Reversible Data Hiding in Crypto-Space Images with Polynomial Secret Sharing over Galois Field

Abstract

Secret sharing is a data security technique that divides secret information into multiple parts, embeds these parts into various shares, and distributes these shares to different participants. The original secret information can be retrieved only when the number of shares gathered meets a required threshold. This paper proposes a secret sharing method that can hide data in encrypted images with reversibility and allows content owners to add an additional layer of security before uploading data to the cloud. This method enables the independent extraction of images and data, ensuring that the recovered images and extracted data can serve as validation information for each other. The proposed method not only enhances data security but also guarantees the accuracy of the extracted information.

1. Introduction

With the increasing maturity of cloud technology, more and more users prefer to upload data to the cloud for storage. However, if the uploaded data contain sensitive images or confidential information, precautions must be taken to prevent data breaches during transmission or storage in the cloud. Typically, encryption [1,2,3,4] or steganography [5,6,7,8,9,10] is employed to protect critical data before uploading.

Steganography embeds secret data into a cover medium, such as an image, in an imperceptible manner making the cover medium appear like the original. However, many traditional data hiding methods may cause permanent damage to the cover medium. In many applications and fields, such as the medical and military fields, and so on, the cover medium itself is highly important. It may lead to many issues if the cover medium is permanently damaged or distorted. Reversible data hiding (RDH) [5] is a technology that allows us to embed data while avoiding permanent damage to the cover medium, and it can be perfectly restored after message extraction.

Directly transmitting the cover image is vulnerable to security threats such as hacking, leakage, and eavesdropping. Therefore, subsequent methods, which combine encryption with steganography, have led to the proposal of data hiding in encrypted carriers, such as reversible data hiding in encrypted images (RDHEI) [6,7,8,9,10] in the field of images. Nevertheless, most of these methods embed the secret information into a single image. If such an image is compromised, lost, intercepted, or tampered with by attacks by malicious users during transmission or storage, it is impossible for authorized users to accurately recover the original image, and this may even lead to the leakage of important information.

To address the aforementioned risks, we can utilize secret sharing techniques. With a (k, n)-threshold secret sharing scheme, secret data are divided and embedded into n shares or share images, where any k shares are sufficient to reconstruct the data or original image, while fewer than k shares are insufficient to retrieve it. Even if there are cases in which some of the shares encounter issues during transmission or storage, the security and integrity of the data can still be ensured and thereby the risks of data leakage and corruption are reduced. Secret sharing not only provides a certain degree of fault tolerance but also offers permission control functionality. As a result, it has attracted increasing interest from scholars for various applications, such as authentication [11,12,13], access control [14], cloud storage management [15,16], 3D model protection [17,18], and so on.

Gao et al. [19] proposed a (2, 3)-threshold reversible secret sharing scheme based on a fractal matrix. In their method, secret data are embedded into three shares of a cover image by modifying the pixel values according to a fractal matrix. Any two of the three shared images can retrieve the secret data and recover the cover image, but the method may lead to distortions in steganographic shared images. Lin et al. [20] proposed an improved scheme based on a crystal-lattice matrix to reduce distortions in steganographic shared images. They utilized a greedy algorithm to construct an optimal lattice model that allowed the model to arrange itself tightly around elements like the growth of crystalline materials, and thereby reduced distortion.

The two most commonly used secret sharing techniques are based on either polynomials or the Chinese remainder theorem [21,22,23]. The secret sharing scheme proposed by Shamir [24] is based on polynomials, yet the one Asmuth and Bloom [25] proposed is based on the Chinese remainder theorem. Polynomial-based secret sharing can be further divided into different research directions: those that pursue computational and transmission efficiency [26,27,28] and those that focus on lossless recovery [29,30,31]. Thien and Lin [26] treated the pixel values of the cover image as the secret, sequentially using them as coefficients of a ($k-1$) degree polynomial and thereby generating $1 / k$ size steganographic shared images, which facilitates subsequent storage and transmission. Wu et al. [27,28] reduced computational complexity and image distortion by mixing multiple prime numbers in modular calculations. Yang et al. [29], to prevent cheating by dishonest participants, introduced the Galois field $\mathrm{G}\mathrm{F}\left(2^8\right)$ into secret sharing to obtain lossless recovery. Gong et al. [30] and Luo et al. [31] connected the pixels of multiple images or channels into long integers and used a larger prime number for modular calculations to achieve lossless recovery.

In this paper, we propose a secret sharing method combined with RDHEI. By integrating these advanced secret sharing techniques with RDHEI, our method aims to provide a higher level of security and reliability while maintaining lossless recovery. Before uploading the image to the cloud, additional preventive approaches are added by the content owner to enhance the security of the transmitted image and secret data. While ensuring that the extraction of the embedded data and the recovery of the cover image can be done separately, we utilize steganography to embed secret data into copies of an encrypted image. This means that recovered images and extracted secret data serve not only to carry important information but also to mutually verify each other’s correctness. If one party extracts incorrect information, we can be certain that the remaining party also has an error. This verification method helps ensure that there are no impostors in the shares retrieved from the cloud. Additionally, this approach also helps assess the security of storage providers or transmission channels.

Compared to other cloud-based secret sharing methods, the focus of our proposed approach is to ensure that data uploaded to and retrieved from clouds remain identical, rather than to emphasize the storage and management within the clouds. Consequently, the processes of encryption, secret sharing, and data embedding are all completed by the content owner. This ensures greater control and security over the data without affecting the management of data by other cloud-based polynomial secret sharing methods. Secondly, our method employs two different types of data for secret sharing and embedding to further enhance the robustness of the system. Lastly, both secret message extraction and image recovery require the collaboration of multiple shares. This significantly improves robustness and makes any unauthorized access or tampering more difficult.

The contributions of this paper are as follows:

• Combining RDHEI with secret sharing adds an extra layer of protection to the data transmitted to the cloud.
• The proposed method is capable of full image recovery and restoring 100% the message from k shares completely.
• The proposed method utilizes two different keys to control the image recovery and data extraction separately to achieve some degree of access control.
• While carrying important information, the images and data also verify whether the other party has extracted incorrect data.

The remaining sections of this paper are structured as the followings: Related work in Section 2 provides some fundamental reviews on polynomial secret sharing and Galois fields. The proposed scheme combining encryption data hiding and secret sharing is detailed in Section 3, the proposed scheme, with the information and algorithms related to secret sharing, data embedding, data extraction, and image recovery. Section 4 provides the experiment results, where we analyze, explain, and summarize the experiments we conducted. Lastly, we conclude the paper in Section 5 with our conclusions.

