Secret image sharing based on cellular automata ... - Semantic Scholar

Pattern Recognition 43 (2010) 397 -- 404

Contents lists available at ScienceDirect

Pattern Recognition journal homepage: w w w . e l s e v i e r . c o m / l o c a t e / p r

Secret image sharing based on cellular automata and steganography Z. Eslami ∗ , S.H. Razzaghi, J. Zarepour Ahmadabadi Department of Computer Science, Shahid Beheshti University, G.C., Tehran, Iran

A R T I C L E

I N F O

Article history: Received 29 January 2009 Received in revised form 9 June 2009 Accepted 15 June 2009 Keywords: Secret sharing scheme Linear memory cellular automata Digital signature Authentication Verifiability

A B S T R A C T

Recently Lin and Tsai [Secret image sharing with steganography and authentication, The Journal of Systems and Software 73 (2004) 405–414] and Yang et al. [Improvements of image sharing with steganography and authentication, The Journal of Systems and Software 80 (2007) 1070–1076] proposed secret image sharing schemes combining steganography and authentication based on Shamir's polynomials. The schemes divide a secret image into some shadows which are then embedded in cover images in order to produce stego images for distributing among participants. To achieve better authentication ability Chang et al. [Sharing secrets in stego images with authentication, Pattern Recognition 41 (2008) 3130–3137] proposed in 2008 an improved scheme which enhances the visual quality of the stego images as well and the probability of successful verification for a fake stego block is 1/16. In this paper, we employ linear cellular automata, digital signatures, and hash functions to propose a novel (t, n)-threshold image sharing scheme with steganographic properties in which a double authentication mechanism is introduced which can detect tampering with probability 255/256. Employing cellular 2 automata instead of Shamir's polynomials not only improves computational complexity from O(n log n) to O(n) but obviates the need to modify pixels of cover images unnecessarily. Compared to previous methods [C. Lin, W. Tsai, Secret image sharing with steganography and authentication, The Journal of Systems and Software 73 (2004) 405–414; C. Yang, T. Chen, K. Yu, C. Wang, Improvements of image sharing with steganography and authentication, The Journal of Systems and Software 80 (2007) 1070–1076; C. Chang, Y. Hsieh, C. Lin, Sharing secrets in stego images with authentication, Pattern Recognition 41 (2008) 3130–3137], we use fewer number of bits in each pixel of cover images for embedding data so that a better visual quality is guaranteed. We further present some experimental results. © 2009 Elsevier Ltd. All rights reserved.

1. Introduction Techniques to share a secret image have attracted considerable attention in the recent years [1–8]. However, there are important issues that such techniques should deal with. The first one is accidental or intentional loss/corruption of images that might occur if only a single party has access to the data. On the other hand, if several participants share parts of the secret image, care must be taken to ensure that no malicious shareholder is able to manipulate his/her data. The second issue is the need to keep invaders unaware not only of the content of the secret image itself but also of the very fact that an image is being transferred. Secret sharing schemes which protect and distribute a secret content among a group of participants provide solutions to the first

∗ Corresponding author. Tel.: +98 2129903005; fax: +98 2122431655. E-mail addresses: [email protected] (Z. Eslami), [email protected] (S.H. Razzaghi), [email protected] [email protected] (J. Zarepour Ahmadabadi). 0031-3203/$ - see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.patcog.2009.06.007

issue. In this regard, the basic example, proposed first by Shamir [9] and Blakley [10], is the concept of a (t, n)-threshold secret sharing scheme which encodes a secret data set into n shares and distributes them among n participants in such a way that any t or more of the shares can be collected to recover the secret data, but any t − 1 or fewer of them provides no information about the secret. Moreover, to ensure recovery of the original secret information some authentication process must be employed so that any manipulation of shares is detected with high probability. To tackle the second concern, steganographic techniques are usually employed [1–3,11–14]. In these methods, first some innocentlooking images, called cover images, are selected. Then the secret data are embedded into cover images and the resulting stego images are distributed among participants using some secret sharing scheme. Clearly, in order not to invoke suspicion, the embedding should create high-quality stego images such that the changes are not visually perceptible. So far, two most popular steganographic methods are the least significant bits (LSBs) replacement [15–17] and the modulus operation [18–20]. For example, Wu et al. [8] proposed a sharing and

