSNR increases gradually as the factor,
, increases. The increase in the embedding capacity means fewer shares of fixed secret data, i.e., the number of pixels in the original cover image is modified less; therefore, the quality of the stego image is better.
Table 5 shows the comparison of our scheme with other secret image sharing schemes in recent years. We still used the baboon with
pixels as the secret image and Lena with
pixels as the cover image and set the thresholds as
,
. The results shown in
Table 5 indicate that the PSNR value of our scheme was slightly lower than the PSNR values of the single-threshold, secret image sharing schemes. This occurred because our scheme embedded redundant shares and non-embedded location map information. However, in all secret image sharing schemes with changeable thresholds, our scheme had the best quality images. Although the embedding method was optimized, a location map also was embedded in order to recover the cover image; therefore, compared with Yuan et al.’s scheme [
31], the improvement in the quality of the stego image was not obvious. In addition, since Liu et al.’s scheme [
33] does not use steganography to hide the shared data, the shadow image is generated directly in their scheme; therefore, there is no meaningful reference to PSNR.
We also compared and analyzed the actual running performance. Considering that different types of secret image sharing schemes were not suitable for comparison, we experimented on schemes of the same type, namely Yuan et al.’s scheme and Liu et al.’s scheme. The secret image was the baboon with pixels, and the cover image was Lena with pixels. The other parameters were , , , , and . The adjusted threshold value was chosen for the actual performance test. The execution time of Liu et al.’s scheme is 32 s, that of Yuan et al.’s scheme is 151 s, and that of our scheme is 147 s. Liu et al.’s scheme does not have the steganography operation; therefore, its execution time is shorter than that of our scheme. Yuan et al.’s scheme needs to recover multiple polynomials layer by layer to recover the secret image, but our scheme only needs to compute a polynomial. Meanwhile, our scheme needs to generate and embed a location map, which Yuan et al.’s scheme does not need. Thus, our scheme’s execution time is shorter but close to Yuan et al.’s.
Compared with other methods, our work has the following advantages and contributions:
(1) No limit on thresholds. In Yuan et al.’s scheme [
31], the threshold can be changed only once. However, in our scheme,
N potential thresholds do not need to satisfy
. Meanwhile, the threshold value of our scheme can be changed more than once.
(2) Less calculation. In Yuan et al.’s scheme [
26], if the threshold is adjusted to
, they must use polynomial interpolation to determine the polynomial
and then to determine the polynomial
,
, …,
to obtain the secret from the polynomial
. When recovering, our scheme does not have the process of iterating the polynomials, and only one polynomial has to be recovered.
(3) Recoverable cover image. In the same type of scheme, Yuan et al.’s scheme [
31] cannot recover the cover image and Liu et al.’s scheme [
33] does not use steganography; however, our proposed method can reconstruct the cover image and completely recover the secret image without distortion.
5.3. Security Analysis
In this part, we prove the applicable pixel range of the proposed method, and the security of the scheme is analyzed theoretically.
Theorem 1. In our scheme, the difference between the original pixel and the corresponding stego pixel must satisfy , where m is a prime number and .
Proof. In our scheme, stego pixel
is calculated as
where
,
, and
. Then, there are three cases to consider:
(1) If there exists , then, . Since , it is easy to prove that . The equation can be expressed as because is an integer.
(2) The difference can be expressed as when . Thus, taking the opposite of , we can conclude that .
(3) The difference can be expressed as when . Then, we can obtain , which can be transferred to because is an integer.
In summary, we can prove that . □
Theorem 2. Let the original pixel, , satisfy , where is a prime number. Then, we can ensure that the generated stego pixel, , satisfies .
Proof. In view of Theorem 1, there exists , where . Since , there are two cases to consider:
(1) In this case, can be expressed as . Thus, the original pixel must satisfy because and .
(2) Since and , we can prove that the original pixel, , must satisfy .
To summarize, the original pixel, , must satisfy , which can ensure that stego pixel calculated through formula (19) does not exceed the range [0, 255]. □
According to Theorem 2, we embed the data into the original pixels that satisfy and use the non-embedded location map to record the original pixels that do not meet this condition.
Theorem 3. Before broadcasting the key, no participant can calculate her/his share point pairs, which can be used to recover the polynomial by Lagrange interpolation.
Proof. Assuming that the current threshold is
, the corresponding key is
, and participant
wants to recover her/his first share point pair
, where
, and
is
’s identification. According to feature (2) of the two-variable one-way function, i.e.,
presented in
Section 3.1, participant
cannot calculate
without key
. Similarly, participant
cannot recover the rest of her/his share point pairs and the other participants also cannot recover their share point pairs. Thus, no participant can obtain her/his share point pairs before broadcasting the key. □
Theorem 4. If the number of authorized participants is less than the current threshold, the secret image cannot be recovered.
Proof. According to the people who take part in the recovery phase, there are two cases to consider when recovering:
(1) Only authorized participants take part in the recovery phase.
Assuming that the threshold is , if only authorized participants take part in the recovery phase, the ideal situation is that participants want to recover the secret image. In our scheme, only if not less than participants want to recover the secret will the dealer broadcast the corresponding key, . By Theorem 3, we know that no participant can calculate her/his share point pairs before the key is broadcast. Thus, fewer than authorized participants cannot calculate their share point pairs, which means they cannot recover the secret image. Similarly, participants whose numbers are less than cannot recover their share point pairs that correspond to threshold () because only the dealer can broadcast the current key, .
(2) Malicious and authorized participants both take part in the recovery phase.
Assuming that the current threshold is
and that
if malicious and authorized participants both take part in the recovery phase, the ideal situation is that
malicious participants and
authorized participants want to recover the secret image. The malicious participants can disguise themselves as authorized participants. Without loss of generality, it is assumed that both malicious participants
and authorized participants
take part in the recovery phase. After broadcasting key
, authorized participants
can calculate their share point pairs, i.e.,
,
, and
, where
is their identification. According to feature (3) of the two-variable one-way function
presented in
Section 3.1, malicious participants
cannot calculate their share point pairs without legal identification. Only if the recovery phase has
share point pairs or more can the polynomial of degree
, where secret data can be hidden, be recovered by the Lagrange interpolation formula. Thus, the secret image cannot be recovered in this situation.
To summarize, the secret image cannot be recovered when the number of authorized participants is less than the current threshold. □
Theorem 5. Even if attackers steal the dealer’s keys, they cannot recover the secret image without being able to identify the legal participants.
Proof. Let us assume that the threshold is
and that the attackers want to recover participant
’s
first share point pair
. According to feature (3) of the two-variable one-way function, i.e.,
, presented in
Section 3.1, attackers cannot calculate
without participant
’s identification,
. Similarly, attackers cannot recover the rest of
’s share point pairs and they cannot recover any participant’s share point pairs without her/his identification.
In view of Theorem 4, attackers can recover the secret image only if they can obtain no less than participants’ share point pairs. Thus, attackers cannot recover the secret image without legal participants’ identification even if they steal the dealer’s keys. □
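The arguments of Theorems 3 to 5, as an added example that is not the paper's code: share points exist only for someone holding both the broadcast key and a legal identification, and too few share points leave every candidate polynomial equally consistent. Assumptions: HMAC-SHA256 stands in for the two-variable one-way function of Section 3.1, each share point's x-coordinate is that function's output, the polynomial has degree t − 1 with all t coefficients carrying secret digits, m = 251, and all keys, identifications and digits are constructed sample values.

```python
import hashlib
import hmac

M = 251  # prime field size (the page requires m prime; 251 is an assumed value)
SECRET = [12, 200, 7, 93]  # constructed secret digits, so threshold t = 4
IDS = [b"id-%d" % k for k in range(1, 7)]  # constructed identifications, n = 6

def owf(key: bytes, ident: bytes) -> int:
    """Assumed stand-in for the two-variable one-way function: HMAC-SHA256 -> 1..M-1."""
    digest = hmac.new(key, ident, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (M - 1) + 1

def evaluate(coeffs, x):  # polynomial value over GF(M), coeffs lowest degree first
    return sum(c * pow(x, k, M) for k, c in enumerate(coeffs)) % M

def interpolate(points):
    """Lagrange interpolation over GF(M); returns coefficients, or None if x values repeat."""
    if len({x for x, _ in points}) != len(points):
        return None
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # basis(x) *= (x - xj), coefficients lowest degree first
                basis = [(a - xj * b) % M for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % M
        scale = yi * pow(denom, -1, M) % M
        result = [(r + scale * b) % M for r, b in zip(result, basis)]
    return result

def deal(secret_digits, ids):
    """Dealer: choose a key that gives distinct x values, return (key, {id: y})."""
    for counter in range(1000):
        key = b"constructed-key-%d" % counter
        xs = {i: owf(key, i) for i in ids}
        if len(set(xs.values())) == len(ids):
            return key, {i: evaluate(secret_digits, x) for i, x in xs.items()}
    raise RuntimeError("no collision-free key found")

def recover(key, ys, ids):
    """Rebuild share point pairs from the broadcast key and identifications, then interpolate."""
    return interpolate([(owf(key, i), ys[i]) for i in ids])

def candidates(key, ys, ids, extra_id):
    """Polynomials consistent with too few shares: one per guess of the missing y value."""
    known = [(owf(key, i), ys[i]) for i in ids]
    return {tuple(interpolate(known + [(owf(key, extra_id), y)])) for y in range(M)}

KEY, YS = deal(SECRET, IDS)
```

With t − 1 = 3 share points, `candidates` returns M distinct polynomials, the true one among them, so the three points alone do not single out the secret digits.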
Theorem 6. Even if attackers obtain the keys and all of the share point pairs used to recover the secret image, they cannot calculate any participant’s identification.
Proof. Assume that the current threshold is
and that the attackers want to calculate participant
’s
identification,
, from key
and
’s first share point
. According to feature (5) of the two-variable one-way function,
, presented in
Section 3.1, attackers cannot calculate
from
and
. Similarly, attackers cannot obtain
from the rest of
’s share point pairs and they cannot calculate any participant’s identification. □
By Theorem 6, we know that attackers cannot obtain any participant’s identification even if they obtain the keys and all share point pairs. Thus, a participant’s identification can be reused in subsequent secret image sharing procedures, which can improve the efficiency of our scheme.