2. Related Work

2.1. Polynomial Secret Sharing

The scholar Shamir [24] proposed a data security technology based on a polynomial function in 1979 with the purpose of splitting secret data into multiple pieces and sending them to participants for transmission and storage. The formula for the polynomial function used in the method is as follows:

$$F\left(x\right)=\sum _{i=0}^{k-1}{a}_i{x}^i=a_0+a_{1}x+a_2{x}^2+\cdots +a_{k-1}{x}^{k-1} ,$$

(1)

where k represents the threshold of the (k, n) secret sharing, $a_0$ represents the secret messages, $a_1, \dots , a_{k-1}$ represents integers that are randomly chosen, and x represents the identity number of the participants. Based on the number of participants, an equal number of pieces are generated, ensuring that the original secret data can be recovered when at least k pieces are available. To recover the original secret data, we can use the Lagrange interpolating formula. The formula is presented as follows:

$$F\left(x\right)=\sum _{i=1}^{k}F\left(x_i\right)·\prod _{j=1, j\ne i}^k{\displaystyle \frac{x-x_j}{x_i-x_j}}, x_1\ne x_2\ne \dots {\ne x}_k,$$

(2)

where $F\left(x_i\right)$ is the polynomial value evaluated at the unique identity number $x_i$ and the secret messages are the coefficients of the recovered polynomial.

Let us take a look at a simple example. Suppose we use the equation $F\left(x\right)=a_0+a_{1}x$ to generate 3 shares for (2, 3)-threshold secret sharing and the secret messages are 42 and 5. Here, we choose the identity numbers $x_1=3$, $x_2=7$, and $x_3=12$. Then,

$$\mathrm{for} x_1, F\left(3\right)=42+5\times 3=57,$$

$$\mathrm{for} x_2, F\left(7\right)=42+5\times 7=77,$$

$$\mathrm{for} x_3, F\left(12\right)=42+5\times 12=102.$$

Therefore, we obtain three shared values, 57, 77, and 102, for the identities 3, 7, and 12, respectively. In the recovery phase, suppose the first and second shares are available. The original polynomial can be recovered using the Lagrange interpolating formula.

$$F\left(x\right)=57{\displaystyle \frac{\left(x-7\right)}{\left(3-7\right)}}+77{\displaystyle \frac{\left(x-3\right)}{\left(7-3\right)}}.$$

Thus, we can obtain $F\left(x\right)=42+5x$. However, when the number of shares is less than the threshold, it is impossible to reveal the secret or the original image because it is not possible to solve for the k unknown coefficients.

Scholar Thien and Lin [26] proposed a scheme to share secret images based on Shamir’s secret sharing method. The primary difference between the two methods lies in the treatment of coefficients in the ($k-1$) degree polynomial. In Shamir’s secret sharing method, only the constant term $a_0$ is the secret message, while the remaining coefficients $a_1, \dots , a_{k-1}$ are randomly chosen. In a different way, Thien and Lin’s method considers all coefficients $a_0, a_1, \dots , a_{k-1}$ as secret messages. Consequently, the output image or message is reduced to $1 / k$ of the original size. Since the scheme was applied to images, with pixel values restricted to the range of 0–255, they used the largest prime number 251 in the range as the modulus for their calculations. Values from 251 to 255 were reduced to 250. However, this approach led to image distortion and information loss.

2.2. Galois Field

A Galois field [1,32,33,34] is a mathematical structure commonly used in data security and coding theory. In Galois fields, all integer operations are performed within finite fields and the results of operations are confined to a limited range. Galois fields are often used to limit the range of computation results to ensure the integrity and security of data. Galois fields also play a critical role in various areas, including coding theory and error correction codes, such as the Reed–Solomon code, which is essential for reliable data storage and transmission. Additionally, a Galois field is utilized in public key infrastructure and quantum computing to define finite field operations. The application of parallelization in large number calculations, particularly over residue number systems (RNS), further highlights their versatility and importance across various technological domains.

The notation $\mathrm{G}\mathrm{F}\left(p\right)$ or $\mathrm{G}\mathrm{F}\left(p^n\right)$ represents a prime field, where p is a prime number referred to as the characteristic of the field, and n is a positive integer to signify the dimension of the field.

In $\mathrm{G}\mathrm{F}\left(p\right),$ the elements comprise$\{\mathrm{0,1},2,\cdots ,p-1\}$. In contrast, $\mathrm{G}\mathrm{F}\left(p^n\right)$ consists of polynomials with coefficients in $\mathrm{G}\mathrm{F}\left(p\right)$ and the degree of the polynomials is less than n. The elements in $\mathrm{G}\mathrm{F}\left(p^n\right)$ can be represented as $\left\{a_0, a_{1}x, a_2{x}^2,\dots ,a_{n-1}{x}^{n-1} \right| a_i\in \mathrm{G}\mathrm{F}\left(p\right)\}$.

To convert a number to the Galois field, the methods differ based on whether we are working with $\mathrm{G}\mathrm{F}\left(p\right)$ or $\mathrm{G}\mathrm{F}\left(p^n\right)$. In $\mathrm{G}\mathrm{F}\left(p\right)$, the number must be reduced by modulo p. For example, given an integer 17, converting it to an element in $\mathrm{G}\mathrm{F}\left(5\right)$ requires performing the modulo operation with 5. Thus, $17 \mathrm{m}\mathrm{o}\mathrm{d} 5=2$, meaning that 17 is represented as 2 in $\mathrm{G}\mathrm{F}\left(5\right)$. In $\mathrm{G}\mathrm{F}\left(p^n\right)$, the conversion involves using the number represented in base p system to create a polynomial of degree n, then reducing it by executing a modulo operation with an irreducible polynomial. For instance, to convert the integer 15 into $\mathrm{G}\mathrm{F}\left(2^3\right)$, we first express ${15}_{\left(10\right)}$ in binary as ${1111}_{\left(2\right)}$, which corresponds to the polynomial $x^3+x^2+x+1$. Then, we reduce the polynomial by the following operation:

$$\left(x^3+x^2+x+1\right) \mathrm{m}\mathrm{o}\mathrm{d} \left(x^3+x+1\right)=x^2=4_{\mathrm{G}\mathrm{F}\left(2^3\right)}.$$

Thus, 15 is represented as 4 in $\mathrm{G}\mathrm{F}\left(2^3\right)$. By following these steps, one can convert numbers to their corresponding values in any Galois field.

Operations such as addition, subtraction, and multiplication in $\mathrm{G}\mathrm{F}\left(p\right)$follow traditional arithmetic rules, and the results are reduced by modulo p. On the other hand, in $\mathrm{G}\mathrm{F}\left(p^n\right)$, the field consists of polynomials with coefficients in $\mathrm{G}\mathrm{F}\left(p^n\right),$ and arithmetic operations in $\mathrm{G}\mathrm{F}\left(p^n\right)$ are executed modulo an irreducible polynomial. The difference in calculating between $\mathrm{G}\mathrm{F}\left(p\right)$ and $\mathrm{G}\mathrm{F}\left(p^n\right)$ is demonstrated by the following example.