398

Z. Eslami et al. / Pattern Recognition 43 (2010) 397 -- 404

hiding method that compresses the secret image first and then produces stegos based on the modulus concept. Therefore, although the method can generate smaller stego images, these images may be distorted severely and attract the attention of malicious attackers. Moreover, the original secret image cannot be retrieved completely in the reconstruction procedure. Lin and Tsai [1] proposed a method of secret image sharing with steganography and authentication in 2004. Their scheme is an example of a lossy polynomial-based image sharing and the reconstructed secret image may be distorted slightly. Further, the authentication mechanism in this scheme is rather weak. In 2007, Yang et al. [2] proposed an improved version to overcome the defects in Lin and Tsai's scheme. Although Yang et al.'s method can restore a distortion-free secret image, it not only reduces the quality of the stego images but also allows a significant probability that the fake stego image can be authenticated successfully. In Chang et al. [3], the authors proposed an enhanced scheme in which the concepts of Thien and Lin's secret image sharing [21] is used to ensure that no distortion is introduced into the secret image. Furthermore, an authentication method based on the Chinese remainder theorem (CRT) is used to improve authentication ability. However, we can notice the following shortcomings in the method of Chang et al. First, the use of Shamir's polynomials (as described in Section 3.1) and the fact that this scheme changes (at most) 3 bits in each pixel of a given cover image can introduce a side effect on the visual quality of the resulting stego images. Furthermore, in order to detect tampering of data, it may be necessary to process all blocks of a given stego image and the probability of successful verification for a fake stego block is 1/16 which can be considered high in some applications. In [22], a particular type of discrete dynamical system called onedimensional memory cellular automata (CA) is employed to design a (t, n)-threshold scheme in which at least t consecutive shares are needed to reconstruct the secret. To share secret color images, twodimensional cellular automata are used in [23]. In this paper, we employ cellular automata and introduce a double authentication mechanism to propose a new (t, n)-threshold image sharing scheme with steganographic properties. Our proposed scheme uses 2 bits in each pixel of cover images for embedding data and so a better visual quality for the produced stego images is achieved. We introduce no distortion to the secret image. Moreover, the authentication ability of the scheme can detect a fake stego block with probability 255/256. In contrast to O(n log2 n)-complexity of polynomial evaluation and interpolation algorithms [24], the proposed scheme is of order O(n). The rest of this paper is organized as follows: related work is covered in Section 2. In Section 3, the proposed scheme as well as our motivation to employ CA instead of Shamir's sharing scheme is outlined. Section 4 provides comparison between our proposed scheme and other methods in the literature. Finally, the conclusions of this paper are presented in Section 5. 2. Related works In this section, we briefly review cellular automata and the scheme of Chang et al. [3]. 2.1. One-dimensional memory cellular automata One-dimensional finite boolean cellular automata are discrete dynamical systems formed by a finite array of N identical objects called cells, where each cell can assume a state s ∈ {0, 1}, updated synchronously in discrete time steps according to a local transition function. The updated state of each cell depends on the variables of this function which are the previous states of a set of cells, including the cell itself, and constitute its neighborhood. For the i-th cell, denoted by i, we consider the symmetric neighborhood of radius

(T)

r which is defined as Ni = {i − r, . . . , i, . . . , i + r}. Let ai denote the state of i at time T. Then, the local transition function of the cellular automata with radius r has the following form: (T+1)

ai

(T)

(T)

(T)

0ⱕiⱕN − 1

= f (ai−r , . . . , ai , . . . , ai+r ),

(1)

or equivalently, (T+1)

ai

(T)

= f (Ni ),

0 ⱕ i ⱕ N − 1,

(2)

(T)

where Ni ⊂ (Z2 )2r+1 stands for the states of the neighbor cells of i at time T. Furthermore, if i ≡ j (mod N), then it is assumed that (T) (T) ai = aj to ensure well-defined dynamics of the CA. (T)

(T)

