1. Introduction
The transmission of sensitive images such as military images, confidential images, private photos, etc., over insecure communication channels causes a challenging issue. Transmitting a single image may suffer from a single point of failure (SPOF) if the communication channel is blocked; transmitting multiple copies increases the danger of secret leakage. Secret image sharing (SIS) can be a solution. A
threshold secret image sharing (SIS) scheme was proposed to divide a secret image into
n shares, known as shadow images or shadows. Fewer than
k shares reveal no clue about the secret image; having at least
k shares makes it easy to compute the secret image. Therefore, even with at most
shares lost, the secret image can still be recovered; this is the so-called loss-tolerant property. SIS has widely been applied to many fields, such as key distribution [
1], access control [
2], identity authentication [
3,
4], watermarking [
5], blockchain [
6], cloud distributive storage [
7,
8] and others [
9]. The basic SIS schemes chiefly includes visual cryptography (VC) [
10,
11], polynomial-based SIS [
12] and the Chinese-remainder-theorem-based SIS [
13,
14].
VC, also called visual secret sharing (VSS), requires low computation in the recovery phase. In
-threshold VC [
15,
16], a binary secret is divided into
n binary shares. If the generated shares are printed on transparent materials, the secret image can be recovered by superposing any
k or more shares. Therefore, the computational equipment’s absence fixes the problem of transmitting top secrets that cannot be stored digitally. However, the random interference introduced in the sharing phase makes it impossible to recover the secret without loss by superposing. The increase of participants also significantly reduces the quality of the recovered secret image, which limits the threshold
k and participants
n. According to the different basic mechanisms, existing schemes may have the flaws of pixel expansion, auxiliary codebook and low image quality, which have been studied in some works [
17,
18,
19,
20,
21,
22].
A polynomial-based secret-sharing algorithm was first propose by Shamir in 1979 [
12]. The scheme constructs a
degree polynomial with
random coefficients and one constant as the secret to generate
n shares. Gathering any
k or more shares makes it possible to reconstruct the polynomial by Lagrange interpolation. Thien and Lin [
23] applied the polynomial-based secret-sharing algorithm to images. They used every coefficient to embed the secret image pixel so that the size of shares decreases to
of the secret image. However, auxiliary encryption was required in their scheme to prevent secret leakage. Then, some works were proposed to extend the field in the following aspects: multiple decoding options, lossless recovery, weighted shares and so on [
24,
25,
26,
27]. Nevertheless, some challenges in the polynomial-based SIS still exist, including auxiliary encryption, lossy recovery and high computation complexity. Auxiliary encryption is used to eliminate the correlation of image pixels, which leads to the leakage of secrets. Since the prime number chosen to form the field is 251 and grayscale image pixels range from 0 to 255, five pixel values are unable to be calculated. Thus, in general, there is a little loss. Moreover, the computation complexity is proven to be
[
13], which is a high cost to SIS.
The Chinese-remainder-theorem-based secret sharing (CRTSS) was proposed in 1983 by Asmuth and Bloom [
13] and Mignotte [
14], respectively. Compared with Mignotte’s algorithm, Asmuth and Bloom’s algorithm utilized a large random integer to confuse the secret, bringing more security against attacks. The computation complexity of the scheme was only
. Yan et al. [
28] firstly introduced the CRT into SIS in 2000, but with some information leakage and a lossy recovery. Shyu et al. [
29] proposed a CRTSIS based on Mignotte’s scheme and used a pseudorandom noise generation (PRNG) algorithm to scramble the correlation of the pixels. In the work of Ulutas et al. [
30], Asmuth and Bloom’s algorithm was the base and the distinctive modification was dividing the pixels into two intervals. Since they did not give precise parameters in their work, there may be some problems in some conditions. For example, the
threshold cannot be achieved if the random number is too small. Hu et al. [
31] used the chaotic map in the CRTSIS, which means auxiliary encryption was involved. Chuang et al. [
32] proposed a CRTSIS to share the most significant seven bits to satisfy the restrictions of Asmuth and Bloom’s algorithm. They stored and transmitted the least significant bit (LSB) independently or just threw it away. Therefore, their scheme has the drawback of extra transmission cost or lossy recovery. Yan et al. [
33,
34] divided the grayscale pixels into two intervals, which corresponded to different ranges of the random integer. Li et al. [
35] shared the high seven bits of the grayscale image pixels and embedded the LSB into the random integer. Both Yan et al.’s scheme and Li et al.’s scheme achieved the
threshold with lossless recovery and provided applicable explicit parameters for the implementation. However, when
n in their schemes is big, it is difficult to find the coprime integers as the moduli, and the pixel values have a bad distribution. As a result, they suggested
n be no more than six.
In general, the CRTSIS based on Asmuth and Bloom’s algorithm is neither perfect nor ideal, which has been proven in some works [
36,
37]. The size of the share space is smaller than that of the secret space. In Asmuth and Bloom’s algorithm, the share ranges from 0 to
, where
is the corresponding modulus. Furthermore, the secret ranges from 0 to
, where
p is an integer with
for all
i. The limitation of the share pixel range creates obstacles to the application of CRTSIS. On the one hand, the
threshold determines the number of participants, so CRTSIS is not applicable in scenarios that require many participants. On the other hand, since the pixels ranging in
cannot be generated, achieving some functions based on the CRTSIS such as meaningful shares, multisecret and share authentication may suffer from a smaller screening space than PSIS. Therefore, it is of great importance to improve CRTSIS to fit more application scenarios.