Assume $i=6$ and $j=5.$ In $\mathrm{G}\mathrm{F}\left(7\right), i+j=11 \mathrm{m}\mathrm{o}\mathrm{d} 7=4$, but for calculation in $\mathrm{G}\mathrm{F}\left(2^3\right)$, where $i, j$ are represented as polynomials, they are denoted as $\left(x^2+x\right)$ and $(x^2+1)$ respectively. Suppose the applied irreducible polynomial is $x^3+x+1$. The sum of i and j can be calculated by

$$\begin{array}{l}\left(i+j\right) \mathrm{m}\mathrm{o}\mathrm{d} \left(x^3+x+1\right)\\ =\left[\left(x^2+x\right) ⨁ \left(x^2+1\right)\right] \mathrm{m}\mathrm{o}\mathrm{d} \left(x^3+x+1\right)\hfill \\ =\left(x+1\right) \mathrm{m}\mathrm{o}\mathrm{d} \left(x^3+x+1\right)\hfill \\ =\left(x+1\right).\hfill \end{array}$$

After the modulo operation, the result is $\left(x+1\right)$, which is then converted back to its decimal value, represented as 3. Finally, we get $6+5=3$ in $\mathrm{G}\mathrm{F}\left(2^3\right)$.

3. Proposed Methods

The overall process can be divided into three main parts: image encryption, secret sharing, and data embedding. Image encryption aims to generate carriers for embedding secret shares while safeguarding against the leakage of image information. Secret sharing involves splitting the secret data into n shares, thereby reducing the risks of data leakage, corruption, and tampering. Data embedding entails concealing the secret shares into the encrypted images. The overall encryption and embedding process is illustrated in Figure 1.

3.1. Image Encryption

Based on the (k, n)-threshold secret sharing scheme, we replicated the cover image n times to serve as carriers for embedding the secret shares. Simultaneously, to ensure that the important information contained within the images remains confidential, we used an encryption key generated from a seed and utilized stream cipher technology to encrypt these copied images. This approach also ensures that even if one of the replicated images is modified or counterfeited during recovery, we can still successfully reconstruct the original image, thereby achieving dual protection through encryption and mitigating the risk of image damage.

3.2. Secret Sharing

For securing sensitive information, a polynomial secret sharing technique can be employed. In this method, secret shares are derived from a polynomial function. This ensures that others cannot reconstruct the original data solely based on a single share and reduces the risk of data leakage. We can utilize the following formula to perform the secret sharing operation.

$$F\left(x_i\right)=a_0+a_1{x}_i+a_2{x_i}^2+{\dots }_{ }+a_{k-1}{x_i}^{k-1}, i\in \left[1, n\right],$$

(3)

where $a_0, a_1, a_2,\dots ,a_{k-1}\in \left[0, 255\right]$ represent the secret segments,$x_i$ denotes the ID provided by the content owner for each participant, and $F\left(x_i\right)$ represents the corresponding secret share. It can be clearly noticed that without certain postprocessing, the generated secret data may exceed the range of pixel values. To mitigate this issue, we can utilize the Galois field $\mathrm{G}\mathrm{F}\left(2^8\right)$. To realize $\mathrm{G}\mathrm{F}\left(2^8\right)$, an irreducible polynomial can be adjusted the computation results to ensure that the output values remain within the range of 0 to 255. This is like the example of Galois field $\mathrm{G}\mathrm{F}\left(2^3\right)$ in Section 2, where the polynomial used $\left(x^3+x+1\right)$. However, in $\mathrm{G}\mathrm{F}\left(2^8\right)$, we instead use the polynomial $(x^8+x^4+x^3+x+1)$ with a required order 8.

3.3. Data Embedding

During the data embedding phase, we divide the n copies of the encrypted image into small blocks with n pixels. The pixels within each block are labeled in a fixed order. Take the (3, 4)-threshold secret sharing as an example. Figure 2 illustrates the dividing and labeling result. Subsequently, we embed the secret shares into all image blocks. For the sake of simplicity, we use the most straightforward embedding process, directly replacing the encrypted pixel values at the corresponding marked positions with the generated secret shares. In practical applications, we can randomly select different positions within blocks for embedding or switch the embedding method from replacing pixels to replacing bits. As long as the conditions of embedding different locations in different shares and ensuring that the number of embedded bits per block is $1 / n$ are met, the proposed method can successfully restore the image and extract the message.

Suppose the encrypted images ${EI}_i,i=\mathrm{1,2},\mathrm{3,4}$ are prepared for the participants with identity numbers ${Gid}_i,i=\mathrm{1,2},\mathrm{3,4}$, respectively. We apply three raw secret segments ${GM}_0,{GM}_1,{GM}_2$ to construct a second order polynomial $F\left(x\right)$ over $\mathrm{G}\mathrm{F}\left(2^8\right)$. Then, the polynomial is evaluated at ${Gid}_i, i=\mathrm{1,2},\mathrm{3,4}$ to obtain secret shares $F\left({Gid}_i\right)$, where $i=\mathrm{1,2},\mathrm{3,4}$. These shares are used to replace the a, b, c, d pixel values of the corresponding blocks in the encrypted images ${EI}_i, i=\mathrm{1,2},\mathrm{3,4}$, respectively. The final steganographic shared images are illustrated in Figure 1, where only a pixel values are altered for the steganographic shared image ${EI}_1$, only b pixel values are altered for steganographic shared image ${EI}_2$, and so forth. The overall steganographic shared image generation processes are given in Algorithm 1.