The vector C (T) = (a0 , . . . , aN−1 ) is called the configuration of CA at time T and C (0) is the initial configuration. Moreover, the sequence {C (T) }0 ⱕ T ⱕ k is called the evolution of order k of the CA and the set of all possible configurations of the CA is denoted by C. The global function of the CA is a linear transformation, : C −→ C, which determines the configuration at the next time step during the evolution of the CA, that is, C (T+1) = (C (T) ). For a CA with bijective , there exists another cellular automaton, called its inverse, with global function −1 , and the CA itself is called reversible. In such CAs the evolution backward is possible (see [25]). The local transition function of a linear cellular automata (LCA) with radius r is of the following form: (T+1)

ai

=

r

j a(T) (mod 2), i+j

0 ⱕ i ⱕ N − 1,

(3)

j=−r

where j ∈ Z2 for every j. Since there are 2r + 1 neighbor cells for i, there exist 22r+1 LCAs and each of them can be specified by an integer w called rule number which is defined as follows: w=

r

j 2r+j ,

(4)

j=−r

where 0 ⱕ w ⱕ 22r+1 − 1. The CAs considered so far are memoryless, i.e., the updated state of a cell depends on its neighborhood configuration only at the preceding time step. Nevertheless, one can consider cellular automata for which the state of neighboring cells at time T as well as T − 1, T − 2, . . . contributes to determine the state at time T + 1. This is the concept of the memory cellular automata (MCA) [26]. Hereafter, by a CA, we mean a particular type of MCA called the t-th order linear MCA (LMCA) whose local transition function takes the following form: (T+1)

ai

(T)

(T−1)

= f1 (Ni ) + f2 (Ni

(T−t+1)

) + · · · + ft (Ni

) (mod 2),

0 ⱕ i ⱕ N − 1,

(5)

where fi is the local transition function of a particular LCA with radius r, for 1 ⱕ i ⱕ t. In this case, we require t initial configurations C (0) , . . . , C (t−1) to start the evolution of LMCA. Furthermore, in order for this cellular automaton to be reversible, we have the following proposition. A proof for this proposition can be found in [22]. (T−t+1)

(T−t+1)

) = ai , then the LMCA given by (5) Proposition 1. If ft (Ni is reversible and its inverse is another LMCA with the following local transition function: (T+1)

ai

=

t−2

(T−m)

ft−m−1 (Ni

(T−t+1)

) + ai

(mod 2),

0 ⱕ i ⱕ N − 1.

(6)

m=0

2.2. Review of Chang et al.'s (t, n)-threshold secret image sharing scheme The scheme divides the secret image, denoted by SI, into some shadows which are then embedded in n cover images CI1 , . . . , CIn , in


399

3. The proposed scheme In this section, we first outline why we employ CA and then proceed to describe the proposed scheme. 3.1. Our motivation to use cellular automata instead of Shamir's sharing scheme

ij Fig. 1. The block Bˆ k of the k-th stego image in Chang et al.'s scheme.

order to produce stego images STG1 , . . . , STGn , for distributing among participants P1 , . . . , Pn , respectively. There are two procedures: (1) sharing and embedding, (2) authentication and revealing.

2.2.1. Sharing and embedding procedure First, all pixel values in SI that are greater than or equal to 250 are represented as two values, 250 and the value of the difference between the pixel value and 250, respectively. Therefore, a modified secret image (MSI) is generated in which pixel values are ranged from 0 to 250. In addition, a secret key K is used to generate a random bit-stream as the watermark bits. This key is further split into n sub-keys which are given to the participants. Next, every t pixels in MSI are considered as a unit. Each unit is used to generate n shared pixels which must be embedded into four-pixel blocks of CIi to finally produce STGi , 1 ⱕ i ⱕ n. Let Uij be the (i, j)-th unit of MSI. The t pixels of Uij are considered as coefficients of a polynomial function of degree t − 1: q(x) = (c0 + c1 x + · · · + ct−1 x ij

ij

ij

ij

t−1

) (mod 251).

(7)

ij

Let Bk = {Xk , Vk , Wk , Zk } be the block with position (i, j) in CIk with binary representation (x1 , . . . , x8 ), (v1 , . . . , v8 ), (w1 , . . . , w8 ), and ij ij ij ij (z1 , . . . , z8 ), for Xk , Vk , Wk , and Zk , 1 ⱕ k ⱕ n, respectively. ij Denote the corresponding stego block by Bˆ . For 1 ⱕ k ⱕ n, input k

the decimal value of x1 x2 , . . . , x5 into q(x) to generate the shared ij pixel Sk , with binary representation (s1 , . . . , s8 ). Now, the shared ij

ij

pixel Sk is embedded in the block Bk by replacing the eight bits x6 x7 v6 v7 w6 w7 z6 z7 with s1 , . . . , s8 . Finally, to ensure authenticity of stego blocks, four CRT-based authentication bits are computed and combined with the current watermark bits to produce check bits ij ij (p1 , p2 , p3 , p4 ). The check bits replace x8 v8 w8 z8 of Bk . The block Bˆ k of STGk is depicted in Fig. 1. The sharing and embedding procedure is repeated until all pixels of MSI are processed. After that, the stego images are produced and transmitted to P1 , . . . , Pn .