This paper aims to solve the problem of loss recovery and limited threshold when Asmuth and Bloom’s algorithm is applied to image sharing and provide a more practical scheme for secret image sharing based on the Chinese remainder theorem. Considering the features of grayscale images, we take the high seven bits as the shared secret and embed the LSB into the random integer that is generated in the sharing phase of Asmuth and Bloom’s algorithm by LSB matching [
38]. In order to eliminate the restriction of shared pixel values, moduli are creatively chosen slightly bigger than 255, and a filter is used to avoid the abnormal share pixels. The advantage is that number of participants can be larger than that in the schemes of Yan et al. [
33] and Li et al. [
35]. For color images, the RGB channels can be split and shared, respectively. Then, we can merge the corresponding RGB shares into color shares.
The contributions are summarized as follows.
- (1)
A -threshold CRTSIS scheme with lossless recovery and no auxiliary encryption is proposed, which generates shares with the same pixel space ranging from 0 to 255, so that the limitation of the threshold can be released.
- (2)
Concrete parameters are provided in the paper. We traverse all the integers that meet the conditions and screen out the optimal ones, with which users can achieve a sharing process among as many as 10 participants.
- (3)
To evaluate the effectiveness of the proposed scheme, both theoretical analysis and experiments are carried out. Furthermore, comparisons with other remarkable works are given to indicate our advantages.
The paper hypothesizes that the proposed scheme is a valid lossless secret image sharing scheme with good practicability.
The rest of the paper is organized as follows.
Section 2 gives some basic knowledge, presents the detailed scheme and a security analysis.
Section 3 shows the experimental results of the proposed scheme and discussion. In
Section 4, we conclude the paper.
2. Materials and Methods
This section provides some important ground knowledge and the detailed scheme.
2.1. Preliminaries
Some basic knowledge for our work is given in this section, including the Chinese remainder theorem and Asmuth and Bloom’s Algorithm.
For -threshold SIS, the secret image S is divided into n shares , which are distributed to n participants. When t () shares are gathered, the secret image can be recovered.
2.1.1. Chinese Remainder Theorem (CRT)
The CRT is used to solve a set of linear congruence equations. The number can be determined with a set of coprime integers and their corresponding remainders, shown as below.
,
subject to
where
,
,
and
.
It is worth noting that there is one and only one solution in with all the k linear congruence equations, which is the inherent characteristic of the CRT. Assuming only equations are available and is missing, is calculated as the only solution in . However, for , are also the solutions in , which correspond to every possible in . Therefore, even with equations, we still get nothing about the exact solution y for all the k equations, which achieves the secure condition for a threshold in the proposed scheme.
2.1.2. Asmuth and Bloom’s Algorithm
In 1983, Asmuth and Bloom proposed a secret sharing algorithm based on the CRT, shown in Algorithm 1, achieving a threshold and operations for recovery.
Algorithm 1: Asmuth and Bloom’s CRT-based secret sharing algorithm. |
Input: A nonnegative integer s as the secret and as the threshold. |
Output: n shares and corresponding privacy modular integers . |
Step 1: A set of integers is selected to satisfy the following: |
1. . |
2. for . |
3. |
where , and p will be informed to all the participants. |
Step 2: Randomly generate an integer A in by a PRNG and let . |
Step 3: Calculate and let for . |
Step 4: Output n shares and their corresponding privacy modular integers . |
We note that Asmuth and Bloom’s algorithm maps the secret number s into a much big number y, and at the same time, introduces randomness to enhance the security. The obstacle to applying the scheme to images is the inconsistency between the space of secret and shares. Pixel values are in for grayscale images, which means and . According to the statement in Step 1, we get . Therefore, secret pixels cannot be entirely shared, leading to lossy recovery. Furthermore, the loss becomes more severe with the increase of n.
2.2. The Proposed CRTSIS Scheme
In this section, we present the basic design of our scheme, which is based on Asmuth and Bloom’s algorithm. Creative modifications are applied to solve the problem of loss recovery as well as the inconsistency between the space of secret and shares.
The scenario is described as follows. A dealer firstly divides the original grayscale secret image S into n shares, namely . Then, the shares and their corresponding private modulus are sent to n different participants. When at least k shares are gathered, the secret image is able to be recovered. The order of the shares in the recovery phase is arbitrary as long as it corresponds to the order of the moduli.
To maintain lossless recovery, we take out the high 7 bits of the grayscale pixels as the secret
and embed the LSB into the random integer
A. It is important to note that the moduli in our scheme are greater than 255. The screening operation is applied to eliminate invalid shared values. So the size of the secret image space and the shares are the same. First, we list the variables in
Table 1. The design concept is shown in
Figure 1. The generation steps and the recovery steps are described in Algorithms 2 and 3.