Algorithm 1. Image encryption, secret sharing, and data embedding.
Input	$\mathrm{I}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e} I$, secret m$\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{a}\mathrm{g}\mathrm{e} M \mathrm{b}\mathrm{e}\mathrm{t}\mathrm{w}\mathrm{e}\mathrm{e}\mathrm{n} 0~255,$ s$\mathrm{e}\mathrm{e}\mathrm{d} S$, $\mathrm{I}\mathrm{D} \mathrm{f}\mathrm{o}\mathrm{r} n \mathrm{p}\mathrm{a}\mathrm{r}\mathrm{t}\mathrm{i}\mathrm{c}\mathrm{i}\mathrm{p}\mathrm{a}\mathrm{n}\mathrm{t}\mathrm{s} {id}_1, \dots , { id}_n$, t$\mathrm{h}\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{o}\mathrm{l}\mathrm{d} \mathrm{f}\mathrm{o}\mathrm{r} \mathrm{r}\mathrm{e}\mathrm{c}\mathrm{o}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{y} k.$
Output	$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{g}\mathrm{a}\mathrm{n}\mathrm{o}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{h}\mathrm{i}\mathrm{c} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{d} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e}\mathrm{s} {SI}_1, {SI}_2, \dots , {SI}_n$.
$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{p} 1. \mathrm{I}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e} \mathrm{e}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}$
1	$I={CI}_1= \dots ={CI}_n;$	$\mathrm{C}\mathrm{o}\mathrm{p}\mathrm{y} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e} n \mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\mathrm{s}.$
2	$randi.seed\left(S\right)$	$\mathrm{S}\mathrm{e}\mathrm{t} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\mathrm{o}\mathrm{m} \mathrm{s}\mathrm{e}\mathrm{e}\mathrm{d} S.$
3	$B=randi\left(\left[0, 255\right], { I}_{height}, { I}_{width}, n\right);$	$\mathrm{G}\mathrm{e}\mathrm{n}\mathrm{e}\mathrm{r}\mathrm{a}\mathrm{t}\mathrm{e} n \mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\mathrm{s} \mathrm{l}\mathrm{o}\mathrm{n}\mathrm{g}\mathrm{e}\mathrm{r}$ $\mathrm{b}\mathrm{i}\mathrm{t} \mathrm{s}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{m} B \mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h} \mathrm{s}\mathrm{e}\mathrm{e}\mathrm{d}.$
4	$\left\{{EI}_1, \dots , {EI}_n\right\}=\left\{{CI}_1, \dots ,{CI}_n\right\} ⨁B;$	$\mathrm{S}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{m} \mathrm{c}\mathrm{i}\mathrm{p}\mathrm{h}\mathrm{e}\mathrm{r} \mathrm{c}\mathrm{o}\mathrm{p}\mathrm{i}\mathrm{e}\mathrm{d} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e}$s $\mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h} \mathrm{b}\mathrm{i}\mathrm{t} \mathrm{s}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{m} B.$
$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{p} 2. \mathrm{S}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{t} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{i}\mathrm{n}\mathrm{g}$
5	${Gid}_i=gf\left({id}_i, 8\right), i\in [1, n];$	$\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{t} \mathrm{I}\mathrm{D} \mathrm{t}\mathrm{o} Gid \mathrm{i}\mathrm{n} \mathrm{G}\mathrm{a}\mathrm{l}\mathrm{o}\mathrm{i}\mathrm{s} \mathrm{f}\mathrm{i}\mathrm{e}\mathrm{l}\mathrm{d}.$
6	$GM=\{{GM}_1,{GM}_2,\dots \}=gf(M, 8);$	$\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{t} \mathrm{m}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{a}\mathrm{g}\mathrm{e} \mathrm{t}\mathrm{o} GM$ $\mathrm{i}\mathrm{n} \mathrm{G}\mathrm{a}\mathrm{l}\mathrm{o}\mathrm{i}\mathrm{s} \mathrm{f}\mathrm{i}\mathrm{e}\mathrm{l}\mathrm{d}.$
7	$F\left(x\right)={GM}_1+{GM}_{2}x+\dots +{GM}_k{x}^{k-1},$ $x={Gid}_i, i\in \left[1, n\right];$	$\mathrm{P}\mathrm{o}\mathrm{l}\mathrm{y}\mathrm{n}\mathrm{o}\mathrm{m}\mathrm{i}\mathrm{a}\mathrm{l} \mathrm{s}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{t} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{i}\mathrm{n}\mathrm{g}.$
$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{p} 3. \mathrm{D}\mathrm{a}\mathrm{t}\mathrm{a} \mathrm{e}\mathrm{m}\mathrm{b}\mathrm{e}\mathrm{d}\mathrm{d}\mathrm{i}\mathrm{n}\mathrm{g}$
8	${RI}_i=reshape\left({EI}_i, \left[1, { I}_{height}\times I_{width}\right]\right), i\in [1, n];$	$\mathrm{S}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{t}\mathrm{c}\mathrm{h} \mathrm{t}\mathrm{o} 1\mathrm{D} \mathrm{m}\mathrm{a}\mathrm{t}\mathrm{r}\mathrm{i}\mathrm{x}.$
9	$\mathbf{f}\mathbf{o}\mathbf{r} j=1:({ I}_{height}\times I_{width})$
10	$\mathbf{i}\mathbf{f} j mod n==i, i\in [1,n]$
11	${REI}_i\left(j\right)=F\left({Gid}_i\right), i\in [1, n];$
12	$\mathbf{e}\mathbf{n}\mathbf{d} \mathbf{i}\mathbf{f}$
13	$\mathbf{e}\mathbf{n}\mathbf{d} \mathbf{f}\mathbf{o}\mathbf{r}$
14	${SI}_i=reshape\left({RI}_i, \left[{ I}_{height}, { I}_{width}\right]\right), i\in \left[1, n\right];$	$\mathrm{R}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{p}\mathrm{e} \mathrm{t}\mathrm{o} \mathrm{o}\mathrm{r}\mathrm{i}\mathrm{g}\mathrm{i}\mathrm{n}\mathrm{a}\mathrm{l} \mathrm{s}\mathrm{i}\mathrm{z}\mathrm{e}.$
15	$\mathrm{R}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{r}\mathrm{n} {SI}_i$;

3.4. Data Extraction and Image Recovery

While extracting the secret message or restoring the cover image, we first need to obtain k shares, meeting the (k, n)-threshold requirement, in order to proceed. The proposed method restricts users from extracting the secret message or restoring the cover image based on the keys they have, as shown in Figure 3. If a user has data hiding the key only, the user can only extract the message. Conversely, if a user has an encryption key, the user can only recover the original cover image. If a user has both keys, the user can extract the message and recover the image. The two operations are separable.

When extracting messages, based on the ID provided by the participants, it is also a data hiding key, where we can determine the embedding positions in each steganographic shared image and extract the corresponding secret share from them. Subsequently, utilizing the data hiding key and the Lagrange interpolating formula, we compute the coefficients of the original polynomial. These coefficients are the original secret message. Algorithm 2 outlines the steps for extracting the secret message from the steganographic shared images.