2.2.2. Authentication and revealing procedure In order to restore the secret image, any group of t or more stego images with sub-keys are gathered together. Then, these sub-keys can be used to reveal the secret key K from which the watermark bits can be generated. Next, each of the stego images is divided into a set of four-pixel blocks. The authentication bits and the watermark bits are used to compute the check bits corresponding to the block. If the check bits are identical to the hidden bits of the stego image, the block is verified successfully and a shared pixel is retrieved. This procedure is repeated until all the hidden shared pixels are retrieved. Finally Lagrange's interpolation is used to get the secret image.

Cellular automata are very powerful computational tools with synchronous update mechanism for their individual components (cells) and are specially adopted for image related works. In particular, in secret image sharing applications in which Shamir's sharing scheme is used, we must provide distinct input values for Shamir's secret polynomial. Now, to economize on the size of data to be embedded, these values are usually obtained from pixels of cover images. Therefore, as the number of participants increases, it may become necessary to modify some pixels in cover images and this can introduce a side effect on the visual quality of the resulting stego images. Since we need no input values to start evolutions of CA, this effect is removed when using cellular automata which means that pixels of the cover images can be used more efficiently. Another drawback in Shamir-based sharing schemes is that we are forced to calculate “mod a prime number p” while CA do not impose such restrictions. In calculating mod primes, we should perform a preprocessing on the secret image to produce pixel values in proper range (i.e. 0–251). This process results in modified secret images whose size is greater than the original image (see, e.g. [3,27]). The increase in the size of data to be embedded affects the quality of stego images. 3.2. The scheme The scheme consists of four phases: (1) the setup phase, (2) the sharing phase, (3) the embedding phase, and (4) the verification and recovery phase. In setup phase, a trusted party called the dealer constructs a reversible LMCA (M) of order t. The dealer further creates a set of public/private keys that will later be used to add signature on the data for the purpose of authentication. In sharing phase, the dealer divides the secret image into some units and derives from each unit t initial configurations necessary to evolve M. The evolutions of M are used to produce shared pixels for participants. These shares plus other information about M and necessary data to reconstruct the secret image are then signed by the dealer and embedded in cover images in the embedding phase and the resulting stego images are given to the participants (Fig. 2). The signature is used so that manipulation of stego images can be detected without processing of pixels in verification and recovery phase. Finally, evolutions of the inverse machine are used to recover the original secret (Fig. 4). 3.2.1. Notations We use the following notations to describe the scheme. SI the secret image, U1 , . . . , Ul the (t − 1)-pixel units of SI, Ui1 , . . . , Uit−1 the pixels in the i-th unit Ui , Width, Height width and height of SI, P1 , . . . , Pn the participants, CIi the cover image corresponding to Pi , STGi the stego image corresponding to Pi , Auti authentication string corresponding to Pi , j SHi the share of Pi from unit Uj , r radius of neighborhood for the LMCA, ws the starting rule number of LMCA, C (T) configuration of the LMCA at time T,

400


Fig. 2. Diagram of the sharing and embedding procedure in the proposed scheme.

bitstringi this operator divides bitstring from right to left into substrings of length i and then XORs them to obtain a string of length i, with padding done if necessary, DSk (bitstring) digital signature on the bitstring with key k, Verk (Sign, m) verification function of the digital signature on message m and signature Sign with key k, Seqi a unique sequence number assigned to Pi , H a collision-free hash function, D the dealer, (PU D , PRD ) public and private keys of the dealer corresponding to signature scheme DS, the concatenation operator for strings. 3.2.2. The setup phase In this phase, the dealer D fixes some parameters and constructs a reversible LMCA of order t through the following steps: 1. Assigns a cover image (CIi ) and a sequence number Seqi to each participant Pi . 2. Generates a set of public/private keys (PU D , PRD ). 3. Constructs a reversible LMCA (M): (a) Selects 1 ⱕ r ⱕ 3 as the radius of the symmetric neighborhood of the LMCA. (b) Selects a random number 0 ⱕ ws ⱕ 22r+1 − t + 1. The rule numbers of the LMCA are then ws , ws + 1, . . . , ws + t − 2. (c) Constructs M of order t by (T+1)

aj

(T)