Algorithm 2: The sharing phase of the proposed scheme. |
Input: An H × W secret image S and threshold parameters |
Output: n shares and corresponding privacy modular integers . |
Step 1: A set of integers is selected to satisfy the following:- 1.
. - 2.
for . - 3.
|
where , and p will be informed to all the participants. |
For every pixel position , let . Repeat Steps 2–4. |
Step 2: Randomly generate an integer A in . |
If , keep A unchanged; otherwise A randomly adds or subtracts 1. |
Step 3: Calculate , which means taking out the high 7 bits of the pixel. Let . |
Step 4: Calculate . If , it is valid and assign it to for ; otherwise throw it away and go back to Step 2, randomly generating another integer A for s. |
Step 5: After all secret pixels have been traversed, output n shared images and their corresponding privacy modular integers . |
Algorithm 3: The recovery phase of the proposed scheme. |
Input: Gathered r shares with the same size of H × W, their corresponding privacy modular integers and p. |
Output: A recovered secret image . |
Step 1: For every position , repeat Steps 2–3. |
Step 2: Let for and get the following linear equations.
|
Step 3: Calculate . Let . |
. Assign to . |
Step 4: After all positions have been traversed, output the recovered secret image . |
For Algorithm 2, we give the following notes.
In Step 1, the constraint is obtained through the pixel range in grayscale images and . Since the shared value x is in , 128 exactly covers the secret value and 131 is the smallest prime that meets the conditions, we suggest p as 128 or 131.
In Step 2, the random A is chosen in so as to achieve the threshold, which is going to be proven later. The lower bound and upper bound are slightly modified to ensure the security in case of the adjustment of A at bound.
In Step 2, we associate a pixel’s position with the modification of A, so that every s can be shared using a full range of A, instead of odd s always corresponding to odd A and even s corresponding to even A. The modification of A applies LSB matching, which has better performance than the basic LSB information hiding method. LSB matching is a simple improvement on LSB substitution. If the embedded bit is the same as the lowest bit of the carrier, it is not modified, and if it is different, it randomly increases or decreases by 1.
In Step 3, A is randomly generated by a PRNG for every x and multiplied by p plus the secret x to form a big integer y. Therefore, the secret space is greatly enlarged to scramble the pixel values, and the correlations between adjacent pixels are broken without auxiliary encryption due to the introduction of the nonlinear operation, namely the PRNG.
In Step 3, we take out the high 7 bits of the grayscale pixels as the secret and embed the LSB into the random integer A. As a result, lossless recovery is achieved.
In Step 4, the screening operation is applied. The rate of valid shared pixel values is , which is equal to . Therefore, we suggest be as small as possible to reduce the generated invalid pixel values.
For Algorithm 3, we also give some notes.
To recover the secret image, a dealer or a participant group must gather at least k shares and their corresponding privacy modular integers, while p is public for all the participants.
In Step 2, the order of shares is arbitrary as long as every share matches the right modulus. Moreover, there can be more than k congruence equations to work out the right y.
The recovery process is based on CRT and the computation complexity is still .
2.3. Security Analyses
This subsection theoretically analyses the security of the proposed scheme.
Lemma 1. Nothing about the secret image can be obtained from a single share generated by our scheme.
Proof. The sufficient and necessary condition is that is random in for every possible secret pixel, which can be proven from and .
For a fixed secret pixel
s, we share its high 7 bits, namely
x in
. Since
and every
x needs two values of
A to embed the LSB,
can generate all the integers in
as long as there exist a continuous interval of
A with the least size
. As we all know,
A ranges in
, so the continuous interval space of
A, denoted as
, is
When , considering , we get , which has a minimum at . Thus, . Because of the constraint , it is obvious that is much greater than . Therefore, can generate all the integers in for . Furthermore, with the increase of A, obviously has the same characteristic. Therefore, we come to the conclusion that is random in for the randomness of A.
When , we find . In practice, we suggest p as 128 or 131 and as close to 256 as possible, so is close to but slightly smaller than , which means some values in may not be reached while other values still have the randomness to be generated.
In general, when , although the generated share pixels cannot cover all the values in , the secret image still cannot be revealed from a single share. When , the shared pixels are evenly distributed in , so no clue about the secret image can be obtained. □
Lemma 2. Any shares reveal nothing about the secret image.
Proof. Supposing share pixels are given, according to the CRT, we get the solution , where . So . Since , and , we can construct other different solutions for in , which indicates there are other solutions in to the congruence equations of share pixels. Therefore, or less shares reveal nothing about the secret image. □
Lemma 3. Any k or more shares are sufficient to recover the secret image losslessly.
Proof. First, we prove that the shared x, the high 7 bits of a secret pixel, can be recovered without loss with any k or more shares. When are given, according to the CRT, there exists only one solution in , where . Since , the exact solution is also in , indicating and are the same, because if and are different, there are two solutions to the r congruence equations, which is inconsistent with the CRT. Therefore, with any k or more shares, the unique x can be determined by y modulo p. Then the secret pixel can be losslessly recovered with . □
According to the above lemmas, we have proved that our scheme is a valid -threshold SIS.