Algorithm 2. Secret data extraction.
Input	$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{g}\mathrm{a}\mathrm{n}\mathrm{o}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{h}\mathrm{i}\mathrm{c} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{d} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e}\mathrm{s} {SI}_1, {SI}_2, \dots ,{SI}_k$, $\mathrm{I}\mathrm{D}\mathrm{s} {id}_1, \dots , {id}_k.$
Output	$\mathrm{S}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{t} \mathrm{m}\mathrm{e}\mathrm{s}\mathrm{s}\mathrm{a}\mathrm{g}\mathrm{e}\mathrm{s} M.$
1	${Gid}_i=gf\left({id}_i, 8\right), i\in [1, k];$	$\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{t} \mathrm{I}\mathrm{D} \mathrm{t}\mathrm{o} Gid \mathrm{i}\mathrm{n} \mathrm{G}\mathrm{a}\mathrm{l}\mathrm{o}\mathrm{i}\mathrm{s} \mathrm{f}\mathrm{i}\mathrm{e}\mathrm{l}\mathrm{d}.$
2	${RSI}_i=reshape({SI}_i, \left[1, { SI}_{height}\times S{I}_{width}\right]),$ $i\in [1, k];$	$\mathrm{S}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{t}\mathrm{c}\mathrm{h} \mathrm{t}\mathrm{o} 1\mathrm{D} \mathrm{m}\mathrm{a}\mathrm{t}\mathrm{r}\mathrm{i}\mathrm{x}.$
3	$\mathbf{f}\mathbf{o}\mathbf{r} j=1:({SI}_{height}\times {SI}_{width})$
4	$\mathbf{i}\mathbf{f} j mod n==i$ $\mathrm{a}\mathrm{n}\mathrm{d} i \mathrm{i}\mathrm{s} \mathrm{a}\mathrm{n} \mathrm{a}\mathrm{v}\mathrm{a}\mathrm{i}\mathrm{l}\mathrm{a}\mathrm{b}\mathrm{l}\mathrm{e} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e},$
5	$F\left({Gid}_i\right)={RSI}_i\left(j\right), i\in \left[1, k\right];$	$\mathrm{E}\mathrm{x}\mathrm{t}\mathrm{r}\mathrm{a}\mathrm{c}\mathrm{t} \mathrm{s}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{e}\mathrm{t} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{s} \mathrm{o}\mathrm{f} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{a}\mathrm{v}\mathrm{a}\mathrm{i}\mathrm{l}\mathrm{a}\mathrm{b}\mathrm{l}\mathrm{e}$ $\mathrm{r}\mathrm{e}\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{p}\mathrm{e} \mathrm{s}\mathrm{t}\mathrm{e}\mathrm{g}\mathrm{a}\mathrm{n}\mathrm{o}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{h}\mathrm{i}\mathrm{c} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{d} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e}\mathrm{s}.$
6	$\mathbf{e}\mathbf{n}\mathbf{d} \mathbf{i}\mathbf{f}$
7	$\mathbf{e}\mathbf{n}\mathbf{d} \mathbf{f}\mathbf{o}\mathbf{r}$
8	$F\left(x\right)={\displaystyle \sum _{i=1}^k}F\left(x_i\right)·{\displaystyle \prod _{j=1, j\ne i}^k}{\displaystyle \frac{x-x_j}{x_i-x_j}};$	$\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{o}\mathrm{n}\mathrm{s}\mathrm{t}\mathrm{r}\mathrm{u}\mathrm{c}\mathrm{t} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{p}\mathrm{o}\mathrm{l}\mathrm{y}\mathrm{n}\mathrm{o}\mathrm{m}\mathrm{i}\mathrm{a}\mathrm{l} \mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h}$ $\mathrm{L}\mathrm{a}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{n}\mathrm{g}\mathrm{e} \mathrm{i}\mathrm{n}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{p}\mathrm{o}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{n}\mathrm{g} \mathrm{f}\mathrm{o}\mathrm{r}\mathrm{m}\mathrm{u}\mathrm{l}\mathrm{a}.$
9	$\mathrm{M}\mathrm{a}\mathrm{n}\mathrm{i}\mathrm{p}\mathrm{u}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{e} \mathrm{t}\mathrm{o} \mathrm{o}\mathrm{b}\mathrm{t}\mathrm{a}\mathrm{i}\mathrm{n}$ $\mathrm{c}\mathrm{o}\mathrm{e}\mathrm{f}\mathrm{f}\mathrm{i}\mathrm{c}\mathrm{i}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{s} a_i \mathrm{o}\mathrm{f} \mathrm{p}\mathrm{o}\mathrm{l}\mathrm{y}\mathrm{n}\mathrm{o}\mathrm{m}\mathrm{i}\mathrm{a}\mathrm{l}, i\in \left[1, k\right];$
10	$M=a_i, i\in \left[1,k\right]$;
11	$\mathrm{R}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{r}\mathrm{n} M;$

On the other hand, when restoring the image, utilizing the encryption key to perform stream cipher on k steganographic shared images can recover the original image. Using k steganographic shared images can assist in determining the correct recovered pixels, for which a simple voting mechanism can be employed. Algorithm 3 outlines the processes for recovering the original image.

Algorithm 3. Image recovery
Input	$\mathrm{S}\mathrm{t}\mathrm{e}\mathrm{g}\mathrm{a}\mathrm{n}\mathrm{o}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{h}\mathrm{i}\mathrm{c} \mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{d} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e}\mathrm{s} {SI}_1, {SI}_2, \dots ,{SI}_k,$ $\mathrm{S}\mathrm{e}\mathrm{e}\mathrm{d} S$.
Output	$\mathrm{O}\mathrm{r}\mathrm{i}\mathrm{g}\mathrm{i}\mathrm{n}\mathrm{a}\mathrm{l} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e} I.$
1	$randi.seed\left(S\right)$	$\mathrm{S}\mathrm{e}\mathrm{t} \mathrm{t}\mathrm{h}\mathrm{e} \mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\mathrm{o}\mathrm{m} \mathrm{s}\mathrm{e}\mathrm{e}\mathrm{d} S.$
2	$B=randi\left(\left[0, 255\right],{ SI}_{height},{ SI}_{width}, n\right);$	$\mathrm{G}\mathrm{e}\mathrm{n}\mathrm{e}\mathrm{r}\mathrm{a}\mathrm{t}\mathrm{e} n \mathrm{t}\mathrm{i}\mathrm{m}\mathrm{e}\mathrm{s} \mathrm{l}\mathrm{o}\mathrm{n}\mathrm{g}\mathrm{e}\mathrm{r}$ $\mathrm{b}\mathrm{i}\mathrm{t} \mathrm{s}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{m} B \mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h} \mathrm{s}\mathrm{e}\mathrm{e}\mathrm{d}.$
3	$\left\{{RI}_1, \dots , {RI}_n\right\}=\left\{{SI}_1, \dots ,{SI}_n\right\} ⨁B;$	$\mathrm{S}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{m} \mathrm{c}\mathrm{i}\mathrm{p}\mathrm{h}\mathrm{e}\mathrm{r} \mathrm{s}\mathrm{t}\mathrm{e}\mathrm{g}\mathrm{a}\mathrm{n}\mathrm{o}\mathrm{g}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{h}\mathrm{i}\mathrm{c}$ $\mathrm{s}\mathrm{h}\mathrm{a}\mathrm{r}\mathrm{e}\mathrm{d} \mathrm{i}\mathrm{m}\mathrm{a}\mathrm{g}\mathrm{e}\mathrm{s} \mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h} \mathrm{b}\mathrm{i}\mathrm{t} \mathrm{s}\mathrm{t}\mathrm{r}\mathrm{e}\mathrm{a}\mathrm{m}.$
4	$\mathbf{f}\mathbf{o}\mathbf{r} a=1:I_{height}$
5	${\mathbf{f}\mathbf{o}\mathbf{r} b=1:I}_{width}$
6	$$\begin{gathered} I\left(a, b\right) \\ =voting\left({RI}_1\left(a, b\right), \dots , {RI}_k\left(a, b\right)\right); \end{gathered}$$	The voting example is illustrated in Section 3.5.
7	$\mathbf{e}\mathbf{n}\mathbf{d} \mathbf{f}\mathbf{o}\mathbf{r}$
8	$\mathbf{e}\mathbf{n}\mathbf{d} \mathbf{f}\mathbf{o}\mathbf{r}$
9	$\mathrm{R}\mathrm{e}\mathrm{t}\mathrm{u}\mathrm{r}\mathrm{n} I;$