= fws (Nj

(T−t+2)

)+ · · · +fws +t−2 (Nj

(T−t+1)

)+aj

(mod 2),

where 0 ⱕ j ⱕ 7 and fws +i is the local transition function of the LMCA with radius r and rule numbers ws + i, 0 ⱕ i ⱕ t − 2. The pair (PU D , PRD ) will be used to prohibit tampering of stego images. The dealer signs the embedded data with PRD and hides the signature together with the corresponding public key PU D in stego images for the purpose of verification in the recovery phase. Note that in our scheme, we consider 1 byte for each pixel. Therefore, the number of cells in each configuration of M is 8 and this is why we assume 1 ⱕ r ⱕ 3. Note also that for a rule number w we must have 0 ⱕ w ⱕ 22r+1 − 1. 3.2.3. The sharing phase The details of the sharing phase are depicted in Figs. 2 and 3. First, D divides SI into units U1 , U2 , . . . , Ul , where Uj consists of (t − 1) pixels Uj1 , . . . , Ujt−1 (with padding done on the last unit if necessary) (Fig. 2). For each Uj , the dealer employs its pixels as initial configurations C (0) , . . . , C (t−2) of M. The t-th initial configuration C (t−1) is then computed as the hash value of the first t − 1 initial configurations.

j

j

Finally, the evolutions of M are used to create n shares SH1 , . . . , SHn corresponding to participants. The details are as follows: Step 1. D: 1 Divides SI into (t − 1)-pixel units U1 , U2 , . . . , Ul . 2 Repeats for j = 1, . . . , l. 2.1 Sets initial configurations C (0) , . . . , C (t−2) of M as the binary representation of t − 1 pixels in the unit Uj : (Uj1 , . . . , Ujt−1 ). 2.2 Computes C (t−1) as H(C (0) , . . . , C (t−2) )8 . 2.3 Computes evolutions of M of order n + t − 1, with these initial configurations C (0) , . . . , C (t−1) and obtains C (t) , . . . , C (t+n−1) . 2.4 Assigns to each participant one of the configurations as j j his/her share, i.e. SH1 = C (t) , . . . , SHn = C (t+n−1) . Step 2. D: 1 Repeats for i = Seq1 , . . . , Seqn . 1.1 Signi = DSPRD (PU D Width Height l Seqi ws t r SH1i SH2i , . . . , SHli ), 1.2 Auti = PU D Signi .

So far, with l as the total number of units of SI, the string SH1i SH2i , . . . , SHli , plus other information about M and SI must be embedded in the Pi 's cover image (CIi ). In this step, the dealer signs these information with his private key PRD . The signature and the corresponding public key PU D are concatenated to form the authentication string Auti which will also be embedded in CIi to prevent Pi from manipulation of his/her share. Considering the initial configuration C (t−1) as H(C (0) , . . . , C (t−2) )8 provides what we call double authentication. Even if the cheaters succeed in forging the dealer's signature on stego images and therefore pass the first authentication check (with very small probability), their manipulation will be revealed by this technique. We elaborate on how this is done in the verification and recovery phase. Note that Seqi is the sequence number devoted to Pi in the setup phase. It is used to prevent participants from exchanging their shares or announcing an incorrect identification number (that is not consecutive) in the recovery phase.

3.2.4. The embedding phase In this phase, the dealer produces final stego images by embedding the data obtained in previous phases into the cover images. The embedding is such that first the visual quality of the results have no serious downtrend, and second it is difficult to recognize that any data is hidden in the stego images. Our embedding procedures satisfies both of these requirements.


401

Fig. 3. Diagram of the sharing phase.

Fig. 4. Diagram of the recovery phase.