3.5. Example of Proposed Methods

To better illustrate the proposed method, a simple example is provided in this part. In Figure 4, randomly generated 2 × 2 image blocks and data are used as secret messages. According to the threshold value (3, 4), four copies of the image blocks are initially made. These four copies of the image blocks are then encrypted using the encryption key via the stream cipher. Taking the first copied image block as an example, the process proceeds as follows:

$${\left( 75 \right)}_{10}⨁{\left(136\right)}_{10}={\left(01001011\right)}_2⨁{\left(10001000\right)}_2={\left(11000011\right)}_2={\left(195\right)}_{10}$$

$${\left(125\right)}_{10}⨁{\left( 81 \right)}_{10}={\left(01111101\right)}_2⨁{\left(01010001\right)}_2={\left(00101100\right)}_2={\left( 44 \right)}_{10}$$

$${\left( 20 \right)}_{10}⨁{\left(155\right)}_{10}={\left(00010100\right)}_2⨁{\left(10011011\right)}_2={\left(10001111\right)}_2={\left(143\right)}_{10}$$

$${\left(220\right)}_{10}⨁{\left( 0 \right)}_{10}={\left(11011100\right)}_2⨁{\left(00000000\right)}_2={\left(11011100\right)}_2={\left(220\right)}_{10.}$$

As for the data, it undergoes polynomial secret sharing in $\mathrm{G}\mathrm{F}\left(2^8\right)$ using the data hiding key, which also serves as the ID for each cloud. This process is illustrated in Figure 4:

165 × 137² + 23 × 137 + 177 = 182,

165 × 59² + 23 × 59 + 177 = 113,

165 × 198² + 23 × 198 + 177 = 101,

165 × 61² + 23 × 61 + 177 = 47.

After processing the images and data, the next step is data embedding. The positions for embedding in the four encrypted images are staggered. In this case, the first encrypted image has its embedding position in the top-left corner. Therefore, we directly replace the pixel value of the top-left pixel (195) of the encrypted image with the secret data (182). Subsequently, the embedding process is sequentially carried out for the remaining three encrypted images.

Before the process of image restoration and message extraction, three steganographic shared images are selected as input based on the threshold value of (3, 4). As illustrated in Figure 5, for image restoration, after obtaining the steganographic shared images, we utilize the encryption key to perform stream cipher on these images. Then, voting is employed to determine the pixel values of the recovered image based on the pixel values at the corresponding positions in the steganographic shared images.

Taking the top-left pixel in Figure 5 as an example, after stream ciphering, the pixel values of the three images are 62, 75, and 75, respectively. Since the value 75 has the highest frequency, the pixel value of the top-left pixel in the recovered image block is set to 75.

When extracting data, we determine the positions used during the previous embedding based on the IDs provided by the cloud. We then extract the secret data from these positions. To begin with, we utilize Lagrange interpolation to compute the constant term of the polynomial in $\mathrm{G}\mathrm{F}\left(2^8\right)$, as shown below:

$$\begin{array}{c}G\left(x\right)=182 {\displaystyle \frac{\left(x-59\right)\left(x-198\right)}{\left(137-59\right)\left(137-198\right)}}\hfill \\ +113 \left({\displaystyle \frac{(x-137)(x-198)}{(59-137)(59-198)}}\right)+101 \left({\displaystyle \frac{(x-137)(x-59)}{(198-137)(198-59)}}\right)\hfill \end{array}$$

where x = 0, $G\left(x\right)$ equals the constant term of the original polynomial, which is the result of 182 × 130 + 113 × 112 + 101 × 243 = 177. The values of the remaining two coefficients can be obtained by solving a system of two linear equations with two variables.

$$\left\{\begin{array}{c}{137}^{2}a+137b+177=182,\\ { 59}^{2}a+59b+177=113,\\ {198}^{2}a+198b+177=101.\end{array}\right.$$

From the system of equations above, we can determine that a is 182 and b is 113. Adding the constant term 177, we have successfully extracted the secret message.

4. Experimental Results

In this section, we present a series of experimental results. In Section 4.1, we utilize five grayscale images of 256 × 256 commonly used in image processing as test images: Lena, Airplane, Goldhill, Pepper, and Baboon. To further illustrate the performance of the proposed method, Section 4.2 employs the UCID dataset [35], which consists of 1338 uncompressed color images with dimensions of 384 × 512 or 512 × 384. In Section 4.3, we simulate scenarios where steganographic shared images are attacked and demonstrate the process of image restoration and data extraction. Finally, in Section 4.4, we compare the proposed method with existing approaches and highlight the differences and improvements as well.

4.1. Results and Analysis of Standard Test Images

Figure 6 shows the results when using the Baboon image. First, we copied the image into four copies, and used the stream cipher to encrypt the copied images. On this basis, the important information processed by (3, 4)-threshold secret sharing was embedded into the encrypted image. It can be seen that the share is a noise-like image whether before or after embedding secret data. It is impossible to directly see the original image or important information with the naked eye.

When users need to extract embedded information or restore the original image, they not only need any three images from all steganographic shared images but also need to obtain additional encryption keys or secret keys to restore the original image or extract the information. Figure 7 shows the recovered images for all three combinations.

The peak signal-to-noise ratio (PSNR) value between the ground truth and the recovered images can be calculated using the equation provided below. In our proposed method, all test images were compared with the recovered images after the restoration of any k shared images. The resulting PSNR values are all positive infinity, which shows that we can perfectly restore it to the original image exactly the same, which also shows that the proposed method is reversible.

$$PSNR=10{\log }_{10}{\displaystyle \frac{{255}^2}{MSE}}$$

(4)

$$MSE={\displaystyle \frac{1}{M\times N}}\sum _{i=1}^{M\times N}{(x_i-{x^{\prime }}_i)}^2$$

(5)

where $x_i-{x^{\prime }}_i$ represents the difference between the cover pixel and the distorted pixel, and M and N denote the width and height of the image, respectively.

The experiments in

Table 1. Comparisons of embedding capacity in different images.