As described in previous phases, we need to embed in each CIi the following data: • Seqi , to ensure consecutive ordering of the participants in the recovery phase. • ws, r, t, for reconstruction of the LMCA M. • Width, Height and l, for proper recovery of the secret image. j • The shares assigned to Pi , i.e. SHi , 0 ⱕ j ⱕ l. • The authentication string Auti corresponding to Pi , for the purpose of authentication. We now outline the details of embedding procedure in the ith cover image CIi . The forgoing data, with the same ordering, are

considered as an array of bytes. Each byte of data is embedded into one block of CIi consisting of 4 bytes. Let (d1 , . . . , d8 ) be the binary representation of the byte to be embedded in block B of CIi with pixels X, V, W and Z with binary representation as in Fig. 5. The embedding replaces the least significant bits of X, V, W and Z with d1 , . . . , d8 as depicted in Fig. 6. Note that the embedding changes at most two of the LSBs in each byte of B. This maintains the quality of stego images. 3.2.5. The verification and recovery phase The details of this phase are depicted in Fig. 4. Suppose that t consecutive participants, P , P+1 , . . . , P+t−1 , 1 ⱕ ⱕ n−t+1, present the stego images STG , STG+1 , . . . , STG+t−1 to recover the secret

402


4. Comparison and experimental results In [3], the scheme of Chang et al. is shown to outperform the methods presented in [1,2]. Therefore, in this section, we compare the proposed scheme and the scheme of Chang et al. The results of this section show that our proposed method achieves the following merits: • Our method employs linear cellular automata while best polynomial evaluation and interpolation algorithms are of order O(n log2 n) [24]. • We use at most 2 bits in each pixel of cover images for embedding data while this number is 3 for Chang et al.'s scheme. Moreover, since we employ cellular automata, we are not forced to change any more bits in cover images as Shamir-based methods do. This guarantees a better visual quality for our stego images. We perform some experiments for illustration. • Given a stego image, our scheme detects whether it is tampered or not without processing of its blocks. Other methods may need to process all blocks of the image to find this. Moreover, each fake stego block is verified successfully with probability 1/256 in contrast to 1/16 for Chang et al.'s method. Experimental results are also provided for comparison.

Fig. 5. One block of CIi consisting of 4 bytes.

Fig. 6. The embedding of the hidden byte (d1 , . . . , d8 ) in a stego block.

image SI. Each STGi is divided into a set of blocks with four pixels from which the embedded data can be retrieved. j

(1) Retrieve from STGi , Seqi , ws, r, t, Height, Width, l, SHi , 0 ⱕ j ⱕ l and Auti = PU D Signi for each Pi , ⱕ i ⱕ + t − 1, (2) Check if the derived sequence numbers Seqi are consecutive. (3) Each Pi , ⱕ i ⱕ + t − 1 can verify the information given by Pj , j i, as follows: • PU D of Pi should equal PU D of Pj , for ⱕ j ⱕ + t − 1. • VerPUD (Signj , PU D Width Height l Seqj ws t r SH1j SH2j , . . . , SHlj ) = true. (4) Repeat for j = 1, . . . , l (to reconstruct the j-th unit): ˜ by Eq. (6), with radius r, (4.1) Construct the inverse of M, i.e. M, rule numbers determined by ws , and initial configurations j j j C˜ (0) = SH+t−1 , C˜ (1) = SH+t−2 , . . . , C˜ (t−1) = SH ,

˜ t+−1 times to obtain C˜ (2t+−2) , . . . , C˜ (t+−1) . and evolve M, (4.2) Check if Hash(C˜ (2t+−2) , . . . , C˜ (t+−2) )8 equals C˜ (t+−1) or not. (4.3) The pixels of the j-th unit of SI, that is, Uj1 , . . . , Ujt−1 , are taken as the binary representation of C˜ (2t+−2) , . . . , C˜ (t+−2) , respectively. The stego images which fail the signature verification test are tampered. We have the option to totally reject them and stop, or mark them suspicious and proceed with the recovery phase. Now, ˜ would satisfy, with tampered stego blocks which are input to M probability 1/256, the test in step 4.2 of the verification phase and the corresponding unit of the secret image will be invalidated with probability 255/256. Note that since the shares presented in recovery phase constitute configurations of a reversible t-th order LMCA, then at least t shares are required to compute evolutions of the inverse automata and knowing t − 1 or fewer shares is insufficient.

We first consider visual quality of stego images. We perform experiments for n = 4 and t = 3. We take “Jet-F16” with size 256 × 256 as the secret image while “Lena”, “Pepper”, “Baboon” and “flower” serve as cover images with sizes 512 × 512 (Fig. 7). The criterion for the visual quality of the stego images is the peak-signal-to-noise ratio (PSNR) defined as PSNR = 10 × log10

(255)2 dB, MSE

(8)

where MSE is the mean-square error between the cover image and the stego image. If the cover image is sized f ∗ g, MSE is defined as MSE =

g f 1 (xij − yij )2 , f ×g

(9)

i=1 j=1

where xij and yij denote the cover and the stego pixel values, respectively. The stego images generated by the scheme of Chang et al. and their PSNR are given in Fig. 8(a). The same data are reported for our scheme in Fig. 8(b). The results show that our scheme achieves higher PSNR. We now compare the two schemes in terms of authentication capabilities. In the scheme of Chang et al., the probability that a fake block can be verified successfully is 1/16. Now, suppose that Pi modifies a block of his/her stego image. Therefore, the signature Signi hidden in STGi cannot be verified successfully. Next, the fake blocks in this stego image are used to compute the evolu˜ and obtain C˜ (2t+−2) , . . . , C˜ (t+−1) . The modification makes tions of M (2t+ −2) , . . . , C ˜ (t+−2) ) different from C˜ (t+−1) and the fake ˜ Hash(C 8 block is detected. Hence, the probability that a modified block is verified successfully is about 1/256. Note also that our scheme can detect a tampered stego image with a single test while Chang et al.'s scheme should obtain this information from tampered blocks. We also conducted experiments to confirm authentication abilities of the two schemes. To do this, we follow the method used in [3] and consider DR = NTPD/NTP the criterion for integrity verification, where NTP is the number of the tampered pixels, and NTPD is the number of the tampered pixels that are detected. We consider again the stego image “lena” constructed by the two schemes and manipulate it twice with two different images: “flower” with size 120 × 112, and “Pepper” of size 120 × 148. These images are added to the top-left corner of the victim stego image, as


403

Fig. 7. Test images. (a) Jet-F16, (b) lena, (c) Baboon, (d) Pepper, and (e) flower.

Fig. 8. The experimental results for (3, 4)-threshold secret image sharing scheme. (a) The stego images generated by Chang et al.'s scheme and (b) the stego images generated by the proposed scheme.

shown in Fig. 9. The detection ratios for tampering with “flower” are 0.951 and 0.997 for Chang et al.'s scheme and our proposed scheme, respectively, while tampering with “Pepper” reports 0.974 and 0.997 for the corresponding schemes. 5. Conclusions In this paper, we propose a new (t, n)-threshold image sharing scheme with steganographic properties. The scheme is based on

linear cellular automata and introduces no distortion to the original secret image; however, consecutive shares must be provided to recover the secret image. We change at most 2 bits in each pixel of a given cover image to preserve its visual quality. In order to manipulate even a single block in a stego image and remain unnoticed, a malicious participant has to forge a secure digital signature and even in that case, a double authentication mechanism is employed such that the corresponding information in the secret image will be invalidated with probability 255/256. Moreover,

404


Fig. 9. Manipulated stego images for the two schemes. (a) Chang scheme (DR=0.951), (b) our scheme (DR=0.997), (c) Chang scheme (DR=0.974), (d) our scheme (DR=0.997).