Image	Threshold	Embedding Capacity (bits)	Embedding Rate (bpp)
Lena	(3, 4)	393,216	2
	(3, 5)	314,568	1.6
	(4, 5)	419,424	1.6
Airplane	(3, 4)	393,216	2
	(3, 5)	314,568	1.6
	(4, 5)	419,424	1.6
Goldhill	(3, 4)	393,216	2
	(3, 5)	314,568	1.6
	(4, 5)	419,424	1.6
Peppers	(3, 4)	393,216	2
	(3, 5)	314,568	1.6
	(4, 5)	419,424	1.6
Baboon	(3, 4)	393,216	2
	(3, 5)	314,568	1.6
	(4, 5)	419,424	1.6

explore the data embedding ability of the proposed method and the impacts of different thresholds on embedding capacity (EC) in bits and embedding rate (ER) in bits per pixel (bpp). The calculations for EC and ER are provided in Equations (6) and (7), respectively. EC is the total number of data bits embedded in the encrypted cover images and is calculated as follows:

$$EC=8\times k\times {\displaystyle \frac{M\times N}{n}} \left(\mathrm{b}\mathrm{i}\mathrm{t}\mathrm{s}\right),$$

(6)

where 8 indicates that each shared secret data unit consists of 8 bits, k denotes the number of polynomial coefficients used to form the shared secret data in a (k, n) secret sharing scheme, M and N denote the width and height of the image, and n represents the number of pixels in each processing image block. ER is the ratio of EC to the volume of the image shares required to recover the secret and is calculated as follows:

$$ER={\displaystyle \frac{EC}{k\times M\times N}}\left(\mathrm{b}\mathrm{p}\mathrm{p}\right),$$

(7)

where k indicates that k shared images are applied to reconstruct the secret message and M and N denote the width and height of the image.

In the next experiment, the thresholds were set to (3, 4), (3, 5), and (4, 5). As shown in Table 1, when the threshold is (k, n), an increase in the value of n leads to a decrease in both EC and ER simultaneously. With a (3, 4) threshold, every 4 pixels can form a block and embed an 8-bit secret message. With (3, 5) and (4, 5), 5 pixels are needed to embed a secret message. However, the value of n also indicates the tolerance of the applied scheme. Since only k shares are required to recover the image and secret data, increasing n enhances the scheme’s tolerance to image loss.

Additionally, it can be observed that increasing the value of k results in an increase in EC, while ER remains unchanged. This is because an increase in k implies that the polynomial secret sharing equation applies more coefficients, meaning that each shared message is generated from more secret data. Therefore, although the number of embedded shared messages remains the same, the actual number of embedded bits increases.

When calculating ER, an increase in the value of k means that more shares are required to extract the information, which counteracts the increase in EC. Consequently, when the value of k increases, the EC increases, but the ER remains unchanged.

Figure 8 shows a histogram comparison of the Baboon image and four steganographic shared images. It can be seen from here that the pixel distribution of the steganographic shared image is relatively even and is significantly different from the pixel distribution of the original image. It is impossible to compare the two histograms to find common or similar points, blocks, or features. This proves that the proposed method cannot restore the original image from a single seen from shared image. It can protect important information well and resist statistical attacks.

Information entropy was used to represent the degree of randomness or uncertainty of the seen from shared image generated by the proposed method. The formula for calculating information entropy $H\left(X\right)$ is

$$H\left(X\right)=-\sum _{x\in X}p\left(x\right)\log p\left(x\right).$$

(8)

The information entropy $H\left(X\right)$ represents the average measure of uncertainty or information content of a random variable $X$. It is computed by multiplying each possible value $x$ of the random variable $X$ by the probability of its occurrence $p\left(x\right)$, then taking the negative logarithm of the product for all possible values, and finally summing up all the terms. In other words, the information entropy $H\left(X\right)$ represents the expected value of the information content contained in all possible values of the random variable $X$.

In a grayscale image represented by 8 bits, each pixel value has $2^8$ possibilities. Under such conditions, the most ideal entropy should be exactly equal to 8. As can be seen from

Table 2. Information entropy of different images.

Image	Information Entropy of Each Hare
	Original	Steganographic Image 1	Steganographic Image 2	Steganographic Image 3	Steganographic Image 4
Lena	7.4318	7.9970	7.9968	7.9973	7.9974
Airplane	6.7334	7.9969	7.9964	7.9973	7.9973
Goldhill	7.4452	7.9971	7.9971	7.9967	7.9973
Peppers	7.5816	7.9972	7.9971	7.9974	7.9971
Baboon	7.2288	7.9974	7.9967	7.9970	7.9976

, the information entropy of each steganographic shared image is close to the ideal value, and the overall average can reach 7.9971.

In addition to information entropy, we can use conditional entropy to represent the uncertainty of the original image with the steganographic shared image is known. The formula for calculating conditional entropy $H\left(Y|X\right)$ is

$$H\left(Y|X\right)=-\sum _{x\in X}p\left(x\right)\sum _{y\in Y}p\left(y\right|x)\log p\left(x\right).$$

(9)

Conditional entropy $H\left(Y|X\right)$ represents after knowing the value of the random variable $X$, the average measure of uncertainty or unpredictability of the random variable $Y$. In other words, conditional entropy $H\left(Y|X\right)$ indicates the expected value of the information content of all possible values of $Y$ given by random variable $X$.

The range of conditional entropy $H\left(Y|X\right)$ depends on the entropy $H\left(Y\right)$ of variable $Y$, which can be expressed as

$$0\le H\left(Y|X\right)\le H\left(Y\right),$$

(10)

where $H\left(Y|X\right)=0$ indicates that $X$ completely determines the value of $Y$, leaving no uncertainty. Furthermore, $H\left(Y|X\right)=H\left(Y\right)$ implies that the uncertainty of $Y$ is not affected by whether $X$ is known or not. In information theory, the significance of this range lies in the demonstration of how additional information (i.e., $X$) reduces uncertainty and can be used to assess the relevance and dependence of information.

As shown in

Table 3. Conditional entropy of different images.

Image	Conditional Entropy of Each Share
	Steganographic Image 1	Steganographic Image 2	Steganographic Image 3	Steganographic Image 4
Lena	6.8420	6.8392	6.8366	6.8360
Airplane	6.2172	6.2186	6.2147	6.2218
Goldhill	6.8321	6.8299	6.8305	6.8295
Peppers	6.9316	6.9253	6.9256	6.9306
Baboon	6.6930	6.6980	6.6984	6.6977

, the conditional entropy of each steganographic shared image is close to the entropy of the original image in Table 2, with an overall average difference of less than 0.6. This indicates that even after knowing the steganographic shared images, the proposed method still preserves a considerable amount of uncertainty from the original image. Consequently, knowing one steganographic shared image does not allow for the retrieval of the original image, demonstrating the high security of the proposed method.

4.2. Results and Analysis of General Image Datasets

Table 4. Comparisons of embedding capacity in UCID images.

Image	Threshold	Embedding Capacity (bits)	Embedding Rate (bpp)
74	(3, 4)	3,538,944	2
	(3, 5)	2,831,112	1.6
	(4, 5)	3,774,816	1.6
331	(3, 4)	3,538,944	2
	(3, 5)	2,831,112	1.6
	(4, 5)	3,774,816	1.6
472	(3, 4)	3,538,944	2
	(3, 5)	2,831,112	1.6
	(4, 5)	3,774,816	1.6
818	(3, 4)	3,538,944	2
	(3, 5)	2,831,112	1.6
	(4, 5)	3,774,816	1.6
1142	(3, 4)	3,538,944	2
	(3, 5)	2,831,112	1.6
	(4, 5)	3,774,816	1.6

demonstrates the embedding performance of the proposed method using a general image dataset at various thresholds. Five images were randomly selected as representatives for this experiment. The images in the UCID are larger in size compared to commonly used images like the Baboon image. Since the UCID consists of color images with two additional channels compared to grayscale images for embedding, the overall embedding capacity significantly increases. However, a comparison between Table 1 and Table 4 reveals that regardless of the image size or whether the image is grayscale, the embedding rate remains constant at the same threshold.