the integrity of each stego image can be verified without processing of its blocks. References [1] C. Lin, W. Tsai, Secret image sharing with steganography and authentication, The Journal of Systems and Software 73 (2004) 405–414. [2] C. Yang, T. Chen, K. Yu, C. Wang, Improvements of image sharing with steganography and authentication, The Journal of Systems and Software 80 (2007) 1070–1076. [3] C. Chang, Y. Hsieh, C. Lin, Sharing secrets in stego images with authentication, Pattern Recognition 41 (2008) 3130–3137. [4] N. Noar, A. Shamir, Visual cryptography, Advances in Cryptology: Eurocrypt'94, vol. 48, Springer, Berlin, 1995, pp. 1–12. [5] D. Stinson, Visual cryptography and threshold schemes, IEEE Potentials 18 (1999) 13–16. [6] S. Shyu, Efficient visual secret sharing scheme for color images, Pattern Recognition 39 (2006) 866–880. [7] T.C.C.N. Yang, Aspect ratio invariant visual secret sharing schemes with minimum pixel expansion, Pattern Recognition 26 (2) (2005) 193–206. [8] Y. Wu, C. Thien, J. Lin, Sharing and hiding sector images with size constraint, Pattern Recognition 37 (2004) 1377–1385. [9] A. Shamir, How to share a secret, Communications of the ACM 22 (1979) 612–613. [10] G. Blakley, Safeguarding cryptographic keys, AFIPS Conference Proceedings 48 (1979) 313–317. [11] C. Chang, T. Chen, L. Chung, A steganographic method based upon JPEG and quantization table modification, Information Sciences 141 (2002) 123–138. [12] N. Johnson, S. Jajodia, Exploring steganography: seeing the unseen, IEEE Comput. 31 (2) (1998) 26–34. [13] L.M. Marvel, C.G. Boncelet Jr., C.T. Retter, Spread spectrum image steganography, IEEE Transactions on Image Process 8 (8) (1999) 1075–1083.

[14] D. Wu, W. Tsai, A steganographic method for images by pixel-value differencing, Pattern Recognition Letters 24 (9–10) (2003) 1613–1626. [15] C. Chan, L. Cheng, Hiding data in images by simple LSB substitution, Pattern Recognition 37 (3) (2004) 474–496. [16] C. Chang, J. Hsiao, C. Chan, Finding optimal least-significant-bits substitution in image hiding by dynamic programming strategy, Pattern Recognition 36 (7) (2003) 1583–1595. [17] R. Wang, C. Lin, J. Lin, Image hiding by optimal LSB substitution and genetic algorithm, Pattern Recognition 34 (3) (2001) 671–683. [18] C. Chang, C. Chan, Y. Fan, Image hiding scheme with modulus function and dynamic programming, Pattern Recognition 39 (6) (2006) 1155–1167. [19] C. Thien, J. Lin, A simple and high-hiding capacity method for hiding digitbydigit data in images based on modulus function, Pattern Recognition 36 (12) (2003) 2875–2881. [20] S.J. Wang, Steganography of capacity required using modulo operator for embedding secret image, Applied Mathematics and Computation 164 (1) (2005) 99–116. [21] C. Thien, J. Lin, An image-sharing method with user-friendly shadow images, IEEE Transactions on Circuits Systems (2003) 1161–1169. [22] A.M. del Rey, J.P. Mateus, G.R. Sanchez, A secret sharing scheme based on cellular automata, Applied Mathematics and Computation 170 (2005) 1356–1364. [23] G. Álvarez Marañón, L.H. Encinas, A.M. del Rey, Sharing secret color images using cellular automata with memory, CoRR 0312034 (2003). [24] A. Aho, J. Hopcroft, J. Ullman, The Design and Analysis of Computer Algorithms, Addison-Wesley, Reading, MA, 1974. [25] T. Toffoli, N. Margolus, Invertible cellular automata: a review, Physica D 45 (1990) 229–253. [26] R. Alonso-Sanz, Reversible cellular automata with memory: two dimensional patterns from a single seed, Physica D 175 (2003) 1–30. [27] C. Thien, J. Lin, Secret image sharing, Computer Graphics 26 (5) (2002) 765–770.

About the Author—ZIBA ESLAMI received her B.S., M.S., and Ph.D. in Applied Mathematics from Tehran University in Iran. She received her Ph.D. in 2000. From 1991 to 2000, she was a resident researcher in the Institute for Studies in Theoretical Physics and Mathematics (IPM), Iran. During the academic years 2000–2003, she was a Post Doctoral Fellow in IPM. She served as a non-resident researcher at IPM during 2003–2005. Currently, she is the Head of and a Professor in the Department of Computer Sciences at Shahid Beheshti University in Iran. Her research interests include design theory, combinatorial algorithms, cryptographic protocols, and steganography. About the Author—SEYYED HOSSEIN RAZZAGHI received his B.S. degree in Management Information System (MIS) in 2006 from Tabriz University. He is currently an M.S. student of Computer Science in Shahid Beheshti University, Tehran, Iran. About the Author—JAMAL ZAREPOUR AHMADABADI received his B.S. degree in Management Information System (MIS) in 2006 from Yazd University. He is currently an M.S. student of Computer Science in Shahid Beheshti University, Tehran, Iran.