In an 8-bit color image, each channel of every pixel has $2^8$ possibilities. Therefore, for a three-channel color image, the ideal entropy is 24. However, to compare with Table 2, we analyze each channel of the pixels in a color image as an independent value. In this way, the ideal entropy of the image remains 8 in

Table 5. Information entropy of UCID images.

Image	Information Entropy of Each Share
	Original	Steganographic Image 1	Steganographic Image 2	Steganographic Image 3	Steganographic Image 4
74	7.6814	7.9992	7.9990	7.9991	7.9990
331	6.6835	7.9990	7.9992	7.9991	7.9990
472	7.7716	7.9991	7.9992	7.9992	7.9990
818	7.4411	7.9991	7.9990	7.9992	7.9990
1142	7.5592	7.9990	7.9991	7.9989	7.9990
Average	7.4425	7.9991	7.9991	7.9990	7.9990

, which is the same as the ideal entropy in a grayscale image. By this method of splitting, it becomes more intuitive to compare the entropy performance of color images and grayscale images.

4.3. Simulated Attack Tests

To further explore the reliability and security of the proposed method, we applied a mask to one of the steganographic shared images, changing $1 / 4$ of its pixel values to 255 to simulate image damage or an attack. Subsequently, this altered steganographic shared image, along with other steganographic shared images, was used to perform image recovery and extract secret messages.

When the threshold $k$ is less than or equal to three, the restored image appears as shown in Figure 9a. For clarity, we highlighted the potentially problematic areas in white in Figure 9b. In the proposed method, each pixel requires collaboration from at least two images to determine the correct value during the restoration process. However, the pixels in these white-marked areas cannot be restored correctly because they rely on information from the attacked steganographic shared image. Additionally, the other image that could potentially be used for restoration is also rendered unusable due to the embedding process.

As for$k \ge 4$, in the scenario where only a single steganographic shared image is under attack, we can still accurately restore the original image, as illustrated in Figure 10. This experiment demonstrates that if the number of attacked steganographic shared images is less than $\left(k-1\right) / 2$, we can achieve $100\%$ image restoration. Furthermore, as the value of k increases, this restriction can be further reduced. This is because, in order to affect the restoration process, the attacked pixels must be able to prevent us from determining the correct pixel values. In most cases, the altered pixels in the attacked images cannot match each other to form the same incorrect values that deviate from the original image. Therefore, they do not affect the overall decision-making process.

In the restoration method mentioned above, we assume that the user is unaware of the ID of each participant. Since the ID and the embedding location are in a one-to-one relationship, we can leverage this connection to aid in the image restoration process. In fact, with this method, as long as we can confirm that two steganographic shared images have not been attacked, we can achieve perfect restoration.

To facilitate the analysis of extracting embedded messages from attacked steganographic shared images, we used the logo of Feng Chia University depicted in Figure 11 as the secret message. To achieve the maximum embedding capacity, we repeated the logo secret message three times, scrambled it, and then embedded it into the images.

From Figure 12, it can be observed that due to the modification of $1 / 4$ of a certain steganographic shared image, it becomes impossible to retrieve the correct pixel values when recovering the secret message through polynomial calculations. The number of errors is approximately equal to the proportion of the steganographic shared image that has been altered.

Since the logo secret message was repeated three times before being embedded, we can use a simple method to reduce the extraction error rate. By utilizing the same approach as image recovery, we can combine multiple logo secret messages to accurately reconstruct the message. As a result, the error rate decreases from the original $24.79\%$ to $3.36\%$, as shown in Figure 13.

4.4. Method Comparison

In this section, we compare the characteristics of our proposed scheme with other secret sharing methods [19,20]. The proposed method encrypts the cover images as shown in

Table 6. Comparison with other related works.

Features	[19]	[20]	Proposed Method
Reversibility	Yes	Yes	Yes
Encryption to secret data	Yes	Yes	Yes
Encryption to cover image	No	No	Yes
(k, n)-secret sharing	(2, 3)	(2, 3)	Adjustable
Fault tolerance	Medium	Medium	Medium/High
Embedding capacity (bits)	819,162	819,195	1,398,096

, whereas the other methods do not [19,20]. The lack of encryption can attract attackers to analyze the hidden information carried by the images based on the differences in the shares generated by [19,20]. Additionally, the secret sharing thresholds in [19,20] are fixed at (2, 3), while the proposed method allows arbitrary threshold selection which provides greater flexibility.

Under the (2, 3)-threshold, the fault tolerances of all three methods are comparable. However, the fault tolerance of the proposed method improves as the k and n values of the threshold increase. It is one of the advantages brought by the flexibility of the proposed method. Lastly, when using the same threshold to embed data into the same image, the proposed method achieves an embedding capacity that is 1.7 times greater than the other two methods.

5. Conclusions

Multiple clouds have become available for data storage since cloud computing has become popular. To avoid data breaches because of misuse in cloud environments, we propose an RDHEI method using secret sharing. Traditionally, the combination of data hiding and secret sharing has primarily been used for cloud storage management. However, our proposed method focuses on ensuring data remain identical when being uploaded to and retrieved from the cloud. We utilize a straightforward embedding method to detect the presence of counterfeiters, thereby ensuring that the retrieved file from the cloud remains authentic. In the proposed method, the embedded data and the carrier image can get the benefits of mutually verifying each other’s integrity. Experimental results demonstrate that the effective payload of the proposed method is influenced by the secret sharing threshold (k, n), where a larger value of k allows us to compress more secret messages. Sharing encrypted images is highly resistant to statistical attacks and secret messages cannot be extracted if there are fewer shares obtained. From the simulated attack experiments, it can be observed that the ability to achieve lossless image recovery after an attack is constrained by the value of k. As the value of k increases, the proposed method’s resilience to errors improves. The ability to extract 100% accurate messages depends on the extent of the image damage. However, we can still improve the accuracy of extraction through methods such as repeated embedding. Here, security is strengthened compared to state-of-the-art schemes.

This work currently faces several limitations. Firstly, the original images cannot be fully recovered if the encryption key is missing. Additionally, due to the constraints of the carrier’s numerical range and the necessity to extract secret information with 100% accuracy, we employed a Galois field, $\mathrm{G}\mathrm{F}\left(2^8\right)$, in our calculations, and this significantly increases the overall computation time. In the future, we can enhance the efficiency and security of the method by introducing new strategies or techniques and combining different types of carriers. This will improve operational efficiency while simultaneously enhancing the security and feasibility of the approach.